Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-15 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

German Spam...Maybe?; Academia Security Awareness

Published: 2005-05-15
Last Updated: 2005-05-16 04:09:57 UTC
by Scott Fendley (Version: 1)
0 comment(s)

German Spam...Maybe?

Since taking over as handler on duty, I have had a perplexing question that I am trying to understand. Somehow in the past 4-5 hours (as of 5am UTC), I have received a number of "German spams". Getting spam is not an overly out of the ordinary thing for me as I do sift through many mailing lists and work email address aliases that are published on websites here and there. However, I do not remember the last time I had a German Spam show up in my inbox. Chinese, or other Southeast Asian spams do happen some, but I would suspect that English is the primary type of spam we all see.

Well the thing that has struck me is that several of my accounts have now received maybe 15 or 20 different German spams. Each message involves a different set of URLs and has URL(s) to various German news are personal editorial sites (I think).

My real question is whether or not something odd on the web pages people may be clicking on or in the email? So far I do not see anything odd (like IFRAME junk or similar.) So is there a piece of malware that is being used to relay this junk. I suspect so. But what is it? No clue. Is there any other motives other then to spam it out? I don't see a money trail, but that does not mean it is not there.

So to our readers, has anyone else seen a sudden influx of what might outwardly look like German Spam, that may actually have some actual interesting security connections that we need to be aware of before Monday gets here?

Any of you know of a new piece of malware that might be causing some of this, or perhaps old botnet machines being used as spam proxies suddenly?
Updated 13:00 UTC --

It would appear that this may be related to the Sober.Q virus per

Thanks to everyone that responded this morning (overnight for me) with comments and reports of seeing the same thing that I was.

Updated 14:00 UTC --

Some of our readers, who understand German, have visited the sites being sent out and have reported the gist of the content on these sites. As this is 60th Anniversary of the end of World War II, there are many celebrations in some locations There is a lot of respects ceremonially given to those who fought in this war and gave up their lives on the battle field in many European countries. So, many of the sites appear to be related to "antiracism and nazis propaganda". Others have mentioned that this is the "extreme right wing", "Nazi views", and "NeoNazi propaganda." As I do not read German, I cannot verify this. But I am going to trust our German- speaking friends in that respect. But this does remind me of Sober.G from last year.
Another reader (or 3) appears to have had mini-DoS attacks on cell phones and blackberries involving the German Spam involving SMS. Thanks to Jim Mejia and Rich for your reports. For readers that pay to receive text messages on their phones, I highly recommend talking to your provider and make sure you will not have to pay for this junk email that was not filtered out. Thankfully, my provider only charges when I send text messages out so I will not have to deal with a unusually bloated bill.
Updated 15:00 UTC --

One of our readers, Eric provided a postfix regex file that can be used to filter these German spams. Thanks for this Eric.

*** As thes postfix regex file has had several more subject lines added to it in the following update. I have removed this section and place the current most info in the next update section. ***
Updated 20:30 UTC --

This will probably be the last update I will do on the subject of the German spam. As this is the 60th anniversary of the end of WWII, I had guessed that the propoganda was more in response of the events of many years ago. It may still be related, but several of of German Speakers have noted a couple of details that might point the motivation in another direction. Apparently there is an election coming up in the largest population state in Germany on May 22nd. The Diet election (Landtagswahl) in Nordrehein-Westfallen appears to be the most likely case as Sober.G last June also had an element of spamming associated with it prior to the European Parliament election in 2004. Thanks to Philipp Krenn for some of the information about the current election connection.

*I really hope that people are not so naive to be swayed in their votes for their elected officials on account of spam. And I will never trust the political views of a malware writer. So I hope and pray that if the virus and spam was meant to sway the votes of the people in the way that the Madrid terrorist activity last year did, then the people of Germany would have the courage and wisdom to vote as the truly believe. Not the way others would have them believe.*
During the 1500 update, Eric Conrad sent in a set of subject line filters for postfix. Later he sent an updated list, and both the original list and the updated list showed up on,13410941 . Thanks Eric for supplying this.

The postfix regex file is typically enabled via the of postfix like this.

header_checks = regexp:/usr/local/etc/postfix/headfilt.regex

And the contents of this file, I believe involves tab delimiting (which the diary doesn't maintain easily). So please be aware you may have to put a tab or something between the subject and the HOLD command.

