News:

April 26, 2009
Swine flu and spam

What does the swine flu have to do with spam?

In the past, during an avian flu outbreak in Asia, there was a glut of spam advertising antiviral drugs like Tamiflu. People were afraid there wouldn't be enough of the drug to go around, so they were hoarding. They couldn't get a prescription from their doctors for an illness they didn't even have, so they bought it from spammers.

Of course, there was no pandemic that time. But don't assume that's because the risk was exagerated. A virus like the current human/avian/swine flu can still be as deadly as the one in 1918. Given the way the flu virus mutates, it's more or less inevitable a pandemic will happen someday, even if it doesn't this time. And public health officials around the world are very aware of that, and they have been planning for it .

When the avian flu began to infect people in Asia, public health officials around the world put out warnings to the public, began surveillance for avian flu virus by collecting viral cultures through a network of "sentinel physicians," warned physicians who might come in contact with cases, restricted travel by people who might be infected, and kept antiviral medication on hand. Those actions may actually have been what averted disaster at that time.

The same thing is happening now, and public health agencies are back on alert-- they are trying to identify cases, so they can treat both the ill person and his/her contacts.

If you suspect you may have the flu, contact your doctor or public health department. Public health departments in the US have plenty of Tamiflu, and they are keeping track of cases to make sure the virus doesn't become resistant. They have a system set up to protect you and the people you care about, so let that system work the way it's supposed to. Don't take a chance on a generic counterfeit from a spammer pharmacy. There is a very high chance that the drugs they send have no active ingredient at all, and if the pills have a dose that is too low, it may actually help the virus develop immunity. During the time you waste on spamvertised crap, you could be infecting those you love with a Tamiflu-proof version of the virus.

April 25, 2009
Puppy adoption scam email

If you received one of these, be assured that several thousand other people did, too. The "free" puppy will require all types of fees to get it out of the country. There is no puppy, and they will keep thinking of fees as long as you keep falling for their lies. Any papers they fax you will be forgeries.

There are plenty of dogs available for adoption in the US. Check your local shelters, or visit Petfinder.com . If you were hoping to get a highly valuable dog for "free," don't let your greed blind you. No matter what the dog costs from a legitimate breeder, you will end up paying much more being bled dry with "just one more small fee" for a non-existent dog with forged papers.

April 9, 2009
Open letter to the new chairman of the US Federal Trade Commission

Members of the InboxRevenge.com antispam forum have posted an open letter to the new FTC chairman, Jon Leibowitz. It's about how the types of cybercrime that constitute a threat to national security are closely tied to the spam and fraud that shows up in your inbox:

April 2, 2009
Waledac's "dirty bomb" will make a mess of your computer

The Waledac domain chatloveonline.com is still alive and well. It's been alive so long it's a bit of a trick to visit -- Avira's AntiVir recognizes the URL and won't allow you to open the page. Everyone seems to know it's bad, but no one has taken it down.

The current Waledac theme is a fake Reuters news story about a dirty bomb. The page actually analyzes which IP address you're visiting from, and uses that city's name in the headline:

As is typical, the text is clearly not written by a native English speaker:

If you don't live in Laurel, substitute New York, Washington, Los Angeles, Chicago, Houston, Miami, Seattle, Philadelphia, San Francisco, Dallas, Boston, Cleveland, etc.

Obviously, there is no video, and clicking on the link that claims to download Flash Player really downloads the Waledac trojan. It isn't very well detected by antivirus programs, which isn't surprising -- I grabbed copies from this site twice today, and virustotal.com detects the two copies as different trojans. In that brief period, a new variation was already uploaded:

File save.exe received on 04.03.2009 03:19:31 (CET) Result: 6/39 (15.39%) Antivirus ----- Version ----- Result a-squared ----- 4.0.0.101 ----- - AhnLab-V3 ----- 5.0.0.2 ----- - AntiVir ----- 7.9.0.129 ----- - Antiy-AVL ----- 2.0.3.1 ----- - Authentium ----- 5.1.2.4 ----- - Avast ----- 4.8.1335.0 ----- - AVG ----- 8.5.0.285 ----- Win32/Cryptor BitDefender ----- 7.2 ----- - CAT-QuickHeal ----- 10 ----- - ClamAV ----- 0.94.1 ----- - Comodo ----- 1096 ----- - eSafe ----- 7.0.17.0 ----- - eTrust-Vet ----- 31.6.6433 ----- - F-Prot ----- 4.4.4.56 ----- - F-Secure ----- 8.0.14470.0 ----- Packed:W32/Waledac.gen!I Fortinet ----- 3.117.0.0 ----- - GData ----- 19 ----- - Ikarus ----- T3.1.1.49.0 ----- - K7AntiVirus ----- 7.10.690 ----- - Kaspersky ----- 7.0.0.125 ----- - McAfee ----- 5572 ----- - McAfee+Artemis ----- 5572 ----- - McAfee-GW-Edition ----- 6.7.6 ----- Worm.LooksLike.Rbot Microsoft ----- 1.4502 ----- Trojan:Win32/Waledac.gen!A NOD32 ----- 3984 ----- a variant of Win32/Kryptik.LP Norman ----- 6.00.06 ----- - nProtect ----- 2009.1.8.0 ----- - Panda ----- 10.0.0.14 ----- Suspicious file PCTools ----- 4.4.2.0 ----- - Prevx1 ----- V2 ----- - Rising ----- 21.23.32.00 ----- - Sophos ----- 4.40.0 ----- - Sunbelt ----- 3.2.1858.2 ----- - Symantec ----- 1.4.4.12 ----- - TheHacker ----- 6.3.4.0.300 ----- - TrendMicro ----- 8.700.0.1004 ----- - VBA32 ----- 3.12.10.2 ----- - ViRobot ----- 2009.4.2.1673 ----- - VirusBuster ----- 4.6.5.0 ----- - Additional information File size: 412672 bytes MD5...: c81c4d99487ce04bf8c0e697f453c4e0

The clueless registrars for this domain are Xiamen Ename (for chatloveonline.com) and Xin Net (for its nameservers, extendedman.com)

As usual, it's hosted on a fast-flux botnet with a zero-second refresh rate. That means that if you just keep checking continuously, you get new IP's as fast as your computer can do a nslookup.

This is what you get if you create a Notepad file called "test.txt" and then fill it with line after line that just says

etc., etc. as many times as you want.

Save it, close it, change the name of the saved file from "test.txt" to "test.cmd", and then open the "test.cmd" file to start it running. You'll see a "command" window open and repeatedly do the nslookup. Within a few seconds you'll get a long list of IP addresses like this in the "test.out.txt" file it's going to create:

I'm just guessing that all the people who own computers at those IP addresses were in a panic about Conficker worm's April 1 variation. They needed to panic a little sooner when they downloaded the trojan that handed control of their computers over to the Waledac authors.

Here are many of the recent live domains. While many domain names have "news" themes, chatloveonline.com isn't the only one still surviving since Valentine's day. (These are dangerous sites: Visit only if you know what you're doing, have disabled javascripts, have your browser set to open a dialog window whenever it downloads anything, and are not using Internet Explorer):

adorepoem.com
adoresong.com
antiterroralliance.com
antiterroris.com
antiterrornetwork.com
bayhousehotel.com
bestadore.com
bestbreakingfree.com
bestgoodnews.com
bestjournalguide.com
bestlifeblog.com
bestlovehelp.com
bestusablog.com
blogginhell.com
blogsitedirect.com
bluevalentineonline.com
boarddiary.com
breakinggoodnews.com
breakingkingnews.com
breakingnewsfm.com
breakingnewsltd.com
chatloveonline.com
cherishletter.com
cherishpoems.com
extendedman.com
farboards.com
fearalert.com
funnyvalentinessite.com
gonesite.com
goodnewsdigital.com
goodnewsreview.com
greatcouponclub.com
greatsvalentine.com
greatvalentinepoems.com
linkworldnews.com
longballonline.com
lovecentralonline.com
lovelifeportal.com
mobilephotoblog.com
photoblogsite.com
spacemynews.com
terroralertstatus.com
terrorismfree.com
thevalentinelovers.com
thevalentineparty.com
tntbreakingnews.com
urbanfear.com
whocherish.com
wirelessvalentineday.com
worldlovelife.com
worldnewsdot.com
worldtracknews.com
worshiplove.com
yourbreakingnew.com
yourcountycoupon.com
yourgreatlove.com
yourlength.com
yourlol.com
yourvalentinepoems.com
yourwent.com

April 1, 2009
USAA phish

It's a typical phish. The brand isn't as widely known as targets like PayPal and Bank of America, so someone who really deals with this company could be caught off guard. Also, while the more popular targets pay people to investigate and shut down phishing sites, a new target may not yet have such an arrangement.

And yes, it really did say "hank you." There wasn't an image of a "T" there or anything.

This one is tricky. In addition to having images that come from the real USAA site, there are also several links to the real site. You have to search through to find out which one is the phish:

(The links were live in the original email).

If you look carefully, while most of the links have "usaa.com" right before the first single "/", there is one different one:

usaa.com.h1llf.com/

That's the link that showed the phishing site:

There is no reason your bank needs to ask you for this information, since they are the ones that gave it to you. And a PIN number is only for in-person transactions. Notice also that the link began "http://" not "https://". The last "s" means it's a secure site, so the information going back and forth is encrypted. No site should ever ask for a credit card number if it doesn't have a secure server.

This particular phish is hosted on a botnet:

That's 15 "seats," or 15 different computers hosting this site at one time.

The "1800" number is the "time to live," or "TTL." When your computer wants to visit a website, it has to ask where it is, it's IP address. The nameserver is the official place to ask that information. But rather than having everyone's computer asking the one that hosts the nameserver every time someone wants to visit, other computers around the internet will save the answer as a "cache." They will then give that information again the next time someone wants to visit the site, so the query doesn't have to travel so far. They will continue to give the same answer until the cache expires. The time to live tells them how long the information should be stored before checking back with the nameserver to see if anything has changed.. It's timed in seconds.

The typical TTL is 24 hours. But h1llf.com is only committing itself to stay at these IP addresses for 1800 seconds, or half an hour. Then it may have 15 completely different IP addresses. That's a pretty good indication these are not the IP addresses of ISP's paid to host this site. These are the computers of innocent people with malware ("bad software") infections that have allowed the phishers to gain access to use their computers. And yes, your little home computer can host a website that everyone on the internet can come and visit if you download something like that.

h1llf.com is registered with Interdomain. The nameservers for h1llf.com are

ns1.americans-tool.com
ns1.bus-on-line.com

Both of those are registered with Gandi. That's not a bright move if you want your criminal domains to stay alive long, as Gandi's abuse desk positively enjoys shutting these things down and cooperating with law enforcement to investigate them.

Searching turns up a number of similar domains using those nameservers:

i1hh1.com
jil1.com
h1ll1.com
hj1li.com
ji1fj.com
1jl1l.com
jj1fl.com
1hhl.com
ij1il.com
jl1il.com
americans-tool.com
dmoderss.com
imoderss.com
lmoderss.com
f1hj.net
f1hi.biz

Almost all of them are either shut down or have moved to other nameservers that have been suspended already. So the registrars involved seem to be jumping all over this one. The only question is whether USAA has its own investigation team to try to help the victims.

Castlecops' PIRT team used to do this for all brands. While they were working, the recommendation was to report phish to PIRT rather than shut it down yourself. That way they could investigate and try to find the "drop file," the file containing all the information that victims had entered into the form. The victims could then be contacted and their accounts could be shut down.

There is no way of knowing which phishing targets handle this takedown for themselves. Some will have a link on their real websites, so it's a good idea to notify them that way. But otherwise, it's probably best to just report them via Complainterator and get them shut down as quickly as possible.