If site not apeared - Click Here

Published: 2008-02-25
Last Updated: 2008-02-25 23:42:09 UTC
by Lenny Zeltser (Version: 1)

We received messages from two ISC readers, who reported an increase in spam messages that include a link to sub-sites of blogspot.com. (Thanks, Matthew O. and J. T.) The fake blogs, set up on blogspot.com for this purpose, briefly display the phrase "If site not apeared - Click Here." before redirecting the visitor to another site via a meta refresh tag, such as:

<meta content='0;URL=http://gentsoftnowu.com' http-equiv='refresh'/>

(Watch out, that gentsofnowu.com URL is not friendly!)
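
For mail or proxy filtering, a page like this can be recognized by its immediate meta refresh to a different host, optionally paired with the lure phrase. The following is an added example, not part of the original diary; the function names, the one-second threshold and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

LURE = "if site not apeared"  # phrase quoted in the diary, misspelling included
# content is "<delay>[;|,] [URL=]<target>"; quotes around the target are tolerated
REFRESH_RE = re.compile(
    r"^\s*(\d+(?:\.\d*)?)\s*(?:[;,]\s*(?:url\s*=\s*)?['\"]?(.*?)['\"]?\s*)?$",
    re.I | re.S)

class RefreshFinder(HTMLParser):
    """Collects meta refresh targets and the visible text of a page."""
    def __init__(self):
        super().__init__()
        self.refreshes, self.text = [], []   # [(delay, raw_target)], [str]

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m and m.group(2):
                self.refreshes.append((float(m.group(1)), m.group(2)))

    def handle_data(self, data):
        self.text.append(data)

def assess(page_url, html, max_delay=1.0):
    """Report refreshes that fire within max_delay seconds and leave the page's host."""
    finder = RefreshFinder()
    finder.feed(html)
    finder.close()
    page_host = (urlparse(page_url).hostname or "").lower()
    lure = LURE in " ".join(finder.text).lower()
    findings = []
    for delay, raw in finder.refreshes:
        host = (urlparse(urljoin(page_url, raw)).hostname or "").lower()
        if host and host != page_host and delay <= max_delay:
            findings.append({"target_host": host, "delay": delay, "lure_phrase": lure})
    return findings

# Constructed samples; hosts are placeholders, not indicators from the diary.
FAKE_BLOG = ("<html><head><meta content='0;URL=http://landing.example' "
             "http-equiv='refresh'/></head><body>If site not apeared - "
             "<a href='http://landing.example'>Click Here</a></body></html>")
SAME_SITE = "<meta http-equiv='Refresh' content='5; url=/moved.html'>"

if __name__ == "__main__":
    print(assess("http://someblog.blogspot.example/", FAKE_BLOG))
    print(assess("http://someblog.blogspot.example/", SAME_SITE))
```

A delayed refresh to a relative path on the same host, as in the second sample, is ordinary site housekeeping and is not reported.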

The spam messages we've seen advertise Microsoft Office Enterprise 2007 software, and use subject lines such as "Microsoft Office ready to download" and "Microsoft Office 2007 OEM version". The body of the email currently looks like this:

Microsoft Office Enterprise 2007 includes:
• Access 2007
• Communicator 2007
• Excel 2007
• Groove 2007
• InfoPath 2007
• OneNote 2007
• Outlook 2007
• PowerPoint 2007
• Publisher 2007
• Word 2007

http://teriwatlerop.blogspot.com

(Watch out, another maliciously-predisposed URL there!)

A Google search for "If site not apeared - Click Here" produced one unfriendly-looking website that resembles the ones hosted on blogspot.com, and a blog posting that describes an incident that might be related to this campaign and vents about Google. A Yahoo search for this phrase leads to two reports on malicious sites hosted on blogspot.com (1, 2). An MSN search produces another report. (Are you surprised I used more than one search engine? Me too.)

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.
