Friday, October 31, 2008

LaSalle acquisition by Bank of America spreads malware

LaSalle customers are being invited by spam to use the new Digital Certificates that are supposedly required by Bank of America. The email messages being sent are quite simple, and belong to the long string of "Digital Certificate" malware which we have seen target BancorpSouth, Bank of America, Bank of the West, CapitalOne, CareerBuilder, Chase Bank, Colonial, Comerica, Eastern Bank, Google Adwords, Key Bank, Merrill Lynch, M&I Bank, OceanBank, OpenBank, RBC, SunTrust, TD BankNorth, Wachovia.

The newsworthy portion of this scam is the fact that it preys on the uncertainty of banking customers involved in a merger. The FDIC's Sandra Thompson issued a memo on October 28th addressing exactly that point. Thompson's warning was to be on the alert for phishing scams targeting "financial institutions involved in high-profile mergers, acquisitions or failures."

Here's a sample of the LaSalle/Bank of America email:

LaSalle Bank Consumers Warning:

Please be advised that we cannot guarantee the confidentiality of not protected information.
Therefore, we strongly encourage you to update your system.
New Bank of America x.509 privacy certificate for LaSalle Bank consumers can be downloaded from our customer service department.

Proceed to customer service department>>.

LaSalle Bank and Bank of America will not be responsible for any damages, if you ignore this warning.

Sincerely, Keith Landers.
2008 LaSalle Bank and Bank of America Community.

The "Sincerely" name is random and is unique in each of the several hundred sample emails that we've received so far.

The destination website points to a page that looks like this:

and which tries to download an executable malware program. This tiny program, called "LaSalleSetup.exe", is merely the "dropper" which downloads additional malware, but it's still troubling how few anti-virus products will actually stop it from running. At this timestamp, only 15 of the 36 anti-virus products at VirusTotal detected this dropper as being malware, and neither McAfee nor Symantec were among those detecting it.

Once the dropper executes on the computer, it downloads additional malware from the address which is the address all of the recent versions (since October 15th) have been using. is a registered domain. Perhaps they will remove it for us? is fast-flux hosted on a botnet, just like the rest of the domains. The "right-this-minute" group of IP addresses it's using are:,,,

some of which allow the malware to be dropped, and others of which do not. The last address on the list seems to have been part of this botnet the longest, and has been observed running the Ocean Bank version of the Digital Certificate malware as well.

The "a.exe" malware is also not very well detected, with only 19 of 36 anti-virus products at VirusTotal detecting it, and again with no coverage from McAfee or Symantec.

Both the dropper and the second stage malware were crafted today. This probably just means they were repacked from the same base code, but neither had been observed or reported in the places we checked before this afternoon.

a.exe will store itself on the local machine as the file 9129837.exe and will link itself to Internet Explorer. Because of that link, IE is the only browser whose keystrokes will be sent to the criminals. The malware also steals FTP, POP email, and ICQ session logon credentials.

I don't know where this one sends its stolen data yet . . . the most recent version we've run "in the wild" sent it to: or

We've seen at least 34 unique subject lines on the spam messages, such as:
  • LaSalle Bank - Date and time our site was accessed
  • LaSalle Bank - determine the level of interest in information available on our site.
  • LaSalle Bank - identifying information about our visitors
  • LaSalle Bank - Please be advised
  • LaSalle Bank - the bank uses this information to create summary statistics
  • LaSalle Bank - Visitors to this bank Website remain anonymous.
  • LaSalle Bank - we do not collect identifying information about visitors to our site.
  • LaSalle Bank - we may use standard software
  • LaSalle Bank Consumers - we cannot guarantee the confidentiality of information sent.
  • LaSalle Bank Consumers: allow the web server to log the pages you use
  • LaSalle Bank Consumers: any information that you might send to us
  • LaSalle Bank Consumers: if you send confidential or private information to us
  • LaSalle Bank Consumers: other personal information
  • LaSalle Bank Consumers: private information in your e-mail
  • LaSalle Bank Consumers: we strongly discourage you from including any confidential information
  • LaSalle Bank Consumers: you have visited the site before
  • LaSalle Bank Consumers: your Account Number
  • LaSalle Bank Security: additional step to logging onto Online Banking .
  • LaSalle Bank Security: implemented an additional access authentication feature
  • LaSalle Bank Security: Please take a moment to prepare for this additional layer of security
  • LaSalle Bank Security: prompt you to answer your security verification question(s)
  • LaSalle Bank Security: reviewing your security verification question and answer
  • LaSalle Bank Security: we help you monitor your online accounts.
  • LaSalle Bank Security: we’re adding additional security features
  • LaSalle Bank will not be responsible for any damages
  • Warning LaSalle Bank Consumers:Making Online Banking even more convenient and secure for you—totally free.
  • Warning LaSalle Bank Consumers: Additional Security Features for Online Banking
  • Warning LaSalle Bank Consumers: Customer Identification Program
  • Warning LaSalle Bank Consumers: Information from a consumer reporting agency
  • Warning LaSalle Bank Consumers: Information We Collect
  • Warning LaSalle Bank Consumers: Information you provide us for applications or other forms
  • Warning LaSalle Bank Consumers: Notice of Financial Privacy Rights
  • Warning LaSalle Bank Consumers: providing you with secure and convenient online access

The domain names that we've seen hosting the dropper malware so far are:

which were all registered with BIZCN.COM as their registrar.

The full machine names look like these (with many random strings and different names substituted. Each full URL is truly unique.)

The full URLs really look more like this:

But anything that includes at least the domain name and the lasalle.php will resolve to the same location.
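Since every URL in the spam is unique but anything containing the domain and lasalle.php resolves to the same page, the useful unit for counting and reporting is (registered domain, landing page), not the full URL; the same idea covers the Abbey/AmEx/Scotia/Lloyds "path replacement" campaign further down this page, where one domain serves several brands' kit paths. The following is an added example, not code from these posts: the sample URLs and .invalid domains are constructed, the second-level TLD list is a stand-in for the Public Suffix List, and only the path-to-brand mapping is taken from the post.

```python
"""Cluster phishing URLs by registered domain and kit path (added example).

The sample URLs below are constructed; host names use the reserved
.invalid TLD and the random labels stand in for the per-recipient strings
the posts describe. Only the path-to-brand mapping comes from the post.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Toy second-level registry suffixes; production code should use the
# Public Suffix List instead (assumption for this example).
_SECOND_LEVEL_TLDS = {"co.uk", "com.ec", "net.ec", "fin.ec", "med.ec"}

# Kit paths and the brand each one targets, as stated in the Oct 26 post.
KIT_PATHS = {
    "/CentralFormWeb/Form/": "Abbey",
    "/myca/form/serverstack/action": "Lloyds TSB",
    "/online/form.jsp/": "Scotia Bank",
}

# Constructed sample: random host labels, random directories, fixed landing page.
SAMPLE_URLS = [
    "http://a9f3k.zz12.lasalle-example.invalid/dir7/lasalle.php",
    "http://q1pq.lasalle-example.invalid/x/y/lasalle.php",
    "other-example.invalid/lasalle.php",
    "http://h4.abbey-example.invalid/CentralFormWeb/Form/",
    "http://k9.abbey-example.invalid/myca/form/serverstack/action",
    "http://m2.abbey-example.invalid/online/form.jsp/",
    "http://z.second-example.invalid/CentralFormWeb/Form/",
]


def _split(url):
    return urlsplit(url if "://" in url else "http://" + url)


def registered_domain(host):
    """Strip the random leading labels, keeping the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _SECOND_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalized_path(url):
    """Path with empty components and the trailing slash removed."""
    comps = [p for p in _split(url).path.split("/") if p]
    return "/" + "/".join(comps)


def campaign_key(url, keep_components=1):
    """(registered domain, last path component(s)): the two parts the posts
    say are enough to reach the landing page; everything else is noise."""
    parts = _split(url)
    comps = [p for p in parts.path.split("/") if p]
    tail = "/".join(comps[-keep_components:]) if comps else ""
    return registered_domain(parts.hostname or ""), tail


def cluster(urls, keep_components=1):
    """Group unique URLs that actually lead to the same phishing page."""
    groups = defaultdict(list)
    for url in urls:
        groups[campaign_key(url, keep_components)].append(url)
    return dict(groups)


def brands_per_domain(urls, kit_paths=KIT_PATHS):
    """Which brands' kit paths each domain serves; more than one brand on a
    domain is the 'path replacement' signature described in the post."""
    norm = {normalized_path("http://x" + p): b for p, b in kit_paths.items()}
    out = defaultdict(set)
    for url in urls:
        path = normalized_path(url)
        for kit_path, brand in norm.items():
            if path == kit_path or path.startswith(kit_path + "/"):
                out[registered_domain(_split(url).hostname or "")].add(brand)
    return dict(out)


if __name__ == "__main__":
    for key, members in cluster(SAMPLE_URLS).items():
        print(key, len(members))
    print(brands_per_domain(SAMPLE_URLS))
```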

Thursday, October 30, 2008

First Enom Phish, now Network Solutions Phish

Yesterday we reported that in the wake of ICANN's actions against ESTDomains, a new phishing campaign against eNom had begun. eNom holds the keys to more than 9 million domains, so that was pretty big news. Today the phishers have turned their attention to Network Solutions, which is listed as the Number Three registrar by domain count with more than 6.5 million domains.

With email subjects such as:

Attention: domain is expired
Attention: domain will be expired soon.
Attention: domain will be expired tomorrow.
Attention: domains are expired.
Attention: domains will be expired tomorrow.
Please, renew your domain
Please, renew your domains
Your domain are expired at this time!
Your domain is expired today!
Your domain will be deleted soon
Your domain will be deleted today

the phisher hopes to get the attention (and the userid and password) of the legitimate owners of domains registered at Network Solutions.

The email body looks like this:

Dear Network Solutions Customer,

We recently notified you that the registration period for your Network Solutions domain name had expired. As a benefit of having previously registered a domain name(s) with Network Solutions, you are eligible to receive a percentage of the net proceeds that were generated from the renewal and transfer of the domain name you chose not to renew. Since you have chosen not to renew the domain name listed below during the applicable grace period, we were successful in securing a backorder for this domain name on your behalf and it has been transferred to another party in accordance with the Service Agreement.

Renew your domain now -

You must click on the following link, enter your domain name, and confirm your contact information in order to claim these funds. If your contact information is not correct, you must enter Account Manager and make the appropriate changes prior to clicking "submit" from the confirmation screen. If you do not do this, you will be confirming inaccurate information and will not receive any payment. Checks will only be made payable and mailed to the Account Holder of record.


Network Solutions® Customer Support

With Senders such as:

NetworkSolutions Inc
NetworkSolutions Support
NetworkSolutions Support Team
NetworkSolutions Team Tech Support

and From addresses such as:

and nonsense tags such as:

We expect more URLs will be added, as we are still on the early side of this phishing spam campaign, but here is what we have seen so far at the UAB Spam Data Mine.

We've reported these domains and hope to see quick action by the registrar for them.

As with every current top spam campaign, the registration WHOIS information indicates the registrant as being "Shestakov Yuriy" AKA Alexey Vasiliev - the registrant behind all the top "Russian girls" spam domains and most of the Canadian pharmacy spam domains, who has also used email addresses "" and "" as his identity when registering domains.

Hopefully OnlineNIC will terminate these domains quickly.

As with yesterday's eNom domains - these domains are fast flux hosted on the same site as a great deal of child pornography. More details are available to law enforcement.

Wednesday, October 29, 2008

Caution: Enom Phishing continues

If you have a domain name registered with the ICANN Registrar Enom, please be on the alert! A phishing campaign began against Enom users on October 27th. Here's what the phishing page looks like. As the phishing page points out, eNom is the "#1 Registrar Reseller" for the past seven years, and manages more than eleven million domain names!

It's too early to know if this attempt to steal userids and passwords for some of those eleven million domain names is related to the announcement that ICANN has terminated ESTDomains' privileges. As we mentioned yesterday, the absence of ESTDomains may be a great inconvenience to criminals who are accustomed to using their services to register new domains for their criminal activities.

The spam from the earlier version looked like this:

Dear eNom Customer,

Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable:

* Main site
* All web hosting services
* Email services
* Communication with the registry affecting new registrations, renewals, and transfers

For access your account follow this link -

The following services will not be affected and will continue to be fully operational:

* DNS will resolve normally - although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period
* Email forwarding and site redirection will operate normally

We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience.

eNom Tech Support

The UAB Spam Data Mine received 298 copies of the earlier campaign, which resolved to seven unique domain names. Instead of sending the user to the actual domain for Enom, they were redirected to:

The email subject lines for the first batch were:

Maintenance at eNom
Maintenance at eNom - attention
Maintenance at eNom - warning
Maintenance at
Maintenance at - attention!
Maintenance at - warning!

Sending names including:

eNom Inc
eNom Support
eNom Support Team
eNom Team
eNom Tech Support
eNomCentral Inc
eNomCentral Support
eNomCentral Team
eNomCentral Tech Support

From addresses were,,,, or

We got roughly fifty of these spam messages so far today. Here's a typical one:


Dear user,

On Wed, 29 Oct 2008 12:22:39 +0530 we received a third party complaint of invalid domain contact information in the Whois database for this domain. Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.

The contact information for the domain which displayed in the Whois database was indeed invalid. On Wed, 29 Oct 2008 12:22:39 +0530 we sent a notice to you at the admin/tech contact email address and the account email address informing you of invalid data in breach of the domain registration agreement and advising you to update the information or risk cancellation of the domain. The contact information was not updated within the specified period of time and we canceled the domain. The domain has subsequently been purchased by another party. You will need to contact them for any further inquiries regarding the domain.


If you find any invalid contact information for this domain, please respond to this email with evidence of the specific contact information you have found to be invalid on the Whois record for the domain name. Examples would be a bounced email or returned postal mail. If you have a bounced email, please attach or forward with your reply or in the case of returned postal mail, scan the returned letter and attach to your email reply or please send it to:

Attn: Domain Services 14455 N Hayden Rd Suite 219 Scottsdale, AZ 85260


Thank you,
Domain Services



The domains are of course Fast Flux hosted. At the moment of this writing each resolves to the following IP addresses:,,,,,,

But a quick history shows that they have also resolved to all of the following:

This botnet of hosting machines is also associated with the group of child pornography servers. These domains use "" (ns5, ns6) and "" as their nameservers, with such domains as "littlelolita", "lolita-bbs", and "nude-kids", "xlsites" and others. (More information available to law enforcement, just ask.)

Tuesday, October 28, 2008

Ding Dong The Witch Is Dead! ( ICANN Pulls the Plug on ESTDomains )

Today is certainly a great day! The first day of NBA season had me feeling good (although I'd rather be watching the Pistons than Cavs-Celtics or Portland-Lakers), but the latest news has me dancing in the living room! (Which is scaring the parakeet, and making the water in the fishtank jiggle alarmingly.)

ICANN's Director of Contractual Compliance, Stacy Burnette, has officially begun termination proceedings to eliminate EST Domains as a registrar.

Anyone who has worked in Internet Security for any amount of time will be familiar with the fact that EST Domains is the registrar of choice for most Eastern European cyber criminals. EST should have realized their time was limited when investigative cyber reporter Brian Krebs shined his searchlights into their dark corner of the Internet with his two part series, that began with A Superlative Spam and Scam Site Registrar and continued with EST Domains: A Sordid History and a Storied CEO.

It was Krebs' second column that prompted certain parties in the ICANN community to begin the process of finding Estonian court documents that would prove conclusively (and locally) that what Krebs alleged in his column was true -- that a known criminal was running an ICANN Registrar.

The handwriting has been on the wall since Krebs' column, which has led to an increase in criminal domains being registered on Chinese-based registrars, but historically, if a domain was involved in crime or malware, there was a great chance it was going to be registered at EST Domains. (Some of the "Chinese" registrars actually have "subcontractor" arrangements in St. Petersburg and Moscow to allow Russian criminals to register their own domains, but make them appear to be registered in China.)

The ICANN letter opens with:

Dear Mr. Tsastsin:

Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains, Inc. (Customer No. 919, IANA No. 832) is terminated. Consistent with subsection 5.3.3 of the RAA, this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction. This termination shall be effective within fifteen calendar days from the date of this letter, on 12 November 2008.

Since Estonian Court records indicate the conviction occurred on 6 February 2008, and EstDomains made no attempt to remove Tsastsin from office because of these convictions, the terms of the RAA allow such a termination.

EstDomains' 281,000 domain names under management will be transferred using the ICANN "De-accredited Registrar Transition Procedure" on or before 6 November 2008. An announcement requesting parties interested in taking over the management of these domains was posted on the ICANN website this evening at:

The letter quoted above is also available on the ICANN website, at:

Brian Krebs and all the folks at ICANN, and all the researchers who contributed to bringing this event to pass - Well Done!

Tip to Phishers: First Build Site, THEN Spam

As a transplant to the South, I was not at first familiar with the expression "Bless his little heart". It's often used to express amusement at something silly a young child or animal may do, because they don't know any better. When used with regard to adults, it replaces Yankee expressions, because Southerners are generally too polite to say someone is too stupid to live. I've lived in the South for more than twenty years now, so when I saw the phishing campaign that started up around 1:20 this morning, all I could say about the Phisher was "awwww....bless his little heart!"

Here's what the spam emails look like:

When I say we started getting spam from this campaign, I mean SEVERAL messages every minute. The spammer had registered himself some nice domain names using the Chinese Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.

He had chosen some innocent Americans' identities to use when he did his domain name registrations, so they would seem "American", I guess . . .

He was Darleen Murray from Buffalo, NY
and Ray Brooks from Swanquarter, NY
and David Minor from New York, NY
and Eric Mattson from Sherman Oaks, CA
and Joshua Zadow from Mitchell, SD
and Thomas Brooks from Atlanta, GA
and Alice Hatch from Murray, UT
and Leonard Johnson from Socaldwell, OK
and Stephanie Jordan from Seattle, WA
and Ruth Sims from Morro Bay, CA
and Sam McNeal from Baltimore, MD
and Barbara White from Bangor, ME
and Robert Russwurm from Kingston, NY
and Megan Alfonso from Lake Wales, FL

He even used their real phone numbers and email addresses for the contact information on the registrations!

Each of these folks curiously decided to use the same Technical ID on their registrations -- gTec Limited in Moscow, Russia.

Seven of the domains were registered on October 13th, and seven more on October 23rd, but none were used for spamming before this morning.

Early this morning, Our Pathetic Phisher launched his spam campaign, using machines from all around the world to send his spam. We received messages sent from Japan and Germany, from Korea and Lithuania, from Canada and Kansas City, from Russia and Bulgaria, from the Ukraine and from Turkey.

But there is nothing on ANY of the websites! Even as we sit here watching the spam continue to flow in, we can't get ANY of the websites to show content!

Was it a bad path in the spam? (Regardless of brand they all used the same path.)

Was it quick action by those staunch anti-phishing crusaders in China? (The IP addresses are all the same . . . . . . which is hosted on CNCGroup in Shandong, China.)

Or is it possible that the Phisher is just that stupid? That he forgot to put the content on his webservers before he began to send his spam? I'm inclined to believe this is the situation here.

Say it with me . . .

"Bless his little heart..."

Here are the URLs that we saw . . . many times each:

Monday, October 27, 2008

Operación Carrusel sets an example for fighting Child Pornography

The Spanish government last week reminded us how easy it is to catch large groups of online perverts who enjoy downloading child pornography. Last week in Spain, Manuel Vasquez, the chief of the national police's "Brigada de Investigación Tecnológica", announced the detention of 121 people, and brought charges against 96 of them. 800 police officials performed 210 searches in 42 Spanish provinces, leading to the seizure of 347 hard drives, 1,186 CDs and DVDs, and 36 laptop computers. Among those charged was a member of the CNI (Centro Nacional de Inteligencia) and an agent of the National Police who worked in Spain. Four underaged students were also detained.

(watch the video in Spanish)

"Operation Carrousel" is the largest coordinated effort in the history of la Policía Nacional. The investigation began in July of 2007 when the Federal Police of Brasil (la Policía Federal de Brasil) shared log files from a major child pornography distribution network with the governments of 75 countries. The archives which they shared identified 18,000 IP addresses from which child pornography had been accessed, including 1,600 connections that had originated in Spain. Those IP addresses were turned over to the Brigade of Technological Research (BIT), who used them to identify 250 homes from which a great deal of the activity had occurred.

Those investigated were all "distributors" -- those who could be shown to have ACCESSED the Brazilian stash and also to have SHARED at least three files via Peer to Peer (P2P) networks that made clear reference to underaged pornography in their file names. Terms such as "preteen" or "pcth" (which in Spanish is an abbreviation for "preteen hard core") were suspected, and contents were checked to determine whether the files were in fact what they were labelled.

The Spanish article describing these events, at, closes by pointing out how the criminals in these situations are from all walks of life . . . taxi drivers, bank employees, police, commercial pilots, concierges, and teachers, . . . from all ages . . . 4 minors, 5 over the age of 60, 60 between the ages of 18 and 30, 74 from 31 to 40, 52 from 41 to 50, and 22 more between 51 and 60 . . . and from all parts of the country. 49 were arrested in Catalonia, 37 in Andalusia, 29 in Madrid, 22 in Valencia, 15 in Basque country, 13 in Castilla y Leon, 11 in Galicia, 8 in Castilla La Mancha, 7 in Canarias, 6 in Murcia, 5 in Aragón, 5 in Cantabria, 5 in Baleares, 4 in Extremadura, and 1 in La Rioja.

The crime is the same in most every country. We saw similar results in Australia this summer with Operation Centurion, which began when German authorities shared lists of IP addresses of those who visited a child porn website in Germany with other countries. In that case 1,500 Australian IP addresses were investigated -- so far as we can tell the ONLY country of the 170 with whom the Germans shared the information that did anything useful with it. In the opening raid in May, more than 70 Australians were arrested, and more than one million child exploitation images and videos were seized. Arrests in Australia now exceed one hundred people, with the most recent happening last week with the arrest of Robert Andrusiow in Wollongong.

The USA has not had a similar operation since the March 2002 Operation Candyman, which netted 89 offenders in 20 states after 266 searches were conducted. 27 of those arrested pleaded guilty to molesting more than 36 children.

In Operation Candyman, the Houston FBI's Child Exploitation Task Force set up a Yahoo "eGroup" at, and monitored the activities of visitors for nearly a year before the raids.

Like its predecessor, Operation Avalanche, which led to 100 arrests in 37 states, there were some rather strong challenges and accusations of entrapment. The problems generated from CandyMan and Avalanche need to be studied, and compared with the results of Spain's Operación Carrusel and Australia's Operation Centurion.

The lesson we should be learning from the successes in Australia and Spain is that it's not necessary to conduct undercover operations that may lead to charges of entrapment. We have technology on our side. Monitoring the highly trafficked child pornography websites of the world and determining where the visitors come from is a perfectly adequate way in which to scoop up large collections of online perverts. To be sure, some of those IP addresses will lead to open WiFi points, libraries, hotels, etc. But as we learned in Spain, many of the perverts are operating from their own homes, and using those same home addresses to do Peer to Peer "distribution". Searching their homes will certainly put officials on the trail to more badness, and will send an important message that is in need of an update: Child Pornography Is Not Tolerated in the United States of America.

Sunday, October 26, 2008

Phishing Clue Needed in Ecuador


Update: After 26 days of continuous abuse, all of the ".ec" domains mentioned below were terminated within 1 day of the posting of this article. Thanks to those who saw this and helped bring it to the attention of our new friends in Ecuador...

End Update

Help! If you happen to know someone who works at NIC.EC, would you be willing to help translate a phishing problem to them?

The current longest-lived phishing campaign on the planet is currently abusing a group of domains in Ecuador, and it's time for these domains to be terminated.

The domains in question are:

This campaign is part of the longest lived phishing campaign in the history of phishing, which has been continually plaguing Abbey Bank, a part of the Santander Group. It's long been obvious in the anti-phishing world that no one at Santander Group cares about phishing, so we pretty much just leave them alone. They don't answer emails, they don't have a visible level of participation in the Anti-Phishing Working Group, and they don't have a visible level of participation in the Digital PhishNet. They are also one of the few phishing-targeted banks on the planet that don't seem to use any external anti-phishing services. (Based on volume and longevity of phishing sites only -- if they are paying someone to shut down phishing sites, that company should find a new line of work.)

But this post isn't about Abbey. If Abbey were the only victim, I wouldn't be writing this. The problem is that the great success this phisher is having hosting his domains on ".ec" (Ecuador) domain space has caused him to branch out to target other brands.

The current Abbey path "/CentralFormWeb/Form/", has been in use since September 23rd. Since that date, I've received 64,473 alerts of phishing URLs on that path. The initial domains for the attack,,, and were quickly terminated. was created on September 26th and has been used constantly since that time., were added on September 27th, and and on September 30th.

Several other domains have come and gone during this campaign, including:,,,,,,,,,,

For each of the domains above, one can do "path replacement" to demonstrate that there are several brands being targeted. As an example:

The machine name portion does not matter. Any machine name may be used with any of the four paths.

American Express was added to the attack on October 20th. That's EXTREMELY unusual, as we almost never see attacks against American Express!

Scotia Bank was next, added to the attack on October 23rd, using, since its first day.

Lloyds TSB is the newest victim brand, introduced to these paths only on October 25th. The Lloyds and Scotia attack paths have only used 9 domain names so far this time around, with the paths "/myca/form/serverstack/action" and "/online/form.jsp/" respectively:

I'm watching for new domains both in my phish pheeds, and by monitoring the Nameservers and, both being currently preferred by this phisher.

Because these are "proxy hosted" phish, they may temporarily not resolve for 90 seconds or so until it is noticed that one of the proxies is non-functional. When that is detected, the phisher's monitoring system automagically updates the nameserver resolution to point to a new available proxy. With a pool of thousands of potential proxy redirectors, this phish will continue to live until our friends in Ecuador terminate the domain names.
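The resolution behaviour described here, and for the fast-flux dropper and registrar-phish domains in the posts above, can be surfaced from a log of repeated lookups without keeping any list of indicators: an answer set that churns between lookups, spreads across unrelated networks and carries a short TTL, plus a first-seen/last-seen history per IP to spot the addresses that have been in the pool longest. This is an added example, not code from the posts: the lookup log and domains are constructed, every IP is from an RFC 5737 documentation range, and the thresholds in is_fast_flux are assumptions.

```python
"""Flag fast-flux style resolution from a log of repeated lookups (added example).

Observations below are constructed: the domains use the reserved .invalid
TLD and every IP is from an RFC 5737 documentation range.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class Observation:
    ts: int          # seconds since some epoch (constructed)
    domain: str
    ttl: int         # TTL on the A records returned
    ips: tuple       # A records returned by this lookup


# A domain whose answer set rotates on every lookup with a 5-minute TTL ...
FLUX_OBS = [
    Observation(0,   "flux-example.invalid", 300, ("192.0.2.10", "198.51.100.20", "203.0.113.30")),
    Observation(300, "flux-example.invalid", 300, ("192.0.2.11", "198.51.100.20", "203.0.113.31")),
    Observation(600, "flux-example.invalid", 300, ("192.0.2.12", "198.51.100.20", "203.0.113.32")),
    Observation(900, "flux-example.invalid", 300, ("192.0.2.13", "198.51.100.21", "203.0.113.33")),
]
# ... and a conventionally hosted one for comparison.
STABLE_OBS = [
    Observation(t, "stable-example.invalid", 3600, ("192.0.2.50", "192.0.2.51"))
    for t in (0, 3600, 7200)
]


def by_domain(observations):
    groups = defaultdict(list)
    for o in observations:
        groups[o.domain].append(o)
    return {d: sorted(v, key=lambda o: o.ts) for d, v in groups.items()}


def ip_lifetimes(observations):
    """First and last time each IP answered: the 'quick history' the posts
    use to spot addresses that have been part of the botnet the longest."""
    seen = {}
    for o in observations:
        for ip in o.ips:
            first, last = seen.get(ip, (o.ts, o.ts))
            seen[ip] = (min(first, o.ts), max(last, o.ts))
    return seen


def longest_lived(observations):
    """(ip, seconds between first and last sighting) for the stickiest IP."""
    spans = {ip: last - first for ip, (first, last) in ip_lifetimes(observations).items()}
    ip = max(spans, key=spans.get)
    return ip, spans[ip]


def flux_metrics(observations):
    obs = sorted(observations, key=lambda o: o.ts)
    all_ips = {ip for o in obs for ip in o.ips}
    # Botnet proxies sit on unrelated consumer networks, so count /16s, not just IPs.
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in all_ips}
    # Churn: share of each answer set that was absent from the previous lookup.
    churn = [len(set(cur.ips) - set(prev.ips)) / len(cur.ips)
             for prev, cur in zip(obs, obs[1:])]
    return {
        "distinct_ips": len(all_ips),
        "distinct_slash16": len(prefixes),
        "mean_ttl": mean(o.ttl for o in obs),
        "mean_churn": mean(churn) if churn else 0.0,
        "window_s": obs[-1].ts - obs[0].ts,
    }


def is_fast_flux(metrics, min_ips=5, min_prefixes=3, max_ttl=600, min_churn=0.3):
    """Thresholds are illustrative assumptions, not values from the posts."""
    return (metrics["distinct_ips"] >= min_ips
            and metrics["distinct_slash16"] >= min_prefixes
            and metrics["mean_ttl"] <= max_ttl
            and metrics["mean_churn"] >= min_churn)


if __name__ == "__main__":
    for domain, obs in by_domain(FLUX_OBS + STABLE_OBS).items():
        m = flux_metrics(obs)
        print(domain, m, "FAST-FLUX" if is_fast_flux(m) else "stable")
    print("longest-lived flux IP:", longest_lived(FLUX_OBS))
```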

Thanks for any introductions you may have for us.

Oh - for any former CastleCops PIRT Handlers - I'm happy to report that the system seems "stable" and it's time to report back to work! We've had a few die-hard PIRT Handlers who have worked straight through - most notably "Downie" and "s0tet". I hope to see many of the rest of you back there soon!

A sample PIRT ticket for the Abbey/AmEx/Scotia phish would be:

Hopefully we'll have PIRT tickets for all nine of the active domains by this evening.

Thursday, October 23, 2008

The demise of index1.php PornTube Video Malware

When a criminal finds a good thing, he stays with it. One criminal has been doing exactly that since May 17th. Every day since May 17th, the UAB Spam Data Mine has received spam messages with shocking, offensive titles promising to have videos of offensively described sex acts, which pointed to webpages ending in "index1.php". I started to write today's article saying that it had finally stopped, but unfortunately, a small batch trickled in just before I sat down to write. (Two domains were in that batch -, which has already been fixed so that it is not able to deliver the malware - and, which is still hosting a fake YouTube page showing a sexual act and attempting to infect visitors with their malware.)

What I can say is that something has happened this week to dramatically impact the volume of this malware-advertising spam. While there were times when the volume was more than 10% of all spam, for the month of October this campaign averaged about 2% of the total spam volume per day. In May it was only a fraction of 1%, although present each day; in June it crossed 1%, peaking in mid-August when it was 3% of all spam we received.

During the course of this spam campaign, we received spam from more than 30,000 infected computers, which advertised malicious websites on more than 2,260 domains.

Each of those websites was an existing legitimate website, which was taken over by the criminals to allow them to post their malicious software on the site. Once their malware was in place, visitors would be invited to load software to view the movie (viewers with older browsers were infected even if they didn't ask to load the software). That malware in turn launched the installer for the then current fake Anti-Virus 2008 (currently calling itself AntiSpyware 2009).

A quick check of the 2,269 previously used domains shows that 166 of them are still hosting the malware.

Here are the links to the malware, in case someone would like to contact these webmasters and help them get this stuff removed.

We believe that the webmaster's own computer may be compromised. It appears that the criminal logs in to the websites using the administrator's userid and password, creates the directory where he is going to place his virus, and then uploads his files to it.

If you are a webmaster of one of these domains, we would very much like to see your server logs. Please email if you would be willing to share:

!!DANGER!! IF YOU ARE NOT A PROFESSIONAL ANTIVIRUS RESEARCHER, THESE LINKS ARE NOT FOR YOU!!!!
xe\antivir\AntivirusXP2008Installer.exe\videosecrt927.exe\my_hots_video.exe\my_hots_video.exe\video857porn.exe\pornotube\video1439654.exe\pornotube\video54582.exe\pornotube\video76566.exe\pornotube\video8657786.exe\video7346.exe\pornivideo03y45i.exe\pornivideo03y45i.exe\pornotube\video1439654.exe\pornotube\video54582.exe\pornotube\video76566.exe\pornotube\video8657786.exe\videosecrt927.exe\tvideo_my_hot.exe\free_vid.exe\videonjk568.exe\video623porn.exe\tvideo_my_hot.exe\videoPorn218hdy.exe\pornivideo03y45i.exe\videosecrt927.exe\pornotube\video1439654.exe\pornotube\video54582.exe\pornotube\video76566.exe\pornotube\video8657786.exe\video23678fe3.exe\pornotube\video1439654.exe\pornotube\video54582.exe\pornotube\video76566.exe\pornotube\video8657786.exe\videopornu376x.exe\videoPorn218hdy.exe\videoPorn218hdy.exe\video354rporn.exe\news_usama_video.exe\hot_video.exe\my_hot_video.exe\my_video_hot.exe\news_usama_video.exe\my_hotvideo.exe\pornovideo729lo.exe\pornotube\video1439654.exe\pornotube\video54582.exe\pornotube\video76566.exe\pornotube\video8657786.exe\pornotube\video1439654.exe\pornotube\video54582.exe\pornotube\video76566.exe\pornotube\video8657786.exe\my_hots_video.exe\videosecrt927.exe\pornovideo729lo.exe\video3468ht34.exe\my_hots_video.exe\videopornu376x.exe\pornnvideo238vf.exe

Wednesday, October 22, 2008

Ryan Goldstein: Digerati Faces "Justice"?

This will be brief. I promise.

You'll recall my frustration when the New Zealand hacker Owen Thor Walker, AKA "AKILL", was indicted as a "super hacker" back in April (see AKILL Convicted Are We Safer Now?), and my even greater frustration when he got off with no jail time, having only to pay $11,000 in restitution (which was only about 1/5th of what we could PROVE he had stolen!).

I'm back in frustration mode over the sentencing of Ryan Goldstein. Goldstein was finally sentenced yesterday in the Eastern District of Pennsylvania, after being indicted more than eleven months ago (November 1, 2007) for "18 USC 371 - Conspiracy to Commit Computer Fraud".

Ryan traded favors such as "an undetected, unreleased bifrost beta with 100% antivirus and firewall bypass", as well as passwords to various forums, to incentivize AKILL to DDoS groups which had bothered Ryan, including TAUNET, ssgroup, and others. Probably no one would have noticed or cared if it weren't for the fact that Ryan decided to host a malware update on some servers at the University of Pennsylvania, where he is a student. When Walker instructed his 50,000 compromised computers to update themselves with code from the UPenn server, it caused an "accidental" Denial of Service, disabling some of the network services at UPenn.

Ryan's lawyer, Ronald Levine of Post & Schell, got an extension until March 10th, but they decided to plead out, and did so on February 29th. Since then, sentencing was scheduled for June 10, August 5, August 19, and finally October 21st.

Ryan was finally sentenced yesterday to 90 days in jail, followed by 90 days in a halfway house, and 180 days of house arrest. He will also not be allowed to use a computer "other than for work or school activities" for five years.

The prosecution failed to bring any charges regarding the more than 1,000 child pornography images found on his computer. They then agreed that he could schedule the 90 days at his convenience, so as not to conflict with his class schedule. He'll probably serve them during summer vacation.

I'm not sure what kind of school wants to have a convicted computer criminal and child pornography collector as one of their students. I guess he'll get his degree and go find a job, after his brief visit to jail.

The judge apparently shared my frustration at the lack of serious charges, based on his remarks reported in the Philadelphia Inquirer yesterday. U.S. District Judge Michael Baylson completed the sentencing of Goldstein, and then turned to his next case, where he sentenced Derrick Williams to two years for possession of Child Pornography. The judge thought it worth noting that "It seems very unfair. . . . I want to note for the record that Mr. Goldstein is white and Mr. Williams is African American and that adds to my discomfort". According to the Philadelphia Inquirer, both men possessed roughly 1,000 images of child pornography.

According to the sentencing guidelines, Williams should have received an 8 to 10 year sentence.

Thursday, October 16, 2008

FTC stops AffKing and SanCash, so is Pill Spam Gone?

In yesterday's blog, we shared information about the FTC and New Zealand police's Takedown of AffKing and SanCash. As soon as I posted, people started asking, "Have you seen a decrease in pill spam?" So, this morning we went to Starbucks and checked out the morning spam over a few espressos.

To make sure we were using fresh spam, we looked only at spam from midnight until 6 AM for October 16, 2008. To begin, we sorted our spam into two big buckets: Pill Spam, and Everything Else. Then, we did some simple checking of what was in the Everything Else bucket, to reveal this graph:

We then opened up the "Pill Spam" data and started digging into the clusters. The emails in this category contained 12,040 URLs, of which 1,231 were unique. The most common URL was for the website which occurred 1,118 times, followed by with 960 occurrences and which was present in 570 emails.

28 URLs accounted for 50% of the pill spam emails.

87 URLs accounted for 75% of the pill spam emails.

179 URLs accounted for 90% of the pill spam emails.

The graphic below shows the top 65 URLs in the Pill Spam category, each of which appeared in at least 0.25% of the emails.
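The counting procedure described above (bucket the morning's spam, pull every URL out of the pill bucket, count occurrences and unique URLs, then find how many of the top URLs cover 50%, 75% and 90% of the volume) as an added Python example; this is not code from the original post. The sample messages, the keyword list used for bucketing, and the `.example` domains are constructed for the demonstration. The post does not say how its Pill Spam bucket was decided, so a keyword match stands in for it here, and "share of emails" is computed as the share of URL occurrences, which is an assumption about the post's method.

```python
import re
from collections import Counter

# Constructed sample corpus (not from the original post): each entry is the
# body of one spam message received in the analysis window.
SAMPLE_SPAM = [
    "Cheap VIAGRA online! Order now at http://pills-a.example/order",
    "Best CIALIS prices: http://pills-a.example/order and http://pills-b.example/cialis",
    "Your account needs verification http://bank-phish.example/login",
    "Discount Viagra http://pills-a.example/order",
    "Buy cialis here http://pills-c.example/ or http://pills-b.example/cialis",
    "Rolex replica watches http://watch-rep.example/",
    "Cheapest VIAGRA http://pills-a.example/order http://pills-d.example/x",
    "Soft cialis tabs http://pills-b.example/cialis",
    "Get your degree fast http://diploma.example/",
    "Viagra Cialis Levitra http://pills-a.example/order",
]

# Assumption: a keyword match stands in for whatever classifier split
# the spam into "Pill Spam" and "Everything Else" in the post.
PILL_KEYWORDS = ("viagra", "cialis", "levitra", "pills", "pharmacy")

# Matches http(s) URLs up to the next whitespace or HTML/quote delimiter.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def bucket_spam(messages):
    """Split messages into the pill bucket and everything else."""
    pill, other = [], []
    for body in messages:
        is_pill = any(k in body.lower() for k in PILL_KEYWORDS)
        (pill if is_pill else other).append(body)
    return pill, other


def extract_urls(messages):
    """Every URL occurrence across the messages; duplicates are kept
    because the post counts occurrences, not just distinct URLs."""
    urls = []
    for body in messages:
        # Strip trailing punctuation that the regex may have swallowed.
        urls.extend(u.rstrip(".,;") for u in URL_RE.findall(body))
    return urls


def url_stats(urls):
    """Total occurrences, number of unique URLs, and URLs ranked by count."""
    counts = Counter(urls)
    return len(urls), len(counts), counts.most_common()


def urls_needed_for_share(ranked, total, share):
    """Smallest number of top-ranked URLs whose occurrences reach `share`
    of `total` (the '28 URLs account for 50%' style figure)."""
    running = 0
    for i, (_, n) in enumerate(ranked, start=1):
        running += n
        if running >= share * total:
            return i
    return len(ranked)


def analyze(messages):
    """Run the whole procedure and return the headline numbers."""
    pill, other = bucket_spam(messages)
    urls = extract_urls(pill)
    total, unique, ranked = url_stats(urls)
    return {
        "pill_emails": len(pill),
        "other_emails": len(other),
        "url_occurrences": total,
        "unique_urls": unique,
        "top": ranked[:3],
        "urls_for_50pct": urls_needed_for_share(ranked, total, 0.50),
        "urls_for_75pct": urls_needed_for_share(ranked, total, 0.75),
        "urls_for_90pct": urls_needed_for_share(ranked, total, 0.90),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_SPAM).items():
        print(f"{key}: {value}")
```

On a real feed the interesting step is the ranking: a handful of URLs dominating the volume is what makes the per-hosting-provider breakdown in the post possible, and re-running the same script on a later window is the cheapest way to answer the "did the takedown change anything?" question.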

In each case, all of the domains from each provider were hosted on a single ISP. The domains were:

31% -

14% -

8% -

6% -

No Image Available - Site Offline

5% -

1% -

0.3% -

We'll revisit the topic of pill spam in two weeks' time to see if there has been any significant change in the field. It may be that the implications of the recent decision have not yet set in, or it may be that some of the spammers are so bold that they just switched affiliates and kept right on spamming!

For now, I'll leave you with the even worse truth about these spammers. They have dozens or even thousands of other domains already registered and ready to send spam. Each of the IP addresses above also hosts a plethora of other domain names which are sitting in reserve for future spam purposes. Some of these may be legitimate domains; I am not claiming they are all pill sites, but every one that I have checked so far was hosting a pill site:

VDHost of Latvia -

Hanaro Telecom in Korea on

Megaplan on

CNC Group on

ChinaNet on

The Planet on