I believe the attack is exploited 100% through hacked/infected computers. We know that the e-mails are being distributed by infected computers as we can tell from the e-mail headers, most of the e-mails come from private ADSL or cable lines. One question remains… how are the websites getting owned? Take a second to consider the following possibility…

I own domain.com and I don’t know a whole lot about HTML. I want a flashy website so I go out and buy “Build Your Own Website Software 1.0″. This type of software has several useful features such as a WYSIWYG editor, scripts, images, templates, and automatic FTP upload features.

If my machine is infected with malware it will most definitely search for FTP credentials. If the hackers spent a long enough time harvesting the FTP credentials all they needed to do is write software to upload their malicious pages to each site and then direct their botnet to start spamming the links at the same time.

Let’s look at one of the e-mails we received:
Header:

Received: from *.adsl.alicedsl.de (*.adsl.alicedsl.de [78.4*.15*.28*])

This header shows us that the mail was sent from a private ADSL line on the de TLD.

Body:

Girl trains monkey to give tongue service video hxxp://download.german-railroads.eu/start.html

The body of the e-mail contains a link to a German railroads site. Is this a coincidence?

I feel that my hypothesis is fairly obvious but I have not seen much speculation about the attack vector and I would like some input from our readers. What do you think?

If anyone reading this post has had their website compromised by this attack, please contact me at lithium@malwaredatabase.net as I would like to perform a post-mortem analysis to identify the attack vector.

**Proceed at your own risk**

Site:  hxxp://antivirus-2009pro.com

Results for antivirus-2009pro.com:

Domain Name: ANTIVIRUS-2009PRO.COM

Creation Date: 30-Jul-2008
Expiration Date: 30-Jul-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org
Domain Admin        (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Hillary and Obama are gay. President Bush killed in Afghan bombing…What’s Next?

We do not mean to bore you with the same old malspam posts every day but after viewing this last e-mail I got to thinking…

What will the next threat be once everyone realizes that almost all e-mail requesting the user to watch a video is malware?  What is the next step for the malware creators? Will exploits increasingly become the delivery of choice? Will site hijacking move to the front of the line?  Will legitimate stories on social media sites like digg, reddit, or twitter compromise the users’ security unknowingly?

We are starting to see that in 2009 many security vendors are tightening the belt on the machine they once had control of 10 years ago.

• https://www.trendbeta.com/index.php?get=358

• http://research.pandasecurity.com/archive/Panda-Internet-Security-2009-BETA.aspx

• http://www.symantec.com/norton-beta/internet-security

Assuming that the industries effort in 2009 is not futile, what will the new pressure create?  My honest opinion is that the malware will continue to get smaller, more efficient, and even less intrusive than it already is.  Rogue Anti-Malware products replaced with stealthier cousins perhaps.

Only a few things remain certain.  The criminals still need our credit card numbers, social security numbers, and any other sensitive data that can be sold on the black market and social engineering with stealth malware will remain the easiest way to obtain such data.

Hoaxes use weaknesses in human behaviour to ensure they are replicated and distributed. In other words, hoaxes prey on the Human Operating System.  -Stewart Kirkpatrick

I am interested in hearing your opinion.  Leave me a message in the comments or just e-mail me at lithium@malwaredatabase.net and we can talk about it.