November 10, 2010 By Andrew Brandt

Rogue AV Spam Invades Multiply, Yahoo Mail

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

While nowhere near the size of the mammoth Facebook, the social network Multiply is no slouch. Based in Boca Raton, Florida, the site is designed around not only sharing photos and videos with friends and family, but also a relatively novel concept called social shopping, which permits users of the site to shop together in a virtual marketplace, or even set up an Internet storefront. At last count, according to Multiply’s blog, the site has over 12 million users, which means that the Multiply Market may be one of the largest single shopping Web sites in Southeast Asia, where most of its users live.

I would never have even known about Multiply (it’s one of nearly 200 active social network sites listed on Wikipedia) if it weren’t for one of our Threat Research analysts, Rhoda Aronce, who hails from the Philippines and uses Multiply to keep in touch with family. She received an odd-looking message that appeared to come from Multiply on her Yahoo mail account yesterday, and it set off alarm bells. Good thing, too, because it looks like a spam campaign targeting Multiply users is trying to infect those users’ computers with a rogue AV that calls itself Antivirus Solution 2010 Next.

The initial spam message uses familiar social engineering tropes: It’s a message that looks like it was sent via Multiply’s servers to Rhoda’s Yahoo mail account. The message body reads

heyy! (username), do we know from some place isn’t it? so here’s a special video i did for you, ull recall me!, pls holler me back!!!, kisses <3

The message is dominated with a photo of what looks like a streaming video window that says Click here to see movie. That’s where the fun begins for researchers, but please, don’t click this at home, especially if you’re in the middle of shopping online. Leave getting infected to the professionals. If you see something like this in your email inbox, just delete the message.

The image of a video player was only that — a static picture of a video player. However, it was hotlinked to a bit.ly shortcut. We all remember the old put a + sign after the bit.ly shortlink to see its information page trick, right? Here’s what I was treated to:

So, as of last night, 984 people had clicked the spam message and followed the link. (That doesn’t mean 984 computers were infected — more on that in a minute.) Here are some stats about the geographic location of those people who clicked the links:

Now it starts to make sense. The single largest geographically identifiable collection of victims is based in the Philippines, followed by the US, Singapore, Indonesia, and a dozen other countries. Finally, the referrers tab tells us what page people were reading when they clicked their shortlinks. It looks like the largest percentage came straight from Multiply, while most of the rest were reading their Yahoo mail.

Now, when you click the link (the yourtube URL in the bit.ly window above), you’re taken to a page on a free Web hosting site which looks like this:

Yes, Madeleine, someone has taken a screenshot of Windows Media Player and dressed it up (badly — look at those crops, they cut off the edges of the window) to make it look like a streaming video page. Take note of that text below. Does that remind you of anything? Yeah, me too. Raiting x/10 should be a subtrope of its own.

If you click anywhere in the window, the fake player page displays a warning dialog which reads You must download new video codec to play this video file. Start downloading? with an “OK” and “Cancel” button.

If you click OK, you’re presented with a standard “File Download – Security Warning” dialog that asks whether you want to save or run the file. Anyone who clicks Run at this point is infected. If you click Save, you could still infect yourself by launching the program, named divxplayer.exe (MD5: 1967c9470706360a25afb5a5555d21fe), when it has been saved to your computer.

The installer first checked in with a Web site named httpguard.us (which is actually hosted on a machine in Russia). On our test system, the Trojan sent a query string to that server uniquely identifying the infected computer. The response from the server was just two characters: OK. Afterwards, the Trojan contacts a different site, httpwizard.us (hosted in the Netherlands), and sends a query asking the server for a URL where it can pull down a payload. As of last night, it wasn’t delivering a payload, but it was notable that the IP address hosting httpwizard.us is shared with antivirussolution2010next.com. Coincidence? There ain’t no such thing when it comes to rogue antivirus.

Now, the best part is that the doofus running this scam didn’t bother to protect his server in any way. What does that mean? Well, I was able to navigate through the directories on the server with just a browser and, by chance, happened to run into the source code for a PHP script he’s running on the backend. Here’s a picture of what it looks like.

From all appearances, the script does some geolocation search on the IP address of the visitor, tracks whether the infected user has accepted the EULA and whether or not they’ve installed the rogue. It then adds that information into a database. Looks pretty similar to what a lot of botherders do with their botnets for tracking infected users and analyzing them. It’s nicely commented in Russian, as well, which probably clears up any lingering doubts as to where this dog and pony show originates.

Bottom line, it appears no social network is too small or narrowly focused to be off a malware distributor’s radar screen. And it pays to be cautious, especially with spam, during this holiday shopping season, especially as we’re in the run up to Black Friday.
wordpress blog stats

Share Button
true