Australia's Leading Computer Emergency Response Team
Slow and steady winning the spam race

Date: 21 January 2008


Spamming techniques seem to be taking a more patient approach lately, with a slow but steady stream of emails trying to convince users to visit subdomains of nm dot ru. Once the victim visits the site, they are redirected to one of many other sites which download a number of zip files containing malicious content. At this point the executable file in the zips is not well detected; when it is detected, it is identified as a variant of worm:w32/feebs. A description of this worm can be found here.

These are the sites named in the emails (obfuscated). Administrators should consider blocking access to the following infected domains and checking logs for any communications with them:

hxxp://nx-qit,nm,ru
hxxp://krx-kn,nm,ru
hxxp://jy-ycd,nm,ru
hxxp://emam-c,nm,ru
hxxp://vn-wgf,nm,ru
hxxp://msv-ru,nm,ru
hxxp://m-cdft,nm,ru
hxxp://pm-h,nm,ru
hxxp://b-xgcy,nm,ru

These link off to the following sites:

hxxp://softnews,medianewsonline,com
hxxp://gvuy,getenjoyment,net
hxxp://hc-l,t35,com

These contain the following infected zip files (administrators may want to search for and delete suspicious traces of these files on their systems):
- 21book.zip
- sexs.zip
- cm.zip

The standard social networking formats are used, implying the email is from a female wanting you to visit her website or judge her photos for an erotic competition (insert alarm bells here). Here is a sample of the email contents:

-------------------------------------------------------------------------------

From: Nikky
To: auscert@auscert.org.au
Cc:
Date: Sun, 20 Jan 2008 20:26:51 +1000
Subject: hi. I Nikky

Please rate me! Competition of eortic photos! Here my pgae: hxxp://b-xgcy,nm,ru

-------------------------------------------------------------------------------

From: Mia
To: auscert@auscert.org.au
Cc:
Date: Fri, 18 Jan 2008 03:50:07 +1000
Subject: Why you do not write? I Mia from Canada

You remember m?e I do! Here my pgae: hxxp://nx-qit,nm,ru

-------------------------------------------------------------------------------
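As an added example, not code from the AusCERT post, here is the kind of check an administrator could run over the indicators listed above and over messages like the samples just shown. It restores the post's defanged hostnames (hxxp, commas for dots) to plain form, flags any URL in a mail body that points at a listed host or one of its subdomains, and walks proxy log lines looking for the listed hosts and the named zip files. The proxy log format, the sample mail and log lines, and every function name are assumptions made for the example.

```python
"""Defender-side checker for the nm.ru spam campaign indicators.

Added example only (not AusCERT's code). Restores the post's defanged
indicators and scans constructed sample mail and proxy log lines.
"""
import re
from email import message_from_string

# Indicators exactly as the post lists them (defanged so they are not clickable).
LURE_DOMAINS = [
    "hxxp://nx-qit,nm,ru", "hxxp://krx-kn,nm,ru", "hxxp://jy-ycd,nm,ru",
    "hxxp://emam-c,nm,ru", "hxxp://vn-wgf,nm,ru", "hxxp://msv-ru,nm,ru",
    "hxxp://m-cdft,nm,ru", "hxxp://pm-h,nm,ru", "hxxp://b-xgcy,nm,ru",
]
PAYLOAD_DOMAINS = [
    "hxxp://softnews,medianewsonline,com",
    "hxxp://gvuy,getenjoyment,net",
    "hxxp://hc-l,t35,com",
]
SUSPECT_FILES = {"21book.zip", "sexs.zip", "cm.zip"}


def refang(indicator: str) -> str:
    """'hxxp://b-xgcy,nm,ru' -> 'b-xgcy.nm.ru' (lower-cased hostname only)."""
    host = re.sub(r"^hxxps?://", "", indicator.strip(), flags=re.IGNORECASE)
    return host.replace(",", ".").lower()


BLOCKED_HOSTS = {refang(d) for d in LURE_DOMAINS + PAYLOAD_DOMAINS}

# Live spam carries real links, but defanged copies turn up in reports too,
# so accept both http(s) and hxxp(s) schemes when pulling URLs out of text.
URL_RE = re.compile(r"\b(?:h(?:xx|tt)ps?)://[^\s<>\"']+", re.IGNORECASE)


def url_host(url: str) -> str:
    """Hostname of a plain or defanged URL, with commas restored to dots."""
    m = re.match(r"^[a-z]+://([^/?#:]+)", url, flags=re.IGNORECASE)
    return m.group(1).replace(",", ".").lower() if m else ""


def is_blocked(host: str) -> bool:
    """True if host is a listed host or a subdomain of one (not the bare nm.ru)."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def scan_email(raw: str) -> dict:
    """Parse one RFC 822 message; report listed URLs and suspect attachment names."""
    msg = message_from_string(raw)
    hits, attachments = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in SUSPECT_FILES:
            attachments.append(name)
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            hits.extend(u for u in URL_RE.findall(body) if is_blocked(url_host(u)))
    return {"from": msg.get("From", ""), "blocked_urls": hits, "suspect_files": attachments}


def scan_proxy_log(text: str) -> list:
    """Return (client, url, reason) for squid-style lines touching the indicators.

    Field layout assumed: time elapsed client code/status bytes method url ...
    """
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a complete access-log record
        client, url = fields[2], fields[6]
        reasons = []
        if is_blocked(url_host(url)):
            reasons.append("listed host")
        if url.rsplit("/", 1)[-1].lower() in SUSPECT_FILES:
            reasons.append("named payload")
        if reasons:
            findings.append((client, url, ", ".join(reasons)))
    return findings


# Constructed sample input modelled on the post's examples (not captured data).
SAMPLE_EMAIL = """\
From: Nikky
To: auscert@auscert.org.au
Subject: hi. I Nikky

Please rate me! Competition of eortic photos! Here my pgae: http://b-xgcy.nm.ru
"""

SAMPLE_PROXY_LOG = """\
1200880000.101 312 10.0.0.5 TCP_MISS/200 2048 GET http://b-xgcy.nm.ru/ - DIRECT/192.0.2.10 text/html
1200880003.404 910 10.0.0.5 TCP_MISS/200 65536 GET http://hc-l.t35.com/21book.zip - DIRECT/192.0.2.20 application/zip
1200880010.222 55 10.0.0.9 TCP_HIT/200 4096 GET http://www.example.com/index.html - NONE/- text/html
"""

if __name__ == "__main__":
    print(scan_email(SAMPLE_EMAIL))
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(*finding)
```

The matcher deliberately flags only the listed hosts and their subdomains; since the post notes that nm.ru itself also hosted a phishing site, an administrator who wants to block the whole domain can add "nm.ru" to the list and the subdomain rule covers the rest.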

The emails themselves are being delivered at an unusual rate of one email per day, which is quite a different approach from the Storm spamming technique. You could say Storm uses a shotgun approach, attempting to compromise a user by sending multiple emails in the hope that one will contain the right words to lure them into downloading the infected files. The approach taken for the emails from nm dot ru is more like a sniper rifle: firing off one email at a time so that spam traps don't detect it, and making it less likely that the user deletes it on the basis of having received multiple copies.

A little common sense is the best precaution against this sort of attack. If the email is from someone you don't know, asking you to visit a site you have never heard of to view photos or content you wouldn't normally see... delete it!

This domain (nm,ru) was also hosting an eBay phishing site earlier this month.


Paul