
Spammers' Innovations Throughout a Spam Campaign

07.22.2008 - 1:50 PM

We have been tracking the development of a constantly evolving spam campaign that started back in June. We first alerted on this campaign when commenting on the PornTube template spam. To recap: it was a big wave of spam messages enticing users to watch a video. The messages contained links to compromised sites, and those links always ended with r.html, leading to the Trojan file video.exe.

This campaign keeps re-emerging, each time spamming different page names on newly compromised sites. The attacks are socially engineered and are usually complemented by drive-by exploits located inside IFrames in the loaded pages. The first massive wave was seen in the middle of June and used a PornTube template. It is worth mentioning that Web site templates have become very popular lately; this trend is also discussed in Dancho Danchev’s blog.

The spam wave re-emerged after three weeks, yet again using the PornTube template but with different compromised hostnames in the spammed URLs, which at that time ended with main.html. Further related waves were spotted days later, each changing rapidly and again showing different characteristics.

These spam waves can be taken together and seen as one continuous campaign that keeps evolving over time. Here is a quick summary of some of the changes:

Each time a new wave emerges, some of the variables change; mainly, different hostnames and page names are spammed. A number of the waves re-use compromised hostnames, which serve primarily to evade filtering services that rely heavily on reputation. Furthermore, the social engineering vector keeps changing over time, starting with the PornTube template and continuing with a streaming video player template, which is a more generic one. The most recently seen template adds a banner and a fake "missing ActiveX object" prompt. The banner at the bottom supplies fake details about the non-existent movie to entice users to watch it.

Right about the middle of the continuous campaign, the social engineering vector took a twist by invoking Angelina Jolie: spammed messages included a nude picture to entice users to watch the video. Another change at that time was that spammed messages also contained links to the Trojans via open redirects at DoubleClick.

Here are some examples of the redirects:

http://ad.doubleclick.net/click;h=tQVMVhK *snip* ;~sscs=%3Fhttp://<removed>/msvideoc.exe
http://ad.doubleclick.net/click;h=zrVBGVv *snip* ;~sscs=%3Fhttp://<removed>/msvideoc.exe
http://ad.doubleclick.net/click;h=yISdqOA *snip* ;~sscs=%3Fhttp://<removed>/msvideoc.exe
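The redirect links above all carry the final destination in the `;~sscs=` parameter, URL-encoded and prefixed with `%3F`. The following is an added detection example written for this post (not code from the original blog or its authors): it decodes that parameter and flags click-tracker links whose destination is a Windows executable. The hostnames, the `h=` tokens and the extension list are constructed assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import unquote, urlparse

# The ad.doubleclick.net click links seen in the spam carry the destination
# after a ';~sscs=' parameter, URL-encoded (e.g. '%3Fhttp://host/file.exe').
SSCS_RE = re.compile(r";~sscs=([^;\s]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Assumed: extensions we treat as direct executable downloads. Only .exe is
# seen on the page; the others are common Windows executable types.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")


def redirect_target(url: str) -> Optional[str]:
    """Return the decoded destination carried by a DoubleClick click link,
    or None when the link has no ~sscs redirect parameter."""
    m = SSCS_RE.search(url)
    if not m:
        return None
    target = unquote(m.group(1))
    # The encoded value starts with '?' ('%3F') before the real URL.
    return target.lstrip("?")


def is_suspicious_redirect(url: str) -> bool:
    """True when a doubleclick.net click link redirects to an executable."""
    host = (urlparse(url).hostname or "").lower()
    if not (host == "doubleclick.net" or host.endswith(".doubleclick.net")):
        return False
    target = redirect_target(url)
    if target is None:
        return False
    path = urlparse(target).path.lower()
    return path.endswith(EXECUTABLE_EXT)


def scan_message(body: str) -> List[str]:
    """Return every decoded executable destination found in a message body."""
    hits = []
    for url in URL_RE.findall(body):
        if is_suspicious_redirect(url):
            hits.append(redirect_target(url))
    return hits


# Constructed sample message; hostnames and tokens are placeholders.
SAMPLE = (
    "Watch the video now! "
    "http://ad.doubleclick.net/click;h=tQVMVhK;~sscs=%3Fhttp://compromised.example/msvideoc.exe "
    "More at http://ad.doubleclick.net/click;h=abc123;~sscs=%3Fhttp://www.example.com/news.html"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```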

Figure 1: Some spam samples:

Figure 2: The PornTube and Streaming video player templates:


Figure 3: The tweaked streaming video player template:

It seems that spammers use everything they have in their arsenal: they use different hostnames, change page names, change executable names and use different templates. Another characteristic that varies is that spammed messages sometimes link directly to a malicious executable and at other times to a Web page with a malicious template. The binaries are also changed as the campaign progresses, but sparingly, as we see the different spam waves overlapping and using the same binaries under different names. Last but not least, the obfuscation code in the exploit pages, mainly loaded by IFrames, changes as well.

It is not really shocking that spammers need to change their campaigns often in order to succeed with them; one can really say that they are very consistent in being inconsistent. It looks as if they get feedback immediately and react to it, so these spam waves keep changing rapidly. In this blog post we wanted to show how these changes in a continuous campaign look on the surface and to note how quickly spam waves emerge. In the next post, we’ll attempt to dig in more and take an in-depth look at subjects such as spam sources and how long it takes for spammers to actually change the malicious executables on their servers. Meanwhile, we keep our eyes peeled for any more innovations to keep our customers protected and you updated.

Security Researchers: Elad Sharf & Sumeet Prasad
