For a malware researcher, getting an e-mail from a family member, friend, or co-worker about something fishy they found in their in-box is just like getting a tiny little Christmas present. It’s always fun to do a quick investigation and report back.
A few days ago, I got such an e-mail from a fellow Blue Coater:
The below link came through in an email sent from someone I know, but looks like it was spammed from her address book. …so I thought I would send it your way.
The link in question was a page on 109mdr.co.uk.
As is typical of spam e-mails, the 109mdr.co.uk domain appears to be a one-time-use junk domain with very incomplete camouflage, set up by the spammer. These domains are typically only used in one spam campaign, and then discarded.
The spam relayed to a domain called walgreensrxpharmacy.net — a more “realistic” (and therefore useful) name that a Bad Guy would hope to get some mileage out of in several spam campaigns.
Anyway, I added both domains to our database as Suspicious. (Well, actually, as I went to add the walgreensrxpharmacy.net domain, I saw that our Background Checker had just added it about an hour previously. Curses! Beaten again by the computer!)
Which brings us to one of the main points of this blog post:
We’ve been doing some experimenting lately with focusing the Background Checker’s “Death Ray” on spammer networks, under the theory that their networks are also sufficiently large and complex to have characteristics that it can track. And it turns out that our theory was right… Consequently, while the WebPulse team continues to have malware as its primary focus, you can expect better filtering of generic spam networks going forward, not just the malicious ones. Consider it a July Christmas present from us to you.
As for my colleague’s friend? Here was my advice:
As for your friend, a trip to a local computer doctor is in order, as sending out pharma-spam is pretty conclusive evidence that her computer is now part of a botnet. She should also immediately refrain from doing any on-line banking, or shopping where she’s entering credit card numbers, until her box gets a clean bill of health. I would also advise against logging into Facebook or Email until then, as the Bad Guys love to grab those credentials as well, for targeted spam and “snam” [social networking spam] attacks.
Oh, and tell her to install K9, as K9 + AV is absolutely required on home computers these days.
–C.L.
Leave a reply
