One of the features in the new version of the UAB Spam Data Mine is the ability to quickly run “malware links” and “malware attachments” reports for the current day, the previous day, or a date range.
The objective of this functionality is to provide as close to “real time” intelligence on potential new email-based threats as possible. You’ll see what I mean below.
I’ve been playing with it for the past several days, but just so you can join in the fun, let me show you the top results that come back when I do:
| Spam Count | Attached MD5 | Extension | Subject |
|---|---|---|---|
| 6 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Renaissance Chicago made wrong transaction |
| 5 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Hyatt Regency Houston made wrong transaction |
| 5 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Jefferson made wrong transaction |
| 5 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Renaissance Washington made wrong transaction |
| 5 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Sheraton Suites San Diego at Symphony Hall made wrong transaction |
| 5 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel The Westin Oaks made wrong transaction |
| 5 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Westin Diplomat Resort & Spa made wrong transaction |
| 5 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Westin St. Francis made wrong transaction |
| 4 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Hilton Las Vegas made wrong transaction |
| 4 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Intercontinental Buckhead Atlanta made wrong transaction |
| 4 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Rancho Bernardo Inn made wrong transaction |
| 4 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Ritz Carlton Kapalua made wrong transaction |
| 4 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Ritz-Carlton Marina Del Rey made wrong transaction |
| 4 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel The Latham made wrong transaction |
| 4 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel The Westin New York at Times Square made wrong transaction |
| 4 | c15eb3c47800fec025b6a86a6409f144 | zip | Wrong transaction from your credit card in Ritz Carlton Naples Beach Resort |
| 3 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel Four Seasons Resort Maui at Wailea made wrong transaction |
| 3 | c15eb3c47800fec025b6a86a6409f144 | zip | Hotel The Whitehall made wrong transaction |
| 3 | c15eb3c47800fec025b6a86a6409f144 | zip | Wrong transaction from your credit card in Loews Miami Beach |
| 3 | c15eb3c47800fec025b6a86a6409f144 | zip | Wrong transaction from your credit card in Woodrun V Townhomes |
Since we’ve never seen spam like this before, it’s “new” and potentially interesting!
One quick check of whether this is “interesting” is to ask forty-three different anti-virus vendors whether the attached file is a virus or not.
We do this by using the services of VirusTotal.com, which gave us back this report: VirusTotal Report for c15eb3c47800fec025b6a86a6409f144. At the time of this writing, having already received more than 800 copies of the spam, Sophos and Trend Micro call it “BredoLab”, Rising AV of China calls it “suspicious”, and NOD32 says it’s a “Kryptik” variant. The other thirty-nine AV companies currently don’t have published definitions for this malware.
The spam messages look like this:
We’ve already seen more than 400 different subjects that are part of this group!
7 | Hotel Courtyard by Marriott Houston Downtown made wrong transaction
6 | Hotel Ritz-Carlton Marina Del Rey made wrong transaction
6 | Hotel Hilton Las Vegas made wrong transaction
6 | Hotel Renaissance Chicago made wrong transaction
6 | Hotel Westin Diplomat Resort & Spa made wrong transaction
5 | Wrong transaction from your credit card in Icon
5 | Wrong transaction from your credit card in Ritz Carlton Naples Beach Resort
5 | Hotel The Westin Oaks made wrong transaction
5 | Hotel Sheraton Suites San Diego at Symphony Hall made wrong transaction
5 | Hotel Renaissance Washington made wrong transaction
5 | Hotel Jefferson made wrong transaction
5 | Hotel Westin St. Francis made wrong transaction
5 | Hotel Rancho Bernardo Inn made wrong transaction
5 | Hotel Intercontinental Buckhead Atlanta made wrong transaction
5 | Hotel Hyatt Regency Houston made wrong transaction
(The complete list concludes at the bottom of this post . . . )
One of the other great things we can do with the UAB Spam Data Mine, though, is to ask “what other things are being sent by the computers that sent us this spam?”
Look what happens when I ask “show me the top subjects from YESTERDAY that were spammed by IP addresses that spammed the hotel spam TODAY?”
62 | 2011-07-26 | Credit Card is one week overdue
51 | 2011-07-26 | Credit Card overdue
43 | 2011-07-26 | Your Credit Card is one week overdue
39 | 2011-07-26 | Payment by credit card overdue
39 | 2011-07-26 | Credit card payment of overstayed
25 | 2011-07-26 | Your financial debt overdue
6 | 2011-07-26 | Re: Re: hi bud
5 | 2011-07-26 | Get your first bonus just for registering.
4 | 2011-07-26 | We offer only top grade Replica watches at only a fraction of the original price,
4 | 2011-07-26 | Chase bonuses no more; register at Winner Palacce.
4 | 2011-07-26 | Seeking gaming glory? Sign up and get free bonus.
3 | 2011-07-26 | A dream come true sign up bonus at Winner Palacce.
3 | 2011-07-26 | Gaming glory beckons, register and get free bonus.
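The two queries used above, the per-day “malware attachments” report (count by attachment MD5 and subject) and the sender-IP pivot (“top subjects from YESTERDAY sent by the IPs that sent the hotel spam TODAY”), are easy to reproduce over any spam archive that records date, sender IP, subject and attachment hash. The following is an added example, not code from the UAB Spam Data Mine; the records are constructed, the IPs are documentation addresses, and only the hotel-spam MD5 comes from the post.

```python
import sqlite3

# Constructed sample records: (sent_date, sender_ip, subject, attach_md5).
# The MD5 is the one reported in the post; the IPs are RFC 5737 test addresses.
HOTEL_MD5 = "c15eb3c47800fec025b6a86a6409f144"
SAMPLE_SPAM = [
    ("2011-07-27", "192.0.2.10", "Hotel Renaissance Chicago made wrong transaction", HOTEL_MD5),
    ("2011-07-27", "192.0.2.11", "Hotel Jefferson made wrong transaction", HOTEL_MD5),
    ("2011-07-27", "192.0.2.12", "Hotel Jefferson made wrong transaction", HOTEL_MD5),
    ("2011-07-27", "192.0.2.50", "Cheap meds", None),                 # unrelated sender
    ("2011-07-26", "192.0.2.10", "Credit Card is one week overdue", None),
    ("2011-07-26", "192.0.2.11", "Credit Card is one week overdue", None),
    ("2011-07-26", "192.0.2.11", "Credit Card overdue", None),
    ("2011-07-26", "192.0.2.12", "Re: Re: hi bud", None),
    ("2011-07-26", "192.0.2.50", "Unrelated newsletter", None),       # must not appear in pivot
]

def load_db(records):
    """Load the records into an in-memory SQLite table shaped like a minimal spam archive."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE spam (sent_date TEXT, sender_ip TEXT, subject TEXT, attach_md5 TEXT)")
    con.executemany("INSERT INTO spam VALUES (?, ?, ?, ?)", records)
    return con

def attachment_report(con, day):
    """'Malware attachments' report: spam count per (attachment MD5, subject) for one day."""
    return con.execute("""
        SELECT COUNT(*) AS n, attach_md5, subject
        FROM spam
        WHERE sent_date = ? AND attach_md5 IS NOT NULL
        GROUP BY attach_md5, subject
        ORDER BY n DESC, subject""", (day,)).fetchall()

def pivot_by_sender(con, today, yesterday, subject_pattern):
    """Top subjects sent on `yesterday` by the IPs that sent spam matching `subject_pattern` on `today`."""
    return con.execute("""
        SELECT COUNT(*) AS n, subject
        FROM spam
        WHERE sent_date = ?
          AND sender_ip IN (SELECT DISTINCT sender_ip FROM spam
                            WHERE sent_date = ? AND subject LIKE ?)
        GROUP BY subject
        ORDER BY n DESC, subject""", (yesterday, today, subject_pattern)).fetchall()

if __name__ == "__main__":
    db = load_db(SAMPLE_SPAM)
    for row in attachment_report(db, "2011-07-27"):
        print("attachments:", row)
    for row in pivot_by_sender(db, "2011-07-27", "2011-07-26", "%wrong transaction%"):
        print("pivot:", row)
```

With real data the pivot is what links a brand-new attachment campaign to an older one: the sender overlap surfaces before any AV vendor has a signature for the new file.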
The top group – the most prominent in response to this query – was the “MasterCard” version of the Fake AV malware that we blogged about previously on July 23rd — MasterCard Spam Leads to Fake AV. SC Magazine’s Angelina Moscaritolo wrote that up under the headline “Rogue AV Masquerading as SC Awards 2011 Finalist”. The same spamming botnet has been sending out Casino spam and Rolex watch spam for more than a month.
We had 120 different subjects from this small IP sample group yesterday — many of the subjects are “customized” such as “email@example.com Rolex.com For You – 77%” or “firstname.lastname@example.org Rolex.com For You – 55%”
So, what do we predict the Hotel Spam will turn out to be? There is a good chance it will be related to the MasterCard Fake AV Spam. Well . . . one way to find out, right?
The .zip file contained this file:
When we launched the malware, it made a connection to the web server at “yomwarayom2001.ru” on IP address 220.127.116.11.
The first link we hit there was an exploit server — probably the “BlackHole Exploit Kit” that has been very popular recently on similarly structured web pages. We almost immediately ALSO fetched a file called “forum3/load.php?module=grabbers”.
This caused us to download a file “soft.exe” from yomwarayom2001.ru.
In a couple of minutes, a pop-up announced “Software Installed” and had an “OK” button. Clicking OK caused a connection to “heftyhips.com” on IP 18.104.22.168, where the file “images/img.php?id=106” was fetched.
Shortly thereafter we had a “Defender” icon on the desktop, which was this file:
Note that “Defender” claims to be written by AVG Software Development, a real antivirus company!
That was enough to convince me we were still in “Fake AV” territory.
(source: CyberCrime & Doing Time)