May 31, 2012 | By Blog Staff

‘Windstream bill’ themed emails serving client-side exploits and malware

Cybercriminals are currently spamvertising millions of emails impersonating the Windstream Corporation, in an attempt to trick end users and corporate users into clicking on links found in the malicious email.

Upon clicking on the links hosted on compromised web sites, users are exposed to client-side exploits served by the BlackHole web malware exploitation kit.

More details:

Screenshot of a sample malicious email used by the cybercriminals:

Spamvertised URL: hxxp://

Redirects to: hxxp:// (responding to, AS20454, ASN-HIGHHO

Client-side exploits served: CVE-2010-1885

Redirection chain for the client-side exploit: hxxp:// -> hxxp:// -> hxxp:// -> hxxp:// -> hxxp://

Upon successful exploitation, two executables are dropped on the infected hosts, MD5: 088ff8b667d3e6a6f968ad6b41aa4fb0 and MD5: 1b1bbf726902beb3b25d11fbdc58720f – detected by 11 out of 42 antivirus scanners as Worm:Win32/Gamarue.I; Gen:Variant.Kazy.72780.
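The indicators above (two MD5 hashes, a defanged redirection chain, and a brand-themed lure) are the kind of data a defender turns into a quick triage check. The following script is an added example, not code from Webroot or the original post: it refangs hxxp:// indicators, flags links in a "Windstream bill" email whose host does not belong to the brand's domain, splits a redirection chain into its hops, and matches file content against the two MD5s listed in the write-up. The brand domain (`windstream.com`), the email text and the hostnames are constructed assumptions for illustration.

```python
import hashlib
import re
from typing import List
from urllib.parse import urlparse

# MD5 hashes of the two dropped executables listed in the write-up.
KNOWN_BAD_MD5 = {
    "088ff8b667d3e6a6f968ad6b41aa4fb0",
    "1b1bbf726902beb3b25d11fbdc58720f",
}

# Assumption: the domain a genuine Windstream bill notification would link to.
# Replace with the domain(s) your organisation actually expects.
BRAND_DOMAINS = {"windstream.com"}

# Matches both live (http/https) and defanged (hxxp/hxxps) URLs.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s\"'<>]+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged hxxp:// indicator back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, count=1, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL, or '' if none."""
    return (urlparse(refang(url)).hostname or "").lower()


def is_brand_host(host: str) -> bool:
    """True if host is the brand domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def suspicious_links(email_text: str) -> List[str]:
    """Links in a brand-themed email whose host is not the brand's own."""
    return [m.group(0) for m in URL_RE.finditer(email_text)
            if not is_brand_host(host_of(m.group(0)))]


def redirect_hops(chain: str) -> List[str]:
    """Split an 'a -> b -> c' redirection chain into its hostnames."""
    return [host_of(part.strip()) for part in chain.split("->") if part.strip()]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def matches_known_bad(data: bytes) -> bool:
    """Exact hash lookup against the write-up's two MD5 indicators."""
    return md5_hex(data) in KNOWN_BAD_MD5


# Constructed sample lure (not a real message from the campaign).
SAMPLE_EMAIL = """\
From: "Windstream Billing" <billing@spoofed-sender.example>
Subject: Your Windstream bill is ready

View your bill: hxxp://compromised-site.example/view/bill.php?id=1234
Help: https://www.windstream.com/support
"""

# Constructed chain in the shape of the one reported above.
SAMPLE_CHAIN = "hxxp://compromised-site.example/view -> hxxp://redirector.example/go -> hxxp://exploit-kit.example/main.php"

if __name__ == "__main__":
    print("Suspicious links:", suspicious_links(SAMPLE_EMAIL))
    print("Redirect hops:", redirect_hops(SAMPLE_CHAIN))
    print("Known-bad sample?", matches_known_bad(b"not the dropped executable"))
```

The hash check is an exact lookup, which is all an MD5 indicator is good for: it catches the two specific binaries named here but nothing repacked or recompiled, so pair it with the link and redirect checks rather than relying on it alone.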

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
