Posts by author:

UAB's Director of Research in Computer Forensics

Inter-company Invoice spam leads to Malware

by UAB's Director of Research in Computer Forensics on August 10, 2011

in SBN

This morning we are seeing a new spam campaign in the UAB Spam Data Mine. Volumes are still low, but the count is rising steadily, and the detection so far is horrible. When I started writing this post we had seen 710 copies. It's now up to 1389 copies and counting!

count | mbox
-------+---------------------
1 | 2011-08-10 05:45:00
6 | 2011-08-10 06:00:00
3 | 2011-08-10 06:15:00
85 | 2011-08-10 06:30:00
1 | 2011-08-10 06:45:00
3 | 2011-08-10 07:00:00
1 | 2011-08-10 07:15:00
301 | 2011-08-10 07:30:00
252 | 2011-08-10 07:45:00
260 | 2011-08-10 08:00:00
247 | 2011-08-10 08:15:00
229 | 2011-08-10 08:30:00
(12 rows)


The spam pretends to be an invoice from a random company. So far this morning we've seen spam claiming to be an invoice from:

Aleris International Corp.
AMR Corporation Corp.
Anic Corp.
Arch Coal Corp.
ATFT Corp
Beazer Homes USA Corp.
Boyd Gaming Corp.
Brookdale Senior Living Corp.
Hyland Software Corp.
KPMG Corp.
Kraft Foods Corp.
Miltek Corp.
Novellus Systems Corp.
OSN Corp.
PDC Corp.
Safeco Corporation Corp.
WLC Corp.

Subject can be:

Re: Fw: Inter-company inv. from (company)
Re: Fw: Inter-company inv. from (company)
Re: Fw: Inter-company invoice from (company)
Re: Fw: Intercompany invoice from (company)
Re: Fw: Corp. invoice from (company)

A couple of example emails follow:

Hi
Attached the inter-company inv. for the period January 2010 til December 2010.

Thanks a lot for support setting up this process.

CHERYL Flowers
Kraft Foods Corp.

-----------

Hi

Attached the inter-company inv. for the period January 2010 til December 2010.
Thanks a lot

Asher GIFFORD
Anic Corp.

-----------

Good day

Attached the intercompany invoice for the period January 2010 til December 2010.

Thanks a lot for supporting this process
MAYOLA LEARY
Aleris International Corp.

The attachment is named "Intinvoice" or "Invoice", followed by an underscore, a date, another underscore, an "invoice number", and ".zip", such as:

Intinvoice_08.6.2011_2222341965.zip
or
Intinvoice_08.4.2011_Q167829.zip
or
Invoice_08.6.2011_T40099.zip


We've seen 1300+ copies so far in the UAB Spam Data Mine, and I have 15 in my personal email.

So far, all have had the same attachment MD5, which yields a 6 of 43 detection rate on this VirusTotal Report.

So far everyone is just saying it is "Suspicious" or "Generic" ... which is our invitation to infect ourselves and figure out what it does!

When we launched the malware, we made a connection to "armaturan.ru" on 94.199.48.152.

We also talked to "ss-partners.ru" on 77.120.114.100
and to "ledinit.ru" on 78.111.51.121

The connection to armaturan.ru did:

GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}

which seems to be uniquely registering our machine, and giving seller #4 credit for my infection?

From ss-partners.ru we fetched a file:

GET /dump/light.exe

which dropped an approximately 70k file onto our local machine.

Then we went back to armaturan.ru and sent another get:

GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}&ahash=5895b2509324d6a17b2b6ea09859a485

Any bets on whether that ahash is the MD5 of the file I just downloaded?

Looks like I just reported back to the C&C that I successfully downloaded and installed malware with that MD5.

At this point I checked my registry and found that I had a new Run command for next time I restart. I'm supposed to run:

C:\Documents and Settings\Administrator\Application Data\3B1F8DC4\3B1F8DC4.EXE

Odd, I don't recall having a file named that?

Actually, we confirmed that this is the file that was downloaded as "light.exe" above. The VirusTotal report shows only 4 of 43 infection reports for this file as well. See VirusTotal Report.

Unfortunately, it disproves my MD5 theory. This is NOT the "ahash" value. This file's MD5 is f58d5cbb564069eca8806d4e48d7a714.
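As an added example (not code from the post or from the UAB Spam Data Mine), the Python below turns the indicators described above into checks a mail gateway or a proxy-log review could run: the attachment-name pattern, the two armaturan.ru check-in URLs with their seller/hash/ahash parameters, and the MD5-versus-ahash question. The client IPs in the sample log lines and the stand-in payload bytes are constructed.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Attachment names from the campaign: "Intinvoice" or "Invoice", an underscore,
# a date written MM.D.YYYY, an underscore, an invoice number that may carry a
# single letter prefix, and ".zip".
ATTACHMENT_RE = re.compile(
    r"^(?P<prefix>Intinvoice|Invoice)_"
    r"(?P<date>\d{2}\.\d{1,2}\.\d{4})_"
    r"(?P<invoice>[A-Z]?\d+)\.zip$",
    re.IGNORECASE,
)

# The two check-in paths requested from armaturan.ru: ots.php registers the
# bot (a GUID in braces plus an affiliate "seller" id); getruns.php reports
# back after the second stage was fetched and adds an "ahash" value.
CHECKIN_PATHS = {"/forum/dl/ots.php": "register", "/forum/dl/getruns.php": "report"}
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)

# Constructed proxy log lines of the form "<client-ip> <request-line>"; the
# request lines are the ones quoted in the post, the client IPs are made up.
SAMPLE_LOG = [
    "10.0.0.7 GET /forum/dl/ots.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}",
    "10.0.0.7 GET /dump/light.exe",
    "10.0.0.7 GET /forum/dl/getruns.php?seller=4&hash={8FA33B0C-3F04-405B-83BD-1CD82D298FF2}"
    "&ahash=5895b2509324d6a17b2b6ea09859a485",
    "10.0.0.9 GET /index.html",
]


def match_attachment(filename):
    """Return the named parts of a campaign-style attachment name, or None."""
    m = ATTACHMENT_RE.match(filename)
    return m.groupdict() if m else None


def parse_checkin(request_line):
    """Parse 'GET <path>?<query>' into the check-in fields, or return None.

    Only the two paths quoted in the post count as check-ins, and the 'hash'
    parameter must look like a GUID in braces; anything else is ignored.
    """
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    kind = CHECKIN_PATHS.get(url.path)
    if kind is None:
        return None
    query = parse_qs(url.query)
    bot_hash = query.get("hash", [None])[0]
    if bot_hash is None or not GUID_RE.match(bot_hash):
        return None
    return {
        "kind": kind,
        "seller": query.get("seller", [None])[0],
        "hash": bot_hash,
        "ahash": query.get("ahash", [None])[0],
    }


def md5_hex(payload):
    """Hex MD5 of a byte string, the value VirusTotal reports are keyed on."""
    return hashlib.md5(payload).hexdigest()


def ahash_matches_md5(ahash, payload):
    """Test the post's guess that 'ahash' is the MD5 of the downloaded file."""
    return md5_hex(payload) == ahash.lower()


def scan_proxy_log(lines):
    """Return (client, kind, seller, hash) for each check-in found in the log."""
    hits = []
    for line in lines:
        client, _, request = line.partition(" ")
        info = parse_checkin(request)
        if info is not None:
            hits.append((client, info["kind"], info["seller"], info["hash"]))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("check-in:", hit)
    # A stand-in payload: the real light.exe is not reproduced here.
    print(ahash_matches_md5("5895b2509324d6a17b2b6ea09859a485", b"constructed stand-in"))
```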

Launching the second file caused the machine to open an SSL tunnel to 78.111.51.121 and then sit idle.

You may recognize that as the IP address for "ledinit.ru" earlier, but it didn't make a connection by name. It went straight for the IP address. If that IP sounds familiar, it's probably because there have been many other malware campaigns tied to the network "Azerbaijan Baku Sol Ltd", but I'm sure that's just because it's a very large network.

78.111.51.100 is currently hosting three live Zeus C&C servers. Surely a coincidence.

fileuplarc.com
hunterdriveez.com
asdfasdgqghgsw.cx.cc

I'll email the owner and get those taken down right away! (smirk)

-----------

person: Vugar Kouliyev
address: 44, J.Jabbarli str., Baku, Azerbaijan
mnt-by: MNT-SOL
e-mail: vugar@kouliyev.com
phone: +994124971234
nic-hdl: VK1161-RIPE
source: RIPE # Filtered

route: 78.111.48.0/20
descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

route: 78.111.51.0/24
descr: SOL ISP
origin: AS43637
mnt-by: MNT-SOL
source: RIPE # Filtered

----------------

Armaturan.ru on 94.199.48.152 also has a sordid history.

That IP address, in Hungary, has been associated with at least two active SpyEye domains: hdkajhslalskjd.ru and hhasdalkjjfasd.ru

I suppose we'll have to ask Mr. Zsolt nicely if he would remove those domains.

person: Zemancsik Zsolt
address: Victor Hugo u. 18-22.
address: 1132 Budapest
address: Hungary
phone: +36 203609059
e-mail: darwick@cyberground.hu
nic-hdl: DARW-RIPE
mnt-by: DARW-MNT
source: RIPE # Filtered

route: 94.199.48.0/21
descr: Originated from 23VNet Network
origin: AS30836
mnt-by: NET23-MNT
source: RIPE # Filtered

========
ss-partners.ru is on servers from Bellhost.ru, a customer of Volia DC

person: Volia DC Admin contact
address: Ukraine, Kiev, Kikvidze st. 1/2
phone: +38 044 2852716
abuse-mailbox: abuse@dc.volia.com
nic-hdl: VDCA-RIPE
mnt-by: VOLIA-DC-MNT
source: RIPE # Filtered

route: 77.120.96.0/19
descr: Volia more specific route
origin: AS25229
mnt-by: VOLIA-MNT
mnt-lower: VOLIA-MNT
source: RIPE # Filtered


Fake IRS emails continue to spread Gov-related Zeus

by UAB's Director of Research in Computer Forensics on August 5, 2011

in SBN

We've already seen nearly 500 copies of the new Government-related Zeus spam campaign so far this morning in the UAB Spam Data Mine. As has been typical in this campaign, which we first started tracking on July 13th, detection of each morning's new malware version has been fairly horrible. We last updated on this malware on July 29th in our story Government-related Zeus Spam Continues.

Today's version advertises the domain "tax-irs-report.com" and asks users to download the file 0000770950077US.pdf.exe from that site.

190 different computers have sent us the spam for this campaign so far today: 118 of them in the USA and 40 in India.

When we asked the UAB Spam Data Mine what other virus links we had been sent by this same group of 190 computers on other days, we got this list:

receiving_date | machine | path
----------------+------------------------------+-------------------------------
2011-07-13 | usbanking-security.com | /tax_report.pdf.exe
2011-07-15 | federalsecusrity.com | /pending-taxes.pdf.exe
2011-07-19 | irs-report-link.com | /tax-report.pdf.exe
2011-07-19 | irs-taxes-report.com | /tax-report.pdf.exe
2011-07-19 | taxreport-irs.com | /tax-report.pdf.exe
2011-07-20 | alerts-federalresrve.com | /rejected_wire.pdf.exe
2011-07-20 | nacha-alert.com | /rejected_transaction.pdf.exe
2011-07-20 | nacha-alert.org | /rejected_transfer.pdf.exe
2011-07-20 | reports-federalreserve.com | /rejected_wire.pdf.exe
2011-07-21 | national-security-agency.com | /blocked_list.exe
2011-07-21 | national-security-agency.com | /token_security_update.exe
2011-07-21 | nsa-security.net | /blocked-list.exe
2011-07-21 | nsa-security.net | /token_security_update.exe
2011-07-22 | irs-downloads.com | /00000700955160US.exe
2011-07-22 | irs-files.com | /00000700955170US.exe
2011-07-26 | irs-alert.com | /00000700955770US.exe
2011-07-27 | nacha-transactions.org | /304694305894903.pdf.exe
2011-07-27 | taxes-refund.com | /00000700975770US.exe
2011-07-27 | www.nacha-rejected.com | /304694305894903.pdf.exe
2011-07-28 | fdic-updates.com | /system_update_07_28.exe
2011-07-29 | federalreserve-alert.com | /transaction_report.pdf.exe
2011-07-29 | taxes-security.com | /00000700955060US.pdf.exe
2011-08-03 | irs-report.com | /00000770950077US.exe
2011-08-05 | tax-irs-report.com | /0000770950077US.pdf.exe
(24 rows)

So, at least some of today's spamming computers have been with this campaign since the beginning (July 13th).

When today's malware is executed, it sets a registry key under "HKEY_USERS\S-1-5(my user)-500\Software\Microsoft\Windows\CurrentVersion\Run" to relaunch itself from my current user account, where it had copied itself as "C:\Documents and Settings\Administrator\Application Data\Afena\iror.exe".

It makes connections to domains generated with a DGA (Domain Generation Algorithm). Today's live domain was:

olojkpcltulirqr.info on 50.57.71.39

From there it did a GET for /news/?s=158404.

It tried many other domains, but none of the others were live. Some of them include:

jruioljslsitjpfv.biz
wlnzkqmohuhzqyra.info
tjjhmtjlziebo.net
jpkpbxkoxwijzijr.info

As we have seen before, the malware ALSO fetches a copy of "heap_v206_mails.exe" after it successfully installs itself.

The spam started at 4:45 AM (Central time), peaked at 5:15, and then began to trickle off. (We group in 15 minute windows.)

count | 15 minute spam block
-------+---------------------
3 | 2011-08-05 04:45:00
3 | 2011-08-05 05:00:00
406 | 2011-08-05 05:15:00
86 | 2011-08-05 05:30:00
(4 rows)

This morning's malware is largely undetected:

A VirusTotal Report shows 6 of 43 AV products know that this is a virus.

I have to praise Microsoft for being the only one of the six to correctly call this Zeus (Zbot).

Email subjects we've seen on this morning's campaign:

count | subject
-------+-------------------------------------------------------------------
38 | Change Confirmation
4 | Does your company is registered outstanding tax debt
5 | Does your company is registered tax debt
1 | Does your enterprise including unpaid tax debts
1 | Does your enterprise listed outstanding tax debts
1 | Does your enterprise listed unpaid tax debts
30 | Federal Tax payment rejected
1 | For your company including unpaid tax debts
1 | For your company is registered outstanding tax debts
1 | For your company is registered tax debts
1 | For your company is registered unpaid tax debt
1 | For your company listed tax debts
2 | For your enterprise listed tax debt
70 | Internal Revenue Service
24 | Internal Revenue Service (IRS)
19 | Internal Revenue Service United States Department of the Treasury
32 | IRS.gov
31 | IRS.gov US
19 | Notice of Underreported Income
35 | Payment IRS.gov
50 | Support IRS.gov
40 | Treasury Inspector General for Tax Administration
42 | U.S. Department of the Treasury
1 | Your company including outstanding tax debts
1 | Your company including tax debts
1 | Your company listed outstanding tax debt
2 | Your company listed tax debts
1 | Your enterprise including outstanding tax debts
2 | Your enterprise is registered unpaid tax debts
1 | Your enterprise listed outstanding tax debt
1 | Your enterprise listed unpaid tax debt
39 | Your IRS payment rejected
(32 rows)


The From addresses are built by mixing and matching a sender name, a sender username, and a sender domain:

count | sender_name
-------+---------------------------------------------------------------------
19 | "Internal Revenue Service"
18 | "Internal Revenue Service (IRS)"
27 | "Internal Revenue Service (IRS.gov)"
29 | "Internal Revenue Service United States Department of the Treasury"
23 | "Internal Revenue Service US Department of the Treasury"
29 | "IRS.gov"
18 | "IRS.gov United States Department of the Treasury"
30 | "IRS.gov US"
22 | "IRS.gov US Department of the Treasury"
21 | "IRS United States Department of the Treasury"
41 | "Payment IRS.gov"
37 | "Support IRS.gov"
23 | "The Consumer Financial Protection"
37 | "Treasury Inspector General for Tax Administration"
30 | "United States Department of the Treasury"
19 | "U.S. Department of the Treasury"
23 | "US_IRS"
17 | "USIRS"
35 | "US IRS.gov"


count | sender_username
-------+--------------------------
12 | admin
8 | adminnistration
9 | alerts
16 | cunsumer
29 | delivery
15 | e-file
10 | finance
33 | frboard-webannouncements
36 | govdelivery
26 | info
17 | information
14 | inspector
8 | internal_revenue_service
30 | Internal_Revenue_Service
18 | irs
6 | news
14 | news-alerts
8 | no-reply
28 | privacy_policy
22 | protection
5 | public
5 | report
9 | service
17 | stats
22 | subscriber
12 | subscriptions
13 | support
13 | usirc
14 | USIRS
13 | usttb
16 | webannouncements
(31 rows)

count | sender_domain
-------+-------------------
93 | antifraud.irs.gov
73 | info.irs.gov
78 | irs.gov
91 | irs.security.gov
73 | irs.taxes.gov
90 | service.irs.gov
(6 rows)

Love Map Spam spreads Fake AV

by UAB's Director of Research in Computer Forensics on August 3, 2011

in SBN

The top malware spam of the morning is another Fake Antivirus product, but as you'll see in today's story, it's a very familiar Fake AV product.

About 1/2 of 1% of the spam we've seen this morning is a new campaign spreading a fake antivirus dropper. The malware has a fair detection rating, with 17 of 43 AV products detecting the malware according to VirusTotal in their report for MD5 = 635aceafb9ee4236e50e7d0f6c7a7895.

The email bodies use some random misspellings, but look something like this:

WELCOME S'EXOHOLIC!
Are YOU real Se'X-tourist?
Check ->>NEW PROJECT: WORLD MAP OF PUSSY
With Best Wishes ...
www. love-map .com

and then have an attachment, which is the malware.

(the website, love-map.com, doesn't actually exist...)

The attachment filename is "map_of_love###.zip" where ### is a random number of length between 4 and 8 characters.

Thanks to the UAB Spam Data Mine, it's fairly easy for us to link this new Fake AV spam campaign to previous ones. For example: we've seen 520 distinct sending IP addresses so far this morning, so let's ask "What was the most common email subject that those same sending IP addresses sent us yesterday?"

43 of the IP addresses sent us an email yesterday with the subject "Your credit card is blocked"

33 sent us "Your credit card has been blocked"

That's the same campaign we've been seeing since we wrote about it on July 23rd (See: MasterCard Spam Leads to Fake AV).

The other big fake AV campaign from yesterday was one pretending to be the US Postal Service. We saw 814 copies of that spam yesterday, and 154 of them came from computers that also sent us today's "Love Map" malware.
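The Spam Data Mine queries behind this post and the IRS post above (group today's campaign into 15-minute blocks, then ask what the same sending IPs sent us on other days, by subject or by advertised link), as an added example in Python over an in-memory SQLite table; this is not the data mine's own schema or code. The records are constructed: the subjects are taken from the posts, while the IPs and the example.test link are made up.

```python
import sqlite3

# Constructed records of the shape the Spam Data Mine queries run over: when a
# message arrived, the IP that delivered it, its subject and, for link spam,
# the host/path it advertised. None of these are real observations.
SAMPLE_MESSAGES = [
    ("2011-08-02 09:10:00", "203.0.113.5", "Your credit card is blocked", None),
    ("2011-08-02 09:12:00", "203.0.113.6", "Your credit card has been blocked", None),
    ("2011-08-02 09:20:00", "203.0.113.7", "From USPS 38864359", "example.test/rejected_wire.pdf.exe"),
    ("2011-08-02 09:25:00", "203.0.113.8", "Your credit card is blocked", None),
    ("2011-08-02 11:00:00", "198.51.100.9", "Unrelated newsletter", "example.test/other.exe"),
    ("2011-08-03 04:46:00", "203.0.113.5", "LOVE MAP OF GIRLS 2011", None),
    ("2011-08-03 04:47:00", "203.0.113.6", "JULY-2011: LOVE-MAP OF BABIES", None),
    ("2011-08-03 05:16:00", "203.0.113.7", "SEXY LOVE MAP 2011", None),
    ("2011-08-03 05:18:00", "203.0.113.8", "LOVE SPOTS IN WORLD 2011", None),
    ("2011-08-03 05:31:00", "203.0.113.5", "LOVEPLACES IN WORLD 2011", None),
]

# The 15-minute block a timestamp falls in, computed in SQL so the grouping
# happens where the data lives: minutes are truncated to a multiple of 15.
BLOCK_EXPR = (
    "strftime('%Y-%m-%d %H:', receiving_time) || "
    "printf('%02d', CAST(strftime('%M', receiving_time) AS INTEGER) / 15 * 15) || ':00'"
)

# Sending IPs that delivered a given campaign (picked by subject LIKE) on a day.
CAMPAIGN_IPS = (
    "SELECT sender_ip FROM spam WHERE date(receiving_time) = ? AND subject LIKE ?"
)


def load(messages):
    """Build an in-memory table in the shape of the data mine's spam records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE spam (receiving_time TEXT, sender_ip TEXT, subject TEXT, link TEXT)"
    )
    conn.executemany("INSERT INTO spam VALUES (?, ?, ?, ?)", messages)
    return conn


def spam_blocks(conn, day, subject_pattern):
    """(count, block) per 15-minute window for one day of a campaign."""
    sql = (
        f"SELECT COUNT(*), {BLOCK_EXPR} AS block FROM spam "
        "WHERE date(receiving_time) = ? AND subject LIKE ? "
        "GROUP BY block ORDER BY block"
    )
    return conn.execute(sql, (day, subject_pattern)).fetchall()


def related_subjects(conn, day, subject_pattern, other_day):
    """What else did today's campaign senders send us on another day?

    Returns (distinct sending IPs, subject), most common subject first.
    """
    sql = (
        "SELECT COUNT(DISTINCT sender_ip), subject FROM spam "
        f"WHERE date(receiving_time) = ? AND sender_ip IN ({CAMPAIGN_IPS}) "
        "GROUP BY subject ORDER BY 1 DESC, subject"
    )
    return conn.execute(sql, (other_day, day, subject_pattern)).fetchall()


def campaign_links(conn, day, subject_pattern):
    """Every (date, link) the campaign's senders have pushed to us on any day."""
    sql = (
        "SELECT DISTINCT date(receiving_time), link FROM spam "
        f"WHERE link IS NOT NULL AND sender_ip IN ({CAMPAIGN_IPS}) "
        "ORDER BY 1, 2"
    )
    return conn.execute(sql, (day, subject_pattern)).fetchall()


if __name__ == "__main__":
    db = load(SAMPLE_MESSAGES)
    print(spam_blocks(db, "2011-08-03", "%LOVE%"))
    print(related_subjects(db, "2011-08-03", "%LOVE%", "2011-08-02"))
    print(campaign_links(db, "2011-08-03", "%LOVE%"))
```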

The USPS subjects were like:

DELIVERY CONFIRMATION FROM USPS 0785164
From USPS 0735590
USPS Attention 03867076
USPS: DELIVER CONFIRMATION - FAILED 1399475
USPS Delivery Confirmation 1784864
USPS id. 167163
Your USPS id. 12286791

Each subject uses random upper- and lowercasing and a random number.

Here's a VirusTotal report on yesterday's USPS Fake AV, which had MD5 = a9a01f061d336774276fabb1827b91cc

How closely related are the "MasterCard" fake AV and the USPS fake AV? Well, they are actually IDENTICAL. It's the same malware. Here's a report extract from yesterday showing the email subject and the MD5 of the attached malware:

Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card is blocked | a9a01f061d336774276fabb1827b91cc
Your credit card has been blocked | a9a01f061d336774276fabb1827b91cc
From USPS 38864359 | a9a01f061d336774276fabb1827b91cc
USPS DELIVERY CONFIRMATION 954859 | a9a01f061d336774276fabb1827b91cc
From USPS 8815572 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 6498394 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 73687208 | a9a01f061d336774276fabb1827b91cc
USPS DELIVERY CONFIRMATION 56547166 | a9a01f061d336774276fabb1827b91cc
USPS ATTENTION 578975 | a9a01f061d336774276fabb1827b91cc
USPS: DELIVER CONFIRMATION - FAILED 9211453 | a9a01f061d336774276fabb1827b91cc
From USPS 5174072 | a9a01f061d336774276fabb1827b91cc
USPS Attention 1201554 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 92444941 | a9a01f061d336774276fabb1827b91cc
DELIVERY CONFIRMATION FROM USPS 575555 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 82259351 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 139017 | a9a01f061d336774276fabb1827b91cc
Your USPS id. 381458 | a9a01f061d336774276fabb1827b91cc
From USPS 3877947 | a9a01f061d336774276fabb1827b91cc
USPS id. 45254864 | a9a01f061d336774276fabb1827b91cc

OK, back to today . . .

Here are the "Love Map" spam subject lines we've seen so far:


BABECITIES IN WORLD 2011
BABEPLACES IN WORLD 2011
BABIESPLACES IN WORLD 2011
BABIESSPOTS IN WORLD 2011
BABYCITIES IN WORLD 2011
BABYSPOTS IN WORLD 2011
GIRLSCITIES IN WORLD 2011
GIRLSPLACES IN WORLD 2011
GIRLSSPOTS IN WORLD 2011
HOT BABE CITIES 2011
HOT BABE PLACES 2011
HOT BABE SPOTS 2011
HOT BABIES CITIES 2011
HOT BABIES SPOTS 2011
HOT BABY CITIES 2011
HOT BABY PLACES 2011
HOT BABY SPOTS 2011
HOT CITIES OF BABE 2011
HOTCITIES OF BABIES 2011
HOT CITIES OF BABY 2011
HOTCITIES OF BABY 2011
HOT CITIES OF GIRLS 2011
HOTCITIES OF GIRLS 2011
HOTCITIES OF PUSSY 2011
HOT GIRLS PLACES 2011
HOT GIRLS SPOTS 2011
HOT PLACES OF BABE 2011
HOT PLACES OF BABIES 2011
HOTPLACES OF BABIES 2011
HOT PLACES OF BABY 2011
HOTPLACES OF BABY 2011
HOT PLACES OF GIRLS 2011
HOTPLACES OF GIRLS 2011
HOT PLACES OF GIRLS IN WORLD
HOTPLACES OF GIRLS IN WORLD
HOT PLACES OF PUSSIES 2011
HOTPLACES OF PUSSIES 2011
HOT PLACES OF PUSSY 2011
HOTPLACES OF PUSSY 2011
HOT PUSSIES CITIES 2011
HOT PUSSIES SPOTS 2011
HOT PUSSY CITIES 2011
HOT PUSSY PLACES 2011
HOT PUSSY SPOTS 2011
HOT SPOTS OF BABE 2011
HOT SPOTS OF BABIES 2011
HOTSPOTS OF BABIES 2011
HOT SPOTS OF GIRLS 2011
HOTSPOTS OF GIRLS 2011
HOT SPOTS OF GIRLS IN WORLD
HOT SPOTS OF PUSSIES 2011
HOTSPOTS OF PUSSIES 2011
HOT SPOTS OF PUSSY 2011
HOTSPOTS OF PUSSY 2011
JULY-2011: BABECITIES IN WORLD
JULY-2011: BABEPLACES IN WORLD
JULY-2011: BABIESCITIES IN WORLD
JULY-2011: BABIESPLACES IN WORLD
JULY-2011: BABYCITIES IN WORLD
JULY-2011: BABYPLACES IN WORLD
JULY-2011: GIRLSPLACES IN WORLD
JULY-2011: GIRLSSPOTS IN WORLD
JULY-2011: HOT BABE CITIES
JULY-2011: HOT BABE PLACES
JULY-2011: HOT BABE SPOTS
JULY-2011: HOT BABIES CITIES
JULY-2011: HOT BABY CITIES
JULY-2011: HOT BABY PLACES
JULY-2011: HOT BABY SPOTS
JULY-2011: HOT CITIES OF BABE
JULY-2011: HOTCITIES OF BABE
JULY-2011: HOTCITIES OF BABIES
JULY-2011: HOT CITIES OF BABY
JULY-2011: HOTCITIES OF BABY
JULY-2011: HOT CITIES OF GIRLS
JULY-2011: HOTCITIES OF GIRLS
JULY-2011: HOT CITIES OF PUSSIES
JULY-2011: HOTCITIES OF PUSSIES
JULY-2011: HOT CITIES OF PUSSY
JULY-2011: HOTCITIES OF PUSSY
JULY-2011: HOT GIRLS PLACES
JULY-2011: HOT GIRLS SPOTS
JULY-2011: HOT PLACES OF BABE
JULY-2011: HOTPLACES OF BABE
JULY-2011: HOT PLACES OF BABIES
JULY-2011: HOTPLACES OF BABIES
JULY-2011: HOT PLACES OF BABY
JULY-2011: HOTPLACES OF BABY
JULY-2011: HOT PLACES OF GIRLS
JULY-2011: HOTPLACES OF GIRLS
JULY-2011: HOTPLACES OF PUSSIES
JULY-2011: HOT PLACES OF PUSSY
JULY-2011: HOTPLACES OF PUSSY
JULY-2011: HOT PUSSIES CITIES
JULY-2011: HOT PUSSIES PLACES
JULY-2011: HOT PUSSIES SPOTS
JULY-2011: HOT PUSSY CITIES
JULY-2011: HOT PUSSY PLACES
JULY-2011: HOT PUSSY SPOTS
JULY-2011: HOTSPOTS OF BABE
JULY-2011: HOT SPOTS OF BABIES
JULY-2011: HOTSPOTS OF BABIES
JULY-2011: HOT SPOTS OF BABY
JULY-2011: HOTSPOTS OF BABY
JULY-2011: HOT SPOTS OF GIRLS
JULY-2011: HOTSPOTS OF GIRLS
JULY-2011: HOT SPOTS OF PUSSIES
JULY-2011: HOTSPOTS OF PUSSIES
JULY-2011: HOT SPOTS OF PUSSY
JULY-2011: LOVE BABE CITIES
JULY-2011: LOVE BABE PLACES
JULY-2011: LOVE BABIES SPOTS
JULY-2011: LOVE BABY CITIES
JULY-2011: LOVE BABY PLACES
JULY-2011: LOVE BABY SPOTS
JULY-2011: LOVE CITIES IN WORLD
JULY-2011: LOVE CITIES OF BABE
JULY-2011: LOVECITIES OF BABE
JULY-2011: LOVECITIES OF BABIES
JULY-2011: LOVE CITIES OF BABY
JULY-2011: LOVECITIES OF BABY
JULY-2011: LOVECITIES OF GIRLS
JULY-2011: LOVE CITIES OF PUSSIES
JULY-2011: LOVECITIES OF PUSSIES
JULY-2011: LOVE CITIES OF PUSSY
JULY-2011: LOVECITIES OF PUSSY
JULY-2011: LOVE GIRLS CITIES
JULY-2011: LOVE GIRLS PLACES
JULY-2011: LOVE GIRLS SPOTS
JULY-2011: LOVE MAP OF BABE
JULY-2011: LOVE MAP OF BABIES
JULY-2011: LOVE-MAP OF BABIES
JULY-2011: LOVE-MAP OF BABY
JULY-2011: LOVE MAP OF GIRLS
JULY-2011: LOVE-MAP OF GIRLS
JULY-2011: LOVE MAP OF PUSSIES
JULY-2011: LOVE-MAP OF PUSSIES
JULY-2011: LOVE MAP OF PUSSY
JULY-2011: LOVE-MAP OF PUSSY
JULY-2011: LOVEPLACES IN WORLD
JULY-2011: LOVE PLACES OF BABE
JULY-2011: LOVEPLACES OF BABE
JULY-2011: LOVE PLACES OF BABIES
JULY-2011: LOVEPLACES OF BABIES
JULY-2011: LOVE PLACES OF BABY
JULY-2011: LOVEPLACES OF BABY
JULY-2011: LOVE PLACES OF GIRLS
JULY-2011: LOVEPLACES OF GIRLS
JULY-2011: LOVE PLACES OF PUSSIES
JULY-2011: LOVEPLACES OF PUSSIES
JULY-2011: LOVE PLACES OF PUSSY
JULY-2011: LOVE PUSSIES PLACES
JULY-2011: LOVE PUSSIES SPOTS
JULY-2011: LOVE PUSSY CITIES
JULY-2011: LOVE PUSSY PLACES
JULY-2011: LOVE SPOTS IN WORLD
JULY-2011: LOVESPOTS IN WORLD
JULY-2011: LOVE SPOTS OF BABE
JULY-2011: LOVESPOTS OF BABE
JULY-2011: LOVE SPOTS OF BABIES
JULY-2011: LOVE SPOTS OF BABY
JULY-2011: LOVE SPOTS OF GIRLS
JULY-2011: LOVESPOTS OF GIRLS
JULY-2011: LOVE SPOTS OF PUSSIES
JULY-2011: LOVESPOTS OF PUSSIES
JULY-2011: LOVE SPOTS OF PUSSY
JULY-2011: LOVESPOTS OF PUSSY
JULY-2011: PUSSYCITIES IN WORLD
JULY-2011: PUSSYPLACES IN WORLD
JULY-2011: SEXYCITIES IN WORLD
JULY-2011: SEXY LOVE MAP
JULY-2011: SEXY LOVE-MAP
JULY-2011: SEXY PLACES IN WORLD
JULY-2011: SEXYPLACES IN WORLD
JULY-2011: SEXYSPOTS IN WORLD
JULY-2011: SEXY WORLD MAP
JULY-2011: WORLD MAP OF BABE
JULY-2011: WORLD-MAP OF BABE
JULY-2011: WORLD MAP OF BABIES
JULY-2011: WORLD-MAP OF BABIES
JULY-2011: WORLD MAP OF BABY
JULY-2011: WORLD-MAP OF BABY
JULY-2011: WORLD MAP OF GIRLS
JULY-2011: WORLD-MAP OF GIRLS
JULY-2011: WORLD-MAP OF PUSSIES
JULY-2011: WORLD MAP OF PUSSY
JULY-2011: WORLD-MAP OF PUSSY
KNOW-HOW: BABECITIES IN WORLD
KNOW-HOW: BABEPLACES IN WORLD
KNOW-HOW: BABESPOTS IN WORLD
KNOW-HOW: BABIESCITIES IN WORLD
KNOW-HOW: BABIESSPOTS IN WORLD
KNOW-HOW: BABYCITIES IN WORLD
KNOW-HOW: BABYPLACES IN WORLD
KNOW-HOW: BABYSPOTS IN WORLD
KNOW-HOW: GIRLSPLACES IN WORLD
KNOW-HOW: HOT BABE PLACES
KNOW-HOW: HOT BABE SPOTS
KNOW-HOW: HOT BABIES CITIES
KNOW-HOW: HOT BABIES PLACES
KNOW-HOW: HOT BABIES SPOTS
KNOW-HOW: HOT BABY CITIES
KNOW-HOW: HOT BABY PLACES
KNOW-HOW: HOT BABY SPOTS
KNOW-HOW: HOT CITIES OF BABE
KNOW-HOW: HOTCITIES OF BABE
KNOW-HOW: HOT CITIES OF BABIES
KNOW-HOW: HOTCITIES OF BABIES
KNOW-HOW: HOT CITIES OF BABY
KNOW-HOW: HOTCITIES OF BABY
KNOW-HOW: HOT CITIES OF PUSSIES
KNOW-HOW: HOTCITIES OF PUSSY
KNOW-HOW: HOT GIRLS CITIES
KNOW-HOW: HOT GIRLS SPOTS
KNOW-HOW: HOT PLACES OF BABE
KNOW-HOW: HOTPLACES OF BABE
KNOW-HOW: HOT PLACES OF BABIES
KNOW-HOW: HOTPLACES OF BABIES
KNOW-HOW: HOTPLACES OF BABY
KNOW-HOW: HOT PLACES OF GIRLS
KNOW-HOW: HOTPLACES OF GIRLS
KNOW-HOW: HOT PLACES OF PUSSIES
KNOW-HOW: HOT PLACES OF PUSSY
KNOW-HOW: HOTPLACES OF PUSSY
KNOW-HOW: HOT PUSSIES CITIES
KNOW-HOW: HOT PUSSIES PLACES
KNOW-HOW: HOT PUSSY PLACES
KNOW-HOW: HOT SPOTS OF BABE
KNOW-HOW: HOTSPOTS OF BABE
KNOW-HOW: HOT SPOTS OF BABY
KNOW-HOW: HOTSPOTS OF BABY
KNOW-HOW: HOTSPOTS OF GIRLS
KNOW-HOW: HOTSPOTS OF PUSSY
KNOW-HOW: LOVE BABE CITIES
KNOW-HOW: LOVE BABE SPOTS
KNOW-HOW: LOVE BABIES CITIES
KNOW-HOW: LOVE BABIES PLACES
KNOW-HOW: LOVE BABY CITIES
KNOW-HOW: LOVE CITIES IN WORLD
KNOW-HOW: LOVECITIES IN WORLD
KNOW-HOW: LOVECITIES OF BABE
KNOW-HOW: LOVECITIES OF BABIES
KNOW-HOW: LOVE CITIES OF BABY
KNOW-HOW: LOVECITIES OF BABY
KNOW-HOW: LOVE CITIES OF GIRLS
KNOW-HOW: LOVECITIES OF PUSSIES
KNOW-HOW: LOVE CITIES OF PUSSY
KNOW-HOW: LOVECITIES OF PUSSY
KNOW-HOW: LOVE GIRLS CITIES
KNOW-HOW: LOVE GIRLS SPOTS
KNOW-HOW: LOVE MAP OF BABE
KNOW-HOW: LOVE MAP OF BABIES
KNOW-HOW: LOVE MAP OF BABY
KNOW-HOW: LOVE-MAP OF BABY
KNOW-HOW: LOVE MAP OF GIRLS
KNOW-HOW: LOVE-MAP OF GIRLS
KNOW-HOW: LOVE MAP OF PUSSIES
KNOW-HOW: LOVE-MAP OF PUSSIES
KNOW-HOW: LOVE MAP OF PUSSY
KNOW-HOW: LOVE-MAP OF PUSSY
KNOW-HOW: LOVE PLACES IN WORLD
KNOW-HOW: LOVEPLACES IN WORLD
KNOW-HOW: LOVE PLACES OF BABE
KNOW-HOW: LOVEPLACES OF BABE
KNOW-HOW: LOVEPLACES OF BABIES
KNOW-HOW: LOVE PLACES OF BABY
KNOW-HOW: LOVEPLACES OF BABY
KNOW-HOW: LOVE PLACES OF GIRLS
KNOW-HOW: LOVEPLACES OF GIRLS
KNOW-HOW: LOVE PLACES OF PUSSIES
KNOW-HOW: LOVEPLACES OF PUSSIES
KNOW-HOW: LOVE PLACES OF PUSSY
KNOW-HOW: LOVEPLACES OF PUSSY
KNOW-HOW: LOVE PUSSIES CITIES
KNOW-HOW: LOVE PUSSIES PLACES
KNOW-HOW: LOVE PUSSIES SPOTS
KNOW-HOW: LOVE PUSSY CITIES
KNOW-HOW: LOVE PUSSY PLACES
KNOW-HOW: LOVE PUSSY SPOTS
KNOW-HOW: LOVE SPOTS IN WORLD
KNOW-HOW: LOVE SPOTS OF BABE
KNOW-HOW: LOVESPOTS OF BABE
KNOW-HOW: LOVESPOTS OF BABIES
KNOW-HOW: LOVESPOTS OF BABY
KNOW-HOW: LOVE SPOTS OF GIRLS
KNOW-HOW: LOVESPOTS OF GIRLS
KNOW-HOW: LOVE SPOTS OF PUSSIES
KNOW-HOW: LOVESPOTS OF PUSSIES
KNOW-HOW: LOVESPOTS OF PUSSY
KNOW-HOW: PUSSYPLACES IN WORLD
KNOW-HOW: PUSSYSPOTS IN WORLD
KNOW-HOW: SEXY CITIES IN WORLD
KNOW-HOW: SEXYCITIES IN WORLD
KNOW-HOW: SEXY LOVE MAP
KNOW-HOW: SEXY LOVE-MAP
KNOW-HOW: SEXY PLACES IN WORLD
KNOW-HOW: SEXYPLACES IN WORLD
KNOW-HOW: SEXY SPOTS IN WORLD
KNOW-HOW: SEXYSPOTS IN WORLD
KNOW-HOW: SEXY WORLD MAP
KNOW-HOW: SEXY WORLD-MAP
KNOW-HOW: WORLD MAP OF BABE
KNOW-HOW: WORLD-MAP OF BABE
KNOW-HOW: WORLD MAP OF BABIES
KNOW-HOW: WORLD-MAP OF BABIES
KNOW-HOW: WORLD MAP OF BABY
KNOW-HOW: WORLD-MAP OF BABY
KNOW-HOW: WORLD MAP OF GIRLS
KNOW-HOW: WORLD-MAP OF GIRLS
KNOW-HOW: WORLD-MAP OF PUSSIES
KNOW-HOW: WORLD MAP OF PUSSY
LOVE BABE CITIES 2011
LOVE BABE PLACES 2011
LOVE BABE SPOTS 2011
LOVE BABIES CITIES 2011
LOVE BABIES PLACES 2011
LOVE BABIES SPOTS 2011
LOVE BABY CITIES 2011
LOVE BABY PLACES 2011
LOVE BABY SPOTS 2011
LOVE CITIES IN WORLD 2011
LOVE CITIES OF BABE 2011
LOVECITIES OF BABE 2011
LOVE CITIES OF BABIES 2011
LOVECITIES OF BABIES 2011
LOVE CITIES OF BABY 2011
LOVECITIES OF BABY 2011
LOVE CITIES OF GIRLS 2011
LOVECITIES OF GIRLS 2011
LOVE CITIES OF PUSSIES 2011
LOVECITIES OF PUSSIES 2011
LOVE CITIES OF PUSSY 2011
LOVECITIES OF PUSSY 2011
LOVE GIRLS CITIES 2011
LOVE GIRLS PLACES 2011
LOVE GIRLS SPOTS 2011
LOVE MAP OF BABE 2011
LOVE-MAP OF BABE 2011
LOVE MAP OF BABIES 2011
LOVE-MAP OF BABIES 2011
LOVE MAP OF BABY 2011
LOVE-MAP OF BABY 2011
LOVE-MAP OF GIRLS 2011
LOVE MAP OF PUSSIES 2011
LOVE-MAP OF PUSSY 2011
LOVE PLACES IN WORLD 2011
LOVEPLACES IN WORLD 2011
LOVE PLACES OF BABE 2011
LOVEPLACES OF BABE 2011
LOVE PLACES OF BABIES 2011
LOVEPLACES OF BABIES 2011
LOVEPLACES OF BABY 2011
LOVE PLACES OF GIRLS 2011
LOVEPLACES OF GIRLS 2011
LOVE PLACES OF GIRLS IN WORLD
LOVEPLACES OF GIRLS IN WORLD
LOVE PLACES OF PUSSIES 2011
LOVEPLACES OF PUSSIES 2011
LOVE PLACES OF PUSSY 2011
LOVEPLACES OF PUSSY 2011
LOVE PUSSIES PLACES 2011
LOVE PUSSIES SPOTS 2011
LOVE PUSSY CITIES 2011
LOVE PUSSY PLACES 2011
LOVE PUSSY SPOTS 2011
LOVE SPOTS IN WORLD 2011
LOVESPOTS IN WORLD 2011
LOVESPOTS OF BABE 2011
LOVE SPOTS OF BABIES 2011
LOVESPOTS OF BABIES 2011
LOVE SPOTS OF BABY 2011
LOVESPOTS OF BABY 2011
LOVE SPOTS OF GIRLS 2011
LOVESPOTS OF GIRLS 2011
LOVE SPOTS OF GIRLS IN WORLD
LOVE SPOTS OF PUSSIES 2011
LOVESPOTS OF PUSSIES 2011
LOVE SPOTS OF PUSSY 2011
LOVESPOTS OF PUSSY 2011
PUSSIESCITIES IN WORLD 2011
PUSSIESPLACES IN WORLD
PUSSIESSPOTS IN WORLD 2011
PUSSYCITIES IN WORLD 2011
PUSSYPLACES IN WORLD 2011
PUSSYSPOTS IN WORLD 2011
SEXY CITIES IN WORLD 2011
SEXY LOVE MAP 2011
SEXY LOVE-MAP 2011
SEXY PLACES IN WORLD 2011
SEXYPLACES IN WORLD 2011
SEXY SPOTS IN WORLD
SEXYSPOTS IN WORLD
SEXY WORLD MAP 2011
SUMMER-2011: BABECITIES IN WORLD
SUMMER-2011: BABEPLACES IN WORLD
SUMMER-2011: BABIESCITIES IN WORLD
SUMMER-2011: BABIESPLACES IN WORLD
SUMMER-2011: BABYCITIES IN WORLD
SUMMER-2011: BABYPLACES IN WORLD
SUMMER-2011: GIRLSCITIES IN WORLD
SUMMER-2011: GIRLSPLACES IN WORLD
SUMMER-2011: GIRLSSPOTS IN WORLD
SUMMER-2011: HOT BABE SPOTS
SUMMER-2011: HOT BABIES CITIES
SUMMER-2011: HOT BABIES PLACES
SUMMER-2011: HOT BABY PLACES
SUMMER-2011: HOT CITIES OF BABE
SUMMER-2011: HOTCITIES OF BABE
SUMMER-2011: HOT CITIES OF BABIES
SUMMER-2011: HOT CITIES OF BABY
SUMMER-2011: HOTCITIES OF BABY
SUMMER-2011: HOT CITIES OF GIRLS
SUMMER-2011: HOT CITIES OF PUSSIES
SUMMER-2011: HOT CITIES OF PUSSY
SUMMER-2011: HOTCITIES OF PUSSY
SUMMER-2011: HOT GIRLS CITIES
SUMMER-2011: HOTPLACES OF BABE
SUMMER-2011: HOT PLACES OF BABIES
SUMMER-2011: HOTPLACES OF BABIES
SUMMER-2011: HOT PLACES OF BABY
SUMMER-2011: HOTPLACES OF BABY
SUMMER-2011: HOT PLACES OF GIRLS
SUMMER-2011: HOTPLACES OF GIRLS
SUMMER-2011: HOT PLACES OF PUSSIES
SUMMER-2011: HOTPLACES OF PUSSIES
SUMMER-2011: HOT PLACES OF PUSSY
SUMMER-2011: HOTPLACES OF PUSSY
SUMMER-2011: HOT PUSSIES CITIES
SUMMER-2011: HOT PUSSIES PLACES
SUMMER-2011: HOT PUSSY CITIES
SUMMER-2011: HOT PUSSY SPOTS
SUMMER-2011: HOT SPOTS OF BABE
SUMMER-2011: HOTSPOTS OF BABE
SUMMER-2011: HOT SPOTS OF BABIES
SUMMER-2011: HOTSPOTS OF BABIES
SUMMER-2011: HOT SPOTS OF BABY
SUMMER-2011: HOTSPOTS OF BABY
SUMMER-2011: HOT SPOTS OF GIRLS
SUMMER-2011: HOTSPOTS OF GIRLS
SUMMER-2011: HOT SPOTS OF PUSSIES
SUMMER-2011: HOTSPOTS OF PUSSIES
SUMMER-2011: HOT SPOTS OF PUSSY
SUMMER-2011: HOTSPOTS OF PUSSY
SUMMER-2011: LOVE BABE CITIES
SUMMER-2011: LOVE BABE PLACES
SUMMER-2011: LOVE BABE SPOTS
SUMMER-2011: LOVE BABIES CITIES
SUMMER-2011: LOVE BABIES SPOTS
SUMMER-2011: LOVE BABY CITIES
SUMMER-2011: LOVE BABY PLACES
SUMMER-2011: LOVE CITIES IN WORLD
SUMMER-2011: LOVE CITIES OF BABE
SUMMER-2011: LOVECITIES OF BABE
SUMMER-2011: LOVECITIES OF BABIES
SUMMER-2011: LOVE CITIES OF BABY
SUMMER-2011: LOVECITIES OF BABY
SUMMER-2011: LOVE CITIES OF PUSSIES
SUMMER-2011: LOVECITIES OF PUSSIES
SUMMER-2011: LOVE CITIES OF PUSSY
SUMMER-2011: LOVECITIES OF PUSSY
SUMMER-2011: LOVE GIRLS CITIES
SUMMER-2011: LOVE GIRLS PLACES
SUMMER-2011: LOVE GIRLS SPOTS
SUMMER-2011: LOVE MAP OF BABE
SUMMER-2011: LOVE-MAP OF BABE
SUMMER-2011: LOVE MAP OF BABIES
SUMMER-2011: LOVE-MAP OF BABIES
SUMMER-2011: LOVE MAP OF BABY
SUMMER-2011: LOVE-MAP OF BABY
SUMMER-2011: LOVE-MAP OF GIRLS
SUMMER-2011: LOVE MAP OF PUSSIES
SUMMER-2011: LOVE-MAP OF PUSSIES
SUMMER-2011: LOVE MAP OF PUSSY
SUMMER-2011: LOVE-MAP OF PUSSY
SUMMER-2011: LOVE PLACES OF BABE
SUMMER-2011: LOVEPLACES OF BABE
SUMMER-2011: LOVE PLACES OF BABIES
SUMMER-2011: LOVEPLACES OF BABIES
SUMMER-2011: LOVE PLACES OF BABY
SUMMER-2011: LOVEPLACES OF BABY
SUMMER-2011: LOVE PLACES OF GIRLS
SUMMER-2011: LOVEPLACES OF GIRLS
SUMMER-2011: LOVE PLACES OF PUSSIES
SUMMER-2011: LOVEPLACES OF PUSSIES
SUMMER-2011: LOVEPLACES OF PUSSY
SUMMER-2011: LOVE PUSSIES CITIES
SUMMER-2011: LOVE PUSSIES PLACES
SUMMER-2011: LOVE PUSSIES SPOTS
SUMMER-2011: LOVE PUSSY CITIES
SUMMER-2011: LOVE PUSSY SPOTS
SUMMER-2011: LOVE SPOTS IN WORLD
SUMMER-2011: LOVESPOTS IN WORLD
SUMMER-2011: LOVE SPOTS OF BABE
SUMMER-2011: LOVESPOTS OF BABE
SUMMER-2011: LOVE SPOTS OF BABIES
SUMMER-2011: LOVESPOTS OF BABIES
SUMMER-2011: LOVE SPOTS OF BABY
SUMMER-2011: LOVESPOTS OF BABY
SUMMER-2011: LOVE SPOTS OF GIRLS
SUMMER-2011: LOVE SPOTS OF PUSSIES
SUMMER-2011: LOVESPOTS OF PUSSIES
SUMMER-2011: LOVE SPOTS OF PUSSY
SUMMER-2011: LOVESPOTS OF PUSSY
SUMMER-2011: PUSSYCITIES IN WORLD
SUMMER-2011: PUSSYPLACES IN WORLD
SUMMER-2011: SEXYCITIES IN WORLD
SUMMER-2011: SEXY LOVE MAP
SUMMER-2011: SEXY LOVE-MAP
SUMMER-2011: SEXY PLACES IN WORLD
SUMMER-2011: SEXYPLACES IN WORLD
SUMMER-2011: SEXY SPOTS IN WORLD
SUMMER-2011: SEXYSPOTS IN WORLD
SUMMER-2011: SEXY WORLD MAP
SUMMER-2011: SEXY WORLD-MAP
SUMMER-2011: WORLD MAP OF BABE
SUMMER-2011: WORLD-MAP OF BABE
SUMMER-2011: WORLD MAP OF BABIES
SUMMER-2011: WORLD MAP OF BABY
SUMMER-2011: WORLD-MAP OF BABY
SUMMER-2011: WORLD MAP OF GIRLS
SUMMER-2011: WORLD-MAP OF GIRLS
SUMMER-2011: WORLD MAP OF PUSSIES
SUMMER-2011: WORLD-MAP OF PUSSIES
SUMMER-2011: WORLD-MAP OF PUSSY
WORLD MAP OF BABE 2011
WORLD MAP OF BABIES 2011
WORLD-MAP OF BABIES 2011
WORLD-MAP OF BABY 2011
WORLD MAP OF GIRLS 2011
WORLD-MAP OF GIRLS 2011
WORLD MAP OF PUSSY 2011
WORLD-MAP OF PUSSY 2011
(532 rows)

"Wrong Transaction" Hotel spam malware continues to evolve

by UAB's Director of Research in Computer Forensics on July 31, 2011

in SBN

One of the distinct advantages of having the UAB Spam Data Mine is that we are able to provide near-real-time intelligence about the evolution of malware campaigns being delivered by spam. On July 27, 2011 we provided a warning about Wrong Transaction Hotel Spam that was covered by Robert McMillan in PC World and ComputerWorld, and was also mentioned by Matt Liebowitz for MSNBC.

Unfortunately, from an anti-virus perspective, consumers are no safer than they were when we first put out the warning four days ago.

We're still seeing more than 1,000 copies of this malware each day (with the exception of the 29th):

 count | receiving_date
-------+----------------
1516 | 2011-07-27
1828 | 2011-07-28
813 | 2011-07-29
1470 | 2011-07-30
1258 | 2011-07-31
(5 rows)


but the malware is constantly evolving.

 count |           malware md5            | time range
-------+----------------------------------+---------------------------------------------
   593 | c15eb3c47800fec025b6a86a6409f144 | 2011-07-27 03:00 AM to 2011-07-27 08:30 AM
  1001 | 01e3bbd4b6f8c22a3516771f9b6792bc | 2011-07-27 12:45 PM to 2011-07-28 04:45 AM
   318 | 57d931256fd6d7184528ae983e34677b | 2011-07-27 08:00 AM to 2011-07-27 13:30 PM
   865 | 6e2eae488317280dd813e3e2fc9e0275 | 2011-07-28 04:15 AM to 2011-07-28 13:00 PM
   554 | ad760ac5806a84a272e1eb76b315ac31 | 2011-07-28 12:30 PM to 2011-07-28 20:15 PM
  1116 | 4140ee10115174fe36a738d4d943f2af | 2011-07-29 13:45 PM to 2011-07-30 04:00 AM
   614 | e2d3d4ccf02ea924e6d11cb452235f4c | 2011-07-30 03:30 AM to 2011-07-30 16:15 PM
   931 | 5bbe80ad216c89bcbb6891178dc4b5fa | 2011-07-30 14:45 PM to 2011-07-31 07:30 AM
   409 | ca84d1a0c49eff5ca829b5fa531800e8 | 2011-07-31 07:30 AM to 2011-07-31 13:15 PM
   484 | aa412182a164321a159f9b2e95be53bc | 2011-07-31 13:15 PM to 2011-07-31 CURRENT TIME


Each of the links in the table above will take you to the VirusTotal report showing how many of 43 different anti-virus products detected this particular malware at the time it was submitted to VirusTotal.

I'll let you explore the links for yourself, but may I call attention to the fact the last one is detected by FOUR of forty-three AV products, and the one immediately prior to that by ONE of forty-three.

Just to make sure there was not a problem, I decided to look at those last two and confirm that they actually were malware.

We started with the sample whose MD5 begins with "aa412". It unpacks successfully to an .exe named "Refund_Form" that uses a Microsoft Office Excel icon to try to trick people into thinking it's a spreadsheet.

When we launched it, it made connections to:

runescapegpge2011.ru - 84.247.61.25
www.radio-80.com - 210.172.192.38
heftyhips.com - 66.197.251.53

That last would be exactly the same domain that the first sample we looked at on the 27th connected to. It fetched "soft.exe" from www.radio-80.com.

I'm going to go out on a limb and say this is malware. "soft.exe" was renamed "defender.exe", placed in our "C:\Documents and Settings\All Users\Application Data\" directory, and scheduled to launch when the machine reboots.

Defender.exe was declared to be malware by 6 of 43 anti-virus packages at VirusTotal. Here's the report. It's Fake anti-virus.

Next, just to be thorough, we also checked out the version that started with "ca84d1". Just like the first, it unpacked to a "Refund_Form.exe" file, although this one had a different MD5. When we launched Refund_Form it made network connections to:

runescapegpge2011.ru - 84.247.61.25
ewingparkbmx2011.ru - failed to resolve

It looks like this version is not functioning due to a dead domain, which may be the reason the "aa412" version was released.

That "84.247.61.25" box is in Romania and is currently using a domain name with "RuneScape" in it. The same IP has recently been called bedownloader2011.ru, diamondexchange2011.ru, watchfamilyguynow2011.ru and is also currently resolving as yomwarayom2001.ru.

Update 01AUG2011



At 3:15 this morning, the malware being distributed swapped to:

2e749d608d29aef739f5b08e7f63225a (click for VirusTotal Report)

The MD5 for the exe inside of the zip file with MD5 2e749d608d29aef739f5b08e7f63225a is:

a446ced5db1de877cf78f77741e2a804 Filename: Refund-Form (dot) exe (1 of 43 detects at VirusTotal).


At 4:30 this morning, and continuing to the present moment (07:45 AM Central Time), the malware being distributed swapped to:

4b126c49c261ca0f65fce9e5d08811d6 (click for VirusTotal Report)

The MD5 for the exe inside of the zip file with MD5 4b126c49c261ca0f65fce9e5d08811d6 is:

2f0155c39ddcf490f3a310ba0546c627 Filename: Refund_Form (dot) exe (5 of 43 detects at VirusTotal).

"Government-related" Zeus spam continues

by UAB's Director of Research in Computer Forensics on July 28, 2011

in SBN

As we discussed in yesterday's article, "Wrong transaction" hotel spam, the UAB Spam Data Mine now has an ability to provide early alerting when a new spam campaign is directly linking to executable files.

This morning we have a new example of this capability in the form of the two most recent installments of a long-running "government-related" Zeus campaign.

One of the two spammed destinations is:

alert-irs.com /00000700973770US.exe MD5 = 0691a4856713edc97664e60db735747c

This malware is currently showing a (12 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

The other spammed destination is:

fdic-updates.com /system_update_07_28.exe MD5 = 7a0303fdb809ac0c1a84123b106992c2

This malware is currently showing a (8 of 43) detection rate at VirusTotal, as seen in this VirusTotal Report.

Both files are 172,032 bytes in size, but currently the FDIC one is showing a dramatically wider distribution via email than the IRS one, which may be an indication of "targeting" by the latter.

The FDIC version has been seen almost 500 times, despite the fact that the campaign is less than 45 minutes old as of this writing. Here is the count per 15 minute block seen in the UAB Spam Data Mine:

5 | ACH and Wire transfers disabled. | 2011-07-28 06:00:00
3 | Banking security update. | 2011-07-28 06:00:00
1 | Update for your banking account. | 2011-07-28 06:00:00
107 | ACH and Wire transfers disabled. | 2011-07-28 05:45:00
138 | Banking security update. | 2011-07-28 05:45:00
108 | Security update for banking accounts. | 2011-07-28 05:45:00
122 | Update for your banking account. | 2011-07-28 05:45:00
1 | Banking security update. | 2011-07-28 05:30:00
1 | Security update for banking accounts. | 2011-07-28 05:30:00
1 | ACH and Wire transfers disabled. | 2011-07-28 05:15:00
1 | Banking security update. | 2011-07-28 05:15:00
1 | Security update for banking accounts. | 2011-07-28 05:15:00


(Timestamps are US-Central Time, GMT -6)


The FDIC spam comes from email addresses that randomly associate these "usernames" with these "hostnames". Everything in the first column was seen combined with everything in the second column.

admin @ admin.fdic.gov
adminnistration @ administration.fdic.gov
cunsumer @ fdic.gov
FDIC @ security.fdic.gov
finance @
govdelivery @
information @
inspector @
news @
no-reply @
privacy_policy @
protection @
public @
report @
service @
stats @
support @
webannouncements @


Here's what the email actually says:

Dear clients,
Your account ACH and Wire transactions have been
temporarily suspended for your settings, due to the
expiration of your security version. To download and install the
newest Updates, click here.

As soon as it is Applied, your transaction abilities will be fully restored.

Best regards,
Online security department
Federal Deposit Insurance Corporation



The IRS related spam came first:

2 | Internal Revenue Service | 2011-07-28 04:15:00
2 | Federal Tax payment rejected | 2011-07-28 04:00:00
2 | Your IRS payment rejected | 2011-07-28 04:00:00
2 | Internal Revenue Service | 2011-07-28 03:45:00


This is fairly typical spamming for this group. They like to make a new Zeus variant, populate it on a website, and then spam it very hard at the beginning of the East Coast business day. For example, here is the spam for:

"nacha-rejected.com"

2 | Rejected transaction | 2011-07-27 05:30:00
1 | Canceled payment | 2011-07-27 05:15:00
2 | Canceled transaction | 2011-07-27 05:15:00
3 | Payment rejected | 2011-07-27 05:15:00
5 | Rejected transaction | 2011-07-27 05:15:00
2 | Canceled transaction | 2011-07-27 05:00:00
8 | Canceled transfer | 2011-07-27 05:00:00
5 | Payment canceled | 2011-07-27 05:00:00
3 | Payment rejected | 2011-07-27 05:00:00
4 | Rejected transaction | 2011-07-27 05:00:00
92 | Canceled payment | 2011-07-27 04:45:00
74 | Canceled transaction | 2011-07-27 04:45:00
84 | Canceled transfer | 2011-07-27 04:45:00
60 | Payment canceled | 2011-07-27 04:45:00
75 | Payment rejected | 2011-07-27 04:45:00
57 | Rejected transaction | 2011-07-27 04:45:00
2 | Payment canceled | 2011-07-27 04:30:00
1 | Payment rejected | 2011-07-27 04:30:00
1 | Canceled transaction | 2011-07-27 04:15:00
2 | Payment canceled | 2011-07-27 04:15:00


nacha-transactions.com

1 | Payment rejected | 2011-07-27 07:00:00
1 | Rejected transaction | 2011-07-27 06:45:00
4 | Canceled payment | 2011-07-27 06:30:00
2 | Canceled transfer | 2011-07-27 06:30:00
1 | Payment canceled | 2011-07-27 06:30:00
1 | Payment rejected | 2011-07-27 06:30:00
1 | Canceled transaction | 2011-07-27 06:15:00
1 | Canceled transfer | 2011-07-27 06:15:00
1 | Payment canceled | 2011-07-27 06:15:00
1 | Payment rejected | 2011-07-27 06:15:00


taxes-refund.com

1 | Internal Revenue Service | 2011-07-27 08:00:00
1 | U.S. Department of the Treasury | 2011-07-27 08:00:00
1 | Internal Revenue Service | 2011-07-27 07:45:00
2 | Internal Revenue Service (IRS) | 2011-07-27 07:45:00
2 | Payment IRS.gov | 2011-07-27 07:45:00
1 | Internal Revenue Service | 2011-07-27 07:30:00
1 | IRS.gov | 2011-07-27 07:30:00
1 | U.S. Department of the Treasury | 2011-07-27 07:30:00


Three consecutive campaigns, one following the other, with the whole thing wrapping up before 8 AM Central time (which would be 9 AM Eastern time).

The NACHA spam leading to Zeus has been an issue for a very long time. We've seen spam like this going all the way back to November 2009, but it has been fairly constant since February of this year, when we shared the article ACH Transaction Rejected Payment Spam.

Following the Botnet Back in Time


Because of the way we archive our email, it's possible for us to ask the UAB Spam Data Mine to reveal a deeper history for this particular spamming botnet by asking a question like:

"Show me all the spam subjects that have been sent by IP addresses that sent me this morning's fdic-updates.com spam message"

5 | 2011-07-28 06:00:00 | ACH and Wire transfers disabled.
3 | 2011-07-28 06:00:00 | Banking security update.
1 | 2011-07-28 06:00:00 | Update for your banking account.
107 | 2011-07-28 05:45:00 | ACH and Wire transfers disabled.
138 | 2011-07-28 05:45:00 | Banking security update.
108 | 2011-07-28 05:45:00 | Security update for banking accounts.
122 | 2011-07-28 05:45:00 | Update for your banking account.
1 | 2011-07-28 05:30:00 | Banking security update.
1 | 2011-07-28 05:30:00 | Security update for banking accounts.
1 | 2011-07-28 05:15:00 | ACH and Wire transfers disabled.
1 | 2011-07-28 05:15:00 | Banking security update.
1 | 2011-07-28 05:15:00 | Security update for banking accounts.
1 | 2011-07-27 23:30:00 | ho
1 | 2011-07-27 21:15:00 | RE:.. How do you do,
4 | 2011-07-27 20:00:00 | ho
1 | 2011-07-27 14:45:00 | VIDEO: Lockerbie bomber at pro-Gaddafi rally
1 | 2011-07-27 12:00:00 | Yo
1 | 2011-07-27 08:00:00 | Internal Revenue Service
1 | 2011-07-27 06:45:00 | Rejected transaction
2 | 2011-07-27 05:15:00 | Rejected transaction
2 | 2011-07-27 05:00:00 | Canceled transaction
2 | 2011-07-27 05:00:00 | Canceled transfer
3 | 2011-07-27 05:00:00 | Payment rejected
33 | 2011-07-27 04:45:00 | Canceled payment
22 | 2011-07-27 04:45:00 | Canceled transaction
26 | 2011-07-27 04:45:00 | Canceled transfer
24 | 2011-07-27 04:45:00 | Payment canceled
30 | 2011-07-27 04:45:00 | Payment rejected
17 | 2011-07-27 04:45:00 | Rejected transaction
1 | 2011-07-27 04:30:00 | Payment canceled
1 | 2011-07-27 04:15:00 | Canceled transaction
1 | 2011-07-27 04:15:00 | Payment canceled
1 | 2011-07-26 17:15:00 | Attack on Guinea leader repelled
1 | 2011-07-26 06:00:00 | IRC.gov
1 | 2011-07-26 05:45:00 | VIDEO: Phoenix hit by second dust storm
1 | 2011-07-25 14:00:00 | Hi!
1 | 2011-07-23 19:45:00 | Giant space telescope reaches orbit
1 | 2011-07-23 19:45:00 | High Court challenge on care cuts
1 | 2011-07-23 19:45:00 | HMRC in cost-cutting 'challenge'
1 | 2011-07-23 19:45:00 | Mortgage lending remains subdued
1 | 2011-07-23 19:45:00 | Mum's stress reaches baby in womb
1 | 2011-07-23 19:45:00 | Nato hands over key Afghan city
1 | 2011-07-23 19:45:00 | Personal pension advice still bad
1 | 2011-07-23 19:45:00 | Scots economy escapes recession
1 | 2011-07-23 19:45:00 | Serbia arrests last war crimes fugitive
1 | 2011-07-23 19:45:00 | Strauss-Kahn daughter questioned
1 | 2011-07-23 19:45:00 | VIDEO: Key moments as MPs grill Murdochs
1 | 2011-07-23 18:30:00 | Heya
2 | 2011-07-22 19:45:00 | Hi
1 | 2011-07-22 19:00:00 | Hey
1 | 2011-07-22 19:00:00 | Hi
1 | 2011-07-22 13:45:00 | Heya
1 | 2011-07-22 07:15:00 | Read: A Must for High-Rise Emergencies
1 | 2011-07-22 05:00:00 | IRC.gov
1 | 2011-07-22 04:45:00 | Support IRS.gov
2 | 2011-07-22 03:45:00 | Change Confirmation
1 | 2011-07-22 03:45:00 | Does your enterprise including outstanding tax debts
1 | 2011-07-22 03:45:00 | Internal Revenue Service
1 | 2011-07-22 03:45:00 | Internal Revenue Service United States Department of the Treasury
1 | 2011-07-22 03:45:00 | IRC.gov
1 | 2011-07-22 03:45:00 | IRS.gov US
1 | 2011-07-22 03:45:00 | Notice of Underreported Income
3 | 2011-07-22 03:45:00 | Support IRS.gov
2 | 2011-07-22 03:45:00 | Treasury Inspector General for Tax Administration
2 | 2011-07-22 03:45:00 | U.S. Department of the Treasury
2 | 2011-07-22 03:45:00 | Your company including unpaid tax debts
1 | 2011-07-21 13:00:00 | Manhood raisers with price-offs!
1 | 2011-07-21 13:00:00 | Super lasting and good stiff!
1 | 2011-07-21 05:45:00 | New security update
2 | 2011-07-21 04:45:00 | Go id token update
6 | 2011-07-21 04:45:00 | Security token update
1 | 2011-07-21 04:45:00 | Token code update
2 | 2011-07-21 04:45:00 | Token software update
1 | 2011-07-20 07:30:00 | Canceled payment
1 | 2011-07-20 07:30:00 | Rejected transaction
1 | 2011-07-20 07:00:00 | Payment rejected
1 | 2011-07-20 06:45:00 | Canceled payment
1 | 2011-07-20 06:45:00 | Payment canceled
16 | 2011-07-20 06:30:00 | Canceled payment
8 | 2011-07-20 06:30:00 | Canceled transaction
10 | 2011-07-20 06:30:00 | Canceled transfer
7 | 2011-07-20 06:30:00 | Payment canceled
8 | 2011-07-20 06:30:00 | Payment rejected
6 | 2011-07-20 06:30:00 | Rejected transaction
19 | 2011-07-20 06:15:00 | Canceled payment
13 | 2011-07-20 06:15:00 | Canceled transaction
15 | 2011-07-20 06:15:00 | Canceled transfer
16 | 2011-07-20 06:15:00 | Payment canceled
17 | 2011-07-20 06:15:00 | Payment rejected
24 | 2011-07-20 06:15:00 | Rejected transaction
2 | 2011-07-20 05:00:00 | Wire transfer # 3240569823405844930
4 | 2011-07-20 05:00:00 | Wire transfer # 3463453123432454667
1 | 2011-07-20 05:00:00 | Wire transfer # 3858994783568734677
1 | 2011-07-20 05:00:00 | Wire transfer # 4577867895676542367
2 | 2011-07-20 05:00:00 | Wire transfer # 5645746324515345353
2 | 2011-07-20 05:00:00 | Wire transfer # 6754846773457536756
2 | 2011-07-20 05:00:00 | Wire transfer # 6785675623451222333
1 | 2011-07-20 05:00:00 | Wire transfer # 8565696735865742365
2 | 2011-07-20 05:00:00 | Wire transfer ID 2345578568567567544
1 | 2011-07-20 05:00:00 | Wire transfer ID 3265474356547356756
1 | 2011-07-20 05:00:00 | Wire transfer ID 3425215345565475468
1 | 2011-07-20 05:00:00 | Wire transfer id 3425233214234534634
5 | 2011-07-20 05:00:00 | Wire transfer ID 3425233214234534634
1 | 2011-07-20 05:00:00 | Wire transfer id 3452364365475463425
1 | 2011-07-20 05:00:00 | Wire transfer ID 4135146854351231151
1 | 2011-07-20 05:00:00 | Wire transfer ID 4353267658545629087
3 | 2011-07-20 05:00:00 | Wire transfer ID 5468513264769656536
1 | 2011-07-20 05:00:00 | Wire transfer id 5473785489567245623
1 | 2011-07-20 05:00:00 | Wire transfer ID 5687895416264572398
1 | 2011-07-20 05:00:00 | Wire transfer ID 5876978567345176586
1 | 2011-07-20 05:00:00 | Wire transfer ID 6768576565423453415
1 | 2011-07-20 05:00:00 | Wire transfer id 6857234568657433677
3 | 2011-07-20 05:00:00 | Wire transfer id 8479764976835672345
1 | 2011-07-20 05:00:00 | Wire transfer id 8658375686537546544
41 | 2011-07-20 05:00:00 | Your Wire fund transfer
1 | 2011-07-20 04:30:00 | Wire transfer ID 6431531354846843122
1 | 2011-07-19 04:45:00 | Change Confirmation
1 | 2011-07-19 04:45:00 | Does your company is registered outstanding tax debts
2 | 2011-07-19 04:45:00 | U.S. Department of the Treasury
1 | 2011-07-19 04:45:00 | Your IRS payment rejected
1 | 2011-07-19 04:30:00 | Change Confirmation
1 | 2011-07-19 04:30:00 | Does your company including tax debts
1 | 2011-07-19 04:30:00 | Does your enterprise listed unpaid tax debts
2 | 2011-07-19 04:30:00 | Federal Tax payment rejected
1 | 2011-07-19 04:30:00 | For your company including unpaid tax debt
1 | 2011-07-19 04:30:00 | For your enterprise including tax debt
13 | 2011-07-19 04:30:00 | Internal Revenue Service
4 | 2011-07-19 04:30:00 | Internal Revenue Service (IRS)
2 | 2011-07-19 04:30:00 | Internal Revenue Service United States Department of the Treasury
4 | 2011-07-19 04:30:00 | IRC.gov
5 | 2011-07-19 04:30:00 | IRS.gov US
8 | 2011-07-19 04:30:00 | Notice of Underreported Income
6 | 2011-07-19 04:30:00 | Payment IRS.gov
4 | 2011-07-19 04:30:00 | Support IRS.gov
5 | 2011-07-19 04:30:00 | Treasury Inspector General for Tax Administration
1 | 2011-07-19 04:30:00 | U.S. Department of the Treasury
2 | 2011-07-19 04:30:00 | Your enterprise has remained outstanding tax debts
3 | 2011-07-19 04:30:00 | Your IRS payment rejected
1 | 2011-07-19 04:15:00 | Internal Revenue Service
1 | 2011-07-18 10:30:00 | Love BlackJack? Check out the games at Winner Palace
1 | 2011-07-16 02:00:00 | Out of Office AutoReply: Please Review
1 | 2011-07-15 09:00:00 | For your company is registered unpaid tax debt
1 | 2011-07-15 09:00:00 | Internal Revenue Service
2 | 2011-07-15 08:45:00 | Change Confirmation
2 | 2011-07-15 08:45:00 | Federal Tax payment rejected
2 | 2011-07-15 08:45:00 | Internal Revenue Service
2 | 2011-07-15 08:45:00 | Internal Revenue Service (IRS)
4 | 2011-07-15 08:45:00 | Internal Revenue Service United States Department of the Treasury
3 | 2011-07-15 08:45:00 | IRC.gov
1 | 2011-07-15 08:45:00 | IRS.gov US
3 | 2011-07-15 08:45:00 | Payment IRS.gov
2 | 2011-07-15 08:45:00 | Support IRS.gov
1 | 2011-07-15 08:45:00 | Treasury Inspector General for Tax Administration
1 | 2011-07-15 08:45:00 | U.S. Department of the Treasury
2 | 2011-07-15 08:45:00 | Your IRS payment rejected
1 | 2011-07-15 07:30:00 | TV murder appeal prompts 40 calls
1 | 2011-07-14 21:30:00 | US senator requests hacking probe
1 | 2011-07-14 20:15:00 | Parties unite over BSkyB bid call
1 | 2011-07-14 19:45:00 | PM Kan urges 'nuclear-free Japan'
1 | 2011-07-14 18:00:00 | Man tells jury 'I killed Lynette'
1 | 2011-07-14 15:15:00 | VIDEO: Live: Debate on youth unemployment
1 | 2011-07-14 07:15:00 | Security update for banking accounts.
10 | 2011-07-14 07:00:00 | ACH and Wire transfers disabled.
5 | 2011-07-14 07:00:00 | Banking security update.
7 | 2011-07-14 07:00:00 | Security update for banking accounts.
5 | 2011-07-14 07:00:00 | Update for your banking account.
1 | 2011-07-13 11:30:00 | Hospitals warned over clot deaths
1 | 2011-07-13 07:45:00 | Does your enterprise listed unpaid tax debt
3 | 2011-07-13 07:45:00 | Federal Tax payment rejected
5 | 2011-07-13 07:45:00 | Internal Revenue Service United States Department of the Treasury
2 | 2011-07-13 07:45:00 | IRC.gov
7 | 2011-07-13 07:45:00 | Notice of Underreported Income
1 | 2011-07-13 07:45:00 | Treasury Inspector General for Tax Administration
2 | 2011-07-13 07:45:00 | U.S. Department of the Treasury
1 | 2011-07-13 07:45:00 | Your company listed outstanding tax debt
1 | 2011-07-13 07:45:00 | Your enterprise listed unpaid tax debt
1 | 2011-07-13 07:30:00 | Internal Revenue Service
2 | 2011-07-13 07:30:00 | Internal Revenue Service (IRS)
2 | 2011-07-13 07:30:00 | Internal Revenue Service United States Department of the Treasury
1 | 2011-07-13 07:30:00 | Notice of Underreported Income
3 | 2011-07-13 07:30:00 | Payment IRS.gov
1 | 2011-07-13 07:30:00 | Support IRS.gov
2 | 2011-07-13 07:30:00 | U.S. Department of the Treasury
2 | 2011-07-13 07:30:00 | Your IRS payment rejected
3 | 2011-07-13 05:45:00 | Business accounts updates
1 | 2011-07-13 05:45:00 | Dear corporate clients
1 | 2011-07-13 05:45:00 | New settings for wire transfers
1 | 2011-07-13 05:30:00 | Business accounts updates
5 | 2011-07-13 05:30:00 | Corporate banking security
3 | 2011-07-13 05:30:00 | Dear corporate clients
10 | 2011-07-13 05:30:00 | Federalreserve security update
4 | 2011-07-13 05:30:00 | New security settings
4 | 2011-07-13 05:30:00 | New security update
5 | 2011-07-13 05:30:00 | New settings for wire transfers
2 | 2011-07-13 05:30:00 | Wire transfers update



We can also ask it to tell us what spammed destinations were being described by those messages and learn that what we see is:

July 13th = usbanking-security.com
July 15th = federalsecusrity.com
July 19th = taxreport-irs.com
July 19th = irs-taxes-report.com
July 19th = irs-report-link.com
July 20th = www.federalreserve.gov
July 20th = reports-federalreserve.com
July 20th = nacha-alert.org
July 20th = nacha-alert.com
July 20th = alerts-federalresrve.com
July 21st = national-security-agency.com
July 21st = federal-secueity-government.com
July 22nd = irs-downloads.com
July 22nd = irs-files.com
July 26th = taxes-irs.net
July 27th = www.nacha-rejected.com
July 27th = taxes-refund.com
July 28th = fdic-updates.com

Again, the query run says "look at my spam history FOR THE IP ADDRESSES USED BY THE GOV-RELATED ZEUS DOMAIN THIS MORNING and see what else they've sent me previously."

I've temporarily included only those links that were DIRECTLY linking to an executable, but we also have all of the "domain-shortener" spam that was sent on July 13th pretending to be a LinkedIn message. In that case, the spam used 25 different shortener services, most of which seem to have been created specifically for that purpose:


And yes, we can also tie today's spamming botnet to all of those fake LinkedIn spam messages that distributed Zeus on July 13th.

"Wrong Transaction" Hotel Spam

by UAB's Director of Research in Computer Forensics on July 27, 2011

in SBN

One of the features in the new version of the UAB Spam Data Mine is the ability to quickly run "malware links" and "malware attachments" reports for the current day, the previous day, or a date range.

The objective of this functionality is to provide as close to "real time" intelligence on potential new email-based threats as possible. You'll see what I mean below.

I've been playing with it for the past several days, but just so you can join in the fun, let me show you the top results that come back when I do:

\i malware.attachments.sql

 spam count |           attached md5           | extension | subject
------------+----------------------------------+-----------+--------------------------------------------------------------------------
          6 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Renaissance Chicago made wrong transaction
          5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Hyatt Regency Houston made wrong transaction
          5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Jefferson made wrong transaction
          5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Renaissance Washington made wrong transaction
          5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Sheraton Suites San Diego at Symphony Hall made wrong transaction
          5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel The Westin Oaks made wrong transaction
          5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Westin Diplomat Resort & Spa made wrong transaction
          5 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Westin St. Francis made wrong transaction
          4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Hilton Las Vegas made wrong transaction
          4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Intercontinental Buckhead Atlanta made wrong transaction
          4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Rancho Bernardo Inn made wrong transaction
          4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Ritz Carlton Kapalua made wrong transaction
          4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Ritz-Carlton Marina Del Rey made wrong transaction
          4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel The Latham made wrong transaction
          4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel The Westin New York at Times Square made wrong transaction
          4 | c15eb3c47800fec025b6a86a6409f144 | zip       | Wrong transaction from your credit card in Ritz Carlton Naples Beach Resort
          3 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel Four Seasons Resort Maui at Wailea made wrong transaction
          3 | c15eb3c47800fec025b6a86a6409f144 | zip       | Hotel The Whitehall made wrong transaction
          3 | c15eb3c47800fec025b6a86a6409f144 | zip       | Wrong transaction from your credit card in Loews Miami Beach
          3 | c15eb3c47800fec025b6a86a6409f144 | zip       | Wrong transaction from your credit card in Woodrun V Townhomes


Since we've never seen spam like this before, it's "new" and potentially interesting!

One quick check of whether this is "interesting" is what happens when we ask forty-three different Anti-virus vendors whether the attached file is a virus or not.

We do this by using the services of VirusTotal.com, which gave us back this report: VirusTotal Report for c15eb3c47800fec025b6a86a6409f144. At the time of this writing, having already received more than 800 copies of the spam, Sophos and Trend Micro call it "BredoLab", Rising AV of China calls it "suspicious", and NOD32 says it's a "Kryptik" variant. The other thirty-nine AV companies currently don't have published definitions for this malware.



UPDATE: As of 12:36 PM Central Time on July 27th, we are now up to 12 of 43 detects. See the updated VirusTotal Report here. Curiously, just yesterday someone asked me whether I ever see AV vendors change their mind on what something should be called. You'll note that on the first report Sophos called this Bredolab, but now they are calling it Zbot. It will be interesting to see how that plays out, since no one else among the 12 detectors believes this to be Zeus (aka Zbot).





The spam messages look like this:



We've already seen more than 400 different subjects that are part of this group!

7 | Hotel Courtyard by Marriott Houston Downtown made wrong transaction
6 | Hotel Ritz-Carlton Marina Del Rey made wrong transaction
6 | Hotel Hilton Las Vegas made wrong transaction
6 | Hotel Renaissance Chicago made wrong transaction
6 | Hotel Westin Diplomat Resort & Spa made wrong transaction
5 | Wrong transaction from your credit card in Icon
5 | Wrong transaction from your credit card in Ritz Carlton Naples Beach Resort
5 | Hotel The Westin Oaks made wrong transaction
5 | Hotel Sheraton Suites San Diego at Symphony Hall made wrong transaction
5 | Hotel Renaissance Washington made wrong transaction
5 | Hotel Jefferson made wrong transaction
5 | Hotel Westin St. Francis made wrong transaction
5 | Hotel Rancho Bernardo Inn made wrong transaction
5 | Hotel Intercontinental Buckhead Atlanta made wrong transaction
5 | Hotel Hyatt Regency Houston made wrong transaction

(The complete list concludes at the bottom of this post . . . )

One of the other great things we can do with the UAB Spam Data Mine though, is to ask "what other things are being sent by the computers that sent us this spam?"

Look what happens when I ask "show me the top subjects from YESTERDAY that were spammed by IP addresses that spammed the hotel spam TODAY?"

62 | 2011-07-26 | Credit Card is one week overdue
51 | 2011-07-26 | Credit Card overdue
43 | 2011-07-26 | Your Credit Card is one week overdue
39 | 2011-07-26 | Payment by credit card overdue
39 | 2011-07-26 | Credit card payment of overstayed
25 | 2011-07-26 | Your financial debt overdue
6 | 2011-07-26 | Re: Re: hi bud
5 | 2011-07-26 | Get your first bonus just for registering.
4 | 2011-07-26 | We offer only top grade Replica watches at only a fraction of the original price,
4 | 2011-07-26 | Chase bonuses no more; register at Winner Palacce.
4 | 2011-07-26 | Seeking gaming glory? Sign up and get free bonus.
3 | 2011-07-26 | A dream come true sign up bonus at Winner Palacce.
3 | 2011-07-26 | Gaming glory beckons, register and get free bonus.


The top group - the most prominent in response to this query - was the "MasterCard" version of the Fake AV malware that we blogged about previously on July 23rd -- MasterCard Spam Leads to Fake AV. SC Magazine's Angelina Moscaritolo wrote that up under the headline "Rogue AV Masquerading as SC Awards 2011 Finalist". The same spamming botnet has been sending out Casino spam and Rolex watch spam for more than a month.

We had 120 different subjects from this small IP sample group yesterday -- many of the subjects are "customized" such as "gar@place.com Rolex.com For You - 77%" or "gar@otherplace.com Rolex.com For You - 55%"
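The sender-IP pivot used here, and in the "Following the Botnet Back in Time" section of the Zeus post above, as an added example that is not the UAB Spam Data Mine's own code: a small SQLite archive of constructed messages plus the two questions the posts paraphrase, "what subjects did the IPs that sent today's campaign send, per 15-minute block" and "what download destinations did those same IPs deliver on earlier days". The table layout, the sender IPs (documentation ranges) and every message row are made up to resemble the page's reports.

```python
"""Sender-IP pivot over a spam archive, modelled on the queries quoted in the
posts.  Example code added by the editor, not the UAB Spam Data Mine's SQL:
schema, sender IPs and all message rows below are constructed."""
import sqlite3

# Constructed archive rows: (received, sender_ip, subject, link_domain).
# link_domain is the host the message's download link pointed at, or None
# when the message carried no malware link (news lures, casino spam, ...).
MESSAGES = [
    ("2011-07-28 05:46:12", "192.0.2.10", "Banking security update.", "fdic-updates.com"),
    ("2011-07-28 05:47:30", "192.0.2.11", "ACH and Wire transfers disabled.", "fdic-updates.com"),
    ("2011-07-28 05:59:01", "192.0.2.10", "Update for your banking account.", "fdic-updates.com"),
    ("2011-07-27 04:46:00", "192.0.2.10", "Canceled payment", "nacha-rejected.com"),
    ("2011-07-27 04:50:00", "192.0.2.11", "Canceled payment", "nacha-rejected.com"),
    ("2011-07-27 04:52:00", "192.0.2.11", "Rejected transaction", "nacha-rejected.com"),
    ("2011-07-27 04:31:00", "192.0.2.11", "Payment canceled", "nacha-rejected.com"),
    ("2011-07-22 03:47:00", "192.0.2.10", "Support IRS.gov", "irs-files.com"),
    # Noise from hosts that never delivered the campaign we pivot on.
    ("2011-07-23 19:50:00", "192.0.2.12", "Giant space telescope reaches orbit", None),
    ("2011-07-26 10:00:00", "198.51.100.5", "Get your first bonus just for registering.", None),
]

# Sender IPs that delivered messages linking to :domain on :day.
BOTNET_CTE = """
WITH botnet AS (
    SELECT DISTINCT sender_ip FROM spam
    WHERE link_domain = :domain AND date(received) = :day
)
"""

# Round each timestamp down to the 15-minute block the reports use.
BUCKET_EXPR = """
strftime('%Y-%m-%d %H:', received)
  || printf('%02d', (CAST(strftime('%M', received) AS INTEGER) / 15) * 15)
  || ':00'
"""


def load_archive(messages=MESSAGES):
    """Build an in-memory archive holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE spam (received TEXT, sender_ip TEXT, subject TEXT, link_domain TEXT)"
    )
    conn.executemany("INSERT INTO spam VALUES (?, ?, ?, ?)", messages)
    return conn


def subjects_from_botnet(link_domain, on_date, conn=None):
    """'Show me all the spam subjects sent by the IPs that sent me today's
    <link_domain> spam': (count, 15-minute block, subject), newest first."""
    if conn is None:
        conn = load_archive()
    sql = BOTNET_CTE + f"""
    SELECT COUNT(*) AS n, {BUCKET_EXPR} AS bucket, subject
    FROM spam
    WHERE sender_ip IN (SELECT sender_ip FROM botnet)
    GROUP BY bucket, subject
    ORDER BY bucket DESC, subject ASC
    """
    return conn.execute(sql, {"domain": link_domain, "day": on_date}).fetchall()


def destinations_from_botnet(link_domain, on_date, conn=None):
    """'What spammed destinations were those messages describing?': one
    (day, link_domain) pair per campaign the same senders delivered."""
    if conn is None:
        conn = load_archive()
    sql = BOTNET_CTE + """
    SELECT DISTINCT date(received) AS day, link_domain
    FROM spam
    WHERE sender_ip IN (SELECT sender_ip FROM botnet)
      AND link_domain IS NOT NULL
    ORDER BY day
    """
    return conn.execute(sql, {"domain": link_domain, "day": on_date}).fetchall()


if __name__ == "__main__":
    db = load_archive()
    for n, bucket, subject in subjects_from_botnet("fdic-updates.com", "2011-07-28", db):
        print(f"{n:>6} | {bucket} | {subject}")
    for day, domain in destinations_from_botnet("fdic-updates.com", "2011-07-28", db):
        print(f"{day} = {domain}")
```

The noise rows from 192.0.2.12 and 198.51.100.5 never appear in either result, which is the whole point of keying on sender IP rather than on subject or domain.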

So, what do we predict the Hotel Spam will turn out to be? There is a good chance it will be related to the MasterCard Fake AV Spam. Well . . . one way to find out, right?

The .zip file contained this file:



When we launched the malware, it made a connection to the webserver at "yomwarayom2001.ru" on IP address 84.247.61.25.

The first link we hit there was an exploit server -- probably the "BlackHole Exploit Kit" that has been very popular recently on similarly structured web pages. We almost immediately ALSO fetched a file called "forum3/load.php?module=grabbers".

This caused us to download a file "soft.exe" from yomwarayom2001.ru.

In a couple of minutes, a pop-up announced "Software Installed" and had an "OK" button. Clicking OK caused a connection to "heftyhips.com" on IP 66.197.251.53, where the file "images/img.php?id=106" was fetched.

Shortly thereafter we had a "Defender" icon on the desktop, which was this file:



Note that "Defender" claims to be written by AVG Software Development, a real antivirus company!

That was enough to convince me we were still in "Fake AV" territory.


The rest of the hotel spam subject list



5 | Hotel Marriott Houston Airport at George Bush Intercontinental made wrong transaction
4 | Hotel Fairmont & Towers made wrong transaction
4 | Hotel Mondrian South Beach made wrong transaction
4 | Wrong transaction from your credit card in Westin St. Francis
4 | Wrong transaction from your credit card in Courtyard by Marriott Houston Downtown
4 | Hotel The Westin New York at Times Square made wrong transaction
4 | Wrong transaction from your credit card in Rouge
4 | Hotel Ritz Carlton Kapalua made wrong transaction
4 | Hotel Marriott Marquis San Francisco made wrong transaction
4 | Hotel Sonesta Orlando Downtown made wrong transaction
4 | Hotel The Whitehall made wrong transaction
4 | Hotel Renaissance New York Times Square made wrong transaction
4 | Hotel The Drake made wrong transaction
4 | Hotel Four Seasons Resort Palm Beach made wrong transaction
4 | Hotel Hyatt Regency Washington made wrong transaction
4 | Hotel Doubletree by Hilton Orlando at SeaWorld made wrong transaction
4 | Hotel Four Seasons Resort Maui at Wailea made wrong transaction
4 | Hotel The Latham made wrong transaction
4 | Wrong transaction from your credit card in Sheraton Chicago and Towers
4 | Hotel Red Rock Casino Resort & Spa made wrong transaction
4 | Hotel Mona Lisa Suite made wrong transaction
3 | Wrong transaction from your credit card in Ritz-Carlton Orlando, Grande Lakes Resort
3 | Wrong transaction from your credit card in The Westin Chicago River North
3 | Hotel Grand Wailea Resort made wrong transaction
3 | Hotel Washington Court on Capitol Hill made wrong transaction
3 | Wrong transaction from your credit card in Hyatt Regency Scottsdale Resort
3 | Hotel Disney's Grand Californian made wrong transaction
3 | Hotel George made wrong transaction
3 | Wrong transaction from your credit card in Woodrun V Townhomes
3 | Hotel Ritz-Carlton San Francisco made wrong transaction
3 | Wrong transaction from your credit card in Courtyard by Marriott Capitol Hill/Navy Yard
3 | Hotel Four Seasons made wrong transaction
3 | Hotel Se San Diego made wrong transaction
3 | Wrong transaction from your credit card in JW Marriott Las Vegas Resort, Spa & Golf
3 | Wrong transaction from your credit card in Ritz-Carlton Central Park
3 | Hotel Sheraton Maui Resort made wrong transaction
3 | Wrong transaction from your credit card in Embassy Suites Chevy Chase Pavilion
3 | Wrong transaction from your credit card in Loews Miami Beach
3 | Hotel Hilton Grand Vacations Club made wrong transaction
3 | Wrong transaction from your credit card in Owl Creek Homes
3 | Hotel Marriott at Metro Center made wrong transaction
3 | Wrong transaction from your credit card in Le Meridien San Francisco
3 | Wrong transaction from your credit card in The Ritz-Carlton Buckhead
3 | Wrong transaction from your credit card in Renaissance Chicago
3 | Hotel La Valencia made wrong transaction
3 | Wrong transaction from your credit card in Campton Place
3 | Wrong transaction from your credit card in Mondrian South Beach
3 | Hotel InterContinental made wrong transaction
3 | Hotel One Bal Harbour Resort & Spa made wrong transaction
3 | Hotel JW Marriott Pennsylvania Avenue made wrong transaction
3 | Hotel W Seattle made wrong transaction
3 | Wrong transaction from your credit card in Helix Boutique
3 | Hotel Dunton Hot Springs made wrong transaction
3 | Hotel Vdara & Spa made wrong transaction
3 | Hotel Fairmont Kea Lani made wrong transaction
3 | Hotel Marriott Chicago Downtown Magnificent Mile made wrong transaction
3 | Hotel Campton Place made wrong transaction
3 | Hotel Breakers Palm Beach made wrong transaction
3 | Hotel Mandalay Bay made wrong transaction
3 | Wrong transaction from your credit card in Four Seasons Resort Lanai at Manele Bay
3 | Wrong transaction from your credit card in Sanctuary on Camelback Mountain
3 | Hotel Ritz-Carlton Palm Beach made wrong transaction
3 | Hotel Mauna Kea Beach made wrong transaction
3 | Hotel The Ritz-Carlton Laguna Niguel made wrong transaction
3 | Hotel Four Seasons Resort Lanai at Manele Bay made wrong transaction
3 | Wrong transaction from your credit card in Fairmont & Towers
3 | Wrong transaction from your credit card in Four Seasons Resort Palm Beach
3 | Wrong transaction from your credit card in The Setai
3 | Hotel The Westin Embassy Row made wrong transaction
3 | Wrong transaction from your credit card in Renaissance Houston Greenway Plaza
3 | Hotel Disney's Grand Floridian made wrong transaction
3 | Wrong transaction from your credit card in Vdara & Spa
3 | Wrong transaction from your credit card in The Houstonian Club & Spa
3 | Wrong transaction from your credit card in Hyatt Regency Grand Cypress
3 | Hotel Windsor Court made wrong transaction
3 | Hotel JW Marriott Orlando Grande Lakes made wrong transaction
3 | Hotel The Chatwal made wrong transaction
3 | Hotel Hyatt Regency Scottsdale Resort made wrong transaction
3 | Hotel Wyndham Grand Desert made wrong transaction
3 | Hotel The Alex made wrong transaction
3 | Wrong transaction from your credit card in Intercontinental Buckhead Atlanta
3 | Hotel Kahala Resort made wrong transaction
2 | Hotel Embassy Suites North Charleston made wrong transaction
2 | Hotel The Fairmont Washington made wrong transaction
2 | Wrong transaction from your credit card in Sheraton Suites San Diego at Symphony Hall
2 | Wrong transaction from your credit card in The Wit-A Doubletree
2 | Wrong transaction from your credit card in Omni Chicago
2 | Hotel Granduca made wrong transaction
2 | Hotel Grand Bohemian made wrong transaction
2 | Wrong transaction from your credit card in Sheraton Moana Surfrider
2 | Wrong transaction from your credit card in Monaco Washington DC
2 | Hotel The Peninsula made wrong transaction
2 | Hotel Beverly Hills & Bungalows made wrong transaction
2 | Hotel Hilton Chicago made wrong transaction
2 | Hotel The St. Regis Monarch Beach made wrong transaction
2 | Hotel London West Hollywood made wrong transaction
2 | Wrong transaction from your credit card in Four Seasons San Francisco
2 | Hotel Conrad Miami made wrong transaction
2 | Hotel Michelangelo made wrong transaction
2 | Wrong transaction from your credit card in The Westin Mission Hills Resort & Spa
2 | Hotel Ritz-Carlton Orlando, Grande Lakes Resort made wrong transaction
2 | Hotel Walt Disney World Swan and Dolphin made wrong transaction
2 | Wrong transaction from your credit card in The Ritz-Carlton Georgetown
2 | Hotel Ritz-Carlton Battery Park made wrong transaction
2 | Hotel Royal Hawaiian made wrong transaction
2 | Wrong transaction from your credit card in Ritz Carlton Naples Golf Resort
2 | Wrong transaction from your credit card in The Westin Oaks
2 | Hotel The Westin Chicago River North made wrong transaction
2 | Wrong transaction from your credit card in Westin Princeville Ocean Resort Villas
2 | Hotel Breakwater made wrong transaction
2 | Hotel Hyatt Regency Waikiki made wrong transaction
2 | Hotel Camelback Inn, A JW Marriott Resort & Spa made wrong transaction
2 | Hotel Florida Choice Executive Pool Homes made wrong transaction
2 | Wrong transaction from your credit card in JW Marriott San Francisco
2 | Wrong transaction from your credit card in SLS at Beverly Hills
2 | Wrong transaction from your credit card in Fairmont Chicago
2 | Wrong transaction from your credit card in The Fairmont Orchid
2 | Wrong transaction from your credit card in The Iroquois
2 | Wrong transaction from your credit card in La Costa Resort & Spa
2 | Hotel W Hollywood made wrong transaction
2 | Hotel Crowne Plaza The Hamilton made wrong transaction
2 | Hotel Taj Boston made wrong transaction
2 | Hotel Palms Place & Spa made wrong transaction
2 | Hotel Hyatt Regency Huntington Beach made wrong transaction
2 | Hotel Sofitel Lafayette Square made wrong transaction
2 | Hotel JW Marriott San Francisco made wrong transaction
2 | Wrong transaction from your credit card in The Westin New York at Times Square
2 | Wrong transaction from your credit card in Four Seasons Resort Scottsdale
2 | Hotel Four Seasons Resort Scottsdale made wrong transaction
2 | Wrong transaction from your credit card in Ritz Carlton South Beach
2 | Hotel Madera made wrong transaction
2 | Wrong transaction from your credit card in The Fairmont
2 | Hotel La Costa Resort & Spa made wrong transaction
2 | Hotel Intercontinental San Francisco made wrong transaction
2 | Hotel Residence Inn by Marriott Capitol made wrong transaction
2 | Wrong transaction from your credit card in The Westin Seattle
2 | Hotel Sheraton Suites Houston Near The Galleria made wrong transaction
2 | Wrong transaction from your credit card in Mondrian
2 | Hotel Wardman Park Marriott made wrong transaction
2 | Hotel The Villa By Barton G made wrong transaction
2 | Hotel Trump International & Tower made wrong transaction
2 | Hotel The Ritz-Carlton Buckhead made wrong transaction
2 | Hotel The Westin Grand made wrong transaction
2 | Wrong transaction from your credit card in Lowell
2 | Wrong transaction from your credit card in Peabody Orlando
2 | Hotel Enchantment Resort made wrong transaction
2 | Hotel The Carlyle, A Rosewood made wrong transaction
2 | Hotel The Peninsula Beverly Hills made wrong transaction
2 | Wrong transaction from your credit card in Park Hyatt Resort & Spa
2 | Wrong transaction from your credit card in Doubletree by Hilton Orlando at SeaWorld
2 | Wrong transaction from your credit card in Marriott at Metro Center
2 | Hotel Ritz Carlton Naples Beach Resort made wrong transaction
2 | Wrong transaction from your credit card in Marriott Marquis San Francisco
2 | Wrong transaction from your credit card in The St. Regis Aspen
2 | Wrong transaction from your credit card in Trump International Sonesta Beach resort
2 | Wrong transaction from your credit card in Sheraton Maui Resort
2 | Wrong transaction from your credit card in The Villa By Barton G
2 | Wrong transaction from your credit card in Renaissance Charleston Historic District
2 | Hotel Aria made wrong transaction
2 | Hotel Charleston Marriott made wrong transaction
2 | Wrong transaction from your credit card in Sheraton Suites Houston Near The Galleria
2 | Hotel Universal Royal Pacific Resort a Loews made wrong transaction
2 | Wrong transaction from your credit card in Casa Del Mar
2 | Wrong transaction from your credit card in The Fairmont Washington
2 | Wrong transaction from your credit card in Kahala Resort
2 | Hotel JW Marriott Miami made wrong transaction
2 | Hotel JW Marriott Las Vegas Resort, Spa & Golf made wrong transaction
2 | Hotel Loews Regency made wrong transaction
2 | Hotel Tamarack by Destination Resorts Snowmass made wrong transaction
2 | Wrong transaction from your credit card in Marriott Houston Airport at George Bush Intercontinental
2 | Hotel The Langham Huntington & SPA made wrong transaction
2 | Wrong transaction from your credit card in Hilton Boston Logan Airport
2 | Hotel The Enclave made wrong transaction
2 | Wrong transaction from your credit card in Hyatt Grand Aspen
2 | Hotel The Houstonian Club & Spa made wrong transaction
2 | Wrong transaction from your credit card in The Latham
2 | Hotel Embassy Suites Washington made wrong transaction
2 | Wrong transaction from your credit card in Hyatt Regency Maui Resort and Spa
2 | Hotel Fairmont Chicago made wrong transaction
2 | Hotel The Setai made wrong transaction
2 | Wrong transaction from your credit card in Del Coronado
2 | Hotel Jerome made wrong transaction
2 | Wrong transaction from your credit card in Ritz Carlton Kapalua
2 | Wrong transaction from your credit card in The Enclave
2 | Hotel Ritz-Carlton Laguna Niguel made wrong transaction
2 | Hotel Courtyard by Marriott Capitol Hill/Navy Yard made wrong transaction
2 | Wrong transaction from your credit card in Ritz-Carlton Battery Park
2 | Hotel Sutton Place made wrong transaction
2 | Hotel W Boston made wrong transaction
2 | Wrong transaction from your credit card in Swissotel Chicago
2 | Wrong transaction from your credit card in The Westin Embassy Row
2 | Hotel The Henley Park made wrong transaction
2 | Hotel W Atlanta Midtown made wrong transaction
2 | Wrong transaction from your credit card in The Ritz-Carlton Orlando, Grande Lakes
2 | Wrong transaction from your credit card in Sofitel Lafayette Square
2 | Wrong transaction from your credit card in La Valencia
2 | Hotel Beverly Wilshire, A Four Seasons made wrong transaction
2 | Wrong transaction from your credit card in Rancho Las Palmas Resort & Spa
2 | Hotel Trump International Sonesta Beach resort made wrong transaction
2 | Hotel Biltmore made wrong transaction
2 | Hotel Icon made wrong transaction
2 | Hotel Sorrento made wrong transaction
2 | Wrong transaction from your credit card in Avalon
2 | Hotel Le Meridien San Francisco made wrong transaction
2 | Wrong transaction from your credit card in The Peninsula
1 | Hotel The Fairmont Olympic made wrong transaction
1 | Hotel Hilton Atlanta Airport made wrong transaction
1 | Wrong transaction from your credit card in Royal Palms Resort & Spa
1 | Hotel Ritz Carlton Naples Golf Resort made wrong transaction
1 | Wrong transaction from your credit card in The Alexander
1 | Hotel The Fairmont Copley Plaza made wrong transaction
1 | Wrong transaction from your credit card in JW Marriott Buckhead Atlanta
1 | Hotel Encore at Wynn made wrong transaction
1 | Hotel Carlton on Madison Avenue made wrong transaction
1 | Hotel Hyatt Regency San Francisco made wrong transaction
1 | Wrong transaction from your credit card in Boston Marriott Copley Place
1 | Wrong transaction from your credit card in Granduca
1 | Hotel M Resort Spa & Casino made wrong transaction
1 | Wrong transaction from your credit card in Ritz Carlton Key Biscayne
1 | Wrong transaction from your credit card in Four Seasons Los Angeles at Beverly Hills
1 | Hotel Loews Miami Beach made wrong transaction
1 | Hotel Mandarin Oriental made wrong transaction
1 | Hotel Westin Maui Resort & Spa made wrong transaction
1 | Hotel Fairmont Miramar made wrong transaction
1 | Wrong transaction from your credit card in The Fairmont Copley Plaza
1 | Wrong transaction from your credit card in Wyndham Grand Desert
1 | Hotel St. Regis Washington made wrong transaction
1 | Hotel Skylofts at MGM Grand made wrong transaction
1 | Wrong transaction from your credit card in Encore at Wynn
1 | Hotel Mondrian Scottsdale made wrong transaction
1 | Wrong transaction from your credit card in Inn at Perry Cabin
1 | Wrong transaction from your credit card in Sheraton Waikiki
1 | Hotel The Ritz-Carlton Bachelor Gulch made wrong transaction
1 | Wrong transaction from your credit card in Tamarack by Destination Resorts Snowmass
1 | Wrong transaction from your credit card in Dunton Hot Springs
1 | Hotel Hilton Hawaiian Village made wrong transaction
1 | Wrong transaction from your credit card in Willard InterContinental
1 | Wrong transaction from your credit card in Grand Hyatt New York
1 | Wrong transaction from your credit card in Grand Hyatt Atlanta in Buckhead
1 | Wrong transaction from your credit card in Grand Hyatt Seattle
1 | Wrong transaction from your credit card in Amsterdam Hospitality
1 | Wrong transaction from your credit card in The Langham Huntington & SPA
1 | Hotel The Cosmopolitan Las Vegas made wrong transaction
1 | Wrong transaction from your credit card in Intercontinental San Francisco
1 | Wrong transaction from your credit card in Acqualina Resort & Spa
1 | Wrong transaction from your credit card in Waldorf Towers
1 | Wrong transaction from your credit card in Omni
1 | Hotel McCoy Peak Lodge made wrong transaction
1 | Wrong transaction from your credit card in Park Hyatt Chicago
1 | Wrong transaction from your credit card in Taj Boston
1 | Wrong transaction from your credit card in Lauberge Del Mar
1 | Hotel Monaco Washington DC made wrong transaction
1 | Hotel Avalon made wrong transaction
1 | Hotel Royal Pacific Resort made wrong transaction
1 | Hotel Embassy Suites - Convention Center made wrong transaction
1 | Wrong transaction from your credit card in Charleston Place
1 | Hotel Ritz-Carlton Boston Common made wrong transaction
1 | Wrong transaction from your credit card in Royal Hawaiian
1 | Wrong transaction from your credit card in Hilton Las Vegas
1 | Hotel Ocean Key Resort & Spa made wrong transaction
1 | Wrong transaction from your credit card in Ocean Key Resort & Spa
1 | Hotel Mandarin Oriental Miami made wrong transaction
1 | Hotel Anglers made wrong transaction
1 | Hotel The Westin Peachtree Plaza made wrong transaction
1 | Wrong transaction from your credit card in The Venetian Resort and Casino
1 | Hotel The Washington Court On Capital Hil made wrong transaction
1 | Hotel The Palmer House Hilton made wrong transaction
1 | Hotel Hyatt Grand Aspen made wrong transaction
1 | Wrong transaction from your credit card in The Ritz-Carlton Fort Lauderdale
1 | Hotel Peninsula New York made wrong transaction
1 | Wrong transaction from your credit card in Shore Club
1 | Wrong transaction from your credit card in Hilton Americas Houston
1 | Wrong transaction from your credit card in Monaco Boutique
1 | Wrong transaction from your credit card in Embassy Suites Washington
1 | Wrong transaction from your credit card in The Hay-Adams
1 | Wrong transaction from your credit card in Lodge At Koele
1 | Hotel Hilton Orlando Bonnet Creek made wrong transaction
1 | Hotel Trump Las Vegas made wrong transaction
1 | Wrong transaction from your credit card in The Huntington and Nob Hill Spa
1 | Hotel Grand Hyatt New York made wrong transaction
1 | Hotel Lodge At Torrey Pines made wrong transaction
1 | Hotel Royal Palms Resort & Spa made wrong transaction
1 | Hotel Charleston Place made wrong transaction
1 | Hotel ZaZa Houston made wrong transaction
1 | Hotel Shangri-La made wrong transaction
1 | Wrong transaction from your credit card in Beverly Hills & Bungalows
1 | Hotel Hilton Atlanta made wrong transaction
1 | Wrong transaction from your credit card in Lodge At Torrey Pines
1 | Hotel Hyatt Regency Atlanta made wrong transaction
1 | Hotel Helix Boutique made wrong transaction
1 | Wrong transaction from your credit card in Taj Campton Place
1 | Hotel Four Seasons Los Angeles at Beverly Hills made wrong transaction
1 | Hotel Sanctuary on Camelback Mountain made wrong transaction
1 | Hotel Rio Suite and Casino made wrong transaction
1 | Hotel The Phoenician made wrong transaction
1 | Hotel Acqualina Resort & Spa made wrong transaction
1 | Wrong transaction from your credit card in Wynn Las Vegas
1 | Wrong transaction from your credit card in Hyatt Regency Washington
1 | Wrong transaction from your credit card in Crowne Plaza The Hamilton
1 | Wrong transaction from your credit card in The Washington Court On Capital Hil
1 | Wrong transaction from your credit card in Westin Diplomat Resort & Spa
1 | Wrong transaction from your credit card in Waldorf Astoria & Towers
1 | Wrong transaction from your credit card in St. Regis Washington
1 | Wrong transaction from your credit card in The Whitehall
1 | Hotel Sun Harbour Boutique made wrong transaction
1 | Wrong transaction from your credit card in Grand Hyatt San Francisco
1 | Wrong transaction from your credit card in George
1 | Hotel Embassy Suites made wrong transaction
1 | Wrong transaction from your credit card in Star The Michelangelo
1 | Hotel Washington Suites Georgetown made wrong transaction
1 | Hotel The Venetian Resort and Casino made wrong transaction
1 | Wrong transaction from your credit card in Morenas Resort Morrison-Clark Historic Inn
1 | Wrong transaction from your credit card in The Pierre
1 | Hotel Grand Hyatt Atlanta in Buckhead made wrong transaction
1 | Wrong transaction from your credit card in The Ritz-Carlton Laguna Niguel
1 | Hotel Swissotel Chicago made wrong transaction
1 | Wrong transaction from your credit card in Ritz-Carlton San Francisco
1 | Wrong transaction from your credit card in Royal Pacific Resort
1 | Hotel Palomar made wrong transaction
1 | Wrong transaction from your credit card in Indian Creek
1 | Hotel Tides South Beach made wrong transaction
1 | Hotel The Equinox Resort & Spa made wrong transaction
1 | Wrong transaction from your credit card in The Helmsley Carlton House
1 | Wrong transaction from your credit card in Palomar
1 | Hotel The Westin Atlanta Airport made wrong transaction
1 | Wrong transaction from your credit card in Nolitan
1 | Hotel Gansevoort South made wrong transaction
1 | Hotel The Helmsley Carlton House made wrong transaction
1 | Hotel The Lenox made wrong transaction
1 | Wrong transaction from your credit card in Enchantment Resort
1 | Hotel The Wit-A Doubletree made wrong transaction
1 | Wrong transaction from your credit card in Sutton Place
1 | Wrong transaction from your credit card in Ritz-Carlton Boston Common
1 | Hotel Renaissance Charleston Historic District made wrong transaction
1 | Wrong transaction from your credit card in Renaissance Waverly
1 | Wrong transaction from your credit card in The Alex
1 | Hotel Park Hyatt Resort & Spa made wrong transaction
1 | Hotel Inn at the Ballpark made wrong transaction
1 | Hotel Renaissance Houston Greenway Plaza made wrong transaction
1 | Hotel Grand Hyatt Kauai Resort & Spa made wrong transaction
1 | Wrong transaction from your credit card in Trump International Waikiki Beach Walk
1 | Wrong transaction from your credit card in Loews Santa Monica Beach
1 | Wrong transaction from your credit card in Peninsula New York
1 | Hotel Sheraton Chicago and Towers made wrong transaction
1 | Hotel Boston Harbor made wrong transaction
1 | Hotel Le Parker Meridien made wrong transaction
1 | Wrong transaction from your credit card in Renaissance Washington
1 | Hotel Sheraton Waikiki made wrong transaction
1 | Hotel Fairmont Scottsdale made wrong transaction
1 | Hotel The Carlyle Suites made wrong transaction
1 | Wrong transaction from your credit card in Hyatt Regency Waikiki
1 | Hotel Pocono Palace made wrong transaction
1 | Hotel The Westin Michigan Avenue made wrong transaction
1 | Hotel The Ritz-Carlton Georgetown made wrong transaction
1 | Wrong transaction from your credit card in Pierre A Taj
1 | Wrong transaction from your credit card in Red Rock Casino Resort & Spa
1 | Hotel Woodrun V Townhomes made wrong transaction
1 | Wrong transaction from your credit card in The Carlyle Suites
1 | Hotel SLS at Beverly Hills made wrong transaction
1 | Wrong transaction from your credit card in Loews Coronado Bay Resort
1 | Wrong transaction from your credit card in Halekulani
1 | Wrong transaction from your credit card in Trump Soho
1 | Wrong transaction from your credit card in Hilton Atlanta Airport
1 | Hotel Rancho Las Palmas Resort & Spa made wrong transaction
1 | Wrong transaction from your credit card in Grand Bohemian
1 | Wrong transaction from your credit card in The Little Nell
1 | Hotel Shore Club made wrong transaction
1 | Hotel Hyatt Regency Maui Resort and Spa made wrong transaction
1 | Hotel Hilton Americas Houston made wrong transaction
1 | Wrong transaction from your credit card in Skylofts at MGM Grand
1 | Hotel Loews Santa Monica Beach made wrong transaction
1 | Wrong transaction from your credit card in South Beach Marriott
1 | Wrong transaction from your credit card in Hilton Grand Vacations Club
1 | Hotel The Setai Fifth Avenue made wrong transaction
1 | Wrong transaction from your credit card in Shangri-La
1 | Wrong transaction from your credit card in Carlton on Madison Avenue
1 | Wrong transaction from your credit card in Four Seasons
1 | Hotel The Orchard made wrong transaction
1 | Hotel Plaza Athenee made wrong transaction
1 | Hotel Trump Soho made wrong transaction
1 | Wrong transaction from your credit card in Hilton Garden Inn Washington DC Franklin Square
1 | Wrong transaction from your credit card in Jefferson
1 | Hotel The Westin Seattle made wrong transaction
1 | Wrong transaction from your credit card in The Westin Michigan Avenue
1 | Hotel Jumeirah Essex House made wrong transaction
1 | Wrong transaction from your credit card in Conrad Miami
1 | Wrong transaction from your credit card in Seattle Marriott Waterfront
1 | Wrong transaction from your credit card in Beverly Wilshire, A Four Seasons
1 | Hotel Ritz-Carlton made wrong transaction
1 | Wrong transaction from your credit card in Waldorf Astoria Orlando
1 | Hotel Conrad Chicago made wrong transaction
1 | Wrong transaction from your credit card in McCoy Peak Lodge
1 | Wrong transaction from your credit card in Disney's Grand Californian
1 | Hotel Waldorf Astoria & Towers made wrong transaction
1 | Hotel Sheraton Keauhou Bay Resort & Spa made wrong transaction
1 | Hotel The Fairmont Orchid made wrong transaction
1 | Hotel Rouge made wrong transaction
1 | Hotel The Hay-Adams made wrong transaction
1 | Wrong transaction from your credit card in The Quincy
1 | Wrong transaction from your credit card in Se San Diego
1 | Wrong transaction from your credit card in The Equinox Resort & Spa
1 | Wrong transaction from your credit card in Trump International & Tower
1 | Hotel Sheraton Moana Surfrider made wrong transaction
1 | Hotel Lodge At Koele made wrong transaction
1 | Wrong transaction from your credit card in Sheraton Keauhou Bay Resort & Spa
1 | Wrong transaction from your credit card in Breakwater
1 | Wrong transaction from your credit card in Pocono Palace
1 | Wrong transaction from your credit card in The Westin Atlanta Airport
1 | Wrong transaction from your credit card in Hilton Atlanta
1 | Hotel Signature at MGM Grand made wrong transaction
1 | Wrong transaction from your credit card in The Phoenician
1 | Hotel Hilton Houston Plaza made wrong transaction
1 | Hotel Park Hyatt Chicago made wrong transaction
1 | Wrong transaction from your credit card in JW Marriott Pennsylvania Avenue
1 | Wrong transaction from your credit card in Breakers Palm Beach
1 | Wrong transaction from your credit card in Mandalay Bay
1 | Wrong transaction from your credit card in Marriott San Francisco Fisherman's Wharf
1 | Hotel JW Marriott Desert Ridge Resort & Spa made wrong transaction
1 | Wrong transaction from your credit card in New York Marriott Marquis
(434 rows)

MasterCard spam leads to Fake AV

by UAB's Director of Research in Computer Forensics on July 23, 2011

in SBN

The FBI is doing a great job gaining international cooperation in going after cyber criminals. Just last month yet another malware group was arrested, as the public learned about in the June 22, 2011 FBI press release, Department of Justice disrupts international cybercrime rings distributing scareware. In that case, criminals were arrested as part of a scareware ring that had infected more than 1 million computers and caused more than $72 million in losses!

Unfortunately, the end of fake Anti-virus scareware has not yet arrived. Here's an example from today's spam from the UAB Spam Data Mine.

We're seeing a significant "spam attached malware" campaign in the past 24 hours with six different attachment MD5s.

uab_spam=> select count(*), sender_domain, md5_hex, size from spam natural join spam_attach where sender_domain = 'mastercard.com' and receiving_date >= '2011-07-22' group by sender_domain, md5_hex, size;

count | received | md5_hex | size
-------+-------------------------+---------------------------------+-------
318 | 7/22 03:15 - 7/22 10:15 | 241cc18918540d6c49dd8b45df31985d | 67584
20 | 7/22 10:45 - 7/22 11:00 | 5f8a95d194f7dcadabf442ed5705c4e0 | 79872
565 | 7/22 11:30 - 7/22 17:30 | 0256a71baefd0f625910bbc44147e432 | 68096
1133 | 7/22 17:45 - 7/23 04:00 | f4aea68ea94d7780a5b1abd709f7730f | 69632
67 | 7/22 12:00 - 7/23 08:15 | 277eb4dacd401a3c520dc5bb9ede70f0 | 77237
439 | 7/23 04:00 - 7/23 08:15 | fe88c3a276d11aa208dac7ae68f55cd3 | 67584
(6 rows)

Most popular email subjects:

count | subject
-------+-----------------------------------------------
24 | WARNING: Your credit card is locked!
26 | WARNING: Your credit card is blocked!
26 | ATTENTION: Your credit card has been blocked!
1116 | Your credit card is blocked
29 | ATTENTION: Your credit card is blocked!
1184 | Your credit card has been blocked
24 | CAUTION: Your credit card is locked!
29 | ATTENTION: Your credit card is locked!
31 | WARNING: Your credit card has been blocked!
19 | CAUTION: Your credit card has been blocked!
34 | CAUTION: Your credit card is blocked!
(11 rows)

The body of the email looks like the attached file:



------------------
Dear User,
Your credit card is locked!
From your credit card has been removed $ 3951,74
Possibly illegal operation!
More details in the attached file.
Instantly contact your bank .
Best regards, MASTERCARD Services.
-------------------


The username portion of the sender address is random, but it includes a classic misspelling, "cunsumer", that has been consistent for this sender (the same actor who has been running the "government imitating" Zeus spam).

Usernames are a single word, followed by a ".", "_", or "-", followed by a two or three digit number.

The most popular words (by far) are "manager" (770 times) and "support" (757 times), but we've also seen admin, adminnistration, alerts, cunsumer, delivery, e-file, finance, frboard-webannouncements, govdelivery, information, inspector, news, news-alerts, no-reply, protection, public, report, service, stats, subscriber, subscriptions, usttb, and webannouncements.

The attached file is actually named as a ".com" file, using a random-seeming filename in the format "id" followed by a 5-7 digit number (such as id918538.com).
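A triage rule built from the sender, subject and attachment patterns just described, added here as an example (not the UAB Spam Data Mine's own code). The sample messages are constructed, and the "suspect"/"block" thresholds are my own assumption.

```python
import re
from email.utils import parseaddr

# Indicator patterns for the MasterCard-themed Fake AV spam described above.
# Sender: a single word (hyphens allowed), a "." "_" or "-" separator, then a
# two- or three-digit number, at the spoofed domain mastercard.com.
SENDER_RE = re.compile(r"^[a-z][a-z-]*[._-]\d{2,3}@mastercard\.com$", re.I)
# Attachment: "id" followed by a 5- to 7-digit number and a ".com" extension.
ATTACH_RE = re.compile(r"^id\d{5,7}\.com$", re.I)
# Subject: optional WARNING/ATTENTION/CAUTION prefix, then the locked/blocked line.
SUBJECT_RE = re.compile(
    r"^(?:(?:WARNING|ATTENTION|CAUTION):\s*)?"
    r"Your credit card (?:is|has been) (?:blocked|locked)!?$",
    re.I,
)
# Misspelled usernames the post lists for this sender.
KNOWN_TYPOS = {"cunsumer", "adminnistration"}
# Extensions Windows treats as directly executable; a card notice should
# never arrive as one of these.
EXECUTABLE_EXT = (".com", ".exe", ".scr", ".pif", ".bat")


def match_indicators(sender, subject, attachments):
    """Return the set of indicator names that a message matches."""
    hits = set()
    _, addr = parseaddr(sender)
    addr = addr.strip().lower()
    if SENDER_RE.match(addr):
        hits.add("sender_pattern")
        username = addr.split("@", 1)[0]
        # Split off the trailing separator + number to recover the word.
        word = re.split(r"[._-](?=\d{2,3}$)", username)[0]
        if word in KNOWN_TYPOS:
            hits.add("known_typo")
    if SUBJECT_RE.match(subject.strip()):
        hits.add("subject_pattern")
    for name in attachments:
        lname = name.strip().lower()
        if ATTACH_RE.match(lname):
            hits.add("attachment_pattern")
        if lname.endswith(EXECUTABLE_EXT):
            hits.add("executable_attachment")
    return hits


def verdict(sender, subject, attachments):
    """'block' when the attachment pattern co-occurs with the sender or subject
    pattern, 'suspect' when any single indicator fires, otherwise 'pass'.
    (Thresholds are an assumption, not from the post.)"""
    hits = match_indicators(sender, subject, attachments)
    if "attachment_pattern" in hits and hits & {"sender_pattern", "subject_pattern"}:
        return "block", hits
    if hits:
        return "suspect", hits
    return "pass", hits


# Constructed sample messages modelled on the post's description.
SAMPLE_MESSAGES = [
    ("manager.42@mastercard.com", "Your credit card has been blocked", ["id918538.com"]),
    ("cunsumer_77@mastercard.com", "ATTENTION: Your credit card is locked!", ["id12345.com"]),
    ("support-123@mastercard.com", "Re: meeting notes", ["notes.docx"]),
    ("alerts@bank.example", "Your monthly statement is ready", ["statement.pdf"]),
]


def triage(messages=SAMPLE_MESSAGES):
    """Verdict for each message, in order."""
    return [verdict(*m)[0] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v, hits = verdict(*m)
        print(f"{v:8s} {m[0]:30s} {sorted(hits)}")
```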

The 2,649 copies of the spam we have received so far came from 1,443 distinct sending IP addresses. Some of our most popular senders have been:


I chose the most recent MD5 and did a scan at VirusTotal, finding that only 3 of 43 Antivirus products were able to detect this as a virus, according to this VirusTotal report.

Since this was an email attachment, web reputation didn't really help here. This would be a case where your spam blocking would be your best defense!

When the file is launched, it attempts to make connections to a long list of domains that are probably generated by a "DGA" or "Domain Generation Algorithm". It's likely that at different times or days this list would be different. The domains tried in our run included:

syqivolurypugi.com
qotasifelaw.com
tibumuqel.com
suzehebaq.com
sivycaqilugoq.com
levulehup.com
ledimajezociw.com
rabuqibareme.com
fopuvuwupode.com
cinuherijugeg.com

and more.

bakagunaxepo.com responded as 193.164.132.20 <= Gigahosting, Germany
bipuwyqojivu.com responded as 85.17.239.165 <= Leaseweb, Netherlands
civivicuqekexo.com responded as 93.104.208.84 <= Gigahosting
levulehup.com responded as 204.45.120.27 <= FDC Servers, Chicago
levysavasezo.com responded as 85.17.239.215 <= Leaseweb, Netherlands
pafozykavygaj.com responded as 85.17.239.216 <= Leaseweb, Netherlands
pejozehywe.com responded as 50.2.7.242 <= Eonix/GotHost
suzehebaq.com responded as 206.217.134.44 <= Colocrossing
syqivolurypugi.com responded as 206.217.134.43 <= Colocrossing
waciroqohuli.com responded as 64.56.65.213 <= VRTServers.net
zarapetahuryp.com responded as 50.2.7.241 <= Eonix/GotHost

as a few examples . . .
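Two ways to pivot on the list above, added here as an example (not the post's own tooling): cluster the resolved domains by /24 to see which hosting blocks the family shares, and a shape test for this family's names, which strictly alternate consonant and vowel and so look like words to an entropy check. The resolution lines are copied from the post; the minimum label length of 9 is an assumption taken from the shortest names quoted.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The "domain responded as IP <= hoster" lines quoted in this post.
RESOLUTIONS = """\
bakagunaxepo.com responded as 193.164.132.20 <= Gigahosting, Germany
bipuwyqojivu.com responded as 85.17.239.165 <= Leaseweb, Netherlands
civivicuqekexo.com responded as 93.104.208.84 <= Gigahosting
levulehup.com responded as 204.45.120.27 <= FDC Servers, Chicago
levysavasezo.com responded as 85.17.239.215 <= Leaseweb, Netherlands
pafozykavygaj.com responded as 85.17.239.216 <= Leaseweb, Netherlands
pejozehywe.com responded as 50.2.7.242 <= Eonix/GotHost
suzehebaq.com responded as 206.217.134.44 <= Colocrossing
syqivolurypugi.com responded as 206.217.134.43 <= Colocrossing
waciroqohuli.com responded as 64.56.65.213 <= VRTServers.net
zarapetahuryp.com responded as 50.2.7.241 <= Eonix/GotHost
"""

LINE_RE = re.compile(r"^(\S+) responded as (\d{1,3}(?:\.\d{1,3}){3}) <= (.+)$")
VOWELS = set("aeiouy")


def parse_resolutions(text):
    """Return (domain, IPv4Address, hoster) tuples from lines in the post's format."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), ip_address(m.group(2)), m.group(3)))
    return out


def cluster_by_prefix(resolutions, prefixlen=24):
    """Group domains by the IPv4 prefix they resolve into."""
    clusters = defaultdict(list)
    for domain, ip, _ in resolutions:
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        clusters[str(net)].append(domain)
    return dict(clusters)


def shared_prefixes(resolutions, prefixlen=24):
    """Prefixes hosting more than one of the domains, as (prefix, sorted domains),
    ordered by domain count descending, then by prefix string."""
    clusters = cluster_by_prefix(resolutions, prefixlen)
    shared = {n: sorted(d) for n, d in clusters.items() if len(d) > 1}
    return sorted(shared.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def looks_like_family_dga(domain, min_len=9):
    """Triage heuristic for this family: the second-level label is at least
    min_len letters and strictly alternates consonant, vowel, consonant, ...
    ('y' counted as a vowel). Every domain quoted in the post has this shape.
    Ordinary words can alternate too (e.g. 'banana'), so a hit is a pivot to
    investigate, not a verdict on its own."""
    label = domain.lower().split(".")[0]
    if len(label) < min_len or not label.isalpha():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(label))


if __name__ == "__main__":
    res = parse_resolutions(RESOLUTIONS)
    for prefix, domains in shared_prefixes(res):
        print(prefix, "->", ", ".join(domains))
    for domain, _, _ in res:
        print(f"{domain:22s} family-shaped={looks_like_family_dga(domain)}")
```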

The purpose of the malware? Seems to be just another Fake Anti-virus product. Here's the scan that kicked off:



After the scan, I was of course constantly reminded of the grave danger I was in:



First it did a GET for "1038000112" from "bogekizase.com" on 66.197.213.6.

All it got back from there was "OK."

Most of the interaction was from tibumuqel.com on 79.143.178.101.

tibumuqel.com was registered on July 15, 2011 using the contact info:


Ana Ivancic freon@cutemail.org
+385.20324535
Od Domina 5
Dubrovnik,Southern Dalmatia,HR 20000

Searching on her details will show that "Ana" has registered plenty of other malware domains as well, usually with different email addresses.

From the tibumuqel.com domain, we did a GET for "10380001124255461742", which was redirected to "buy.html".

That's also the box that my payment information was posted back to, although unfortunately, my credit card was declined. 8-(


That was my "purchase the fake AV product" screen, giving me my pricing options, and letting me know that this fake AV product was an SC Magazine 2011 award finalist!



What are our lessons learned?

Anti-virus can't protect you by itself, as evidenced by the 3 of 43 AV products that knew about this malware this morning. You need a robust security strategy that includes:

a. Being Smart about what you click on. (Start with CLICK ON NOTHING)
b. a web-reputation component (stopping traffic to bad websites)
c. a strong spam filter

My Friend’s Been Hacked!

by UAB's Director of Research in Computer Forensics on July 17, 2011

in SBN

Have you ever received an email like this?



Subject: RE: URGENT RESPOND NEEDED‏

Hello,
I am sorry I didn't inform you about my traveling to Europe for a program called Empowering Youth to Fight Racism,HIV/AIDS,and Lack of Education,the program is taking place in three major countries in Europe which are Dublin,Scotland and England,I am persently in England,London.

I misplaced my wallet on my way to the hotel where my money,and other valuable things were kept.I will like you to assist me with a soft loan urgently with the sum of $2,800 US Dollars to sort-out my hotel bills and get myself back home.

I will appreciate whatever you can afford to send the money today.i'll pay you back as soon as i return,Let me know if you can assist. please use this information to send the money to me.I wait your quickly respond



I posted a copy of that email on my blog in February of 2009 (See: Traveler Scams: Email Phishers Newest Scam). Since that time ALMOST EVERY DAY I receive an email from someone thanking me for my post and telling me that one of their friends seems to have fallen victim. Then they say "What do I do next?"

Normally I tell them they need to contact their friend and have their friend report to their email provider that they have had their password stolen.

Please note that this is DIFFERENT than just getting a weird email that says it came from a friend. In this traveler scam, if you reply to the email, the bad guy will often reply with personal information about you "that only your friend could know." That's because they are actually in your friend's email account reading emails from you to try to find a way to convince you to wire them money.

Another indicator that someone may have had their email hacked is when there are several people on the "To:" or "CC:" line that you know your friend knows. When spammers randomly forge a "from" address, it doesn't necessarily mean they have stolen your friend's password, but when SEVERAL of your friend's acquaintances are in the "To:" line, it means the criminal has access to your friend's address book or email messages.

Hotmail: My Friend's Been Hacked!


Microsoft has just announced this week a new way that you can help your friend (if both of you use hotmail.) Dick Craddock writes in the "Inside Windows Live" blog on July 14th, Hey! My Friend's Account Was Hacked! about a new feature that is being offered to hotmail and live.com customers.

With the new feature, when you are reading the offending email, you can pull down the "Mark As" menu and choose "My Friend's Been Hacked!":



When you take the time to mark the message like that, it sends a high-priority request to Microsoft to put this account "on hold." Now, there have to be some OTHER circumstances true as well; you can't use this just to cause trouble for people who annoy you, but when your report is combined with other factors about your friend's email usage -- such as sending an unusually high number of messages, or logging in from an IP in another country -- the account will be placed on hold.

That immediately stops the criminal from being able to use the account to send spam, AND lets your friend begin an Account Recovery Process the next time they try to log in.

Yahoo! and Gmail?


What if your friend doesn't use Hotmail?

Microsoft has now begun pushing the "My Friend's Been Hacked!" reports to Yahoo! and Gmail as well. So if YOU are a hotmail user and your hacked friend is using Yahoo! or Gmail, using the reporting mechanism on hotmail will still send an alert to Yahoo! or Google and let them know of the suspicious email you've received.

Hopefully this will become a new industry standard practice and we'll be able to send reports from any of our mail clients!

Here's some advice from other providers on what to do if a Friend seems to be compromised:

- Gmail: Report A Security Problem

- Google: How to Recover Your Email Account

- Facebook Security

- Yahoo! Account Helper

(If you have a suggestion of a better link, please let me know . . .)

FBI + Romanian DIICOT = 117 Search warrants and 100+ arrests

by UAB's Director of Research in Computer Forensics on July 15, 2011

in SBN

In one of the largest international cybercrime enforcement actions in history, the FBI and the Romanian DIICOT (Directorate for Investigating Infractions of Organized Crime and Terrorism) have performed at least 117 searches and arrested 21 in America and more than 90 in Romania.

All across Romania, scenes such as this were being conducted:







The Romanian news source that provided the photos above shared this quote from Adrian Hood, Chief Prosecutor of DIICOT, Craiova Territorial Service:

"Specifically, defendants are charged for activities from 2009 to 2011 involving posting notices of sale of fictitious, non-existent goods such as cars, motorcycles, boats, and electronics on e-commerce platforms such as www.eBay.com and www.craigslist.org through advertisements made with false information."

(See the Original story for the Romanian original of that quote.)

The FBI has issued a press release on the matter today, Organized Romanian Criminal Groups Targeted by DOJ and Romanian Law Enforcement.

The case centers on criminals in Romania who would post luxury items and vehicles for sale on Internet auction websites, such as eBay. They would then instruct the potential buyer that for safety of the transaction they would be using an escrow service and provide them instructions to wire the funds to the escrow service, rather than making their payment through the auction company. US-based co-conspirators would then go pick up the money from American bank accounts. These intermediaries are called "money mules" in the US, but in Romanian cybercrime parlance they are referred to as "arrows."

According to the FBI Press Release . . . "Since May 2010, the FBI and the U.S. Attorney’s Office for the Southern District of Florida have arrested and prosecuted numerous individuals from Romania, Moldova and the United States allegedly involved in this fraud scheme. Vadim Gherghelejiu, 29, of Moldova; Anatolie Bisericanu, 25, of Moldova; Jairo Osorno, 22, of Surfside, Fla.; Jason Eibinder, 22, of Sunny Isles Beach, Fla.; and Ciprian Jdera, 25, of Romania, have been convicted in the Southern District of Florida of conspiracy to commit wire fraud."

On February 22, 2010, a Miami court returned an indictment against "Pedro Pulido, 41, of Pembroke Pines, Fla.; Ivan Boris Barkovic, 19, of Sunny Isles Beach; Beand Dorsainville, 20, of North Miami Beach, Fla.; Sergiu Petrov, aka “Serogia,” 27, of Moldova; Oleg Virlan, 32, of Moldova; Marian Cristea, 22, of Romania; and Andrian Olarita, 26, of Moldova, with conspiracy to commit wire fraud and substantive counts of wire fraud. Pulido, Barkovic, Dorsainville and Olarita have pleaded guilty to conspiracy to commit wire fraud. Petrov, Virlan and Cristea remain at large and are considered fugitives."

Romanian news is buzzing today with news of many search warrants being issued all over Romania.

FBI Searches Romania - 20 million dollars stolen by hackers in eight countries

Photographers were present at many of today's Romanian arrests . . .

Here a dentist, Horace Balanescu, and his wife are being arrested in Bumbesti-Jiu Romania:



(photos from "adevarul.ro")

Romanian news says that there were more than 1,000 victims who collectively lost more than $20 million USD.

We'll have more details here in the near future . . .

Congratulations to all of the fine agents in Romania and the FBI who took part in this historic arrest, and to those at eBay and Craigslist and other companies who assisted with information.

A New Car! (or Zeus spam Campaign)

by UAB's Director of Research in Computer Forensics on June 25, 2011

in SBN

If you believe my email today, everyone is getting a new car but me.



There are actually many different spam message subjects that make up this campaign. Those like the one above use a random person's name in the subject line, like these:

Remember [name]?
It's [name]'s new car!
Saw new [name]'s car?
Do you remember [name]?

There were also quite a few "non-random" ones. Here's a sampling from yesterday's spam, when we received a total of more than 60,000 emails that are part of this malware distribution campaign:

count | subject
-------+------------------------------------
1398 | info
1389 | Hello
1357 | look
1344 | Hello!
1343 | Hi!
1341 | hello!
1333 | Look!
1328 | hello
1320 | hello.
1314 | Hello.
1305 | hey buddy!
1286 | hi buddy!
1282 | Hey!
590 | Is this your boyfriend?
580 | Do you remember me?
577 | Remember me?
549 | Is This Your Boyfriend?
539 | Is this your girlfriend bro?
538 | Is This Your Girl Bro?
533 | Is This Your Boy?
529 | Is this your boy?
507 | Is this your girl bro?
487 | Is This Your Girlfriend Bro?
482 | Is this your girlfriend buddy?
480 | Is This your Girlfriend?

Those numbers are the count of the email messages we received from that portion of the campaign that pretended to be related to LinkedIn. In the graphic above, you can see that the "From" address is on "live.com" and the "Reply-To" is on "linkedin.com". Actually neither one of those things was true.

Here are the actual mail headers (although I've redacted a couple things from this one):



In this image, the "fake" values are highlighted in green while the "real" values are highlighted in yellow. This email did NOT come from LinkedIn's IP 63.211.90.176. It really came from 173.200.78.57. (Many hundreds of IPs were used.)

We actually saw this same style of mail-header faking beginning last November, especially during a rampant USAA Phishing campaign where the destination websites were all on '.tk' domains. Although I didn't focus on that aspect in the story (instead we found the REAL sender IP addresses and wrote about those) it was partly because at the time I didn't understand how it was possible!
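The way to see through that kind of header faking is to remember that the only Received line you can vouch for is the one your own edge mail server wrote: everything below it was already in the message when it arrived, so the sender can make it say anything, including a Received line claiming the message passed through LinkedIn's IP. Here is an added example of that check, my own illustration and not code from this post or from the UAB lab. The two IP addresses are the ones named above (173.200.78.57 really connected; 63.211.90.176 is LinkedIn's, claimed in a forged line); the hostnames, dates and queue ids are invented, and our own servers use RFC 5737 documentation addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers described above. Newest Received
# line first; the last line was written by the spammer, not by LinkedIn.
SAMPLE = """\
Received: from mx1.corp.example (mx1.corp.example [192.0.2.10])
    by mailstore.corp.example with ESMTP id 4f3a; Fri, 24 Jun 2011 09:12:01 -0500
Received: from mail.live.com ([173.200.78.57])
    by mx1.corp.example with SMTP id 7b2c; Fri, 24 Jun 2011 09:12:00 -0500
Received: from mail.linkedin.com (mail.linkedin.com [63.211.90.176])
    by mail.live.com with ESMTP id 9e1d; Fri, 24 Jun 2011 09:11:58 -0500
From: Someone <someone@live.com>
Reply-To: updates@linkedin.com
To: victim@corp.example
Subject: Hello!

Saw the new car?
"""

# Hosts we operate (constructed): Received lines written "by" these are trusted.
OUR_HOSTS = {"mailstore.corp.example", "mx1.corp.example"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)


def received_hops(raw):
    """[(by_host, from_ip), ...] for each Received header, newest first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        by = BY_RE.search(flat)
        ip = IP_RE.search(flat)
        hops.append((by.group(1).lower() if by else None,
                     ip.group(1) if ip else None))
    return hops


def edge_index(hops, our_hosts=OUR_HOSTS):
    """Index of the Received line written by our outermost (edge) MX.

    Walk down from the newest line and stop at the first one not written by
    us. A forged line further down that claims to be "by" one of our hosts
    must not be trusted, so the walk never skips over a foreign line.
    """
    edge = None
    for i, (by, _ip) in enumerate(hops):
        if by not in our_hosts:
            break
        edge = i
    return edge


def true_sender_ip(raw, our_hosts=OUR_HOSTS):
    """The peer IP that actually connected to our edge MX, or None."""
    hops = received_hops(raw)
    edge = edge_index(hops, our_hosts)
    return None if edge is None else hops[edge][1]


def untrusted_hops(raw, our_hosts=OUR_HOSTS):
    """Received lines below our edge: the sender wrote these and can say anything."""
    hops = received_hops(raw)
    edge = edge_index(hops, our_hosts)
    return [] if edge is None else hops[edge + 1:]


def header_domain(raw, name):
    """Domain part of the address in the named header, lower-cased."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get(name, ""))[1]
    return addr.rpartition("@")[2].lower() or None


def reply_to_mismatch(raw):
    """True when From and Reply-To are in different domains, as in this campaign."""
    return header_domain(raw, "From") != header_domain(raw, "Reply-To")


if __name__ == "__main__":
    print("real sender:", true_sender_ip(SAMPLE))
    print("untrusted claims:", untrusted_hops(SAMPLE))
    print("From/Reply-To domains differ:", reply_to_mismatch(SAMPLE))
```

The set of trusted hostnames has to be your own; in a real deployment it comes from your mail gateway configuration, and the "real sender" is the IP to feed into blocklists or a reputation lookup, never an address taken from a lower Received line.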

All of the spam messages listed above, whether they are the "New Car" version or the "Is that Your Boyfriend?" or even the "Hello!" versions, have a common website location being advertised. They use random numbers in the hostname portion of the website address, but they all point to:

arcid_[RND#].oposumcruiser.com/arc/file/

That website looks like this:



UPDATE!!


I've received an update from my friend Steven Burn who runs the websites of Ur I.T. Mate Group. He pointed out to me that even if you don't download the .exe file from this page, you are still at risk just by visiting the site. There is an IFRAME hidden in the source code of the page that directs all visitors to load the Blackhole Exploit Kit from another location. As of this writing that other location is:

http://motorssmonito.com/forum.php?tp=778973f6b2977050

(Visit at your own risk - it WILL try to infect you! )

The excellent folks at UCSB's Wepawet project provide this decoding of the page:

Wepawet decode of the MotorSSMonito blackhole exploit kit

which shows all the little tricks it tries to use to infect you, including loading malicious .jar files, .pdf files, .avi files,


/End Update - Thank you, Mr. Burn!



One of the characteristics of the "Avalanche" botnet that we believed was associated with the USAA phish back in November was that the destination website is "Fast Flux" hosted -- meaning that the IP address is being constantly changed by modifying the nameserver to resolve the domain name to many different locations.

The first time I looked at this website, it was resolving to the IP address 112.71.69.76 in Japan. But when I asked the nameserver for its location, it gave back eight different IP addresses:

80.171.37.243
81.203.1.104
82.159.38.56
85.86.48.130
91.117.147.33
112.71.69.76
114.183.247.117
217.50.208.196

Only a few minutes later when I rechecked, I found the additional IP addresses:

83.213.31.242
90.168.201.126
95.125.232.109
212.225.173.8

all resolving the "oposumcruiser.com" random hostnames.

One of the many projects we have at the UAB Computer Forensics Research Lab is a Fast Flux tracker. Some of the other domains that are currently fluxing on this same space include perfectcheck2011.com, safeyourwork.net, personalsyscheck.com and safetylife2011.org which use the nameservers ns1.lonfd.net and ns1.cazonet.com. Most of those are autoforwarders for pharmaceutical websites such as sportsmedsrxpills.net which purports to be the "Canadian Health & Care Mall".
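The behaviour described above, an answer set that is large, scattered across unrelated networks, and growing from one lookup to the next, is what a fast-flux tracker scores on. The following is an added example of such scoring, my own illustration rather than the UAB tracker's code or anything from this post. Its sample data are the two answer sets listed above; the record TTL is not given in the post, so it is passed in as an assumed value, and the "stable" control set is constructed.

```python
import ipaddress

# Answer sets for the oposumcruiser.com hostnames, built from the IPs listed
# above: the eight returned on the first lookup, then those plus the four that
# had appeared a few minutes later.
FIRST_LOOKUP = {
    "80.171.37.243", "81.203.1.104", "82.159.38.56", "85.86.48.130",
    "91.117.147.33", "112.71.69.76", "114.183.247.117", "217.50.208.196",
}
SECOND_LOOKUP = FIRST_LOOKUP | {
    "83.213.31.242", "90.168.201.126", "95.125.232.109", "212.225.173.8",
}

# Constructed control: a conventionally hosted name answering from one /24.
STABLE_LOOKUPS = [{"192.0.2.10", "192.0.2.11"}, {"192.0.2.10", "192.0.2.11"}]


def network_diversity(ips, prefixlen=16):
    """Number of distinct /prefixlen networks the answers fall in.

    A content delivery network also returns many IPs, but they sit in the
    provider's own few blocks; flux nodes are compromised machines scattered
    across many consumer networks.
    """
    return len({ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
                for ip in ips})


def churn(previous, current):
    """Fraction of the current answer set that was not in the previous one."""
    if not current:
        return 0.0
    return len(set(current) - set(previous)) / len(current)


def flux_score(lookups, ttl):
    """Score successive answer sets for fast-flux behaviour.

    lookups: list of IP sets in observation order. ttl: record TTL in seconds
    (assumed; the post does not report it). Each heuristic adds one point
    and returns its reason; three or more points is called fast flux.
    """
    all_ips = set().union(*lookups)
    reasons = []
    if len(all_ips) >= 5:
        reasons.append(f"{len(all_ips)} distinct IPs")
    diversity = network_diversity(all_ips)
    if diversity >= 5:
        reasons.append(f"{diversity} distinct /16 networks")
    if any(churn(a, b) > 0 for a, b in zip(lookups, lookups[1:])):
        reasons.append("new IPs appeared between lookups")
    if ttl <= 300:
        reasons.append(f"TTL {ttl}s")
    return len(reasons), reasons


def is_fast_flux(lookups, ttl):
    return flux_score(lookups, ttl)[0] >= 3


if __name__ == "__main__":
    score, why = flux_score([FIRST_LOOKUP, SECOND_LOOKUP], ttl=300)
    print(score, why)
```

On the post's data the twelve addresses fall in twelve different /16s, so even without a TTL the name scores three of four and is called flux, while the two-address control scores nothing; the thresholds are deliberately simple and a production tracker would also watch the nameservers themselves, which in this case (ns1.lonfd.net, ns1.cazonet.com) are shared with the pharmacy domains named above.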

The fake website offers you a download as an executable file, "archive.exe".

According to the AV products on the VirusTotal website, this is either the Zbot trojan (commonly known as Zeus) or Kazy.



(Click the image to go to the VirusTotal Report for this malware.)

MD5: a653ef80a47f5ec646a2ce0fdbc1068d

Trojan-Spy.Win32.Zbot.buax, Gen:Variant.Kazy.28222, Win32/Spy.Zbot.YW, Trojan/Win32.Zbot

I put the malware in our Malware Analysis VM and watched to see what it would do.

The version of the malware that I self-infected with made DNS calls for the following domains, many of which have not yet been registered.

lrnsxmztnqiomiq.com
rqnorekziuhmsxr.biz
rqnorekziuhmsxr.org
vlolhmcjlpqntm.net
vlolhmcjlpqntm.com
zqpyuykzovrsjw.info
zqpyuykzovrsjw.biz
wzmkrojrutomsg.net
wzmkrojrutomsg.org
nnpgpskekyrtyoq.info
nnpgpskekyrtyoq.com
stqbbjuqsoefcpcq.biz
stqbbjuqsoefcpcq.com
xljpkdlnzniocjpu.info

It also modified many registry keys, primarily related to Outlook Express, which means there was probably going to be some spamming going on if I left the infection up.

The only one of these I can tell that WAS registered was here . . . using a privacy service.

Domain Name: LRNSXMZTNQIOMIQ.COM

Administrative Contact:
Reinecker, Beverly ap9cm76v4sv@nameprivacy.com
ATTN:
P.O. Box 430 c/o NameSecure
Herndon, VA 20171-430
US
570-708-8782


When it was live, it was hosted on 72.249.171.121.

Also seen on that IP, according to bfk.de, are:

www.realgirlfights.org CNAME realgirlfights.org
lrnsxmztnqiomiq.com A 72.249.171.121
wqonlrwkuswjzmm.net A 72.249.171.121
lmnqnxypfulhgxo.biz A 72.249.171.121
kmxpiylvojgjcus.biz A 72.249.171.121

That IP is Colo4Dallas LP (AS36024) in Dallas, Texas.

Steven Burn provided the following list of related domains, as well as the path which hosts their respective badness. Again, please don't follow these links unless you are a malware researcher in a safe environment.

cgywgtcwpngrzgk.net/news/?s=195341
cpgfkybtkljjwvsk.org/news/?s=195341
futplqwsqqiopntn.com/news/?s=195341
ijqrqinymhjsvr.net/news/?s=195341
imwftfprsbxzgiy.info/news/?s=195341
iruwoekurjzrpko.biz/news/?s=195341
jptptmlpqnzdnpl.biz/news/?s=195341
jtpknvosaiwoxqs.info/news/?s=195341
jwqqrkosoqqglvpk.biz/news/?s=195341
jxatmxeojvhwhvd.com/news/?s=195341
ktznowypsmswqtjl.net/news/?s=195341
kxzjfqomtyjhhhzr.com/news/?s=195341
lhourmoptjoejd.info/news/?s=195341
lqwryghqqpiujsp.com/news/?s=195341
mjeqpkukusnkkhtm.info/news/?s=195341
mpwpxgmpjqkrpfzd.biz/news/?s=195341
mrjuqpqqzqikin.org/news/?s=195341
nfumumsidtqtynr.com/news/?s=195341
oopmeozgtsxerenn.com/news/?s=195341
orelrxnwtuiuplhn.biz/news/?s=195341
ounwukdlrpflento.com/news/?s=195341
pluufpyllzrqpnot.com/news/?s=195341
ppjjvmomiiwtkyn.com/news/?s=195341
prminhfvfmsckzjw.info/news/?s=195341
psiscguokswppvys.biz/news/?s=195341
pxcoprkgsoeyoiej.info/news/?s=195341
quujzvhhutfvtlq.info/news/?s=195341
rcjemwpzhygppmuo.net/news/?s=195341
rggfymzrkzpnpsjl.com/news/?s=195341
rheovalxkdmspe.net/news/?s=195341
rhtjdemtypbpow.com/news/?s=195341
rnosovkotqwbk.info/news/?s=195341
rpjrewwqsditwtky.org/news/?s=195341
rwfstvftrzwwtjxu.info/news/?s=195341
rxtrpjvcuikyipt.net/news/?s=195341
sklyzjonvkikpjt.org/news/?s=195341
soilvjyksytnfp.net/news/?s=195341
ssmkoqkrgimsnwe.com/news/?s=195341
tjtoehpzjmtnigs.net/news/?s=195341
ttzoxhbzvgpijlwk.biz/news/?s=195341
twsrnyyfnvrqhht.org/news/?s=195341
ydvkmqunnnnwqop.info/news/?s=195341
yjlmfeinqhupvtnh.info/news/?s=195341
yphxjkymmnqynogh.com/news/?s=195341