Wednesday, April 17, 2013

Boston Marathon explosion spam leads to Malware

A new malware spam campaign, claiming to provide videos regarding the Boston Marathon explosion tragedy, is infecting computers and sending spam at a rate that is unprecedented in more than a year. The UAB Spam Data Mine, which has partnered with Malcovery Security to offer the "Today's Top Threat Report" received more than 80,000 copies of the malicious email, with more than 50,000 arriving before noon today.
The top spam subjects for this campaign so far have been:

(count listed as of noon)
  5952 | Boston Explosion Caught on Video
  5885 | Explosions at the Boston Marathon
  5873 | Aftermath to explosion at Boston Marathon
  5855 | 2 Explosions at Boston Marathon
  5729 | Explosions at Boston Marathon
  5725 | Explosion at Boston Marathon
  5690 | Video of Explosion at the Boston Marathon 2013
  5530 | Explosion at the Boston Marathon
  4891 | BREAKING - Boston Marathon Explosion
A second spam campaign is also active, using "CNN-related" spam subjects:
    88 | Opinion: North Korean Official's child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
    84 | Opinion: Osama bin Laden's legacy - Boston Marathon Explosions - CNN.com
    82 | Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
    79 | Opinion: Boston Marathon Explosions - Who benefits? - CNN.com
    77 | Opinion: China Official's  child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
    75 | Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com
    70 | Opinion: Boston Marathon Explosions - CIA Benefits? - CNN.com
    70 | Undeliverable: Explosion at the Boston Marathon
    69 | Opinion: Osama bin Laden still alive - Boston Marathon Worse Sensation!? - CNN.com
    67 | Undeliverable: Explosions at Boston Marathon
    67 | Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
    65 | Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
    64 | Undeliverable: Boston Explosion Caught on Video
    62 | Opinion: Boston Marathon Explosions - Osama bin Laden still alive? - CNN.com
    61 | Undeliverable: Video of Explosion at the Boston Marathon 2013
    60 | Opinion: Osama death was Faked by CIA - Boston Marathon Explosions Worse News. - CNN.com
The first group of spam messages have the subject line followed by a single URL, consisting of an IP address followed by either "boston.html" or "news.html".
 count |          machine          |  path                                                                       
-------+---------------------------+-------------------
  1667 | 118.141.37.122            | /boston.html
  1564 | 190.245.177.248           | /boston.html
  1533 | 178.137.120.224           | /boston.html
  1507 | 110.92.80.47              | /boston.html
  1484 | 37.229.92.116             | /news.html
  1466 | 188.2.164.112             | /boston.html
  1448 | 178.137.100.12            | /news.html
  1422 | 78.90.133.133             | /boston.html
  1376 | 118.141.37.122            | /news.html
  1363 | 212.75.18.190             | /boston.html
  1356 | 178.137.120.224           | /news.html
  1344 | 110.92.80.47              | /news.html
  1331 | 83.170.192.154            | /boston.html
  1330 | 37.229.92.116             | /boston.html
  1317 | 219.198.196.116           | /news.html
  1314 | 37.229.215.183            | /boston.html
  1312 | 61.63.123.44              | /news.html
  1309 | 61.63.123.44              | /boston.html
  1280 | 219.198.196.116           | /boston.html
  1271 | 85.198.81.26              | /news.html
  1247 | 190.245.177.248           | /news.html
  1214 | 94.28.49.130              | /boston.html
  1171 | 94.28.49.130              | /news.html
  1157 | 94.153.15.249             | /news.html
  1150 | 83.170.192.154            | /news.html
  1137 | 78.90.133.133             | /news.html
  1100 | 95.87.6.156               | /news.html
  1069 | 85.198.81.26              | /boston.html
  1061 | 94.153.15.249             | /boston.html
  1056 | 212.75.18.190             | /news.html
  1055 | 37.229.215.183            | /news.html
  1038 | 95.87.6.156               | /boston.html
  1028 | 188.2.164.112             | /news.html
  1011 | 178.137.100.12            | /boston.html
