sudosecure.net

is anything truly secure…

Archive for August, 2008

Comment Spam leads to rogue Security Applications/Scanners

Posted by jeremy on 24th August 2008

I just recently wrote some PHP code to start tracking comment spam bots, which has led to some interesting findings and statistics. The major goal for this script was to identify the most active comment spam bots by IP, but today I decided to follow some of the URLs in the comment spam postings to see if any badness was waiting for me. The very first URL I followed led to the rogue antivirus application that has been blogged about and documented heavily all over the net for about a month now and is known by numerous aliases: “Antivirus 2009, Windows XP Antivirus 2009, Antivirus 2008, Antivir64, and XP Antivirus”. In the write-ups I read regarding this rogue antivirus software I have not really seen anything on comment spam leading to it. Most of the write-ups cover email spam being sent out with catchy subject lines like “Prince Harry Proposes to Paris Hilton, Paris Hilton finds God: God issues denial, Britney Spears Sex Tape, Britney Spears Admits: My Vagina made me shave my head, and Hilton, Lohan, Spears, Duff star in Where The Boys Are remake”.

The instance of comment spam I investigated was posted by IP “189.73.10.64”, which is a host in Brazil with a reverse lookup name of “189-73-10-64.dsl.ctame700.brasiltelecom.net.br”. The comment spam was very simple, with a message of “Nice site, Thanks” and a URL entry of “hxxp://best-savings-accounts.expectgroup.net/best-high-interest-savings-accounts.html”. I would not recommend following this URL as it leads to malicious content. Doing a simple nslookup of best-savings-accounts.expectgroup.net returns the IP “84.16.255.84”, and doing an IP search on Malware Domain List shows this IP has been known to serve up badness: Malware Domain List search results. Both of the sites listed in the search results were linked to the Zlob Trojan. The really interesting thing about this URL was that it was only a redirect to hxxp://virtualblog5.com. Doing an nslookup for virtualblog5.com returned the IP address “84.16.252.138”, and searching this IP address on Malware Domain List showed this IP has also been known to serve up badness: Malware Domain List search results. All four search results are classified as “rogue”, and given the dates of this IP being reported I would have to assume this is nothing new. Virtualblog5.com was also a redirect to a virtual host on the same server, hxxp://scanner-prot.com, where the real badness surfaced. I was greeted with some simple JavaScript that identified my browser by looking at the User Agent and then rendered a pop-up and a redirection to hxxp://scanner.antivir-64.com. Doing an nslookup for antivir-64.com returned two IPs: “78.157.142.7” and “91.203.92.64”. Doing the same simple searches at Malware Domain List for 78.157.142.7 and 91.203.92.64 showed these IPs have already been identified as rogue application servers, so again nothing new here.
Since this was my final destination in the crafty redirects, I did some passive DNS investigation to see what other domains were being seen on these two IP addresses:

  • antivirus2008pro-download1.com A 78.157.142.7
  • antivirus2008pro-download2.com A 78.157.142.7
  • antivir-64.com A 78.157.142.7
  • scanner.antivir-64.com A 78.157.142.7
  • antivir64.com A 78.157.142.7
  • scanner.antivir64.com A 78.157.142.7
  • antivirus-2008a-pro.com A 78.157.142.7
  • antivirus2008t-pro.com A 78.157.142.7
  • antivirus-2008y-pro.com A 78.157.142.7
  • 2008pro-download1.com A 91.203.92.64
  • antivirus2008pro-download2.com A 91.203.92.64
  • antivir-64.com A 91.203.92.64
  • scanner.antivir-64.com A 91.203.92.64
  • antivir64.com A 91.203.92.64
  • scanner.antivir64.com A 91.203.92.64
  • antivirus-2008a-pro.com A 91.203.92.64
  • antivirus2008t-pro.com A 91.203.92.64
  • antivirus-2008y-pro.com A 91.203.92.64

Looking at the domain names associated with these two IPs shows definitively that the comment spam I was investigating is linked to the rogue antivirus spam everyone is discussing. Getting back to the URL tracing, here is a snapshot of the pop-up window I received when redirected to this server:

Clicking “OK” will download the rogue antivirus software, which I would not recommend doing. Interestingly enough, this rogue antivirus software is very persistent in trying to get the user to install it, as clicking cancel will redirect you to a fake online virus scanner, shown here:

Taking a look at the source code for this page shows that the list of files being shown as scanned is stored in a file called “fileslist.js”. In this file you will find a JavaScript array containing 443 bogus file names used in the scanning animation. Also, if any type of click is performed inside the browser window it will cause another pop-up window, shown here:

Following the instructions presented in these pop-up windows will install the rogue antivirus software, but interestingly enough clicking cancel and trying to close the windows will kick off another pop-up window, shown here:

So as you can tell, the rogue antivirus application web page is very persistent in trying to get the visitor to download and install it. This persistence is most likely the reason this campaign has been so widely documented, as one mistake from a visitor and the badness is installed.

Now let’s take a look at what a visitor would see if they were to install this rogue security application. I went ahead and downloaded the binary and ran it in my sandbox. The very first installation pop-up window looks very professional and presents a license agreement which even includes a limited warranty. Here is a screenshot of this license agreement pop-up:

Once the “Continue” button is clicked the rogue security software is installed and the following scan window pops up:

Once the scan is completed the results are shown in another pop-up window telling the user multiple files have been found to be infected in some way or another. Here is a snapshot of the results window:

For my investigation I went ahead and chose the “protect this files now” button. Again a pop-up window was presented to me showing the different license packages sold for this rogue security software, seen here:

Clicking any one of the “subscribe now” buttons presents you with the following ordering form:

Well, as you can see from reading this post, the comment spam I followed was definitely related to the rogue antivirus software everyone seems to be writing about, or worse yet experiencing its badness first hand. I haven’t tried to remove this infection as I did this on a sandboxed computer, but I have read that many users have had success getting rid of this rogue software application by following these instructions: Bleeping Computers removal instructions.

I also ran the downloaded binary in several online sandboxes which you can check out here: VirusTotal Results 16/36 (44.45%), ThreatExpert Results, and Anubis Results.

One last thing to keep in mind about this rogue security software is that all of this is just one very large and elaborate phishing scam, so if anyone you know comes into contact with this rogue application make sure to advise them to contact their bank and/or credit card companies if they entered their personal information into the purchase form.

Posted in Malicious Domain, Phishing, Rogue Application | 2 Comments »

Storm spam leads to money laundering and more, oh my!

Posted by jeremy on 16th August 2008

Sorry for the lack of coverage this month, as I have been extremely busy catching up with everything after going to Blackhat and Defcon. Anyway, I spent a few hours watching the Storm Worm in my lab last night and this morning, and I have identified a few changes since the last time I looked at it. First off, the Storm Worm is not using its rootkit functionality anymore, and the binary installed in %WINDIR% is now named “neos.exe”, with its peer hash file being named “crock+mock.config”. The P2P peer hash file contained 857 peers, which is right in line with most of the samples I have taken this year. Here is the decoded IP and port list of those peers found in my sample: peers.txt.

The Storm domain names I have that are still active or more accurately maintain a domain status of “ok”:

  • nationwide2u.cn
  • worldpostcardart.com
  • superlettercard.com
  • yourlettercard.com
  • freepostcardonline.com
  • digitalaudiopostcard.com
  • lettercardadvertising.com
  • bestlettercard.com
  • audiopostcardmail.com
  • supergreetingcard.com
  • oldpostcardshop.com

None of these domains are resolving right now since their name servers are not answering A record requests at this time. The name servers I could identify are:

  • ns.brprbgok6.com 62.33.224.26
  • ns2.brprbgok6.com 124.121.82.50
  • ns3.brprbgok6.com 201.212.95.89
  • ns4.brprbgok6.com 89.109.28.87
  • ns5.brprbgok6.com 193.238.128.177
  • ns6.brprbgok6.com 74.129.81.83

Interestingly enough, the brprbgok6.com domain is in a “clienthold” status, so action has been taken against this domain, but that wouldn’t stop the above name servers from answering requests. Another interesting finding is that these name servers have a TTL of 172800, so they are not following the normal double fast flux structure for which the Storm Worm is famous. This is not abnormal for the Storm Worm either, though, as this type of behavior seems to occur at the end of each campaign and can be thought of as a final stage in the limitless transformations of themes that occur. Once the name servers stop participating in the fast flux design you can almost bet on seeing a new theme within a few days. These new themes also seem to start either on Monday or Tuesday mornings, so we will just have to wait and see if this holds true one more time.

I also found that all of the domains listed at the top of this posting, except for the older “nationwide2u.cn”, were registered on the same day using the same registrar and registrant information. Here is a copy of the whois record for one of the domains:

Registrar: RegTime.net Limited
Creation date: 2008-08-03
Expiration date: 2009-08-02

Registrant:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Administrative Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Technical Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722
Billing Contact:
Alexey Vasiliev
Email: alexvasiliev1987@gmail.com
Organization: Alexey Vasiliev
Address: Ol. Duducha 21/2 58
City: Novosibirsk
State: NSK
ZIP: 630000
Country: RU
Phone: +7.3834427722
Fax: +7.3834427722

The registrar is Regtime.net Limited, a Russian ICANN-accredited registrar that has been in business since 2001. This is also the first time I have seen the Storm authors use Regtime.net Limited for registering their domains. Hopefully Regtime.net will take action against these domain names soon, as the “love/postcard” theme seems to be the fall-back theme for Storm when new themes begin to lose effectiveness.

The Storm spam seems to be right in line with the norm, with one small exception. This exception is a phishing email that is going out concerning money laundering. Here is a copy of the email message I captured:

Subject: JOB $1800/WEEK – CANADIANS WANTED!
Date: Fri, 15 Aug 2008 16:27:29 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	format=flowed;
	charset="Windows-1252";
	reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2499
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2499

We are looking for canadians who would like to work from home
in an administrative support function for businesses.
Many of our clients are small businesses and executives
who are busy and on the go.

Administrative Assistants can work full or part time.
PART TIME ASSISTANTS must work a minimum of 10 hours per week.

Salary varies between $5,000 to $10,000 per month!

If interested,
get back to me at

hxxp://www.vik-budget.com

thank you

.
QUIT

Following the link in the email message will bring you to a phpBB forum posting dated Thu Dec 02, 2004 8:30 pm with a subject line of “Getting Started!” by the moderator of the forum, going by the alias “Supplier”, with a total of 34 posts on this message board. This all seemed really odd to me, as I have suggested in the past that individuals were paying for spam, but why would someone pay for spam on such an old, outdated posting? Interestingly enough, the vik-budget.com domain seems to be utilizing a fast flux design as well, rotating out A records every 180 seconds and serving up 17 individual IP addresses at a time. Here is a sample dig output just to clarify what I am trying to say:

;; QUESTION SECTION:
;vik-budget.com. IN A

;; ANSWER SECTION:
vik-budget.com. 180 IN A 86.104.87.45
vik-budget.com. 180 IN A 89.33.209.220
vik-budget.com. 180 IN A 93.81.55.7
vik-budget.com. 180 IN A 89.112.76.91
vik-budget.com. 180 IN A 89.47.118.38
vik-budget.com. 180 IN A 91.124.247.62
vik-budget.com. 180 IN A 93.80.234.159
vik-budget.com. 180 IN A 82.179.235.165
vik-budget.com. 180 IN A 79.112.24.125
vik-budget.com. 180 IN A 190.20.206.241
vik-budget.com. 180 IN A 92.100.98.229
vik-budget.com. 180 IN A 89.45.24.174
vik-budget.com. 180 IN A 92.100.21.65
vik-budget.com. 180 IN A 89.178.231.167
vik-budget.com. 180 IN A 81.181.112.38
vik-budget.com. 180 IN A 69.144.198.226

I went ahead and searched all of these IP addresses against ~180,000 archived IP addresses I have identified in the last six months that may have been associated with the Storm worm at some point in the past. The only one that returned a match against my database was “69.144.198.226”, so I don’t think this phishing phpBB site is operating on the Storm fast flux network, but I could be wrong. The name servers are also different for this phishing domain, so again I don’t think it is operating on the Storm fast flux network. Here is a list of the name servers for vik-budget.com:

  • NS1.VIPSAM.COM
  • NS2.VIPSAM.COM
  • NS3.VIPSAM.COM
  • NS4.VIPSAM.COM

One really cool discovery I had concerning these name servers is that they seem to be riding a fast flux network using a TTL of 180 seconds at first, but when that initial TTL expires a new TTL of 172800 is seen and the A record changes to a new IP address. Very odd stuff here, so I dug into the VIPSAM.COM domain and found it no longer resolves, but was used back in July to point to another online pharmaceutical site titled “Online Pharmacy”. This seems to be another very active and large pharmaceutical spam participant, with 70 other domain names currently resolving to this host and at least 63 other hosts sharing its name servers. Here is a screen shot of this pharmaceutical company website to give you an idea of what it currently looks like:

As you can tell, this was all very odd to me, and was actually the first time I was led to an online pharmaceutical spam site from a money laundering phishing site. I can’t say the two are owned and operated by the same person or organization, only that they are linked by name servers and shared hosting. I will let you be the judge of that.

Now getting back to the vik-budget.com phishing forum site. Here is a screen capture of the forum post that is presented by following the link in the Storm spam message:

So as you can see, it looks like a money laundering scheme in which the poster claims this to be a good and legal way of making money. I am not a lawyer or agent of the law, but this just doesn’t seem like it would be a good and legal way of making money. So I did a little digging and found that this exact forum structure, including identical forum content, could be found on other domains such as hdd-manager.com, WCA-Manager.com, xrs-capital.com, and can-budget.com. With all of the content being identical I would venture to say this is most likely a phpBB template in which the phisher simply changes the domain name and it modifies everything inside the forum to reflect this change, such as his or her email address. Looking into the whois records for these sites, all 4 domains (hdd-manager.com, wca-manager.com, xrs-capital.com, and can-budget.com) were created on March 11, 2008 with matching registrant information. Here is the whois record for wca-manager.com:

Domain Name………. WCA-Manager.com
Creation Date…….. 2008-03-11 10:22:01
Registration Date…. 2008-03-11 10:22:01
Expiry Date………. 2009-03-11 10:22:01
Organisation Name…. xiaowen
Organisation Address. No.12 chang’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. gr wen
Admin Address…….. No.12 chang’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 3498@34.com
Admin Phone………. +86.103093034
Admin Fax………… +86.103493934

Tech Name………… gr wen
Tech Address……… No.12 chang’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 3498@34.com
Tech Phone……….. +86.103093034
Tech Fax…………. +86.103493934

Bill Name………… gr wen
Bill Address……… No.12 chang’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 3498@34.com
Bill Phone……….. +86.103093034
Bill Fax…………. +86.103493934
Name Server………. ns4.nsi-centre.com
Name Server………. ns3.nsi-centre.com
Name Server………. ns2.nsi-centre.com
Name Server………. ns1.nsi-centre.com

Now the whois record for vik-budget.com wasn’t an exact match, but I am sure you can spot the similarities between the two:

Domain Name………. vik-budget.com
Creation Date…….. 2008-07-23 17:34:04
Registration Date…. 2008-07-23 17:34:04
Expiry Date………. 2009-07-23 17:34:04
Organisation Name…. xiaowen
Organisation Address. No.12 chan’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. xiaowen
Admin Address…….. No.12 chan’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 232@242.com
Admin Phone………. +86.102092094
Admin Fax………… +86.102482940

Tech Name………… xiaowen
Tech Address……… No.12 chan’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 232@242.com
Tech Phone……….. +86.102092094
Tech Fax…………. +86.102482940

Bill Name………… xiaowen
Bill Address……… No.12 chan’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 232@242.com
Bill Phone……….. +86.102092094
Bill Fax…………. +86.102482940
Name Server………. ns4.vipsam.com
Name Server………. ns3.vipsam.com
Name Server………. ns2.vipsam.com
Name Server………. ns1.vipsam.com

I also did some checking into the ICQ number, which seems to be legitimate: supplier. I didn’t try contacting this person for some social engineering, but I sure thought about it. I believe this to be the administrator or operator behind this scam, as his ICQ number is the only thing that never changes in this template. In my digging I also ran across a post at scamfraudalert.com where an administrator posted this same email template under the work-at-home scam section of their forums back in July: scamfraudalert.com posting. A little more Google magic and I was able to uncover even more information about this money laundering scam, which seems to have been around for over a year now: forum.419eater.com cs-funds and forum.419.com lvs-money.com.

The last thing I noticed in regards to the vik-budget.com domain was that it was currently being hosted on the same host as these two PhishTank-reported phishing sites: hsbc.update.citapedor.com and update.citapedor.com, which were phishing sites targeting HSBC bank back in mid July as far as I can tell. Could this be the same phisher? Well, I will let you be the judge again by simply posting the whois record for citapedor.com:

Domain Name………. citapedor.com
Creation Date…….. 2008-07-10 20:19:29
Registration Date…. 2008-07-10 20:19:29
Expiry Date………. 2009-07-10 20:19:29
Organisation Name…. xiaowen
Organisation Address. No.12 chan’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN

Admin Name……….. xiaowen
Admin Address…….. No.12 chan’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 232@242.com
Admin Phone………. +86.102092094
Admin Fax………… +86.102482940

Tech Name………… xiaowen
Tech Address……… No.12 chan’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 232@242.com
Tech Phone……….. +86.102092094
Tech Fax…………. +86.102482940

Bill Name………… xiaowen
Bill Address……… No.12 chan’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 232@242.com
Bill Phone……….. +86.102092094
Bill Fax…………. +86.102482940
Name Server………. ns2.godns1334.com
Name Server………. ns1.godns1334.com
Name Server………. ns3.godns1334.com
Name Server………. ns4.godns1334.com

So if you’re seeing what I am seeing, I would be fairly certain this is the same person or organization responsible for the past phishing attempts. I just have to wonder why they would use the same false information to register domains. If any of this really interests you I would suggest Googling using these suggested strings: “No.12 chang’an road”, “xiaowen phisher”, and “Organisation Name xiaowen”, which should provide you with an overall picture of just how long this phisher has been around and just how many different types of phishing scams this phisher has attempted without being caught, including eBay, PayPal, Facebook, LinkedIn, and numerous financial institution phishing sites. With unique whois records being the center of my little investigation it is almost dumbfounding to think we can’t put a stop to at least this one individual or organization.
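The whois pivot above (wca-manager.com, vik-budget.com and citapedor.com sharing the same registrant details, down to the chang’an/chan’an typo) can be done mechanically. This is an added example, not code from the original post: it parses the dot-leader whois layout quoted here and scores each pair of domains by shared registrant fields. The records are trimmed copies of the ones quoted above, and the 0.9 similarity threshold is my assumption.

```python
"""Pivot across the dot-leader whois records quoted in the post.

Added example, not from the original post. The records are trimmed copies of
the whois output quoted for wca-manager.com, vik-budget.com and citapedor.com;
the 0.9 threshold is an assumption chosen so a one-letter typo still matches.
"""
import re
from difflib import SequenceMatcher
from itertools import combinations

WHOIS_WCA = """\
Domain Name………. WCA-Manager.com
Organisation Name…. xiaowen
Organisation Address. No.12 chang'an road
Organisation Address.
Admin Name……….. gr wen
Admin Email………. 3498@34.com
Admin Phone………. +86.103093034
Name Server………. ns4.nsi-centre.com
"""
WHOIS_VIK = """\
Domain Name………. vik-budget.com
Organisation Name…. xiaowen
Organisation Address. No.12 chan'an road
Admin Name……….. xiaowen
Admin Email………. 232@242.com
Admin Phone………. +86.102092094
Name Server………. ns4.vipsam.com
"""
WHOIS_CITA = """\
Domain Name………. citapedor.com
Organisation Name…. xiaowen
Organisation Address. No.12 chan'an road
Admin Name……….. xiaowen
Admin Email………. 232@242.com
Admin Phone………. +86.102092094
Name Server………. ns2.godns1334.com
"""

# Field label, a run of leaders ("." or "…"), then the value (possibly empty).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)[.\u2026]+\s*(.*)$")
NOISE = {"Domain Name", "Name Server"}   # differ per domain; no pivot value

def parse_whois(text):
    """Return {field: [values]}; repeated fields (addresses, name servers) become lists."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m and m.group(2).strip():          # blank address lines carry nothing
            record.setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return record

def normalize(value):
    return re.sub(r"[^a-z0-9@]", "", value.lower())  # so 'No.12' == 'no 12'

def compare(a, b, threshold=0.9):
    """Split the fields both records carry into exact and typo-level near matches."""
    exact, near = set(), set()
    for field in (a.keys() & b.keys()) - NOISE:
        va, vb = normalize(a[field][0]), normalize(b[field][0])
        if va == vb:
            exact.add(field)
        elif SequenceMatcher(None, va, vb).ratio() >= threshold:
            near.add(field)
    return exact, near

def link_domains(texts, threshold=0.9):
    """Score every pair of records by the number of shared registrant fields."""
    links = {}
    for x, y in combinations([parse_whois(t) for t in texts], 2):
        exact, near = compare(x, y, threshold)
        key = (x["Domain Name"][0].lower(), y["Domain Name"][0].lower())
        links[key] = {"exact": sorted(exact), "near": sorted(near),
                      "score": len(exact) + len(near)}
    return links
```

Run over the three records, vik-budget.com and citapedor.com score 5 (identical registrant), while wca-manager.com only links to them through the organisation name and the near-identical street address.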

The only other spam I saw coming out of the Storm worm was the normal Pharmacy Express and Canadian Pharmacy stuff. I have noticed the Canadian Pharmacy spam is riding a little more complex fast flux network and makes up about 75% of all the spam coming from Storm Worm infected hosts. Here is a list of the domain names I captured during this analysis:

  • areatry.com
  • boardcow.com
  • boughttool.com
  • claimtie.com
  • drawbe.com
  • groupyellow.com
  • pitchinclude.com
  • presentalso.com
  • probablewide.com
  • whetherthus.com

Here is a sample dig query against one of the domains “areatry.com”:

;; ANSWER SECTION:
areatry.com. 120 IN A 89.139.42.151
areatry.com. 120 IN A 89.142.143.19
areatry.com. 120 IN A 89.169.184.21
areatry.com. 120 IN A 91.66.127.14
areatry.com. 120 IN A 118.168.25.176
areatry.com. 120 IN A 210.194.144.198
areatry.com. 120 IN A 213.211.44.132
areatry.com. 120 IN A 218.171.174.108
areatry.com. 120 IN A 218.190.85.230
areatry.com. 120 IN A 59.188.130.110
areatry.com. 120 IN A 61.224.205.217
areatry.com. 120 IN A 69.66.219.190
areatry.com. 120 IN A 75.139.130.32
areatry.com. 120 IN A 77.41.88.195
areatry.com. 120 IN A 77.127.162.69
areatry.com. 120 IN A 79.164.122.160
areatry.com. 120 IN A 79.172.80.138
areatry.com. 120 IN A 85.250.12.186
areatry.com. 120 IN A 85.250.27.81
areatry.com. 120 IN A 89.110.48.125

;; AUTHORITY SECTION:
areatry.com. 163448 IN NS ns1.er909erede.com.
areatry.com. 163448 IN NS ns1.ijekrii9.com.
areatry.com. 163448 IN NS ns0.er909erede.com.
areatry.com. 163448 IN NS ns0.ijekrii9.com.

As you can clearly see, the TTL is 120 seconds and 20 A records are served up as available for each lookup. This is definitely more complex than the Pharmacy Express spam.

The pharmacy express spam domains I discovered during this run were:

  • denvermedicaldoc.sg
  • doctordoctorlist.sg
  • funmedicaldoctor.sg
  • medicaldoc.sg
  • medspecialist.sg
  • medvisiondoctor.sg
  • medwaydoc.sg
  • ozmeddoc.sg
  • yourrecoverydoc.sg

These domains are also riding on a fast flux network, but only serve up one new A record every 5 minutes. Here is the output of my dig command for the “ozmeddoc.sg” domain:

;; ANSWER SECTION:
ozmeddoc.sg. 590 IN A 204.95.101.99

Don’t get the wrong idea here; I am not saying the Pharmacy Express site/domain is any less of a threat or nuisance than the Canadian Pharmacy site/domain. What I am saying is that the fast flux design is simplified for Pharmacy Express when compared to the Canadian Pharmacy design.
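The three dig outputs in this post (vik-budget.com, areatry.com and ozmeddoc.sg) are read the same way each time: the A-record TTL, the number of hosts returned, how spread out those hosts are, and whether the NS layer is fluxing too. This is an added example, not code from the original post, that makes that reading explicit; the inputs are constructed from the dig output quoted above (areatry.com trimmed to its first eight A records) and the thresholds are my assumptions.

```python
"""Read fast-flux characteristics off a dig answer the way the post does.

Added example, not code from the original post. DIG_AREATRY and DIG_OZMEDDOC
are constructed from the dig output quoted in the post (areatry.com trimmed
to its first eight A records); the thresholds are assumptions, not a standard.
"""
import re

DIG_AREATRY = """\
;; ANSWER SECTION:
areatry.com. 120 IN A 89.139.42.151
areatry.com. 120 IN A 89.142.143.19
areatry.com. 120 IN A 89.169.184.21
areatry.com. 120 IN A 91.66.127.14
areatry.com. 120 IN A 118.168.25.176
areatry.com. 120 IN A 210.194.144.198
areatry.com. 120 IN A 213.211.44.132
areatry.com. 120 IN A 218.171.174.108

;; AUTHORITY SECTION:
areatry.com. 163448 IN NS ns1.er909erede.com.
areatry.com. 163448 IN NS ns1.ijekrii9.com.
"""
DIG_OZMEDDOC = """\
;; ANSWER SECTION:
ozmeddoc.sg. 590 IN A 204.95.101.99
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")

def parse_dig(text):
    """Collect (ttl, rdata) pairs for A and NS records; other lines are ignored."""
    records = {"A": [], "NS": []}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            _owner, ttl, rtype, rdata = m.groups()
            records[rtype].append((int(ttl), rdata))
    return records

def assess_flux(records, max_ttl=600, min_hosts=5, min_prefixes=3):
    """Classify a domain's A records: many short-lived hosts, one rotating host, or static.

    max_ttl: anything at or below ten minutes counts as flux-style churn
    (the post's samples use 120, 180 and 590 seconds). A double-flux setup
    would also rotate the NS layer, which shows up as a short NS TTL; the
    post notes 172800 (two days) once that layer has stopped fluxing.
    """
    a_records = records["A"]
    ns_ttl = min((ttl for ttl, _ in records["NS"]), default=None)
    if not a_records:
        return {"verdict": "no-answer", "hosts": 0, "ttl": None,
                "prefixes": 0, "ns_ttl": ns_ttl, "ns_flux": False}
    ttl = min(ttl for ttl, _ in a_records)
    ips = {ip for _, ip in a_records}
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}   # /16 diversity
    if ttl <= max_ttl and len(ips) >= min_hosts and len(prefixes) >= min_prefixes:
        verdict = "fast-flux: many short-lived A records across unrelated networks"
    elif ttl <= max_ttl:
        verdict = "single rotating A record"
    else:
        verdict = "static"
    return {"verdict": verdict, "hosts": len(ips), "ttl": ttl,
            "prefixes": len(prefixes), "ns_ttl": ns_ttl,
            "ns_flux": ns_ttl is not None and ns_ttl <= max_ttl}

if __name__ == "__main__":
    for sample in (DIG_AREATRY, DIG_OZMEDDOC):
        print(assess_flux(parse_dig(sample)))
```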

Posted in Bots and Worms, Malicious Domain, Phishing, Storm Worm | No Comments »