Monday, March 31, 2008

Don't Be A Fool! Don't Click on New Storm Email!

The Storm Worm is at it again, spamming Holiday related spam to infect our machines.

Beginning around noon on March 31st, UAB's Spam Data Mine began receiving email containing a familiar pattern - a holiday related subject line, with an IP number as the URL to a website the spammer wished us to visit.

Subject lines we've seen so far include:


  • All Fools' Day
  • Gotcha! April Fool!
  • Happy April Fool's Day.
  • I am a Fool for your Love
  • Surprise! The joke's on you.
  • Today's Joke!
  • Wise Men Have Learned More from Fools...

The email bodies are just a single phrase followed by a link to a malware website:


  • All Fools' Day (link)
  • Doh! All's Fool. (link)
  • Happy April Fool's Day. (link)
  • Happy April Fools! (link)
  • I am a Fool for your Love (link)
  • Join the Laugh-A-Lot! (link)
  • Surprise! The joke's on you. (link)
  • Gotcha! April Fool!
  • Happy April Fool's Day.


Some of the spammed servers are actually still hosting a previous version of the malware, called "e-card.exe", which has been detected since March 11th. (Although there are still 13 AV companies, according to "VirusTotal.com", including Symantec, which do not detect this old version as a virus.

While some of the servers are offering an old "e-card.exe" version, most have changed to look like this:



The new executable names are "foolsday.exe" and "kickme.exe". Both are the same file, which as of this writing is 139,776 bytes in size, and has an MD5 value of:

7bc0344370ce5e6dd6e1a99e8ce347e0

I was the first to upload the new version of the virus to VirusTotal (or at least it did not say "this file has previously been analyzed", as it does when you are not the first.) At this time, coverage is very spotty. For instance, AVG, ClamAV, F-Prot, McAfee, Microsoft, NOD32, Panda, Symantec, and Sophos all say "No virus found". In fact, of the 32 antivirus products checked by VirusTotal, only 5 named this as a virus, and three of those based this on the fact that it was a "Packed Executable".

UAB researchers have found the same "FoolsDay" version of the malware on more than a dozen servers so far, and, as is usual for storm, most of these are cable modem attached PCs belonging to Americans. Sites in cities like Los Angeles, Miami were prevalent, while we did see one site in Russia (79.164.169.26), and one in Turkey (78.166.30.169) so far.

What happened to Easter?

Several people in the AV community have been wondering, "What happened to Easter?" One theory is that our criminals are Christian on some level and decided not to use the resurrection of Christ to spread viruses. The other theory (which I prefer) is that Russian Orthodox Easter isn't until April 14th, and the virus writers got caught sleeping, not remembering that we in the West don't celebrate Easter when they do.

Tuesday, March 25, 2008

Phishers Seek Google Adword Accounts

In recent months we have seen occasions where Advertisements placed with Google have actually pointed consumers to sites which would attempt to infect their computers with various forms of malware. A new Phishing Campaign discovered in the UAB Spam Data Mine may indicate this form of attack is about to get a lot worse.

Google has been very quick to identify and terminate the accounts of these malware advertisers, but what will their response be when long-time "known good" advertisers suddenly start having malware pop up in their ads?

This seems to be the focus of a new phishing campaign.

The email which comes from:

adwords-noreply@google.com

Looks like this:




Dear Google AdWords Customer!


In order to update your billing information, please sign in
to your AdWords account at https://adwords.google.com, and submit your
billing information. Your account will be reactivated as soon as you have
entered your payment details. Your ads will show immediately if you
decide to pay for clicks via credit or debit card. If you decide to pay
by direct debit, we may need to receive your signed debit authorization
before your ads start running, depending on your location. If you
choose bank transfer, your ads will show as soon as we receive your
first payment. (Payment options vary by location.)

Thank you for choosing AdWords. We look forward to providing you with
the most effective advertising available.

Sincerely,

The Google AdWords Team




The problem is that the Adwords link doesn't go to Google. In a review of fifty samples of the email collected from the UAB Spam Data Mine, fifteen counterfeit "Google AdWords" websites were identified:

http://adwords.google.com.049jfm.cn/select/Login/

http://adwords.google.com.0k8ujd.cn/select/Login/

http://adwords.google.com.adwordsgl.cn/select/Login/

http://adwords.google.com.fgreo3.cn/select/Login/

http://adwords.google.com.fnjdk.cn/select/Login/

http://adwords.google.com.fr4ck.cn/select/Login/

http://adwords.google.com.fri23.cn/select/Login/

http://adwords.google.com.fruwa0b.cn/select/Login/

http://adwords.google.com.googadw.cn/select/Login/

http://adwords.google.com.irf12.cn/select/Login/

http://adwords.google.com.kdje332.cn/select/Login/

http://adwords.google.com.ork0r.cn/select/Login/

http://adwords.google.com.r4oik.cn/select/Login/

http://adwords.google.com.session932.cn/select/Login/

http://adwords.google.com.treoo.cn/select/Login/


In what is now becoming a familiar pattern, criminals are using previous crimes to enable future crimes. In the current example of the Google Adwords phishing spam, although the "From" addresses say the email came from Google, the rest of the header makes it clear that these emails were sent from logged in Yahoo and Hotmail accounts.

Whether these accounts were created as throw away accounts for this spam campaign, or are actually accounts which were broken into and used without their owners' permission is still being investigated. The lists of yahoo and hotmail accounts have been shared with investigators, and those, as well as the counterfeit website lists, have been sent to the FBI's Digital PhishNet for further investigation.




(screen shot of http://adwords.google.com.adwordsgl.cn/select/Login/ - 24MAR08 0630AM CST)

Emails were received from Brazil, Germany, India, the Netherlands, Russia, Spain, Switzerland, Turkey, Uruguay, but also from California, Florida, Georgia, Indiana, and Massachusetts.



The UAB Spam Data Mine is operated by UAB Computer Forensics Research, a Joint Operation of the Department of Computer & Information Sciences and the Department of Justice Sciences at The University of Alabama at Birmingham.