Friday, July 24, 2009

From Russia, With Love . . . new Postcard spam spies on your PC

Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning on the evening of July 22nd, we began to receive postcards from thousands of friends we didn't even know we had!



The emails all looked pretty much the same . . .



But they actually pointed to many different websites:


Each of these websites offers you the opportunity to download your postcard:




The "postcard" link actually downloads a program which infects your computer with "Zeus Bot" software, which allows the criminal to steal all of your passwords for your bank, email, FTP sites, social networking sites, etc.

Even if you are "smart" and don't download and run the "postcard.exe" program, the cyber criminal has placed other traps on his website. In this case, there is a hidden "iframe" on the page, which causes your computer to open a "hidden window" and run whatever commands are located on the website:

evgard.ru/img/in.php
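One way to spot the trap described above is to scan a fetched page for iframes the visitor can't see (zero size, or hidden by style). This is an added example, not code from the original post; the HTML sample is constructed and the hostname in it is a placeholder.

```python
"""Find iframes that are hidden from the viewer (drive-by style traps).
Added example, not from the original post; sample page is constructed."""
from html.parser import HTMLParser
import re

# Constructed sample page: a visible "download" link plus an invisible
# iframe that quietly loads a third-party page (placeholder host).
SAMPLE_HTML = """
<html><body>
<h1>You have received a postcard!</h1>
<a href="postcard.exe">Download your postcard</a>
<iframe src="http://attacker.invalid/img/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="http://video.example/embed/123" width="640" height="360"></iframe>
</body></html>
"""


def _is_hidden(attrs):
    """True if the iframe's attributes make it effectively invisible."""
    a = {k.lower(): (v or "") for k, v in attrs}
    style = a.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # width="0", height="1px" and similar tiny frames
    for dim in ("width", "height"):
        m = re.match(r"\d+", a.get(dim, ""))
        if m and int(m.group()) <= 1:
            return True
    # the same dimensions expressed in the style attribute
    m = re.search(r"(?:width|height):(\d+)", style)
    if m and int(m.group(1)) <= 1:
        return True
    return False


class HiddenIframeFinder(HTMLParser):
    """Collects iframe src values, split into hidden and visible."""

    def __init__(self):
        super().__init__()
        self.hidden = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        src = dict(attrs).get("src") or ""
        (self.hidden if _is_hidden(attrs) else self.visible).append(src)


def find_hidden_iframes(html):
    """Return the src of every hidden iframe in the page."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.hidden


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```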


These websites are part of a group of "fast flux hosted" domains, which the anti-phishing community has been calling "Avalanche" because of their similarity to the old Rock Phish criminal campaign. "Fast Flux" domains actually resolve to the IP addresses of innocent victim computers that have a "web proxy" secretly running on them. Our cybercrime researchers at UAB have identified more than 3,700 computers that have served as the "web proxy" for these campaigns so far, including several hundred computers in the United States. Each of those proxies looks up the real criminal website and forwards the content back to its visitors, so that the visitor never actually touches the criminal's true computer, only the web proxy of another victim.
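The resolution behaviour described above (many unrelated addresses, short TTLs, a different set on every query) can be scored from repeated DNS lookups. The following is an added example, not from the original post: the lookup results are constructed from documentation address ranges, and the thresholds are a labelled heuristic rather than a published formula.

```python
"""Heuristic fast-flux detection over repeated DNS answers.
Added example, not from the original post; lookup data is constructed."""
from collections import namedtuple
from ipaddress import ip_network

# t = seconds since the first query, ttl = answer TTL, ips = A records
Lookup = namedtuple("Lookup", "t ttl ips")

# Constructed: a stable host (few addresses, one network, long TTL) ...
STABLE = [
    Lookup(0,    3600, ["203.0.113.10", "203.0.113.11"]),
    Lookup(900,  3600, ["203.0.113.10", "203.0.113.11"]),
    Lookup(1800, 3600, ["203.0.113.11", "203.0.113.10"]),
]
# ... versus a fluxed host: short TTL and a largely new set of addresses
# scattered across unrelated networks on every query.
FLUX = [
    Lookup(0,   300, ["198.51.100.7", "192.0.2.44", "198.51.100.201"]),
    Lookup(300, 300, ["192.0.2.99", "203.0.113.77", "198.51.100.7"]),
    Lookup(600, 300, ["192.0.2.130", "203.0.113.5", "198.51.100.150"]),
]


def features(lookups):
    """Summarise a series of lookups for one hostname."""
    seen, prefixes, churn = set(), set(), []
    prev = None
    for lk in lookups:
        cur = set(lk.ips)
        seen |= cur
        # /16 is a cheap stand-in for "different network"; a real deployment
        # would map each address to its ASN instead
        prefixes |= {ip_network(f"{ip}/16", strict=False) for ip in cur}
        if prev is not None:
            churn.append(len(cur - prev) / len(cur))  # share of new addresses
        prev = cur
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes16": len(prefixes),
        "avg_churn": sum(churn) / len(churn) if churn else 0.0,
        "min_ttl": min(lk.ttl for lk in lookups),
    }


def is_fast_flux(lookups):
    """Heuristic verdict; thresholds are constructed for this example."""
    f = features(lookups)
    return (f["min_ttl"] <= 900
            and f["distinct_ips"] >= 6
            and f["distinct_prefixes16"] >= 3
            and f["avg_churn"] >= 0.5)


if __name__ == "__main__":
    for name, data in (("stable", STABLE), ("flux", FLUX)):
        print(name, features(data), "fast-flux:", is_fast_flux(data))
```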

Most recently this group has been used for a few different campaigns including:

Ally Bank


Comerica


eBay


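All of these campaigns use the same trick: the brand's real hostname appears as the leading labels of a name that is actually registered somewhere else. The following added example (not code from the original post) flags such names; the protected-domain list and the tiny stand-in for the Public Suffix List are constructed assumptions.

```python
"""Flag hostnames that carry a brand's domain as leading labels while being
registered under a different domain. Added example, not from the post."""

# Constructed: legitimate domains this defender wants to protect.
PROTECTED = sorted({"ally.com", "comerica.com", "ebay.com", "postcards.org"})

# Minimal stand-in for the Public Suffix List; use the full list in practice.
MULTI_LABEL_SUFFIXES = {"com.mx", "org.mx", "co.uk", "com.au"}


def registrable_domain(host):
    """'secure.ally.com.hcpill.com' -> 'hcpill.com',
    'cgi.ebay.com.hukkil.com.mx' -> 'hukkil.com.mx'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(host):
    """Return the protected domain that host impersonates, or None."""
    host = host.lower().strip(".")
    if registrable_domain(host) in PROTECTED:
        return None  # genuinely under the brand's own domain
    labels = host.split(".")
    for brand in PROTECTED:
        b = brand.split(".")
        n = len(b)
        # the brand must appear as a contiguous run of labels somewhere
        # before the registrable tail; substrings like 'myebay' don't count
        for i in range(len(labels) - n):
            if labels[i:i + n] == b:
                return brand
    return None


def triage(hosts):
    """Map each hostname to the brand it impersonates (None if clean)."""
    return {h: impersonated_brand(h) for h in hosts}


if __name__ == "__main__":
    sample = [  # hostnames from the campaigns above plus two clean ones
        "www.postcards.org.deaseza.gs",
        "secure.ally.com.hcpill.com",
        "businessconnect.comerica.com.session-id-379.sandigocc.com.mx",
        "cgi.ebay.com.hukkil.com.mx",
        "www.ebay.com",
        "myebay.com",
    ]
    for host, brand in triage(sample).items():
        print(f"{host:65} -> {brand}")
```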
They are able to sustain such a high throughput of phishing - those counterfeit bank websites which trick you into giving up your password - because they have an elaborate back end for laundering their money. An army of Americans has signed up to work for them as "money mules". Rather than taking the risk of performing the financial transactions themselves, the criminals have recruited people through a different spam campaign advertising "work at home" jobs to do the deed for them.

Here's an advertisement being offered currently by these same criminals:



In this case, they promise that you can be a "work at home" Customer Service Specialist, earning $27 per hour "+ a bonus per processed transaction".

Those "processed transactions" work like this.

1) They send someone a spam message with a link to a fake bank website

2) The victim gives up their userid and password on the fake website

3) The criminal logs in to the real bank's website using that information, and transfers money to the "Customer Service Specialist" AKA Money Mule.

4) The Mule then receives instructions on how to wire the money internationally, keeping a generous commission (money stolen from someone else's bank account!) for themselves.

In the new "ZBot" version of this scam, only step 1 changes. You no longer have to visit a fake bank website. Once you have the ZBot malware installed on your computer, the criminal gets your password when you visit your bank's real website. If you have multiple banks and multiple credit cards, the criminal will eventually have passwords to them all as you log in to multiple accounts. This is also true for business accounts. Brian Krebs recently reported how Bullitt County Kentucky lost $415,000 by having it transferred out of their own bank accounts and sent to dozens of Money Mules. The mules each received between $7,000 and $9,900 per transaction, and then wired most of that money overseas.

How prevalent is ZBot? IDG's Ellen Messmer reported this week in her article America's Ten Most Wanted Botnets that Zeus Bot now has 3.6 Million infected victims in the United States, slightly ahead of the 2.9 Million infected with Koobface.

That's 3.6 Million Americans whose computers and financial transactions are being spied upon by Russian criminals.

Do we know it's Russian? ZeusBot is actually a system for stealing website data from victims. It comes complete with a nice Graphical User Interface for keeping track of your infected machines, and tools to allow you to prioritize certain banks that are of highest interest to you. At any given moment there are more than 400 distinct command & control sites active for Zeus, so it's possible there are many criminals involved. However, the ZeusBot system is written in Russian, as are the user manuals. Some of those controllers are in the United States, and we encourage US Law Enforcement to do everything they can to get to the bottom of this situation.

Your friends in Computer Forensics Research and the security industry can help. Just ask.

SAFETY UPDATE

ATTENTION NETWORK ADMINISTRATORS!!!
If you are observing traffic to the following netblock please contact me at gar@cis.uab.edu. Thank you!

91.213.72.0/24

This netblock is where the Zeus controller for the postcards malware is sitting. It's already shifted several times this week, but has included:

91.213.72.10
91.213.72.11 - munaagami.net
91.213.72.12 - conscop.com
91.213.72.13 - pinesk.com

The version I visited this morning was using the "conscop.com" domain as its command and control.

Wednesday, July 22, 2009

Cyber IN-Security: Ten Times More Computer Security Graduates needed for .gov jobs

One hour ago at the National Press Club, the Partnership for Public Service presented its report "Cyber IN-Security: Strengthening the Federal Cybersecurity Workforce". Participating in the presentation were:

- Ron Sanders, chief human capital officer, Director of National Intelligence
- Vance Hitch, chief information officer, Department of Justice
- Max Stier, president and CEO, Partnership for Public Service

A copy of the 36 page report, co-authored with Booz Allen Hamilton, is available from OurPublicService.org.

The first, and most important, of the four challenges described in the report is ...

1) The pipeline of potential new talent is inadequate.

The report says that only 40 percent of the hiring decision makers surveyed in federal agencies are "satisfied or very satisfied" with the quality of applicants for federal cybersecurity jobs, and only 30 percent are satisfied or very satisfied with the number of qualified candidates who are applying. The need is for "closer to 1,000 graduates a year" to fill these jobs, as opposed to the current 120 graduates provided through the Scholarships for Service program.

A couple of quotes from the report:
Defense Secretary Robert Gates has stated that the Pentagon is "desperately short of people who have capabilities (defensive and offensive cybersecurity war skills) in all the services and we have to address it." ... Three-fourths of CIOs, CISOs, IT hiring managers, and HR professionals surveyed for this report said attracting skilled cybersecurity talent would be a "high" or "top" priority for the next two fiscal years.


Much like our government did during the space race, the White House should lead a nationwide effort to encourage more Americans to develop technology, math and science skills. In conjunction with this effort, Congress should fund expansion of the successful programs that provide graduate and undergraduate scholarships in computer science and cybersecurity fields, such as the Scholarship for Service program, in return for a commitment to government service.


Victor Piotrowski, who heads the Scholarship for Service program, says there are currently 870 students who have graduated from the program over its lifetime, and that there are 225 students currently enrolled in the program nationally. The pipeline currently produces 120 students per year, but Victor says the need is for "between 500 and 1,000 such graduates" every year. His program is currently funded at $12 Million per year, although the Cyber Security Act of 2009, proposed by Senator Jay Rockefeller from West Virginia, would raise that to $300 million over five years.

The report also quotes Alan Paller from SANS Institute, who says "There is a radical shortage of people who can fight in cyber space -- penetration testers, aggressors, and vulnerability analysts. My sense is it is an order of magnitude short, a factor of 10 short."

Other agencies quoted in the report describe that they are being "outbid by other agencies", and that the existing pool gets snapped up by the "FBI, NSA, and DHS", leaving other federal agencies without the talent they need.

The Pentagon has estimated that their military, civilian, and contractor workforce dedicated to cybersecurity positions is 90,000 personnel, while the non-DOD cybersecurity workforce is estimated at between 35,000 and 45,000. The Intelligence community, which, as we have seen, takes "the majority" of new hires, has a classified number of workers in this space as well.

Other critical concerns raised by the report are that . . .

- The Hiring Process is Broken
- Government Lacks Clear Definitions for Cybersecurity Jobs
- No Career Path for Cybersecurity Workers
- Pay Limitations Make It Harder for Government to Compete for Top Talent

From my position as the Director of Research in Computer Forensics at the University of Alabama at Birmingham I'm focusing on trying to do our part to help. Students who come through our program will have a solid foundation in the basics of information assurance that are taught in the core of our program, such as Internetworking, Computer Security, Network Security, etc., but we then specialize in addressing the needs of future cybercrime investigators.

In "Law, Evidence and Procedure", students get a broad look at our Justice system and how cases move through it.

In "Introduction to Computer Forensics" we then explain how a computer security "incident" fits into that framework and how the rules they heard about in LEP apply to the specifics of cybercrime cases and cases involving digital evidence.

In "Cybercrime & Forensics" students explore the side of Computer Forensics which we call "Media Forensics", learning about how files are stored on disks, and getting practical experience using the same tools they will encounter in the field, duplicating hard drives to create a forensic working copy, understanding the structure of FAT and NTFS file systems, learning to recover deleted files, crack passwords, decrypt files, and thoroughly document a piece of digital media using tools such as EnCase.

In "Investigating Online Crime" students explore the other side of Computer Forensics which we call "Network Forensics", meaning how the various computers involved in a case interact with one another. From a legal process perspective, this course introduces the students to the various tools for retrieving data from providers, including subpoenas, search warrants, etc., as well as what burden of proof is required for each, and for the indictment. Guest speakers include both local and federal law enforcement, and both local and federal prosecutors who share details of actual cases with the students, stressing WHY certain information was required to move their case forward, and any legal or technical barriers that had to be overcome. Students create original applications for analysing cybercrime and digital evidence, and work with analyst tools, including i2 Analyst's Notebook and Maltego, to prepare mock presentations for investigators, prosecutors, judges, and juries to document a wide variety of cases.

Top students in our program are also invited to join our research team, where we have active projects working on real cases related to Spam, Phishing, Malware, and website attacks.

I'm excited to see the focus being brought on the great need for graduates who can take on these Cyber Security positions, and hope that many potential graduates will come join us at UAB to prepare themselves for those jobs. Our Certificate in Computer Forensics is available with the Masters or PhD in Computer & Information Science, or with the Masters in Criminal Justice.

Tuesday, July 21, 2009

Twitter search leads to Naked Newscaster malware (Erin Andrews)

Some folks saw this ABC News story yesterday, and sent me surprised questions that I hadn't blogged about it, so, here is the after-the-fact blog about a situation that is still continuing.




The story actually goes much bigger than that. Sure there are lots of people who have "erin andrews peephole photos" links on Twitter, and almost all of them are pointing to a virus, as we mentioned in the ABC News story.

As we've discussed several times in the past, this is another case of shortened URLs taking you to unknown pages, and Twitter training us all to blindly follow the link. Many of the links we've checked out go to the same place. So, for example:

http://bit.ly/uUplf
http://bit.ly/zgkG1
http://bit.ly/31YLP9
http://bit.ly/105NfM
http://bit.ly/Wjtxe

all point to the same place . . .



Attempting to play the video there actually redirects you to a malware page where you will grab a link to the website lyy-exe.com and download a piece of malware called onlinemovies.40014.exe.

When we first scanned the malware yesterday morning, VirusTotal indicated that it was detected by four of 41 anti-virus products. By last night that was up to 10 of 41, and this morning when we rescanned (July 21st) the detection rate was XXXXXXXXXX

The rest of the story comes out as we look at the other posts made by some of the people who were posting links to the malware. We decided to grab a few that have posted in the past two hours, and see what else they were posting. Here's our sample group:

estefanikime, corinnenamlo, kaylahjofa, haydenluyan, sandynifa, stacilaqu, margaritloomm, beverlykineo, jazminekayam, stasianika, patsykasex, giselleheni, nadinebeeca, sidneydame, margaretfaxe, marniexuqu, unanilu, shanicebibee, trudypoohm.

It looks like the malware may actually be creating its own Twitter accounts, as these accounts for the most part have no followers and are following no one. They seem to be depending on the fact that people actually "search" Twitter, and their results will be found among the other results. This really points out the fact that Twitter needs to do something more than just their current LIFO (Last In First Out) search. If you search for a term, and I am the last person to post something with that term, you will see MY post, even if nobody follows me at all, even if I am an account that was created thirty minutes ago. Wouldn't it make more sense to see what the people are saying who are at least being followed by SOMEONE?

estefanikime has 0 followers and follows no one. Her recent news stories point to the sites:
legalmusic4all.com (an illegal music site hosted on NetDirekt in Germany)
fusionstories.com (an entertainment blog hosted on NetDirekt in Germany)

and several shortened URLs which use the subject lines:
watch erin andrews video => thecooltube.com
spinnerette => thecooltube.com
2009 espy award winners => thecooltube.com
tour de france stage 16 => thecooltube.com
t.o. show => thecooltube.com
blue spark => thecooltube.com
bachelorette men tell all => thecooltube.com

corinnenamlo has 4 followers but is following no one.
Her shortened URLs use the subject lines:
andrea mcnulty
tokyo rose => thecooltube.com
charleston high school mississippi => thecooltube.com
chuck yeager => thecooltube.com
throw it in the bag remix lyrics => thecooltube.com
jesse holley => thecooltube.com
inhaling duster => thecooltube.com
neil armstrong death => thecooltube.com
chris brown apology => thecooltube.com

Wait! I believe I'm detecting a pattern!

Other links being used included:
arturo gatti funeral
mullah krekar
aaron brink wife vanessa
tna victory road 2009 results
nomura s jellyfish
verizon wireless amphitheater irvine
lee westwood golfer
hgsi stock
labor pains lindsay lohan

All point to the malware site, "thecooltube.com".

When ABC News called yesterday, I was on my way to teach a class for the University of Alabama at Birmingham (UAB) Computer Forensics program. The course is called "Investigating Online Crime", and is a mix of Computer & Information Science and Criminal Justice students who are interested in careers in cybercrime investigations. I had been looking for an example for them to work on, digging into a case using a variety of online tools and Maltego from Paterva. I did a quick change-out on the case we would look at, and asked them to follow their leads on this one instead. They certainly found some interesting things!

With ten minutes to go before class, I also asked one of my graduate students, Malware Analyst Brian Tanner, to run a quick dynamic analysis of the malware in the lab. He pulled out some IP addresses of interest for the malware and some of the students included those IP addresses and domain names in their Maltego charts as well. Here are some of the sites that the malware connects to immediately after launching:

myart-gallery.com - 64.27.5.202
isyouimageshere.com - 66.197.155.150
imgesinstudioonline.com - 69.10.35.251
yourimagesstudio.com - 200.35.151.36
imagesrepository.com - 216.240.157.91
delphiner.com - 94.75.207.219
searchzoeken.com - 216.240.149.156

After this basic setup, the malware infected box goes nuts doing advertisement clickfraud, jumping back and forth between a variety of search sites, and following the resulting links, such as "homesearchnova.com" and "top100search.com" and "www-news-today.com" and "ad.reduxmedia.com" and "ad.yieldmanager.com" and "abcsearch.com" and "lucky5forme.com"

In our particular case, we were for some reason doing a lot of "Bollywood" related traffic, doing searches such as "hindi film actor photo" and ending up following links to places like "bollywoodhungama.com"

Someone interested in Advertising Click-Fraud may want to dig into this particular malware much more deeply.

Some of the other interesting clusters the students found were based on nameserver - for instance the nameserver "ns1.alvobs.com" is used by many domains which seem to be involved in tricking people into infecting themselves. Here are some of the domain names that they found were being actively visited:


Many of these sites have already been shut down due to malware complaints. Hopefully Directi will look into the others as well.

One of the students ran WHOIS on many of these domains and noticed that, in addition to having invalid phone numbers (such as Tasha Chambers of Kearns, Utah, whose listed telephone is +001.98985647689), the pattern was to make either a gmail or a yahoo address using the first portion of the first and last names, so we had WHOIS name/email pairs such as:

Chuck Jackson / chucjack@gmail.com
Colette Milton / colemilto@yahoo.com
Dion Choiniere / noelwollenberg@ymail.com (ok, breaks that pattern!)
Jamie Sires / jamisires@gmail.com
Leota Allison / leotallison@gmail.com
Malcolm Cromer / malccrome@gmail.com
Michael Barnes / michabarn@gmail.com
Norman Troup / normtroup@yahoo.com
Queenie Ziegler / queeziegl@gmail.com
Robyn Hamilton / robrhamil@gmail.com
Tasha Chambers / tashcham@gmail.com

Almost all of the domains that were owned by the people above had been terminated. Almost all of the domains registered to "PrivacyProtect.org" had NOT been terminated - which is probably because PrivacyProtect makes it hard to lodge a complaint based on the fact that the domain has false WHOIS information.

Domains that are still live are:


After class, Brian got back into the lab to prove to me why he was better than the "automatic unpacker" I had used in class. As usual, he was amazing. He stepped through the malware with a debugger until it had unpacked itself fully into memory, and then dropped the image from memory to reveal even more hard-coded website names, including:

superarthome.com
and
robert-art.com

which seem to be "backup" command & controls. When we launched the malware, it sent the string "/senm.php?data=" to "myart-gallery.com", but apparently if that domain is unavailable, the code will try "robert-art.com" or "superarthome.com" instead.

Wednesday, July 15, 2009

Spammers Abusing URL Shortening Services

We've previously warned about the dangers of following "Tiny URLs" on Twitter. With only 140 characters to use in your message, many Twitterers use URL shortening services to save their precious characters. Unfortunately, most people have no idea where that click is going to take them until they click on it and get forwarded by the URL shortening service. It's a bit like playing Russian roulette. Click the shortened URL, and you may get informative news stories, insightful blog articles, pornography, or a new virus!

At the UAB Spam Data Mine we've seen a few of these Tiny URLs used in spam, but now we have our first major campaign that is exploiting them in a highly organized way.



Bingo Palms has a current spam campaign underway which involves a large number of these URL shorteners, including:

aafter.us
bit.ly
is.gd
jh.to
jtty.com
myurl.in
o.ly
phaze.me
sturly.com
tcbp.net
tlink.me
urltwitter.com


So far we've seen almost a thousand of these spam messages, and have encountered 453 unique URLs at this point. Here are the subjects that are being used in this spam campaign:

Subject: $10 free deposit
Subject: $5000 Jackpot waiting for you!
Subject: 200% bonus on every deposit
Subject: 75 and 90 Ball Bingo
Subject: Become A Bingo Hustler
Subject: Become A Winner Today
Subject: Become A Winner With Bingo
Subject: b-i-n-g-o for you!
Subject: Bingo has never been easier.
Subject: Bing-o Was Her Name-o
Subject: Do you like to play bingo online?
Subject: Enjoy Bingo Online
Subject: Ever wanted to play Bingo for Cash ?
Subject: Gamble online? Read me!
Subject: Gamble With Bingo
Subject: Gamble? Like to play online?
Subject: Hot 9-Real SLot Machines! $25,000 Jackpot
Subject: Hustle Online. Play Bingo.
Subject: Like Bingo? Win $
Subject: Nickel, Dime, Quarter, & High Roller Games!
Subject: Nightly Events for CASH Prizes
Subject: Online diplomas here.
Subject: Play Bing0 Online
Subject: Play Bingo Now
Subject: Play Bingo Today
Subject: play online
Subject: Play Online Now
Subject: Play Online, Win Today
Subject: Someone has invited you to a game of Bingo
Subject: Something For You. Play Online.
Subject: Vehicle Warranty - 60% off
Subject: Want to play bingo online and win CASH ?
Subject: Win With Bingo
Subject: You have been invited to a Bingo game!

We see this campaign as a dangerous precedent which could be followed by other spammers to make our efforts to block their spam more difficult. As one would expect, the spammer, in addition to cheating the affiliate program and offering "probably illegal" gambling to his email recipients, is delivering his spam message through a world-wide botnet of compromised computers. Just in our spam samples, we have spam for this campaign sent from 698 different computers in 43 different countries around the world.

Afrinic countries of CI, MA, SD, ZA
APNIC countries of BD, HK, ID, IN, JP, KR, PK, TH, TW, VN
ARIN countries of US (only 6 machines)
LACNIC countries of AR, BR, CL, CO, MX, SV, VE
RIPENCC countries of AM, AZ, BY, DE, EU, GR, HR, HU, IL, IQ, IR, IT, KZ, MD, PL, PT, RO, RS, RU, UA, UZ

Despite a broad smattering of countries, 43% of our spam came from Brazil, 20% from Russia, 13% from the Ukraine, 7% from India, and 2% from Italy. No other country represented more than 1% of the spam we received in this campaign.


Here are the URLs that we have seen so far in this campaign:

http://sturly.com/aamg
http://sturly.com/aamh
http://sturly.com/aami
http://sturly.com/aamk
http://sturly.com/aaml
http://sturly.com/aams
http://sturly.com/aamu
http://tcbp.net/s9
http://tcbp.net/sa
http://tcbp.net/sB
http://tcbp.net/sc
http://tcbp.net/sd
http://tcbp.net/sE
http://tcbp.net/sF
http://tcbp.net/sg
http://tcbp.net/sh
http://tcbp.net/sI
http://tcbp.net/sj
http://tcbp.net/sk
http://tcbp.net/sl
http://tcbp.net/sN
http://tcbp.net/sQ
http://tcbp.net/sS
http://tcbp.net/st
http://tcbp.net/sW
http://tcbp.net/sX
http://tcbp.net/sY
http://tcbp.net/t0
http://tcbp.net/t2
http://tcbp.net/t3
http://tcbp.net/t5
http://tcbp.net/t7
http://tcbp.net/t8
http://tcbp.net/t9
http://tcbp.net/ta
http://tcbp.net/tb
http://tcbp.net/tc
http://tcbp.net/te
http://tcbp.net/ti
http://tcbp.net/tj
http://tcbp.net/tk
http://tlink.me/1499
http://tlink.me/1500
http://tlink.me/1501
http://tlink.me/1502
http://tlink.me/1503
http://tlink.me/1504
http://tlink.me/1505
http://tlink.me/1507
http://tlink.me/1508
http://tlink.me/1510
http://tlink.me/1514
http://tlink.me/1515
http://tlink.me/1516
http://tlink.me/1517
http://tlink.me/1518
http://tlink.me/1519
http://tlink.me/1520
http://tlink.me/1525
http://tlink.me/1526
http://tlink.me/1527
http://tlink.me/1529
http://tlink.me/1530
http://tlink.me/1532
http://tlink.me/1533
http://tlink.me/1534
http://tlink.me/1537
http://tlink.me/1538
http://tlink.me/1540
http://tlink.me/1542
http://tlink.me/1543
http://tlink.me/1545
http://tlink.me/1549
http://tlink.me/1550
http://tlink.me/1554
http://tlink.me/1555
http://tlink.me/1557
http://tlink.me/1560
http://tlink.me/1563
http://tlink.me/1564
http://tlink.me/1565
http://tlink.me/1566
http://tlink.me/1567
http://tlink.me/1569
http://tlink.me/1570
http://tlink.me/1571
http://tlink.me/1572
http://tlink.me/1573
http://tlink.me/1574
http://tlink.me/1575
http://tlink.me/1576
http://urltwitter.com/1ipevu
http://urltwitter.com/2i7isa
http://urltwitter.com/4aza2o
http://urltwitter.com/4otifu
http://urltwitter.com/5ireri
http://urltwitter.com/6eyoco
http://urltwitter.com/6i3eko
http://urltwitter.com/bi3e7o
http://urltwitter.com/bixaso
http://urltwitter.com/fale2e
http://urltwitter.com/gu3eto
http://urltwitter.com/jafabu
http://urltwitter.com/jarewa
http://urltwitter.com/kedopu
http://urltwitter.com/kuno6o
http://urltwitter.com/me3ajo
http://urltwitter.com/nasozi
http://urltwitter.com/so3afi
http://urltwitter.com/vido6a
http://urltwitter.com/wulule
http://urltwitter.com/yucazo

Friday, July 03, 2009

Are You Ready for Independence Day Fireworks? Waledac is!

Loyal Blog readers will know that the UAB Spam Data Mine has been tracking the Waledac spam campaigns since their onset. We've followed this worm through the Obama inauguration, Valentine's Day, A Fake Grocery Coupon scam, a Fake Reuters story about a terrorist bomb, and an SMS Spy program. Of course ALL of the domains associated with Waledac infection have been registered on ENAME.cn, the horribly managed Chinese registrar which seems to register more domains used in spam and malware than any other registrar on earth! Even though many of the SMS Spy version domains are still live, they have been forwarding to Canadian Pharmacy websites recently.

Until today.



Here is a sneak preview of the newest version of Waledac. Although the spam campaign has not yet started, the websites are already displaying this new YouTube page promising "Colorful Independence Day events took place throughout the country". The past tense indicates to us that this campaign probably won't take off until late on the day of July 4th. The video claims to be the "South Shore's Fourth of July fireworks show" which has been named by "The American Pyrotechnics Association" as the best display in the nation.

As with previous versions though, the problem is that when you click "play" on the fake YouTube page, you are invited to run "install.exe". What is that?

Unfortunately, it's a demonstration of how anti-virus products work. Anti-virus products start to detect a virus when enough people complain about the virus to warrant adding it to their library of anti-virus signatures. In this case, because the virus hasn't been spammed yet, almost no one has complained, and as a result, almost no one knows that it is a virus. By the time the virus begins to spread on the Saturday evening of a holiday weekend, how many anti-virus engineers will be in the shop to write a definition?

4 of 40 anti-virus products know to block this program!


Last year of course it was the Storm Worm that was spreading via Fourth of July fireworks, as we covered in our story Storm Worm Salutes Our Nation on 4th.

Hopefully with a little advance warning, we'll do a better job protecting ourselves this year!

We infected one machine with this version of Waledac to see what happened. The most immediate impact is that we started sending spam. The "install.exe" which we downloaded actually had the SMTP engine built in, so we would say this is its primary purpose. The Waledac executable is also doing huge volumes of peer-to-peer traffic, as before, talking to many hosts which seem to be nginx servers (but which are actually nginx proxy servers).

In addition to the spam-sending, we made a connection to the website "securitytoolspro.com", which downloaded an executable, "12690784.exe", which is actually a fake anti-virus product.

The first action of this download is to change our Windows wallpaper to look like this:



Then the install begins:



After "scanning" our computer, it asks us to "Remove All Threats", which involves buying the product from a website:



An unpacked version of the Waledac malware can be retrieved from Eureka, which I used to do a lazy man's unpack:

Eureka Report. Clicking the "Strings" tab of that report will provide many hard-coded IP addresses which are part of the "start up" process for the peer to peer network.

UPDATE


We had set our spam traps up to let us know when we got our first Waledac Fireworks spam, and it JUST came in while I was at dinner! (Roughly twelve hours after my initial post of this article PREDICTING this spam campaign.)

The first spam message we received in this campaign came from a Russian IP address, 94.255.18.91, and used the email subject "Light up the sky". The body of the message was only one line, as with previous Waledac campaigns, and read "American Independence Day" and contained a link to the virus.

The hostile website in this email was "moviesfireworks.com".

Other email subjects we've seen include:

America the Beautiful
Celebrate the spirit of America
Celebrating the spirit of our Country
Celebrations have already begun
Happy Birthday America!
Long Live America
Super 4th!

The single line of text in the bodies of the emails has included:

America the Beautiful
Bright and joyful Fourth of July
Celebrate the spirit of America
Happy Birthday, America!
Long Live America
Super 4th!
The best of 4th of July Salute

So, we believe that the same spam template variable is probably being used for both the subject line and the one-line email body.

The domain names we have actually seen in received emails so far are:

fireholiday.com
fireworksholiday.com
holidayfirework.com
holidaysfirework.com
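One defensive use of these observations is a mail-filter heuristic: a body that consists of a single line plus a link, where that line is identical to the subject, fits the template reuse noted above, and a link to one of the domains listed is a direct match. The Python below is an added example, not code from this post or from the UAB Spam Data Mine. The sample messages are constructed: the first two reuse subjects, body lines and a domain reported here, `happy4thvideo.example` is a placeholder for a campaign domain not yet on the watch list, and the remaining messages are invented benign mail for contrast.

```python
import re
from dataclasses import dataclass
from typing import List

# Domains this post reports seeing in received Waledac "fireworks" spam.
WALEDAC_DOMAINS = {
    "fireholiday.com",
    "fireworksholiday.com",
    "holidayfirework.com",
    "holidaysfirework.com",
    "moviesfireworks.com",
}

# Captures the host of a URL; the optional path is consumed so that stripping
# the URL leaves only the human-readable text behind.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?:/\S*)?", re.IGNORECASE)


@dataclass
class Message:
    subject: str
    body: str


def link_hosts(text: str) -> set:
    """Lower-cased hostnames of every URL in the text."""
    return {h.lower() for h in URL_RE.findall(text)}


def text_lines(body: str) -> List[str]:
    """Non-empty body lines with URLs removed, for comparison against the subject."""
    lines = []
    for raw in body.splitlines():
        cleaned = URL_RE.sub("", raw).strip()
        if cleaned:
            lines.append(cleaned)
    return lines


def classify(msg: Message) -> str:
    """Return 'known_domain', 'template_match' or 'clean' for one message."""
    hosts = link_hosts(msg.body)
    if hosts & WALEDAC_DOMAINS:
        return "known_domain"            # direct indicator match
    lines = text_lines(msg.body)
    single_line = len(lines) == 1
    same_as_subject = single_line and lines[0].casefold() == msg.subject.strip().casefold()
    if single_line and hosts and same_as_subject:
        return "template_match"          # Waledac-style one-liner: subject reused as body
    return "clean"


def triage(messages: List[Message]) -> List[str]:
    return [classify(m) for m in messages]


# Constructed sample set (see the lead-in for what each one represents).
SAMPLES = [
    Message("Light up the sky", "American Independence Day http://moviesfireworks.com/"),
    Message("Super 4th!", "Super 4th! http://happy4thvideo.example/"),   # placeholder domain
    Message("Menu", "Today's specials: http://cafeteria.example/menu"),
    Message("Quarterly report", "Hi team,\nThe Q2 report is attached.\nThanks"),
]

if __name__ == "__main__":
    for m, verdict in zip(SAMPLES, triage(SAMPLES)):
        print(f"{verdict:15s} {m.subject!r}")
```

The `template_match` verdict is a heuristic, not an indicator: legitimate one-line mail with a link exists, so in practice it should raise a score or route the message for review rather than reject it outright.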


As with all previous Waledac spam, these are "Fast Flux hosted" on a multitude of IP addresses.
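Fast-flux hosting shows up in passive DNS as a name whose A records churn through many addresses in many networks with short TTLs. The Python below is an added example, not tooling from this post; it applies that heuristic to a constructed observation log (documentation-range IPs and invented TTLs) and uses the /24 prefix as a crude stand-in for the network-diversity check that a production tool would do with ASN lookups. `cdn.example` is a constructed benign host that also has a low TTL, included to show that TTL alone does not separate flux from ordinary load balancing.

```python
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List, Tuple

# One passive-DNS observation: (seconds since start, queried name, A record, TTL).
Observation = Tuple[int, str, str, int]

# Constructed log; addresses are from the documentation ranges, TTLs are invented.
OBSERVATIONS: List[Observation] = [
    # flux candidate: a fresh address from a different network on almost every query
    (0,    "fireholiday.com", "203.0.113.10",   120),
    (120,  "fireholiday.com", "198.51.100.44",  150),
    (270,  "fireholiday.com", "192.0.2.77",     120),
    (390,  "fireholiday.com", "203.0.113.201",  180),
    (570,  "fireholiday.com", "198.51.100.9",   120),
    (690,  "fireholiday.com", "192.0.2.130",    120),
    (810,  "fireholiday.com", "203.0.113.10",   150),
    (960,  "fireholiday.com", "198.51.100.250", 120),
    # ordinary host: a stable pair of addresses with a long TTL
    (0,    "www.example.org", "192.0.2.1",      3600),
    (3600, "www.example.org", "192.0.2.2",      3600),
    (7200, "www.example.org", "192.0.2.1",      3600),
    # CDN-like host: low TTL, but few addresses in few networks
    (0,    "cdn.example",     "203.0.113.50",   60),
    (60,   "cdn.example",     "203.0.113.51",   60),
    (120,  "cdn.example",     "198.51.100.5",   60),
    (180,  "cdn.example",     "203.0.113.50",   60),
]


def summarize(observations: List[Observation]) -> Dict[str, dict]:
    """Per-name query count, distinct IPs, distinct /24 prefixes and the TTLs seen."""
    per: Dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "ips": set(), "prefixes": set(), "ttls": []}
    )
    for _ts, name, ip, ttl in observations:
        s = per[name]
        s["queries"] += 1
        s["ips"].add(ip)
        # /24 approximates "different network"; replace with an ASN lookup where available.
        s["prefixes"].add(str(ip_network(f"{ip}/24", strict=False)))
        s["ttls"].append(ttl)
    return dict(per)


def looks_fast_flux(s: dict, min_ips: int = 5, min_prefixes: int = 3,
                    max_avg_ttl: int = 300) -> bool:
    """All three signals must fire: many addresses, many networks, short TTL."""
    avg_ttl = sum(s["ttls"]) / len(s["ttls"])
    return (len(s["ips"]) >= min_ips
            and len(s["prefixes"]) >= min_prefixes
            and avg_ttl <= max_avg_ttl)


def flag_fast_flux(observations: List[Observation], **thresholds) -> List[str]:
    """Names in the log that meet the fast-flux heuristic, sorted."""
    return sorted(name for name, s in summarize(observations).items()
                  if looks_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for name, s in summarize(OBSERVATIONS).items():
        print(f"{name:18s} ips={len(s['ips'])} nets={len(s['prefixes'])} "
              f"avg_ttl={sum(s['ttls']) / len(s['ttls']):.0f}")
    print("fast-flux:", flag_fast_flux(OBSERVATIONS))
```

The thresholds are starting points, not constants: lowering them (as the test shows) starts catching CDN-style hosts, so tune against a baseline of known-good names before acting on the output.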

Other Domain Names (DO NOT CLICK!!!!!)

fireworkspoint.com
moviesfireworks.com
moviefireworks.com

Jeremy from SudoSecure responded to one of my posts with information from his excellent Waledac tracker. I have to point out that his domain list is VERY complete, and that his blog post was one hour earlier than mine. 8-) But we aren't competing . . . 8-)

4thfirework.com
fireholiday.com
fireworksholiday.com
fireworksnetwork.com
fireworkspoint.com
handyphoneworld.com
happyindependence.com
holidayfirework.com
holidaysfirework.com
holifireworks.com
interactiveindependence.com
miosmschat.com
movie4thjuly.com
moviefireworks.com
movieindependence.com
movies4thjuly.com
moviesfireworks.com
moviesindependence.com
outdoorindependence.com
superhandycap.com
thehandygal.com
video4thjuly.com
videoindependence.com
yourhandyhome.com


Waledac Tracker at SudoSecure

Jeremy's Waledac Blog post



Domains should be updated here as people see them in their spam . . .

http://rss.uribl.com/nic/CHINA_SPRINGBOARD_INC_.html

These are being registered on China Springboard, which is a change of registrar for Waledac, which has always used ENAME before. Of course the ENAME registrar is still loaded with horrible volumes of spam:

http://rss.uribl.com/nic/XIAMEN_ENAME_NETWORK_TECHNOLOGY_D_B_A_ENAME_CN_ENAME_COM.html

Thanks to our friends at URI Black List for providing those real time feeds of bad domains from Chinese registrars for us. They also have a feed for XIN NET:

http://rss.uribl.com/nic/XIN_NET_TECHNOLOGY_CORPORATION.html