Wednesday, January 16, 2008

Storm Loves You!

The Storm Worm (yes, I know it's not a worm, but that's what it's called!) has mutated once again and is back in full "SP" mode, or "Storm Propagation" mode.

Beginning around 3 AM on January 15th, we started seeing new spam messages attempting to infect people with the Storm malware by tricking them into viewing a dangerous website.

Not sure if this is a COMPLETE list of subjects and bodies, but I'm seeing quite a few of them. I'm guessing you can mix and match some of the nouns and adjectives in the subjects below. I'm also guessing that the subjects and bodies may be interchangeable.

The big news is that the URLs are no longer using fast-flux domain names, which means the Storm folks have to go back to using bare IP addresses in the URLs.

Here are some of the subjects used by the current Storm campaign.

A Is For Attitude
A Kiss So Gentle
A Rose for My Love
A Toast My Love
A Token of My Love
Come Dance with Me
Come Relax with Me
Destiny
Eternity of Your Love
Hugging My Pillow
I am Complete
I Love Thee
I Love You Soo Much
In Your Arms
Inside My Heart
Last Night
Love Remains
Magic Power of Love
Miracle of Love
Our Journey
Our Love is Free
Pages from My Heart
Sending You All My Love
Sent with Love
The Mood for Love
When Love Comes Knocking
When You Fall in Love
You... In My Dreams
You're my Dream
You're the One
Your Love has Opened


Bodies:

A Is For Attitude (URL)
A Dream is a Wish (URL)
A Toast My Love (URL)
Come Dance with Me (URL)
Eternity of Your Love (URL)
Hugging My Pillow (URL)
If Loving You (URL)
I Love Thee (URL)
I Love You Soo Much (URL)
Inside My Heart (URL)
Last Night (URL)
Our Journey (URL)
Our Love is Strong (URL)
Our Love Nest (URL)
Sending You All My Love (URL)
Sent with Love (URL)
Miracle of Love (URL)
Path We Share (URL)
The Miracle of Love (URL)
The Mood for Love (URL)
The Moon & Stars (URL)
Words in my Heart (URL)
You're In My Thoughts (URL)
Wrapped in Your Arms (URL)

A few of the IPs I've received spam for:

24.13.25.195
24.29.57.5
24.98.163.49
24.147.84.166
24.158.201.51
24.182.164.166
58.8.154.229
59.93.124.61
61.254.150.135
62.30.214.249
64.130.186.121
64.131.210.85
65.127.69.227
65.189.144.143
66.56.162.236
66.65.246.186
67.170.38.85
68.52.93.226
68.91.149.33
69.153.229.224
69.236.21.121
70.119.36.227
70.237.140.25
70.237.219.11
70.251.159.54
71.224.194.223
71.228.87.148
75.18.129.8
75.46.65.147
75.74.12.93
75.132.167.64
75.176.123.128
75.181.155.252
76.86.247.98
76.87.138.125
76.108.103.196
76.211.9.128
76.223.80.123
76.117.96.98
76.255.55.200
77.244.67.25
79.120.46.50
79.176.169.98
116.126.30.18
125.184.241.30
190.47.48.223
190.50.109.86
190.172.254.93
200.8.248.51
200.126.102.5
201.223.179.88
208.38.67.197
218.238.54.74
218.190.195.185
220.77.192.117
220.79.184.205
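The two cues above (a title from the list, and a link whose host is a bare IP rather than a fast-flux domain) are enough to build a simple mail filter. The following is an added example, not code from the original post; it uses a subset of the titles and IPs reported above, and the three sample messages are constructed for illustration.

```python
import ipaddress
import re

# Subject/body titles copied from the campaign list above, and a handful of the
# reported hosting IPs (not an exhaustive feed; Storm's nodes turn over quickly).
STORM_TITLES = {
    "A Is For Attitude", "A Kiss So Gentle", "A Toast My Love",
    "Come Dance with Me", "Eternity of Your Love", "Hugging My Pillow",
    "I Love Thee", "Our Love Nest", "Sending You All My Love",
    "Sent with Love", "You're In My Thoughts",
}
STORM_IPS = {"24.13.25.195", "58.8.154.229", "190.47.48.223", "220.79.184.205"}

URL_RE = re.compile(r"https?://([^\s/:]+)(?::\d+)?(?:/[^\s]*)?", re.IGNORECASE)


def bare_ip_urls(text):
    """Return (url, host) for every URL whose host is a literal IPv4 address.

    With fast-flux gone, the lures point straight at an IP, so a dotted-quad
    host is the strongest single cue in this campaign.
    """
    found = []
    for m in URL_RE.finditer(text):
        host = m.group(1)
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            continue  # a hostname, not an IP literal
        found.append((m.group(0), host))
    return found


def score_storm_lure(subject, body, ip_blocklist=STORM_IPS):
    """Return the list of reasons a message looks like a Storm 'love' lure.

    Subject and body title are checked separately because the campaign mixes
    and matches them. An empty list means nothing fired.
    """
    reasons = []
    if subject.strip() in STORM_TITLES:
        reasons.append("subject is a known Storm title")
    urls = bare_ip_urls(body)
    if urls:
        reasons.append("body links to a bare IPv4 address")
    # Observed body format is "<title> <URL>": strip the URL, compare the rest.
    if URL_RE.sub("", body).strip() in STORM_TITLES:
        reasons.append("body text is a known Storm title")
    for _url, host in urls:
        if host in ip_blocklist:
            reasons.append(f"{host} is on the Storm hosting list")
    return reasons


# Constructed sample messages (not real captures).
SAMPLES = {
    "lure": ("A Kiss So Gentle", "A Toast My Love http://24.13.25.195/"),
    "lure_unknown_ip": ("Hugging My Pillow", "Our Love Nest http://10.9.8.7/love.html"),
    "benign": ("Quarterly report", "Draft is at http://intranet.example.com/report"),
}

if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        print(name, "->", score_storm_lure(subject, body) or "clean")
```

A bare-IP link on its own is only a heuristic (internal links and some legitimate mailers use them), which is why the title match is scored separately; a hit on both is a confident verdict even when the IP is not on the list yet. Treat the IP list as a short-lived indicator rather than a permanent blocklist, since the nodes serving the pages change constantly.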

--

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham

Friday, January 11, 2008

New IRS Virus page taxes users

A phishing site hosts fraudulent bank pages, and an IRS look-alike virus

A new round of spam, first noticed on January 8th, has been observed by anti-phishing researchers at the University of Alabama at Birmingham. In many ways these are typical phishing emails, trying to trick users into visiting a fraudulent website. This family of emails uses the domains listed below to host several different phishing campaigns, each in a different subdirectory. For example:

/_mem_bin/formslogin.asp = Intelligent Finance
/default.aspx = NatWest Bank
/confirm.asp = Royal Bank of Scotland

But in addition to the traditional phishing (bank fraud) websites, which try to steal user IDs and passwords for online banking accounts, this spam campaign also includes a fake Internal Revenue Service website - and it isn't asking for your password!

/importantpubs/index.htm = Internal Revenue Service

After giving a warning to "Business/Corporate Treasury Managers and Accountants", the fraudulent IRS website claims to have "important recent changes to business and corporate tax laws".

Each of the links that claims to be a new document with important tax information is actually a link to a virus, with file names like:

ALL_TAXPAYERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
ESTATE_AND_TRUST_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
EXCISE_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
EXEMPT_ORG_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
FOREIGN_ISSUES_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
INDIVIDUALS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
IRA_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE

The "SELF-PDF.EXE" naming is meant to trick users into opening the file as though it were a PDF (on a default Windows install, which hides extensions for known file types, the ".EXE" is not even displayed). If successful, the user thinks he is getting information to share his taxes with the IRS, but actually begins sharing his information with criminals instead!

Some of the domains hosting this virus so far:

New sites:
jan77.net
aut33.com
pid28.com
com61.net
inf32.net
sid24.net
chcpi.com
chk08.net
dll57.com
idp56.us
user94.net
Older sites:
ssl--jan08.com
ssl--site.com
ssl-jan08site.com
url-sslsite.com
update-ssl.com
url-ssl.com
confirm--07jan.com
6jan-update.in
securesafesite.net
myupdatesite.net
comssl.net
secure--confirm.net
06jan--confirm.net
7jan--verify.net
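Because every domain in this family serves several brands from fixed subdirectories, a URL can be triaged from its host and path alone, and the dropper names give away the double-extension trick. The script below is an added example, not code from the original post or from UAB; the domain list and path-to-brand table are copied from above, the sample URLs are constructed, and the directory used for the .EXE in the sample is an assumption (the post does not give it).

```python
import re
from urllib.parse import urlsplit

# Path-to-brand table and domain list copied from the post above.
PATH_TO_BRAND = {
    "/_mem_bin/formslogin.asp": "Intelligent Finance",
    "/default.aspx": "NatWest Bank",
    "/confirm.asp": "Royal Bank of Scotland",
    "/importantpubs/index.htm": "Internal Revenue Service (malware page)",
}
CAMPAIGN_DOMAINS = {
    "jan77.net", "aut33.com", "pid28.com", "com61.net", "inf32.net",
    "sid24.net", "chcpi.com", "chk08.net", "dll57.com", "idp56.us",
    "user94.net", "ssl--jan08.com", "ssl--site.com", "ssl-jan08site.com",
    "url-sslsite.com", "update-ssl.com", "url-ssl.com", "confirm--07jan.com",
    "6jan-update.in", "securesafesite.net", "myupdatesite.net", "comssl.net",
    "secure--confirm.net", "06jan--confirm.net", "7jan--verify.net",
}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}
# A document-type token right before the real extension, e.g. "..._SELF-PDF.EXE".
DOC_TOKEN = re.compile(r"(?:^|[._-])(pdf|doc|xls|txt|htm|html)$", re.IGNORECASE)


def disguised_executable(filename):
    """True when an executable is named to pass for a document (double-extension trick)."""
    stem, _, ext = filename.rpartition(".")
    if ext.lower() not in EXECUTABLE_EXT:
        return False
    return bool(DOC_TOKEN.search(stem))


def classify_url(url):
    """Return triage facts for one URL: known campaign host, brand by path, disguised EXE."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Match the listed domain itself and any subdomain of it.
    known = any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)
    path = parts.path or "/"
    filename = path.rsplit("/", 1)[-1]
    return {
        "host": host,
        "known_campaign_host": known,
        "brand": PATH_TO_BRAND.get(path.lower()),
        "disguised_executable": disguised_executable(filename),
    }


# Constructed sample URLs; the /importantpubs/ directory for the .EXE is assumed.
SAMPLE_URLS = [
    "http://jan77.net/confirm.asp",
    "http://ssl--jan08.com/importantpubs/INDIVIDUALS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE",
    "http://www.irs.gov/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", classify_url(u))
```

The path table is the useful part for a mail gateway: the same page at `/confirm.asp` on any of these hosts is the RBS lure, so a block on the domain set catches all the brands at once, and the double-extension check catches the dropper even on a host that has not been listed yet.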

REMEMBER! The IRS is not going to send you an email to warn you about new documents or ask you to log in. Several major anti-virus products do not yet detect this virus! Be safe! Do not click on links sent to you in email. If you need new tax documents, visit the real website at: http://www.irs.gov/.


As we have seen in so much recent malware, the websites are being rotated across many hosting servers. Here are the sites which were serving the malware at our most recent query, but there may be many, many more.


83.9.136.40 - Warsaw, Poland
77.253.113.235 - Warsaw, Poland
24.93.127.106 - Columbus, Ohio
69.201.136.16 - New York, New York
128.118.145.125 - Penn State University
87.209.100.8 - Amsterdam, the Netherlands
144.162.93.16 - Dallas County Community College
80.85.229.201 - Tarnow, Poland

_-_
gary warner
http://www.cis.uab.edu/forensics/

Thursday, January 3, 2008

Ralsky: Going Down

***IMPORTANT UPDATE*** January 11, 2008!
Today Alan Ralsky was taken into custody, arrested after arriving from Germany.
**********************

Congratulations to First Assistant US Attorney Terrence Berg and his colleagues in Detroit for being willing to prosecute one of the top spammers, as revealed in a 41-count indictment unveiled today in Detroit!

According to the January 3, 2008 announcement by the US Department of Justice, Scott Bradley and Judy Devenow were arrested today and appeared in court to hear the charges. John Hui was arrested in New York on January 2nd. The other defendants are at large and being sought. (Hint: You might check the Dominican Republic? Oh wait. Wrong spammer. That was Rizler.)

The full list of defendants is given below:

Alan M. Ralsky, 52, of West Bloomfield, Michigan
Scott K. Bradley, 46, of West Bloomfield, Michigan
Judy M. Devenow, 55, of Lansing, Michigan
John S. Bown, 47, of Poway, California
William C. Neil, 45, of Fresno, California
Anki K. Neil, 36, of Fresno, California
James E. Bragg, 39, of Queen Creek, Arizona
James E. Fite, 34, of Whittier, California
Peter Severa, age unknown, of Russia
How Wai John Hui, 49, of Vancouver, Canada and Hong Kong
Francis A. Tribble, of Los Angeles, California

Ralsky, who has his own Wikipedia page, became one of the most famous spammers after an interview with the Detroit News in 2002. Pictures of his ill-gotten mansion are available at Archive.org.

The FBI raided Ralsky's home in 2005, and apparently today's indictments are the conclusion of that investigation, which DOJ says is now three years old!

While a total price tag may never be placed on all of Ralsky's illegal profits, DOJ says he earned $3 million in the summer of 2005 alone!

Ralsky has long been listed on the excellent Spamhaus Register of Known Spam Operations (ROKSO) and was featured in the book "Spam Kings". Brian McWilliams, the author of Spam Kings, called Ralsky "the most successful spammer" in this Tech Soup interview in 2004, partly because he was still in business after Verizon's successful 2001 lawsuit against him. Three years later, and he's still spamming!

Joel Kurth did an excellent profile of Ralsky in August 2002 for the Detroit News, in which Ralsky admits to maintaining a mailing list of 150 million email addresses (though he points out that there were 87 million addresses he does NOT send spam to, because they unsubscribed).

I wonder how many millions more people he's offended since 2002?

Congratulations again, Detroit, CCIPS, and thanks to the FBI, Postal Inspectors, and IRS Agents who assisted in bringing this to indictment.

Now if they can just get the other 8 co-defendants into custody . . .

Wednesday, January 2, 2008

And on January 1st EVERYBODY SPAM!

It's been a while since I've looked at a virus with a date-triggered behavior change, but that seems to be the case with the one I'm currently looking into.

I spent most of the day yesterday playing with a new spamming virus which "triggered" on January 1st to begin spamming "VPXL" male organ enlargement pills, after being dormant on a machine for almost two weeks.

I would very much appreciate any reports (which will be kept anonymous) regarding how wide-spread this virus may be, or whether anyone can identify the original point of infection.

This is currently the most widely spread spam campaign being observed by our Spam Data Mine at UAB. It's the same group that has previously used the brands "King Replica" for counterfeit watches and "EliteHerbal" for pills.

The machine I was studying became infected on December 17th, after a "drive-by infection" sent it to the website "www.injectpanel.com", where it hit a file called "/us/ret.php", which caused it to download "index[1].exe". (We are already working to get this site shut down.)

Infected machines will be easily identified (now that Jan 1 has passed) by an enormous number of outbound SMTP connections.

Infected machines will probably have a large number of files in their root directory ending in ".tmp". Some of these files may be 42,496 bytes in size, which are copies of the .exe, while others will be 0 bytes in size.

Infected machines ARE rootkitted, with a couple of files of true interest:
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll

(I found these with "RootKit Revealer", a Most Useful Tool!)

Infected machines will contact "www.injectpanel.com" on each boot, and may also connect to "www.botsys.net" on each boot.

AV vendor PREVX had received 11 copies of this virus since December 18th, most commonly named "index[1].exe".

VirusTotal received its first copy on December 30th, and had a 43% detection rate. It was NOT detected by ClamAV, F-Prot, McAfee, NOD, Sunbelt, or Symantec. As of Jan 1, it showed 53% detection (17 of 32 AV products could detect the virus).

The copy I was dealing with had the MD5:

b7f085411871026218cc30b4a6c0363e

Other secondary infections have been seen being "dropped" from injectpanel.com, including "Nurech" (AKA "Chepvil"), which also showed only a 13 of 32 detection rate on Jan 1.

Nurech places a large number of files in the Windows\System32 directory.
Some example names were:
imapi.exe
mnmsrvc.exe
msdtc.exe
netdde.exe
alg.exe.tmp
cisvc.exe.tmp

These will be copied to a "numbered" temp file, such as:

124671.exe
147359.exe

which can be found in memory and in the C:\Windows\Temp\ directory.

The file size of these files is 8,704 bytes.

MD5 for Nurech = 337915d40c893b64ef57fe3866dadb8f

If anyone else is experiencing these viruses, I'd love to learn any more details you might be able to share, but most importantly I'm trying to gauge how widespread the infection is.

Windows XP machines infected with Nurech may demonstrate the characteristic of "falling off" networks, getting stuck in an "acquiring network device" state. (Which may be an overwhelmed TCP stack from the many, many copies of "svchost" that are trying to drive TCP connections.)
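The indicators above (the two MD5s, the wsnpoem paths, the 42,496-byte .tmp copies in the drive root, the 8,704-byte numbered copies in Windows\Temp, and the flood of outbound SMTP) can be checked together from a file listing and a `netstat -an` dump. The script below is an added example, not code from the original post; it takes the indicators from the post as given, and the file records and netstat lines at the bottom are constructed to exercise the checks rather than captured from the infected machine.

```python
import re
from collections import Counter

# Indicators are taken from the post above. The file records and netstat-style
# lines at the bottom are constructed to exercise the checks; they are not
# captures from the infected machine.
KNOWN_MD5 = {
    "b7f085411871026218cc30b4a6c0363e": "VPXL spambot (index[1].exe)",
    "337915d40c893b64ef57fe3866dadb8f": "Nurech / Chepvil",
}
ROOTKIT_PATHS = {
    r"c:\windows\system32\wsnpoem\audio.dll",
    r"c:\windows\system32\wsnpoem\video.dll",
}
NURECH_NAMES = {"imapi.exe", "mnmsrvc.exe", "msdtc.exe", "netdde.exe",
                "alg.exe.tmp", "cisvc.exe.tmp"}
SPAMBOT_TMP_SIZE = 42496   # C:\*.tmp copies of the spambot .exe (0-byte ones are too weak alone)
NURECH_SIZE = 8704
ROOT_TMP = re.compile(r"^c:\\[^\\]+\.tmp$", re.IGNORECASE)
NUMBERED_TMP = re.compile(r"^c:\\windows\\temp\\\d+\.exe$", re.IGNORECASE)
C2_HOSTS = {"www.injectpanel.com", "www.botsys.net"}   # look for these in DNS/proxy logs


def triage_file(path, size, md5=""):
    """Return the indicators one file record (path, size in bytes, optional MD5) matches."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if md5.lower() in KNOWN_MD5:
        reasons.append("known hash: " + KNOWN_MD5[md5.lower()])
    if p in ROOTKIT_PATHS:
        reasons.append("wsnpoem rootkit component")
    if ROOT_TMP.match(p) and size == SPAMBOT_TMP_SIZE:
        reasons.append("spambot .tmp in drive root")
    if NUMBERED_TMP.match(p) and size == NURECH_SIZE:
        reasons.append("numbered Nurech copy in Windows\\Temp")
    # These names are also genuine system binaries, so the size must match as well.
    if name in NURECH_NAMES and p.startswith("c:\\windows\\system32\\") and size == NURECH_SIZE:
        reasons.append("Nurech file masquerading as a system binary")
    return reasons


def smtp_fanout(netstat_lines):
    """Count outbound TCP connections to port 25 in 'netstat -an' style output.

    Returns (total, Counter of connection states). A desktop normally has a
    handful at most; a spambot drives hundreds at once.
    """
    row = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")
    states = Counter()
    for line in netstat_lines:
        m = row.match(line)
        if m and int(m.group(4)) == 25:
            states[m.group(5)] += 1
    return sum(states.values()), states


def triage_host(file_records, netstat_lines, smtp_threshold=50):
    """Combine file and network indicators into one verdict for a host."""
    hits = {}
    for path, size, md5 in file_records:
        reasons = triage_file(path, size, md5)
        if reasons:
            hits[path] = reasons
    smtp_total, by_state = smtp_fanout(netstat_lines)
    return {
        "file_hits": hits,
        "smtp_connections": smtp_total,
        "smtp_states": dict(by_state),
        "smtp_fanout": smtp_total >= smtp_threshold,
        "infected": bool(hits) or smtp_total >= smtp_threshold,
    }


# Constructed sample input (not real captures).
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\wsnpoem\audio.dll", 51200, ""),
    (r"C:\3fa2.tmp", 42496, "b7f085411871026218cc30b4a6c0363e"),
    (r"C:\WINDOWS\Temp\124671.exe", 8704, "337915d40c893b64ef57fe3866dadb8f"),
    (r"C:\WINDOWS\system32\msdtc.exe", 6144, ""),   # genuine binary: must not fire
]
SAMPLE_NETSTAT = ["  TCP    192.168.1.20:1054   192.168.1.1:445   ESTABLISHED"] + [
    f"  TCP    192.168.1.20:{1100 + i}   203.0.113.{i % 250}:25   SYN_SENT" for i in range(120)
]

if __name__ == "__main__":
    verdict = triage_host(SAMPLE_FILES, SAMPLE_NETSTAT)
    for path, reasons in verdict["file_hits"].items():
        print(path, "->", "; ".join(reasons))
    print("outbound SMTP connections:", verdict["smtp_connections"],
          "infected:", verdict["infected"])
```

Two caveats when using this on a real box. The hash and size indicators stop working the moment the dropper is repacked, while the wsnpoem path and the SMTP fan-out survive repacking, so weight those higher. And because the machine is rootkitted, a directory listing taken on the live system may simply not show the wsnpoem files; feed the script a listing from an offline mount, or from a tool that compares the kernel's view with the API's view, as RootKit Revealer does.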

Thanks for any help!

Gary Warner
Director of Research in Computer Forensics
http://www.cis.uab.edu/forensics/