The top spam subjects for this campaign so far have been:
A second spam campaign is also active, using "CNN-related" spam subjects:
(count listed as of noon)
5952 | Boston Explosion Caught on Video
5885 | Explosions at the Boston Marathon
5873 | Aftermath to explosion at Boston Marathon
5855 | 2 Explosions at Boston Marathon
5729 | Explosions at Boston Marathon
5725 | Explosion at Boston Marathon
5690 | Video of Explosion at the Boston Marathon 2013
5530 | Explosion at the Boston Marathon
4891 | BREAKING - Boston Marathon Explosion
The first group of spam messages have the subject line followed by a single URL, consisting of an IP address followed by either "boston.html" or "news.html".
88 | Opinion: North Korean Official's child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
84 | Opinion: Osama bin Laden's legacy - Boston Marathon Explosions - CNN.com
82 | Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
79 | Opinion: Boston Marathon Explosions - Who benefits? - CNN.com
77 | Opinion: China Official's child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
75 | Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com
70 | Opinion: Boston Marathon Explosions - CIA Benefits? - CNN.com
70 | Undeliverable: Explosion at the Boston Marathon
69 | Opinion: Osama bin Laden still alive - Boston Marathon Worse Sensation!? - CNN.com
67 | Undeliverable: Explosions at Boston Marathon
67 | Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
65 | Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
64 | Undeliverable: Boston Explosion Caught on Video
62 | Opinion: Boston Marathon Explosions - Osama bin Laden still alive? - CNN.com
61 | Undeliverable: Video of Explosion at the Boston Marathon 2013
60 | Opinion: Osama death was Faked by CIA - Boston Marathon Explosions Worse News. - CNN.com
The second group uses a website address rather than an IP address followed by either "cnn_boston.html" or "bostoncnn.html"
count | machine | path
-------+---------------------------+-------------------
1667 | 118.141.37.122 | /boston.html
1564 | 190.245.177.248 | /boston.html
1533 | 178.137.120.224 | /boston.html
1507 | 110.92.80.47 | /boston.html
1484 | 37.229.92.116 | /news.html
1466 | 188.2.164.112 | /boston.html
1448 | 178.137.100.12 | /news.html
1422 | 78.90.133.133 | /boston.html
1376 | 118.141.37.122 | /news.html
1363 | 212.75.18.190 | /boston.html
1356 | 178.137.120.224 | /news.html
1344 | 110.92.80.47 | /news.html
1331 | 83.170.192.154 | /boston.html
1330 | 37.229.92.116 | /boston.html
1317 | 219.198.196.116 | /news.html
1314 | 37.229.215.183 | /boston.html
1312 | 61.63.123.44 | /news.html
1309 | 61.63.123.44 | /boston.html
1280 | 219.198.196.116 | /boston.html
1271 | 85.198.81.26 | /news.html
1247 | 190.245.177.248 | /news.html
1214 | 94.28.49.130 | /boston.html
1171 | 94.28.49.130 | /news.html
1157 | 94.153.15.249 | /news.html
1150 | 83.170.192.154 | /news.html
1137 | 78.90.133.133 | /news.html
1100 | 95.87.6.156 | /news.html
1069 | 85.198.81.26 | /boston.html
1061 | 94.153.15.249 | /boston.html
1056 | 212.75.18.190 | /news.html
1055 | 37.229.215.183 | /news.html
1038 | 95.87.6.156 | /boston.html
1028 | 188.2.164.112 | /news.html
1011 | 178.137.100.12 | /boston.html
960 | 46.233.4.113 | /news.html
791 | 176.241.148.169 | /news.html
766 | 176.241.148.169 | /boston.html
758 | 91.241.177.162 | /news.html
739 | 46.233.4.113 | /boston.html
735 | 213.34.205.27 | /boston.html
651 | 213.34.205.27 | /news.html
642 | 91.241.177.162 | /boston.html
626 | 62.45.148.76 | /news.html
553 | 85.217.234.98 | /boston.html
511 | 62.45.148.76 | /boston.html
484 | 85.217.234.98 | /news.html
205 | 31.133.84.65 | /news.html
152 | 31.133.84.65 | /boston.html
47 | 109.87.205.222 | /boston.html
44 | 109.87.205.222 | /news.html
19 | 50.136.163.28 | /news.html
17 | 50.136.163.28 | /boston.html
We self-infected by visiting one of the IP address links in a web browser. The page had a series of YouTube videos, including this one:
count | machine | path
-------+------------------------------+------------------------------------------------------
191 | www.domcomfort.ru | /bostoncnn.html
176 | www.whchivast.com | /cnn_boston.html
142 | relax-perm.ru | /bostoncnn.html
80 | www.peaceofchristparish.org | /cnn_boston.html
71 | imdh.knu.ac.kr | /cnn_boston.html
63 | create-serv.ru | /popeabuse.html
59 | skinnee.net | /cnn_boston.html
56 | numeralarmowy-112.pl | /cnn_boston.html
56 | imdh.kyungpook.ac.kr | /cnn_boston.h
41 | higherthanab.com | /cnn_boston.html
40 | ufferichter.dk | /cnn_boston.html
37 | business-link.net | /cnn_boston.html
25 | ochronaprawkonsumenta.pl | /cnn_boston.html
24 | mannesmann.cz | /cnn_boston.html
20 | kuzenergo.ru | /cnn_boston.html
20 | siemsrl.com | /bostoncnn.html
18 | alex-spil.dk | /cnn_boston.html
17 | host321.ru | /cnn_boston.html
13 | www.vdnh.kiev.ua | /cnn_boston.html
10 | www.theophany.co.nz | /cnn_boston.html
8 | yanjingedu.org | /cnn_boston.html
6 | china-ptjc.com | /cnn_boston.html
5 | econ-group.com | /cnn_boston.html
3 | mezdustrok.com.ua | /cnn_boston.html
2 | alltomforsakringar.nu | /cnn_boston.html
2 | ufferichter.com | /cnn_boston.html
However, if we look at the source code of the page, we notice something that certainly seems out of place!
The last IFRAME there calls a site called "spareroomwebdesign.com" and a file "waiq.html"
One of the changes to our machine was the addition of a registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SonyAgent: "C:\WINDOWS\Temp\temp86.exe"
When we checked, we found a hidden file, 815,616 bytes in size in that location.
The MD5 of the file is: fdbc94958b8f0ec2b24302c6d4685c46
As of this writing, only 8 of the 46 Anti-virus programs at VirusTotal are aware of this malware and able to detect it. https://www.virustotal.com/en/file/560766fc73edf8eff02674a220e2794c008caeefc476c8fef04c21a16eb23a0f/analysis/
Once infected, your machine BECOMES THE SPAMMER, and begins to distribute emails. In a 48 second run our infected machine attempted to send 348 spam messages, all with a subject from the list above.
The SECOND, CNN-themed spam campaign is a Financial Crimes malware infector, known as Cridex.
Both campaigns have been thoroughly documented in the Malcovery Security Top Threats Today report, normally reserved for our paying subscribers. Due to the extremely prolific nature of the Boston Marathon Explosion spam campaign, we are offering that T3 report as a free sample for any interested parties.
Click Logo for your Free T3 Report
No comments:
Post a Comment