----- headfilt.regex file contents -------

/^Subject:.*Armenian Genocide Plagues Ankara/ HOLD

/^Subject:.*Augen auf/ HOLD

/^Subject:.*Auslaender bevorzugt/ HOLD

/^Subject:.*Auslaenderpolitik/ HOLD

/^Subject:.*Blutige Selbstjustiz/ HOLD

/^Subject:.*Can you believe this still happens today/ HOLD

/^Subject:.*Deutsche Buerger/ HOLD

/^Subject:.*Deutsche werden kuenftig beim/ HOLD

/^Subject:.*Dresden 1945 / HOLD

/^Subject:.*Dresden Bombing Is To Be Regretted Enormously/ HOLD

/^Subject:.*Du wirst ausspioniert/ HOLD

/^Subject:.*Du wirst zum Sklaven gemacht/ HOLD

/^Subject:.*Gegen das Vergessen/ HOLD

/^Subject:.*Graeberschaendung auf bundesdeutsche/ HOLD

/^Subject:.*Hier sind wir Lehrer die einzigen Auslaender/ HOLD

/^Subject:.*Jahre Befreiung/ HOLD

/^Subject:.*Massenhafter Steuerbetrug durch auslaendische/ HOLD

/^Subject:.*Multi\-Kulturell/ HOLD

/^Subject:.*Osteuropaeer durch Fischer-Volmer Erlass/ HOLD

/^Subject:.*Paranoider Deutschenmoerder kommt/ HOLD

/^Subject:.*Polizei schlaegt Alarm/ HOLD

/^Subject:.*Schily ueber Deutschland/ HOLD

/^Subject:.*Transparenz ist das Mindeste/ HOLD

/^Subject:.*Trotz Stellenabbau/ HOLD

/^Subject:.*Tuerkei in die/ HOLD

/^Subject:.*Turkish Tabloid Enrages Germany with Nazi Comparisons/ HOLD

/^Subject:.*Verbrechen der deutschen Frau/ HOLD

/^Subject:.*Volk wird nur zum zahlen/ HOLD

/^Subject:.*Vorbildliche Aktion/ HOLD

/^Subject:.*Whore Lived Like a German/ HOLD

/^Subject:.*wirst ausspioniert/ HOLD

---- end of file contents ------
Eric also has a ready made Spam Assassin set of subject rules to reset the scoring for this virus. As this file is a little long, I would be happy to send it to you on request. But generally, each line takes a subject line from above and transforms it like the following

header SOBER_Q_SUBJ7 Subject =~ /Deutsche Buerger/
describe SOBER_Q_SUBJ7 Subject is from Sober.Q worm
score SOBER_Q_SUBJ7 3.0

-- Updated May 16

Okay. I lied. One more update and I am done.

One of our readers pointed out that the below website has a way to filter Sober-P without relying on the Subject line filters. So here is another option if this things is still spamming into Monday morning work days. Thanks Dirk Mueller for this.

Academia Security Awareness

Alas some piece and quiet has arrived on my university Campus. The ResNet is effectively empty for a few weeks until our first summer session. So despite the virus/spam junk from this morning/last night, I am looking forward to what we can do better on my campus.

For those of us that work in a sometimes more challenging environment, now is the time to start developing a strategy of how to deal better with the return of infected student computers this fall.

On my campus, I know that we have a small list of things we need to do better.
1) Push students to install patches and current AntiVirus software.

2) Spyware prevention measures (for us this is going to be a part of our new AV version used on campus).

3) Local password complexity problems. (I think this is the root of my botnet activity recently)

4) Better way of notifying students about security events on campus. ***
So to those in academia, "What appears to be your biggest problems you believe need to be addressed before the fall semester?", "What ideas do you have on communicating to your students effectively about security?", and "What can you do to push the students into a better security posture the day they arrive on campus?". If you have ideas, please send them to sfendley _at_ .

I will be compiling the answers over the next week for a report to all next week.
*** It is amazing to me that students refuse to read information coming to them via email from campus administration, or through the student newspaper. But sidewalk chalking still appears to be the preferred method by the students. I am still unsure about how well students really pay attention to closed circuit announcement TV system.
0 comment(s)
Diary Archives