Thursday, September 16, 2010

Linking Spam by its Attachments

Today some anti-spam friends were chatting about a new rash of "attachment spam" and wondering what attachments "belonged together" and what they did. Sounded like the perfect question for the UAB Spam Data Mine, so I thought I'd take a peek.

The first thing I did was to look for email subjects that had non-graphics-file attachments where we had received at least 250 copies of the email message today.

It wasn't actually that long of a list:

Subject | Attachment
Apartment for rent | Application to rent.html
B street financial information - part 1 | B St.Package 1.html
Church of Body Modification | Church of Body Modification.html
Cops kill active shooter at Johns Hopkins Hospital | Hospital violence on the rise, agency warns.html
Daniel Covington die | Daniel Covington.html
details | Shadow Ranch Marketing
Employment letter for visa application | jun wang letter.html
Evite invitation from (Random Name) | Evite invitation.html
Evite invitation from (Random Name) | Evite
Facebook password has been |
find a copy of the letter | copy of the letter.html
FW:September financials and newsletter | September 2010.html
Invoice for Floor Replacement | Invoice-Stockton.html
Invoice Payment Confirmation | Invoice Payment Confirmation.html
Jackie Evancho and Sarah Brightman | Jackie Evancho and Sarah Brightman.html
League proposal.html
Marketing Package.html | Marketing Package.html
NFL Picks Week 2 | NFL Picks Week 2.html
Order confirmation for order #(Random number) | invoice.html
Shipping Notification | Shipping Notification.html
You've got a fax | eFAX(RandomNumber)

Then I looked to see which of the email attachments were actually the same attachment. That's actually pretty easy for us, since we store the attachments by name, with an MD5 value prepended to the name, such as:

34eaf3d214f1ef58b56d58de5e5e25b6_Invoice Payment Confirmation.html
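As an added illustration of that linking step (this is not code from the post or from the UAB Spam Data Mine), the following Python script base64-decodes each message's attachment, hashes it, names it "<md5>_<filename>" as described above, and groups the subjects that carried the same digest. The messages and their HTML bodies are constructed here and the digests are computed, not taken from the post.

```python
import email
import hashlib
from collections import defaultdict
from email import policy
from email.message import EmailMessage

# Constructed sample attachments (not real spam samples): one HTML body reused
# under several subjects, and a second, different body.
SAME_HTML = b"<html><body><script>hp_ok=true;</script></body></html>\n"
OTHER_HTML = b"<html><body>canadian pharmacy</body></html>\n"

def md5_hex(data):
    """Hex MD5 of the raw attachment bytes, the key used to link messages."""
    return hashlib.md5(data).hexdigest()

def build_message(subject, filename, payload):
    """Build a raw RFC 5322 message carrying one base64-encoded attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="text", subtype="html", filename=filename)
    return msg.as_bytes()

def stored_name(raw_message):
    """Return (md5, '<md5>_<filename>') for the first attachment, mirroring the
    storage naming scheme; None when the message has no attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)   # undo the base64 transfer encoding
        digest = md5_hex(data)
        return digest, f"{digest}_{part.get_filename()}"
    return None

def group_subjects_by_md5(raw_messages):
    """Map attachment MD5 -> sorted distinct subjects that carried that attachment."""
    groups = defaultdict(set)
    for raw in raw_messages:
        result = stored_name(raw)
        if result is None:
            continue
        subject = str(email.message_from_bytes(raw, policy=policy.default)["Subject"])
        groups[result[0]].add(subject)
    return {digest: sorted(subjects) for digest, subjects in groups.items()}

if __name__ == "__main__":
    samples = [
        build_message("Apartment for rent", "Application to rent.html", SAME_HTML),
        build_message("NFL Picks Week 2", "NFL Picks Week 2.html", SAME_HTML),
        build_message("Evite invitation from Someone", "Evite invitation.html", OTHER_HTML),
    ]
    for digest, subjects in group_subjects_by_md5(samples).items():
        print(digest, subjects)
```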

Group One: MD5 = 136e771425e841bda5fabec0c81df974 -

For the Attachment with an MD5 value of:


We saw all of the following subjects:

'America's Got Talent' Judges Were They Shocked By.html
Application to rent.html
B St. Package 1.html
Church of Body Modification.html
copy of the letter.html
Daniel Covington.html
Hospital violence on the rise, agency warns.html
Jackie Evancho and Sarah Brightman.html
jun wang letter.html
NFL Picks Week 2.html
September 2010.html

So, it would be pretty safe to assume those were all "the same."

That is a block of javascript that starts by doing a document.write with the following block of ASCII letters "unescaped":


Which is some JavaScript code that looks like this:

hp_ok=true;
function hp_d01(s){
  if(!hp_ok)return;
  var o="",ar=new Array(),os="",ic=0;
  for(i=0;i<s.length;i++){        // walk the unescaped string one character at a time
    c=s.charCodeAt(i);
    if(c<128)c=c^2;               // each ASCII character is "decrypted" by XOR with 2
    os+=String.fromCharCode(c);

and some more stuff I won't list here . . .

All of that mess ends up doing this:

First, you go to this webpage: on the IP address

That page told my browser:


Then it did a "Meta Refresh" which sent me to: on

while at the same time loading an IFRAME which took me here: on IP address

That site dropped a 15kb file on my machine.

The IP also hosts the sites:

"" is a free domain provider that the criminals are abusing like crazy right now.

Other domain names located on include:

All of those except "" use Yahoo nameservers.

Group Two: MD5 = 34eaf3d214f1ef58b56d58de5e5e25b6 -

For MD5:


We saw all of the following subjects:
Evite invitation.html
Invoice Payment Confirmation.html
Shipping Notification.html

This group's attachment is also a BASE64 encoded html file.

If a user simply clicks the attachment, it SEEMS to take us to a Canadian Pharmacy website of the GlavMed variety:

But unfortunately, a deeper analysis of the code shows it takes the long way around. First the site sends us to: on IP address in Latvia

Then it sends us on to "" on in China's Guangdong province.

The ZIP Files: Group One -

Even though there are many different MD5s of the ".zip" file, quite a few of them are so similar in function that they are clearly "the same" despite the different MD5s.

The first of the ".zip" emails has the subject: "Bar/Bri"

The body of the email reads:

Thank you for ordering from Capcom Entertainment, Inc. on September 15, 2010. The following email is a summary of your order. Please use this as your proof of purchase. If you paid by credit card, please look for attached invoice.
Confidential & Privileged

Unless otherwise indicated or obvious from its nature, the information contained in this communication is attorney-client privileged and confidential information/work product. This communication is intended for the use of the individual or entity named above. If the reader of this communication is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error or are not sure whether it is privileged, please immediately notify us by return e-mail and destroy any copies--electronic, paper or otherwise--which you may have of this communication.

Attachment: used the MD5:

25 of 43 detection at VirusTotal - mostly called "FraudLoad" or "ZBot".

When we launched this malware, it connected to several servers in rapid order:


and downloaded a 471kb file from That file was my FakeAV present. It was stored in my current user's "Local Settings\Temp" directory as "dfrgsnapnt.exe".

VirusTotal FakeAV Report (20 of 43 detects)

A backup version was also running as "wscvc32.exe" from the same location.

The second ".zip" email had the Subject "details" and contained this email body:


As with all bank owned assets there is a strong desire to sell. The Lender is anticipating a sale before year end and they have encouraged us to bring them qualified offers to purchase.

I will contact you shortly to discuss in detail.



Shadow Ranch Marketing used the MD5:


24 of 43 detects at VirusTotal, mostly "FraudLoad" and ZBot.

The behavior of this malware was identical to the first - using the same domain names, fetching the same FakeAV from the same server, and installing it using the same name.

The third ".zip" email had the Subject: Shipping Notification

The body of the email read:
Shipping Notification Thank you for shopping with us. We look forward to serving you again.

The following is your receipt. Please retain a copy for your records.

Qty Item no Description Price S&H Tax Return
1 FC864-2038B Msg Drma7303 White 650.99 6.95 3.37 ____

Merchandise total 650.99
Shipping and handling 6.95
Tax on mdse 6.75% 3.37
Invoice total 706.31

Welcome to the convenience of shopping JCPenney Catalog

Shipping used the MD5s:

218adbd9f6abb8f0b7fd73765e62d005 behaved just like the first two entries on this list, in that it began by visiting,,,,, and downloaded the same Fake AV from the same location.

The first has 24 of 43 detects at VirusTotal, mostly Fraudload, FakeAV, and ZBot.

The second has 26 of 43 detects at VirusTotal, mostly ZBot.

The fourth ".zip" email had the subject:

The body of the email was very simple, with a Random Name in the body that matched the "From" name:
============================================================ Jed Keller used the MD5s:


The first has 21 of 43 detects at VirusTotal called FraudLoad, Alureon, FakeAV, or ZBot.

The second has 26 of 43 detects at VirusTotal called ZBot or Outbreak.

"Corrections" also behaved exactly like those above, dropping a FakeAV after contacting and the others.

The ZIP Files: Group Two -

The sixth ".zip" email uses the subject: Facebook password has been changed

The body of the email contains:
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.

Important Message!
You can find your new password in attached document.

Thank you.
Facebook Team.

Attachment: used the MD5:

This one is ESPECIALLY TRICKY, because the filename is hidden from the user! The email contains this code:

Content-Type: application/zip;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

Which makes the attachment, which is actually called "" show up as a ".jpg" file, like this:

22 of 42 detects at VirusTotal mostly called BredoLab or Sasfis.
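A defender-side check for this trick, written as an added example (not the post's code) and run against a constructed message rather than the real one: the attachment bytes begin with the ZIP local-file header, the Content-Type declares application/zip, and the headers present it under a ".jpg" name. The name= and filename= values are assumptions, since the post does not show them.

```python
import base64
import email
import os
from email import policy

ZIP_MAGIC = b"PK\x03\x04"   # local-file header at the start of an ordinary ZIP archive

# Constructed sample (the real attachment is not reproduced): a ZIP payload whose
# headers present it as a JPEG. The name= and filename= values are assumptions.
SAMPLE_ZIP = ZIP_MAGIC + b"\x14\x00" + b"\x00" * 24 + b"New_password.exe"
SAMPLE_MESSAGE = (
    "From: Facebook Team <noreply@example.invalid>\r\n"
    "Subject: Facebook password has been changed\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "You can find your new password in attached document.\r\n"
    "--b1\r\n"
    'Content-Type: application/zip; name="New_password.zip"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="New_password.jpg"\r\n\r\n'
    + base64.b64encode(SAMPLE_ZIP).decode() + "\r\n"
    "--b1--\r\n"
)

def attachment_findings(raw_message):
    """Return (shown_filename, reason) pairs for attachments whose displayed
    name disagrees with the declared MIME type, the Content-Type name, or
    the actual bytes; an empty list means nothing looked disguised."""
    findings = []
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        shown = part.get_filename() or ""
        ext = os.path.splitext(shown)[1].lower()
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""   # base64 transfer-decoded bytes
        if ctype == "application/zip" and ext != ".zip":
            findings.append((shown, f"declared {ctype} but shown as {ext or 'no extension'}"))
        name_param = part.get_param("name", header="content-type")
        if name_param and name_param != shown:
            findings.append((shown, f"Content-Type name={name_param!r} differs from filename"))
        if data.startswith(ZIP_MAGIC) and ext != ".zip":
            findings.append((shown, "payload bytes are a ZIP archive"))
    return findings

if __name__ == "__main__":
    for shown, reason in attachment_findings(SAMPLE_MESSAGE):
        print(f"{shown}: {reason}")
```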

Launching "New_password" generated lots of quick web traffic, starting with connections to "" on IP, from which I did this GET:


I have no idea what that means, but it feels familiar -- for instance, compare with the URL Dancho talked about back in May with some iTunes spam.

It also fetched from the unlikely named machine:

which has the IP address

Then we downloaded the file "/milk/dogpod.exe" from

I also did a crazy long fetch that began with "/get2.php?c=ALOVLEKD" from the host

When I did fetches like that, I downloaded "7.tmp" and "8.tmp" which VirusTotal calls bad:

The VirusTotal report for 7.tmp showed it had not been reported before. It was called mostly "Kazy" or "Oficla", with 17 of 43 detections.
8.tmp had 18 of 43 detections.
It also fetched from "" before loading some BBC News.

The last ".zip" email has the subject line You've got a fax

The body has a nice graphic and reads "The Fax message is attached to this email!"

The attachment has random numbers in the name, such as "":

eFAX(randomnumbers) used the MD5:

19 of 39 detects at VirusTotal mostly called ZBot, Oficla, or Sasfis.

When we launched this file, which was 22kb in size, it connected to "" just like the "Facebook New Password" one above. I noticed when I launched this time that I sent back a 15 ?minute? delay statement to the server. I'll wait to see what happens.
