Thursday, December 31, 2009

New Year's Waledac Card

We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like it's back!

I'm on vacation today, so I was actually alerted to the story by a friend twittering this SC Magazine story. Vacation or not, that was worth checking into. I took a dip into the UAB Spam Data Mine looking for domain names associated with this version of the malware.

We've seen more than sixty different Subject lines used by the spam:

2010 New Year Wishes!
A Great 2010!
A Happy New Year!
A New Year e-card is waiting for you
A special card just for you
Greeting Card from Santa
Greeting for you!
Greeting you with heartiest New Year wishes.
Greetings from Santa
Happy 2010 To U!
Happy 2010!
Happy New Year 2010!
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Happy New Year To U!
Happy New Year Wish!
Happy New Year wishes just for you
Happy New Year Wishes!
Happy New Year!
Happy, Happy New Year!
Have a funfilled and blasting NewYear!
Have a Great New Year!
Have a happy and colorful New Year!
Have a Happy New Year!
Have a very Happy New Year!
I made an Ecard for U!
I sent you the ecard
l want to share Greeting with you
New Year 2010 Ecard Special Delivery
New Year 2010 greetings for you
New Year 2010!
New Year Cheers!
New Year E-card for you
New Year Ecard Notification
New Year Wishes!
Regards from Santa
Santa has sent you a digital postcard!
Santa has sent you a greeting card!
Santa has sent you a Happy New Year E-Card!
Santa has sent you a New Year E-Card!
Santa has sent you a New Year greeting card!
Santa has sent you an E-Card!
Santa has sent you an ecard!
Santa has something to show you!
Santa sent you New Year Greetings
Santa sent you a Greeting!
Santa sent you New Year Wishes!
Santa wishes you a Happy New Year
Sparkling wishes on the New Year!
Special New Year Wish for you.
Warmest Wishes For New Year!
Welcome 2010!
Wishing you a Happy New Year!
Wishing you the Best New Year!
You have a greeting card
You have a New Year Greeting!
You Have An E-card Waiting For You!
You have received a greetings card
You Received an Ecard.
You've got a Happy New Year Greeting Card!
You've got a New Year card!
You've got an E-card

Each domain can be used with any subject, and with any of the following paths:


Domain names are pre-pended with random host names, such as:

These domains are of course registered at China Springboard Inc. On each domain name, you can click the name to see the Waledac Tracker report by our friend Jeremy at SudoSecure in Huntsville. Some of these domain names have as many as 12,000 entries in his Waledac Tracker!

- registered Oct 27, 2009 - NS1.FAVOLU.COM
- registered Aug 7, 2009 - NS1.FAVOLU.COM
- registered Nov 26, 2009 - NS1.FAVOLU.COM
- registered Sep 30, 2009 - NS1.FAVOLU.COM
- registered Aug 7, 2009 - NS1.FAVOLU.COM
- registered Sep 30, 2009 - NS1.FAVOLU.COM
- registered Oct 27, 2009 - NS1.FAVOLU.COM
- registered Nov 26, 2009 - NS1.FAVOLU.COM
- registered Nov 26, 2009 - NS1.FAVOLU.COM
- registered Nov 26, 2009 - NS1.FAVOLU.COM
- registered Nov 26, 2009 - NS1.FAVOLU.COM
- registered Nov 26, 2009 - NS1.FAVOLU.COM
- registered Nov 26, 2009 - NS1.FAVOLU.COM
- registered Nov 26, 2009 - NS1.FAVOLU.COM
- registered Aug 7, 2009 - NS1.FAVOLU.COM
- registered Nov 26, 2009 - NS1.FAVOLU.COM
- registered Oct 27, 2009 - NS1.FAVOLU.COM
- registered Oct 27, 2009 - NS1.FAVOLU.COM
- registered Oct 27, 2009 - NS1.FAVOLU.COM
- registered Nov 26, 2009 - NS1.FAVOLU.COM
- registered Sep 30, 2009 - NS1.FAVOLU.COM
- registered Sep 30, 2009 - NS1.FAVOLU.COM

DomainName : FRAMTR.COM

RSP: China Springboard Inc.

Name Server: NS6.FAVOLU.COM
Name Server: NS3.FAVOLU.COM
Name Server: NS1.FAVOLU.COM
Name Server: NS2.FAVOLU.COM
Name Server: NS5.FAVOLU.COM
Name Server: NS4.FAVOLU.COM
Status: clientTransferProhibited
Status: clientDeleteProhibited
Creation Date: 2009-11-26
Expiration Date: 2010-11-26
Last Update Date: 2009-12-31

Registrant ID: V-X-57482-12887
Registrant Name: HUA XINGJUN
Registrant Organization: HUA XINGJUN
Registrant Address: CHANGZHOUDADAO214
Registrant City: CZ
Registrant Province/State: JS
Registrant Country Code: CN
Registrant Postal Code: 213072
Registrant Phone Number: +86.051956612412
Registrant Fax: +86.051956612412
Registrant Email:

Some of these domains are already published in, such as: - this one is a Fake AV dropper. Here's the VirusTotal report showing 19 of 40 detects:

File size: 230994 bytes
MD5 : ab585c87652c933f82bbaddfd52ea15d
SHA1 : a142cb266ad6cd764501981f6bb194025b7c8cc8
- this actually causes a download from
- this one causes a download from
- (you'll be shocked to learn that domain is registered to someone in St. Petersburg, Russia . . . one Denis Sergunkin, already known to be hosting Fragus Exploit kits on other domains of his, such as and )
- this one also hits
- that one ALSO hits So, Denis? Are you paying the Waledac gang? Or ARE you the Waledac gang?

This time around the Waledac domains are hosted using Fast Flux, and they are also using Fast Flux for the Nameservers. As we've discussed before, this means that the addresses of the compromised computers are entered into the nameserver records as the host addresses for the malware domains. In other words, getting infected makes your computer spread the infection. So far we've seen more than 1500 computers being used by the malware in this way.

I'll load up a Virtual Machine in a bit to evaluate the actual malware.

Facebook Zbot Still Spreading

We're also seeing an on-going fake Facebook update, which is the Zeus bot. Here are the 45 domains we've seen in the UAB Spam Data Mine so far this morning:

Saturday, December 26, 2009

2009 Year in Review

As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share back with our readers what stories were most interesting to them, based on the traffic that was created to the blog. We'll do two more "Year in Review" stories, one focused on social computing threats, and one focused on the year's "Cyberwar" stories.

First I wanted to mention that in 2009, pageviews to the blog went up by about 74% over 2008. Although I had hoped for 200,000 pageviews this year, we fell a bit shy of the mark. As of December 26th, we've had 125,983 unique visitors bring us 192,409 pageviews in 150,722 visits.

Google was the primary way that people found our stories, and I am grateful to the folks at Google for hosting the blog again this year. After Google, the #2 referrer to the site was Facebook. It's nice to see people on Facebook warning each other about security risks and sharing links to the blog with each other. #3 was Twitter. Although I have a bit more than 550 followers on Twitter, it's also been nice to see a large number of retweets with links back to the blog. Thanks to all the Facebookers and Twitterers who have been sharing our stories with their friends and followers.

2009 Top Stories by Readership

1. Webmasters Targeted by CPanel Phish - many hosting companies and webmaster organizations helped spread the word about this unique phishing attack that wasn't trying to steal banking passwords, but rather webmaster passwords. The goal of the attack was to compromise the login credentials that allow webmasters to change their webpages, which is exactly what we've been seeing this week: thousands of accounts taken over so that their webpages could be injected with malicious iframes, compromising visitors to existing websites with a "clean" history.

2. Fake FDIC spam campaign spreads Zeus malware - one of the most prevalent ways to steal identities this year was to begin with a broadly targeted social engineering scare which enticed visitors to click links that would lead to malware. In this case, the spam warned "Your bank has failed!" and provided a link to your "personalized FDIC report" to determine if your deposits were covered by insurance.

3. Computer Virus Masquerades as Obama - despite being a November 2008 story, websurfers continued to follow links to our story about malware being distributed in links that claimed to be messages from our President.

4. DownAdUp, Conflicker, Conficker, whatever you want to call it, this worm drew tons of attention from January until March. Then, after what most consider an April 1st "flop", the worm got very little media attention. This is largely because of the successful efforts of the Conficker Working Group, which has worked behind the scenes to keep the malware at bay and to warn network operators. Most don't realize that there are still more than 6 million Conficker-infected computers in the world.

5. Outlook Web Access and Fake Microsoft Outlook Update both drew large amounts of attention as spammers took advantage of the popularity of Microsoft's mail software to trick users into downloading malware.

6. Gumblar's 48,000 compromised domains make the web a dangerous place was also a popular story. Sharing details about the IFRAMES injected into the compromised webpages helped webmasters to know that they were part of the attack.

7. The IRS version of Zeus was one of several stories where the distributors of the Zeus password-stealing software used government-themed spam campaigns to fool email recipients. They also imitated the Centers for Disease Control and the Social Security Administration.

8. One on-going trend that we've seen was covered in our story Carders Do Battle Through Spam. These battles, which I call "pigeon fights", involve a spammer sending out false and very criminal accusations against another online criminal group. In this case, there was a bit of truth, as the spam claimed that sells illegal credit cards, while in other cases they may be accused of terrorism, child pornography, or human trafficking. The goal seems to be to get enough law-abiding citizens to report the horrible spam they got to focus law enforcement attention on a competitor.

9. It's nice to be able to share good news in our blog, and the best kind of news is when cyber criminals get arrested. Our story The FBI's Biggest Domestic Phishing Bust Ever covered Operation: Phish Phry, where more than 50 Americans and a number of Egyptians were arrested as part of an international phishing conspiracy that had stolen funds from more than 5,000 American bank accounts.

10. Our next largest story was the coverage we offered to a Spam Crisis in China. That one is not over yet, but a major step forward was accomplished this month when CN-NIC announced new rules on domain registrations. We'll be reviewing the results of these rules, which limit the fraudulent use of ".cn" domains, to determine what impact the changes are having on spam so far.

Other stories that received high volumes of traffic included:

* - Koobface Wrecks Search Results. Koobface remains one of the greatest cyber threats we're currently facing.

* - Several stories about the Waledac malware, including a Couponizer version of Waledac, an SMS Spy Waledac, a Dirty Bomb in Your City Waledac, and an Independence Day Waledac.

* - I continue to be contacted daily by people who have been hit by a Traveler Scam claiming a stranded friend needs money. Most of these are Nigerian account takeovers of Hotmail,, and Yahoo email addresses which are then used to email all the friends found in the address book.

* - and of course the Erin Andrews / Twitter / Naked Newscaster story, which will continue to get traffic forever because it has the word "naked" in the title.

Thanks to Those who Link to our Stories . . .

We've had some faithful friends who have been kind enough to mention the blog. I probably should have run this as a separate story at Thanksgiving time, but for all of you listed below, Thank You! Whether you are security experts, journalists, or fellow bloggers, I am happy to count us all on the same team.

The Internet Storm Center at SANS has linked stories several times from their Handlers Diary. These selfless individuals donate their time to track emerging threats and from time to time share stories from this blog with their readers. Judging by the impact on this blog when one of our stories is mentioned there, they have an enormous readership. Traffic-wise, it is better to show up in the SANS ISC Diary than to be Slash-Dotted!

Brian Krebs of the Washington Post continues to be the most influential journalist in the Internet Security space and has been kind enough to mention our stories on several occasions in 2009. His legendary leadership in the McColo campaign has changed the way the world looks at evil web hosting, but his constant awareness of what's happening in cybercrime has also kept him at the forefront of investigative journalism in our space. I can't wait to see what Brian does in 2010!

UAB's Computer & Information Sciences department has also driven considerable traffic to the blog - and not just from my students! Our unique offering of a certificate in Computer Forensics that combines the disciplines from Criminal Justice, Forensic Science, and Computer Science is gaining popularity as the correct approach to preparing cybercrime investigators for their career.

The Composite Blocking List sent us traffic all year long, but mostly from a single story, which was their definitive coverage of the effects of the McColo shutdown on spam. Using a blocklist like the CBL, SpamHaus SBL, or SURBL is a highly recommended anti-spam practice.

Ryan Naraine and Dancho Danchev should be on every security person's Google Reader list. With a nice mix of straight security and cybercrime, the consistency and quality of this blog drives a lot of traffic when we get a nod from them.

Security.NL is one of the most consistent referrers to the blog and drives a lot of traffic our way. Last year they linked to our blog thirty separate times! Since I don't speak Dutch, I can only hope that a "beveiligingsexpert" is a good thing, because they say I am one! Thanks for making sure our friends in the Netherlands are on top of cybercrime and security issues!

IDG's Robert McMillan also is a journalist who is breaking an enormous number of cybercrime stories, although it's harder to quantify the number of referrals from his blogs because they show up as links from PC World, ComputerWorld, Network World, Linuxworld, CIO, CSO, InfoWorld, and the foreign language versions of so many of those as well. Bob is another hard-working cyber security journalist who often exposes me to new stories that end up being covered in this blog. Thanks, Bob!

The Register also continues to break stories regularly on cybercrime issues, and has frequently sent traffic our way - especially in stories from Dan Goodin and John Leyden.

SC Magazine continues to grow in popularity and influence as well, and we've been favored by mention several times this year from Dan Kaplan. He's a journalist well worth following! It was also great to work with their editor, Illena Armstrong, on the SC 24/7 Virtual Symposium on botnets.

Thanks also to some others who regularly send traffic to this blog:

Security Focus: Headlines

SiL at InBoxRevenge and all the great anti-spammers there . . . (and also SiL's blog, I Kill Spammers.)

the Malware Domains List and their forums.

ThreatChaos blogger Richard Stiennon

and our friends at HK CERT, Simple Machines, Dark Reading, Le Monde, New York Times, ComputerForensicsBlog, PGP Blog, Naver Blog, and all the rest . . .

Tuesday, December 22, 2009

Where Is Avalanche Headed? BBVA! And United Bankers Association

The Avalanche botnet continues to send out spam for spreading malware and phishing. Its newest target is Spanish banking giant BBVA.

We don't get a lot of Spanish spam to the UAB Spam Data Mine, but we have received several copies with subjects like:

Establecidas nuevas medidas de seguridad
Aviso Urgente
nuevas medidas de seguridad
Nuevas Medidas De Seguridad
Haga El Favor De Confirmar Sus Datos
Aviso Importante Para Los Clientes Del Banco

The message looks like this:
Estimado cliente,
Servicio técnico del banco BBVA renovó el software para mejorar el servicio de los clientes del banco.
Para asegurar la integridad de sus datos Usted tiene que rellenar el Formulario de cliente.
Para empezar a rellenar el formulario pulse en el vínculo:
Esto es un mensaje automático, no hace falta que respondas.
Reciba un cordial saludo,
Grupo BBVA.

The samples that we have so far use these domain names:

The list is already growing . . . up to 14 now . . .

The first page of the websites just asks for a Userid and Password:

The second page asks visitors to provide 100 three-digit numbers which are used as a fraud prevention mechanism by the bank. In normal usage, visitors to the bank are prompted with an X and Y coordinate, like "A7", and will add to their password the three-digit number that is found at that position on their card. Each banking customer has their own unique card. The phisher here can't use a stolen userid and password unless they also have the card information, so they are asking for THE ENTIRE CARD!

But what else can we learn by looking at Passive DNS?

As with all of the "Avalanche family" of phishing and malware sites, the site is hosted via Fast Flux. That is, infected personal computers around the world have malware on them which allows the criminal to point his Nameserver settings to these compromised home computers. When someone clicks on the spam message, they are directed not to the criminal's webserver, but to one of these compromised home computers.

The Fast Flux phrase refers to the fact that the criminal constantly updates his nameservers to rotate the hosting of the spammed hostname across many hundreds of bots.
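The pattern described here, and in the Waledac post above, is the same: the spammed hostname and its name servers both resolve to a changing set of infected machines, with short TTLs so the rotation takes effect quickly. The script below, added here and not part of the original post, scores a constructed series of DNS answers for that pattern; the addresses come from documentation ranges, the thresholds are assumptions, and a real investigation would feed it passive DNS or repeated lookups and map addresses to ASNs rather than /24s.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations for one spammed hostname (made-up values, not data
# from the post). Each tuple: (seconds since first lookup, record kind, TTL, answer).
#   "A"    = address returned for the spammed hostname itself
#   "NS_A" = address its authoritative name server resolved to at that moment
FLUX_SAMPLE = [
    (0,    "A",    300, "192.0.2.17"),     (0,    "A",    300, "198.51.100.8"),
    (0,    "NS_A", 600, "203.0.113.5"),
    (300,  "A",    300, "203.0.113.44"),   (300,  "A",    300, "192.0.2.17"),
    (300,  "NS_A", 600, "203.0.113.5"),
    (600,  "A",    300, "198.51.100.201"), (600,  "A",    300, "192.0.2.90"),
    (600,  "NS_A", 600, "198.51.100.77"),
    (900,  "A",    300, "203.0.113.129"),  (900,  "A",    300, "198.51.100.8"),
    (900,  "NS_A", 600, "192.0.2.250"),
    (1200, "A",    300, "192.0.2.3"),      (1200, "A",    300, "203.0.113.200"),
    (1200, "NS_A", 600, "198.51.100.77"),
]

# Constructed control: a load-balanced site also answers with many addresses
# and a short TTL, but they all sit in one network and its name server is stable.
BENIGN_SAMPLE = [
    (0,   "A",    60,    "203.0.113.10"), (0,   "A",    60,    "203.0.113.11"),
    (0,   "NS_A", 86400, "192.0.2.53"),
    (300, "A",    60,    "203.0.113.12"), (300, "A",    60,    "203.0.113.13"),
    (300, "NS_A", 86400, "192.0.2.53"),
    (600, "A",    60,    "203.0.113.14"), (600, "A",    60,    "203.0.113.10"),
    (600, "NS_A", 86400, "192.0.2.53"),
]


def summarize(observations):
    """Per record kind: distinct addresses, distinct /24 networks, lowest TTL,
    and how many later lookup rounds introduced an address not seen before."""
    by_kind = defaultdict(list)
    for t, kind, ttl, answer in observations:
        by_kind[kind].append((t, ttl, answer))
    stats = {}
    for kind, rows in by_kind.items():
        seen, churn_rounds = set(), 0
        for t in sorted({t for t, _, _ in rows}):
            new = {a for rt, _, a in rows if rt == t} - seen
            if seen and new:
                churn_rounds += 1
            seen |= new
        stats[kind] = {
            "distinct_addresses": len(seen),
            # /24 is a crude stand-in for "different networks"; a real analysis
            # would map each address to its ASN and country.
            "distinct_networks": len({ip_network(f"{a}/24", strict=False) for a in seen}),
            "min_ttl": min(ttl for _, ttl, _ in rows),
            "churn_rounds": churn_rounds,
        }
    return stats


def classify(stats, min_addresses=5, min_networks=3, max_ttl=600):
    """Thresholds are assumptions for this example. 'fast_flux' means the hostname
    itself rotates across unrelated networks with a short TTL; 'double_flux' means
    the name servers rotate too, as the post describes for Waledac and Avalanche."""
    a, ns = stats.get("A"), stats.get("NS_A")
    fast_flux = bool(a) and (
        a["distinct_addresses"] >= min_addresses
        and a["distinct_networks"] >= min_networks
        and a["min_ttl"] <= max_ttl
    )
    double_flux = fast_flux and bool(ns) and (
        ns["distinct_addresses"] >= 3 and ns["distinct_networks"] >= 2
    )
    return {"fast_flux": fast_flux, "double_flux": double_flux}


if __name__ == "__main__":
    for label, sample in (("flux hostname", FLUX_SAMPLE), ("load-balanced site", BENIGN_SAMPLE)):
        stats = summarize(sample)
        print(label, stats["A"], classify(stats))
```

The control sample is the reason the network-diversity check exists: a short TTL and many addresses alone also describe an ordinary load balancer, so a detector keyed on TTL by itself produces false positives.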

As an example, here are some of the IP addresses for the hostname:

When we investigate one of those IP addresses, we find that the same Fast Flux hosts were found to also be hosting the Zeus malware distribution sites that we've discussed earlier, and also a "United Bankers Association" site.

We can still see the UBA version, and find many samples of it in the UAB Spam Data Mine, such as these:

The bank you have an account in, is declared bankrupt. Learn How to Save your Money: >link<

Subjects for this spam include:

A message for the owner of ******** bank account.
A new back is declared bankrupt.
Bankrputcy declaration.

Yeah, it really says "back" instead of "bank" and really uses "********" in the subject line.

The sites we found sharing Fast Flux hosting with the BBVA campaign include:

We saw tons of this spam yesterday for a variety of domains and hostnames, such as:

This site doesn't provide ANY information about the so-called bankruptcy of "your bank", but it does tell you that you have to upgrade your Adobe Macromedia Flash Player:

The malware distributed there, called "flashinstaller.exe" is binary identical to the current fake Visa malware, "cardstatement.exe". A VirusTotal Report shows 13 of 41 anti-virus products currently detecting the malware.

Additional information
File size: 188928 bytes
MD5 : d61c6195eda54b1009208ba823ccdac4

There are also tons of "" links, such as:

Monday, December 21, 2009

Some updates . . . Visa/Zeus and Google Jobs

On December 12th we covered a new "" version of the Zeus distribution spam (see story: Ongoing Visa Scam Drops Zeus Zbot).

There are at least forty domains seen in today's spam. Please see the story above for more on the URL pattern (the machine name may begin with "alerts", "reports", "statements", "transactions", or "sessionid" followed by random characters), but here is one sample URL for each domain:

It's too early to know for sure what malware this is, because currently only 4 of the 41 anti-virus products at VirusTotal detect it as anything at all. Sunbelt calls it Bredolab; the three others all say only that it is "suspicious". I'll try to run it through our malware VM later today and make a more definite judgement.

VirusTotal Report here

File size: 188928 bytes
MD5 : d61c6195eda54b1009208ba823ccdac4

Google Jobs Update

We warned about a Google Jobs scam back on December 1st (see article: Google Jobs Scam -- Read the Fine Print!!). Google actually sued the scammers who were running that scheme on December 9th (see article: Google v. Pacific WebWorks). Unfortunately the spam, and the scamming, continues unabated.

One example would be the spam messages for this "" blog:

which leads to the website "", which forwards to the website "", which recruits people to join the scam by sharing their credit card number on the site "".

On that site, the same scam is still being run by this organization:

Search 4 Profit, LLC.
7614 Arvilla Avenue.
Sun Valley, CA 91352

The Fine Print still reads:

Terms and Disclosures. Billing authorization obtained pursuant to the Uniform Electronic Transaction Act and the Electronic Signatures in Global and National Transactions Act. By submitting this form, I am ordering Search Secret Systems for a 7-day bonus period for $1.97 billed to my credit Card; If you enjoy Search Secret Systems, simply do nothing. On the 7th day my credit card will automatically be charged an easy payment of $89.26 once a month for three months. After the three months you will not be billed again. You will then maintain unlimited access to our member site. During your three month program you may cancel anytime by calling 1-877-361-8622 M - F, 8am-8pm MST.

Amazingly, the phone number was answered and a person actually asked how they could help me! When we wrote the first article, the phone rang and rang, but no one ever answered.

Of course, there are still quite a few ways this is illegal, even if they do now answer the phone, including the CAN SPAM violations. The email "from" address is forged and there is no "unsubscribe" link of any sort, nor is there a physical mailing address, despite this being a commercial offer. Here's an example spam message:

Never work in an office again! I've been working for someone else my entire life. A few weeks ago I found out about working for Google online so I decided to check it out. I signed up and read a few articles and tried a few different things and within 6 weeks I was making enough to quit my full time job to work at home! If this sounds like something that interests your, check out URL
A song, a song, high above the trees

Work for the world's largest employer today lori has Earned $2,069 This December Alone! Check it out here:
O tidings of comfort and joy.

Friday, December 18, 2009

Who is the "Iranian Cyber Army"? Twitter DNS Redirect

(Update: 12JAN10 - Iranian Cyber Army Returns -- Target: )

#1 Search on Google in the past hour: "Iranian Cyber Army"
#2 Search on Google in the past hour: "Twitter hacked"

What do these things have to do with each other?

A formerly unknown group, the Iranian Cyber Army, was able to redirect the DNS for Twitter, causing all visitors to be temporarily redirected to another IP address, not belonging to Twitter, and sharing the message from the Iranian Cyber Army that they are cooler hackers than you.

Since we do actually track website defacers at UAB, and since we've never heard of the Iranian Cyber Army, we thought we would take a quick peek in our favorite Iranian hacker rooms to see who was boasting of their conquest.

First we found "vhdmsm" sharing details of the attack in the Iranian Hacker Forum, Ashiyane Digital Security.

They quote the defacement:


Iranian Cyber Army

U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don't, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To....

Take Care

and post links to the Twitter Blog entry about the attack, and a CNET news story.

But there is no indication they were themselves involved.

We're going to need some more evidence. Perhaps someone should be talking to the folks at BlueHost this morning.

See for yourself?

A little twiddling with various DNS Caching systems, and we were able to find the IP address to which traffic had been redirected:

There are some interesting domains there, including:

That site is interesting, because it's on Bluehost, in the United States.

which currently shows content made from these graphic files (I've moved them to a more permanent location...just in case):

In my opinion, it looks like that server was compromised via WordPress vulnerabilities, but that is just an educated guess based on content at this time. So, it looks like the hacker first hacked one of the sites on the Bluehost box, other,, or, then redirected all the twitter traffic to that IP by changing the Nameserver entries for Twitter to point away from their normal Google-provided IP addresses to instead.

Tuesday, December 15, 2009

China changes registration rules - will spam changes follow?

Big news from China with regards to their domain name registration policies.

Readers of the blog know that I have regularly complained about criminals from around the world abusing the services of Chinese domain name registration companies. We have also commented on the practice of "bullet-proof hosting", for instance in our story Spam Crisis in China.

I am happy to report that the fine people at the China Internet Network Information Center (CNNIC) have taken action to address this situation!

Thanks to Robert McMillan from IDG for giving me the Twitter tip-off on this story!

Many Chinese news sources are reporting the story:

Individuals banned from .cn application is the report from the Shanghai Daily

China barred individuals from applying for Chinese domain names, ending with .cn, from yesterday as part of a national campaign against pornographic content spread online, the industry regulator said.

Applicants for domain name registration are required to hand in written application forms, with a business license and the applicant's identity card, according to the China Internet Network Information Center (CNNIC).

The new application system will help the CNNIC better regulate the Internet environment in the country and crack down on improper content online, experts said.

CNNIC decided to screen applicants' qualifications strictly to stop individuals obtaining domain names using fake information, said Liu Zhijiang, vice director of the regulator.

"The applications in written form can help us do our work more accurately," media reported quoting Liu.

Reading the recent announcements from China Internet Network Information Center we can see that changes began to be introduced on November 30.

In the article, With Regard to Complaints from the Public Domain Name Registration Services, two new requirements are given to all Domain Name Registration Services:

1) they must prominently display a link to the Ministry of Industry and Information Technology along with their MIIT approval number to do business in this area.

2) they must prominently display information on how to make a domain name registration complaint to the CNNIC, including their email, telephone, and fax number for CNNIC.

In their own version of security through journalism (the term we use in the US is "Krebsing"), CNNIC revealed in their letter of December 10th that further changes would be coming as a result of a television documentary on the CCTV program "Focus" and other media reports that indicated that criminals using false information were registering websites to carry out illegal activities. They announced in their open letter, On the strengthening of domain name registration service management, that changes would be coming to crack down on "pornographic websites", stating that "CNNIC has a duty to the country as the domain name registration authority to take responsibility to stop this illegal activity."

As part of this letter, they announce that "in the face of rampant phishing, they have joined the internet community to establish an 'anti-phishing website union' more than a year ago, and in the previous year have shut down more than 8,000 phishing websites to protect the public interest."

As part of their plans, the CNNIC has pledged to shut down companies performing registrations for illegal activities, and to enhance their manpower and resources to address complaints more rapidly. They have also provided a 24 hour Customer Service Telephone number and an email that can be used to report illegal domain activity:

7 x 24 hour Customer Service Tel: 010-58813000
Fax: 010-5881266

An announcement followed also on December 10th, With regard to domain name registration: Information to carry out notification of special treatment. In this announcement the rule was made that any domain name must contain "true, accurate and complete domain name registration information" and that any domain name registration that was untrue, inaccurate, or incomplete would result in the domain name being terminated. This new ruling specifically extends to previously registered domains as well - any previously registered domain reported to have false registration information is to be cancelled within five days. Any agents acting on behalf of the registration company (the phrase is "lower-level agents" - I believe this specifically refers to resellers) are also to be held to these requirements.

In a second announcement on December 11th, Domain name registration information on further strengthening the audit notice, CNNIC also announced that effective at 9 o'clock on December 14th, all domain name registrations would need to be submitted ONLINE AND IN WRITING and include:

- a copy of the registration application stamped with the official seal of the applicant
- a copy of the enterprise business license
- optionally, an organization certificate (for non-businesses)
- a photocopy of the applicant's identity paperwork

The announcement states that the Domain Name Registration Service must then carefully examine the written materials and send a copy to CNNIC.

The online registration is allowed to proceed in realtime, but if the written materials are not received within five days, the domain name must be canceled.

We will anxiously await measurement of the results of this new policy. There are several news stories referring to particular registration companies being banned from future .cn registration until they come into compliance. According to John Leyden's article Chinese domain crackdown targets smut sites these include:

(John was quoting Global Times of China)

Saturday, December 12, 2009

Ongoing VISA scam drops Zeus Zbot

I guess the UAB Spam Data Mine is having a bad day! Our VISA card is being used in Kuwait!

Dear VISA card holder,

A recent review of your transaction history determined that your card was used at an ATM located in Kuwait, but for security reasons the requested transaction was refused. Please carefully review electronic report for your VISA card

It's also being used at an ATM located in:

Albania, Angola, Argentina, Australia, Bahamas, Cambodia, Central African Republic, China, Cuba, Cyprus, Egypt, Ethiopia, France, Greenland, Guam, Honduras, Italy, Jamaica, Japan, Jordan, Korea, Liberia, Lithuania, Luxembourg, Mauritania, Monaco, Mozambique, Nepal, New Zealand, Niger, Oman, Palau, Panama, Paraguay, Peru, Philippines, Romania, Russian Federation, Rwanda, Seychelles, Somalia, Sri Lanka, Switzerland, Taiwan, Tajikistan, Thailand, Turkmenistan, United Arab Emirates, United Kingdom, Uruguay, Zambia, and probably others.

We know that it's real, because for security purposes they X'ed out part of our number, as you can see on this destination website below.

Of course, EVERY VISA card starts with a "4", so that isn't actually a very useful hint.

The subject lines in our emails were:

possible fraudulent transaction
possible fraudulent transaction and/or collusion
possible fraudulent transaction and/or collusion with your VISA card
possible fraudulent transaction has been executed
possible fraudulent transaction has been executed with your VISA card
possible fraudulent transaction is identified
possible fraudulent transaction is identified with your VISA card
possible fraudulent transaction occurred
possible fraudulent transaction occurred with your VISA card
possible fraudulent transaction with your VISA card

The "STATEMENT" link on the website is for an executable named "cardstatement.exe".

The copy we sent to VirusTotal was detected by 16 of 41 AV products according to this VirusTotal Report.

It's a big file. File size: 131072 bytes
MD5 : 1560a00d7e83a085ac76b5d514761baa

Several of the major AV vendors are already detecting it as "zbot".

We've seen the malware spammed on 118 different domain names since the start of the campaign, with more than 17,000 copies of the spam received in the UAB Spam Data Mine. In front of the domain name are several possible prefixes:

Here are the 118 domain names we've seen so far:

Only a small handful of these are live. We're seeing mostly the ".be" domains right now, such as:

Those are the URLs seen in the freshest spam. The criminal seems pretty reliable about shifting to new domains when the old ones go offline.

Be very careful about visiting these pages . . . the new Zbot distribution websites also contain drive-by infectors. The current one is being dropped via an IFRAME which points here:


That drops a malicious PDF called "pdf.pdf" and a malicious flash file called "swf.swf". It also looks like it calls a file called "sNode.php".

Here is a VirusTotal report for pdf.pdf (12 of 41 detects)

File size: 21784 bytes
MD5 : 254f1479f6546ad62651ae572a16b4e8

and a VirusTotal report for swf.swf (0 of 41 detects)

File size: 10735 bytes
MD5...: 48a36eaf2ca13802f539c9bf065781af

Seems rather strange that they would be pushing a "safe" Flash file. Could it really be a totally undetectable .SWF file exploit? Bear in mind that 0 of 41 on VirusTotal only means that no vendor had a signature for it at submission time, not that the file is benign; a small .SWF whose only job is to stage the real exploit usually looks harmless to a signature scanner. Professional researchers, please help yourselves. Opinions wanted.

The additional droppers are currently fetching two files:

1file.exe (Virus report here) - is a Zbot infector with 17 of 41 detects. Note that its size and MD5 are identical to the "cardstatement.exe" above: it is the same binary, and the 16-versus-17 difference is just two VirusTotal scans of the same hash at different times.
File size: 131072 bytes
MD5 : 1560a00d7e83a085ac76b5d514761baa

file.exe (Virus report here) - is also a Zbot infector with 14 of 41 detects.
File size: 130048 bytes
MD5 : ded54d739fa2e4c66d4a488d3b855861

I guess the nice thing about that directory is that it's an open, browsable directory, complete with a "ReadMe_!!!.txt" file.

Here's the source code for a nice little file called "install.sql". Perhaps we can learn a bit about how the Avalanche spammer works from this file.


-- phpMyAdmin SQL Dump
-- version 2.6.1
-- Host: localhost
-- Generation Time: Jul 17, 2009, 22:57
-- Server version: 5.0.45
-- PHP Version: 5.2.4
-- Database: `123321`
--
-- (Comments translated from Russian. Only the column lines of each table survived
-- the copy; the CREATE TABLE wrappers and PRIMARY KEY clauses below are reconstructed
-- so that the dump loads, and are not in the original file.)

-- --------------------------------------------------------

-- Table structure for table `browsers`

CREATE TABLE `browsers` (
  `id` tinyint(4) NOT NULL auto_increment,
  `name` varchar(16) default NULL,
  PRIMARY KEY (`id`)
);

-- Dumping data for table `browsers`

INSERT INTO `browsers` VALUES (1, 'Opera');
INSERT INTO `browsers` VALUES (2, 'Konqueror');
INSERT INTO `browsers` VALUES (3, 'Lynx');
INSERT INTO `browsers` VALUES (4, 'Links');
INSERT INTO `browsers` VALUES (5, 'MSIE etc');
INSERT INTO `browsers` VALUES (6, 'Netscape');
INSERT INTO `browsers` VALUES (7, 'Mozilla');
INSERT INTO `browsers` VALUES (8, 'Firefox');
INSERT INTO `browsers` VALUES (9, 'Unknown');
INSERT INTO `browsers` VALUES (10, 'MSIE 7');
INSERT INTO `browsers` VALUES (11, 'MSIE 8');

-- --------------------------------------------------------

-- Table structure for table `countries`

CREATE TABLE `countries` (
  `abrev` char(2) NOT NULL default '',
  `name` varchar(44) character set cp1251 collate cp1251_general_cs default NULL,
  KEY `abrev` (`abrev`)
);

-- Dumping data for table `countries`

INSERT INTO `countries` VALUES ('AP', 'Asia/Pacific Region');
INSERT INTO `countries` VALUES ('EU', 'Europe');
INSERT INTO `countries` VALUES ('AD', 'Andorra');
INSERT INTO `countries` VALUES ('AE', 'United Arab Emirates');
INSERT INTO `countries` VALUES ('AF', 'Afghanistan');
INSERT INTO `countries` VALUES ('AG', 'Antigua and Barbuda');

(Gar-Note: Skipping Big Long Country List here)

-- Dumping data for table `hit2plug`
-- (neither the structure nor the rows of `hit2plug` were in the copy)

-- --------------------------------------------------------

-- Table structure for table `loads`

CREATE TABLE `loads` (
  `id` int(11) NOT NULL auto_increment,
  `sploit_id` int(11) NOT NULL default '0',
  `time` varchar(16) NOT NULL default '',
  `hash` varchar(32) NOT NULL default '',
  PRIMARY KEY (`id`),
  KEY `hash` (`hash`)
);

-- Dumping data for table `loads`
-- (no rows shown)

-- --------------------------------------------------------

-- Table structure for table `os`

CREATE TABLE `os` (
  `id` tinyint(4) NOT NULL auto_increment,
  `name` varchar(32) NOT NULL default '',
  PRIMARY KEY (`id`)
);

-- Dumping data for table `os`

INSERT INTO `os` VALUES (1, 'Linux');
INSERT INTO `os` VALUES (2, 'Windows 95');
INSERT INTO `os` VALUES (3, 'Windows 98');
INSERT INTO `os` VALUES (4, 'Windows XP SP2');
INSERT INTO `os` VALUES (5, 'Windows 2000');
INSERT INTO `os` VALUES (6, 'Windows XP');
INSERT INTO `os` VALUES (7, 'Windows 2003');
INSERT INTO `os` VALUES (8, 'Windows Vista');
INSERT INTO `os` VALUES (9, 'Windows Mobile');
INSERT INTO `os` VALUES (10, 'Macintosh');
INSERT INTO `os` VALUES (11, 'FreeBSD');
INSERT INTO `os` VALUES (12, 'Unknown');

-- --------------------------------------------------------

-- Table structure for table `sploits`

CREATE TABLE `sploits` (
  `id` int(11) NOT NULL auto_increment,
  `name` varchar(32) NOT NULL default '',
  `loads` int(11) NOT NULL default '0',
  PRIMARY KEY (`id`)
);

-- Dumping data for table `sploits`

INSERT INTO `sploits` VALUES (1, 'RDS.DataSpace', 0);
INSERT INTO `sploits` VALUES (2, 'PDF.Collab', 0);
INSERT INTO `sploits` VALUES (3, 'PDF.Printf', 0);
INSERT INTO `sploits` VALUES (4, 'PDF.Icon', 0);
INSERT INTO `sploits` VALUES (5, 'Other', 0);

-- --------------------------------------------------------
The `countries` table is MaxMind's GeoIP country list (the 'AP' Asia/Pacific Region and 'EU' Europe pseudo-codes give it away), so the guys at MaxMind will be excited to know that these criminals are using their data to geolocate infected bots.

The creators of the "FSPack" malware engine will also be proud to count these guys as customers.

It looks like we've got four exploits that are going to try to run when we visit, if you can trust the loader. RDS.DataSpace is OLD, like MS06-014 (2006). A note on SecurityFocus in 2007 says that the MPack hacker tool uses it. Apparently the FSPack hacker tool does too! The three PDF entries are the Adobe Reader JavaScript bugs that were standard in kits of this period: Collab.collectEmailInfo (CVE-2007-5659), util.printf (CVE-2008-2992) and Collab.getIcon (CVE-2009-0927). The `loads` counter in `sploits`, together with the per-victim `loads` table (exploit id, time and a 32-character hash), is the kit's scoreboard: it tells the operator which exploit is actually getting code to run on which share of visitors.
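To show what those tables are for, here is an added example in working form; it is written for this post and is not FSPack's own code. The kit fingerprints each visitor's User-Agent into its `browsers` and `os` enumerations and counts each successful exploit in `loads`/`sploits`. The enumerations and the `loads`/`sploits` columns are copied from the dump above; the User-Agent token rules, the use of Internet Explorer's `SV1` token to tell XP SP2 from plain XP, the hash input (IP plus User-Agent) and the once-per-visitor counting are my assumptions about how such a kit behaves, and the sample hits are constructed.

```python
import hashlib
import sqlite3

# Enumerations copied from the install.sql dump above (ids exactly as the kit stores them).
BROWSERS = {1: "Opera", 2: "Konqueror", 3: "Lynx", 4: "Links", 5: "MSIE etc", 6: "Netscape",
            7: "Mozilla", 8: "Firefox", 9: "Unknown", 10: "MSIE 7", 11: "MSIE 8"}
OSES = {1: "Linux", 2: "Windows 95", 3: "Windows 98", 4: "Windows XP SP2", 5: "Windows 2000",
        6: "Windows XP", 7: "Windows 2003", 8: "Windows Vista", 9: "Windows Mobile",
        10: "Macintosh", 11: "FreeBSD", 12: "Unknown"}
SPLOITS = {1: "RDS.DataSpace", 2: "PDF.Collab", 3: "PDF.Printf", 4: "PDF.Icon", 5: "Other"}


def browser_id(ua):
    """Map a User-Agent to the kit's `browsers` id (token rules are an assumption).
    Order matters: Opera/Konqueror carry 'MSIE' or 'Mozilla' tokens too, and the
    specific 'MSIE 8'/'MSIE 7' buckets must win over the generic 'MSIE etc'."""
    if "Opera" in ua:
        return 1
    if "Konqueror" in ua:
        return 2
    if ua.startswith("Lynx"):
        return 3
    if ua.startswith("Links"):
        return 4
    if "MSIE 8." in ua:
        return 11
    if "MSIE 7." in ua:
        return 10
    if "MSIE" in ua:
        return 5
    if "Netscape" in ua:
        return 6
    if "Firefox/" in ua:
        return 8
    if ua.startswith("Mozilla"):
        return 7
    return 9


def os_id(ua):
    """Map a User-Agent to the kit's `os` id. 'Windows NT 5.1' is XP; IE on XP SP2 adds
    the 'SV1' token, which is the only way a kit can tell SP2 from earlier XP."""
    if "Windows CE" in ua:
        return 9
    if "Windows NT 5.1" in ua:
        return 4 if "SV1" in ua else 6
    if "Windows NT 5.0" in ua:
        return 5
    if "Windows NT 5.2" in ua:
        return 7
    if "Windows NT 6.0" in ua:
        return 8
    if "Windows 98" in ua:
        return 3
    if "Windows 95" in ua:
        return 2
    if "Macintosh" in ua:
        return 10
    if "FreeBSD" in ua:
        return 11
    if "Linux" in ua:
        return 1
    return 12


# The `loads` and `sploits` columns from the dump, in SQLite syntax for an in-memory stats DB.
KIT_STATS_SCHEMA = """
CREATE TABLE sploits (id INTEGER PRIMARY KEY, name TEXT NOT NULL, loads INTEGER NOT NULL DEFAULT 0);
CREATE TABLE loads (id INTEGER PRIMARY KEY AUTOINCREMENT, sploit_id INTEGER NOT NULL DEFAULT 0,
                    time TEXT NOT NULL DEFAULT '', hash TEXT NOT NULL DEFAULT '');
CREATE INDEX loads_hash ON loads(hash);
"""


def open_stats():
    con = sqlite3.connect(":memory:")
    con.executescript(KIT_STATS_SCHEMA)
    con.executemany("INSERT INTO sploits VALUES (?, ?, 0)", SPLOITS.items())
    return con


def visitor_hash(ip, ua):
    """32 hex chars, sized for the dump's varchar(32) `hash` column. What the kit really
    hashes is not shown in the dump; IP plus User-Agent is an assumption."""
    return hashlib.md5(f"{ip}|{ua}".encode()).hexdigest()


def record_load(con, sploit_id, ip, ua, when):
    """Count a successful exploit once per visitor (the index on `hash` suggests a dedupe
    lookup). Returns True if this was a new load, False for a repeat visitor."""
    h = visitor_hash(ip, ua)
    if con.execute("SELECT 1 FROM loads WHERE hash = ? AND sploit_id = ?", (h, sploit_id)).fetchone():
        return False
    con.execute("INSERT INTO loads (sploit_id, time, hash) VALUES (?, ?, ?)", (sploit_id, when, h))
    con.execute("UPDATE sploits SET loads = loads + 1 WHERE id = ?", (sploit_id,))
    return True


def load_report(con):
    """The operator's view: exploit name -> successful loads."""
    return dict(con.execute("SELECT name, loads FROM sploits ORDER BY id"))


# Constructed sample hits: (client IP, User-Agent, exploit id that fired, timestamp).
SAMPLE_HITS = [
    ("203.0.113.5", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)", 1, "2009-12-12 09:00"),
    ("203.0.113.5", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)", 1, "2009-12-12 09:01"),
    ("198.51.100.7", "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5", 2, "2009-12-12 09:02"),
    ("192.0.2.9", "Lynx/2.8.7rel.1 libwww-FM/2.14", 5, "2009-12-12 09:03"),
]


def run_sample():
    """Fingerprint each sample hit, record the loads, and return what the operator would see."""
    con = open_stats()
    fingerprints = [(browser_id(ua), os_id(ua)) for _, ua, _, _ in SAMPLE_HITS]
    new = [record_load(con, sid, ip, ua, when) for ip, ua, sid, when in SAMPLE_HITS]
    return fingerprints, new, load_report(con)


if __name__ == "__main__":
    fps, new, report = run_sample()
    for (b, o), n in zip(fps, new):
        print(f"{BROWSERS[b]:9s} on {OSES[o]:15s} new load: {n}")
    print(report)
```

The second sample hit is the same visitor returning a minute later: it is fingerprinted the same way but not counted again, which is the kind of dedupe the `hash` index exists to make cheap.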

Wednesday, December 09, 2009

Minipost: Google v. Pacific WebWorks

I blogged recently about the "Google Jobs" scammers who were abusing Twitter, Blogspot and Google Reader by creating new accounts in all those places and then spamming those URLs. They then ran a second-phase scam by claiming that you were entering a "$1.95 trial", which actually could cost more than $200 and had no way to exit, since no one ever answers the phone number you have to call to "cancel your trial". (See Google Jobs Scam: Read the Fine Print.)

Several sources are reporting that Google has now filed suit against the parent company of this scam, Pacific WebWorks. I first heard about it from Graham Cluley's Sophos Blog, but went on to find Google's report.

Here's Google's actual report on it:

GoogleBlog: Fighting Fraud Online Taking Google Money Scammers to Court

And the Lawsuit filing (26 page PDF)

The case is very similar to the Google Money Tree lawsuit brought by the FTC against Infusion Media and West Coast Internet Media:

FTC v. Infusion Media and West Coast Media (17 page PDF)

Go Google! Take these Spammers and Scammers off the Internet!

Yet Another Facebook spam - New Zeus / Zbot threat

As Solomon said, "What has been will be again, what has been done will be done again; there is nothing new under the sun." (Ecclesiastes 1:9) Today we have another round of the "Facebook Update Tool" which we actually blogged about on October 28th (see Facebook Phish: Users Beware!) and on November 28th (see Beware Weekend Facebook Scam).

The path has changed since the last go-round, with two different URL patterns being used:


Email subjects are fairly limited to these choices:

Subject: Facebook Account Update
Subject: Facebook account update
Subject: Facebook Update Tool

Here's our actual message count for top Facebook subjects so far this morning:

784 | Facebook Password Reset Confirmation. Customer Message.
779 | Facebook Password Reset Confirmation. Support Message.
757 | Facebook Password Reset Confirmation. Customer Support.
755 | Facebook Password Reset Confirmation. Your Support.
753 | Facebook Password Reset Confirmation. Important Message
602 | Facebook account update
569 | Facebook Update Tool
550 | Facebook Account Update

All of the "Facebook Password Reset Confirmation" messages carry a '.zip' attachment intended to infect with Bredolab. These were covered in yesterday's blog entry: Ongoing Badness: AmEx, Facebook and .CN. The Zeus / Zbot infector is the campaign represented by the bottom three subjects on the list. With 189,301 messages received so far this early morning, that puts the Facebook Zeus at 0.9% of our email volume for this morning, and the Facebook Bredolab at 2%. Let's be generous and say that 3% of all of our spam this morning is using a Facebook lure to try to infect us with malware.

For comparison, here are the top Facebook spam subjects for yesterday:

Z 2309 | Facebook Account Update
B 2292 | Facebook Password Reset Confirmation. Support Message.
Z 2261 | Facebook Update Tool
B 2256 | Facebook Password Reset Confirmation. Your Support.
B 2249 | Facebook Password Reset Confirmation. Customer Message.
B 2244 | Facebook Password Reset Confirmation. Important Message
B 2225 | Facebook Password Reset Confirmation. Customer Support.
Z 2185 | Facebook account update

Z = Zeus / Zbot; B = Bredolab

By the 24-hour clock, yesterday we received 917,872 spam email messages, so 1.2% of yesterday's entire spam volume was Facebook Bredolab infectors and 0.7% was Facebook Zeus / Zbot, roughly 2% of all spam for the day combined, although that understates the Zeus run, since it only started late in the day.

Here's an example of the email body:
Dear Facebook user,

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.

Please click on the link below to update your account online now:

If you have any questions, reference our New User Guide.

The Facebook Team

There are fifty new domain names used in this attack, with 36 of the domains resolving as live at this writing (5:15 AM December 9, 2009).

Beyond its sheer volume, this ongoing scam also calls into question the value of traditional anti-virus on its own. Any signature-based solution is going to be challenged by rapidly changing malware such as these Zbot infectors: this morning's version is currently detected by only 9 of 41 anti-virus products, as reported by this VirusTotal report.

File size: 131584 bytes
MD5 : 959efa29b4979bcc1d664d7e0726aa74

Security suites which include website blocking fare much better, protecting their customers not by knowing this particular binary but by recognizing that the website is malicious. For instance, I am using the McAfee SiteAdvisor plug-in for Firefox, which flagged this site. The Google Safe Browsing list used by Firefox also knows these are malicious sites, and Trend Micro's "Smart Protection Network" performs a similar function for its customers. When selecting an anti-virus solution, make sure it also proactively blocks websites known to distribute malware. Even when the criminal repacks the binary to slip past the latest signatures, the fact that these websites are known to be bad will prevent the malware from being downloaded.

Tuesday, December 08, 2009

Ongoing Badness: AmEx, Facebook, and .CN

Here are several forms of "ongoing badness" that we are still seeing in the UAB Spam Data Mine:

American Express Phish

This campaign, which we told you about December 5th (see: American Express Phishing Campaign) continues to be heavily spammed. Today we've seen the following websites:

With at least these live as of this writing:

The emails for this one read like this:

Dear American Express customer,

A newly revised American Express Online Form has been issued by the American Express Customer Care Team. Please complete this form as soon as possible. You can access the form at:

American Express Online Form.

Thank you for choosing American Express.

American Express

Facebook Password Reset Malware

A Facebook spam campaign claims four of our top ten email subjects for the morning, with more than 5,000 copies seen already:

Count Subject
1123 | Facebook Password Reset Confirmation. Important Message
1108 | Facebook Password Reset Confirmation. Customer Support.
1089 | Facebook Password Reset Confirmation. Your Support.
1080 | Facebook Password Reset Confirmation. Customer Message.
1034 | Facebook Password Reset Confirmation. Support Message.

This campaign has an attached ZIP file, with the most popular attachment name this morning being:

That file is recognized by 18 of 41 AV products according to this VirusTotal Report which finds the most popular definition names to be of the Bredolab family of malware.

We've been seeing Bredolab, primarily as fake package delivery notices, for some time this fall. We mentioned it back on October 2 as the second story in Cyber Security Awareness Day Two, but it's been a near-constant presence since that time.

Here's a sample email body:

Hey gar ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Your Facebook.

The attachment had these characteristics:
File size: 17223 bytes
MD5 : 632c33ddd8ad8fe9ba317fa441ff4540

More BredoLab - DHL Services

There is also a DHL services version that continues to be heavily spammed this morning:

Subject: DHL Services. Please get your parcel NR.42246

Each email has a randomly generated parcel number, but we've seen more than 1,000 copies of this spam already this morning as well, with messages that look like this:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Express Services.

The ZIP file attached to this email is also Bredolab according to this VirusTotal report, which showed a 20 of 41 detection rate.

File size: 17904 bytes
MD5 : f6fc6ffbd0be0c0b0d8b702b5b47d571

Climate Change?

We wondered if the Climate Change Summit would end up being used as spam bait, but so far it's only being used as yet another lame way to deliver Viagra messages.

The Subjects:

Act now on climate, summit urged
What are your hopes for climate summit?

are only two of the many news-headline subjects this spammer uses to lure people to Chinese domain names serving "Canadian Pharmacy" ads. Other headlines from this particular spammer include:

Balancing act
BBC World News
Bottle of cognac from 1788 and more up for grabs at Paris auction
'Cancer donor' kidney transplant success
Chanting back
Day in pictures
Decade in words
Dubai stock market slumps again
Gayle ton keeps Australia at bay
In pictures
Into the spotlight
Kabul mayor guilty of corruption
Member (your email) get (##)% OFF on ALL Pfizer
Personal ##% off
Romanian opposition alleges fraud
Silverstone deal saves British GP
Soldiers killed in attack
TV channel says sorry for jungle rat killing
US man charged over Mumbai attack
User (your email) get (##) discount on ALL Brands

Of all the emails we have received so far this morning (242,800 emails already at 6:30 AM), the top 18 emailed subjects were all from this campaign!

1344 | Silverstone deal saves British GP
1294 | Soldiers killed in attack
1290 | Decade in words
1288 | What are your hopes for climate summit?
1281 | Dubai stock market slumps again
1279 | Kabul mayor guilty of corruption
1277 | Bottle of cognac from 1788 and more up for grabs at Paris auction
1273 | Balancing act
1260 | Into the spotlight
1251 | Act now on climate, summit urged
1235 | BBC World News
1224 | Romanian opposition alleges fraud
1218 | 'Cancer donor' kidney transplant success
1214 | US man charged over Mumbai attack
1207 | Gayle ton keeps Australia at bay
1206 | TV channel says sorry for jungle rat killing
1188 | Day in pictures
1168 | In pictures
1136 | Facebook Password Reset Confirmation. Important Message
1117 | Facebook Password Reset Confirmation. Customer Support.
1110 | Chanting back
1100 | Facebook Password Reset Confirmation. Your Support.
1094 | Facebook Password Reset Confirmation. Customer Message.
1039 | Facebook Password Reset Confirmation. Support Message.

23,607 of these emails were from this particular Canadian Pharmacy group, which gives us 10% of all our emails - before we put in the subjects which use email addresses and random character insertion.

If we look at the top domains that we saw so far this morning (6:30 AM), after the huge amounts of spam for x10 cameras and some other Chinese-hosted but not Chinese-named spam domains, most of the top ten spammed domains are Chinese pill-seller domains:

Here's the rest of the 661 ".cn" domains in our spam this morning:

Saturday, December 05, 2009

American Express phishing campaign

More than 1200 emails received for a new American Express phish:

Email subjects:

American Express Online Form
customer notification
important alert
important information
important instructions
important notification
important security update
instructions for customer
official information
official update

the websites are:

the path on each of the sites is:


Webmasters Targeted by cPanel Phish

Webmasters from at least 90 online hosting providers are specifically targeted in the newest round of Avalanche phish.

The spam emails that are going out look like these:

Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details.
Please confirm your FTP details by using the link below:

Subject lines use the name of the targeted hosting company in the email subject, such as:

(targeted hosting company) webhosting update
(targeted hosting company) web hosting update
(targeted hosting company) webhosting user
(targeted hosting company) web hosting update
for (targeted hosting company) webhosting user
for (targeted hosting company) web hosting user

Given all the variations, we've seen more than 900 unique subject lines.

When the link is followed, the websites are of course the criminal's phishing page instead of the web hosting company's cPanel page. (cPanel is a popular website administration tool.)

The goal is clearly to capture the FTP userids and passwords of webmasters. You can imagine what sorts of badness this campaign may lead to: an FTP password is all it takes to plant a malicious IFRAME on every page of a legitimate site, turning it into a drive-by infector of the kind described in the Zbot post above.

The website looks like this:

Here are some websites currently live . . .

The pattern of the URL is:

cpanel.(targeted hosting company).topleveldomain

where (targeted hosting company) can be:

The URL contains your email address and the provider link. When you visit the page, this information is stored as part of the URL for "command_003.php". You can see what I mean in the layout below:

<title>WebHost Manager</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link rel="shortcut icon" href="" type="image/x-icon">
<frameset cols="217,566*" frameborder="NO" border="0" framespacing="0" rows="*">
<frame src="command.htm" name="commander" frameborder="no" id="commander" scrolling="yes">
<frameset rows="70,*" cols="*" framespacing="0" frameborder="no" border="0">
<frame src="command_002.htm" name="topFrame" frameborder="no" noresize="noresize" id="topFrame" scrolling="no">
<frame src="command_003.php?" name="mainFrame" id="mainFrame" frameborder="no"></frameset>
</frameset>

After providing the userid and password, your information is saved, and you are then forwarded to whatever hosting provider was specified in the "service=" parameter: click a link from the version of the email that targets a given provider and you land on that provider's real site (a Yahoo-branded version, for instance, sends you on to Yahoo), so the victim sees nothing unusual.
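To turn the pattern above into something you can run against URLs pulled from mail, here is an added example; it is mine, not the phishing kit's code and not from the original post. It flags URLs whose host is cpanel.(brand).(tld) but whose registrable domain is not the brand's own, pulls the "service=" redirect target and the victim address out of a command_003.php query string, and walks the frameset layout above to find that frame. Assumptions: the provider allow-list is invented for the example, the "email" parameter name is assumed (the post only names "service="), and the sample page and query string are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs, urljoin

# Constructed allow-list for this example: brand label -> registrable domains the provider really owns.
KNOWN_PROVIDERS = {
    "examplehost": {"examplehost.com"},
    "hostingco": {"hostingco.net", "hostingco.com"},
}


def registrable_domain(host):
    """Naive registrable domain (last two labels). Enough for .com/.net/.be style names;
    a production check should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url):
    """Score one URL against the pattern in the post: a cpanel.<brand>.<tld> host that is not
    the brand's own domain, and a command_003.php query carrying the victim's address and
    the 'service' redirect target."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    verdict = {"url": url, "suspicious": False, "reasons": [], "service": None, "email": None}

    if len(labels) >= 3 and labels[0] == "cpanel":
        brand, reg = labels[1], registrable_domain(host)
        if brand in KNOWN_PROVIDERS and reg not in KNOWN_PROVIDERS[brand]:
            verdict["suspicious"] = True
            verdict["reasons"].append(f"cpanel.{brand}.* served from {reg}, not {sorted(KNOWN_PROVIDERS[brand])}")
        elif brand not in KNOWN_PROVIDERS:
            verdict["reasons"].append(f"cpanel.{brand}.* for unknown brand '{brand}'; review manually")

    if parts.path.endswith("/command_003.php"):
        verdict["suspicious"] = True
        verdict["reasons"].append("phishing-kit path command_003.php")

    qs = parse_qs(parts.query)
    verdict["service"] = qs.get("service", [None])[0]  # 'service=' is named in the post
    verdict["email"] = qs.get("email", [None])[0]      # parameter name is assumed
    return verdict


class FrameCollector(HTMLParser):
    """Collect src attributes of <frame>/<iframe> tags from the kit's frameset page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def analyze_page(page_url, html):
    """Resolve every frame src against the page URL and return the suspicious verdicts."""
    collector = FrameCollector()
    collector.feed(html)
    verdicts = [analyze_url(urljoin(page_url, src)) for src in collector.srcs]
    return [v for v in verdicts if v["suspicious"]]


# Constructed sample: the frameset quoted above, on a look-alike host, with an assumed query string.
SAMPLE_PAGE_URL = "http://cpanel.examplehost.be/index.htm"
SAMPLE_HTML = """<title>WebHost Manager</title>
<frameset cols="217,566*">
  <frame src="command.htm" name="commander">
  <frameset rows="70,*">
    <frame src="command_002.htm" name="topFrame">
    <frame src="command_003.php?email=webmaster%40victim.example&amp;service=http%3A%2F%2Fwww.examplehost.com%2F" name="mainFrame">
  </frameset>
</frameset>"""

if __name__ == "__main__":
    for v in analyze_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(v["url"], "->", v["reasons"], "service:", v["service"], "email:", v["email"])
```

All three frames of the sample page come back flagged because they sit on the look-alike host; only the mainFrame one also yields the "service" target and the victim address, which is the pair you want to log when notifying the hosting provider.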

If you are a webmaster and have received one of these emails, please be sure to contact your hosting provider to reset your passwords immediately, and review your pages to see what changes may have been made. If you learn what the bad guys are doing with your site, please drop me a note about it as well. (gar at uab dot edu)