18 Aug 08

“Weekly top news” (new)

In the same vein as the recent fake CNN and MSNBC malspam campaigns, a new one is floating around with the subject line of “Weekly top news”, with the sender’s name “Top News Agency”:

[screenshot]

The content of the e-mail purports to link to a number of “breaking” news items and “shocking” videos:

[screenshot]

The infected sites look rather plain (no images from real news sites) with another false video embed and “ActiveX Object Error”:

[screenshot]

Funny enough, clicking the “Close this page” button at the top attempts to redirect to hxxp://79.135.167.18/antivirus, but due to a bit of a coding error on the part of the bad guys/gals, it looks like they only appended that URL to the existing one, e.g. hxxp://[infected site]/URL=hxxp://79.135.167.18/antivirus, yielding a 404:

[screenshot]

Now, when attempting to navigate away from the page (or reload, too, of course), the user is presented with another warning dialog, stating that they haven’t finished their virus scan! GASP!

[screenshot]

The dropper looks to be very similar to the ones we’ve already seen in the fake CNN and MSNBC campaigns, so nothing terribly new here. Two different filenames are used, scaner.exe [sic] and install.exe. Same tactic to get the user to download the dropper, too (simply direct them to it). Judging by what we’ve seen so far, this one’s going to download “Antivirus XP 2008” again, so nothing new there, either.

SHA256(install.exe)= c5c3c45d488028bb5978cdababde1e90a18ea4ba994ad1eb6205399b04a4faca
SHA256(scaner.exe)= c5c3c45d488028bb5978cdababde1e90a18ea4ba994ad1eb6205399b04a4faca
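Turning the indicators above into something a defender can run: the following Python script is an added example (not code from this blog or from the campaign) that matches the subject line, sender name, redirect IP, dropper filenames and SHA256 from this post against constructed sample data. The proxy log format, the host name infected.example, and the dropper download path under /antivirus are assumptions made for the sample; the redirect-extraction routine specifically handles the botched “Close this page” redirect, where the target URL was appended to the current page’s URL instead of replacing it.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators taken from the post. The one SHA256 is what the post lists
# for both install.exe and scaner.exe.
DROPPER_SHA256 = "c5c3c45d488028bb5978cdababde1e90a18ea4ba994ad1eb6205399b04a4faca"
DROPPER_NAMES = {"scaner.exe", "install.exe"}
REDIRECT_HOST = "79.135.167.18"
MAIL_SUBJECT = "Weekly top news"
MAIL_SENDER = "Top News Agency"

# Constructed sample proxy log (assumed format: timestamp client method url status).
# The host name and the download path are made up for the sample.
SAMPLE_PROXY_LOG = """\
2008-08-18T10:02:11 10.0.0.5 GET http://infected.example/news.html 200
2008-08-18T10:02:13 10.0.0.5 GET http://infected.example/URL=hxxp://79.135.167.18/antivirus 404
2008-08-18T10:02:40 10.0.0.5 GET http://79.135.167.18/antivirus/install.exe 200
2008-08-18T10:03:01 10.0.0.7 GET http://www.example.org/index.html 200
"""


def refang(url: str) -> str:
    """Turn a defanged hxxp:// scheme back into http:// so urlparse understands it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def extract_botched_redirect(url: str):
    """The 'Close this page' button appended its target to the current URL
    (.../URL=hxxp://79.135.167.18/antivirus). Pull the intended target out so
    the redirect host can be matched even though the request itself 404s."""
    m = re.search(r"URL=(h[tx]{2}ps?://[^\s\"']+)", refang(url), re.I)
    if not m:
        return None
    return urlparse(refang(m.group(1)))


def classify_url(url: str) -> list:
    """Return the list of indicator names a single requested URL matches."""
    reasons = []
    parsed = urlparse(refang(url))
    if parsed.hostname == REDIRECT_HOST:
        reasons.append("known-host")
    target = extract_botched_redirect(url)
    if target is not None and target.hostname == REDIRECT_HOST:
        reasons.append("botched-redirect-to-known-host")
    if parsed.path.rsplit("/", 1)[-1].lower() in DROPPER_NAMES:
        reasons.append("dropper-filename")
    return reasons


def scan_proxy_log(text: str) -> list:
    """Return one finding per log line that matches at least one indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[3]
        reasons = classify_url(url)
        if reasons:
            findings.append({"line": lineno, "url": url, "reasons": reasons})
    return findings


def is_campaign_mail(headers: dict) -> bool:
    """Match the subject line and sender display name used by this campaign."""
    subject = headers.get("Subject", "").strip().casefold()
    sender = headers.get("From", "").casefold()
    return subject == MAIL_SUBJECT.casefold() and MAIL_SENDER.casefold() in sender


def is_known_dropper(data: bytes) -> bool:
    """Compare a file's SHA256 against the dropper hash from the post."""
    return hashlib.sha256(data).hexdigest() == DROPPER_SHA256


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {f['line']}: {f['url']} -> {', '.join(f['reasons'])}")
    print(is_campaign_mail({"Subject": "Weekly top news",
                            "From": "Top News Agency <news@example.invalid>"}))
```

Matching on the malformed redirect is worth keeping even though the request 404s: the proxy still logs the full URL, so the appended target IP is visible before any dropper download happens.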


3 Responses to ““Weekly top news” (new)”


  1. Michael, Aug 19th, 2008 at 11:06 am

    It’s not just in the same vein, it’s the same exploit; same injecting IP pool, same hijacked server pool, common code, same payload.

    The result of way too much of my time is here: http://www.vivtek.com/projects/despammed/stormspam.html

  2. lithium, Aug 19th, 2008 at 7:21 pm

    Great work! Thank you for sharing!

  3. quine, Aug 19th, 2008 at 7:22 pm

    @michael

    Agreed. All of the droppers are identical, short of the typical nuances that come about with packing them. As for your research, very familiar with it. One of a few sources I’m tracking right now. Keep up the good work ;)

