Monday, July 14, 2008

Storm Of Stupidity

I'm pretty certain that if you're reading this blog, you're well aware of these messages promoting "news stories" which are in fact links to hijacked servers pushing out new Storm Worm infections.

For the inbound spam I received over the past several days, 100% of what used to be spam for VPXL (or its bogus new names "PowerEnlarge" or "MaxGain+") is now spam promoting hijacked websites which will attempt to infect you with the Storm worm. But the idiot who's sending it has confused his subject lines and message bodies. More on that later.

Check out this utterly retarded listings of "headlines" the criminals behind the Storm Worm want us to believe are true. (Subject line and body are in sequential order):

Subject lines:


  • Even politicians need a day off

  • Cheap fuel available in Texas

  • Dark Knight free tickets up for grabs

  • Barack Obama pulls out from Presidential Race

  • Orgies discovered in Hollywood

  • Baby borned with 2 privates

  • Barack Obama graft trial begins

  • Afghan captial in mourning

  • Stray javelin kills promising US sprinter

  • Charred bodies found near White House

  • Obama's karma over slip of tongue

  • Local family found hidden gold

  • Best prediction for upcoming lottery

  • Bomb scare in JFK causes delays

  • Google-Yahoo merger announced

  • Microsoft takes over Yahoo Inc



Message Bodies:


  • Osama bin Laden spotted in Texas, vows revenge on US

  • China pulls out of hosting 2008 Olympic games

  • Picture of boss doing secretary

  • Floods in Bahamas claims hundreds of lives

  • Women love it long and hard up their love hole.

  • Don't let your kids out late - 12 juveniles missing in Connecticut

  • Hilary Clinton screams bloody murder over loss, vows revenge on Obama

  • All the best techniques to bed a girl recordered right here.

  • Tasty come is very important to women, enhance its flavor here

  • She likes her kitty stretched and do you have the capability to do it?

  • Dying for a flaming hottie, ram the slutty devil tills she cry foul.

  • Guess the right number and win 10000

  • Magic Johnson dies of AIDS at 49

  • Global warming declared a hoax by US Senate

  • Louis Vuitton gives out free bags to poor in New York

  • Celebrity blogger reveals all



This is to the tune of several hundred messages received per day.

In every single case: these are obvious, outright lies. Not only that: they're extremely poor attempts at outright lies. I know of six-year-olds who would be far more convincing at writing this stuff.

If they genuinely wanted to pique the public's interest in actual, legitimate news (something they were trying before by referring to genuine news stories, claiming that you would be downloading a video) then maybe I wouldn't be so pissed off at receiving this crap. But if they have to stoop to outright bold-faced lies, with no care whatsoever that they be taken the slightest bit seriously, I think I have to ask: who are you idiots who keep clicking on these stupid links in these emails?! How out of touch are you, exactly?

Are you that disconnected that you seriously believe that Osama Bin Laden would actually expose himself to the media in Texas? Or that after the past year and a half of campaigning (and millions of dollars spent,) that Barak Obama would pull out of the US presidential race? And what legitimate news service would ever use the word "borned" in an actual headline?

Who are you people?!

Note also that in several cases this complete moron of a mailer has confused his subject lines for the Storm worm, with message bodies promoting VPXL or PowerEnlarge. It's so obvious that this is the same mailer that it might as well be considered a fingerprint. And in the last case, the subject and body are identical to those for a VPXL spam message received last month. But the link is pointing to a storm site (again: a hijacked site, which has illegally been used for this purpose.)

Here's a sampling (far from complete I'm sure) of the infected servers which are being used in today's spam attacks promoting the Storm worm:


  • http://activiteitenclubs.info/

  • http://tatianavidal.com.br/

  • http://www.asto.sk/

  • http://www.stirparo.net/

  • http://laovejanegraylg.com/

  • http://sweetcharitygifts.org/

  • http://dc-nfz.de/

  • http://www.testforum.familien-cafe.de/

  • http://sohodesign-ec.com/

  • http://www.noniforlife.de/

  • http://neoma-interactive.com/

  • http://franjaderecho.com.ar/

  • http://216.120.229.16/

  • http://def.livenet.pl/

  • http://solscreen.com/

  • http://test-djs.com/



I'm omitting any mention of the target html or exe files which the Russian group has placed on all of these sites. (If you've received these messages, you know what they are already.)

In every case, the resulting page is attempting to mimic the infamous "PornTube" website, featuring what appears to be an underage nude female and several completely bogus (but still offensive) comments. It's most definitely not safe for work, and it's an unconvincing template.

