
Tuesday, 24 April 2007

Malware via AdWords


A typical approach to spreading malware is to hack a site and then inject an IFRAME pointing towards some obfuscated Javascript that then eventually connects to a site with an exploit.

From the point of view of an attacker, this is fine. But what if the natural traffic for the site isn't enough?

Here's one I came across today with a completely new twist.

In this particular case, our antivirus software came up with an alert for what appeared to be some variant of the JS/Petch trojan. The machine didn't appear to be infected, but I investigated further. (Just to be clear, it wasn't my machine!)

An analysis of the machine indicated that this particular user had been doing some fairly innocent lunchtime surfing looking for a particular product.. let's say widgets.

In this case, the user went to Google and searched for "widgets" and got the usual load of search results complete with a set of ads along the top and down the side - normal Google AdWords ads. This user then clicked on the top ad, apparently promoting a company that we will call widgetsgb.com.. which is where it gets interesting.

Instead of being taken to widgetsgb.com, Google directed the visitor to another site. This in itself is not unusual, sometimes different domains are used for tracking or whatever. However, in this case the site was completely unrelated.. say notwidgetsatall.co.uk in which was buried an exact copy of the front page of widgetsgb.com. So the front page of notwidgetsatall.co.uk looked completely normal, but in a subdirectory notwidgetsatall.co.uk/widgets was an exact copy of the other site.

Well, not an exact copy precisely. This version had some IFRAME goodness pointing to an IP in Germany which had the obfuscated javascript pointing elsewhere. It doesn't really matter where.

What was interesting about this whole thing was that the user had clicked on a paid ad rather than a natural search result. Which means that somebody had to pay for the click... and by the looks of things that somebody had to pay a respectable amount to get the number one position. Of course, the bad guys never pay for anything as it would be uneconomic for them, so the indications are that they were using a hacked AdWords account.

What is strange about this whole thing is the amount of effort that the bad guys put into this.. they targeted a niche site without an awful lot of traffic, made a duplicate and then set up an advertising campaign to drive what was presumably not an awful lot of clicks to their IFRAME.

I guess the AdWords account was picked up with a keylogger installed on another hacked machine. It's the first time I've seen AdWords used in this way, but it shows that the bad guys can squeeze the value out of just about anything.

Monday, 23 April 2007

Al Mustajer Real Estate - Stupid, stupid criminal spammers


It's been a little while since I've seen a spammer as stupid as Al Mustajer Real Estate, who decided to hit me with 500 750KB Word documents before my host blocked them.. a stonking 375MB or so of spam. But then their company logo does seem to feature a penis-shaped building, which perhaps says a lot.

Criminal spam? Well, yes. This comes from 67.19.27.226 (resolving to srv2.egraphics.ae) in the US (ThePlanet.com), so this spam is not CAN-SPAM compliant. Also, that much mail effectively constitutes a mail bomb, which is also an illegal denial of service attack.

Actually there are two spam messages in this run, the largest of which is an introduction to this dubious firm.

Company Profile
AL MUSTAJER REAL ESTATE


Al Mustajer Real Estate established with a view to display an
enduring property in Dubai and within Emirates. The Company has a
dedicated team of Professionals with immense international
experience in real estate business. Our Company is part of the
growing Al Mahdy Group of Companies such as:
• Said Al Mahdy General Trading
• FILCO General Trading
• Tartoub International Massage Centre

As part of this prestigious Company, our main objective is to conduct at
all times business with utmost good faith, integrity and to maintain the
highest standards of expertise, ethics and financial security. Our sales
executives offer dedicated and incessant attention to every client during
their consultation visits. We maintain international professional standard
and provide consistency in service.
Our sales focus is long ranging- we are interested in establishing
enduring relationships of growth and development with our clients. We are
offering the following products:
• Buying Properties
• Selling Properties
• Leasing & Managing Properties
We have already built and become a bench-mark in managing properties
within Emirates:
• AL QUOZ
• AL MUHEISNAH 2
• JEBEL ALI
• MIRDIF
• JUMEIRAH / UMM SUQUEEM
• AL MIZHER
• DEIRA
• BUR DUBAI
• SHARJAH

Abdul Hakeem
Office Manager
050-7568844

The footer information reads:

PO Box 39121 Dubai, UAE
+971 50 3787819
+971 4 3937709
+971 4 3937798

Al MUSTAJER Real Estate.
Visit us www.almustajer.com / www.supermobawab.com



info@almustajer.com
www.almustajer.com

Both almustajer.com and supermobawab.com appear to be parked.

The second spam is a Word Document promoting "labour camps". I don't know if they say "Arbeit Macht Frei" on them or not. Quite why this spammer thinks that I'm interested, I don't know. The document itself looks like it has been created by a five year old.



GREAT OFFER

(1) LABOUR CAMP AVAILABLE IN
AL QUOZ
FLEXIBLE PAY MENT MODE, CHEAP PRICE,
GOOD LOCATION

(2)LABOUR CAMP AVAILABLE IN
SONAPUR

FLEXIBLE PAY MENT MODE,CHEAP PRICE,GOOD LOCATION
(3)FULLY FURNISHED VILLA IN JUMEIRAH
AVAILABLE FOR RENT

DAILY, WEEKLY, MONTHLY AND YEARLY RENTL BASIS.

(4)FLAT FOR SALE IN SHARJAH, 1B,2B.

GOOD PRICE, GOOD LOCATION, EXCELLENT PAY MENT MODE.

CALL: 050-3787664
04-3937709



The spam appears to come from JUDE@SMN-ONE.NET, which tallies with the sending IP address. The same email address appears in the properties of the Word documents, although in typical spammer fashion (i.e. "stupid") he also gets confused and mis-types it as jude@msn-one.net.

Possibly the most stupid spammer I've seen this year.

Tuesday, 3 April 2007

ASUS.com web site, infected with .ANI exploit?

I'm investigating a suspect file called BMW3.PIG which appears to have originated from the asus.com website; it's some sort of .ANI exploit. I can't quite see where it is on the site though.

[time 03/04/2007 10:08:22: ID 14: machine [munged]: response 03/04/2007 10:09:06] The Win32/MSA-935423!exploit was detected in C:\DOCUMENTS AND SE...\BMW3[1].PIG. Machine: [munged], User: System. File Status: Cure failed, file renamed.


It appears that the culprit is an IFRAME hidden on asus.com.tw pointing to http://www[dot]ipqwe[dot]com/app/helptop.do?id=ad003, which is hosted on 222.73.247.123 in China along with the following websites (which are probably all malware related):

  • Ipqwe.com
  • Mumy8.com
  • Ok8vs.com
  • Okvs8.com
  • P5ip.com
  • Plmq.com
  • Y8ne.com
  • Yyc8.com

I wouldn't advise visiting any of those on a Windows-based PC, by the way. I haven't managed to deobfuscate the javascript on the other end, but blocking the above sites would be a good way of stopping this particular attack vector.
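As an added defender-side example (my illustration, not code from the original post), here is a small Python scanner that puts the blocking advice above to work on fetched HTML: it lists every IFRAME on a page and flags those whose source is on the blocklist (subdomains included), points at a bare IP address as in the AdWords case earlier on this page, leaves the site, or is sized to be invisible. The blocklist is the one from the post; the sample HTML and the 192.0.2.10 address are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# The domains the post recommends blocking (all on the same Chinese host).
BLOCKLIST = {"ipqwe.com", "mumy8.com", "ok8vs.com", "okvs8.com",
             "p5ip.com", "plmq.com", "y8ne.com", "yyc8.com"}

def host_blocked(host, blocklist=BLOCKLIST):
    """True for a listed domain or any subdomain of one (www.ipqwe.com etc.)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)

def host_is_ip(host):
    """Bare-IP frame targets, as in the AdWords case, deserve a second look."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_tiny(attrs):
    """0/1-pixel frames are the classic way to hide an injected IFRAME."""
    def px(value):
        try:
            return int(value.strip().rstrip("px") or "0")
        except ValueError:
            return None          # e.g. "100%": not a pixel size, don't judge it
    w, h = px(attrs.get("width", "")), px(attrs.get("height", ""))
    return (w is not None and w <= 1) or (h is not None and h <= 1)

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag on the page."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def scan_html(html, page_host, blocklist=BLOCKLIST):
    """Return [(src, [reasons])] for every IFRAME that looks suspicious."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host_blocked(host, blocklist):
            reasons.append("blocklisted host")
        if host_is_ip(host):
            reasons.append("raw IP address")
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("off-site frame")
        if is_tiny(frame):
            reasons.append("hidden-size frame")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed page modelled on the asus.com.tw case; 192.0.2.10 is a
# documentation-range address standing in for the "IP in Germany" above.
SAMPLE_HTML = """<html><body><h1>Products</h1>
<iframe src="http://www.asus.com.tw/news.htm" width="600" height="400"></iframe>
<iframe src="http://www.ipqwe.com/app/helptop.do?id=ad003" width="0" height="0"></iframe>
<iframe src="http://192.0.2.10/x.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in scan_html(SAMPLE_HTML, "asus.com.tw"):
        print(src, "->", ", ".join(why))
```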

Monday, 2 April 2007

easyhost.be spam


I really hate web hosts that spam, and easyhost.be is yet another one sending to scraped addresses, with the usual lie "You have received this email because you are subscribed with.." blah blah blah.

Using SpamCop to LART easyhost.be on 195.95.2.123 just sends the abuse report to the spammer, info@easyhost.be. Upstream provider is a firm called scarlet.be who are located in a nearby building, so if you get spam from easyhost.be, try reporting to ronny.schouteden -at- Scarlet.biz

Another telltale sign of spamming is the line that says "Dear,".. dear who? If I had subscribed to the spam list I feel certain that I would have remembered to fill in my name.

Dear,

EasyHost has made partnerships with several Antivirus providers.

Starting from today we can offer several Home/SMB/Enterprise Antivirus solutions.
To celebrate our partnerships we have made a special webhosting promotion.

1. With every NEW LINUX hosting package you buy from 01/04/2007 until 30/04/2007 you get a 1 Year FREE AVG 7.5 Antivirus package.

2. With every NEW WINDOWS hosting package you buy from 01/04/2007 until 30/04/2007 you get a 1 Year FREE Kaspersky 6.0 Antivirus package.

Order your webhosting today at http://www.easyhost.be

If you want to buy other Antivirus solutions please contact us at sales@easyhost.be



Each day, more and more people are discovering that EasyHost domain names provide greater value, more features, are easier to manage and are backed by a readily available, knowledgeable support team. If you are already a domain reseller, and have all advantages of the easy control panel and live registrations, please contact us before ordering.

*Pricing ex 21% VAT and first year only

Best Regards,

EasyHost Sales
sales@easyhost.be
http://www.easyhost.be

195.95.2.0 - 195.95.2.255 is the range to block. I can't imagine that you'd want to get mail from some Belgian spam outfit.

Thursday, 29 March 2007

"Internet Explorer 7 Downloads" - IE7.0.exe


Another bit of malware this time masquerading as a terse email message to encourage the downloading of a fake version of IE7. It's a simple graphic pointing to an executable called IE7.0.exe - it looks like the graphic and executable are hosted on compromised Apache servers.

VirusTotal indicates that detection is a bit thin at the moment.



Antivirus          Version         Update      Result
AhnLab-V3          2007.3.30.0     03.29.2007  no virus found
AntiVir            7.3.1.46        03.29.2007  TR/Proxy.Agent.CL
Authentium         4.93.8          03.29.2007  no virus found
Avast              4.7.936.0       03.29.2007  no virus found
AVG                7.5.0.447       03.29.2007  no virus found
BitDefender        7.2             03.29.2007  no virus found
CAT-QuickHeal      9.00            03.29.2007  (Suspicious) - DNAScan
ClamAV             devel-20070312  03.29.2007  no virus found
DrWeb              4.33            03.29.2007  no virus found
eSafe              7.0.15.0        03.29.2007  no virus found
eTrust-Vet         30.6.3522       03.29.2007  no virus found
Ewido              4.0             03.29.2007  no virus found
FileAdvisor        1               03.29.2007  no virus found
Fortinet           2.85.0.0        03.29.2007  suspicious
F-Prot             4.3.1.45        03.28.2007  no virus found
F-Secure           6.70.13030.0    03.29.2007  Virus.Win32.Grum.a
Ikarus             T3.1.1.3        03.29.2007  no virus found
Kaspersky          4.0.2.24        03.29.2007  Virus.Win32.Grum.a
McAfee             4995            03.29.2007  no virus found
Microsoft          1.2306          03.29.2007  no virus found
NOD32v2            2154            03.29.2007  no virus found
Norman             5.80.02         03.29.2007  no virus found
Panda              9.0.0.4         03.29.2007  Suspicious file
Prevx1             V2              03.29.2007  Covert.Sys.Exec
Sophos             4.16.0          03.29.2007  no virus found
Sunbelt            2.2.907.0       03.29.2007  VIPRE.Suspicious
Symantec           10              03.29.2007  Trojan Horse
TheHacker          6.1.6.080       03.23.2007  no virus found
UNA                1.83            03.16.2007  no virus found
VBA32              3.11.3          03.29.2007  suspected of Trojan-PSW.Pinch.1 (paranoid heuristics)
VirusBuster        4.3.7:9         03.29.2007  no virus found
Webwasher-Gateway  6.0.1           03.29.2007  Trojan.Proxy.Agent.CL

Wednesday, 28 March 2007

"The system is not fully installed": Windows XP, WMP 11 and Sysprep


Kudos to lizardking009 for this post at the 2cpu.com forums.

After using Sysprep to prepare a new Windows XP build for distribution to some Dell laptops, I got a message saying The system is not fully installed when trying to restart the machine.

It turns out that this is due to the presence of Windows Media Player 11, which screws up the Sysprep process somehow. I can't say that I'm a big fan of this DRM-laden stuff, but generally speaking you always load the latest version of everything before resealing the machine to take an image from it.

Microsoft have this knowledgebase article showing how to recover from the problem, although I discovered that this does not work very well on machines that have already been built from a Sysprep (such as Dells). If you're working in a reasonably well equipped environment with another XP machine and a suitable external USB drive enclosure then it's probably easier to edit the registry on the affected PC's hard disk by plugging it into the USB port of another machine, i.e.:

  • Load REGEDIT
  • Select HKEY_USERS
  • Go into File.. Load Hive..
  • Browse to the \WINDOWS\System32\Config\System file on the USB connected drive
  • Name the hive "system" or whatever you like
  • Find the Setup key on the newly loaded hive and locate SystemSetupInProgress.
  • Change the data from 1 to 0.
  • Unload the Hive

Then, once the hard disk is reinserted into the original machine, bring it up in Safe Mode, deinstall Windows Media Player 11 and reboot. This should start the setup process (you can choose to take an image at this point, if you wish).

Monday, 26 March 2007

Fake "BlueMountains Greetings" message with a trojan


Fake greetings cards are a common way of spreading trojans, and this latest Fake Bluemountain.com Email is a case in point.

The message looks similar to the following one:

From: BlueMountains Greetings <greetings@BlueMountain.com>
Subject: You just received an Electronic Greeting.

Hello,
you just received an electronic greeting from a friend !

To view your eCard, please click on the following link :

http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999

(Your postcard will be available for 60 days.)

If you have any comments or questions, please visit http://www.bluemountain.com/customer/emailus.pd?source=bma999

Thanks for using BlueMountain.com.


In fact, the links actually lead to bluemountains.kokocards.com (do not visit this site). A more detailed writeup can be found here.

There's very little need to accept this type of "greetings card" into corporate environments, and this seems to be a common vector for malware attacks.

If you use Postini, you can create a custom content filter:
  • Select Match Any
  • Sender | contains | bluemountain.com
  • Body | contains | kokocards.com
  • Body | contains | bluemountain.com
  • Set message disposition to Quarantine Redirect
  • Don't forget to copy it to sub-orgs if you need to!

Saturday, 3 March 2007

Lunar Eclipse



Clear skies and not too chilly, and the best lunar eclipse in years. This one was taken at about 2230 GMT.

Thursday, 8 February 2007

Frozen Roadster II

Big fat tyres + only 800kg in weight = no traction.

Couldn't even get the Roadie out of the drive this morning on the snow! Fortunately, Mrs Dynamoo's rather heavier Rover 25 did.

Still, it's funny seeing all those people who've spent a fortune on BMW X5s and X3s discover that they've got all the offroad capabilities of a milk float in this weather. :)

Snow... brrrr...

As the country grinds to a halt under a few inches of snow (that have been predicted for a couple of days), here are some pictures of Elstow Village in Bedfordshire. Snow.. in winter.. who would have guessed it?






Wednesday, 7 February 2007

Frozen Roadster


A chilly minus eight degrees overnight.. and a tricky problem for my Smart Roadster. After opening the passenger door, the darned thing just wouldn't shut properly.

Now, the Roadster has a design fault in the door where (I understand) there is a pin holding in part of the mechanism which is basically mounted upside down, and this drops out, which means that the door cannot be opened from the inside. Smart's first fix for this was to glue the pin in.. but of course, the pin will still work loose eventually and has a tendency to drop out again. I mention this because Smart's measly 2 year warranty would mean that this might end up as an expensive repair.

The problem was simpler than that - it looks like the very cold weather had frozen the mechanism in place after it opened. About three buckets of warm water over the door unfroze the mechanism and it started working properly. This led to another problem.. a clean bit of the car. So, the Roadster ended up with an early morning bath (as pictured).

The next problem is how to deal with the threatened six inches of snow in a car with only about four inches of ground clearance..

Friday, 26 January 2007

One Invalid Recipient..

In my opinion, one of the great underappreciated Microsoft Knowledgebase articles is KB147093 which explains one of those mysteries you see with Exchange servers from time-to-time.

The symptom is this - a remote sender transmits a message to multiple recipients on your Exchange server, but one or more of the recipients is incorrect. This causes the mail transaction to fail and NO recipients get the message.

Although KB147093 refers to X400, in fact this is the behaviour that you'll see on an Exchange 5.5 Internet Mail Connector, and it works with other SMTP-based mail servers too.

The problem is this - when sending to multiple recipients at one remote domain, the software at the sender's end will make a single connection to the remote mail servers.. and it's an all-or-nothing proposition.

The problem is compounded if you suppress NDRs (nondelivery reports) to the internet, because a remote sender will never receive a bounce message to say that the mail transaction failed. In these circumstances, it can take some time to work out that there's a problem at all.. but in this case you need to carefully check the recipient list for invalid users and remove them.

Now, if you have NDRs enabled, the problem will probably be spotted much sooner. But these days a lot of organisations turn them off, especially if they are the targets of mass spamming or directory harvesting attacks. It's one of those cases where the current levels of spam have unexpected adverse impacts on infrastructure.
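To make the all-or-nothing behaviour concrete, here is an added Python simulation (my illustration, not code from the original post or from Microsoft) of the SMTP envelope for a multi-recipient message: a toy receiver that, like the setup described above, accepts every RCPT TO and only discovers the bad recipient afterwards, with NDRs on and off, compared with a receiver that validates recipients during RCPT TO. The directory and addresses are constructed.

```python
# Constructed local directory of the receiving (Exchange-like) server.
DIRECTORY = {"alice@example.com", "bob@example.com"}

class ToyReceiver:
    """Receiving MTA. validate_at_rcpt=False mimics accept-now, check-later;
    send_ndrs=False mimics suppressing non-delivery reports to the internet."""
    def __init__(self, directory, validate_at_rcpt, send_ndrs):
        self.directory = directory
        self.validate_at_rcpt = validate_at_rcpt
        self.send_ndrs = send_ndrs
        self.delivered = []   # mailboxes that actually got the message
        self.ndrs = []        # bounce messages the receiver sent back

    def rcpt(self, addr):
        if self.validate_at_rcpt and addr not in self.directory:
            return "550 5.1.1 No such user"
        return "250 OK"

    def data(self, rcpts):
        bad = [r for r in rcpts if r not in self.directory]
        if bad:
            # Whole transaction fails: NO recipient gets the message (the
            # behaviour the post describes), and the sender only hears
            # about it if NDRs are enabled.
            self.ndrs = bad if self.send_ndrs else []
            return "250 Queued"
        self.delivered = list(rcpts)
        return "250 Queued"

def send(receiver, sender, rcpts):
    """Sending MTA: one connection, one envelope for all recipients."""
    transcript = [f"C: MAIL FROM:<{sender}>", "S: 250 OK"]
    accepted = []
    for r in rcpts:
        reply = receiver.rcpt(r)
        transcript += [f"C: RCPT TO:<{r}>", f"S: {reply}"]
        if reply.startswith("250"):
            accepted.append(r)
    if accepted:
        transcript += ["C: DATA", "S: 354 Start mail input", "C: (message) .",
                       "S: " + receiver.data(accepted)]
    transcript += ["C: QUIT", "S: 221 Bye"]
    # A synchronous 550 lets the sending MTA bounce just that one address.
    sender_bounces = [r for r in rcpts if r not in accepted]
    return {"accepted": accepted, "delivered": receiver.delivered,
            "ndrs": receiver.ndrs, "sender_bounces": sender_bounces,
            "transcript": transcript}

RCPTS = ["alice@example.com", "nobody@example.com", "bob@example.com"]

def scenario(validate_at_rcpt, send_ndrs):
    return send(ToyReceiver(DIRECTORY, validate_at_rcpt, send_ndrs),
                "sender@remote.example", RCPTS)

if __name__ == "__main__":
    for v, n in [(False, True), (False, False), (True, True)]:
        r = scenario(v, n)
        print(f"validate_at_rcpt={v} send_ndrs={n}: delivered={r['delivered']} "
              f"ndrs={r['ndrs']} sender_bounces={r['sender_bounces']}")
```

The second scenario is the silent-loss case from the post: nothing is delivered and no bounce ever reaches the remote sender.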

Wednesday, 17 January 2007

Travelocity Template Spam


A couple of days ago, we saw a pump and dump spam using an Incredimail template to bypass spam filters. We pointed out that Incredimail messages could be scored as being somewhat spammy.

With a new twist, spammers are now using a Travelocity template with an embedded image in the middle. Businesses are more likely to allow Travelocity mail than ones with Incredimail templates.

Clever.. but these messages don't come from a Travelocity email address, nor a Travelocity IP (whatever that might be). So, if you roll your own filters you can look for elements of the Travelocity template in messages that don't originate from Travelocity.

If you use Postini, add an inbound filter something like:
  • Select "Match All"
  • Body | contains | 1-888-709-5983
  • Sender | does not contain | travelocity
  • Set Message Disposition to "User Quarantine"

What's clear is that the spammers have found a new technique here and there's probably (sadly) quite a bit of mileage in it. Expect to see more variants of this soon.

Monday, 15 January 2007

"Incredimail" spam


A novel twist to the CBFE pump and dump spam that's been doing the rounds is a large scale run of spam messages using an Incredimail template to fool spam filters.

The trick here is that Incredimail uses a lot of embedded images, as does the recent batch of P&D messages.. so if a filter has been "detuned" to let these templates through, then the spam can slip through on the back of it.

In this particular case, the CBFE spam is encoded with the Windows-1251 Cyrillic character set which makes it distinctive, although that will probably change.

If you roll your own filters, look for X-Mailer: IncrediMail in the headers, and charset="windows-1251" on each MIME boundary.

If you use Postini, you could create an inbound filter of Header | contains | X-Mailer: IncrediMail and set Message Disposition to "User Quarantine".

There's probably no harm for most people in scoring messages with Incredimail templates higher for spam as very little of it will be business related.
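The three Postini filters on this page (the BlueMountain greeting filter, the Travelocity-template filter and the IncrediMail X-Mailer filter above) all have the same shape: field, operator, value, combined with Match Any or Match All. Here is an added Python rule engine (my illustration, not Postini's code) that applies those same three filters, written as data, to constructed sample messages parsed with the standard library email module.

```python
import email
from email import policy

def header_block(msg):
    # The raw header lines, "Name: value", which is what a Header rule inspects.
    return "\n".join(f"{k}: {v}" for k, v in msg.items())

def body_text(msg):
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")

FIELDS = {"sender": lambda m: str(m.get("From", "")),
          "body": body_text, "header": header_block}

def rule_matches(msg, rule):
    field, op, needle = rule          # op is "contains" or "does not contain"
    found = needle.lower() in FIELDS[field](msg).lower()
    return found if op == "contains" else not found

def disposition(msg, filters):
    """First filter that fires decides; otherwise the mail is delivered."""
    for f in filters:
        hits = [rule_matches(msg, r) for r in f["rules"]]
        if (any if f["match"] == "any" else all)(hits):
            return f["disposition"]
    return "deliver"

# The three filters described in the posts, as data.
FILTERS = [
    {"match": "all", "disposition": "User Quarantine",
     "rules": [("header", "contains", "X-Mailer: IncrediMail")]},
    {"match": "all", "disposition": "User Quarantine",
     "rules": [("body", "contains", "1-888-709-5983"),
               ("sender", "does not contain", "travelocity")]},
    {"match": "any", "disposition": "Quarantine Redirect",
     "rules": [("sender", "contains", "bluemountain.com"),
               ("body", "contains", "kokocards.com"),
               ("body", "contains", "bluemountain.com")]},
]

def classify(raw):
    return disposition(email.message_from_string(raw, policy=policy.default), FILTERS)

# Constructed sample messages, not real spam samples.
INCREDIMAIL_SPAM = """From: trader@example.net
To: you@example.com
Subject: CBFE
X-Mailer: IncrediMail (constructed)
Content-Type: text/plain; charset="windows-1251"

CBFE is going to the moon
"""
FAKE_TRAVELOCITY = """From: deals@example.org
To: you@example.com
Subject: Fares
Content-Type: text/plain

Call 1-888-709-5983 now.
"""
REAL_TRAVELOCITY = FAKE_TRAVELOCITY.replace("deals@example.org", "deals@travelocity.com")
FAKE_ECARD = """From: BlueMountains Greetings <greetings@BlueMountain.com>
To: you@example.com
Subject: You just received an Electronic Greeting.
Content-Type: text/plain

To view your eCard visit http://bluemountains.kokocards.com/view
"""

if __name__ == "__main__":
    for name in ("INCREDIMAIL_SPAM", "FAKE_TRAVELOCITY", "REAL_TRAVELOCITY", "FAKE_ECARD"):
        print(name, "->", classify(globals()[name]))
```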

Wednesday, 10 January 2007

Patch Tuesday - January


A very small number of patches this month, none of which are critical for servers (assuming you don't read email, process office documents or surf the web on a server) and which may not even require a reboot on most client PCs. I've ordered these roughly in order of importance.

MS07-004 Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969)
http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
This addresses an active exploit in IE and should be applied as soon as possible.
Client impact: high
Server impact: low

MS07-003 Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938)
http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
A series of potentially serious flaws that could lead to an exploit if the user opens a specially crafted email message. Outlook 2000 is vulnerable to this, but cannot be patched via WSUS so this would need to be applied manually where possible. Replaces MS06-055.
Client impact: high
Server impact: low

MS07-002 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198)
http://www.microsoft.com/technet/security/Bulletin/MS07-002.mspx
Similar to MS07-003, and Excel 2000 is similarly impacted with no WSUS remediation.
Client impact: high
Server impact: low

MS07-001 Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution (921585)
http://www.microsoft.com/technet/security/Bulletin/MS07-001.mspx
This only impacts Office 2003 with the Brazilian Portuguese language pack. It shouldn't be a big problem for most users.
Client impact: low
Server impact: low

Monday, 8 January 2007

Braindead spam from eReplicaShop.com

eReplicaShop.com is a particularly persistent spammer, using image spam from zombie PCs and a large variety of domains. Most of these domains are registered to "Paul Gregoire" or a number of other aliases.. the smart money is that this is actually Alex Polyakov.

Unusually, the eReplicaShop servers are rented from fairly legitimate web hosts.. but bearing in mind that Polyakov is linked with phishing and money laundering scams it's quite likely that at least some of these services are being paid for by stolen credit cards.

Rule 3 of the Rules of Spam states that "Spammers are stupid". In this case, the eReplicaShop.com spam is particularly stupid as it often gets sent to abuse@ addresses. Most mail admins get really pissed off about abuse@ spam.. and this often leads to a satisfyingly short lifespan for the eReplicaShop mirrors.

If you do end up reporting one of these, it's always worthwhile to point out to the host that they might not be getting paid for the services they're providing. That normally gets a very quick response.

Welcome

Well.. alright, I've come to the blogging thing pretty late on, I know. But sometimes it's just too much work to break out the web editor and fiddle around, and at least this way I can get things to press more quickly.

Anyway, here's a completely gratuitous shot of a Compaq Portable II for you..