Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Saturday, 21 August 2010

"(Famous person) died" spam

Posted on 17:23 by Unknown
According to my spam inbox, today was a horrible day to be a celebrity:

Alicia Keys died
Angelina Jolie died
Beyonce Knowles died
Bon Jovi died
Brad Pitt died
Cameron Diaz died
David Beckham died
Gwen Stefani died
J.K. Rowling died
Jay-Z died
Jennifer Aniston died
Jennifer Lopez died
Johnny Depp died
Justin Timberlake died
Kanye West died
Madonna died
Miley Cyrus died
Nicole Kidman died
Oprah Winfrey died
Ronaldinho died
Tiger Woods died
Tom Cruise died

In the UAB Spam Data Mine we received between 450 and 539 copies of each of these spam messages.

The body of the email has the same text for each, with only the name varying. The name used in the body of the email doesn't necessarily match the name in the subject line. Here's an example:


Cameron Diaz died along with 34 other people when the Air Force CT-43 "Bobcat" passenger plane carrying the group on a trip crashed into a mountainside while approaching the Dubrovnik airport in Croatia during heavy rain and poor visibility.

Please see attachment


The attachment is called "News.html" is "base64" encoded, but if you click on it, it will launch in a web browser.

The HTML is composed of javascript functions which takes substrings of pieces of code and composes them together to make a URL:


new String("hre3y9b".substr(0,3)+"hv5f5hv".substr(3,1))]=
new String("http:P5v".substr(0,5)+ "//panHSOY".substr(0,5)+
"3aPiplusP3a".substr(3,5) + ".com.V4Hq".substr(0,5)+
"mx/1.0Xq".substr(0,5) + "HFkhtmlFHk".substr(3,4))


So, the "hre3y9b" becomes "hre" the "hv5f5hv" becomes an "f" for "href" etc . . .

It eventually turns into:

hxxp://paniplus.com.mx/1.html

(the "xx" instead of "tt" is to prevent this from being live)

That page has two URLs on it, one pointing to the free domain website 'cz.cc':

cetogilco.cz.cc / scanner10 / ?afid=24

This page goes to a fake anti-virus site . . .

The second URL points to:

analyticspool.in / wiki / index.php ?sid=151 &search=ecard &refresh=on


From cetogilco.cz.cc the file "antivirus.exe" is downloaded.

A VirusTotal Report for this malware, showing 18 of 41 detects, is available. The MD5 is cb38da67e9a96afb0b3674eddee26472.
Email ThisBlogThis!Share to XShare to Facebook
Posted in spam | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 2009 Year in Review
    As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share bac...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Aggrevated Identity Theft Law in Action
    There are so many interesting angles to the story this week about a case in Tucson, Arizona. The conviction actually went down in March 200...
  • More Merger Malware Wachovia Wells Fargo
    Today I received a message from Robert K. Steel, the President and CEO of Wachovia Bank. Actually I received several hundred messages from ...
  • Italian Court declares itself Friend of Pirates (or does it?)
    I couldn't believe this one. The Associated Press reported yesterday that Italian high court says file-swapping is not illegal . In this...
  • AffPower Indictments Scare Affiliates!
    Today I heard the news that the "AffPower" drug network is being shut down, starting with 18 arrests in Texas, Florida, Colorado, ...
  • Bank of America Demo Account - DO NOT CLICK
    Beginning on November 25th, the UAB Spam Data Mine has been receiving messages claiming to be from Bank of America which will explain to us ...
  • Radical Muslim Hackers Declare CyberWar on Israel
    This weekend more than 300 Israeli websites have been defaced in a period of 48 hours. In a website "defacement" a hacker violate...
  • Securing Cyberspace in the 44th Presidency: Part Two
    Yesterday I provided some context for the Center for Strategic and International Studies report which was published yesterday: Security Cyb...
  • Dear CEO . . . You are Commanded to Go Phishing!
    This week has been busy with yet another Spear Phishing campaign being launched against the Execs of US-based companies. This is not a new ...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ▼  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ▼  August (5)
      • Major Fraud Ring Busted in Largest Chinese Cybercr...
      • "(Famous person) died" spam
      • Viagra Spammers as Hackers?
      • Spam Campaign: Zeus's Greatest Hits spreads malware
      • PhacePhish: New Facebook Attack gives a One-Two Punch
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile