Tuesday, August 26, 2008

E-cards Run Wild. Where are the Anti-Virus Companies?

E-card spam was running wild today according to many of my students, co-workers, fellow InfraGard members, family members, and total strangers who had read an article about the UAB Spam Data Mine. While we collected well over 1,000 copies of the message in the Data Mine, we heard from our colleagues in UAB Security that campus-wide they had blocked emails originating from more than 4,000 unique IP addresses. That means 4,000 compromised computers had tried to send copies of this email just to people who work or study at UAB!

The emails we received pointed to URLs like:

http://turismoaq.it/e-card.exe
http://pieralbrechtdr.com/e-card.exe
http://faunarium.net/e-card.exe
http://independenceinstrument.com/

Detection of the most recent version of the malware is horrible! At this timestamp, as illustrated by the current Virus Total Results, only 10 of 34 anti-virus engines can detect the product. I'm writing this at home where I run McAfee Security Center on my Vista Ultima machine. With a "just refreshed" version of the anti-virus, it still doesn't detect the 'e-cards.exe' that I just fetched from faunarium.net.



What does the virus do?

It starts out by creating a few files in the currently logged in users Temp folder, including:

dimarik_1.exe
inst2_294.exe
scan.exe

After a bit, a strange pattern emerges. Scanned files are being sent out to the Internet! I won't list the IP here (its been shared with law enforcement), but logs publicly viewable on the server's webpages indicated that thousands upon thousands of infected computers are sending files from themselves to this collection point. Logging one line per received file, there are days where this server has received more than 10 MB of log entries! Today so far, not quite 2 MB of log entries indicated 24,000 files retrieved.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.