Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

New Zhelatin tactics

olliver
Expert Developer

PostPosted: Wed Aug 15, 2007 1:43 pm    Post subject: New Zhelatin tactics

I was surprised to find something new in my daily bombardment with Zhelatin postcard spams. But first things first....

At first there's the usual "you have a greeting card" mail body:
Quote:
Class mate(dam@transfers.corpex.de) has created Musical e-card for you
at 123greetings.com.

To see your custom Musical e-card, simply click on the following link:

http:// 89.40.233.23 /

Send a FREE greeting card from 123greetings.com whenever you want by visiting us at:
This service is provided and hosted by 123greetings.com.

Spammy has adapted to recent discussions and now includes a fake sender to make it look more legitimate. It's the same address as used for the From field and is of course entirely bogus. Also, the fake MD5 hash is no longer appended as an argument to the URL.

Clicking the link doesn't trigger any JavaScript, but leads us straight to this page:
Quote:
To view your ecard, you need to have Microsoft Data Access installed on your computer.
To obtain a free copy of Microsoft Data Access, please click here.

"click here" points to:
http:// 89.40.233.23 / msdataaccess.exe

Of course that's silly nonsense, because there's no reason at all why a greeting card would need to rely on a database application interface for *viewing*. Maybe for storing and retrieving data, but then again that would hardly count as a greeting card. Further telling signs are the absence of any link to an actual greeting card (which was the reason for the email in the first place) and the insane notion that the missing installation of a database application interface could be read by a remote server by means of a plain HTML page (absent any script exploits) or be indicated in any header sent by the visitor's browser. Therefore it's no surprise that "msdataaccess.exe" is reported by Kaspersky's Antivirus as Email-Worm.Win32.Zhelatin.gn and will convert a Windows user into a spam-spewing zombie within seconds.

Email headers for the records:
Quote:
Return-Path: <dam@transfers.corpex.de>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 15 Aug 2007 13:12:08 -0000
Received: from static-dsl-158.213-160-177.telecom.sk (HELO static-dsl-158.213-160-177.telecom.sk) [213.160.177.158]
by mx0.gmx.net (mx068) with SMTP; 15 Aug 2007 15:12:08 +0200

Received: from oq.wzsik ([166.157.104.194]) by static-dsl-158.213-160-177.telecom.sk with Microsoft SMTPSVC(6.0.3790.0); Wed, 15 Aug 2007 15:12:04 +0200
Message-ID: <001f01c7df3d$dfe03380$c2689da6@oq.wzsik>
From: <dam@transfers.corpex.de>
To: <spamtrap>
Subject: Musical e-card
Date: Wed, 15 Aug 2007 15:12:04 +0200
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="windows-1250";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

The presumable sender, static-dsl-158.213-160-177.telecom.sk, is listed on a couple of blocklists like Spamcop or UCEprotect, whereas the spamvertised location at 89.40.233.23 resolves to user.u-nite.ro, obviously located in Romania, and isn't listed anywhere:
Quote:
inetnum: 89.40.232.0 - 89.40.239.255
netname: SC-UNDERNET-SRL
descr: SC UNDERNET SRL
descr: GEORGE GEORGESCU Nr 54
descr: BUCURESTI SECTOR 4 RO
country: ro
admin-c: SA3357-RIPE
tech-c: SA3357-RIPE
status: ASSIGNED PA
remarks: Registered trough http://www.jump.ro/ip.html
mnt-by: RO-MNT
mnt-lower: RO-MNT
mnt-routes: UNDERNET-MNT
source: RIPE # Filtered

person: SMEUREANU ALEXANDRU
address: SC UNDERNET SRL
address: GERGE GEORGESCU Nr 54
address: BUCURESTI SECTOR 4
phone: +40-727 228855
e-mail: abuse at u-nite.ro
nic-hdl: SA3357-RIPE
mnt-by: UNDERNET-MNT
source: RIPE # Filtered


Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
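As an added example (not olliver's code and not part of the original post), a small Python triage script that checks a raw mail for the signs called out in this thread: a link whose host is a bare IP address, a link pointing at an .exe, a body "sender" that merely echoes the From header, and a first Received hop whose reverse DNS looks like a consumer DSL pool (the "home based 0wned PCs" suzi mentions below). Every host, IP and address in the sample is a constructed placeholder, and the broadband-pool check is a heuristic, not proof.

```python
import re
from email import message_from_string

# Constructed sample lure; every host, IP and address is a placeholder.
SAMPLE_MAIL = """\
Received: from static-dsl-1.example-isp.test [198.51.100.7]
 by mx.example.org with SMTP; 15 Aug 2007 15:12:08 +0200
From: <sender@example.net>

Class mate(sender@example.net) has created Musical e-card for you
at 123greetings.com. To see it, simply click on the following link:
http://192.0.2.10/
"""

URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?", re.IGNORECASE)
# Reverse-DNS labels typical of consumer broadband pools (heuristic only).
DYNAMIC_HOST_RE = re.compile(r"dsl|dyn|dial|cable|pool|ppp", re.IGNORECASE)


def url_indicators(url: str) -> list:
    """Flag a link whose host is a bare IP literal or that points at an .exe."""
    m = URL_RE.match(url)
    if not m:
        return []
    host, path = m.group(1), m.group(2) or ""
    hits = ["link_host_is_bare_ip"] if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) else []
    if path.lower().endswith(".exe"):
        hits.append("link_to_executable")
    return hits


def first_hop(msg) -> tuple:
    """(hostname, ip) from the oldest Received header, i.e. the machine that handed
    the mail to the MX. Received headers are prepended, so the last one is earliest."""
    oldest = " ".join((msg.get_all("Received") or [""])[-1].split())
    host = re.search(r"from\s+(\S+)", oldest)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", oldest)
    return (host.group(1) if host else None, ip.group(1) if ip else None)


def triage(raw: str) -> list:
    """Sorted indicator names that fire for one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hits = [h for m in URL_RE.finditer(body) for h in url_indicators(m.group(0))]
    # A 'sender' named in the body that merely echoes From: adds no legitimacy.
    if any(a in msg.get("From", "") for a in re.findall(r"[\w.+-]+@[\w.-]+", body)):
        hits.append("body_sender_echoes_from_header")
    host, _ip = first_hop(msg)
    if host and DYNAMIC_HOST_RE.search(host):
        hits.append("first_hop_looks_like_consumer_broadband")
    return sorted(set(hits))
```

Run `triage(SAMPLE_MAIL)` on the constructed mail and it reports all three mail-level indicators; feed the landing page's download link to `url_indicators` and the .exe check fires as well.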
suzi
Site Admin

PostPosted: Wed Aug 15, 2007 3:26 pm

Good example. There is a related post here:

http://www.spywarewarrior.com/viewtopic.php?t=25878
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
Chao284
Warrior

PostPosted: Thu Aug 16, 2007 11:25 am    Post subject: Re: New Zhelatin tactics

a notepet wrote:
I was surprised to find something new in my daily bombardment with Zhelatin postcard spams. But first things first....

At first there's the usual "you have a greeting card" mail body:
Quote:
Class mate(dam@transfers.corpex.de) has created Musical e-card for you
at 123greetings.com.

To see your custom Musical e-card, simply click on the following link:


And that, my friends, is also what starts the Storm Worm's infectious attempts to DDoS sites like this, and there will surely be more of them, as well as, after the attacks, more pharma-based spam too.
suzi
Site Admin

PostPosted: Thu Aug 16, 2007 6:01 pm

I don't understand what you mean by this:

Quote:
the Storm Worm's infectious attemps to DDoS sites like this,


Can you explain what you mean there? I understand DDoS, but I don't understand how the Storm Worm is attempting to DDoS "sites like this".

The IP addresses in the spams are most often IPs of home based 0wned PCs.
Nightmaretony
Warrior

PostPosted: Thu Aug 16, 2007 8:32 pm

Methinks what he means is that once a machine is zombified, the botherder will use the machine for a DDOS.
_________________
For this is the place
where dreams
and nightmares
are birthed
and bred

Nightmare Park
suzi
Site Admin

PostPosted: Thu Aug 16, 2007 8:58 pm

Ah, that could be it.
Chao284
Warrior

PostPosted: Sun Aug 19, 2007 11:02 pm

suzi wrote:
Ah, that could be it.


Correct, and that means more PDF spam for selected spam traps while the rest gets hard-to-find Canadian-based copycat pharma-based spam, under Leo Kuvayev and Yambo Finicials's control of each botnet and those who try to target the real source of the spam.

And that is what I am talking about.

I also noticed one of the words is removed in this post, I figure it is for Security and Phishing issues I guess.
suzi
Site Admin

PostPosted: Mon Aug 20, 2007 8:26 am

Words removed in what post?

We have a number of word filters in place due to forum spammers and to keep the forum family friendly. If a word has been changed, that's why. We don't remove words or edit users' posts unless there's a violation of forum rules.
olliver
Expert Developer

PostPosted: Mon Aug 20, 2007 10:22 am

Chao284 wrote:
suzi wrote:
Ah, that could be it.


Correct, and that means more PDF spam for selected spam traps while the rest gets hard-to-find Canadian-based copycat pharma-based spam, under Leo Kuvayev and Yambo Finicials's control of each botnet and those who try to target the real source of the spam.

Is this just an unsubstantiated claim written as proven fact or can you provide a source where you have this information from? I'm asking because according to Google such a connection does not exist:
Quote:
Your search - zhelatin yambo kuvayev - did not match any documents.

Suggestions:

* Make sure all words are spelled correctly.
* Try different keywords.
* Try more general keywords.
* Try fewer keywords.


Quote:
I also noticed one of the words is removed in this post, I figure it is for Security and Phishing issues I guess.

The "bad words filter" is nothing but a primitive string replacement procedure. So if a matching word hit the filter blocklist, it would be replaced with "spam". If a message were edited by a Moderator/Admin/God you would notice it by the edit comment line automatically added by the forum software. Whatever it was, it didn't disappear by any of the two common methods described above.

Olliver