Archive for the ‘Storm’ Category

Ongoing Waledac Botnet and Spam Operation

Wednesday, January 7th, 2009

Creating, operating and expanding the Waledac botnet is an ongoing effort, similar to the Storm operation that had dwindled this past year.

The Waledac operators have automated a fairly predictable registration and setup of their malicious web sites and of the corresponding online pharmaceutical sites that have been reported as fraudulent. They are also abusing fast-flux DNS at an impressive rate.
DO NOT VISIT THESE SITES. THEY ARE MALICIOUS AND MAY INFECT YOUR SYSTEM IF YOU CHOOSE TO VISIT THEM WITH A WEB BROWSER. Here are a few that were registered and set up this morning. Be aware that this spamming/botnet operation is an ongoing one:
hxxp://topgreetingsite.com
hxxp://www.greetingsupersite.com
hxxp://www.greetingcardgarb.com
hxxp://greetingcardcalendar.com
hxxp://directchristmasgift.com

You get the idea. Do not fall for the links being spammed out in email messages as ecard deliveries and do not fall for the current “card.exe” being distributed.
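The fast-flux abuse mentioned above is something a defender can measure rather than eyeball. The following is an added example (not code from the original post or from the ThreatFire product) of the usual heuristic: resolve a name repeatedly and watch whether short-TTL answers rotate through many hosts on many different networks. The snapshots and addresses are constructed for the demonstration, and the /16 prefix is used as a cheap stand-in for the ASN lookup real tooling would do; the thresholds are assumptions, not anything the post states.

```python
import ipaddress

# Added example: a fast-flux heuristic over repeated A-record lookups of one name.
# Each snapshot is (seconds since first lookup, record TTL, list of answer IPs).
# All addresses below are constructed (RFC 1918 / RFC 5737 space); nothing is resolved live.
FLUXY_SNAPSHOTS = [
    (0,   60, ["10.11.0.5", "10.42.7.19", "10.130.2.200", "10.77.9.1"]),
    (120, 60, ["10.201.3.8", "10.42.7.19", "10.9.61.14", "10.156.0.3"]),
    (240, 60, ["10.11.0.5", "10.88.12.7", "10.156.0.3", "10.222.4.90"]),
    (360, 60, ["10.9.61.14", "10.33.5.77", "10.130.2.200", "10.60.18.2"]),
]
STABLE_SNAPSHOTS = [
    (0,    86400, ["192.0.2.10", "192.0.2.11"]),
    (3600, 86400, ["192.0.2.10", "192.0.2.11"]),
    (7200, 86400, ["192.0.2.10", "192.0.2.11"]),
]


def flux_metrics(snapshots):
    """Summarise how much the answer set for a name churns across lookups."""
    seen_ips, seen_prefixes = set(), set()
    previous, changes, min_ttl = None, 0, None
    for _, ttl, answers in snapshots:
        current = frozenset(answers)
        seen_ips |= current
        for ip in answers:
            # /16 as a cheap stand-in for "different network"; real tooling would map to ASN.
            seen_prefixes.add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        if previous is not None and current != previous:
            changes += 1
        previous = current
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
    return {
        "lookups": len(snapshots),
        "distinct_ips": len(seen_ips),
        "distinct_prefixes": len(seen_prefixes),
        "answer_changes": changes,
        "min_ttl": min_ttl,
    }


def is_fast_flux(snapshots, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag names with short TTLs whose answers rotate through many hosts on many networks.

    The thresholds are assumed defaults for the example, not values from the post."""
    m = flux_metrics(snapshots)
    return (
        m["min_ttl"] is not None
        and m["min_ttl"] <= max_ttl
        and m["distinct_ips"] >= min_ips
        and m["distinct_prefixes"] >= min_prefixes
        and m["answer_changes"] >= 1
    )


if __name__ == "__main__":
    for name, snaps in (("fluxy.example", FLUXY_SNAPSHOTS), ("stable.example", STABLE_SNAPSHOTS)):
        print(name, flux_metrics(snaps), "fast-flux" if is_fast_flux(snaps) else "ok")
```

Run against live data, the snapshots would come from a resolver queried every few minutes; a name that answers with a different handful of residential-looking addresses on every query, each with a TTL of a minute or so, is the pattern the post is describing.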

Card.exe is not Brought to you by 123Christmas-Greetings!

Tuesday, January 6th, 2009

Unfortunately, a handful of legitimate online greeting card sites continue to be spoofed as part of the ongoing, successful Waledac campaign.
While it is similar to the Storm threat, the shameless ripoff of multiple greeting card sites is even more blatant than Storm’s crafted web sites of 2007. Here is a snapshot of one of the legitimate sites:

And here is an example message spammed out by the Waledac worm:
“Jeff has mailed a e-card.
Just click on the following Internet address:
hxxp://your regards.com/ ?ID=5b830b13b073c19cabc3a06878d
Brought to you by 123Christmas-Greetings!”

Spammed message here using the Christmasbuzz name:
“Thomas has sent an e-card.
Click on the following link or copy and paste the following link into your web
browser’s address bar: hxxp:// smart cardgreeting.com/ ?code=844e643ab7
(c) Christmasbuzz.com”

Legitimate Christmasbuzz site looks like this snapshot:

Another spammed message from the worm:
“Thomas sent you a ecard.
Click on the following link to see your Ecard:
hxxp://world greetingcard.com/ ?id=1025025ecd
Thanks for Using Card Fountain!”

And the corresponding legitimate Card Fountain web site here:

Do not randomly click on links emailed to you, as pointed out previously. Ecards and greetings can be a sore spot for a lot of users before and after the holiday season, but it can be nice to receive holiday wishes when they come from legitimate sites.
Also note that most of the legitimate sites deliver cards as Flash movies and other animations, not as the “card.exe” malcode.

Current malicious sites are serving exploit pages and “card.exe” at the following domains; do not visit them. Some were registered by the botherders earlier today, along with a slew of domains that are now hosting online Canadian pharmacy sites:
eternalgreetingcard.com
worldgreetingcard.com
smartcardgreeting.com
superyearcard.com
cardnewyear.com
newyearcardonline.com
youryearcard.com
newyearcardcompany.com
bestyearcard.com
newyearcardservice.com
newyearcardfree.com
The guys over at Shadowserver posted a writeup on the worm to close out 2008, and included a list of domains being used by the botherders at the time. The distributors continue to be active.
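The spammed messages quoted above share a shape: an ecard lure, a bare link carrying an opaque hex token, and a landing page that hands out an executable. The following is an added example (not code from the original post or from ThreatFire) of a mail-gateway check over that pattern, run on constructed messages modelled on the ones above. The domain blocklist is the list from this post, kept as strings only; nothing is contacted. The `ecard-lure.example` and `intranet.example` hosts, the allowlist of legitimate card sites, and the "8 or more hex characters" rule for an opaque id are assumptions made for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
LURE_RE = re.compile(r"\b(?:e-?card|ecard|greeting card|postcard)\b", re.IGNORECASE)
# Assumed rule: a query value that is 8+ hex characters is treated as an opaque tracking id.
OPAQUE_ID_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)

# Domains named in the post as serving exploit pages and card.exe (strings only, never resolved).
WALEDAC_DOMAINS = {
    "eternalgreetingcard.com", "worldgreetingcard.com", "smartcardgreeting.com",
    "superyearcard.com", "cardnewyear.com", "newyearcardonline.com", "youryearcard.com",
    "newyearcardcompany.com", "bestyearcard.com", "newyearcardservice.com", "newyearcardfree.com",
}
# Assumed allowlist: the legitimate card sites the post says are being spoofed.
LEGIT_ECARD_HOSTS = {"123greetings.com", "christmasbuzz.com"}

# Constructed sample messages, modelled on the spam quoted in the post (hosts refanged for parsing).
SAMPLES = [
    "Thomas has sent an e-card.\nClick on the following link: http://smartcardgreeting.com/?code=844e643ab7\n(c) Christmasbuzz.com",
    "Thomas sent you a ecard.\nClick on the following link to see your Ecard:\nhttp://worldgreetingcard.com/?id=1025025ecd\nThanks for Using Card Fountain!",
    "Jeff has mailed a e-card.\nJust click on the following Internet address:\nhttp://ecard-lure.example/?ID=5b830b13b073c19cabc3a06878d\nBrought to you by 123Christmas-Greetings!",
    "Your greeting card is ready: http://ecard-lure.example/postcard.exe",
    "Meeting notes are posted at http://intranet.example/?id=0123456789abcdef",
    "Happy New Year! http://www.123greetings.com/",
]


def host_matches(host, domains):
    """Exact or subdomain match with a dot boundary, so evil123greetings.com does not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_message(text):
    """Return (url, reason) pairs for every link in the message that looks like an ecard lure."""
    findings = []
    lure_wording = bool(LURE_RE.search(text))
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)\"'")
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host_matches(host, WALEDAC_DOMAINS):
            findings.append((url, "host on Waledac ecard blocklist"))
            continue
        if host_matches(host, LEGIT_ECARD_HOSTS):
            continue
        if parsed.path.lower().endswith(".exe"):
            findings.append((url, "ecard link points straight at an executable"))
            continue
        params = parse_qs(parsed.query)
        opaque = any(OPAQUE_ID_RE.match(v) for values in params.values() for v in values)
        if lure_wording and opaque:
            findings.append((url, "ecard lure with opaque id on an unknown host"))
    return findings


def scan(messages):
    """Index every message that produced at least one finding."""
    return [(i, analyze_message(m)) for i, m in enumerate(messages) if analyze_message(m)]


if __name__ == "__main__":
    for index, findings in scan(SAMPLES):
        for url, reason in findings:
            print(f"message {index}: {reason}: {url}")
```

The allowlist is checked after the blocklist on purpose: a spoofed sender line such as "(c) Christmasbuzz.com" must not rescue a link whose host is one of the attacker's domains, and the dot-boundary match in `host_matches` keeps a look-alike registration from sliding through either list.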

And why might this Storm copycat scheme come back in vogue? Spam, of course!
In addition to the links to malicious attacking sites being sent out (shown above), holiday-themed, seasonal spam containing links to online Canadian pharmacies peddling Viagra and “enhancement” drugs is being blasted out by infected systems as well:

“Subject: When going on holiday take bluepills with you to ensure potence!
We have everything to make your love more passionate.
hxxp:// thank believe.com/”

“Be ready for spring love marathon! hxxp:// character effect.com/”

“Start enjoying your xxxlife! hxxp:// grew ten.com/”

“Subject: How intresting is your bedroom life?
Dont put your health at stake! hxxp:// what least.com/”

“Subject: Latest news from your doctor.
Our experts recommend! hxxp:// steam coast.com/”

It appears to be a fairly international spamming effort, with domains rapidly being registered in China and Latvia, exploit pages served from the U.S., and pharma sales coming out of Canada on servers hosted in China.

Season’s Greetings with a postcard.exe

Tuesday, December 30th, 2008

In a throwback to the Storm campaigns that we heavily reported on in 2007, another group has been spamming out links to malicious Season’s Greetings sites (a list of domains previously serving up “ecard.exe” variants can be found here), attempting to fool users into running “postcard.exe”. Here is a screenshot of one server currently up this afternoon on an infected host on the Comcast network at 71.233.193.xx:

A visit to this page results in multiple client-side exploits, delivered through a chain of redirected web pages, which ThreatFire (TF) prevents. ThreatFire also stops the attacking executable file as Trojan.Waledac.

The attackers make it obvious which web site they are attempting to mimic in their social engineering scheme. The entire HTML header of the attacking web page on the malicious site was ripped directly from 123greetings.com, a popular ecard site. Here is some of the header from the malicious web page:
Title: New Year Cards, Free New Year eCards, Greeting Cards
meta name="keywords" content="new year cards,free new year ecards,greeting cards,greetings,wishes for the new year,free e cards for new year,christmas and new year wishes,free new year greetings,free ecards for new year"
meta name="description" content="2009 is here! Fill your heart with new hopes, reach out for new opportunities and celebrate the New Year! Reach out to your friends, family,…"

Keep in mind that the legitimate www.123greetings.com site appears to send out ecards as Flash animations, not as “postcard.exe” files.
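A copied HTML head is a usable fingerprint: a page that carries another site's exact title and keyword list but lives on a different host, and hands out an executable, is a clone. The following is an added example (not code from the original post or from ThreatFire) of that check. The reference document is constructed from the header quoted above, the suspect document reuses it with a `postcard.exe` link in the body, and the host `ecard-lure.example` and the 0.8 keyword-overlap threshold are assumptions for the demonstration.

```python
from html.parser import HTMLParser


class HeadExtractor(HTMLParser):
    """Collect <title>, named <meta> tags and <a href> targets from an HTML document."""

    def __init__(self):
        super().__init__()
        self.title, self.meta, self.links, self._in_title = "", {}, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name") and a.get("content") is not None:
            self.meta[a["name"].lower()] = a["content"]
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def fingerprint(html):
    """Reduce a document to the fields an attacker copies wholesale plus the links it serves."""
    p = HeadExtractor()
    p.feed(html)
    keywords = {k.strip().lower() for k in p.meta.get("keywords", "").split(",") if k.strip()}
    return {"title": p.title.strip(), "keywords": keywords,
            "description": p.meta.get("description", "").strip(), "links": p.links}


def _norm_host(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def clone_verdict(suspect_html, suspect_host, reference_html, reference_host, threshold=0.8):
    """Flag a page whose head matches the reference site's but which is served from another host."""
    s, r = fingerprint(suspect_html), fingerprint(reference_html)
    similarity = jaccard(s["keywords"], r["keywords"])
    same_title = bool(s["title"]) and s["title"] == r["title"]
    exe_links = [h for h in s["links"] if h.split("?")[0].lower().endswith(".exe")]
    cloned = (same_title or similarity >= threshold) and _norm_host(suspect_host) != _norm_host(reference_host)
    return {"keyword_similarity": round(similarity, 2), "same_title": same_title,
            "exe_links": exe_links, "verdict": "cloned" if cloned else "ok"}


# Constructed reference document, built from the 123greetings.com header quoted in the post
# (description shortened to the part the post reproduces).
REFERENCE_HTML = """<html><head>
<title>New Year Cards, Free New Year eCards, Greeting Cards</title>
<meta name="keywords" content="new year cards,free new year ecards,greeting cards,greetings,wishes for the new year,free e cards for new year,christmas and new year wishes,free new year greetings,free ecards for new year">
<meta name="description" content="2009 is here! Fill your heart with new hopes, reach out for new opportunities and celebrate the New Year!">
</head><body><a href="/card/view">View your card</a></body></html>"""

# Constructed suspect: same head, body pushes the executable instead of a Flash card.
SUSPECT_HTML = REFERENCE_HTML.replace(
    '<a href="/card/view">View your card</a>',
    '<a href="postcard.exe">Click here to see your postcard</a>')

UNRELATED_HTML = """<html><head><title>Quarterly report</title>
<meta name="keywords" content="finance,report"></head><body></body></html>"""


if __name__ == "__main__":
    print(clone_verdict(SUSPECT_HTML, "ecard-lure.example", REFERENCE_HTML, "www.123greetings.com"))
    print(clone_verdict(UNRELATED_HTML, "ecard-lure.example", REFERENCE_HTML, "www.123greetings.com"))
```

The host comparison normalises a leading `www.`, so the legitimate site's own mirrors are not reported against themselves; the keyword overlap is there for clones that change the title but lift the rest of the head unchanged.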

Update (1/5/2009): Waledac variant card.exe continues to be distributed; we’re seeing hxxp://direct christmas gift.com as an offending server up and running with the same card store front.