New e-card scam?

Discussion in 'malware problems & news' started by Chato, Jan 22, 2008.

Thread Status:
Not open for further replies.
  1. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    Today I received two mails which look like the e-card scam (Storm).
    Both e-mails came from the IP (219.65.86.56), which is located in India.
    They were sent from two different domains: [name]@navigant.in and [name]@bbyonre.org

    The first mail has the subject "I am complete" and the message contains only one line:
    The second mail has the subject "In your arms"
    Message:
    (The original message contains 'http' instead of 'hxxp')

    Because I was very curious I clicked both links (in VME/Sandboxie) and I expected to be prompted to download an "e-card" (Zhelatin, Nuwar, Peacomm, etc.).
    But both links are dead.

    Does anybody here know more about this scam/spam?
    Could it be an attempt to drop malware? Or is it just 'regular' spam?

    Thanks in advance.
     
    Last edited: Jan 22, 2008
  2. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    I've been getting a bunch of these as well.
    Fortunately, my spam filter is identifying them and putting them in the appropriate folder.
    The IP link takes you to a site where you're prompted to DL "withlove.exe".
    (Isn't that sweet?)
    Although I didn't bother to DL it and submit it (out of curiosity) to Jotti, I found references to "withlove.exe" as containing Stormy or I-Worm/Nuwar.L
    http://www.prevx.com/filenames/1664974208280366732-0/WITHLOVE.EXE.html
    http://free.grisoft.com/doc/6/us/frt/0
     
  3. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    Thanks for posting this, Bob D.

    The spam/scam you mentioned refers to a website where you're prompted to download Peed/Nuwar/Peacomm etc. or other Storm-trojan variants.
    In my case the link was dead.

    Unfortunately for me, I was expecting (or hoping) to find a new variant.
    I know this sounds strange, but since Christmas last year I have been investigating almost everything that has to do with the Storm-trojan.
    Since I published a summary of the first analysis results I have received several requests for further analysis. At the moment I'm working on this.

    Can you please give me the URL where the link takes you and where you're prompted to DL an e-card. (in case it is a 'new' one)
    I don't know if it is allowed to post malicious URLs in this forum, but the PM works fine here ;)

    Thanks,

    Chato
     
    Last edited: Jan 22, 2008
  4. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    I'll give the mods / admins time to comment on posting.
    Otherwise, I'll PM you.
    I only have maybe two left that I haven't deleted, but I'll save them for you.

    cheers
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    We very much would appreciate that route so as not to violate our terms of service as it relates to "malicious URLs".

    Thanks,
    Bubba
     
  6. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    Thanks for your reply, Bubba.
    I already received the URLs from Bob by PM.

    But still my question is not answered.

    Did I receive an e-mail with an attempt to download a variant of Storm? Did anybody else receive a similar e-mail in the last few days? Why does somebody/something send me an e-mail with the 'request' to visit a webpage which is not online? Or has it nothing to do with Storm?

    Any comment, recommendation, etc is welcome!

    regards,

    Chato
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The technique of fast flux pretty much ensures that the domains and binaries change quickly. In the second diary below, the updates note these changes.

    http://isc.sans.org/diary.html?storyid=3778

    http://isc.sans.org/diary.html?storyid=3784

    http://isc.sans.org/diary.html?storyid=3855

    Because my ISP effectively blocks these ecards, I'm limited to what comes through on my yahoo account.

    Part of the "problem" if you will, also is fast response time to take down these sites -- only once this month has any URL worked.


    ----
    rich
     
    Last edited: Jan 23, 2008
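Fast flux, as the post above says, means the lure domain resolves to a different, constantly rotating set of compromised hosts with very short TTLs, so a URL that is dead one hour can be live the next. The following is an added example, not code from the thread or from the SANS diaries it links: a small heuristic that scores a domain from repeated resolver observations. The observations are constructed inline (a domain that rotates through many addresses with a 60-second TTL against one that always answers with a single address and a long TTL); the thresholds are assumptions a practitioner would tune against their own data.

```python
"""Fast-flux heuristic over repeated DNS observations. Added example;
the observation data and the thresholds are constructed/assumed."""
from collections import namedtuple

# One resolver observation: time of the query, the domain, the A records
# returned, and the TTL the authoritative server handed back.
Observation = namedtuple("Observation", "t domain ips ttl")


def classify(observations, max_ttl=300, min_ips=10, min_networks=5):
    """Flag a domain as fast-flux when the answers are short-lived, spread
    over many distinct addresses, and those addresses sit in many different
    /16 networks (a crude stand-in for 'many different providers')."""
    if not observations:
        raise ValueError("no observations")
    ips, networks, ttls = set(), set(), []
    for obs in observations:
        ttls.append(obs.ttl)
        for ip in obs.ips:
            ips.add(ip)
            networks.add(".".join(ip.split(".")[:2]))  # /16 prefix
    avg_ttl = sum(ttls) / len(ttls)
    return {
        "domain": observations[0].domain,
        "distinct_ips": len(ips),
        "distinct_networks": len(networks),
        "avg_ttl": avg_ttl,
        "flux": avg_ttl <= max_ttl and len(ips) >= min_ips and len(networks) >= min_networks,
    }


def constructed_flux_observations(n=12):
    """Constructed: every query (one per minute) returns three fresh
    addresses from unrelated /16s, each with a 60 second TTL. The 10.x.y.z
    addresses are placeholders, not real infrastructure."""
    return [
        Observation(t=60 * i, domain="lure.example",
                    ips=[f"10.{3 * i + k}.{k}.{i + 1}" for k in range(3)], ttl=60)
        for i in range(n)
    ]


def constructed_benign_observations(n=8):
    """Constructed: a stable host, same address every time, hour-long TTL."""
    return [
        Observation(t=3600 * i, domain="www.example.org", ips=["192.0.2.10"], ttl=3600)
        for i in range(n)
    ]


if __name__ == "__main__":
    print(classify(constructed_flux_observations()))
    print(classify(constructed_benign_observations()))
```

The same counters can be fed from a real resolver log; what matters for triage is the combination of low TTL, many addresses and many networks, since any one of them alone also describes a large CDN.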
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I just received a live URL at my Yahoo acct. (check your PM). I downloaded one, and again after about 15 minutes -- As noted in the above diary, the binary changes after about 15 minutes. A check of both files at VirusTotal yielded no results from any AV.

    Of course, this particular e-card exploit should be no threat, since it's a social-engineered attack.

    Also, e-cards are not executable files.

    And, it's not a remote code execution exploit; rather, the user has to click to download/install.

    EDIT: regarding the VirusTotal results, note this comment from sans.org (3rd link above):
    Best protection, of course, is for the user not to execute it. And the user should not, because in this particular case, she/he would break at least two rules that should be followed,

    1) Not to pay attention to an email from an unknown source

    2) Not to click on an unknown link


    ----
    rich
     
    Last edited: Jan 23, 2008
  9. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    Thanks to Rmus and Bob D
    Now I'm sure that this is the latest Storm-variant.
    One of the links in the received scam e-mails is active now.
    (Screenshot)

    After download I submitted it to Virustotal.
    Some results:
    AVG I-Worm/Nuwar.L
    BitDefender Trojan.Peed.ITU
    F-Prot: W32/Zhelatin.D.gen!Eldorado
    Kaspersky Email-Worm.Win32.Zhelatin.tr

    The malware wasn't detected by Symantec, Nod32, Mcafee, Avast and some others.
    All the VT-results you can find here ~Screenshot link removed per Policy....Bubba~


    Now it's time for the next analysis ;)

    Thanks for all your help and PM's.

    Regards
     
    Last edited by a moderator: Jan 23, 2008
  10. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Curious, in that 'withlove.exe' was first seen on Jan 16.
    Is this malware morphing into variants or are some top-shelf AVs missing something?
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Most ITW variants of Nuwar/Zhelatin have next to zero detection by file scanners. Signatures are too slow and heuristics are bypassed by server-side polymorphism and the custom packers.
    The next time you see a Nuwar sample in someone's inbox, think that the AVs in those mail servers were blind at that time.
     