Saturday, July 23, 2011

MasterCard spam leads to Fake AV

The FBI is doing a great job gaining international cooperation in going after cyber criminals. Just last month yet another malware group was arrested, as announced in the June 22, 2011 FBI press release, "Department of Justice disrupts international cybercrime rings distributing scareware." In that case, criminals were arrested as part of a scareware ring that had infected more than 1 million computers and caused more than $72 million in losses!

Unfortunately, the end of fake Anti-virus scareware has not yet arrived. Here's an example from today's spam from the UAB Spam Data Mine.

Please see end for an update



We're seeing a significant "spam-attached malware" campaign over the past 24 hours, with six different attachment MD5s. (The output below has been condensed: the sender_domain column is dropped and the receiving times are shown as a first-seen / last-seen window for each hash.)

uab_spam=> select count(*), sender_domain, md5_hex, size from spam natural join spam_attach where sender_domain = 'mastercard.com' and receiving_date >= '2011-07-22' group by sender_domain, md5_hex, size;

 count | received                | md5_hex                          |  size
-------+-------------------------+----------------------------------+-------
   318 | 7/22 03:15 - 7/22 10:15 | 241cc18918540d6c49dd8b45df31985d | 67584
    20 | 7/22 10:45 - 7/22 11:00 | 5f8a95d194f7dcadabf442ed5705c4e0 | 79872
   565 | 7/22 11:30 - 7/22 17:30 | 0256a71baefd0f625910bbc44147e432 | 68096
  1133 | 7/22 17:45 - 7/23 04:00 | f4aea68ea94d7780a5b1abd709f7730f | 69632
    67 | 7/22 12:00 - 7/23 08:15 | 277eb4dacd401a3c520dc5bb9ede70f0 | 77237
   439 | 7/23 04:00 - 7/23 08:15 | fe88c3a276d11aa208dac7ae68f55cd3 | 67584
(6 rows)

Most popular email subjects:

count | subject
-------+-----------------------------------------------
24 | WARNING: Your credit card is locked!
26 | WARNING: Your credit card is blocked!
26 | ATTENTION: Your credit card has been blocked!
1116 | Your credit card is blocked
29 | ATTENTION: Your credit card is blocked!
1184 | Your credit card has been blocked
24 | CAUTION: Your credit card is locked!
29 | ATTENTION: Your credit card is locked!
31 | WARNING: Your credit card has been blocked!
19 | CAUTION: Your credit card has been blocked!
34 | CAUTION: Your credit card is blocked!
(11 rows)

The body of the email reads:



------------------
Dear User,
Your credit card is locked!
From your credit card has been removed $ 3951,74
Possibly illegal operation!
More details in the attached file.
Instantly contact your bank .
Best regards, MASTERCARD Services.
-------------------


The username portion of the sender address is random, but one of the words it uses is a classic misspelling, "cunsumer", that has been consistent for this sender (the same actor who has been doing the "government imitating" Zeus spam).

Usernames are a single word, followed by a ".", "_", or "-", followed by a two or three digit number.

The most popular words (by far) are "manager" (770 times) and "support" (757 times), but we've also seen admin, adminnistration, alerts, cunsumer, delivery, e-file, finance, frboard-webannouncements, govdelivery, information, inspector, news, news-alerts, no-reply, protection, public, report, service, stats, subscriber, subscriptions, usttb, and webannouncements.

The attached file is actually named as a ".com" file, using a random-seeming filename in the format "id" followed by a 5-7 digit number (such as id918538.com).
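The sender and attachment patterns described above are regular enough to turn into gateway rules. The following is an added example, not code from the original post or from the UAB Spam Data Mine: it parses a message with Python's standard `email` module and reports which of the campaign's indicators are present (the `word[._-]NN(N)` local-part, the forged mastercard.com domain, the card-locked/blocked subject, the `idNNNNNN.com` attachment name, and any directly executable attachment extension, since a `.com` attachment is a DOS/Windows executable, not a web address). The two messages it runs on are constructed fixtures modelled on the post, not captured mail; the indicator names and the `build_sample` helper are this example's own.

```python
import email
import email.utils
import os
import re
from email import policy
from email.message import EmailMessage

# Sender local-part as described in the post: one word (hyphens allowed, e.g.
# "e-file", "news-alerts"), then ".", "_" or "-", then a two- or three-digit number.
LOCALPART_RE = re.compile(r"^[a-z][a-z-]*?[._-]\d{2,3}$", re.IGNORECASE)
# Attachment name: "id" followed by 5-7 digits and a ".com" extension.
ATTACH_RE = re.compile(r"^id\d{5,7}\.com$", re.IGNORECASE)
# Subject: optional WARNING:/ATTENTION:/CAUTION: prefix, then the card-blocked lure.
SUBJECT_RE = re.compile(
    r"^(?:(?:warning|attention|caution):\s*)?"
    r"your credit card (?:is|has been) (?:locked|blocked)!?$",
    re.IGNORECASE,
)
# Directly executable attachment types a mail gateway should never pass through.
EXECUTABLE_EXT = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}


def indicators(raw_message: str) -> list[str]:
    """Return the names of the campaign indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []

    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.rpartition("@")
    if LOCALPART_RE.match(local):
        hits.append("sender-localpart-pattern")
    if domain.lower() == "mastercard.com":
        hits.append("claims-mastercard.com")

    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.append("subject-card-blocked")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits.append("attachment-id-digits.com")
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXT:
            hits.append("executable-attachment" + ext)
    return hits


def build_sample(from_addr: str, subject: str, body: str, attach_name: str) -> str:
    """Construct a multipart message with one binary attachment (test fixture only)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "user@example.net"
    m["Subject"] = subject
    m.set_content(body)
    # Constructed placeholder payload; a real sample would be the PE file itself.
    m.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_string()


# Constructed fixtures modelled on the post's description (not real captured mail).
SPAM_SAMPLE = build_sample(
    "manager.42@mastercard.com",
    "WARNING: Your credit card is locked!",
    "Dear User,\nYour credit card is locked!\nMore details in the attached file.\n",
    "id918538.com",
)
HAM_SAMPLE = build_sample(
    "alice@example.org",
    "Minutes from Friday's meeting",
    "Hi, minutes attached.\n",
    "minutes.txt",
)

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(label, indicators(raw))
```

Any one of these indicators on its own is weak (plenty of legitimate senders use "support_01"-style addresses), but the executable-attachment check is worth enforcing unconditionally, and two or more of the others together are a strong match for this campaign.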

Of the 2,649 copies of this spam we have received so far, the messages came from 1,443 distinct sending IP addresses (the /32 suffix below is just the database's notation for a single host address). Some of the most prolific senders have been:

count | sender_ip
-------+--------------------
10 | 113.172.171.155/32
10 | 190.99.213.191/32
9 | 75.145.37.117/32
9 | 187.126.15.108/32
9 | 110.164.112.159/32
8 | 188.81.213.237/32
8 | 201.240.80.96/32
8 | 79.82.153.66/32
8 | 110.138.30.34/32
7 | 180.253.110.135/32
7 | 151.64.138.215/32
7 | 79.178.152.194/32
6 | 95.37.41.218/32
6 | 201.240.215.105/32
6 | 94.20.98.220/32
6 | 122.167.44.208/32
6 | 71.197.255.106/32
6 | 113.190.138.153/32
6 | 90.177.147.202/32
6 | 178.150.237.124/32
6 | 65.10.178.64/32
6 | 178.204.204.172/32
6 | 24.90.102.247/32
6 | 93.75.103.25/32
6 | 190.235.93.183/32
6 | 82.51.62.237/32
6 | 77.236.26.169/32
6 | 110.164.106.145/32
6 | 178.222.27.142/32
6 | 113.53.181.86/32
6 | 123.17.157.159/32
6 | 151.25.53.47/32
5 | 201.68.209.20/32
5 | 180.180.150.248/32
5 | 120.62.24.122/32
5 | 59.182.51.42/32
5 | 182.53.176.152/32
5 | 194.28.88.58/32
5 | 85.186.178.173/32
5 | 41.140.170.143/32
5 | 71.200.55.41/32
5 | 200.91.255.142/32
5 | 190.43.147.223/32
5 | 125.24.202.30/32
5 | 41.140.43.44/32
5 | 59.184.128.238/32
5 | 95.58.34.230/32
5 | 117.201.20.59/32
5 | 186.6.177.39/32

I chose the most recent MD5 and submitted it to VirusTotal; only 3 of 43 antivirus products detected it as malicious, according to the VirusTotal report.

Since this arrived as an email attachment, web reputation didn't really help here. This is a case where your spam blocking is your best defense!

When the file is launched, it attempts to connect to a long list of domains that were probably produced by a "DGA" (Domain Generation Algorithm), so the list would likely be different at other times or on other days. The domains queried during my run included:

syqivolurypugi.com
qotasifelaw.com
tibumuqel.com
suzehebaq.com
sivycaqilugoq.com
levulehup.com
ledimajezociw.com
rabuqibareme.com
fopuvuwupode.com
cinuherijugeg.com

and more.

bakagunaxepo.com responded as 193.164.132.20 <= Gigahosting, Germany
bipuwyqojivu.com responded as 85.17.239.165 <= Leaseweb, Netherlands
civivicuqekexo.com responded as 93.104.208.84 <= Gigahosting
levulehup.com responded as 204.45.120.27 <= FDC Servers, Chicago
levysavasezo.com responded as 85.17.239.215 <= Leaseweb, Netherlands
pafozykavygaj.com responded as 85.17.239.216 <= Leaseweb, Netherlands
pejozehywe.com responded as 50.2.7.242 <= Eonix/GotHost
suzehebaq.com responded as 206.217.134.44 <= Colocrossing
syqivolurypugi.com responded as 206.217.134.43 <= Colocrossing
waciroqohuli.com responded as 64.56.65.213 <= VRTServers.net
zarapetahuryp.com responded as 50.2.7.241 <= Eonix/GotHost

as a few examples . . .
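The generated names above all share one shape: every letter alternates between consonant and vowel (with "y" used as a vowel), the labels are long, and letters such as q, w, y and z that are rare in English turn up often. That shape, plus the fact that several names resolve into the same small address blocks (three in 85.17.239.0/24, two in 206.217.134.0/24, two in 50.2.7.0/24), is what a hunter can pivot on without knowing the algorithm. The following is an added example, not code from the post: a heuristic scorer for this family's shape, and a grouping of flagged names by the /24 their resolved address falls in. The resolution lines are the ones listed in the post plus two constructed benign entries using RFC 5737 documentation addresses; the scoring thresholds are this example's own and will produce some false positives on long, vowel-rich real words, so use the score to prioritise review rather than to block outright.

```python
import ipaddress
import re
from collections import defaultdict

VOWELS = set("aeiouy")   # "y" counted as a vowel: the generated names use it that way
RARE = set("jkqvwxyz")   # letters that are uncommon in English-derived names


def cv_alternation(label: str) -> float:
    """Fraction of adjacent letter pairs that switch between consonant and vowel."""
    if len(label) < 2:
        return 0.0
    flips = sum((a in VOWELS) != (b in VOWELS) for a, b in zip(label, label[1:]))
    return flips / (len(label) - 1)


def dga_score(domain: str) -> int:
    """Heuristic score (0-4) for the syllable-generated shape seen in this family.

    Scores the label left of the last dot, which is the registered label for
    plain .com names like those in the post; no public-suffix list is used, so
    names under multi-part suffixes (co.uk etc.) would need one first."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not re.fullmatch(r"[a-z]+", label):
        return 0  # digits or hyphens: not the shape this family produces
    score = 0
    if len(label) >= 9:
        score += 1
    alt = cv_alternation(label)
    if alt == 1.0:
        score += 2      # perfect consonant/vowel alternation
    elif alt >= 0.85:
        score += 1
    if sum(c in RARE for c in label) >= 3:
        score += 1
    return score


LOG_RE = re.compile(r"^(\S+) responded as (\d{1,3}(?:\.\d{1,3}){3})")


def cluster_by_net(lines, prefix: int = 24, threshold: int = 3) -> dict[str, list[str]]:
    """Group DGA-like domains by the /prefix network their resolved IP falls in.

    Several generated names landing in one small network is the shared-hosting
    signal worth pivoting on (and worth blocking as a range, not per domain)."""
    nets = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        domain, ip = m.groups()
        if dga_score(domain) >= threshold:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            nets[str(net)].add(domain)
    return {net: sorted(doms) for net, doms in sorted(nets.items())}


# Resolution lines from the post, plus two constructed benign lines
# (RFC 5737 documentation addresses) to show non-matches.
SAMPLE_LOG = """\
bakagunaxepo.com responded as 193.164.132.20 <= Gigahosting, Germany
bipuwyqojivu.com responded as 85.17.239.165 <= Leaseweb, Netherlands
civivicuqekexo.com responded as 93.104.208.84 <= Gigahosting
levulehup.com responded as 204.45.120.27 <= FDC Servers, Chicago
levysavasezo.com responded as 85.17.239.215 <= Leaseweb, Netherlands
pafozykavygaj.com responded as 85.17.239.216 <= Leaseweb, Netherlands
pejozehywe.com responded as 50.2.7.242 <= Eonix/GotHost
suzehebaq.com responded as 206.217.134.44 <= Colocrossing
syqivolurypugi.com responded as 206.217.134.43 <= Colocrossing
waciroqohuli.com responded as 64.56.65.213 <= VRTServers.net
zarapetahuryp.com responded as 50.2.7.241 <= Eonix/GotHost
example.com responded as 198.51.100.10 <= constructed benign entry
wikipedia.org responded as 203.0.113.5 <= constructed benign entry
""".splitlines()

if __name__ == "__main__":
    for net, doms in cluster_by_net(SAMPLE_LOG).items():
        print(net, doms)
```

Run over the post's list, the three Leaseweb names collapse into 85.17.239.0/24 and the Colocrossing and Eonix pairs into their own /24s, while the two benign names score below the threshold and drop out. In a real investigation the same grouping is the starting point for an abuse report to the hosting provider and for a network-level block while the sinkholed names rotate.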

The purpose of the malware? It seems to be just another fake anti-virus product. Here's the scan that kicked off:



After the scan, I was of course constantly reminded of the grave danger I was in:



First it issued an HTTP GET for "1038000112" from "bogekizase.com" on 66.197.213.6.

All it got back from there was "OK."

Most of the interaction was with tibumuqel.com on 79.143.178.101.

tibumuqel.com was registered on July 15, 2011 using the contact info:


Ana Ivancic freon@cutemail.org
+385.20324535
Od Domina 5
Dubrovnik,Southern Dalmatia,HR 20000

Searching on her details will show that "Ana" has registered plenty of other malware domains as well, usually with different email addresses.

From the tibumuqel.com domain, the malware issued a GET for "10380001124255461742", which was redirected to "buy.html".

That's also the box that my payment information was posted back to, although unfortunately, my credit card was declined. 8-(


That was my "purchase the fake AV product" screen, giving me my pricing options, and letting me know that this fake AV product was an SC Magazine 2011 award finalist!



What are our lessons learned?

Anti-virus can't protect you by itself, as evidenced by the fact that only 3 of 43 AV products knew about this malware this morning. You need a robust security strategy that includes:

a. Being Smart about what you click on. (Start with CLICK ON NOTHING)
b. a web-reputation component (stopping traffic to bad websites)
c. a strong spam filter


Update



While looking at a totally different spam message, I saved the attachment and scanned it at VirusTotal. I thought the MD5 looked familiar, and ran a different search in the UAB Spam Data Mine.

This query says "show me the most popular subjects since yesterday where the email had an attachment with the MD5 = "277eb..."

uab_spam=> select count(*), subject from spam natural join spam_attach where md5_hex = '277eb4dacd401a3c520dc5bb9ede70f0' and receiving_date >= '2011-07-22' group by subject order by count desc;

The search results reveal that in addition to the MasterCard spam ("Your credit card is blocked"), the BINARY-IDENTICAL malware is being distributed in a set of spam messages presenting themselves as a new "love card" game, and also as a "FedEx" message.


count | subject
-------+------------------------------------------------
187 | Your credit card is blocked
179 | Your credit card has been blocked
6 | Gift from Your Babbie
6 | LOVE-CARD from Your Babbie
5 | Nice Gift only for YOU
5 | Nice Gift from Your Babbie
5 | LOVE - CARD from YOUR BABY
5 | Gift for special YOU
4 | LOVE GIFT from Your GirlFriend
4 | Love-Card from Your Babbie
4 | Gift from YOUR BABBIE
4 | Gift from Your Love
4 | LOVE GIFT from Your Baby
4 | Gift for YOU
4 | LOVE - CARD only for YOU
4 | LoveCard from YOUR PUSSY
4 | LOVECARD for YOU
4 | Gift from YOUR PUSSY
3 | Love Gift from Y
3 | LOVE GIFT from YOUR BABBIE
3 | LOVECARD from YOUR BABBIE
3 | LOVECARD from Your Pussy
3 | NICE GIFT only for YOU
3 | LOVE GIFT from Your Love
3 | Nice Gift from YOUR LOVE
3 | NICE GIFT from Your GirlFriend
3 | Love-Card from Your GirlFriend
3 | Love-Card from YOUR BABY
3 | Love-Card from YOUR LOVE
3 | LOVE - CARD for YOU
3 | LOVECARD from Your Love
3 | LOVE - CARD from Your Pussy
3 | FedEx Delivery Confirmation 959256
3 | LOVE GIFT special for YOU
3 | Nice Gift from Your Baby
2 | Love-Card from Your Baby
2 | Love-Card from Your Love
2 | Love Gift special for YOU
2 | Love Gift from Your GirlFriend
2 | Nice Gift from YOUR BABBIE
2 | LOVECARD from YOUR PUSSY
2 | NICE GIFT from Your Pussy
2 | Love-Card for YOU
2 | GIFT from YOUR BABY
2 | Love Gift from YOUR BABY
2 | our Love
2 | GIFT from YOUR GIRLFRIEND
2 | Love Gift from Your Baby
2 | LOVECARD from YOUR GIRLFRIEND
2 | LOVECARD from YOUR LOVE
2 | LoveCard from YOUR BABY
2 | Nice Gift from YOUR PUSSY
2 | LOVE GIFT from YOUR GIRLFRIEND
2 | LOVECARD only for YOU
2 | LoveCard from YOUR LOVE
2 | Love-Card only for YOU
2 | LOVE-CARD from Your Love
2 | GIFT from Your GirlFriend
2 | LoveCard only for YOU
2 | GIFT from Your Pussy
2 | LOVE GIFT only for YOU
2 | NICE GIFT from YOUR BABY
2 | LoveCard from YOUR BABBIE
2 | Nice Gift from Your GirlFriend
2 | Love Gift from YOUR PUSSY
2 | Gift from Your GirlFriend
2 | Love Gift from Your Babbie
2 | NICE GIFT from YOUR GIRLFRIEND
2 | LOVE-CARD for YOU
2 | Nice Gift from YOUR BABY
2 | NICE GIFT from Your Love
2 | Gift from YOUR BABY
2 | LOVE-CARD only for YOU
2 | LOVE-CARD from YOUR PUSSY
2 | LOVE - CARD from YOUR GIRLFRIEND
2 | LOVE GIFT from YOUR LOVE
2 | LOVE-CARD from YOUR BABY
1 | Your Fed Ex id. 1261345
1 | From Fed Ex 1608374
1 | Fed Ex id. 72663522
1 | Fed Ex: DELIVER CONFIRMATION - FAILED 61010754
1 | From FEDEX 66810145
1 | FEDEX: DELIVER CONFIRMATION - FAILED 77170773
1 | Your FedEx id. 1629114
1 | Your Fedex id. 32327869
1 | FEDEX Attention 29219918
1 | Fed Ex Attention 67868668
1 | DELIVERY CONFIRMATION FROM Fedex 9190176
1 | Fedex: DELIVER CONFIRMATION - FAILED 41984219
1 | Fedex ATTENTION 6338557
1 | FEDEX Attention 046196
1 | Fed Ex Attention 387314
1 | Your Fedex id. 434089
1 | Fed Ex Delivery Confirmation 2241136
1 | Fed Ex DELIVERY CONFIRMATION 87476541
1 | Fed Ex: DELIVER CONFIRMATION - FAILED 3022529
1 | Fed Ex Delivery Confirmation 4749239
1 | FEDEX Delivery Confirmation 3963252
1 | FEDEX ATTENTION 856587
1 | FEDEX id. 1677134
1 | FedEx ATTENTION 76569153
1 | From Fed Ex 9733307
1 | FedEx Delivery Confirmation 35208363
1 | FEDEX: DELIVER CONFIRMATION - FAILED 806406
1 | DELIVERY CONFIRMATION FROM FedEx 290057
1 | From Fed Ex 630972
1 | Fedex ATTENTION 415495
1 | FEDEX Attention 72445407
1 | FEDEX Attention 9647476
1 | From Fed Ex 6560851
1 | FedEx id. 7689961
1 | FEDEX Attention 3225080
1 | Fedex Attention 0014817
1 | Fed Ex DELIVERY CONFIRMATION 17629587
1 | FEDEX DELIVERY CONFIRMATION 97113221
1 | FedEx Attention 76468884
1 | Fed Ex Delivery Confirmation 32603804
1 | FEDEX: DELIVER CONFIRMATION - FAILED 5347890
1 | FedEx Delivery Confirmation 20606057
1 | Fedex: DELIVER CONFIRMATION - FAILED 804651
1 | FedEx DELIVERY CONFIRMATION 9137898
1 | Fedex Delivery Confirmation 60516598
1 | Fed Ex Attention 166784
1 | From Fedex 491840
1 | From FEDEX 55788940
1 | Fed Ex ATTENTION 82103305
1 | From Fed Ex 0947757
1 | FedEx DELIVERY CONFIRMATION 399387
1 | Fed Ex Delivery Confirmation 15166031
1 | Fedex ATTENTION 692266
1 | FedEx: DELIVER CONFIRMATION - FAILED 229436
1 | From Fedex 490430
1 | FEDEX ATTENTION 021008
1 | DELIVERY CONFIRMATION FROM Fedex 443617
1 | FedEx Delivery Confirmation 73541619
1 | Fed Ex Delivery Confirmation 4746337
1 | DELIVERY CONFIRMATION FROM FedEx 571030
1 | FEDEX: DELIVER CONFIRMATION - FAILED 146965
1 | FEDEX id. 4571782
1 | FedEx ATTENTION 668706
1 | DELIVERY CONFIRMATION FROM Fed Ex 7294665
1 | From Fed Ex 072503
1 | Fed Ex DELIVERY CONFIRMATION 87980984
1 | From Fed Ex 04974153
1 | DELIVERY CONFIRMATION FROM Fed Ex 8260718
1 | Your FEDEX id. 095521
1 | LOVE-CARD from YOUR LOVE
1 | Your Fed Ex id. 11329550

Love Card Version



The "Love card" version of the spam reads like this:

-------

GOOD AFTERNOON! Do you like games ?

Service www. lovecard. ge Present New Game For Amateurs Strawberries
This game is still freeware. You can find it in Attached. Please test it and send us Your comments and suggestions !
With Best Wishes !.. www. love-card. org

-------

or

-------

Attention! Do you like games ?

Service www. mylovecards. com Present New Game For Amateurs Strawberries
This game is still freeware. You can find it in Attached. Please test it and send us Your comments and suggestions !
With Best Wishes !.. www. love-card. org

-----

The "love card" version ends with "white on white" text in tiny letters that reads:




Are you tired of routine romance and love making? Are you looking for a little more fun and excitement? Games are light-hearted and lots of fun. They take the pressure off and allow you and your partner to really let loose. Whether you're trying to get to know each other better, spark the romance, or improve your sex life, a game is a fun way to do it! www. love-card. org is the recognised industry leader in adult games for lovers who want to explore a deeper level of intimacy, sexuality and romance. We have been offering couples in loving relationships pleasurable and educational entertainment to enhance their relationship since 1987. Developed with the assistance of professionals, our games and products are tasteful, sensitive and respectful.

FedEx Version




The "FedEx" version looks like this:

GOOD DAY!
DEAR CONSUMER , Delivery Confirmation: FAILED
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT
Pack it. Ship ip. No calculating , Your FedEx TEAM

or

Hello!
DEAR USER , DELIVERY CONFIRMATION: FAILED
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT
With respect , FedEx .com Customer Services

or

Good day!
DEAR USER , We were not able to delivery the post package
Please print out the invoice copy attached and collect the package at our department
Best Regards , Fedex Customer Services
