
Waledac July 4th Activity

July 4th, 2009 by Steven Adair

Just put up a new post on the Shadowserver page about the July 4th/Independence Day spam campaign activity. It includes several new domains:

Domains:


    4thfirework.com
    biumer.com
    entrank.com
    fireholiday.com
    fireworksholiday.com
    fireworksnetwork.com
    fireworkspoint.com
    freeindependence.com
    gemells.com
    handyphoneworld.com
    happyindependence.com
    holidayfirework.com
    holidaysfirework.com
    holifireworks.com
    interactiveindependence.com
    miosmschat.com
    movie4thjuly.com
    moviefireworks.com
    movieindependence.com
    movies4thjuly.com
    moviesfireworks.com
    moviesindependence.com
    outdoorindependence.com
    smophi.com
    superhandycap.com
    thehandygal.com
    video4thjuly.com
    videoindependence.com
    yourhandyhome.com
    yusitymp.com

The page links to Jeremy @ sudosecure.net’s write-up as it already has good details on the campaign.

Steven

Posted in Waledac, Malware, Botnets, Spam | No Comments »

Full Waledac Domain Listing

January 24th, 2009 by Steven Adair

The full list is also being updated and posted on the Shadowserver website at the following URL:

http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

However, I just wanted to reiterate that you should block all of these domains:

Registered January 23, 2009:

adorelyric.com
adorepoem.com
adoresongs.com
bestadore.com
bestlovelong.com
funloveonline.com
youradore.com
yourgreatlove.com

Registered January 19, 2009:

bestgoodnews.com
goodnewsdigital.com
goodnewsreview.com
linkworldnews.com
reportradio.com
spacemynews.com
wapcitynews.com
worldnewsdot.com
worldnewseye.com
worldtracknews.com

Registered January 15, 2009:

bestbarack.com
bestbaracksite.com
bestobamadirect.com
expowale.com
greatbarackguide.com
greatobamaguide.com
greatobamaonline.com
jobarack.com
superobamadirect.com
superobamaonline.com
thebaracksite.com
topwale.com
waledirekt.com
waleonline.com
waleprojekt.com

Older:

bestchristmascard.com
bestmirabella.com
bestyearcard.com
blackchristmascard.com
cardnewyear.com
cheapdecember.com
christmaslightsnow.com
decemberchristmas.com
directchristmasgift.com
eternalgreetingcard.com
freechristmassite.com
freechristmasworld.com
freedecember.com
funnychristmasguide.com
greatmirabellasite.com
greetingcardcalendar.com
greetingcardgarb.com
greetingguide.com
greetingsupersite.com
holidayxmas.com
itsfatherchristmas.com
justchristmasgift.com
lifegreetingcard.com
livechristmascard.com
livechristmasgift.com
mirabellaclub.com
mirabellamotors.com
mirabellanews.com
mirabellaonline.com
newlifeyearsite.com
newmediayearguide.com
newyearcardcompany.com
newyearcardfree.com
newyearcardonline.com
newyearcardservice.com
smartcardgreeting.com
superchristmasday.com
superchristmaslights.com
superyearcard.com
themirabelladirect.com
themirabellaguide.com
themirabellahome.com
topgreetingsite.com
whitewhitechristmas.com
worldgreetingcard.com
yourchristmaslights.com
yourdecember.com
yourmirabelladirect.com
yourregards.com
youryearcard.com

Waledac Exploit Domain List:

googol-analisys.com
seocom.name
seocom.mobi
seofon.net

----

Also, if you are interested in all things Waledac (omghi2u!), check out Jeremy’s Waledac tracker here:

http://sudosecure.net/waledac/

Posted in Malware, Waledac, Exploits, Botnets, Spam, Storm Worm | No Comments »

Someone Hijacked My Baby?

August 25th, 2008 by Steven Adair

I just got a humorous Spam message that someone else told me about earlier. Apparently it’s supposed to have some sort of Virus attached to it. Only it seems my copy has been made a bit safer. The Spam message looks a little something like this:

Subject: We have hijacked your baby

Body:

Hey We have hijacked your baby but you must pay once to us $50 000. The details we will send later…

We has attached photo of your fume

Funny topic and bad grammar all make for a good virus/spam campaign. However, you might be wondering if I am nervous about receiving such an e-mail? Well, e-mail never really makes me nervous and then again I also don’t have a baby. Although I think I would be concerned if I had a baby and someone “hijacked” it. It seems my message got nibbled on by “MIMEDefang”, which was a bit disappointing since I wanted to see the attachment. I wanted to see if the trojan included a picture of a baby or not. I guess I’ll have to wait in suspense until someone shares a copy with me.

Feel free to drop me a line with a copy of this e-mail if you have it intact - steven [at] securityzone [dot] org

Update: 11:40 PM

Got a copy of the e-mail with the attachment in place. Sorry no picture but there is an attachment called “photo.zip” that has “photo.exe” inside of it. File MD5 for the .exe is 807efe034e50327234e83bc9e6a94b32.

This is a piece of malware which then downloads more malware from the known malicious website reddii.org. Stay away from these e-mails and that domain.
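Since this run relied on a zip-wrapped executable, here is an added example (written for this page, not the post's own tooling and not MIMEDefang's code) of the check a mail filter would make: open each attachment in memory, flag archive members that carry an executable extension or a PE (MZ) header, hash them and compare against known-bad hashes, with the photo.exe MD5 above as the one indicator. The sample message, its addresses and the fake photo.exe bytes are constructed; the member size cap is a guard against zip bombs.

```python
"""Added example: inspect mail attachments for zip-wrapped executables and known-bad hashes.
The message built here is constructed test input; the 'exe' inside is not real malware."""
from __future__ import annotations

import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

KNOWN_BAD_MD5 = {"807efe034e50327234e83bc9e6a94b32"}  # photo.exe hash from the post
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to inflate anything bigger (zip-bomb guard)
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"constructed, not real malware"  # constructed payload


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def check_file(name: str, data: bytes, bad_hashes=KNOWN_BAD_MD5) -> dict:
    """Return a finding for one file: its hash and the reasons it looks dangerous."""
    reasons = []
    if name.lower().endswith(EXEC_EXTENSIONS):
        reasons.append("executable extension")
    if data[:2] == b"MZ":  # DOS/PE header, whatever the extension claims
        reasons.append("MZ header")
    digest = md5hex(data)
    if digest in bad_hashes:
        reasons.append("known-bad md5")
    return {"name": name, "md5": digest, "reasons": reasons}


def inspect_archive(blob: bytes, bad_hashes=KNOWN_BAD_MD5) -> list[dict]:
    """Inspect every member of a zip held in memory; nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"name": info.filename, "md5": None, "reasons": ["oversize member"]})
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_MEMBER_BYTES + 1)
            findings.append(check_file(info.filename, data, bad_hashes))
    return findings


def inspect_message(raw: bytes, bad_hashes=KNOWN_BAD_MD5) -> list[dict]:
    """Parse a raw message and inspect each attachment; zips are opened in memory."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or data[:2] == b"PK":
            try:
                findings.extend(inspect_archive(data, bad_hashes))
            except zipfile.BadZipFile:
                findings.append({"name": name, "md5": None, "reasons": ["corrupt zip"]})
        else:
            findings.append(check_file(name, data, bad_hashes))
    return findings


def is_suspicious(findings) -> bool:
    return any(f["reasons"] for f in findings)


def build_sample_message() -> bytes:
    """Constructed message shaped like the post's: photo.zip containing a fake photo.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.exe", FAKE_EXE)
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "We have hijacked your baby"
    msg.set_content("Hey We have hijacked your baby but you must pay once to us $50 000.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photo.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

Hashing the inner file catches renamed copies of a known sample, and the MZ test catches a renamed executable even when its hash is new; checking only the outer attachment name would see nothing but "photo.zip". MD5 is used because that is the hash the post records; it is fine as a lookup key for a known sample, not as a collision-resistant identity.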

Posted in Malware, Spam | 2 Comments »

New Storm Worm Domains Active with Exploits

April 10th, 2008 by Steven Adair

It appears that in addition to “supersameas.com”, the Storm Worm is now using and spamming itself out with several new domain names. These domain names are all registered with Chinese registrars and have been around since at least February but are just now starting to be used. In addition to serving up the executables for download, they are also attempting to fire exploits at users running the Internet Explorer browser. It is highly recommended that you do NOT visit these domains. Here is the list that is currently active:

biggetonething.cn
gasperoblue.cn
giftapplys.cn
gribontruck.cn
limpodrift.cn
loveinlive.cn
newoneforyou.cn
normocock.cn
orthelike.com
supersameas.com
thingforyoutoo.cn

They are coming through via e-mail as always and continuing their assault against Blogger (blogspot.com) sites. Searching Google shows the standard “love” related campaign. However, there is at least one result on Google showing politically motivated e-mails that are being sent as well. At least one Spam reported on the Google group “news.admin.net-abuse.sightings” shows an e-mail with the subject “Cowen confirmed as next Irish premier Options” and a body of “Police fire on protesters in Nepal” followed by a link to one of the above domains.

If you visit these sites with IE, you will quickly find yourself being attacked via different ActiveX objects. The first set of exploits will attempt to download “load.exe” to the system. It will then ultimately redirect the visitor to “flow.php” which is full of obfuscated JavaScript. It is recommended that you block the above domain names and do not visit them.

Posted in Malware, Exploits, Spam, Storm Worm | No Comments »

More Fake Video Codec Pages.. Trojan.Delf? Trojan.Zlob? Nope - Storm Worm!

April 8th, 2008 by Steven Adair

There’s a new round of Storm Worm e-mails going around taking advantage of our favorite technique, showing people what looks like a video and telling them they’re missing a codec to view it. Only these guys are using a rather blunt name for the files this time: StormCodec.exe and StormCodec8.exe - Not very subtle for the “Storm” Worm.

Users are lured this time by e-mail that wants them to visit the fast-flux domain “supersameas.com”. You can protect yourself and your organization at this juncture by blocking this domain. Once on the site there is a video looking image in the middle with the following message:

You have no Storm Codec on your PC.
Download it and choose either “Open” or “Run”.
Enjoy your multimedia experience!

The video and download links point to the aforementioned files. Tip: You don’t want Storm Codec on your PC! :D Thanks to Jose from Arbor Networks for pointing out the update to me, otherwise I probably wouldn’t have noticed this until much later.

Posted in Malware, Spam, Storm Worm | 2 Comments »

New Storm Worm Blogspot/Blogger Campaign - superdrugtesting.com

April 6th, 2008 by Steven Adair

You might have received some e-mails in the last few hours that link to some strange looking blogspot.com pages. A recent example I received a few hours ago pointed me to hxxp://aflmdiovanrd.blogspot.com/. The webpage then wants you to click to download files named “love.exe” or “withlove.exe”, as previously seen with the Valentine’s Day Storm Worm attack.

They are now using a new domain name for their fast-flux network. Each of these URLs presently links to “superdrugtesting.com” followed by the aforementioned binary names. They haven’t used an actual domain name or Google’s Blogger service with these attacks since the Christmas/New Year time frame. Looks like they are back at it again with a new technique.

Here’s a screen shot of what the page looks like:


Be on the look out for these e-mails and consider blocking “superdrugtesting.com” from your networks if possible. Since this domain name is part of a fast-flux network, you must block it by the domain and not IP address as there are thousands of them.

Edit: Let me add that if you were infected with this run of the Storm Worm or the recent Valentine’s Day campaign they did, you would most likely have “aromis.exe” running in your taskbar (not hidden this time) and it will reside in your root WINDOWS folder.
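The point above about blocking by name rather than address is worth seeing in numbers. The following is an added example (written for this page, not the post's own tooling): given a series of repeated lookups of one name, it collects the signals fast-flux heuristics rely on (distinct addresses, spread across networks, short TTL, churn between answers) and shows what fraction of answers an IP blocklist built from the first answer would still let through. The observation series, the addresses (made up, from 10.0.0.0/8) and the decision thresholds are all assumptions; /16 aggregates stand in for ASN data so it runs offline.

```python
"""Added example: fast-flux signals from repeated lookups, and why IP blocking cannot keep up.
All observations below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Lookup:
    t: int        # seconds since the first lookup
    ttl: int      # TTL carried by the A records
    ips: tuple    # A records returned in this answer


def summarize(lookups: list[Lookup]) -> dict:
    """Collect the signals fast-flux detection heuristics rely on."""
    answers = [ip for lk in lookups for ip in lk.ips]
    unique = set(answers)
    # /16 aggregates as a cheap stand-in for "how many distinct networks" (no ASN data offline)
    networks = {str(ip_network(f"{ip}/16", strict=False)) for ip in unique}
    # how many addresses each answer introduced that the previous one lacked
    churn = [len(set(b.ips) - set(a.ips)) for a, b in zip(lookups, lookups[1:])]
    return {
        "unique_ips": len(unique),
        "networks": len(networks),
        "min_ttl": min(lk.ttl for lk in lookups),
        "new_ips_per_lookup": sum(churn) / len(churn) if churn else 0.0,
    }


def looks_fast_flux(stats: dict, min_ips=10, min_networks=5, max_ttl=600) -> bool:
    """Thresholds are assumptions for illustration, not published cut-offs."""
    return (stats["unique_ips"] >= min_ips
            and stats["networks"] >= min_networks
            and stats["min_ttl"] <= max_ttl)


def unblocked_fraction(lookups: list[Lookup], blocked_ips: set[str]) -> float:
    """Share of answers that still point at an address not on the IP blocklist."""
    answers = [ip for lk in lookups for ip in lk.ips]
    return sum(ip not in blocked_ips for ip in answers) / len(answers)


def constructed_flux_lookups(n_lookups=6, per_answer=5, ttl=300) -> list[Lookup]:
    """Constructed fast-flux-like series: every answer carries a fresh set of hosts
    scattered across many /16s (made-up addresses from 10.0.0.0/8)."""
    lookups, n = [], 0
    for i in range(n_lookups):
        ips = []
        for _ in range(per_answer):
            n += 1
            ips.append(f"10.{n}.{(n * 7) % 250}.{(n * 13) % 250 + 1}")
        lookups.append(Lookup(t=i * ttl, ttl=ttl, ips=tuple(ips)))
    return lookups


def constructed_stable_lookups(n_lookups=6, ttl=3600) -> list[Lookup]:
    """Constructed ordinary hosting: the same two addresses every time, long TTL."""
    return [Lookup(t=i * ttl, ttl=ttl, ips=("192.0.2.10", "192.0.2.11"))
            for i in range(n_lookups)]


if __name__ == "__main__":
    flux = constructed_flux_lookups()
    stats = summarize(flux)
    print(stats, "fast-flux" if looks_fast_flux(stats) else "stable")
    share = unblocked_fraction(flux, set(flux[0].ips))
    print(f"{share:.0%} of answers survive blocking the addresses from the first lookup")
```

In the constructed series, blocking the five addresses from the first answer leaves five sixths of later answers reachable, and every subsequent lookup brings five more new hosts; that is the arithmetic behind blocking the name. Real fast-flux networks also tend to hand out a different NS set (double flux), so the resolver-side block has to cover the domain, not just the A records it happens to return.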

Posted in Malware, Spam, Storm Worm | No Comments »

April Fool’s Day Storm Worm Campaign

March 31st, 2008 by Steven Adair

No jokes here - just a quick update on the ever exciting Storm Worm. It seems today it started out on an April Fool’s Day campaign aimed at infecting more systems. It’s still pointing you to infected machines by giving you a URL to an IP address. Right now the file names are “foolsday.exe”, “funny.exe”, and “kickme.exe”.

Click the thumbnail below for a larger view of what the full website looks like:

Nothing too fancy this time around, and it seems they’re a little late in their delivery. Normally they start a little earlier. Anyway, just be on the lookout and don’t infect yourself accidentally.

Posted in Spam, Storm Worm | No Comments »

Evil Blog Comment Spam Domains

March 16th, 2008 by Steven Adair

I have written a post or two in the past about comment spam on this blog. However, now that I have had more time and a larger sample, I can easily point to 13 domains that are nearly the bane of my comment area’s existence. All 13 belong to the same individual or group, who have been bombarding my blogs with comment spam for about 6 months now, always from different IP addresses. The following domain names are always used:

airline333tickets.com
airline379tickets.com
cialis-l-pills.com
cialis-gl-pills.com
new-music-mp3.com
payday333loans.com
payday-gl-loans.com
phentermine-gl-pills.com
phentermine-1-pills.com
viagra-77-pills.com
viagra-gl-pills.com
xanax777pills.com
xanax-gl-pills.com

What is even more interesting is that these guys also easily get past my comment spam honey pot; they have never once been caught by it. The honey pot has cut my comment spam by 80% or so, so I now receive only a couple of new spams a day that it misses. These, however, make it right through each time. It also seems that all of the domain names involved are hosted on one of the following three IP addresses (at least right now):

72.9.109.250
72.9.109.251
72.9.109.253

These are all under a hosting provider at Ezzi.net. No idea if these are legitimately paid for boxes or compromised. I do not have evidence one way or another. I just know it’s really shady to spam so heavily from so many different IP addresses. :)

Just doing a Google search on a few of these domains, like “airline333tickets.com” and “xanax777pills.com”, reveals over 65,000 search results. It would seem I am not the only one being heavily spammed by these guys. They’ve left hundreds of blog comment spams in my queue. Here is an example from earlier today:

-----

alumnimb | triath@Ced.com | phentermine-1-pills.com | IP: 68.185.223.151

How do you do…
Good stuff, very nicely done.
Good stuff, very nicely done!
http://viagra-77-pills.com/discount__viagra.html
http://viagra-77-pills.com/cheap–viagra.html

I simply mad about this forum!
There was merrily!

Like! Thank you!
The Author, you - super hero!
http://airline333tickets.com/allegiant_airline_tickets.html
http://cialis-l-pills.com/cialis_10_levitra.html
http://xanax777pills.com/order_10_xanax.htm

I am glad to find this forum !
Excellent forum, added to favorites!
http://phentermine-gl-pills.com/phentermine-9-online.html
http://cialis-l-pills.com/cialis_online.html

Thank you! I delighted!
Pretty nice forum, wants to see much more on it!
I Will be back!

Mar 16, 9:14 AM

-----

As we can see, our commenters make superior use of the English language and link us to a litter of exciting domains to visit. For what it’s worth, all of the domains are registered with either PUBLICDOMAINREGISTRY.COM or ESTDOMAINS.

Posted in Spam | No Comments »

Blog Comment Spam & vBulletin Abuse

February 18th, 2008 by Steven Adair

In the last few weeks I’ve seen another good increase in blog comment Spam. At the same time I’ve also noticed a few patterns. The first pattern is the origin of almost all of the comment Spam — Israel. Almost all of the Spam is coming from 84.109.0.0/16 or 84.110.0.0/16. This is from the Israeli telecommunications company Bezeq International (bezeqint.net). This is a completely legitimate company, but somehow they are being completely abused.

Allow me to put it in numbers. Since February 10, 2008 I received 201 comments to my blog that were all Spam. 151 of these 201 posts were from the above two IP ranges. That’s just over 75% of my comment Spam. Now that’s pretty exciting stuff, but it still gets better. Almost all of these comments (bezeqint.net or otherwise) are pharmacy/drug related. However, what I also noticed is that a number of them are pointing to legitimate websites that run the vBulletin web-forum software. They point to user profiles each time. Here is an example screen shot:


It appears that these spammers realized they can, perhaps automatically, sign up as users on these web forums and edit their profiles with a bit of HTML to point users to their pharmacy/drug websites. In the above image you can see this particular bulletin board not only allowed links and colors, it also allowed them to put in a large image. I’ve seen tons of different websites with this stuff. It ranges from inappropriate to extremely inappropriate. A few of the websites used in the Spam attacks are at universities on the .edu top level domain. Others are on various other websites with a wide range of intended audiences.

I’m not sure if this is a flaw in vBulletin, is by design, or is something that only exists in older versions. However, my guess is that there are potentially cross-site scripting (XSS) issues as well if they are able to edit their profiles with images and other HTML. In any event, vBulletin is seeing wide abuse from this Spam attack vector. Be on the lookout on your website and consider requiring manual approval for new user sign ups if you don’t already.
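Manual approval of sign-ups limits the volume; the underlying fix is to not let a profile field carry arbitrary HTML in the first place. The following is an added example of that control, written for this page: an allowlist sanitizer for user-editable profile HTML that keeps a few formatting tags and `http(s)` links, strips everything else (images, event handlers, `javascript:` URLs, script/style bodies, comments), closes tags in order so the page structure cannot be broken out of, and marks links `rel="nofollow"` so the spammer gains no search ranking. It is a generic illustration, not vBulletin's code, and makes no claim about how vBulletin itself handles profile fields; the allowed tag set and the sample profile text are assumptions.

```python
"""Added example: allowlist sanitizer for user-supplied profile HTML. Generic illustration,
not vBulletin code. The sample profile text is constructed."""
from __future__ import annotations

from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "a"}  # no img, font, script, ...
ALLOWED_ATTRS = {"a": {"href"}}                                  # no event handlers, no style
ALLOWED_SCHEMES = ("http://", "https://")                        # blocks javascript:/data: links
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}                              # drop their contents, not just the tags


class ProfileSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.stack: list[str] = []       # open allowed tags, re-closed in order
        self.skipping: str | None = None  # inside <script>/<style>: discard everything
        self.dropped = 0                  # tags and attributes removed

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            if tag in RAW_TEXT_TAGS:
                self.skipping = tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped += 1
                continue
            if name == "href" and not value.strip().lower().startswith(ALLOWED_SCHEMES):
                self.dropped += 1
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="nofollow"')  # deny the spammer the search-ranking payoff
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.stack:
            while self.stack:  # close anything still open inside it, keeping output well-formed
                top = self.stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped += 1  # comments (incl. IE conditional comments) carry nothing a profile needs

    def result(self) -> str:
        while self.stack:  # close whatever the user left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_profile_html(raw: str) -> tuple[str, int]:
    """Return (clean_html, number_of_removed_tags_and_attributes)."""
    p = ProfileSanitizer()
    p.feed(raw)
    p.close()
    return p.result(), p.dropped


# Constructed profile text in the spirit of the pharmacy-spam profiles described above.
SAMPLE_PROFILE = (
    '<b>About me</b><img src="http://example.invalid/ad.jpg">'
    '<a href="javascript:alert(1)">x</a>'
    '<a href="http://example.invalid/buy" onclick="steal()">cheap pills</a>'
    '<script>alert(1)</script><font color=red>hi</font>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_profile_html(SAMPLE_PROFILE)
    print(clean)
    print(f"{dropped} tags/attributes removed")
```

The decisive design choice is the allowlist: a denylist of "bad" tags is what lets `font`, `img` and new attribute names through, and it is also where XSS filters historically fail. Rebuilding the markup from the parsed tree, rather than regex-editing the user's string, is what guarantees the output is well-formed regardless of how the input was nested.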

Posted in Spam | 1 Comment »

Two Updates: Mega-D and Storm Worm

February 12th, 2008 by Steven Adair

It looks like SecureWorks with the assistance of Team Cymru and myNetWatchman have solved some of the mystery surrounding this trojan that suddenly found itself in the press. It’s apparently in some ways related to what some AV vendors have previously referred to as “Ozdok”. Interesting name at least. You can read more about this [solved] mystery at http://www.secureworks.com/research/threats/ozdok/?threat=ozdok. I am sure you all have been on the edge of your computer chairs just dying to find out more. Now you can fall off with joy!

Now for the next update you’ve been waiting for: Storm Worm! It’s got a new executable called valentine.exe. Really is that all? Oh man - the excitement does not end there folks. If you are lured onto the website you may be presented with any one of eight different Valentine’s Day themed pictures. The most interesting is one with Pooh Bear and Piglet. Not sure if they’re looking at each other as being each other’s valentine or not though. Anyway, we posted up some information on it Sunday at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080210.

Have a Happy Valentine’s Day! <3

Posted in Malware, Botnets, Spam, Storm Worm | No Comments »
