Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 16 March 2009

Finding the Spam Before Its Spammed . . .

Posted on 08:30 by Unknown
This morning I met with Brian Tanner, one of the UAB Malware Analysts, to determine what malware he should unpack for us this morning. I told him that I was interested in doing a quick check on the "Facebook" malware that we saw over the weekend. The only problem is that Ryan and the guys at Facebook had already had all those domains shut down. No problem. We'll just find the domains they are ABOUT to spam instead.

The UAB Spam Data Mine had received more than 500 emails yesterday in what we are calling the "Facebook Stripper" spam campaign.



The subject lines are each unique, having a suffix of "(Last rated by Random Name)", where Random Name has a first and last name randomly chosen. There are 32 base subjects though:

FaceBook message: Dancing Girl Drunk In The Pub- facebook Video
FaceBook message: Amateur Video - Perfect Girls striptease
FaceBook message: Art Of Exotic Dancing Striptease Series - video...
FaceBook message: Beautiful Girl Dancing Extrahard Striptease!
FaceBook message: Beautiful Girl Dancing Striptease! Cute!
FaceBook message: Beautiful girl hot dancing alone - video
FaceBook message: Beautiful Girls Dancing in the Club
FaceBook message: Dancing Girl loves herself - Amazing Clips
FaceBook message: Dancing girl oriental dance ...
FaceBook message: Dancing girls ... Funny and Hot Videos
FaceBook message: Erotic Dance Striptease
FaceBook message: Exotic Dance Video From facebook member.
FaceBook message: Extreme striptease dance video
FaceBook message: Facebook girl Striptease Beautiful dance
FaceBook message: facebook members Dancing In Striptease
FaceBook message: Girls Dancing on facebook Video
FaceBook message: Hot Girl Dancing At Striptease Dance Party
FaceBook message: Magnificent Exotic Dancing - video ...
FaceBook message: Magnificent girl dancing video clip
FaceBook message: Magnificent Girls dancing in front of camera
FaceBook message: Magnificent Girls dancing on stage
FaceBook message: Magnificent Girls extremely dancing
FaceBook message: Magnificent Striptease Dance
FaceBook message: Numerous of Magnificent Girls Dancing video
FaceBook message: Perfect Girl Dancing Video
FaceBook message: Perfect Girls Dancing - Video
FaceBook message: Smokin' and dancing girl
FaceBook message: These two girls are so... watch the video
FaceBook message: Two Magnificent Girls Dancing, More Info ...
FaceBook message: Two Magnificent Girls Dancing...
FaceBook message: Very Beautiful facebook girl Dance Video!
FaceBook message: Watch the Oooh! Super Beautiful Girl Dancing


Yesterday the domains used in the spam were:

53445player.com
5436player.com
7636player.com
4346player.com
867player.com

While these domains were hosted on a large number of botnet hosted machines, their nameserver actually had a static location. They all used the nameserver "ns1.pvthstonline.com" (8.12.160.183) and "ns2.pvthstonline.com" (205.1.190.113).

Using a Passive DNS Replication service (*wave* to Florian), we checked to see what other nameservers were hosted on 205.1.190.113.

ns2.insdcertificate.com and ns2.shortcuttingv.com were both hosted on that IP.

We knew that the domains served by insdcertificate.com were old - we saw those mostly on the 13th -- 342certificate.com, 234certificate.com, 656certificate.com, 767certificate.com and 867certificate.com -- so we decided to look for domains that were served by ns2.shortcuttingv.com.

Sure enough, we found five domains - all registered THIS MORNING (its only 10:40 AM here):

423adobe.com
545adobe.com
675adobe.com
685adobe.com
987adobe.com

We confirmed that 423adobe.com is being fast flux hosted -- its currently using the IP addresses:

71.195.128.169 (ComCast in Brandon, MA)
75.138.113.226 (Charter Cable in Ashville, NC)
96.32.130.151 (Charter Cable in Alpharetta, GA)
98.209.65.175 (ComCast in East Lansing, MI)
208.120.237.132 (Mindspring in Brooklyn, NY)

Looking at some history on these IPs, we can confirm that they have previously hosted Bank of America "video demo malware", on domains such as 867certificate.com and aheadfixpatch.com, as well as previous days of the Facebook stripper malware, on domains such as 5436player.com, and facebooketus.com.

When we put the "path" of "/home.htm" on one of the domains that we are predicting for today's host, we get the Facebook look-alike page, along with a popup telling us we have to download a new video player (which is actually the virus), now using the name "Flash_Adobe11.exe"



Uploading the malware to VirusTotal, we see that it is only detected by 4 of the 39 anti-virus products with which it is scanned. If you are relying on AVG, McAfee, Microsoft, Symantec, Trend, or pretty much anyone else to protect you from this virus, so far, they don't know about it. (Our report to VirusTotal causes a copy to be sent to them for analysis though - which is one of the reasons we love VirusTotal!)

Click for VirusTotal report

File size: 36352 bytes
MD5...: d17008513f2c93933b92a392260c5cda

Brian finished unpacking the malware and confirms that this copy still sends its stolen credentials to Hong Kong's HostFresh network to the IP address 58.65.232.17.

Afternoon Update


We've now seen more than 300 copies of the "predicted" facebook spam, and the criminals have now shifted again to another group of domain names:

2433module.com
3445module.com
3499module.com
5464module.com
9873module.com

We've seen less than 4 copies of each of these latest, which have a new malware piece as well, which you can find a VirusTotal report for here:

http://www.virustotal.com/analisis/aadd5db3b69580412041681ea3bb65e7
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • Minipost: IPR Center celebrates Cyber Monday
    The National Intellectual Property Rights Center (IPR Center) announced today that in celebration of Cyber Monday, they have Seized 82 Domai...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Work at Home . . . for a Criminal?
    How do you tell if a "Work at Home" invitation is a scam? Here's a clue: It comes in your email. In today's Blog, I tho...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ▼  March (7)
      • GhostNet or Gh0st RAT: The Cyber Persecution of Tibet
      • Bank Hacking Exposed: The Analyzer Affadavit
      • Stop the Rumors: Quit SMSing about WalMart Gang In...
      • Carders do battle through spam - carder.su
      • Waledac: Fake Dirty Bomb in Your City
      • Finding the Spam Before Its Spammed . . .
      • ClassMates.com spam keeps sucking passwords
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile