My e-mail inbox has been flooded since breaking the CNN malspam story. Everyone wants to know where this attack is coming from and how it’s releasing itself into the wild so quickly. I’m sorry to say that I do not have the answer yet… but I do have a hypothesis.
I believe the attack is carried out entirely through hacked/infected computers. We know that the e-mails are being distributed by infected computers, because the e-mail headers show that most of them come from private ADSL or cable lines. One question remains… how are the websites getting owned? Take a second to consider the following possibility…
I own domain.com and I don’t know a whole lot about HTML. I want a flashy website so I go out and buy “Build Your Own Website Software 1.0”. This type of software has several useful features such as a WYSIWYG editor, scripts, images, templates, and automatic FTP upload features.
If my machine is infected with malware, it will almost certainly search for stored FTP credentials. Once the hackers have spent long enough harvesting FTP credentials, all they need to do is write software to upload their malicious pages to each site and then direct their botnet to start spamming the links at the same time.
Let’s look at one of the e-mails we received:
Header:
Received: from *.adsl.alicedsl.de (*.adsl.alicedsl.de [78.4*.15*.28*])
This header shows us that the mail was sent from a private ADSL line under the .de TLD.
Body:
Girl trains monkey to give tongue service video hxxp://download.german-railroads.eu/start.html
The body of the e-mail contains a link to a German railroads site. Is this a coincidence?
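As an added example (not code from the original post), here is a small triage script that checks the two things the e-mail above shows: whether the reverse DNS in the Received header looks like a residential ADSL/cable line, and which defanged links the body carries. The hostname, IP address and URL in the sample are constructed stand-ins for the values the post redacts.

```python
import re

# Constructed samples: same shape as the header and body quoted above, but with
# a made-up hostname, an RFC 5737 documentation IP and a placeholder URL.
SAMPLE_HEADERS = [
    "Received: from dyn-host.adsl.example.de (dyn-host.adsl.example.de [203.0.113.45])",
    "Received: from mail.example-corp.com (mail.example-corp.com [198.51.100.7])",
]
SAMPLE_BODY = ("Girl trains monkey to give tongue service video "
               "hxxp://download.example-railroads.eu/start.html")

# Received: from <HELO name> (<reverse DNS> [<IP>])
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\(([^\s\[]+)?\s*\[([0-9.]+)\]\)")
# Labels commonly seen in rDNS of dynamically assigned consumer lines (constructed list).
RESIDENTIAL_HINTS = ("adsl", "dsl", "cable", "dyn", "dialup", "pool", "ppp")
# Links in the spam body, written defanged (hxxp) as in the post.
DEFANGED_URL_RE = re.compile(r"\bhxxps?://\S+", re.IGNORECASE)


def parse_received(line):
    """Return helo name, rDNS, IP and rDNS TLD of one Received header, or None."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    helo, rdns, ip = m.group(1), m.group(2) or "", m.group(3)
    tld = rdns.rsplit(".", 1)[-1] if rdns else ""
    return {"helo": helo, "rdns": rdns, "ip": ip, "tld": tld}


def looks_residential(rdns):
    """True if any rDNS label carries a consumer-line marker such as 'adsl'."""
    labels = rdns.lower().split(".")
    return any(hint in label for label in labels for hint in RESIDENTIAL_HINTS)


def triage(headers, body):
    """Flag a message whose sending hop is residential and whose body links out."""
    hops = []
    for line in headers:
        rec = parse_received(line)
        if rec is None:
            continue
        rec["residential"] = looks_residential(rec["rdns"])
        hops.append(rec)
    urls = DEFANGED_URL_RE.findall(body)
    suspect = any(h["residential"] for h in hops) and bool(urls)
    return {"hops": hops, "urls": urls, "suspect": suspect}


if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS, SAMPLE_BODY))
```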
I feel that my hypothesis is fairly obvious but I have not seen much speculation about the attack vector and I would like some input from our readers. What do you think?
If anyone reading this post has had their website compromised by this attack, please contact me at lithium@malwaredatabase.net as I would like to perform a post-mortem analysis to identify the attack vector.

I’ve always felt that the great variety of readily-harvestable data on individual machines was never being properly collected / used by attackers…