Sponsored by..

Friday, 27 April 2007

"Emirates Industrial Filters LLC" spam

Another baffling spam from the UAE, this time advertising industrial filters. Attached to this spam is a whooping 970KB of attachments covering pictures of.. well, industrial filters. Or perhaps femidoms. It's hard to say.

Dear Sirs,

Below are the details of our product range.

We are an ISO 9001:2000 certified manufacturer of Industrial Filter bags for solid and liquid filtration & separation for either process or environmental industrial applications.

Please look us up if you have any filtration requirements.

Please scroll down for more information and images.

Sincerely,


Emad El-Sakka
Emirates Industrial Filters LLC
eif@eim.ae
Tel: +971 6 743 7093
Fax: +971 6 743 7094
P.O. Box: 2365
Ajman
Unites Arab Emirates


And they didn't just send this spam once, but dozens of times. Looking at the spam, it seems to be part of a directory harversting attack (DHAs) which was blocked automatically. In my book,
DHAs are an attempt to disrupt computer systems and would be illegal in many countries. Connect IP was 213.42.1.90 which is a fairly active one according to NANAS.

So, Emirates Industrial Filters LLC - you're a bunch of evil spammers and I can't see why anyone would want to do business with you.

Wednesday, 25 April 2007

BAT/IRCFlood false positive in change.log.2

I've been seeing a few false positives caused by the CA-VET virus scanner used in ZoneAlarm, CA eTrust and the CA ITM products (probably some others too) as follows:

[time 25/04/2007 15:08:22: ID 14: machine xxxxx.xxxxx: response 25/04/2007 15:09:13] The BAT/IRCFlood was detected in C:\SYSTEM VOLUME INF...\CHANGE.LOG.2. Machine: XXXXX, User: NT AUTHORITY\SYSTEM. File Status: Cure failed, file renamed.

This is just a log file that's part of the Windows XP system restore feature - the files are held in C:\System Volume Information in a folder to which users don't usually have access.

I'm pretty convinced this isn't a virus - it's just a log file - and I even ran it through VirusTotal which found nothing at all. I've contacted CA about it to see what they think.. we'll see.

In the meantime, if the antivirus alert is bugging you, you can delete the log file from your System Volume Information folder at your own risk. You will need to change permissions on the folder to do this (see this MS Technet article) and then drill down and delete the individual file in question. Like I said.. do this at your own risk!

Tuesday, 24 April 2007

Malware via AdWords


A typical approach to spreading malware is to hack a site and then inject an IFRAME pointing towards some obfuscated Javascript that then eventually connects to a site with an exploit.

From the point of view of an attacker, this is fine. But what if the natural traffic for the site isn't enough?

Here's one I came across today with a completely new twist.

In this particular case, our antivirus software came up with an alert for what appeared to be some variant of the JS/Petch trojan. The machine didn't appear to be infected, but I investigated further. (Just to be clear, it wasn't my machine!)

An analysis of the machine indicated that this particular user had been doing some fairly innocent lunchtime surfing looking for a particular product.. let's say widgets.

In this case, the user went to Google and search for "widgets" and got the usual load of search results complete with a set of ads along the top and down the side - normal Google AdWords ads. This user then clicked on the top ad apparently promiting a company that we will call widgetsgb.com.. which is where is gets interesting.

Instead of being taken to widgetsgb.com, Google directed the visitor to another site. This in itself is not unusual, sometimes different domains are used for tracking or whatever. However, in this case the site was completely unrelated.. say notwidgetsatall.co.uk in which was buried an exact copy of the front page of widgetsgb.com. So the front page of notwidgetsatall.co.uk looked completely normal, but in a subdirectory notwidgetsatall.co.uk/widgets was an exact copy of the other site.

Well, not an exact copy precisely. This version had some IFRAME goodness pointing to an IP in Germany which had the obfuscated javascript pointing elsewhere. It doesn't really matter where.

What was interesting about this whole thing was that the user had clicked on a paid ad rather then a natural search result. Which means that somebody had to pay for the click... and by the looks of things that somebody had to pay a respectable amount to get the number one position. Of course, the bad guys never pay for anything as it would be uneconomic for them, so the indications are that they were using a hacked AdWords account.

What is strange about this whole thing is the amount of effort that the bad guys put into this.. they targetted a niche site without an awful lot of traffic, made a duplicate and then set up an advertising campaign to drive what was presumably not an awful lot of clicks to their IFRAME.

I guess the AdWords account was picked up with a keylogger installed on another hacked machine. It's the first time I've seen AdWords used in this way, but it shows that the bad guys can squeeze the value out of just about anything.

Monday, 23 April 2007

Al Mustajer Real Estate - Stupid, stupid criminal spammers


It's been a little while since I've seen a spammer as stupid as Al Mustajer Real Estate who decided to hit me with 500 750kb word documents before my host blocked them.. a stonking 375mb or so of spam. But then their company logo does seem to
feature a penis shaped building, which perhaps says a lot.

Criminal spam? Well, yes, this comes from 67.19.27.226 (resolving to srv2.egraphics.ae) in the US (ThePlanet.com) so this spam is non CAN-SPAM compliant. Also that much
mail effectively constitutes a mail bomb which is also an illegal denial of service attack.

Actually there are two spam messages in this run, the largest of which is an introduction to this dubious firm.

