NEWS FROM THE LAB - Wednesday, October 8, 2008

You've Got Spam Posted by Response @ 04:41 GMT

Everyone gets malware-tainted spam nowadays. Here's one targeted at the Brazilian online banking crowd.

[Screenshot: spam e-mail]

Clicking the imagen2.jpg link opens a popup that asks you to download "the image". What that link actually downloads is a file detected as Trojan-Downloader:W32/Banload.FUA. Executing it downloads and runs Trojan-Spy:W32/Agent.BSV and Trojan-Spy:W32/Banker.ITH, two trojan-spies that harvest personal and banking information from the infected machine.

Trojan-Spy:W32/Agent.BSV gathers e-mail addresses from the infected machine, then uploads a text file containing the harvested addresses to the server ftp://ftp.golfacil.web.br.com/[...]/[...]/. As you can see in the code for the spam e-mail below, every address in that text file is then targeted with more of the same spam. Chances are, most of these e-mails won't reach native Portuguese speakers. Reading spam e-mail — great reason to learn a new language.

[Screenshot: spamming harvested e-mail addresses]

Incidentally, the same server also hosts PHP scripts used for the spamming: one is detected as HackTool:PHP/Spammer.A, the other as HackTool:PHP/Spammer.B.

Meanwhile, Trojan-Spy:W32/Banker.ITH gathers banking information and posts it to a PHP script on that same server.

To hide all this activity, the attacker(s) put up this message on the home page.

[Screenshot: "Under Construction" home page]

Hmm. The page is "under construction", but there's a live URL leading to it in spam e-mails? Cute.

Response team post by Lordian