Saturday, June 30, 2007

More greeting card spam

The greeting card spam wave continues. Subject lines vary somewhat; here's a sampling from today:
  • You've received a greeting card from a class-mate!
  • You've received a greeting card from a colleague!
  • You've received a greeting card from a family member!
  • You've received a greeting card from a friend!
  • You've received a greeting card from a neighbor!
  • You've received a greeting card from a school mate!
  • You've received a greeting ecard from a class-mate!
  • You've received a greeting ecard from a colleague!
  • You've received a greeting ecard from a family member!
  • You've received a greeting ecard from a friend!
  • You've received a greeting ecard from a neighbour!
  • You've received a greeting ecard from a partner!
  • You've received a greeting ecard from a worshipper!
  • You've received a greeting postcard from a colleague!
  • You've received a greeting postcard from a family member!
  • You've received a greeting postcard from a friend!
  • You've received a postcard from a class-mate!
  • You've received a postcard from a colleague!
  • You've received a postcard from a family member!
  • You've received a postcard from a partner!
  • You've received an ecard from a partner!
  • You've received an ecard from a worshipper!
They are now linking directly to IP addresses (rather than the .hk sites used in the early stages).

The Internet Storm Center has an excellent analysis.

Here's a sample 'index.html' file:


The hex code goes on for a while:


The file is obfuscated as hex escapes XORed with a single-byte key. The key in this case is '227' (it changes with each copy, a simple form of polymorphism). This Perl one-liner will decode the XORed hex:

perl -e 'while(<>){
  # replace each \xNN escape with the byte NN XOR 227 (the key for this copy);
  # the /i flag also accepts upper-case hex digits
  s/\\x([a-f0-9]{2})/chr(227)^pack("C",hex($1))/egi;
  print;
}'


If you are analyzing your own copy, change the '227' in the Perl code to match the key used in that index.html file.
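The same decoding as a stand-alone Python script (an added example, not code from the original post): it performs the XOR-of-hex-escapes transform the Perl one-liner does, and goes a step further by recovering the per-copy key itself, trying all 256 single-byte values and looking for a script tag (falling back to the most printable result), so the key does not have to be read out of each index.html by hand. The obfuscated sample and the host name EXAMPLE-HOST are constructed for this example.

```python
import re

# Matches the \xNN escapes the obfuscated page is built from (either hex case).
HEX_ESCAPE = re.compile(rb"\\x([0-9a-fA-F]{2})")


def decode_xor_hex(blob: bytes, key: int) -> bytes:
    """Replace every \\xNN escape with the byte NN XOR key; other text is kept as-is."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16) ^ key]), blob)


def recover_key(blob: bytes, marker: bytes = b"<script") -> int:
    """Brute-force the single-byte key.

    The first key whose output contains the marker wins; if none does, the key
    producing the highest share of printable bytes is returned instead.
    """
    best_key, best_score = 0, -1.0
    for key in range(256):
        out = decode_xor_hex(blob, key)
        if marker in out:
            return key
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in out)
        score = printable / max(len(out), 1)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def encode_xor_hex(plain: bytes, key: int) -> bytes:
    """Build the \\xNN form of `plain`; used here only to construct the sample."""
    return b"".join(b"\\x%02x" % (b ^ key) for b in plain)


# Constructed sample: a script block XORed with key 227 and embedded in a small
# HTML wrapper, in the same shape as the spam's index.html (host is a placeholder).
KEY = 227
PLAIN = b'<script type="text/javascript">var u="http://EXAMPLE-HOST/file.php";</script>'
SAMPLE = b'<html><body>document.write("' + encode_xor_hex(PLAIN, KEY) + b'");</body></html>'

if __name__ == "__main__":
    key = recover_key(SAMPLE)
    print(f"recovered key: {key}")
    print(decode_xor_hex(SAMPLE, key).decode("latin-1"))
```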

The de-obfuscated code looks like this:


Among other nastiness, it retrieves the file http://XX.252.250.104/file.php, which is really a Windows executable that BitDefender identifies as: "Generic.Malware.dld!!.2526793B"

3 comments:

Anita said...

Anyone can get rid of spam emails from unknown and unwanted senders. There's anti-spam software that can be installed on your computer to filter spam emails. I have this software on my computer as well to stay away from spam emails.
