Cloudy Skies

[Image: Before the Storm, by premasagar via Flickr]

Storm talk is thundering across the security blog horizon. Despite the consensus that this spam monster is indeed a Storm relative, there is some argument over just how NEW this new Storm is.

Several people have taken a look at the spam-spewing samples, digging into the malware’s functionality as well as its communication and the templates used for generating the various spam emails. They have found major similarities between several aspects of the new and old Storm fronts, including filename usage and user-agent typos (Windoss instead of Windows), but the more recent version has dropped the peer-to-peer portion of the code.

Atif Mushtaq at FireEye writes that these are all details he observed on a Storm variant back in 2008. So is this old news? Nothing about what is being called Pecoan (another name in the long list: Nuwar, Peacomm, Zhelatin, Dorf) is really more sophisticated than its predecessor and the samples I ran only connected with one static IP, so I don’t think this Storm will be as violent as the last. The creators of the original Storm have had enough time to code a better botnet so perhaps this is just a rediscovery of a forgotten remnant.

Right now compromised systems are sending out online pharmacy, adult dating, and nude celebrity emails. The template design allows for a wide array of sender names, subjects, message content, and destination URLs. The malware harvests email addresses from the victim machines and sends Base64-encoded POSTs to pass information and report in to its C&C.
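To make that reporting channel concrete from the defender’s side, here is an added example of my own (not code from the original post, and not derived from the samples) that scans proxy-log lines for POST bodies that are well-formed Base64 and, once decoded, contain email addresses, the combination described above. The log format, the hosts, paths and payloads are all constructed for the example; it runs offline.

```python
import base64
import binascii
import re

# Constructed proxy-log lines for this example (not real traffic):
# "<method> <host> <path> body=<request body>"
SAMPLE_LOG = [
    # Base64 body that decodes to two harvested addresses separated by ';'
    "POST 203.0.113.10 /report.php body=dXNlckBleGFtcGxlLmNvbTthbGljZUBleGFtcGxlLm9yZw==",
    # Base64 body that decodes to a plain check-in string (no addresses)
    "POST 203.0.113.10 /report.php body=aG9zdD1XSU5CT1gx",
    # Ordinary form post, not Base64 at all
    "POST www.example.com /search body=q=storm&lang=en",
    # Not a POST; ignored regardless of body
    "GET www.example.com /index.html body=",
]

# Loose email-address pattern, applied to the decoded bytes.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Strict Base64 shape: alphabet characters with '=' padding only at the end.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64_body(body):
    """Return the decoded bytes if body is well-formed Base64, else None."""
    if not body or len(body) % 4 != 0 or not B64_RE.match(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error:
        return None


def parse_line(line):
    """Split one constructed log line into (method, host, path, body)."""
    method, host, path, body_field = line.split(" ", 3)
    return method, host, path, body_field[len("body="):]


def extract_emails(body):
    """Email addresses found in a Base64 body after decoding (sorted, unique)."""
    decoded = decode_base64_body(body)
    if decoded is None:
        return []
    return sorted({m.decode("ascii") for m in EMAIL_RE.findall(decoded)})


def classify_post(line):
    """Label a log line: ignored / plain / base64 / base64-with-emails."""
    method, _host, _path, body = parse_line(line)
    if method != "POST":
        return "ignored"
    if decode_base64_body(body) is None:
        return "plain"
    return "base64-with-emails" if extract_emails(body) else "base64"


def scan_log(lines):
    """Return (host, path, label, emails) for every Base64 POST in the log."""
    hits = []
    for line in lines:
        label = classify_post(line)
        if label.startswith("base64"):
            _method, host, path, body = parse_line(line)
            hits.append((host, path, label, extract_emails(body)))
    return hits


if __name__ == "__main__":
    for host, path, label, emails in scan_log(SAMPLE_LOG):
        print(f"{host}{path}: {label} {emails}")
```

The shape check and `validate=True` keep ordinary form posts (which often contain `=` and `&`) from being mistaken for Base64, and the email match runs on the decoded bytes so a payload that is not valid text still gets inspected. A Base64 POST with no addresses in it is still reported, since a check-in that carries only host details is the other half of the traffic pattern described above.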

As always, be cautious while online and when in doubt, don’t click.

Matt Sully
Director
Threat Research & Analysis


Fun with Dick and Jane

Fail too fast in bed?

Looking to revive your sleep desires?

What is money in comparison to your potency?

To anyone with an email address those phrases might seem awfully familiar. I’m talking about spam: the scourge of system administrators, the friendly pharmacy to the misinformed. It arrives unrequested, unavoidable, unimaginably hilarious. Now, you too can get in on the game, spamming friends, family, and foes alike thanks to the user-friendly Set-X Mail Service, courtesy of the Set-X Corporation.

Straight from the press release announcing the service:

“- Flexible and convenient Web based interface, detailed statistics while sending, changing any settings (mail databases, texts, macros)

- User-friendly web based interface – start spamming from day one

- Automatic “spamming capabilities” assessments of the bot allowing you to think about your business and not about the technical details behind it

- Daily malware updates, four programmers allocated for every server, sending automatic ICQ notifications whenever the malware gets updated

- Automatic optimization of the spam campaign by first allocating the bots with clean IP reputation

- Optional is the option to choose whether or not a dedicated “spamming engineer” should be allocated to your server

- His responsibilities include introducing a higher number of bots if requested, ensuring that dead bots get disconnected from your server, and providing personal advice on optimizing your campaigns and bypassing anti-spam filtering through the built-in multi RBL checking feature

A brief description of the system:

1. The system is automatically harvesting the outgoing and incoming email addresses on the infected hosts and the associated accounting data, supporting the following clients:
- Mozilla Thunderbird
- Outlook Express
- MS Outlook
- The Bat
- Opera

2. The bot automatically defines its MX and PTR records, if they are present it switches to Direct SMTP mailing which means that it can send the spam directly to the recipients using the MX and PTR DNS records of the bot, enforcing direct sending even without MX and PTR records is also possible

3. The central control server automatically assigns different regional servers to the bots, and rotates them periodically for security purposes

4. All the information about the spam campaigns and the bots can be exported and syndicated with another regional server as requested, with the regional server dynamically establishing links with other regional servers so that it never really knows the address of the central command server

5. There are several different ways of sending spam using this service:

1) Direct spamming from the legitimate email accounts of the infected computers, with the system automatically syndicating all the available legitimate emails whose accounting data naturally stolen due to the malware infection is again, automatically integrated in a “unique legitimate senders” database. Full support for web based email accounts in the form of domain:username:password

2) Sending via Direct SMTP: send messages directly using the MX and PTR records of the infected host’s gateway

3) Sending to direct recipient

4) Sending through open relays and socks servers, both of which can be provided at an additional cost

6. SET-X Mail System is highly modular, with unique features easily coded and implemented as requested by the customer

The average speed from one server is 5000/7000 emails per minute, over 1 million emails per day, and if requested you can purchase as many servers as you would like. The price of rent per month is $2000 with additional $1000 for each additional server if the servers are ordered at the same time.”

Capable of creating clever tag lines? Got a couple of thousand bucks lying around? Sign up now and you too can irritate millions of strangers every day.
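The press release’s point about bots sending direct to MX with or without PTR records has a receiver-side counterpart that the release itself never mentions: forward-confirmed reverse DNS (FCrDNS), where the receiving mail server resolves the client IP to a name and checks that the name resolves back to that IP. The following is an added example of my own (not code from the post or the Set-X material) that applies that check plus a HELO sanity check to a few SMTP connection records. The DNS tables, IP addresses, hostnames and sessions are all constructed for the example, so it runs offline.

```python
# Constructed reverse-DNS table for this example (not real records).
PTR_RECORDS = {
    "192.0.2.25": "mail.example.net",     # real mail host
    "198.51.100.7": "dsl-7.isp.example",  # generic PTR whose forward lookup points elsewhere
    # 203.0.113.44 deliberately has no PTR record at all
}

# Constructed forward-DNS table (name -> addresses).
A_RECORDS = {
    "mail.example.net": ["192.0.2.25"],
    "dsl-7.isp.example": ["198.51.100.99"],
}

# Constructed SMTP connection records: client IP and the HELO/EHLO name it sent.
SESSIONS = [
    {"ip": "192.0.2.25", "helo": "mail.example.net"},
    {"ip": "198.51.100.7", "helo": "mail.example.net"},
    {"ip": "203.0.113.44", "helo": "WINBOX1"},
]


def fcrdns_status(ip, ptr=PTR_RECORDS, fwd=A_RECORDS):
    """Classify an IP as pass / mismatch / no-ptr by forward-confirming its PTR."""
    name = ptr.get(ip)
    if name is None:
        return "no-ptr"
    if ip not in fwd.get(name, []):
        return "mismatch"
    return "pass"


def helo_status(helo):
    """A HELO name should be a fully qualified domain name, not a bare hostname."""
    return "fqdn" if "." in helo.strip(".") else "bare-hostname"


def assess_session(session):
    """Combine both checks into a per-connection verdict."""
    fcrdns = fcrdns_status(session["ip"])
    helo = helo_status(session["helo"])
    # Only a forward-confirmed host that also announces a proper FQDN is low risk;
    # no PTR, a non-confirming PTR, or a bare workstation name all look like a
    # compromised end-user machine mailing direct to MX.
    risk = "low" if fcrdns == "pass" and helo == "fqdn" else "high"
    return {"ip": session["ip"], "fcrdns": fcrdns, "helo": helo, "risk": risk}


def triage(sessions):
    """Assess every session and return the verdicts in input order."""
    return [assess_session(s) for s in sessions]


if __name__ == "__main__":
    for verdict in triage(SESSIONS):
        print(verdict)
```

In a real receiver the two dictionaries would be replaced by resolver calls (`socket.gethostbyaddr` for the PTR side and `socket.gethostbyname_ex` for the forward side, or a DNS library), and the verdict would feed a score or a reject rule rather than a print. The useful property is that the check is cheap and cannot be satisfied by a bot on a consumer IP without control of that address’s reverse zone, which is exactly what the release concedes when it describes sending “even without MX and PTR records”.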

Thanks to Dancho Danchev for translating the material from Russian.