Internet Domain Registry


Wednesday, 17 April 2013

Boston Marathon explosion spam leads to Malware

Posted on 11:24 by Unknown
A new malware spam campaign, which claims to offer videos of the Boston Marathon explosion tragedy, is infecting computers and sending spam at a rate we have not seen in more than a year. The UAB Spam Data Mine, which has partnered with Malcovery Security to produce the "Today's Top Threat Report", has received more than 80,000 copies of the malicious email, more than 50,000 of them before noon today.

The top spam subjects for this campaign so far (counts as of noon):

count | subject
------+-----------------------------------------------
 5952 | Boston Explosion Caught on Video
 5885 | Explosions at the Boston Marathon
 5873 | Aftermath to explosion at Boston Marathon
 5855 | 2 Explosions at Boston Marathon
 5729 | Explosions at Boston Marathon
 5725 | Explosion at Boston Marathon
 5690 | Video of Explosion at the Boston Marathon 2013
 5530 | Explosion at the Boston Marathon
 4891 | BREAKING - Boston Marathon Explosion
A second spam campaign is also active, using "CNN-related" spam subjects (the "Undeliverable:" entries appear to be bounce notifications carrying the first campaign's subjects):

count | subject
------+----------------------------------------------------------------------------------------------------------
   88 | Opinion: North Korean Official's child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
   84 | Opinion: Osama bin Laden's legacy - Boston Marathon Explosions - CNN.com
   82 | Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
   79 | Opinion: Boston Marathon Explosions - Who benefits? - CNN.com
   77 | Opinion: China Official's child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
   75 | Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com
   70 | Opinion: Boston Marathon Explosions - CIA Benefits? - CNN.com
   70 | Undeliverable: Explosion at the Boston Marathon
   69 | Opinion: Osama bin Laden still alive - Boston Marathon Worse Sensation!? - CNN.com
   67 | Undeliverable: Explosions at Boston Marathon
   67 | Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
   65 | Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
   64 | Undeliverable: Boston Explosion Caught on Video
   62 | Opinion: Boston Marathon Explosions - Osama bin Laden still alive? - CNN.com
   61 | Undeliverable: Video of Explosion at the Boston Marathon 2013
   60 | Opinion: Osama death was Faked by CIA - Boston Marathon Explosions Worse News. - CNN.com
The first group of spam messages has the subject line followed by a single URL, consisting of a bare IP address followed by either "boston.html" or "news.html":


count | machine | path
-------+---------------------------+-------------------
1667 | 118.141.37.122 | /boston.html
1564 | 190.245.177.248 | /boston.html
1533 | 178.137.120.224 | /boston.html
1507 | 110.92.80.47 | /boston.html
1484 | 37.229.92.116 | /news.html
1466 | 188.2.164.112 | /boston.html
1448 | 178.137.100.12 | /news.html
1422 | 78.90.133.133 | /boston.html
1376 | 118.141.37.122 | /news.html
1363 | 212.75.18.190 | /boston.html
1356 | 178.137.120.224 | /news.html
1344 | 110.92.80.47 | /news.html
1331 | 83.170.192.154 | /boston.html
1330 | 37.229.92.116 | /boston.html
1317 | 219.198.196.116 | /news.html
1314 | 37.229.215.183 | /boston.html
1312 | 61.63.123.44 | /news.html
1309 | 61.63.123.44 | /boston.html
1280 | 219.198.196.116 | /boston.html
1271 | 85.198.81.26 | /news.html
1247 | 190.245.177.248 | /news.html
1214 | 94.28.49.130 | /boston.html
1171 | 94.28.49.130 | /news.html
1157 | 94.153.15.249 | /news.html
1150 | 83.170.192.154 | /news.html
1137 | 78.90.133.133 | /news.html
1100 | 95.87.6.156 | /news.html
1069 | 85.198.81.26 | /boston.html
1061 | 94.153.15.249 | /boston.html
1056 | 212.75.18.190 | /news.html
1055 | 37.229.215.183 | /news.html
1038 | 95.87.6.156 | /boston.html
1028 | 188.2.164.112 | /news.html
1011 | 178.137.100.12 | /boston.html
960 | 46.233.4.113 | /news.html
791 | 176.241.148.169 | /news.html
766 | 176.241.148.169 | /boston.html
758 | 91.241.177.162 | /news.html
739 | 46.233.4.113 | /boston.html
735 | 213.34.205.27 | /boston.html
651 | 213.34.205.27 | /news.html
642 | 91.241.177.162 | /boston.html
626 | 62.45.148.76 | /news.html
553 | 85.217.234.98 | /boston.html
511 | 62.45.148.76 | /boston.html
484 | 85.217.234.98 | /news.html
205 | 31.133.84.65 | /news.html
152 | 31.133.84.65 | /boston.html
47 | 109.87.205.222 | /boston.html
44 | 109.87.205.222 | /news.html
19 | 50.136.163.28 | /news.html
17 | 50.136.163.28 | /boston.html
The second group uses a website hostname rather than an IP address, followed by either "cnn_boston.html" or "bostoncnn.html":

count | machine | path
-------+------------------------------+------------------------------------------------------
191 | www.domcomfort.ru | /bostoncnn.html
176 | www.whchivast.com | /cnn_boston.html
142 | relax-perm.ru | /bostoncnn.html
80 | www.peaceofchristparish.org | /cnn_boston.html
71 | imdh.knu.ac.kr | /cnn_boston.html
63 | create-serv.ru | /popeabuse.html
59 | skinnee.net | /cnn_boston.html
56 | numeralarmowy-112.pl | /cnn_boston.html
56 | imdh.kyungpook.ac.kr | /cnn_boston.h
41 | higherthanab.com | /cnn_boston.html
40 | ufferichter.dk | /cnn_boston.html
37 | business-link.net | /cnn_boston.html
25 | ochronaprawkonsumenta.pl | /cnn_boston.html
24 | mannesmann.cz | /cnn_boston.html
20 | kuzenergo.ru | /cnn_boston.html
20 | siemsrl.com | /bostoncnn.html
18 | alex-spil.dk | /cnn_boston.html
17 | host321.ru | /cnn_boston.html
13 | www.vdnh.kiev.ua | /cnn_boston.html
10 | www.theophany.co.nz | /cnn_boston.html
8 | yanjingedu.org | /cnn_boston.html
6 | china-ptjc.com | /cnn_boston.html
5 | econ-group.com | /cnn_boston.html
3 | mezdustrok.com.ua | /cnn_boston.html
2 | alltomforsakringar.nu | /cnn_boston.html
2 | ufferichter.com | /cnn_boston.html
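One way to triage incoming mail against the two URL shapes documented above, as an added example rather than any tooling from the original post: require "Boston" in the subject, then split on whether the link host is a bare IP address with /boston.html or /news.html (the spambot lure) or a hostname with /cnn_boston.html or /bostoncnn.html (the Cridex lure). The sample messages are constructed; the hosts are taken from the tables above except the final benign control message, and the campaign labels are my own.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample messages as (subject, body). None is a real captured email;
# the first four reuse hosts from the tables above, the last is a made-up control
# that has the right path but neither the subject hook nor an IP-literal host.
SAMPLES = [
    ("Boston Explosion Caught on Video", "http://118.141.37.122/boston.html"),
    ("Explosions at the Boston Marathon", "http://37.229.92.116/news.html"),
    ("Opinion: Boston Marathon Explosions - Who benefits? - CNN.com",
     "Read the story: http://www.domcomfort.ru/bostoncnn.html"),
    ("Opinion: Osama bin Laden's legacy - Boston Marathon Explosions - CNN.com",
     "http://imdh.knu.ac.kr/cnn_boston.html"),
    ("Quarterly report",
     "See http://intranet.example.com/boston.html for the Boston office numbers"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Campaign 1: bare IP address as host, one of two fixed paths.
SPAMBOT_PATHS = {"/boston.html", "/news.html"}
# Campaign 2: compromised hostnames, one of two fixed paths.
CRIDEX_PATHS = {"/cnn_boston.html", "/bostoncnn.html"}


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(subject, body):
    """Return (label, host, path) for a message matching either campaign, else None.

    Both campaigns key on 'Boston' in the subject, so that is required first;
    the shape of the URL then separates the two.
    """
    if "boston" not in subject.lower():
        return None
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        host, path = (parts.hostname or "").lower(), parts.path
        if is_ip_literal(host) and path in SPAMBOT_PATHS:
            return ("spambot-lure", host, path)
        if not is_ip_literal(host) and path in CRIDEX_PATHS:
            return ("cridex-lure", host, path)
    return None


def extract_iocs(messages):
    """Unique, sorted (host, path) pairs from every message that matches a campaign."""
    hits = set()
    for subject, body in messages:
        hit = classify(subject, body)
        if hit:
            hits.add((hit[1], hit[2]))
    return sorted(hits)


if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(f"{str(classify(subject, body)):60} <- {subject}")
    print(extract_iocs(SAMPLES))
```

The control message shows why the path alone is not a good indicator: plenty of legitimate sites have a /boston.html, and it is the combination of the subject hook with an IP-literal host (or with the fixed CNN-themed paths) that is specific to these campaigns.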
We self-infected by visiting one of the IP-address links in a web browser. The page showed a series of embedded YouTube videos.

If we look at the source code of the page, however, we notice something that certainly seems out of place: the last IFRAME on the page calls a site called "spareroomwebdesign.com" and a file "waiq.html", which is unrelated to the embedded videos.
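The kind of check that surfaces an IFRAME like that one, as an added example and not anything from the original post: parse the landing page, collect every IFRAME src, and flag those whose host is neither the page's own host nor an expected embed host. The HTML below is constructed to match the description above (YouTube embeds followed by the spareroomwebdesign.com frame); the video IDs and the relative-src frame are placeholders, and the list of expected embed hosts is my assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed landing page modelled on the description above. This is not the real
# page source; the video IDs are placeholders and the relative-src frame is made up
# to show that same-origin frames are not flagged.
LANDING_HOST = "118.141.37.122"
SAMPLE_HTML = """<html><body>
<h1>Boston Explosion Caught on Video</h1>
<iframe width="560" height="315" src="http://www.youtube.com/embed/VIDEO_ID_1"></iframe>
<iframe width="560" height="315" src="http://www.youtube.com/embed/VIDEO_ID_2"></iframe>
<iframe src="/local/player.html"></iframe>
<iframe src="http://spareroomwebdesign.com/waiq.html"></iframe>
</body></html>"""

# Hosts a video page like this one would be expected to embed from (assumption).
EXPECTED_EMBED_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.strip())


def collect_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def suspicious_iframes(html, page_host, allowed_hosts=EXPECTED_EMBED_HOSTS):
    """Return iframe URLs whose host is neither the page itself nor an expected embed host.

    Relative src values (no host) are same-origin and therefore not flagged;
    protocol-relative values (//host/path) do carry a host and are checked.
    """
    flagged = []
    for src in collect_iframes(html):
        host = urlsplit(src).hostname
        if host is None:
            continue
        host = host.lower()
        if host != page_host.lower() and host not in allowed_hosts:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_HTML, LANDING_HOST):
        print("out-of-place IFRAME:", src)
```

Run against a saved copy of a suspect page, the output is the list of frames worth pulling next in an isolated environment; the allow-list should be tuned to the kind of page being checked, since any third-party frame is "out of place" only relative to what the page is supposed to embed.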

One of the changes to our machine was the addition of a registry autostart (Run) entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SonyAgent: "C:\WINDOWS\Temp\temp86.exe"

When we checked that location, we found a hidden file, 815,616 bytes in size.

The MD5 of the file is: fdbc94958b8f0ec2b24302c6d4685c46

As of this writing, only 8 of the 46 anti-virus engines at VirusTotal detect this file: https://www.virustotal.com/en/file/560766fc73edf8eff02674a220e2794c008caeefc476c8fef04c21a16eb23a0f/analysis/
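A host-side check for the two artifacts just described, as an added example rather than the post's own tooling: parse the Run key as `reg query` prints it, flag any autostart entry whose executable lives under a temp directory, and compare a file's size, MD5 and SHA-256 against the published indicators. The `reg query` output is constructed in the shape that command prints, with one made-up benign entry beside the SonyAgent entry reported above; the SHA-256 is taken from the VirusTotal URL above on the assumption that it identifies the same file (VirusTotal file URLs are keyed by SHA-256).

```python
import hashlib
import re

# Constructed output in the shape `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# prints. "ExampleUpdater" is a made-up benign entry; "SonyAgent" is the entry reported above.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    SonyAgent    REG_SZ    C:\WINDOWS\Temp\temp86.exe
"""

# Indicators published above. The SHA-256 comes from the VirusTotal file URL and is
# assumed to be the hash of the same 815,616-byte sample.
KNOWN_BAD = {
    "size": 815616,
    "md5": "fdbc94958b8f0ec2b24302c6d4685c46",
    "sha256": "560766fc73edf8eff02674a220e2794c008caeefc476c8fef04c21a16eb23a0f",
}

# An autostart binary living in a temp directory is out of place on a healthy host.
TEMP_DIR_MARKERS = ("\\windows\\temp\\", "\\temp\\", "\\tmp\\")

# reg query prints each value as: <4 spaces><name><4 spaces><type><4 spaces><data>
RUN_LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")


def parse_run_entries(text):
    """Parse (name, type, data) triples from `reg query` output of a Run key."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("type"), m.group("data")))
    return entries


def executable_path(data):
    """Strip surrounding quotes and trailing arguments to get the launched executable."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]


def flag_temp_autoruns(text):
    """(name, path) for every Run entry whose executable sits under a temp directory."""
    flagged = []
    for name, _type, data in parse_run_entries(text):
        path = executable_path(data)
        if any(marker in path.lower() for marker in TEMP_DIR_MARKERS):
            flagged.append((name, path))
    return flagged


def matches_known_sample(blob, iocs=KNOWN_BAD):
    """Compare a file's bytes against the published size, MD5 and SHA-256."""
    return {
        "size": len(blob) == iocs["size"],
        "md5": hashlib.md5(blob).hexdigest() == iocs["md5"],
        "sha256": hashlib.sha256(blob).hexdigest() == iocs["sha256"],
    }


if __name__ == "__main__":
    for name, path in flag_temp_autoruns(REG_QUERY_OUTPUT):
        print(f"suspicious Run entry {name!r} -> {path}")
    # On the infected host the bytes of C:\WINDOWS\Temp\temp86.exe would be read here;
    # offline, a placeholder blob just shows the shape of the comparison.
    print(matches_known_sample(b"placeholder, not the sample"))
```

The temp-directory rule catches this family regardless of what the value is renamed to, while the hash comparison only matches this exact build; in practice the first is the alert and the second is the confirmation.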

Once infected, your machine BECOMES THE SPAMMER and begins to distribute the same emails. In a 48-second run, our infected machine attempted to send 348 spam messages, all with subjects from the list above.

The SECOND, CNN-themed spam campaign is a financial-crimes malware infector: it delivers the banking malware known as Cridex.

Both campaigns have been thoroughly documented in the Malcovery Security Top Threats Today (T3) report, normally reserved for our paying subscribers. Because of the extremely prolific nature of the Boston Marathon Explosion spam campaign, we are offering that T3 report as a free sample to any interested parties.

Free Malcovery T3 Report: Boston Marathon Explosion Spam.