Company Profile
AL MUSTAJER REAL ESTATE


Al Mustajer Real Estate established with a view to display an
enduring property in Dubai and within Emirates. The Company has a
dedicated team of Professionals with immense international
experience in real estate business. Our Company is part of the
growing Al Mahdy Group of Companies such as:
• Said Al Mahdy General Trading
• FILCO General Trading
• Tartoub International Massage Centre

As part of this prestigious Company, our main objective is to conduct at
all times business with utmost good faith, integrity and to maintain the
highest standards of expertise, ethics and financial security. Our sales
executives offer dedicated and incessant attention to every client during
their consultation visits. We maintain international professional standard
and provide consistency in service.
Our sales focus is long ranging- we are interested in establishing
enduring relationships of growth and development with our clients. We are
offering the following products:
• Buying Properties
• Selling Properties
• Leasing & Managing Properties
We have already built and become a bench-mark in managing properties
within Emirates:
• AL QUOZ
• AL MUHEISNAH 2
• JEBEL ALI
• MIRDIF
• JUMEIRAH / UMM SUQUEEM
• AL MIZHER
• DEIRA
• BUR DUBAI
• SHARJAH

Abdul Hakeem
Office Manager
050-7568844

The foooter information reads:

PO Box 39121 Dubai, UAE
+971 50 3787819
+971 4 3937709
+971 4 3937798

Al MUSTAJER Real Estate.
Visit us www.almustajer.com / www.supermobawab.com



info@almustajer.com
www.almustajer.com

Both almustajer.com and supermobawab.com appear to be parked.

The second spam is a Word Document promoting "labour camps". I don't know if they say "Arbeit Macht Frei" on them or not. Quite why this spammer thinks that I'm interested, I don't know. The document itself looks like it has been created by a five year old.



GREAT OFFER

(1) LABOUR CAMP AVAILABLE IN
AL QUOZ
FLEXIBLE PAY MENT MODE, CHEAP PRICE,
GOOD LOCATION

(2)LABOUR CAMP AVAILABLE IN
SONAPUR

FLEXIBLE PAY MENT MODE,CHEAP PRICE,GOOD LOCATION
(3)FULLY FURNISHED VILLA IN JUMEIRAH
AVAILABLE FOR RENT

DAILY, WEEKLY, MONTHLY AND YEARLY RENTL BASIS.

(4)FLAT FOR SALE IN SHARJAH, 1B,2B.

GOOD PRICE, GOOD LOCATION, EXCELLENT PAY MENT MODE.

CALL: 050-3787664
04-3937709



The spam appears to come from JUDE@SMN-ONE.NET which tallies with the sending IP address. The same email appears in the properties of the Word documents, although
in a typical spammer fashion (i.e. "stupid") he also gets confused and
mis-types it as jude@msn-one.net.

Possibly the most stupid spammer I've seen this year.

Tuesday, 3 April 2007

ASUS.com web site, infected with .ANI exploit?

I'm investigating a suspect file called BMW3.PIG which appears to have originated from the asus.com website, it's some sort of .ANI exploit. Can't quite see where it is on the site though.

[time 03/04/2007 10:08:22: ID 14: machine [munged]: response 03/04/2007 10:09:06] The Win32/MSA-935423!exploit was detected in C:\DOCUMENTS AND SE...\BMW3[1].PIG. Machine: [munged], User: System. File Status: Cure failed, file renamed.


It appears that the culprit is an IFRAME hidden on asus.com.tw pointing to http://www[dot]ipqwe[dot]com/app/helptop.do?id=ad003 which is hosted on 222.73.247.123 in China, along with the following websites (which are probably all malware related)

  • Ipqwe.com
  • Mumy8.com
  • Ok8vs.com
  • Okvs8.com
  • P5ip.com
  • Plmq.com
  • Y8ne.com
  • Yyc8.com

I wouldn't advise visiting any of those on a Windows-based PC by the way. I can't manage to deobfuscate the javascript on the other end, but blocking the above sites would be a good way of stopping this particular attack vector.

Monday, 2 April 2007

easyhost.be spam


I really hate web hosts that spam, and easyhost.be is yet another one sending to scraped addresses, with the usual lie "You have received this email because you are subscribed with.." blah blah blah.

Using SpamCop to LART easyhost.be on 195.95.2.123 just sends the abuse report to the spammer, info@easyhost.be. Upstream provider is a firm called scarlet.be who are located in a nearby building, so if you get spam from easyhost.be, try reporting to ronny.schouteden -at- Scarlet.biz

Another telltale sign of spamming is the line that says "Dear,".. dear who? If I'd have subscribed to the spam list I feel certain that I would have remembered to fill in my name.

Dear,

EasyHost has made partnerships with several Antivirus providers.

Starting from today we can offer several Home/SMB/Enterprise Antivirus solutions.
To celebrate our partnerships we have made a special webhosting promotion.

1. With every NEW LINUX hosting package you buy from 01/04/2007 until 30/04/2007 you get a 1 Year FREE AVG 7.5 Antivirus package.

2. With every NEW WINDOWS hosting package you buy from 01/04/2007 until 30/04/2007 you get a 1 Year FREE Kaspersky 6.0 Antivirus package.

Order you webhosting today at http://www.easyhost.be

If you want to buy other Antivirus solutions please contact us at sales@easyhost.be



Each day, more and more people are discovering that EasyHost domain names provide greater value, more features, are easier to manage and are backed by a readily available, knowledgeable support team. If you are already a domain reseller, and have all advantages of the easy control panel and live registrations, please contact us before ordering.

*Pricing ex 21% VAT and first year only

Best Regards,

EasyHost Sales
sales@easyhost.be
http://www.easyhost.be

195.95.2.0 - 195.95.2.255 is the range to block. I can't imagine that you'd want to get mail from some Belgian spam outfit.