
Blog Comment Spam & vBulletin Abuse

February 18th, 2008 by Steven Adair

In the last few weeks I’ve seen another good increase in Blog comment Spam. At the same time I’ve also noticed a few patterns. The first pattern is the origin of almost all of the comment Spam — Israel. Almost all of the Spam is coming from 84.109.0.0/16 or 84.110.0.0/16. This is from the Israeli telecommunications company Bezeq International (bezeqint.net). This is a completely legitimate company, but somehow they are being completely abused.

Allow me to put it in numbers. Since February 10, 2008 I received 201 comments to my blog that were all Spam. 151 of these 201 posts were from the above two IP ranges. That’s just over 75% of my comment Spam. Now that’s pretty exciting stuff, but it still gets better. Almost all of these comments (bezeqint.net or otherwise) are pharmacy/drug related. However, what I also noticed is that a number of them are pointing to legitimate websites that run the vBulletin web-forum software. They point to user profiles each time. Here is an example screen shot:

[Screenshot: a spam vBulletin user profile containing links, colored text and a large image]

It appears that these spammers realized they can, perhaps automatically, sign up as users on these web forums and edit their profiles with a bit of HTML to point users to their pharmacy/drug websites. In the above image you can see this particular bulletin board not only allowed links and colors, it also allowed them to put in a large image. I’ve seen tons of different websites with this stuff. It ranges from inappropriate to extremely inappropriate. A few of the websites used in the Spam attacks are at universities on the .edu top level domain. Others are on just different websites with a wide range of intended audiences.

I’m not sure if this is a flaw in vBulletin, is by design, or is something that only exists in older versions. However, my guess is that there’s potentially cross-site scripting (XSS) issues as well if they are able to edit their profiles with images and other HTML. In any event, vBulletin is seeing wide abuse from this Spam attack vector. Be on the lookout on your website and consider requiring manual approval for new user sign-ups if you don’t already.
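The two patterns described in this post (spam concentrated in a couple of /16 ranges, and spam links that land on vBulletin user profiles) can be checked mechanically against a comment moderation queue. The script below is an added example written for this page, not code from the original post or from vBulletin. It assumes comments are available as (source IP, body) pairs, uses the two networks named above, and assumes the usual vBulletin profile URL shape (`member.php?u=<id>`); the sample comments are constructed and use reserved example domains.

```python
"""Triage blog comment spam by source network and by link target.

Added example for this post (not the author's or vBulletin's code). Assumptions:
comments are (source_ip, body) tuples; the suspect networks are the two /16s
named in the post; vBulletin profiles are reached via .../member.php?u=<id>.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Networks the post identifies as the dominant comment spam source.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in ("84.109.0.0/16", "84.110.0.0/16")]

# vBulletin user-profile URL pattern (assumption); spammers park their
# pharmacy links in these profiles rather than linking to the shop directly.
PROFILE_RE = re.compile(r"https?://[^\s\"'<>]+/member\.php\?u=\d+", re.I)

# Constructed sample moderation queue (reserved example domains, RFC 5737 IP).
SAMPLE_COMMENTS = [
    ("84.109.12.34", 'Cheap meds <a href="http://forum.example.edu/member.php?u=4412">here</a>'),
    ("84.110.200.1", "buy now http://board.example.org/member.php?u=9001 best price"),
    ("84.109.77.8", "great post! http://pharma.example.net/"),
    ("192.0.2.10", "Thanks, this helped me fix my config."),
]


def in_suspect_net(ip: str) -> bool:
    """True if the address falls inside one of the ranges named in the post."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETS)


def triage(comments):
    """Return (stats, flagged).

    stats: counts of comments from the suspect ranges, their share of the
           total, and which forum hosts have abused profiles (so their admins
           can be notified).
    flagged: comments that came from a suspect range or link to a profile.
    """
    stats = {"total": len(comments), "from_suspect_nets": 0}
    flagged = []
    abused_hosts = Counter()
    for ip, body in comments:
        suspect = in_suspect_net(ip)
        if suspect:
            stats["from_suspect_nets"] += 1
        profile_links = PROFILE_RE.findall(body)
        for link in profile_links:
            abused_hosts[urlparse(link).hostname] += 1
        if suspect or profile_links:
            flagged.append(
                {"ip": ip, "suspect_net": suspect, "profile_links": profile_links}
            )
    stats["pct_from_suspect_nets"] = (
        round(100.0 * stats["from_suspect_nets"] / stats["total"], 1)
        if comments else 0.0
    )
    stats["abused_forum_hosts"] = dict(abused_hosts)
    return stats, flagged


if __name__ == "__main__":
    summary, hits = triage(SAMPLE_COMMENTS)
    print(summary)
    for hit in hits:
        print(hit)
```

On the constructed sample the script reports 3 of 4 comments (75.0%) from the suspect ranges and two forum hosts whose member profiles are being used as redirectors; the same `triage` call can be pointed at a real export of a moderation queue, and the abused host list is what you would use to alert the forum operators.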

Posted in Spam | 1 Comment »

Two Updates: Mega-D and Storm Worm

February 12th, 2008 by Steven Adair

It looks like SecureWorks with the assistance of Team Cymru and myNetWatchman have solved some of the mystery surrounding this trojan that suddenly found itself in the press. It’s apparently in some ways related to what some AV vendors have previously referred to as “Ozdok”. Interesting name at least. You can read more about this [solved] mystery at http://www.secureworks.com/research/threats/ozdok/?threat=ozdok. I am sure you all have been on the edge of your computer chairs just dying to find out more. Now you can fall off with joy!

Now for the next update you’ve been waiting for: Storm Worm! It’s got a new executable called valentine.exe. Really, is that all? Oh man - the excitement does not end there folks. If you are lured onto the website you may be presented with any one of eight different Valentine’s Day themed pictures. The most interesting is one with Pooh Bear and Piglet. Not sure if they’re looking at each other as being each other’s valentine or not though. Anyway, we posted up some information on it Sunday at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080210.

Have a Happy Valentine’s Day! <3

Posted in Malware, Botnets, Spam, Storm Worm | No Comments »

Mega-D Botnet? Mega-Who?

February 3rd, 2008 by Steven Adair

It turns out there’s yet another botnet that’s growing pretty large in size and it’s apparently been dubbed Mega-D. According to this article the botnet presently accounts for 32% of all spam. The article does some comparison of it and the Storm Worm, which I don’t think is really an important comparison. The point is there’s yet another fun botnet out there, but it seems we’re short on details. I have no idea if this is just another name for something we’ve looked at already or if this is really something new altogether. If anyone has a little more information or a sample binary, please shoot me an e-mail.

Enjoy the Super Bowl if you’re watching today!

Posted in Botnets, Spam | No Comments »