Monday, July 07, 2008

Nuwar Looks for News Readers?

What news headlines would make you click an email link, even though you KNOW you aren't supposed to do that? The authors of the newest round of Nuwar, which may or may not be the same "storm" worm that we've seen two rounds of already this month, think they know.

Based on a review of this afternoon's "infect you through news headlines" spam, the virus authors believe you want to know about Obama, McCain, Angelina Jolie, and the new Batman movie.

The spam for malware-infection "PornTube" sites is really out of control lately.

The current trend is to hack into someone's site, leave an "r.html" file there, and then send spam with totally unrelated subjects which, when clicked on, will open very offensive porn images and also try to infect the visitor by sending them to a secret website through an "iFrame". (The iFrame redirection site, digitaltreath.info, is now down and will hopefully stay down, after nearly a month of hosting badness.)

The malware which is present on each site is a file called "video.exe", which at least several AV products (AVG, McAfee, Microsoft, Trend) are calling "Nuwar", aka Storm.

Symantec calls it "Trojan.Erotpics", while several others call it "Exchanger" (AhnLab, BitDefender, ClamAV, Fortinet, VBA).

eSafe, F-Prot, and Panda haven't weighed in yet -- VirusTotal shows 22 of 33 detections right now.

The template seems to be: pick a random subject, pick a random body line, and pick a random website. The choices I've seen today include:

Subjects
===========

  • Actors required Sign up now
  • Angelina jolie shock pregnancy discovery
  • Angelina Jolie suffers miscarriage
  • Apple files for bankruptcy
  • Are you getting enough
  • Beyonce breaks up with Jay Z
  • Blast in Pakistan
  • Brad Pitt confesses to betrayal
  • China fires missle in Taiwan's direction
  • Christopher Nolan's Knight vision
  • Clinton withdraws support for Obama
  • Eminem found dead in disco toilet
  • Fantastic year for spanish athletes
  • Federer crashes out
  • Fight for your benefits and rights
  • Heath Ledger never saw the Dark Knight
  • Hurricane hits Caribbean islands
  • India plans attack on terrorists
  • Join our talent hunt contest
  • Latest gossips on celebrities
  • Madonna admits to extra marital affair
  • McCain suffers heart attack
  • McCain withdraws from presidential race
  • McCaine vows to remain celibate
  • Memorabilia for heroes only
  • Miley cyrus naked photos expose
  • Obtain your degree in six months
  • Oil falls below $100 a barrel
  • Party scenes with American idols
  • Retire a millionaire
  • Search for singing talents
  • Spielberg found dead in freak accident
  • Take a look only if you are worth it
  • The Mummy 3 movie bankrupt, release delayed


Bodies
===========

  • A-rod admits to previous secret gay fetish
  • Asian girls mass Org partying
  • Barack Obama has been exposed to lack patriotism and shows loss of support from the masses
  • Can you take on two hot girls
  • Check out your popularity polls among colleagues
  • Elton John’s new lover
  • European girls group Org scenes
  • FBI surveillance team reveals trade secrets
  • French hospital in the south of France has admitted Hollywood actress Angelina Jolie
  • Fully online Master's degrees available at accessible prices
  • Gays in U.S military
  • Gun ban threatens to destroy obama's campaign
  • J Lo secret marriage threatens to destroy current marriage
  • John McCain gathers support from lackeys in Iraq and Afghanistan towards his election campaign
  • Kobe Bryant traded to Toronto in latest blockbuster trade
  • Late and great Ledger in running for posthumous Oscar award
  • Lindsay lohan drugged out at own birthday party
  • Madonna split finalized, Guy Ritchie in tears
  • ndia vows to find the masterminds behind the suicide attack that have killed entire embassy staff in Afghanistan
  • Obama belittles McCain's ability to be a presidential candidate contender at his age
  • Obama openly supports abortion and gay rights in bid to win more support from the masses
  • Oprah Winfrey announces wedding plans
  • Paris Hilton in new naked pictures romp at 4th of july party
  • Places to go for secret rendezvous
  • Pregnant Angelina Jolie asked the media to leave her alone while she waits to give birth to twins
  • President Bush latest political guffaw
  • Rating of stolen car for 2007
  • Republican John McCain admits he has no ideas how to jump start the economy and that the Democrat's stimulus plan is the way to go
  • Senator McCain found unconscious in toilet
  • Start your own business and make more money
  • The sky is the limit for Christian Bale as he returns for a second attempt at taming Gotham City
  • This week top travel destination
  • Videos of your neighbors making things
  • Videos on sports celebs and their flings
  • Wesley Clark snubs McCain's service as forgettable in July 4 tribute to the nation
  • Your colleagues are earning more than you



Websites
===========
PLEASE DO NOT VISIT THESE LINKS! THEY *WILL* ATTEMPT TO INFECT YOUR COMPUTER!!!!
Note, all of these sites may contain legitimate business on other pages, but these "r.html" pages have been placed on these domains by a hacker. We aren't saying these sites are guilty of anything other than having bad security.


There seem to be at least two "active" sets of templates (so, you would never see "Angelina Jolie" subjects with the "Kobe Bryant" body, because they are in different template sets, as an example.)
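A mail-gateway triage check for the message shape described above (a headline-length body plus a single link whose path is "/r.html"), as an added example that is not from the original post. The function names, the word limit and the sample hosts are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
TAG_RE = re.compile(r"<[^>]+>")
LURE_PATH = "/r.html"    # page name reported in the post
MAX_BODY_WORDS = 30      # assumption: the lure body is one headline-length line

def message_text(msg):
    """Decode and join every text/* part (plain or HTML) of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw):
    """Report whether one raw message fits the subject / one-liner / r.html link shape."""
    msg = message_from_string(raw)
    text = message_text(msg)
    urls = {u.rstrip(".,;)") for u in URL_RE.findall(text)}
    lure = sorted(u for u in urls if urlsplit(u).path.lower() == LURE_PATH)
    words = TAG_RE.sub(" ", URL_RE.sub(" ", text)).split()
    return {
        "subject": msg.get("Subject", ""),
        "lure_urls": lure,
        "hosts": sorted({urlsplit(u).hostname for u in lure}),
        "fits_template": len(urls) == 1 and bool(lure) and len(words) <= MAX_BODY_WORDS,
    }

# Constructed samples: subject and body lines are quoted from the lists above
# (the pairings are made up); hosts are placeholders, not sites from the post.
SAMPLES = [
    "Subject: Oil falls below $100 a barrel\n\n"
    "Kobe Bryant traded to Toronto in latest blockbuster trade\n"
    "http://compromised-site.test/r.html\n",
    "Subject: Weekly report\n\nNumbers attached, dashboard at "
    "http://intranet.test/reports/r.html and http://intranet.test/wiki\n",
    "Subject: Blast in Pakistan\nContent-Type: text/html\n\n"
    "<html><body>This week top travel destination "
    "<a href=\"http://192.0.2.10/R.HTML\">more</a></body></html>\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

The path comparison is exact, so a legitimate page such as "/reports/r.html" in the second sample is not flagged, while the bare-IP and upper-case variants in the third are.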

So, news readers, beware . . .