   960 | 46.233.4.113              | /news.html
   791 | 176.241.148.169           | /news.html
   766 | 176.241.148.169           | /boston.html
   758 | 91.241.177.162            | /news.html
   739 | 46.233.4.113              | /boston.html
   735 | 213.34.205.27             | /boston.html
   651 | 213.34.205.27             | /news.html
   642 | 91.241.177.162            | /boston.html
   626 | 62.45.148.76              | /news.html
   553 | 85.217.234.98             | /boston.html
   511 | 62.45.148.76              | /boston.html
   484 | 85.217.234.98             | /news.html
   205 | 31.133.84.65              | /news.html
   152 | 31.133.84.65              | /boston.html
    47 | 109.87.205.222            | /boston.html
    44 | 109.87.205.222            | /news.html
    19 | 50.136.163.28             | /news.html
    17 | 50.136.163.28             | /boston.html
The second group uses a website address rather than an IP address followed by either "cnn_boston.html" or "bostoncnn.html"
 count |           machine            |                         path                         
-------+------------------------------+------------------------------------------------------
   191 | www.domcomfort.ru            | /bostoncnn.html
   176 | www.whchivast.com            | /cnn_boston.html
   142 | relax-perm.ru                | /bostoncnn.html
    80 | www.peaceofchristparish.org  | /cnn_boston.html
    71 | imdh.knu.ac.kr               | /cnn_boston.html
    63 | create-serv.ru               | /popeabuse.html
    59 | skinnee.net                  | /cnn_boston.html
    56 | numeralarmowy-112.pl         | /cnn_boston.html
    56 | imdh.kyungpook.ac.kr         | /cnn_boston.h
    41 | higherthanab.com             | /cnn_boston.html
    40 | ufferichter.dk               | /cnn_boston.html
    37 | business-link.net            | /cnn_boston.html
    25 | ochronaprawkonsumenta.pl     | /cnn_boston.html
    24 | mannesmann.cz                | /cnn_boston.html
    20 | kuzenergo.ru                 | /cnn_boston.html
    20 | siemsrl.com                  | /bostoncnn.html
    18 | alex-spil.dk                 | /cnn_boston.html
    17 | host321.ru                   | /cnn_boston.html
    13 | www.vdnh.kiev.ua             | /cnn_boston.html
    10 | www.theophany.co.nz          | /cnn_boston.html
     8 | yanjingedu.org               | /cnn_boston.html
     6 | china-ptjc.com               | /cnn_boston.html
     5 | econ-group.com               | /cnn_boston.html
     3 | mezdustrok.com.ua            | /cnn_boston.html
     2 | alltomforsakringar.nu        | /cnn_boston.html
     2 | ufferichter.com              | /cnn_boston.html
We self-infected by visiting one of the IP address links in a web browser. The page had a series of YouTube videos, including this one:
However, if we look at the source code of the page, we notice something that certainly seems out of place!

The last IFRAME there calls a site called "spareroomwebdesign.com" and a file "waiq.html"
One of the changes to our machine was the addition of a registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SonyAgent: "C:\WINDOWS\Temp\temp86.exe"
When we checked, we found a hidden file, 815,616 bytes in size in that location.
The MD5 of the file is: fdbc94958b8f0ec2b24302c6d4685c46
As of this writing, only 8 of the 46 Anti-virus programs at VirusTotal are aware of this malware and able to detect it. https://www.virustotal.com/en/file/560766fc73edf8eff02674a220e2794c008caeefc476c8fef04c21a16eb23a0f/analysis/
Once infected, your machine BECOMES THE SPAMMER, and begins to distribute emails. In a 48 second run our infected machine attempted to send 348 spam messages, all with a subject from the list above.
The SECOND, CNN-themed spam campaign is a Financial Crimes malware infector, known as Cridex.
Both campaigns have been thoroughly documented in the Malcovery Security Top Threats Today report, normally reserved for our paying subscribers. Due to the extremely prolific nature of the Boston Marathon Explosion spam campaign, we are offering that T3 report as a free sample for any interested parties.

Free Malcovery T3 Report: Boston Marathon Explosion Spam.
Click Logo for your Free T3 Report