A closer look at a Swine Flu spam
Friday May 1, 2009 at 3:44 am CST
Posted by Guilherme Venere
It’s been just a few days since we started talking about spam using Swine Flu as a way to catch user’s attention to sell pills. This time, however, the message is not very “healthy”:
The message above is in Portuguese, and goes like this: “For those who still don’t know, the pictures below show the Swine Flu terminal stage, the experts are trying to calm people down, but the pictures show that calm down is the only thing we shouldn’t do. See how the patient becomes in advanced stage”.
As we saw yesterday on David’s post, Brazil is the number one source of spam related to Swine Flu. In this case, the spammers use the name and logo of the biggest TV network in Brazil, Rede Globo, to catch user’s attention. But remember, this is a spam; they use this to make users believe that the news is true.
Links lead to two different malware files:
http://cch.[removed].dk/images/thumb/xxx/alerta.php?atencao=visualizar
=> Foto.29.04.2009.com
http://[removed].ru./uploaded/alerta.php?atencao=ver
=> Foto.29.04.2009.jpg.exe
They are identified as PWS-Banker-dldr and PWS-banker-gen.g
The file Foto.29.04.2009.com is a downloader which drop the URL below as C:\WINDOWS\temp\configura.exe
http://201.xx.xxx.xxx/manual/programs/ht/ht/zu/zu/abrir/Pcrazy.gif
And this file is identified as PWS-Banker-gen.b
This is a common banker malware which overlays a fake image over real the banking site. Here’s an example of a sequence telling the user his account will be suspended if he doesn’t update his information with the bank, then asking him to enter their personal information and even his credit card data:
The information about the hacked machine and banking data are then posted to the sites below:
hxxp://[removed-1].100webspace.net/post.php
hxxp://[removed-2].100webspace.net/post.php
hxxp://[removed-3].100webspace.net/post.php
hxxp://[removed-4].100webspace.net/post.php
This is the strings appended to the URLs above:
tipo=inf&tip=[machinename]+[username]&inf=INFECTADO%0D%0A&
But one image inside this malware called our attention. The image below tries to disguise itself as the website for the Brazilian National Security Agency (SENASP), a site used by Brazilian law enforcement agents to research information about Brazilian citizens:
They attempt to steal usernames and passwords for this site. If the miscreants get access to this site they would be able to get information about any Brazilian citizen they want, even the president. Now tell me about identity theft!
As we can see an apparently innocent e-mail could cause your banking information to be stolen and even have more serious implications as the case above.
May 1st, 2009 at 07:09
[...] these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and [...]
May 1st, 2009 at 10:34
[...] these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and [...]
May 2nd, 2009 at 00:49
[...] have of course noticed this and their already taking advantage of the fear for Swine Flue. McAfee is reporting about spam emails trying to use Swine Flue to sell pills. If you follow the links in [...]
May 2nd, 2009 at 01:02
[...] McAfee is reporting about spam emails trying to use Swine Flue to sell pills. If you follow the links in any of the emails mentioned you end up at web sites trying to infect your computer with maleware, so you really shouldn’t trust any such emails. [...]
July 29th, 2009 at 10:21
[...] have of course noticed this and their already taking advantage of the fear for Swine Flue. McAfee is reporting about spam emails trying to use Swine Flue to sell pills. If you follow the links in [...]