Sunday, August 31, 2008

Hurricane Gustav: Fraud Watch

For several years I've worked as an "industry partner" sharing information with the coolest Law Enforcement / Industry / Academia partnership on the planet - the National Cyber Forensics Training Alliance. One of the very first things we did together was compiling potential fraud domains for Hurricane Katrina.

Since that time, any time we've seen a natural disaster, we've been on the lookout for domains which might be abused for fraud. It was only natural, then, that I retuned my settings at DomainTools yesterday to alert on Gustav domains.

Here's what we've seen so far about new domains, registered with the word "Gustav" in them:

Parked Domains

Parked at GoDaddy:

contributegustav.org
contributiongustav.org
donategustav.org
donationgustav.org
gustav-relief.org
gustavassistance.org
gustavattorney.com
gustavclaims.net
gustavcontribution.org
gustavhelpers.org
gustavlawsuit.com
gustavlawyer.com
gustavlouisiana.org
gustavneworleans.org
gustavotimponi.com
gustavrecovery.org
hurricanegustavrepair.com
hurricanegustavvictims.info
hurricanegustavvictims.org
hurricanegustav08.com

Parked at IPTV Domains:

gustavcharities.com
gustavcharity.com
gustavdonation.com
gustavrelieffund.com

Parked at Mad Dog Domains & Cattle Company:

hurricanegustavresponse.info
officialhurricanegustav2008.info

Parked at Network Solutions:

gustavresponse.com


Parked on a Sedo search click ads site:

gustavhurricanerelief.com
gustavhurricanerelief.info
gustavhurricanerelief.net
gustavhurricanerelief.org
gustavlegalrelief.com
gustavlegalrelief.info

Parked at Sedoparking.com:

gustav-hurricane.info
gustav-hurricane.net
gustav-hurricane.org
gustav-hurricane.us

Points to a Sedo IP, but no content there:

hurricanegustavrelief.info
hurricanegustavrelief.net
hurricanegustavrelief.org


Parked at WebSites2You:

gustavfound.com
gustavmissing.com
survivedgustav.com
survivedgustav.net

For sale by auction on ebay and sedo by "harfordadvantage.com":

helpgustavvictims.com
helpgustavvictims.net
helpgustavvictims.org



Real Domains



There are several newly registered Gustav domains that actually contain real content!


gustavneworleans.com <== SHOCK! A real page of Gustav Information! (registered by Lawrence Muller of Virtual Corp in New York, who owns more than 400 other domains)

gustavpictures.com <== SHOCK! A real page of Gustav-related photos! (registered via Domains By Proxy by someone who seems to be "on the ground" watching the National Guard come into town)

hurricanegustavphotos.com <== SHOCK! A real page for Gustav-related photos! (registered by Cyril Payne of Theodore, Alabama. A nice frame, but no pictures yet.)

hurricanegustave.info <== SHOCK! Real information about the storm! (registered by Mark Cummings of Madisonville, Louisiana. Useful and current storm data, with Weather Channel graphics.)

Two Offering Good Deeds



Two other domains seem to be owned by Good Citizens who have reserved the domains and will give them for free to a worthy charity that would like to have the domain:


gustavrelief.info <== SHOCK! A good deed doer has reserved this domain, which he will give for free to a real charity . . .

gustavrelieffund.org <== See image



So far no signs of fraud, only Domain Speculation, but as always, we'll be keeping an eye on the situation as we move forward.
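The triage above was done by eye: which names are asking for money, which are fishing for legal clients, and which are just information pages. The script below is an added example (not part of the original post) that does the same sorting mechanically for a batch of keyword-matched registrations. The lexicon and category word lists are assumptions chosen to cover the names listed above; a real watch would grow them per event and combine the result with the nameserver/parking data DomainTools returns.

```python
# Added example: triage newly registered event-keyword domains by the words
# they are built from. The word lists are assumptions for this illustration.

SOLICIT = {"donate", "donation", "contribute", "contribution", "charity",
           "charities", "relief", "fund", "help", "helpers", "victims",
           "assistance", "recovery", "missing", "found", "survived"}
LEGAL = {"attorney", "lawyer", "lawsuit", "claims", "legal"}
INFO = {"pictures", "photos", "information", "news", "response", "repair"}
PLACE = {"hurricane", "official", "new", "orleans", "louisiana", "2008", "08"}
LEXICON = SOLICIT | LEGAL | INFO | PLACE | {"gustav"}


def segment(label, lexicon=LEXICON):
    """Greedy longest-match split of one DNS label into lexicon words.
    Characters that match nothing are kept together as one 'unknown' token,
    so 'gustavotimponi' becomes ['gustav', 'otimponi'] (a person's name,
    not a hurricane domain)."""
    longest = max(len(w) for w in lexicon)
    tokens, unknown, i = [], "", 0
    while i < len(label):
        match = None
        for size in range(min(longest, len(label) - i), 1, -1):
            if label[i:i + size] in lexicon:
                match = label[i:i + size]
                break
        if match is None:
            unknown += label[i]
            i += 1
            continue
        if unknown:
            tokens.append(unknown)
            unknown = ""
        tokens.append(match)
        i += len(match)
    if unknown:
        tokens.append(unknown)
    return tokens


def assess(domain, event_terms=("gustav",)):
    """Return None if the registered label has no event term, else a dict with
    the tokens, a category and the leftover unknown tokens."""
    labels = domain.lower().split(".")
    # Assumption: one-label TLDs, so the registered label is second from the right.
    name = labels[-2] if len(labels) > 1 else labels[0]
    tokens = [t for part in name.split("-") for t in segment(part)]
    if not any(t in event_terms for t in tokens):
        return None
    known = set(tokens) & LEXICON
    if known & SOLICIT:
        category = "solicitation"
    elif known & LEGAL:
        category = "legal"
    elif known & INFO:
        category = "informational"
    else:
        category = "other"
    return {"domain": domain, "tokens": tokens, "category": category,
            "unknown": [t for t in tokens if t not in LEXICON]}


def triage(domains):
    """Group a watch-list batch by category; names without the event term are dropped."""
    groups = {}
    for d in domains:
        result = assess(d)
        if result:
            groups.setdefault(result["category"], []).append(d)
    return groups


if __name__ == "__main__":
    for cat, names in triage(["helpgustavvictims.org", "gustavlawyer.com",
                              "gustavpictures.com", "gustavotimponi.com"]).items():
        print(cat, names)
```

Names that land in "solicitation" with a parking page are the ones to re-check daily; a domain that leaves parking and grows a donation form is the point at which "speculation" turns into something to report.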

Gary Warner
Director of Research
UAB Computer Forensics
http://www.cis.uab.edu/forensics/

Saturday, August 30, 2008

Banking Digital Certificate Malware in Spam

Recently we've been seeing more and more of the Digital Certificate malware. In the past week, we've seen Bank of America, Capital One, Colonial Bank, SunTrust, TD Bank North, and Wachovia all hit with spam campaigns attempting to infect the spam recipients with a keylogger to send their login information to the criminals.

As an example, here is a screenshot of this week's Bank of America digital certificate website.



The malware varies regularly, which makes it quite difficult for the anti-virus companies to keep up. For instance, here is the VirusTotal scan for the Bank of America version of the malware:



Only 8 of 36 anti-virus products are currently detecting this malware.

The patterns of the machine names used by these spam messages look like these:

Three brands used "verify.html" as their path, with very distinctive machine names.

Bank of America:

commercialandbusiness.bankofamerica.usanationwide.memberverify.UpdateSessionYScI4av8Xx6XyZA.selfservice.privatelogin.rashidalocher.com

Sun Trust:

onlinetreasurymanager.suntrust.comibswebsuntrust.siteminderagent.certificateUpdate.memberverify.communitypage.CommunityID779487708.membersLogin.classmm.com

Wachovia:

commercial.wachovia.online.financial.service.communitypage.UpdateSessionnyU4wDDSOMRKI5C.ptcontrol.selfservice.keredi.com

The two other patterns used different paths.

TD BankNorth used the path "/TDBankNorthCertificate.htm" with machine names like:

webexpress.tdbanknorth.ecosystem.productsremote.UpdateSessionhgdWqQlW2v1bJVo.encrypted.comreportid.wilsonioa.com

and Colonial Bank used /Colonial_Bank.htm with machine names like:

update.colonialbank.webbiz.sitesurvey.encrypted.privatelogin.e4y6.com


Using the UAB Spam Data Mine, we made a query to find how many Digital Certificate spam messages were received containing "*verify.htm*" in the path portion of their URL. We found that we had 4,417 messages:

1,531 Bank of America messages were sent from 688 unique machines
2,535 Sun Trust messages were sent from 1396 unique machines
351 Wachovia messages were sent from 243 unique machines
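The hostnames above share a structure worth keying detection on: the bank's brand sits in the left-hand labels, a random "UpdateSession" token is mixed in, and the registered domain at the far right is a throwaway with no relation to the bank. The script below is an added example, not code from the UAB Spam Data Mine, that classifies URLs on that structure and then produces the same per-brand message / unique-sender / domain counts quoted above. The sample records are constructed for the example (the sending IPs are documentation addresses), and it assumes the last two hostname labels are the registered domain, which holds for the .com hosts on this page.

```python
# Added example: flag "digital certificate" lure URLs by hostname structure
# and aggregate them per brand, the way the Data Mine query above does.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample (sender IP, URL); IPs and the two last-resort domains are made up.
SAMPLE_SPAM = [
    ("198.51.100.7", "http://commercialandbusiness.bankofamerica.usanationwide.memberverify."
                     "UpdateSessionYScI4av8Xx6XyZA.selfservice.privatelogin.rashidalocher.com/verify.html"),
    ("198.51.100.7", "http://onlinetreasurymanager.suntrust.comibswebsuntrust.siteminderagent."
                     "certificateUpdate.memberverify.communitypage.CommunityID779487708.membersLogin.classmm.com/verify.html"),
    ("203.0.113.22", "http://commercial.wachovia.online.financial.service.communitypage."
                     "UpdateSessionnyU4wDDSOMRKI5C.ptcontrol.selfservice.keredi.com/verify.html"),
    ("203.0.113.22", "http://webexpress.tdbanknorth.ecosystem.productsremote."
                     "UpdateSessionhgdWqQlW2v1bJVo.encrypted.comreportid.wilsonioa.com/TDBankNorthCertificate.htm"),
    ("192.0.2.55",   "http://update.colonialbank.webbiz.sitesurvey.encrypted.privatelogin.e4y6.com/Colonial_Bank.htm"),
    ("192.0.2.55",   "http://commercial.wachovia.online.financial.service.communitypage."
                     "UpdateSessionAbCdEf.ptcontrol.selfservice.keredi.com/verify.html"),
    ("192.0.2.99",   "http://www.bankofamerica.com/verify.html"),   # brand in the real domain: not flagged
]

BRANDS = {
    "bankofamerica": "Bank of America",
    "suntrust": "SunTrust",
    "wachovia": "Wachovia",
    "tdbanknorth": "TD Banknorth",
    "colonialbank": "Colonial Bank",
}
SESSION_TOKEN = re.compile(r"updatesession[a-z0-9]{6,}", re.IGNORECASE)


def registrable_domain(host):
    # Assumption: no public-suffix list; last two labels are the registered domain.
    return ".".join(host.lower().split(".")[-2:])


def classify(url):
    """Return (brand, registered domain, reasons) for a lookalike URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    joined_subdomain = "".join(host.split(".")[:-2])
    hits = [name for key, name in BRANDS.items() if key in joined_subdomain]
    if not hits:
        return None          # brand only in the registered domain (or absent): leave it alone
    reasons = ["brand label in the subdomain of unrelated domain " + reg]
    if SESSION_TOKEN.search(host):
        reasons.append("random UpdateSession token in hostname")
    path = parts.path.lower()
    if "verify.htm" in path or "certificate" in path:
        reasons.append("certificate/verify lure path " + path)
    return hits[0], reg, reasons


def summarize(records):
    """Per brand: message count, unique sending IPs, and the throwaway domains used."""
    stats = defaultdict(lambda: {"messages": 0, "senders": set(), "domains": set()})
    for ip, url in records:
        result = classify(url)
        if result is None:
            continue
        brand, reg, _ = result
        stats[brand]["messages"] += 1
        stats[brand]["senders"].add(ip)
        stats[brand]["domains"].add(reg)
    return {b: {"messages": s["messages"],
                "unique_senders": len(s["senders"]),
                "domains": sorted(s["domains"])} for b, s in stats.items()}


if __name__ == "__main__":
    for brand, s in summarize(SAMPLE_SPAM).items():
        print(f"{s['messages']} {brand} messages from {s['unique_senders']} machines; domains: {s['domains']}")
```

The "brand in subdomain, not in registered domain" test is the durable part; the UpdateSession token and the verify/certificate path are campaign-specific and will change, so treat them as extra weight rather than the trigger.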

The Bank of America spam used these domains:


acc1254c.com
acc1254ccs11.com
alyciahasch.com
bellamaster.com
bellamastersr.com
bikoem.com
bkjblgb80.com
bnyril.com
bryondeckelman.com
bryondeckelmang.com
caloshe.com
dnreru.com
eirinf.com
eljaikhalid.com
ewahwrh.com
farahlacaille.com
fgyfyfif.com
fgyfyfiffrg.com
fhrtrfjggj.com
floydhoffer.com
gamanzi.com
gwlevssv.com
hsshroi4w.com
hyevestal.com
imrero.com
jerriin.com
jhf88ujf.com
jiolof.com
keikoaragoni.com
kelrfo.com
kjbh876y.com
kjhgljkhg8y9.com
knezzei.com
ksdeaaz.com
lavvis.com
lkjggoyg.com
lulangenberg.com
megdlabajhy.com
miefjko.com
miogef.com
nainuibnq9.com
narcisawickenh.com
nefgie.com
nutrolo.com
oleviacamp.com
qioche.com
rahimaabdulla.com
rashidalocher.com
rosettalaur.com
sefiddo.com
shavonallton.com
shshwhr.com
shshwhrnoi.com
sonnyferen.com
sonnyferenc.com
tyived.com
vellazanis.com

The Sun Trust domains were:

34iuyrd.com
asopwi.com
bamtyf.com
brijfy.com
bvnvnv.com
classmm.com
cs12xc.com
cvbcv.com
cvbcvr.com
cvht54r.com
cvnbvt.com
dfsasd12ds.com
dgfhjdbg.com
dmnbgdj.com
dsroler.com
ertuyl.com
esdroi.com
ewriaij.com
ewroled.com
gdfed.com
gewrfu.com
gfeeinxo.com
gi6tff.com
hyewd.com
ioesach.com
iyg4d.com
iyggeed.com
jiuhf.com
juyrdeo.com
juytdo.com
jwiejo.com
kiufrq.com
kiuxs.com
koudver.com
liseqo.com
loifde.com
loiuf.com
mnxcbv.com
mreeik.com
msouna.com
muydew.com
nneesa.com
nrfeal.com
nurfef.com
oeirf.com
ogfauun.com
oifgrev.com
oinges.com
oofdees.com
opxex.com
qedsa.com
rekjtyieu.com
rtfghj.com
safbvbv.com
sduoud.com
uiyvcx.com
ureocv.com
vchgd.com
vcvoolow.com
vfhtfdf.com
vntdff.com
vvsamerica.com
wertod.com

And the Wachovia domains were:

dsooler.com
ferunqe.com
feudej.com
fferber.com
geoorlre.com
geyyune.com
keredi.com
kirewu.com
kiured.com
kiweuuyc.com
loremoid.com
moerde.com
nitrrolle.com
nniedew.com
nuteer.com
oeirfeg.com
vretrol.com

UAB Computer Forensics students were able to "unpack" the malware, showing that both the August 29th Bank of America malware and the August 22nd SunTrust malware sent their keylogged data to:

124.217.248.174 - Malaysia, PIRADIUS NET


Both the August 28th Capital One Bank malware and the August 29th Colonial Bank malware were slightly different, although very similar in structure. They connected instead to a Ukrainian IP address:

91.203.92.81 - http://www.spacestormsinc.com/cb_4.exe

The malware analysis shows that we have two separate Command & Control points, but VirusTotal reports that both families of malware are actually the "Papras" virus.


755 copies of Colonial Bank malware spam were received in August from 567 unique sending IP addresses. There were several versions of the malware, which we received on August 1, 7-9, 12-13, 21, 26, and 28th.

These three patterns:
connect.colonialbank.webbiz.securitychallenge.bankonenet.siteminderagent.1R4RV76FGJ52QSItrue.chmtrueph.TWIC5ZVP01AYVE0.webbanking.comreportid219661038.standard.cnvbesa.com
update.colonialbank.webbiz.sitesurvey.securitychallenge.bankonline.nxcvjd.com
Colonialbank.webbiz.wirebiz.globalupdate.memberverify.UpdateSession8xtlTQP0nbvuHV3.privatelogin.communitypage.kifrola.com

included spam for these domains:

cnvbesa.com
dnmsbds.com
pzvsbl.com
vbnvrdx.com
bvnvrx.com
eg3x.com
nxcvjd.com
e4y6.com
kiufce.com
refolfi.com
writreseses.com
kiredew.com
redossa.com
hwwjkrnh6.com
latashabeaber.com
susancasolary.com
carismulders.com
eusebiolemler.com
kifrola.com
senafonua.com
rerefofolo.com
bilerex.com
urterc.com
qakigro.com
jrievrol.com
sgwewr465.com
codefd.com
sgwewr464.com
niytec.com
nbiueh.com

31 of the machines which sent the "verify" version of the malware also sent 48 copies of the Capital One malware. These domains were used for Capital One.

dexoim.com
jimmedy.com
jioece.com
jioeres.com
klainey.com
maginele.com
mkeiop.com
niytec.com
nnerdix.com
poemils.com

Tuesday, August 26, 2008

E-cards Run Wild. Where are the Anti-Virus Companies?

E-card spam was running wild today according to many of my students, co-workers, fellow InfraGard members, family members, and total strangers who had read an article about the UAB Spam Data Mine. While we collected well over 1,000 copies of the message in the Data Mine, we heard from our colleagues in UAB Security that campus-wide they had blocked emails originating from more than 4,000 unique IP addresses. That means 4,000 compromised computers had tried to send copies of this email just to people who work or study at UAB!

The emails we received pointed to URLs like:

http://turismoaq.it/e-card.exe
http://pieralbrechtdr.com/e-card.exe
http://faunarium.net/e-card.exe
http://independenceinstrument.com/

Detection of the most recent version of the malware is horrible! At this timestamp, as illustrated by the current VirusTotal results, only 10 of 34 anti-virus engines can detect the product. I'm writing this at home where I run McAfee Security Center on my Vista Ultimate machine. With a "just refreshed" version of the anti-virus, it still doesn't detect the 'e-card.exe' that I just fetched from faunarium.net.



What does the virus do?

It starts out by creating a few files in the currently logged-in user's Temp folder, including:

dimarik_1.exe
inst2_294.exe
scan.exe

After a bit, a strange pattern emerges. Scanned files are being sent out to the Internet! I won't list the IP here (it's been shared with law enforcement), but logs publicly viewable on the server's webpages indicate that thousands upon thousands of infected computers are sending files from themselves to this collection point. Logging one line per received file, there are days where this server has received more than 10 MB of log entries! Today so far, not quite 2 MB of log entries indicate 24,000 files retrieved.

Saturday, August 23, 2008

Leave Those Viruses at SCHOOL!

Computer viruses are crippling the Huntsville City Schools. How can you be sure your student (or school) won't be a carrier?

In yesterday's Huntsville Times Steve Campbell reported that computer viruses had nearly shut down the Huntsville City schools. Teachers couldn't use their prepared computer lessons, student attendance could not be tracked, and lunch room accounts could not be accessed because of the virus.

Update: We've now received a working copy of the virus that infected the Huntsville schools. The virus is known as "Sality". A VirusTotal report is available here:

Reported Detection of Sality.

Here's McAfee's description of W32/Sality.AI, which was first detected August 5th. Our sample is actually detected as W32/Sality.AG, which is described in more detail HERE. Neither description matches exactly what we are seeing.

Safe Mode is eliminated by deleting your non-primary "ControlSets" from the Registry. Registry editing and Task Manager are disabled with keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. A kernel-mode driver loaded from SYSTEM.INI is responsible for blocking the execution of most anti-virus products; editing SYSTEM.INI can eliminate that problem. Two randomly named .exe files are placed in the current user's \Documents and Settings\(user)\Local Settings\Temp.

The bigger problem is that several .exe files located in \Windows\System32\ are modified so that running them re-invokes the whole chain of events. To make it worse, those infected files are then hooked so that they run whenever other programs are called, for instance by infecting "WinMine.exe" or "Notepad.exe" and then registering it as the default debugger for your system. These files will have to be recovered from clean media.

The "Sality Removal Tool" offered by AVG was written in December of 2007 and is totally ineffective against the current version of Sality in our experience. We are continuing to test other methods of disinfection. When we have more advice we'll update it here.
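Two of the changes described above, the Policies\System lockout of Task Manager and the Registry Editor, and an ordinary Windows binary registered as a "debugger" so that it runs whenever another program is launched, are easy to confirm from a registry export taken on the infected box. The checker below is an added example (not UAB's tooling and not a Sality signature): it parses the text format written by `reg export` and reports those indicators. The export fragment is constructed for the example, and the allow-list of legitimate debugger executables is an assumption you would tune to your own environment.

```python
# Added example: scan a "reg export" text file for the two Sality-style
# registry indicators discussed above. Sample data is constructed.
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\system32\\winmine.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""
"""

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
AEDEBUG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
# Assumption: debuggers you would expect to see registered on a workstation.
KNOWN_DEBUGGERS = {"drwtsn32.exe", "windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe"}

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_value(raw):
    """Decode the dword: and quoted-string forms; other types are returned raw."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg_export(text):
    """Return {key path: {value name: value}} for a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = decode_value(m.group(2))
    return keys


def debugger_exe(value):
    """Basename of the program a Debugger value points at (quoted path or first token)."""
    v = value.strip()
    if v.startswith('"'):
        v = v[1:].split('"', 1)[0]
    else:
        v = v.split()[0] if v else ""
    return v.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_indicators(keys):
    findings = []
    for path, values in keys.items():
        p = path.lower()
        if p == POLICY_KEY.lower():
            for name in ("DisableRegistryTools", "DisableTaskMgr"):
                if values.get(name) == 1:
                    findings.append(name + "=1 under HKCU Policies\\System")
        if p.startswith(IFEO_KEY.lower() + "\\") or p == AEDEBUG_KEY.lower():
            dbg = values.get("Debugger")
            if dbg and debugger_exe(dbg) not in KNOWN_DEBUGGERS:
                leaf = path.rsplit("\\", 1)[-1]
                findings.append(leaf + " hijacked: Debugger -> " + dbg)
    return findings


if __name__ == "__main__":
    for f in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(f)
```

Run it against an export made from the infected machine's registry hive mounted on a clean box, not on the infected machine itself, since the page notes that the virus blocks most tools from running there.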

USB Jumpers


Virus researchers at UAB Computer Forensics have been looking at these types of viruses, called "USB Jumpers", since January and have been amazed that there hasn't been a devastating outbreak earlier.

While many viruses spread via email or by visiting infected webpages, this family spreads over network connections and via "USB Thumb Drives".

When a USB drive is inserted into a computer, Windows scans the drive for an "AutoRun.inf" file. If the AutoRun.inf file is present, the computer runs whatever that file tells it to run.

If a stranger (or a student, in this case) gives you a USB thumb drive and you stick it into the computer, the default setting on any Windows computer is to execute that AutoRun sequence.

The way this family of viruses, which we call "USB Jumpers", works is that they modify the AutoRun.inf file to execute a copy of the virus, which is often present on the thumbdrive as a "hidden file" called "Setup.exe".

Once a computer is infected, every thumb drive inserted into that computer will be updated to also be a USB Jumper. So, if a teacher has students turn in their homework on USB sticks, the first student may give the teacher an infected thumb drive. The teacher then also gathers homework from all of the other students. As each student's thumb drive is inserted into the teacher's computer, it also becomes infected, and can now be used to spread the virus to their home computer or other teachers' computers.

Administrator Trouble


Once a trusted computer on a network is infected, the infection can spread quickly to every other computer on the network, especially if an Administrator logs in to the computer. When someone with "Domain Administrator" privileges logs in to the computer, the virus on that computer now runs with "Administrator privileges" on the entire network. When the virus finds it has Administrator rights, it attempts to open a "network share" with every other computer on the network. If the share is successful, it copies itself into the setup routines on the remote computer, and then closes the connection.

This is especially devastating! When a computer is first infected, the infection is limited to the local machine and to USB drives inserted into that computer -- but the person who is called from the IT Department to remove the virus will almost certainly log in with "Administrator" access to remove the virus. As soon as that happens, every machine on the network can be infected within a matter of seconds.

Bringing the Virus Home


Whether you have a student in the house, or whether you have a family member who works in the school system, if they bring home a USB drive which has been used in a school computer, there is a chance that they are bringing a virus home with them as well. From there, a USB drive can easily spread the virus to Mom and Dad's work computers.

How do you stop it? Step One is to turn off AutoRun.

On your Windows computer, click "Start", then Run, and type
"gpedit.msc". This is the Group Policy Editor.



Follow the menus:

Local Computer Policy -> Computer Configuration -> Administrative
Templates -> System

Then choose the item Turn off Autoplay.



Double click it, and choose "Enabled" for "All Devices".

There is a downside to taking this action. Once this protection is enabled, CDs will not automatically try to play themselves when inserted. You will have to launch the application, or your music player, manually. If you do not use USB drives and you do like the convenience of "autoplaying" CDs you may not want to take these steps.

If you do use your USB drives in strangers' computers (even at school or work!), that is a small inconvenience to pay for this level of protection.

UPDATE Regarding PIF Files



W32/Sality will write itself to USB drives using one of the following file extensions: ".cmd", ".exe", ".pif". While the advice above is effective on most copies, if the drive contains a ".pif" file there is further danger. Browsing a folder containing a ".pif" from Active Desktop (the default in Windows XP) is enough to invoke the virus. If you are unsure whether your USB drive has a hidden .pif, go to a DOS window (Start=>Run=>CMD). Then do a directory listing that shows hidden files. So, if your USB is on the "E:" drive, the command would be "dir e: /ah". If a hidden .pif file exists, it should be deleted.

dir e: /ah
attrib -h -s e:\badfile.pif
del e:\badfile.pif
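The two checks described in this post, what AutoRun.inf would launch, and which hidden .exe/.cmd/.pif files a `dir /ah` shows, can be done together before a drive is ever trusted. The script below is an added example (not UAB's tooling): it parses an AutoRun.inf, pulls out every launch directive (open=, shellexecute=, and shell\...\command=), and cross-checks the targets against a hidden-file listing. The AutoRun.inf text and the listing are constructed for the example; in practice you would read the file from the drive and build the listing from `dir e: /ah` or from a directory walk that checks the hidden attribute.

```python
# Added example: audit a removable drive's AutoRun.inf and hidden files.
# Both inputs below are constructed samples.
SAMPLE_AUTORUN = """[autorun]
open=setup.exe
shell\\open\\command=setup.exe
shellexecute=RECYCLER\\update.pif
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Stuff
"""

# (name, attribute letters) in the shape of a `dir e: /ah` listing
SAMPLE_HIDDEN = [("setup.exe", "HS"), ("update.pif", "HSR"),
                 ("Thumbs.db", "HS"), ("autorun.inf", "HSR")]

LAUNCH_KEYS = ("open", "shellexecute")
RISKY_EXT = (".exe", ".cmd", ".pif", ".bat", ".com", ".scr")


def parse_autorun(text):
    """Return [(key, value)] from the [autorun] section, keys lower-cased.
    Duplicates are kept because Windows honours whichever it reads."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" in line and section == "autorun":
            k, v = line.split("=", 1)
            entries.append((k.strip().lower(), v.strip()))
    return entries


def launch_targets(entries):
    """Every program AutoRun would execute: open=, shellexecute=, shell\\verb\\command=."""
    targets = []
    for k, v in entries:
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            exe = v.split()[0].strip('"') if v else ""
            targets.append((k, exe))
    return targets


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(autorun_text, hidden_listing):
    """Findings for a drive: launch directives, hidden launch targets, hidden executables."""
    findings = []
    targets = launch_targets(parse_autorun(autorun_text))
    for key, exe in targets:
        findings.append("autorun.inf " + key + " launches " + exe)
    hidden_names = {name.lower() for name, attrs in hidden_listing if "H" in attrs.upper()}
    target_bases = {basename(exe) for _, exe in targets}
    for name in sorted(target_bases & hidden_names):
        findings.append("launch target " + name + " is a hidden file")
    for name in sorted(hidden_names):
        if name.endswith(RISKY_EXT):
            findings.append("hidden executable on drive: " + name)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_AUTORUN, SAMPLE_HIDDEN):
        print(f)
```

A clean drive produces no launch directives and no hidden executables; anything the script reports is what the `attrib -h -s` / `del` commands above should be pointed at.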




Interested in malware? I spoke last week at "Tech Mixer University" on the topic of "Investigating Malware". My presentation is available on my UAB Computer Forensics page.

Gary Warner
Director of Research
UAB Computer Forensics
gar@cis.uab.edu

Friday, August 22, 2008

Celebrity Spam-Off: Will Paris Hilton Overtake Angelina as Top Spam Bait?

Based on the high volume of "Paris Hilton" spam today (21% of all spam messages received had "Paris Hilton" in the subject line), you're probably wondering "Is Paris Hilton the most popular Spam Celebrity?" No. Actually, you probably aren't wondering that, but it's Friday afternoon, and I'm tired of being serious. So, while we waited for the UAB Spam Data Mine to finish a report about spam for a law enforcement case, we went ahead and produced . . .

The August Celebrity Spam Score Card



Celebrity            Percentage of August Spam
Angelina Jolie       5.2%
Britney Spears       3.8%
Paris Hilton         3.2%
George Bush          0.6%
Barack Obama         0.5%
Lindsay Lohan        0.36%
John McCain          0.32%
Brad Pitt            0.27%
Spongebob            0.19%
Pamela Anderson      0.16%
Heath Ledger         0.14%
Madonna              0.12%


Receiving less than 1/10th of 1% of all spam in August were:


Tony Blair
Sarah Jessica Parker
Avril Lavigne
J Lo
Miley Cyrus
Christian Bale
Paul McCartney

Face it. Americans want to know what's going on in the lives of our celebrities. The spammers know this. But please resist the bait.

Paris Hilton did not give birth to aliens. Paris Hilton did not lecture on Dickens and Dostoevsky. John McCain did not name Paris Hilton as his running mate. There is not really a movie of Paris Hilton doing THAT with HIM/HER/THEM. Paris Hilton was not nominated for the Nobel Prize, no matter what your spam says. If you follow the link, the website you visit will try to infect your computer with malware.

If you want to know what Angelina Jolie did, subscribe to People magazine. If you want to know what Paris Hilton probably didn't do, read the National Enquirer. But whatever you do: don't click the links in your email!

Oh - for comparison - CNN edged out Angelina Jolie ever so slightly with 5.4% of all the spam for the month of August so far. MSNBC was only a handful of emails behind Paris Hilton, with 3.2% of all spam messages for August so far.

And now for the serious part . . .


120 subject lines used to advertise the virus being pushed by all the Paris/Britney spam we received today.
I'll include a few of the tamer ones here, but many are too offensive for a sensible blog post:

Aliens Deny Impregnating Paris Hilton
Britney Finally Passes Rolling Stones Audition
Britney mind control claims: manager says K-Fed responsible
Britney Spears and Paris Hilton to Visit Burma
Paris Hilton Pregnant By Aliens
Paris Hilton Returned By Aliens
Paris Hilton Seeks New Best Friend Competition


3,732 IP addresses of compromised computers that sent us those Paris/Britney virus links.



175 unique malware links those messages wanted us to click on.


121 websites that were compromised to make them host the virus.

Most have now been shut down. There are two versions of the virus being distributed. If you have been infected by this virus, the primary symptom will be that your computer will seem to have a new anti-virus program scanning your system, and it will probably change your Windows wallpaper.

These sites are all still distributing "play.exe", which is 74,752 bytes in size and has the MD5 15e20faa53450a4ff64ef6b3541889fb. It's very well detected, based on this VirusTotal report showing that 32 of 36 anti-virus products know it's a virus.

1000millasargentina.com.ar
3kman.com.ar
agmerparana.com.ar
bandaantidoto.com
beta.theindustryresource.com
edr.co.in
elportal.info
evergreen-studio.com
gfportfolio.com.ar
glycerine.servebeer.com
madurezcero.com
marketah.mysteria.cz
roskiman.com
sadsystems.com.ar.elserver.com
scoutik.mysteria.cz
thomasregisterofnj.com
www.bwlapdance.com
www.lenapiel.com

These 26 sites are still actively distributing the other version, which can be called "stream.exe" or "player.exe". It is 78,848 bytes and has the MD5 a3aec9130af6f69c715dc6eb89949079, which, according to this VirusTotal report, is slightly less detectable, with 26 of 36 anti-virus products detecting it.

1000millasargentina.com.ar
3kman.com.ar
7yascokgec.com
agmerparana.com.ar
bandaantidoto.com
beta.theindustryresource.com
crosmedia.ro
dkya.com.ar
elobservadorag.com.ar
elportal.info
eryvelton.adm.br
evergreen-studio.com
fmorigenes.com
glycerine.servebeer.com
hey.ba
madurezcero.com
marketah.mysteria.cz
mundoartegaleria.com
roskiman.com
scoutik.mysteria.cz
thomasregisterofnj.com
vakhariaretail.com
www.bodegasadan.com
www.bwlapdance.com
www.lenapiel.com
www.stoplosslevel.com


Good luck, and have a great weekend.

Gary Warner
Director of Research
UAB Computer Forensics
& Celebrity Spam Score Keeper

Shadow Botnet case may yield spammer Leni Neto

The case of the "Shadow Botnet", which peaked at 150,000 machines, will hopefully bring long-time phisher and pill-spammer Leni Neto to justice. On July 29th, the Dutch police arrested a 19-year-old Dutch man and his 16-year-old brother. We now know the elder brother is Nordin Nasiri, from Sneek, Netherlands. The Shadow botnet was spread through the Microsoft Windows Live Messenger instant messaging network. IM users would receive a text message from a friend, containing a link to download a file. If the file was downloaded, that machine would then send the same invitation to all of the people in its Microsoft Messenger address book. The Dutch also arrested a Brazilian visitor, Leni de Abreu Neto, 35, of Taubaté, Brazil, who was arranging to lease the botnet from Nasiri for 25,000 Euros. Nasiri indicated that he believed Neto would be using the botnet to send spam.

That's a pretty good guess, as IP addresses and domains used in spam in the past have come up over and over as belonging to "Leni Neto" in Brazil.

Our colleague in anti-spam blogging, Spam Hound has such an example in his blog from June 2006!

Leni is a fairly technical person, if he's the same Brazilian Leni Neto found sharing his expertise on "mysql.com".

But mostly we know Leni is a spammer. One who, fortunately, in 2004 hadn't yet learned the importance of hiding his identity, as evidenced by the WHOIS information on this US Bank Phish from 2004 at "USBANK-SECURE.BIZ":


Domain Name: USBANK-SECURE.BIZ
Domain ID: D7530751-BIZ
Sponsoring Registrar: GO DADDY SOFTWARE, INC.
Domain Status: ok
Registrant ID: GODA-07675458
Registrant Name: Leni Neto
Registrant Organization: BR IT Consulting
Registrant Address1: Av Cons Nebias, 340 Cj 64
Registrant City: Santos
Registrant State/Province: Sao Paulo
Registrant Postal Code: 11015-002
Registrant Country: Brazil
Registrant Country Code: BR


Back then AbuseButler listed Leni Neto as the registrant of at least twelve spammed domains in September 2004. ScamFraudAlert has also listed some Leni Neto owned domains, such as "lilo-three.com", and Ackadia's Anti-Spam Pages mentions him as the owner of utoometoo.biz and wallacerights.com, registered to his email address of "lneto77@uol.com.br". Nigerianspam.com listed him in their second tier, "Lesser (bleep)-eating scumbags", crediting him with 345 419-scam emails. He was also listed as the owner of a company doing Digital Cable Filter scams, "roll-toit.biz". Toasted Spam documents his pill-spamming under the domain "moreofitnow.biz", also in February 2004.

With all of that information, let me be the first to say, Leni Neto, welcome to the United States of America!

Shutting Down the Botnet



The nice twist in this case is that the Dutch High-Tech Crime Unit worked with Kaspersky Anti-Virus to create special instructions for the victims, using the criminals' own botnet to identify which people needed to be notified of how to remove the infection!

Once infected, bots would connect to an IRC channel, hosted at "elena.ccpower.ru" on port 3306, and join chat rooms with names such as "#.nigger" or "#.xxcc2". In discussions of this particular botnet dating back as far as May 18th, which can be found on the Ryan1918.com forum, security aficionados such as a "superior member" there, named "SF", said that the botnet belonged to "whoopies" and that it contained 105,000 bots.

Kaspersky's instructions for removing the bot are given both in Dutch and English.

Unfortunately, law enforcement in general seems to have a very low interest in actually shutting down botnets, despite a few high profile cases, such as those in Operation Bot Roast II.

Take this botnet, for instance. Its Command & Control, "elena.ccpower.ru", has been a well-documented botnet C&C site for years! Look for example at this McAfee AV report from 2005, which lists both this site and this channel as the way a particular piece of malware spreads.


Acting Assistant Attorney General Matthew Friedrich of the Criminal Division and Jim Letten, U.S. Attorney for the Eastern District of Louisiana, announced Thursday, August 21 that they had indicted Neto, and that extradition proceedings were underway to have Neto sent from the Netherlands to New Orleans for trial. The case is another example of international cooperation, with the Cyber Squad of the FBI's New Orleans field office, the Dutch Hi-Tech Crimes Unit and the Cyber Section of the Brazilian Federal Police all working together to bring about the arrest and indictments.

Wednesday, August 20, 2008

More Online Pharmacy Affiliates Indicted

In a trend that we first remarked on here in August 2007, with our story AffPower Indictments Scare Affiliates, more online pharmacy affiliates have been indicted by the US Department of Justice.

In this August 13th News Release from the US Attorney of the Western District of Missouri, seven Pulaski County residents were accused of participating in "a $3.4 million conspiracy to distribute prescription drugs through Internet pharmacy Web sites."

While the indictment is still sealed, we do have some initial facts. Those charged are:

Anthony D. Holman, 33
Arcelia Holman, 41 (Anthony's wife)
Clifton Thibodeaux, 33 (Arcelia's brother)
Yvonna Bays, 46
Marvin Eugene Nelson, 60
Mark E. Fitzgerald, 36
Nance R. Fitzgerald, 37 (Mark's wife)

The seven are accused of participating in a conspiracy to distribute prescription drugs, including hydrocodone, alprazolam, and zolpidem, by using fraudulent prescriptions obtained through websites they operated.

Additional charges for aiding and abetting the distribution of hydrocodone are also leveled at the seven, while the Holmans are also charged with money laundering.

If convicted, they face forfeiture of $3.4 million, as well as vehicles.

The Holmans' corporation was PersonalizedRx, LLC.

The online pharmacy criminals refer to these services as "OCS's" or "Online Consultation Services". They are convinced that having an email-based consultation with a pharmacist is a legitimate substitute for medical consultation before dispatching a prescription for controlled substances.

Using public WHOIS records, we were able to confirm that Anthony Holman was the owner of "personalizedrx.com", creating the domain on February 1, 2005, using the email address "edayne@yahoo.com" and listing a street address in Delcambre, Louisiana.

"edayne" is an email address that belonged to Arcelia Holman, who used that address in posts for her genealogy research on the Sharbeno family history.

Back in August 2005, someone started a thread on "PharmacyWatchers.com" warning about using PersonalizedRX.com. A member of that forum rose to their defense with this posting:


I have used this ocs several times and had 1 problem. It was something about a personal problem with the dr. The 1st dr they used when they 1st opened almost took them down, but they have changed and are using dr.p. She is very nice and had always rxd me 120 with 2 rf's. I'm sorry you had this experience, it really doesn't sound like them. I will call and find out what's up. Ira and Arcelia are always willing to talk to you. They are very hands on. I have spent a long time on the phone with them just chatting. Maybe they will come and let us know what's up.


Anthony Holman filed for bankruptcy in 2004 in St. Louis, but apparently has done a lot of catching up since then.

Arcelia and Anthony actually had these charges brought against them in civil proceedings back on October 4, 2007. In that case, the prosecutor for the US Attorney's office, Cynthia Hyde, filed a default judgment against Arcelia Holman, and included the proof of notice sent to Arcelia in Zwolle, Louisiana. The items listed for forfeiture were:

A bank account containing $403,930.36
Another bank account containing $2,979.53
A Cashier's Check for $10,000
A 2001 BMW X5
A 1978 Chevrolet Corvette
A 2001 Toyota 4 Runner.

These items were seized by the Drug Enforcement Administration on April 27, 2007. The DEA had begun an investigation targeting the Holmans on November 17, 2006. During the course of the investigation, a wiretap revealed that they were planning to flee the state of Missouri.

After being picked up in a routine traffic stop and brought in for questioning, the Holmans admitted that the items above were proceeds or bought with proceeds from their operation of the following websites:

www.personalizedrx.com

(registered to: Anthony Holman, 900 W Fran St. Apt 7, Delcambre, LA edayne@yahoo.com)

www.1stoppainshoppe.com

(registered to: Partners Medicine Place LLC Waynesville, MO, yvonnagbays@yahoo.com)

www.themedicineplace.com

(registered to: Gene Nelson, PO Box 485 Waynesville, MO, genenelson47@yahoo.com)

www.comfortscripts.com (Privacy Protection used to register in July 2007)

www.5starfreedom.net (Domains by Proxy used to register in November 2006)


Archives of most of these websites can still be seen via "archive.org"'s WayBack Machine. The Medicine Place, for example, clearly states:

"All medications dispensed by a licensed & regulated pharmacy"

and "The Medicine Place on call Doctors will conduct their consultation.
Prescriptions can be made available WITHIN 24 HOURS Consultation Fees are $100."

I like the Announcements section: "We no longer ship to Nevada, Tennessee and Kentucky". Hmmmm... I wonder why?


According to these earlier court records, here is how the setup functioned:


From at least 2006, the Holman organization has advertised, offered to sell, and sold controlled substances and prescriptive drugs from these Internet pharmacy websites, or previous versions of these Internet pharmacy websites, to consumers. The Holman organization does not require consumers to have a prescription before ordering the controlled substances and non-controlled prescription drugs from the websites. Once a consumer has located the Internet pharmacy website, they follow the website directions and usually begin by filling out a “medical history questionnaire.” After electronically transmitting the “medical history questionnaire,” the consumer will then usually fax medical records when requested, and pay for an “initial consultation,” usually via a credit card, or cash on delivery (C.O.D.). The identity of the consumer, the medical information in the questionnaire, and medical records are not verified. The consumer is instructed to call a number to set up a “consultation,” or they are told that they (consumer) will be called for a “consultation.” During the so-called “consultation,” a person (usually a U.S. based physician assistant) will sometimes review the questionnaire submitted to the Internet pharmacy website with the consumer over the telephone. The person reviewing the information with the consumer usually identifies themselves as a physician assistant, or does not identify themselves at all. Once it is determined what controlled substance/painkiller (usually hydrocodone) the consumer wants to order, the physician assistant (or person conducting the consultation) will “recommend” a prescription to be issued in the name of the consumer for the chosen controlled substance.
...
The recommendation, along with consumer information, is then (allegedly) “forwarded” to a physician with an active and valid DEA Registration Number that works for the Internet pharmacy website operation. The physician will then “review” the consumer information along with the recommendation by the physician assistant. The doctor then authorizes a prescription under his/her DEA Registration number and forwards the authorization to the Internet pharmacy website operation center (Holmans).

When the operation center receives the prescription from the physician, the prescription is forwarded (usually by fax) to a U.S. based pharmacy. When the prescription is received by the pharmacy, the prescription is filled in the consumer’s name and the controlled substance is then shipped to the consumer. The pharmacy filling and shipping the prescription will then charge an additional amount to the consumer, allegedly to cover the cost of the controlled substances and shipping.

The Holman organization has agreements with several pharmacies located all over the United States to fill the prescriptions. After the pharmacies fill the prescriptions, they ship the controlled substances to the consumer via FedEx, UPS or DHL. The Holman organization, through its Internet pharmacy businesses, pays for the shipping costs, reimburses the pharmacies for the cost of the drugs, and pays the pharmacies a fulfillment fee of approximately $16 for each prescription they fill. The Holman organization charges the consumer for the drugs and a consultation fee of approximately $100 to $120, from which they pay the physicians approximately $50. This entire scheme has evolved over time in an effort to subvert state and federal regulations governing the safe dispensation of pharmaceutical drugs, and allows the consumer to obtain potentially harmful, addictive, prescription drugs (primarily controlled substances), for use without direct supervision of a responsible physician.

(From Case 6:07-cv-03355-DW Document 1, Filed 10/04/2007, pages 5&6)

Let this be a warning to all of the affiliates who believe they can get rich selling drugs illegally. The website owners and their affiliates are going to be rounded up and sent to jail.

It is against the law to sell drugs where an "online consultation" has been used to get the prescription. Hopefully this case will settle that matter once and for all.

Tuesday, August 19, 2008

Evidence that Georgia DDOS attacks are "populist" in nature

I've speculated to the press a couple times that the attacks against websites in Georgia are most likely populist in nature rather than state sponsored. It seemed time to provide more complete evidence.

If you aren't familiar with the conflict between Georgia and South Ossetia, the Wikipedia article actually has some interesting, if slanted, background. Since 1992, South Ossetia has been trying to secede, with its most recent vote on the issue in 2006. On April 13, 2007 Georgia gave in and allowed the self-named "Alternative Government of South Ossetia" to be recognized as the "Provisional Administration of South Ossetia", and on May 10, Dmitry Sanakoyev was appointed the head of the administrative entity.

After Georgia attempted to join NATO in April of 2008, Senators Joseph Biden and Richard Lugar, who were co-sponsors of the Senate Resolution 523, which declared the support of the US Senate for allowing both the Ukraine and the Republic of Georgia to join, issued a press release regarding Russia's strongly voiced opposition to the move. According to the press release, President Putin had gone so far as to threaten nuclear war on the Ukraine if they joined NATO, and promised to "subvert the territorial integrity of Georgia" if it continued in its efforts.

On June 4, 2008, Biden and Lugar passed another Senate Resolution, this time condemning Russia for their use of "threatening rhetoric, military brinksmanship, and economic boycotts to intimidate and undermine the Georgian government."

This Biden Press Release explains:


In April, the Russian Federation established official ties with the Georgian breakaway regions of Abkhazia and South Ossetia in order to intentionally subvert reconciliation efforts between these regions and the Georgian government. Russia has also engaged in a series of provocative military stunts including shooting down a Georgian plane.
...
The United States must lead an intensive international diplomatic counter-offensive against Russia's efforts to destabilize Georgia and the region.


The scenario that has unfolded on the Internet is very similar to the one that preceded the Russian-Estonian DDOS attacks in April and May of 2007. At that time, President Putin's opposition to Estonia's removal of the Bronze Soldier was spread in the Moscow Times and other places, speaking of how the Estonians had betrayed Putin's own father, a member of the NKVD sabotage unit who had been in Estonia fighting the Nazis. After the will of the President was made known, the cause was taken up by Russian youth organizations, fiercely loyal to their president and well-versed in the ways of the Internet. Groups like Nashi, Young Russia, Mestniye and others distributed scripts on the web forums their members frequented, inviting them to participate in an "Internet War" (Интернет-войне), and providing them with a simple script which could be run as a ".bat" file on their computers, which would cause their machines to participate in a DDOS against Estonia.

A script almost exactly like that one is what I've now found on hundreds of Russian-language web pages, where readers are encouraged to run it on their own computers; it is being distributed in archive files with names such as "ossetia.zip".

"Yandex Clubs", similar to Facebook Groups, have been started with names such as:

Разбираем Политику - Война в Грузии!
http://clubs.ya.ru/4611686018427388521/

which translates to: "We dismantle politics - War in Georgia!"

That group currently has 937 members and is led by three moderators who use the names:

"intersolar-direct". (Intersolar works for an advertising company of the same name).

"politican" (you can see Politican's photo album here: http://fotki.yandex.ru/users/rfvxeuf/)

"agjul-2000" (who collects photos of children and puppies when he's not declaring Cyber wars, see: http://ajgul-2000.ya.ru/?ncrnd=4295 )

A search on "yandex.ru", which is perhaps similar to a Russian-language Yahoo, found hundreds of web pages with posts containing "ping commands" designed to DDOS the site "president.gov.ge". You can do the search yourself like this:

http://yandex.ru/yandsearch?text=ping+president.gov.ge+

or even on google.ru:

http://www.google.ru/search?complete=1&hl=ru&q=ping+"president.gov.ge"&filter=0





© bash

Хочешь поддержать Южную Осетию в Интернет-войне?
Вставь в текстовый файл следующий текст

(Gar-translation: Want to support South Ossetia in the Internet-war?
Insert the following into a text file)

@echo off
@echo Call this file (MSK) 18:00, 20:00
@echo Thanks for support of South Ossetia! Please, transfer this file to the friends!
pause

start ping newsgeorgia.ru -t -l 1024
start ping apsny.ge -t -l 1024
start ping nukri.org -t -l 1024
start ping opentext.org.ge -t -l 1024
start ping messenger.com.ge -t -l 1024
start ping president.gov.ge -t -l 1024
start ping government.gov.ge -t -l 1024
start ping parliament.ge -t -l 1024
start ping nsc.gov.ge -t -l 1024
start ping constcourt.gov.ge -t -l 1024
start ping supremecourt.ge -t -l 1024
start ping cec.gov.ge -t -l 1024
start ping nbg.gov.ge -t -l 1024
start ping nplg.gov.ge -t -l 1024
start ping police.ge -t -l 1024
start ping mod.gov.ge -t -l 1024
start ping mes.gov.ge -t -l 1024
start ping mfa.gov.ge -t -l 1024
start ping iberiapac.ge -t -l 1024
start ping mof.ge -t -l 1024

Сохрани с расширением.bat и запускай!

(Gar-translation: Now save with a ".bat" extension and launch!)




The script above was being distributed on a Russian hacker board on August 12th.
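The script and the forum posts above give a defender two things to look for: the script text itself turning up in archives on forums, and the traffic it produces once run. The added example below (my code, not anything from the post or from the groups it describes) parses a constructed script of the same shape to confirm it is a multi-target continuous ping flood, and then flags the same pattern in constructed flow records; the hostnames, the flow record format and the thresholds are assumptions.

```python
"""Triage for 'support' ping-flood batch scripts and the traffic they generate."""
import re
from collections import defaultdict

DEFAULT_PAYLOAD = 32  # ICMP data bytes Windows ping sends when -l is absent
# Windows ping switches that consume the next token as their argument.
_ARG_SWITCHES = {"-n", "-i", "-v", "-w", "-r", "-s", "-j", "-k"}
# Matches 'ping ...' and 'start ping ...' (optionally with a start window title).
_PING_RE = re.compile(r'^\s*(?:start\s+(?:"[^"]*"\s+)?)?ping(?:\.exe)?\s+(.+)$', re.IGNORECASE)
# key=value fields of the constructed flow records below (assumed format).
_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_ping_script(text):
    """Return one record per ping invocation: host, continuous (-t), payload (-l)."""
    records = []
    for line in text.splitlines():
        m = _PING_RE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        host, continuous, payload = None, False, DEFAULT_PAYLOAD
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            low = tok.lower()
            if low == "-t":
                continuous = True
            elif low == "-l" and i + 1 < len(tokens):
                payload = int(tokens[i + 1])
                i += 1
            elif low in _ARG_SWITCHES:
                i += 1  # skip the switch's argument
            elif tok.startswith(("-", "/")):
                pass  # flag without an argument (-a, -f, -4, -6, ...)
            elif host is None:
                host = tok.strip('"')
            i += 1
        if host:
            records.append({"host": host, "continuous": continuous, "payload": payload})
    return records


def script_looks_like_flood(records, min_hosts=5):
    """The distributed scripts ping many hosts forever with an oversized payload;
    flag a script that does so against at least min_hosts distinct hosts."""
    hosts = {r["host"] for r in records
             if r["continuous"] and r["payload"] > DEFAULT_PAYLOAD}
    return len(hosts) >= min_hosts


def find_ping_flood_sources(flow_lines, min_dsts=5, min_avg_len=1000):
    """On the wire a participant shows up as one source sending ICMP echo requests
    (type 8) of about 1052 bytes (1024 data + 8 ICMP + 20 IPv4) to many destinations
    at once. Return {src: [dst, ...]} for sources over the thresholds."""
    per_src = defaultdict(set)
    for line in flow_lines:
        f = dict(_FIELD_RE.findall(line))
        if f.get("proto") != "icmp" or f.get("type") != "8":
            continue
        pkts = int(f.get("pkts", 0))
        if pkts == 0 or int(f.get("bytes", 0)) / pkts < min_avg_len:
            continue
        per_src[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in per_src.items() if len(dsts) >= min_dsts}


# Constructed sample with the same shape as the script in the post; hostnames are placeholders.
SAMPLE_SCRIPT = """@echo off
@echo constructed sample
pause
start ping site-a.example -t -l 1024
start ping site-b.example -t -l 1024
start ping site-c.example -t -l 1024
start ping site-d.example -t -l 1024
start ping site-e.example -t -l 1024
ping -n 4 intranet.example
"""

# Constructed flow records (not from a real sensor): 10.0.0.7 runs the script,
# 10.0.0.9 sends an ordinary four-packet ping of 60-byte packets.
SAMPLE_FLOWS = [
    "ts=2008-08-12T18:00:01 src=10.0.0.7 dst=198.51.100.10 proto=icmp type=8 pkts=600 bytes=631200",
    "ts=2008-08-12T18:00:01 src=10.0.0.7 dst=198.51.100.11 proto=icmp type=8 pkts=598 bytes=629096",
    "ts=2008-08-12T18:00:01 src=10.0.0.7 dst=198.51.100.12 proto=icmp type=8 pkts=601 bytes=632252",
    "ts=2008-08-12T18:00:01 src=10.0.0.7 dst=198.51.100.13 proto=icmp type=8 pkts=597 bytes=628044",
    "ts=2008-08-12T18:00:01 src=10.0.0.7 dst=198.51.100.14 proto=icmp type=8 pkts=600 bytes=631200",
    "ts=2008-08-12T18:00:03 src=10.0.0.9 dst=198.51.100.10 proto=icmp type=8 pkts=4 bytes=240",
    "ts=2008-08-12T18:00:04 src=10.0.0.7 dst=203.0.113.5 proto=tcp dport=80 pkts=12 bytes=5400",
]

if __name__ == "__main__":
    recs = parse_ping_script(SAMPLE_SCRIPT)
    print("flood script:", script_looks_like_flood(recs), recs)
    print("flood sources:", find_ping_flood_sources(SAMPLE_FLOWS))
```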

Here is a rather typical posting . . . I apologize for my poor translation; I used a computer for it:

http://www.myzafira.ru/forum/viewtopic.php?t=2745&view=next&sid=ff42b833bc19c03b3c60ae6a2f1ac5a3

The poster says:


I ask the administrators not to delete my communication. From the Soviet Information ministry, 8 August 2008: Georgian troops DISLOYALLY attacked South Ossetia completely annihilating the city of Tskshinvali. Under the rubble of the blasted buildings reside THOUSANDS OF PEOPLE and HUNDREDS OF RUSSIANS! They cannot leave because the city is filled with snipers! It is time for us to join the war! Georgia has begun a war with Russia and is spreading false information from their government. Call to settle this with a DDOS-attack


He goes on to list a script similar to the one above which would attack eight different government websites in Georgia. So, this poster's plea to his readers is - Russians are dying - the Georgian government is lying about it - we can stop them from spreading these lies by DDOS'ing the government websites.

Other posters have used other forms of argument to convince their fellow Russians this is the right course of action, but I would consider this "typical behavior".




So . . . to get back to the question "Is this a state-sponsored cyber attack?" I'm not sure we agree on what that question means. If the question is "Is the Russian government attacking the websites of Georgia?", I think it's fairly obvious the answer is "No."

Has the government used its voice in the media to create a popular tension, where the average citizen believes that allowing Georgia to join NATO will weaken "Common Russia", as the phrase is being used, and that splintering Georgia through support for South Ossetia will prevent that? "Certainly!"

And have some of those citizens started a grass-roots DDOS attack by distribution of scripts such as the one above? "Yes."

Monday, August 18, 2008

One third of current spam points to malware sites


Friday, August 15, 2008

New BBC spam mocks Georgia's President, Spreads New Virus

This morning we've received more than 300 copies of a new "BBC" spam campaign which mocks Georgia's President and spreads a new virus.

The mail is delivered with three distinct subjects so far:

A copycat spammer is using headlines:

BBC NEWS.
Weekly BBC NEWS.
Your subscription.

to send spam messages claiming a headline that the President of Georgia is gay.

The Headlines within the email message choose from:

Mikheil Saakashvili gay scandal! New of this week!
Saakashvili have a funny woman organ (pu..sy)! see it!
Funny Saakashvili gay video...See now!Sensation!
Sensation! president of Georgia... GAY! See now!
Last news! Saakashvili (president of Georgia) the gay!
President of Georgia - intim (GAY) video! see now!


The spams contain a linked image of the President from the BBC:



We've received 300+ copies so far . . .

Malware loads from these locations:


All of those locations actually cause the virus to be delivered from a single location, the IP address:

79.135.167.49

The name of the malware is "name.avi.exe", and at the moment, only FOUR out of 36 anti-virus products detect it.



Clearly the spam is from someone who doesn't have a solid command on the English language.

So far the emails have been received from more than 40 IP addresses. Spot-checking these IP addresses for previous spam activity finds nothing in the UAB Spam Data Mine, suggesting these machines are not part of a previously used spamming botnet.


Thursday, August 14, 2008

Can You Pick the Real MSNBC.Com Breaking News?

The top spam on the planet was again today the "msnbc.com - BREAKING NEWS", falling from its peak of nearly 14%, but still remaining in a healthy first place with 6% of all spam received today at the UAB Spam Data Mine.

In order to determine how similar the spam was to the actual emails that would be received by MSNBC Breaking News subscribers, I subscribed to the service. Can you pick the two headlines from the list of spam today that really came from MSNBC?

msnbc.com - BREAKING NEWS: "I Ate All The Pies" - Man Confesses
msnbc.com - BREAKING NEWS: [video] If Barack Obama Is an Oreo, What Is John McLaughlin?
msnbc.com - BREAKING NEWS: [video] New Yorker Cover of John McCain
msnbc.com - BREAKING NEWS: [video] Take it from us: People Hate Satire
msnbc.com - BREAKING NEWS: 6 Ways Airlines Could Make Some Serious Money of You
msnbc.com - BREAKING NEWS: Abortion outlawed in California
msnbc.com - BREAKING NEWS: Advertisement feature; Guess Who game now available on Blue-tooth
msnbc.com - BREAKING NEWS: Airlines Roll Out New Punch-In-The-Face Fee
msnbc.com - BREAKING NEWS: Americans love law suits for breakfast
msnbc.com - BREAKING NEWS: Barbra Streisand: "I Don't Want to Talk to the Maid"
msnbc.com - BREAKING NEWS: Bins to be collected just once a year
msnbc.com - BREAKING NEWS: Black Activists Line Up To Take Swipe At Obama
msnbc.com - BREAKING NEWS: Blue Peter to raise standards: competition entries to be criticised on show
msnbc.com - BREAKING NEWS: Bomb scare grounds thousands of flights at UK Heathrow airport
msnbc.com - BREAKING NEWS: Brett Favre Undergoes ESPN Surgery
msnbc.com - BREAKING NEWS: British competitor fails to 'crash out' of Olympics
msnbc.com - BREAKING NEWS: Bush Finally Reads Job Description
msnbc.com - BREAKING NEWS: Bush, Cheney To Co-Star In "Flip This White House"
msnbc.com - BREAKING NEWS: Catapult Program Flings Commuters to Work
msnbc.com - BREAKING NEWS: Consumer prices jump 0.8 percent in July; inflation rises at fastest rate in 17 years
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: Councils Powerless to Prevent Surge in Table Morris Dancing
msnbc.com - BREAKING NEWS: Couple Plans Breakup in January 2009
msnbc.com - BREAKING NEWS: Cranberries CD Cures Woman's Urinary Tract Infection
msnbc.com - BREAKING NEWS: Daily Stir: London Mayor Gets Nipple Caught In Ringer
msnbc.com - BREAKING NEWS: Damien Hirst pickles business manager
msnbc.com - BREAKING NEWS: Dark Knight establishes dominance with 400 million mark
msnbc.com - BREAKING NEWS: Deer Decoy Badly Damaged in Crash That Caused Death of Elderly Couple
msnbc.com - BREAKING NEWS: Don Majkowski Demands to be Reinstated as Packers Quarterback
msnbc.com - BREAKING NEWS: Early Morning Coffee Conversation Entices Normally Flavorless Office Staff
msnbc.com - BREAKING NEWS: Elizabeth Taylor found murdered at home
msnbc.com - BREAKING NEWS: Europe's Most Wanted Man Discovered Living With Smurfs
msnbc.com - BREAKING NEWS: Even The New Yorker 'Cartoon Dogs' Are Pissed at the 'Obama Cover'
msnbc.com - BREAKING NEWS: Exclusive: Barack Obama Can Fly Through The Air Like That Guy On Heroes
msnbc.com - BREAKING NEWS: Extreme Home Makeover: Host Ty Pennington's House Inadvertantly Bulldozed
msnbc.com - BREAKING NEWS: Fan Rushed to Hospital After Bleeding Team Colors
msnbc.com - BREAKING NEWS: Favre gets unconditional reverse deactivation restriction preclusion
msnbc.com - BREAKING NEWS: Favre Signs Deal With Gerber
msnbc.com - BREAKING NEWS: Find out the disorders in your personality with this test
msnbc.com - BREAKING NEWS: Forecasters Predict Hello Dolly Headlines as Storm Hits
msnbc.com - BREAKING NEWS: Four Horseman of the Apocalypse Split; Pestilence to go Solo
msnbc.com - BREAKING NEWS: Fox News Admits Grievous Error
msnbc.com - BREAKING NEWS: Fredie Mac losses mount, loses billions every month
msnbc.com - BREAKING NEWS: GOld prices reach 25-year high, buy gold for a safe and reliable investment
msnbc.com - BREAKING NEWS: Government admits losing Prime Minister's bucket and spade
msnbc.com - BREAKING NEWS: Grinch Turns Attention to Gas Tax Holiday
msnbc.com - BREAKING NEWS: History Channel Begins Incorporating Product Placements into History
msnbc.com - BREAKING NEWS: Is Gay Bishop Gay Enough?
msnbc.com - BREAKING NEWS: Jason Kidd Feels Guilty After Stealing Ball from Chinese Point Guard
msnbc.com - BREAKING NEWS: Jihadist Children's Television Workshop Debuts New Characters
msnbc.com - BREAKING NEWS: John Edwards Admits Fathering Clay Aiken's Baby
msnbc.com - BREAKING NEWS: Laughter of Bullpen Coach Leads to Paranoia Among Texas Ranger Relievers
msnbc.com - BREAKING NEWS: Led Zepp's Stairway to Heaven Not Up To Code
msnbc.com - BREAKING NEWS: M1 Roadworks Revealed as 'Conceptual Art'
msnbc.com - BREAKING NEWS: Man Believes Life Only Validated When Captured on Camera
msnbc.com - BREAKING NEWS: Mary-Kate Olsen supplied drugs
msnbc.com - BREAKING NEWS: Maybe al-Maliki's Comments Really Were Lost in Translation
msnbc.com - BREAKING NEWS: McCain A 'GPS Black Hole' Say Scientists
msnbc.com - BREAKING NEWS: McCain Advisor: We're A Nation Of Winos
msnbc.com - BREAKING NEWS: McCain Endorses Bush For 3rd Term
msnbc.com - BREAKING NEWS: McCain Opposes Gay Adoption of Highways
msnbc.com - BREAKING NEWS: McCain Plans Vietnam Campaign Tour
msnbc.com - BREAKING NEWS: McCain Serenades Gramm: '50 Ways to Leave Your Hoover'
msnbc.com - BREAKING NEWS: McCain to 'Match' Obama With Tour of Epcot's 'World Showcase'
msnbc.com - BREAKING NEWS: McCain, Obama: Cosmo Cover Also Tasteless, Offensive
msnbc.com - BREAKING NEWS: McCain's Op-Ed on Iraq Rejected by The 'Pennysaver
msnbc.com - BREAKING NEWS: Mexican arrested on billion-dollar graft case
msnbc.com - BREAKING NEWS: Millions of credit card numbers stolen from bank database, find out if you are affected
msnbc.com - BREAKING NEWS: NAACP Protests Hurricane Names
msnbc.com - BREAKING NEWS: NASA Claim to Have Achieved First Zero-Gravity Erection
msnbc.com - BREAKING NEWS: Nature Did Not Connect the Funny Bone to the Satire Bone
msnbc.com - BREAKING NEWS: New Economic Stimulus Package Inlcudes Goat
msnbc.com - BREAKING NEWS: No one killed in Bancroft, West Virginia Today
msnbc.com - BREAKING NEWS: Nuts! Jackson Backs Neutering Stray Politicians
msnbc.com - BREAKING NEWS: NY Times Challenges Al Gore to Make 'Climate Change Campaign' More Dramatic
msnbc.com - BREAKING NEWS: Obama 'Airs' His Criticism of John Edwards
msnbc.com - BREAKING NEWS: Obama Orders The New Yorker to Go Back to Satirizing Bush
msnbc.com - BREAKING NEWS: Obama Proposes Tax Cut Tax
msnbc.com - BREAKING NEWS: Obama Satirized as a 'Jew' by Jordanian Magazine, 'The New Ammaner'
msnbc.com - BREAKING NEWS: Obama set to win presidency
msnbc.com - BREAKING NEWS: Obese, Malodorous Boy Missing
msnbc.com - BREAKING NEWS: Pale, Hairless and Would Never Fit In Anyway
msnbc.com - BREAKING NEWS: Polar Bears must be taught to Swim
msnbc.com - BREAKING NEWS: Police Raid Donut City
msnbc.com - BREAKING NEWS: Police to Tackle Bike Crime with New Indifferent Squad
msnbc.com - BREAKING NEWS: Poll: Congresss Opinion of Constituents at All-Time Low
msnbc.com - BREAKING NEWS: Preliminary US Presidential election polls results here
msnbc.com - BREAKING NEWS: Report: Fate of "Ross and Rachel" Used to Torture Iraqi Prisoners
msnbc.com - BREAKING NEWS: Royals Become First Sports Team To Sponsor Gay Guy
msnbc.com - BREAKING NEWS: Russian troops appear to be preparing to withdraw from Georgia, U.S. says
msnbc.com - BREAKING NEWS: Ryanair's O'Leary revealed to be Greenpeace activist
msnbc.com - BREAKING NEWS: Satirists Riot Over The New Yorker Obama Cartoon
msnbc.com - BREAKING NEWS: Scientist Prepare to Colonize Redneck Area
msnbc.com - BREAKING NEWS: Scientists Warn Of New Global Luke Warming Threat
msnbc.com - BREAKING NEWS: SJC Loosens Handgun Control To Stimulate Economy
msnbc.com - BREAKING NEWS: Software Piracy Leads to Full-Fledged Piracy
msnbc.com - BREAKING NEWS: Sony announces replacement to successful PSP gaming system
msnbc.com - BREAKING NEWS: South Carolina Sinking - Gov. Implores Obese Citizens to "Exercise For It
msnbc.com - BREAKING NEWS: Sports Fans Novelty Wig Marks Him Out as 'a Bit of a Character
msnbc.com - BREAKING NEWS: Steve Jobs Names God as Successor
msnbc.com - BREAKING NEWS: Stonehenge was Part of Crazy Golf Course for Race of Giant Humans
msnbc.com - BREAKING NEWS: Study reveals bass players 'every bit as dull as golfers'
msnbc.com - BREAKING NEWS: Stupid Asians lose lawsuits against Americans
msnbc.com - BREAKING NEWS: The Evolution of Wal-Mart's Corporate Logo failed
msnbc.com - BREAKING NEWS: The Founding Fathers Fought for My Right to be a Stupid Jerk
msnbc.com - BREAKING NEWS: The New Yorker Continues its Irony Tour, wish on Rushmore
msnbc.com - BREAKING NEWS: The World is on Pace to Run out of Internet by 2010
msnbc.com - BREAKING NEWS: Three Italian College Students Purchase Kansas City Royals for 500 Euros
msnbc.com - BREAKING NEWS: Thursday, Al Gore gave yet another speech about the planet or something
msnbc.com - BREAKING NEWS: Tiger Woods to take 2-year break from golf
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: Tour Manager Mostly In Charge of Getting Band Drugs
msnbc.com - BREAKING NEWS: UK Government Put on 'Special Measures' - Private Managers to be Appointed
msnbc.com - BREAKING NEWS: US Dollar hits 6-year high, further gains expected
msnbc.com - BREAKING NEWS: Video Game Designer Forces Children to Play Mini-Game for Lunch Money
msnbc.com - BREAKING NEWS: Video: Mr. White's List of Demands - Ep. 6
msnbc.com - BREAKING NEWS: What Annoyed Us About The Olympic Opening Ceremony
msnbc.com - BREAKING NEWS: What do Somalia, Long John Silver and the U.N. have in common?
msnbc.com - BREAKING NEWS: Which Olsen Twin is the Evil Twin?
msnbc.com - BREAKING NEWS: White Elephant in the Room Actually Charlie Weis
msnbc.com - BREAKING NEWS: Whos going to stop the WNBA?


Here's the big give-away on the spam vs. real. When one subscribes to the MSNBC Breaking News service, the "To:" address for the email won't show up as your address. It will show up as "BREAKINGNEWS@LISTS.MSNBC.COM". If you have MSNBC mail that is showing this in the "To:" address, it's probably real.

Of the subjects above, the only headlines delivered by the "real" email were:

Consumer prices jump 0.8 percent in July; inflation rises at fastest rate in 17 years

and

Russian troops appear to be preparing to withdraw from Georgia, U.S. says

All the rest were fakes.

The sites advertised in the spam are still quite widespread. Here is the list of compromised sites used to spread the virus today:


I repeated our "Linking All the News Spam Together" query with MSNBC instead of CNN. 1/7th of the computers from which we had received MSNBC spam had also sent us CNN spam. 1/9th of our MSNBC machines had sent "earlier families" or "unbranded" News Spam prior to the beginning of the CNN campaign.

None of the IP addresses currently sending us MSNBC spam are being seen sending any other type of spam.

Wednesday, August 13, 2008

MSNBC Breaking News replaces CNN Spam Wave

Want the freshest breaking news? You can subscribe to it from MSNBC by visiting their Breaking News by Email page. CNN has the same offer at CNN Alerts by Email.

But what if your trusted news delivery mechanism is the bad guys' new malware delivery mechanism? By imitating legitimate emails, criminals have built up a network of more than 250,000 spam-sending machines. Up until 2:12 AM today CNN had been the primary target, and we received CNN Alerts at rates peaking as high as a dozen per minute. At 2:12 AM, the CNN campaign stopped.

Beginning at 3:15 AM today, August 13th, the UAB Spam Data Mine began receiving emails with news headlines in them that claimed to be from MSNBC. We're now receiving several each minute, with more than 500 archived already this morning. Here's the first one we received:



In that email, the unsubscribe link really goes to Microsoft, the Privacy statement really goes to Microsoft, but the "breakingnews" link went to:

(DO NOT CLICK! THIS IS A MALWARE PAGE!!!)

http://ndcbfworshipplanning.org/up.html
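The two checks described in this post and in the August 14 post above (a genuine alert is addressed to BREAKINGNEWS@LISTS.MSNBC.COM, and its links stay on MSNBC and Microsoft hosts, while the spam's "breakingnews" link goes to a third-party host) as an added example that is not the author's tooling; the trusted-domain list, the sample headers and the hostnames in the samples are assumptions.

```python
"""Screen for look-alike 'MSNBC Breaking News' mail using the two signals in the posts."""
import email
import email.policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Per the post: genuine list mail is addressed to the list, not to the subscriber.
LIST_ADDRESS = "breakingnews@lists.msnbc.com"
# Assumption: a genuine alert only links into these domains (and their subdomains).
TRUSTED_SUFFIXES = ("msnbc.com", "microsoft.com")


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _trusted_host(host):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def screen_alert(raw_message):
    """Return the two signals plus a verdict.

    The To: header is forgeable, so it only raises confidence; a link to a host
    outside the trusted domains is the stronger signal."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    to_header = msg["To"]
    to_addrs = [a.addr_spec.lower() for a in to_header.addresses] if to_header else []
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    untrusted = [(text, href) for text, href in collector.links
                 if not _trusted_host(urlparse(href).hostname)]
    to_is_list = LIST_ADDRESS in to_addrs
    verdict = "likely genuine" if to_is_list and not untrusted else "suspicious"
    return {"to_is_list": to_is_list, "untrusted_links": untrusted, "verdict": verdict}


# Constructed samples: headers, paths and the compromised host are placeholders, not captured mail.
SPAM_SAMPLE = """\
To: victim@example.org
Subject: msnbc.com - BREAKING NEWS: Polar Bears must be taught to Swim
Content-Type: text/html; charset="us-ascii"

<html><body><p>msnbc.com - BREAKING NEWS</p>
<a href="http://compromised-host.example/up.html">breakingnews</a>
<a href="http://www.msnbc.com/id/000/">Unsubscribe</a>
<a href="http://privacy.microsoft.com/">Privacy Statement</a>
</body></html>
"""

GENUINE_SAMPLE = """\
To: BREAKINGNEWS@LISTS.MSNBC.COM
Subject: msnbc.com - BREAKING NEWS: Consumer prices jump 0.8 percent in July
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="http://www.msnbc.com/id/000/">Read the full story</a>
<a href="http://privacy.microsoft.com/">Privacy Statement</a>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(name, screen_alert(raw))
```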

So far (and this campaign is still only 2.5 hours old) we have seen the malware distributed on the following 45 domain names:



On each server, a file called "adobe_flash.exe" will be downloaded to the visitor's PC. I retrieved the malware successfully from 42 websites and compared the copies using MD5. All 42 copies have the same MD5:

06bd0701d470475d32c6d98a0c685e4b http://01fe1e4.netsolhost.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://208.112.17.55/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://66.241.199.27/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://70x7riders.org/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://accara.org.ar/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://acevaleting.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://adultvision.contentcoders.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://alternativemicro.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://bg-buttisholz.ch/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://blocket.be/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://cirujanomonterrey.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://clarefoundation.org/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://criminallegalhelp.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://discoverpeople.co.uk/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://dmisystems.ro/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://dominostalknews.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://empoweringbirths.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://fecami.org.ar/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://foothillchristian.org/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://gallinaspuras.com.ar/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://gfranco.com.ar/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://interd.ru/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://jonathanwheat.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://ndcbfworshipplanning.org/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://pilotsupport.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://randymethven.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://starpt.net/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://stewsamuels.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://suruu.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.berachahbaptist.org/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.bicetokyo.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.cdpc.net/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.complete-safety-resources.ca/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.cristianosecuador.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.donovanpinscherclub.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.dransfieldandross.biz/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.floridapottingsoils.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.greatgraphicsnow.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.lakeoconee.net/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.nsdcar.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.soundsrightdjs.com/adobe_flash.exe
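
When a sweep like the one above is pasted into a report, two things are worth checking mechanically before the hashes are shared: that every line is well formed (the listing above contains one hostless entry, "http://adobe_flash.exe"), and that every copy really carries the same digest, since a single divergent hash would mean a second build is in circulation. The script below is an added example, not the post's own tooling; its sample listing is constructed for the example, reusing the digest and a few hosts from the post, with one invented entry under the reserved .example domain carrying a second digest so the outlier path is exercised.

```python
"""Cross-check an 'md5 url' listing from a malware download sweep.

Added example, not code from the original post. SAMPLE_LISTING is
constructed: the first lines reuse the digest and hosts reported in the
post, the 'divergent.example' and 'bad.example' lines are invented to show
an outlier digest and a malformed entry, and the hostless line mirrors one
that appears in the post's own listing.
"""
import re
from collections import Counter
from urllib.parse import urlparse

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

SAMPLE_LISTING = """\
06bd0701d470475d32c6d98a0c685e4b http://01fe1e4.netsolhost.com/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://208.112.17.55/adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://adobe_flash.exe
06bd0701d470475d32c6d98a0c685e4b http://www.soundsrightdjs.com/adobe_flash.exe
ffffffffffffffffffffffffffffffff http://divergent.example/adobe_flash.exe
not-a-hash http://bad.example/adobe_flash.exe
"""


def parse_listing(text):
    """Split the listing into (md5, url) pairs and a list of rejected lines."""
    good, bad = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            bad.append(line)
            continue
        digest, url = parts[0].lower(), parts[1]
        parsed = urlparse(url)
        # Reject a non-hex digest, a URL without a host, or a URL whose path
        # names no file (the hostless 'http://adobe_flash.exe' case).
        if not MD5_RE.match(digest) or not parsed.hostname or not parsed.path.strip("/"):
            bad.append(line)
            continue
        good.append((digest, url))
    return good, bad


def summarize(entries):
    """Report the dominant digest, any URLs carrying a different one, and the host set."""
    counts = Counter(digest for digest, _ in entries)
    dominant, n = counts.most_common(1)[0]
    return {
        "dominant_md5": dominant,
        "dominant_count": n,
        "outliers": [url for digest, url in entries if digest != dominant],
        "hosts": sorted({urlparse(url).hostname for _, url in entries}),
    }


if __name__ == "__main__":
    entries, rejected = parse_listing(SAMPLE_LISTING)
    report = summarize(entries)
    print(f"{report['dominant_count']} copies share {report['dominant_md5']}")
    print("outliers:", report["outliers"])
    print("rejected lines:", rejected)
    print("hosts to block:", report["hosts"])
```

The host set that comes out is the blocklist material; the outlier list is what should trigger a second look, because a differing digest on the same file name usually means a repacked sample rather than a transfer error.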




There have been sixty unique subjects used so far, but look for that number to grow dramatically:

msnbc.com - BREAKING NEWS: Abortion made illegal in New York
msnbc.com - BREAKING NEWS: Abortion outlawed in California
msnbc.com - BREAKING NEWS: Americans love law suits for breakfast
msnbc.com - BREAKING NEWS: Americans loves to sue people
msnbc.com - BREAKING NEWS: Anthrax case solved
msnbc.com - BREAKING NEWS: Apple September show highly anticipated
msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
msnbc.com - BREAKING NEWS: Bomb scare grounds thousands of flights at UK Heathrow airport
msnbc.com - BREAKING NEWS: Buy gold at lowest prices and make immediate profits
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: Dark Knight establishes dominance with 400 million mark
msnbc.com - BREAKING NEWS: Elizabeth Taylor found murdered at home
msnbc.com - BREAKING NEWS: Elvis Presley daughter gives birth to twins
msnbc.com - BREAKING NEWS: Europeans dislike Americans attitudes
msnbc.com - BREAKING NEWS: Find out how to get top returns for your money at minimum risk
msnbc.com - BREAKING NEWS: Find out the disorders in your personality with this test
msnbc.com - BREAKING NEWS: Freddie Mac loses $1B
msnbc.com - BREAKING NEWS: Fredie Mac losses mount, loses billions every month
msnbc.com - BREAKING NEWS: GOld prices reach 25-year high, buy gold for a safe and reliable investment
msnbc.com - BREAKING NEWS: Google launches free music downloads in China
msnbc.com - BREAKING NEWS: High calorie food banned in canteens
msnbc.com - BREAKING NEWS: Hospital CEO arrested in healthcare scheme
msnbc.com - BREAKING NEWS: How to save money on gas
msnbc.com - BREAKING NEWS: I will be suing you
msnbc.com - BREAKING NEWS: Japanese Prime Minister denies World War 2 ever took place
msnbc.com - BREAKING NEWS: Jerry Yang relinquishes control over Yahoo
msnbc.com - BREAKING NEWS: Jury duties for you
msnbc.com - BREAKING NEWS: Mary-Kate Olsen guilty for Heath Ledger's death
msnbc.com - BREAKING NEWS: Mary-Kate Olsen implicated in Heath Ledger's death
msnbc.com - BREAKING NEWS: Mary-Kate Olsen responsible for Heath Ledger's death
msnbc.com - BREAKING NEWS: Mary-Kate Olsen supplied drugs
msnbc.com - BREAKING NEWS: McCain gives up fighting for presidency
msnbc.com - BREAKING NEWS: McCain told lies to win votes
msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
msnbc.com - BREAKING NEWS: Mexican arrested on billion-dollar graft case
msnbc.com - BREAKING NEWS: Microsoft announces takeover bid for Intel, details inside
msnbc.com - BREAKING NEWS: Microsoft buys over AOL
msnbc.com - BREAKING NEWS: Millions of credit card numbers stolen from bank database, find out if you are affected
msnbc.com - BREAKING NEWS: NASDAQ index gains 720 points overnight upon war announcement
msnbc.com - BREAKING NEWS: Obama set to win presidency
msnbc.com - BREAKING NEWS: Oil prices rises due to attacks
msnbc.com - BREAKING NEWS: Plane crashes into prep school, hundreds of kids killed
msnbc.com - BREAKING NEWS: Please give your opinions for change
msnbc.com - BREAKING NEWS: Preliminary polls for the election
msnbc.com - BREAKING NEWS: Preliminary US Presidential election polls results here
msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak
msnbc.com - BREAKING NEWS: Sony announces replacement to successful PSP gaming system
msnbc.com - BREAKING NEWS: Stocks set to fall on recession
msnbc.com - BREAKING NEWS: Stupid Asians lose lawsuits against Americans
msnbc.com - BREAKING NEWS: Tiger Woods to take 2-year break from golf
msnbc.com - BREAKING NEWS: Time Warner sells AOL
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: US Dollar hits 6-year high, further gains expected
msnbc.com - BREAKING NEWS: Vitamin C shows promise in anti-cancer trials
msnbc.com - BREAKING NEWS: West Nile virus found in California
msnbc.com - BREAKING NEWS: West Nile virus spreading in USA
msnbc.com - BREAKING NEWS: West Nile virus spreads in Europe
msnbc.com - BREAKING NEWS: Wildfires hit Arizona, leave thousands homeless
msnbc.com - BREAKING NEWS: You are looking at a lawsuit
msnbc.com - BREAKING NEWS: You are selected as a jury

Visiting the webpage in question also causes the computer to receive a pop-up from the site:

http://asvoo.org/antivir/

The asvoo.org domain was created on August 1st and claims to be hosted in Panama by the "Net2Net" hosting company. It's running the nginx webserver, favored by Russian and Ukrainian criminals, and is hosted on the IP address 200.46.83.233.

That IP address hosts more than 150 "spam-related" domains and has been blacklisted by Spamhaus since August 1st. In the most recent Spamhaus SBL Advisory, the IP is tied to the "CNN" alerts, offering further evidence that the CNN and MSNBC attacks are one and the same.

(A sample CNN spam from August 5 is listed on the Spamhaus site.)