This document summarizes the malicious spam one mailbox received in January 2013: eight messages in total, covering Viagra, job offers, banking, and criminal background checks. The messages carried malicious links, and their sender information indicated that they were sent from compromised systems; the senders often used link masking and domain proxy services to hide the true source.
Malware SPAM - January 2013
1. MALWARE SPAM – JANUARY 2013 *

Total # received: 8^
Type - Viagra: 1
Type - Job: 1
Type - Green Card: 1
Type - Banking: 2
Type - LinkedIn: 0
Type - Criminal Background Check: 2
Type - Other: 1
Malicious Link: 7
Malicious Attachment: 0
Attachment Type - .ZIP: -
Attachment Type - .DOC: -
Attachment Type - .PDF: -
Sent from malformed email header: 7
Sent from compromised known contact: 0
Contains my email address in "TO" field: 5

* Malicious SPAM is defined by me as any unsolicited email that contains a potential information security risk. This does not include the usual marketing newsletter emails. Only those for which there is not a prior affiliation and that make it into my mail box.
^ January 2013 is not a complete month due to the automatic deletion rules of my account.
2. JANUARY 2013 - DETAILS

Columns: #; Date; Type; Malicious Link (Link, Shortener, Link Masking, Link Host, Link Risks); Malicious Attachment (Attachment, Type); Sent from malformed email header; Sent from compromised known contact; Listed Email Host; Real Email Host; Domain Proxy Service; Registration Information / Country; Hosting Domain (IP); Contains my email address in "TO" field.

1. 14/01/2013 - Green Card
   Malicious link: Yes; Shortener: No; Link masking: Yes - Basic; Link host: phpconvey.com; Link risks: -
   Malicious attachment: No; Type: -
   Sent from malformed email header: Yes; Sent from compromised known contact: No
   Listed email host: canforward.com
   Real email host: phpconvey.com, fineoffr.com (via mail.visimail.org)
   Domain proxy service: fineoffr.com - Yes (WhoisGuard); phpconvey.com - No
   Registration information / country: USA; fineoffr.com - Unknown (do4u.co.il, a.gtld-servers.net); phpconvey.com - Israel (do4u.co.il, digital-campaign.info)
   Hosting domain (IP): fineoffr.com - UK; phpconvey.com - UK (by eukhost.com)
   Contains my email address in "TO" field: Yes

2. 15/01/2013 - Job offer
   Malicious link: No; Shortener: -; Link masking: -; Link host: -; Link risks: -
   Malicious attachment: No; Type: -
   Sent from malformed email header: No; Sent from compromised known contact: No
   Listed email host: hotmail.com
   Real email host: hotmail.com
   Domain proxy service: N/A
   Contains my email address in "TO" field: Yes

3. 23/01/2013 - Direct Deposit Bank
   Malicious link: Yes; Shortener: No; Link masking: Yes - Basic; Link host: rogercbryan.com
   Link risks: 1. Performs File Modification and Destruction. The executable modifies and destructs files which are not temporary. 2. Changes security settings of Internet Explorer. This system alteration could seriously affect safety surfing the World Wide Web. 3. Performs Registry Activities. The executable creates and/or modifies registry entries.
   Malicious attachment: No; Type: -
   Sent from malformed email header: Yes; Sent from compromised known contact: No
   Listed email host: direct.nacha.org
   Real email host: gdoehling.de (via bartstals.be)
   Registration information / country: bartstals.be - Belgium; gdoehling.de - Germany; rogercbryan.com - USA
   Hosting domain (IP): bartstals.be - Netherlands (by instep.be); gdoehling.de - Germany (by strato.de); rogercbryan.com - USA (by softlayer.com)
   Contains my email address in "TO" field: Yes

4. 23/01/2013 - Criminal background check
   Malicious link: Yes; Shortener: No; Link masking: Yes - Basic; Link host: amazonaws.com; Link risks: -
   Malicious attachment: No; Type: -
   Sent from malformed email header: Yes; Sent from compromised known contact: No
   Listed email host: yahoo.com
   Real email host: 180.248.23.146
   Domain proxy service: 180.248.23.146 - Yes
   Registration information / country: 180.248.23.146 (no Whois record); -
   Hosting domain (IP): 180.248.23.146 - Indonesia (by telkom.net.id)
   Contains my email address in "TO" field: No (ISP tpg.com.au listed as recipient)

5. 24/01/2013 - Direct Deposit Bank
   Malicious link: Yes; Shortener: No; Link masking: Yes - Basic; Link host: maxime-tortelier.com
   Link risks: 1. Watches MSN Messenger (msmsgs.exe) 2. Watches the Windows login (winlogon.exe)
   Malicious attachment: No; Type: -
   Sent from malformed email header: Yes; Sent from compromised known contact: No
   Listed email host: direct.nacha.org
   Real email host: cswineimports.com (via nadaorganics.com)
   Domain proxy service: cswineimports.com - Yes (Network Solutions Private Registration)
   Registration information / country: nadaorganics.com - Australia (lifeflowki.com); cswineimports.com - Unknown; maxime-tortelier.com - France
   Hosting domain (IP): nadaorganics.com - USA (by GoDaddy.com); lifeflowki.com - No DNS record; cswineimports.com - USA (by lunarpages.com); maxime-tortelier.com - Germany (by oneandone.net)
   Contains my email address in "TO" field: Yes

6. 24/01/2013 - Fake emergency warning
   Malicious link: Yes; Shortener: No; Link masking: Yes - Basic; Link host: amazonaws.com; Link risks: -
   Malicious attachment: No; Type: -
   Sent from malformed email header: Yes; Sent from compromised known contact: No
   Listed email host: yahoo.com
   Real email host: 187.151.36.39
   Domain proxy service: 187.151.36.39 - Yes
   Registration information / country: 187.151.36.39 (no Whois record); -
   Hosting domain (IP): 187.151.36.39 - Mexico (by UNINET.NET.MX)
   Contains my email address in "TO" field: No (yahoo.com listed as recipient)

7. 26/01/2013 - Viagra / Stamina
   Malicious link: Yes; Shortener: No; Link masking: No; Link host: aroni.com.tr
   Link risks: 1. Redirects to marijuanarxmedicine.com
   Malicious attachment: No; Type: -
   Sent from malformed email header: Yes; Sent from compromised known contact: No
   Listed email host: None
   Real email host: mail.bn.by (via mail.bn)
   Registration information / country: bn.by - Belarus (ties.itu.int); aroni.com.tr - Turkey (veriturk.com); marijuanarxmedicine.com - Russia (cheapbox.ru)
   Hosting domain (IP): ties.itu.int (International Telecommunication Union) - Switzerland; aroni.com.tr - Turkey (by gridtelekom.com / grid.com.tr); marijuanarxmedicine.com - UK (by as29550.net)
   Contains my email address in "TO" field: Yes

8. 27/01/2013 - Criminal background check
   Malicious link: Yes; Shortener: No; Link masking: Yes - Basic; Link host: amazonaws.com; Link risks: -
   Malicious attachment: No; Type: -
   Sent from malformed email header: Yes; Sent from compromised known contact: No
   Listed email host: yahoo.com
   Real email host: 41.135.96.182
   Domain proxy service: 41.135.96.182 - Yes
   Registration information / country: 41.135.96.182 (no Whois record); -
   Hosting domain (IP): 41.135.96.182 - South Africa (by mweb.com, via mweb.co.za, optinet.net)
   Contains my email address in "TO" field: No (ISP tpg.com.au listed as recipient)

TOTAL: Malicious link 7/8; Shortener 0; Link masking 6/7; Malicious attachment 0; Sent from malformed email header 7/8; Sent from compromised known contact 0; Contains my email address in "TO" field 5/8
January SPAM emails were analysed on 14/02/2013, therefore some links were no longer active (e.g. Amazon Web Services).
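The detail table records, for every message, a listed sending host versus the real one taken from the Received chain, whether a link shortener or link masking was used, and whether the recipient's own address appears in the "TO" field. The Python script below is an added example, not part of the original slides, that derives those same fields from a raw message using only the standard library. The sample message, its host names and addresses, and the small shortener list are constructed for the example; the "malformed header" column is approximated here as a mismatch between the From domain and the hosts in the Received chain, which is this example's heuristic rather than the author's method.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of public URL shorteners for the "Link Shortener" check.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Constructed sample message: hosts and addresses are placeholders, not from the report.
SAMPLE_MESSAGE = """\
Received: from mail.relay.example (mail.relay.example [203.0.113.10])
    by mx.recipient.example with ESMTP id abc123; Wed, 23 Jan 2013 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.relay.example with SMTP; Wed, 23 Jan 2013 09:59:00 +0000
From: "Direct Deposit" <noreply@listed-bank.example>
To: victim@recipient.example
Subject: Direct deposit notice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your deposit is pending. Review it at
<a href="http://link-host.example/x.php?id=1">https://www.listed-bank.example/deposits</a>
or <a href="http://bit.ly/abc123">click here</a>.</p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Host part of a URL, or of bare text such as 'www.example.com/path'."""
    text = url_or_domain.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def looks_like_url(text):
    """True when the anchor text itself reads as a web address."""
    return bool(re.match(r"(https?://|www\.)", text.strip(), re.IGNORECASE))


def _html_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def _received_hosts(msg):
    """Every 'from'/'by' host named in the Received chain."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        for m in re.finditer(r"\b(?:from|by)\s+(\S+)", hdr):
            hosts.append(m.group(1).strip("[]();").lower())
    return hosts


def analyse(raw_message, my_address):
    msg = message_from_string(raw_message)
    listed_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    # Received headers are prepended by each hop, so the last one is the
    # earliest hop: the host that actually injected the message.
    real_host = None
    if received:
        m = re.search(r"\bfrom\s+(\S+)", received[-1])
        real_host = m.group(1).strip("[]").lower() if m else None
    chain = _received_hosts(msg)
    mismatch = not any(h == listed_host or h.endswith("." + listed_host) for h in chain)

    parser = _LinkExtractor()
    parser.feed(_html_body(msg))
    links = []
    for href, text in parser.links:
        host = host_of(href)
        # Masking: the visible text is itself an address, but points somewhere else.
        links.append({"host": host, "displayed": text,
                      "shortener": host in KNOWN_SHORTENERS,
                      "masked": looks_like_url(text) and host_of(text) != host})

    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    return {"listed_email_host": listed_host, "real_email_host": real_host,
            "sender_host_mismatch": mismatch, "links": links,
            "recipient_in_to": my_address.lower() in to_addrs}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_MESSAGE, "victim@recipient.example"), indent=2))
```

Run on the sample, the report shows the listed host (listed-bank.example) differing from the real injecting host (198.51.100.7), one masked link whose visible text names the bank but whose href goes to link-host.example, one shortener link, and the recipient present in "TO". Only the last Received header is trustworthy for the real host, since any earlier ones could have been forged by the sender.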