Speaking of which:

If you actually were stupid enough to click on one of these links, assuming you'd be seeing news footage of "floods in the Bahamas": why on earth would you continue to allow this download to take place even after you discovered (essentially) that the site was instead pornographic?

Why are you people using a computer at all?

If you are reading this and you are the operator of one of these domains, you should be aware that the spammer behind this (or more likely his sponsor) have complete control over your server. If you're the ISP who is hosting one of these sites: you should really upgrade your systems.

You can discover a variety of methods this criminal group has used to gain full access to your web server at the following url:

http://www.malwaredomainlist.com/forums/index.php?topic=1878.0

That research is ongoing of course.

Spammers and their supporters love to boast about how stupid Westerners are (or basically: non-Russian's / non-Romanian's.) If you've gotten infected by knowingly clicking on links in these completely idiotic messages: you are only proving their point.

I have to ask again: Who are you people?!

Stop clicking on links within spam messages!! Whenever you do so, you are supporting known criminal organizations. Turn your computer off now.

Honestly, people...

SiL / IKS / concerned citizen

6 comments:

why-not-order-at-spammers said...

People are n00bs, simply as that. New users buy computers every day.

Btw. is there a resource of your famous Prestige Replicator? The old seems not to work anymore. Would be nice if there is a fix URL which also have updates ever so often.

IKillSpammerz said...

> People are n00bs, simply as that. New users buy computers
> every day.


I agree, but given that this is the year 2008: shouldn't there be some basic level of security provided when setting a user up with their new computer?

It's aggravating that this is still not in place. Microsoft (above all) should be ashamed that they have essentially provided the complete platform for organized crime to bombard the entire world with scams and illegal propositions on a daily basis.

> Btw. is there a resource of your famous Prestige Replicator?
> The old seems not to work anymore. Would be nice if there is
> a fix URL which also have updates ever so often.


Not anymore, thanks to the sponsors behind these spam operations DDOS'ing them out of existence. I still maintain contact with a large number of colleagues who still keep these in operation. For obvious reasons any static location for that or any of the other tools I maintain would be attacked relentlessly. That's because they work. :)

SiL

Anonymous said...

Oh yeah that's another thing, it's all one group of people infecting and distributing proxy trojans. People don't understand that there are hundreds of thousands of people doing this but this is kind of good in a way because usually a few people go down for the whole ordeal. 'fall guys' people think like they all know eachother or something lol.. it' so easy , you can get a simple proxy trojan bot coded on any freelance programming website for very little money and then mail it out or use browser exploits. simple winsock.

why-not-order-at-spammers said...

>> People are n00bs, simply as that. New users buy computers
every day.

> I agree, but given that this is the year 2008: shouldn't there be some basic level of security provided when setting a user up with their new computer?

No. They are just newbies, no basic knowledge.

People in my environment just don't care. They want to do their work, not interested in security. A neighbor installs a new virus every week, I wipe his Windows and reinstall it and next week he did it again. I can tell him 1000 times that a pr0n.exe is no video. He does not learn.

Then there are a mentioned newbies. Every day some clueless guys buy a new computer, not reading computer news or interested in TV. That won't change even if it's 2020.

>> Btw. is there a resource of your famous Prestige Replicator? [...]

> Not anymore, thanks to the sponsors behind these spam operations DDOS'ing them out of existence. I still maintain contact with a large number of colleagues who still keep these in operation. For obvious reasons any static location for that or any of the other tools I maintain would be attacked relentlessly. That's because they work. :)

I understand and agree, though I would like to contribute to it. In case you have my email addy from this post it'll be nice if you could update me with them ever so often. If not, I'd understand it, as you don't know me and thus cannot trust.

Anonymous said...

I did some investigation into this. If you don't want to infect them yourselves, there are plenty of people you can pay for loads/installs nothing really to it. when the bot gets detected you recrpyt it with a simple cryptor. Meanwhile, MSRT is trying frantically to patch wasting their time. These people are making millions. too much money involved, now with this botmailing technology.. you don't even need the broadband.. it's all web admin interface and you can send alot of volume in a short amount of time. pay $20 per 1k loads or run an exploit loader sit back and watch the stats go wild.

IKillSpammerz said...

Yes, that's correct, it is a profit-based model to get as many infections as possible.

However this is not done the same way as most of the known "loads" are handled, which are typically done by placing a hidden iframe into the html of a site, allowing for a "drive-by" install.

It doesn't really matter how it's being done, though. Spammers get paid different rates depending on where, geographically, the newly-infected computer is located.

It's frustrating that so many computer users are so gullible that they'll continually re-infect their computer.

SiL