Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Tuesday, 26 August 2008

E-cards Run Wild. Where are the Anti-Virus Companies?

Posted on 20:55 by Unknown
E-card spam was running wild today according to many of my students, co-workers, fellow InfraGard members, family members, and total strangers who had read an article about the UAB Spam Data Mine. While we collected well over 1,000 copies of the message in the Data Mine, we heard from our colleagues in UAB Security that campus-wide they had blocked emails originating from more than 4,000 unique IP addresses. That means 4,000 compromised computers had tried to send copies of this email just to people who work or study at UAB!

The emails we received pointed to URLs like:

http://turismoaq.it/e-card.exe
http://pieralbrechtdr.com/e-card.exe
http://faunarium.net/e-card.exe
http://independenceinstrument.com/

Detection of the most recent version of the malware is horrible! At this timestamp, as illustrated by the current Virus Total Results, only 10 of 34 anti-virus engines can detect the product. I'm writing this at home where I run McAfee Security Center on my Vista Ultima machine. With a "just refreshed" version of the anti-virus, it still doesn't detect the 'e-cards.exe' that I just fetched from faunarium.net.



What does the virus do?

It starts out by creating a few files in the currently logged in users Temp folder, including:

dimarik_1.exe
inst2_294.exe
scan.exe

After a bit, a strange pattern emerges. Scanned files are being sent out to the Internet! I won't list the IP here (its been shared with law enforcement), but logs publicly viewable on the server's webpages indicated that thousands upon thousands of infected computers are sending files from themselves to this collection point. Logging one line per received file, there are days where this server has received more than 10 MB of log entries! Today so far, not quite 2 MB of log entries indicated 24,000 files retrieved.
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • Minipost: IPR Center celebrates Cyber Monday
    The National Intellectual Property Rights Center (IPR Center) announced today that in celebration of Cyber Monday, they have Seized 82 Domai...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Work at Home . . . for a Criminal?
    How do you tell if a "Work at Home" invitation is a scam? Here's a clue: It comes in your email. In today's Blog, I tho...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ▼  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ▼  August (22)
      • Hurricane Gustav: Fraud Watch
      • Banking Digital Certificate Malware in Spam
      • E-cards Run Wild. Where are the Anti-Virus Compan...
      • Leave Those Viruses at SCHOOL!
      • Celebrity Spam-Off: Will Paris Hilton Overtake An...
      • Shadow Botnet case may yield spammer Leni Neto
      • More Online Pharmacy Affiliates Indicted
      • Evidence that Georgia DDOS attacks are "populist" ...
      • One third of current spam points to malware sites
      • New BBC spam mocks Georgia's President, Spreads Ne...
      • Can You Pick the Real MSNBC.Com Breaking News?
      • MSNBC Breaking News replaces CNN Spam Wave
      • Anti-Virus Products Still Fail on Fresh Viruses
      • iTunes Store Phish
      • The UAB Spam Data Mine: Looking at Malware Sites
      • TJX Update: The San Diego Indictments
      • TJX Update: The Boston Indictments
      • Linking all the News Spam together (CNN.com Daily ...
      • CNN Spam Diversifies . . .
      • TJX Reminder: "We Will Arrest You, and We Will Sen...
      • CNN Lends Authenticity to News Spam
      • Another Insider Busted: Countrywide Financial Analyst
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile