Spam of the day: With heat showers!

Most of the spam I get these days is in Spanish. Sometimes, it’s in English. Occasionally, it’s in Russian. Very occasionally, it’s in Arabic. And every so often, it looks like it’s in Russian that was translated into English via Google Translate.

Take, for example, this spam, which I reproduce below for your viewing pleasure unedited save for the reply email:

Subject: You I really liked

Hello Solitary heart!!!

I am a girl with beautiful name Julia, me 27 years. Dream to find the person for serious and long relations! I have interested your profile, since I seem that you search for such relations! Now I shall tell little about itself. I very cheerful and communicative, attractive girl. My growing forms 170 cm, my weight forms 57 kilograms. Much love to read the books, listen the classical music, walk on autumn wood and communicate with interesting people. If I have interested you, that anxiously waits your letter and photographies on my e-mail : m———c@yandex.ru With heat showers! Julia.

Best wishes,
Juliya

I am grateful for Juliya’s concern for the well-being of my romantic life, since truly do I search for such relations, it must be said.

I’m not quite sure, though, what “with heat showers” means. Google Translate renders this back into Russian as “С тепло души,” though of course I haven’t the foggiest notion what that might mean either.

I imagine it to be part of a lengthy blessing of travel in ancient Russian folklore, a ritual to prepare the hero for a journey of particularly perilous peril: “With this ox blood and this stone ax I bless thee, my son. Now go, and bring honor upon our clan, with heat showers.”

You have a package! Surprise, it’s the W32/Kuluoz malware!

About three months ago, I got an email telling me that my FedEx package couldn’t be delivered. The body of the email told me that the UPS courier tried to deliver it, and that it would be sent back if I didn’t click on the attached link.

Naturally, as I wasn’t expecting a FedEx package, and given that FedEx presumably knows it isn’t UPS, I knew immediately that clicking the link was a Very Bad Idea…at least on an unsecured Windows box. Sure enough, clicking it downloaded a Windows executable, which VirusTotal identified as W32/Kuluoz, a backdoor that checks in with a command-and-control server and also attempts to download other malware onto the infected machine.

I reported the site hosting the malware and forgot about it.

Then, things started to change.


I’ve been getting more and more copies of this email lately; I’m now averaging several a week. The silly errors and grammar mistakes have been fixed, and the emails now look quite polished. Here’s an example I received a couple of days ago:

The “Print Receipt” link leads to http://www.123goplus.com/components/.wye6fb.php?receipt=831_1493393532

CAUTION *** CAUTION *** CAUTION

The links in this blog post ARE LIVE as of the time of writing this. If you attempt to visit them with a vulnerable Windows computer, they WILL try to download malware to your computer. DO NOT visit these links if you don’t know what you’re doing!

The site 123goplus.com belongs to a company that produces business cards and similar printed pieces in Montreal, Canada.

$ whois 123goplus.com

Whois Server Version 2.0

Domain Name: 123GOPLUS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.MTLEXPRESS.CA
Name Server: NS2.MTLEXPRESS.CA
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 06-jan-2013
Creation Date: 06-may-2006
Expiration Date: 06-may-2014

>>> Last update of whois database: Thu, 14 Mar 2013 22:32:30 UTC <<<

Registrant:
Pierino Pezzi
8630 Perra #3
Montreal, Quebec H1E5M8
Canada

Administrative Contact:
Pezzi, Pierino creationexpress@yahoo.com
8630 Perra #3
Montreal, Quebec H1E5M8
Canada
+1.5142741616

Technical Contact:
Pezzi, Pierino creationexpress@yahoo.com
8630 Perra #3
Montreal, Quebec H1E5M8
Canada
+1.5142741616

Domain servers in listed order:
NS1.MTLEXPRESS.CA
NS2.MTLEXPRESS.CA

The site 123goplus.com is running an outdated, insecure copy of the popular Joomla content management software, which has been hacked to have the malware downloader on it. (Joomla is a common target for this kind of attack. If you run Joomla on your Web site, and you don’t keep on top of security patches religiously, it’s a certainty that you will be hacked–it’s not “if,” it’s “when.”)

Here’s where things get cool.

Visiting this URL from a Mac browser or a Linux browser returns a 404 Not Found page, presumably to fool folks like me into thinking that the problem has been fixed.

Visiting the URL http://www.123goplus.com/components/.wye6fb.php without the “?receipt=831_1493393532” at the end also returns a 404 error; presumably, that code identifies a target that the email has been sent to. The 404 error looks like this:

But hang on! Let’s go to http://www.123goplus.com/fghfghghf and see what a REAL 404 error looks like on this server:

See the difference? The 404 error that you get when you go to the malware dropper is phony. The malware dropper is there, and it does live at that address.

If you visit the malware dropper with your browser user-agent set to, say, Internet Explorer 6 (God help you), you won’t see an error message. Instead, it will download a .zip file called “PostalReceipt.zip”.

I have downloaded several copies of this file from several different compromised hosts over the past couple of months, all of them from nearly identical FedEx emails.

The payload sites vary. Many different sites have been hacked and used to download this malware: 123goplus.com, yourinternationalteam.com, youknowlee.com, theqcontinuum.com, canyonlakeboatstorage.com.

In every case, the site is running an outdated, insecure copy of WordPress or Joomla. The hackers hack the site (which is trivial to do), place a PHP script that downloads the malware, then send out a bunch of these phony emails about a non-existent FedEx package, hoping to trick people into clicking the link.

Most of these sites remain infected, weeks or months after being reported to the ISPs, because either the ISPs don’t care or the ISPs aren’t paying attention to the fact that the malware scripts return phony 404 pages. (GoDaddy and OVH, I’m especially looking at you here.)

The people behind this attack are adapting the malware rapidly. I downloaded three samples of the PostalReceipt.zip file, one on January 25 and two on January 30, and they differ from one another. VirusTotal identifies the earliest one as W32/Kuluoz, the second as W32/Kuluoz.B, and the third as W32/Kuluoz.3.


There are some interesting things about this attack.

The group–and I bet it is a group–of criminals responsible for this attack are taking care to cover their tracks and to keep abuse teams from removing the malware from infected sites. Each spam email contains a code at the end of the malicious URL, and the URL returns a phony error message if it doesn’t see a valid code.

The virus downloader script is smart enough to examine the browser user-agent to see what kind of computer and what Web browser the victim is using. If it sees a browser or a computer that it can’t exploit, it returns a fake error message. (The user-agent is just a header the browser sends along with the request, which is why setting it to an old Internet Explorer string, as above, is enough to make the script hand over the payload.)

Only if it sees a vulnerable browser does it attempt to download the malware, which then surrenders the computer to the control of the hackers.

The malware droppers are installed, probably automatically, on sites running insecure WordPress or Joomla software. The phony 404 error messages slow down the Web hosting companies’ response, so the malware droppers stay active for long periods of time.

I’ve said it before, and I’ll say it again: If you run a Web site that uses a content management or blogging or ecommerce package, you *** ABSOLUTELY *** MUST *** check periodically for software updates and install them immediately. (When a software update comes out, the organized crime gangs that do this kind of attack will analyze it and figure out what security holes it patches. Within days, they will start taking over any Web site that hasn’t installed the update.)

The fact that malicious scripts will cloak themselves behind fake error messages means that you can never trust that a problem has been fixed just because you see a 404 error if you try to look at a suspicious URL.
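The cloaking described above (a per-victim token in the URL, a user-agent check, and a phony 404 page for anyone who fails either test) can be checked for mechanically rather than by eyeballing error pages. The following is an added example, not code from the original post: a small Python probe that fetches the suspect URL with and without its token, under an old Windows IE user-agent and under a Mac user-agent, and also fetches a deliberately bogus path on the same server to capture that server’s genuine 404 page. It then compares the responses: a “404” whose body does not match the real 404, or a response that changes with the user-agent or the token, means the dropper is still there. The user-agent strings, the `example.test` hostnames and the `http_fetch` helper are assumptions for illustration; the pluggable `fetch` argument exists so the logic can be exercised offline against constructed responses.

```python
"""Probe a suspected cloaked malware dropper URL.

Added example (not the original post's code). Compares four responses:
the dropper URL with its token under an IE6 and a Mac User-Agent, the
dropper URL with the token stripped, and a bogus path that yields the
server's real 404 page. Any mismatch between the "404" the dropper
serves and the real one, or any variation by User-Agent or token, is
reported as cloaking.
"""
import hashlib
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Assumed User-Agent strings: one the dropper is expected to serve
# (Windows IE 6) and one it is expected to hide from (Mac Safari).
UA_WINDOWS_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_MAC_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8) "
                 "AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Safari/536.26")

ZIP_MAGIC = b"PK\x03\x04"  # local-file header that starts every .zip

# A fetcher takes (url, user_agent) and returns (status_code, body).
Fetcher = Callable[[str, str], Tuple[int, bytes]]


def http_fetch(url: str, user_agent: str) -> Tuple[int, bytes]:
    """Live fetcher. Only run this from an isolated analysis box: the
    payload it retrieves is real malware."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses still carry a body; the phony 404 page is
        # exactly what we want to capture.
        return err.code, err.read()


def strip_query(url: str) -> str:
    """Drop the ?receipt=... token to see how the script behaves without it."""
    parts = urllib.parse.urlsplit(url)
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def fingerprint(body: bytes) -> str:
    """Short, stable hash of a response body for comparing error pages."""
    return hashlib.sha256(body).hexdigest()[:16]


def probe(dropper_url: str, bogus_url: str,
          fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Collect the four observations and decide whether the 404 is phony."""
    requests = {
        "token_ie": (dropper_url, UA_WINDOWS_IE6),
        "token_mac": (dropper_url, UA_MAC_SAFARI),
        "notoken_ie": (strip_query(dropper_url), UA_WINDOWS_IE6),
        "real_404": (bogus_url, UA_MAC_SAFARI),
    }
    responses = {name: fetch(url, ua) for name, (url, ua) in requests.items()}

    findings: List[str] = []
    ie_status, ie_body = responses["token_ie"]
    mac_status, mac_body = responses["token_mac"]
    notoken_status, notoken_body = responses["notoken_ie"]
    real_status, real_body = responses["real_404"]

    if ie_body.startswith(ZIP_MAGIC):
        findings.append("token+IE6 User-Agent returns a ZIP payload")
    if (ie_status, fingerprint(ie_body)) != (mac_status, fingerprint(mac_body)):
        findings.append("response changes with User-Agent (UA cloaking)")
    if (ie_status, fingerprint(ie_body)) != (notoken_status, fingerprint(notoken_body)):
        findings.append("response changes when the per-victim token is removed (token gating)")
    # Any 404 served by the dropper path must look exactly like the server's
    # real 404 page; otherwise the script is generating the error itself.
    for name, (status, body) in responses.items():
        if (name != "real_404" and status == 404 and real_status == 404
                and fingerprint(body) != fingerprint(real_body)):
            findings.append(f"{name}: 404 body does not match the server's real 404 page")

    return {"cloaked": bool(findings), "findings": findings,
            "status_codes": {n: s for n, (s, _) in responses.items()}}


if __name__ == "__main__":
    # Assumed hostnames; substitute the dropper URL and a bogus path on the
    # same host. This makes live requests to the URLs you give it.
    result = probe("http://www.example.test/components/.wye6fb.php?receipt=831_1493393532",
                   "http://www.example.test/fghfghghf")
    for line in result["findings"]:
        print("CLOAKED:", line)
    if not result["cloaked"]:
        print("no cloaking indicators; status codes:", result["status_codes"])
```

The important design point is the baseline request to a path that cannot exist: comparing the dropper’s “404” against the server’s own error page is what separates a real cleanup from a script that is merely refusing to talk to you. Run the live fetcher only from a throwaway analysis machine, and treat anything that comes back with a `PK` header as hostile.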

Onyx, the Game of Sexual Exploration, version 3.5 now available!

  • New Optional Rules
  • New Resizeable Gameboard
  • New Special Squares
  • New Actions
  • Newly Redesigned Graphics
  • New Roles
  • Improved Card Editor
  • Free Update for Registered Users!

Finally, after many months of coding, the new version of my sex game Onyx is ready! This new version is a significant overhaul, and contains tons and tons of new features and new game-play mechanics. It also contains lots of new actions (coming up with lists of hundreds of sexy things that people can do to each other is harder than it sounds!).

To celebrate, I’m offering a special discount on registration if you want to play the full version. Of course, the free version is still free, and Onyx 3.5 is a free upgrade for registered users.

Check it out!

Fuck Comcast right in their stupid EAR. And also, polyamory!

I am on TV right now. Or, at least, I think I am. I don’t know, because Comcast is the most miserable tech company I’ve ever had to deal with.

Err, actually the second most miserable, but only by a nose.

Some time ago, I got contacted by producers from the Oprah Winfrey network. They were shooting a segment of “Our America” about polyamory. I pointed them to some friends of mine, who they liked so much they set up a camera crew in their house for weeks. They also filmed a smidgen of zaiah and me, and… Anyway, I was curious to see how it all turned out.

The show was set to air today, something I didn’t realize ’til this afternoon. So zaiah went down to the Comcast Worker’s Dormitory, Public Relations Orifice, and Meat Processing Plant to pick up a cable box. We plugged it in. Went through a lengthy process on Comcast’s miserable Net-site to “activate” the box, whatever that means. Web site said “OK, now activating your cable box, please wait 45 minutes.”

Which is a little weird; in 45 minutes, Russian organized crime can infect 250,000 American PCs with malware, so taking 45 minutes to program a cable box seems inefficient. But whatever.

Then the Web site said “Success! Your cable box has been activated.”

It lied.

Connect the box to the TV, nothing. Okay, bad cable maybe? Go outside the house, in the rain, diddle with the cable connection. Nothing. Replace the cable. Nothing. Run a known-good cable through the window into the house. Still nada.

Take the cable connector out of the wall. Looks good. Replace the cable that came with the cable box, the one that goes from the wall to the box. Still nada.

Call tech support. “No problem, we’ll reset your cable box. Should take ten minutes.”

10 minutes later, I’m 10 minutes older but no closer to working cable.

Move the cable box around the house in a bizarre game of whack-a-cable-outlet. Nothing works anywhere. (Seriously, who uses cable any more, anyway?)

OWN is not available streaming over the Internet; presumably, Oprah, who is, like, the richest woman in the world or something, isn’t getting enough fees to allow Net streaming.

Okay, back on the phone with tech support. “We can’t see your cable box.”

Uh…

Okay, fine. Move it to a different cable outlet. “We still can’t see it. You’re on a TV show, you say? About polyamory? What’s that?”

The inevitable “what is polyamory?” conversation over, we start playing this whack-a-cable-outlet game again. No matter where we go, the tech says “I still can’t ping your cable box.”

Go back online to Comcast’s miserable activation page on Comcast’s miserable Web site. “You have 1 cable device (1 not activated).”

Apparently, it will tell you “activation successful” even if the device in question is disconnected, turned off, shot repeatedly with a 12-gauge, and buried in a lead-lined box outside of Roswell, New Mexico beneath a crumpled up ball of aluminum foil and two empty cans of baked beans. When the Web site says “activation successful,” that doesn’t mean that the activation was successful, you see…it simply means that enough time has passed that the Comcast Central Babbage Engine should have been able to align the gears and pulleys to the right configuration to activate the box.

zaiah is still on the phone with the tech this whole time, while our dinner slowly turns to charcoal and then catches fire on the stove. The tech is being really patient (and curious), but nothing works.

Finally, I yank the cable out of the cable modem, which we know works on account of I was able to communicate through the web-net on the Internet-tubes to the Babbage engine that runs Comcast’s Net-site, and plug it straight into the cable box.

“Oh,” chirps the tech, “your cable box is defective. Please bring it to your nearest Comcast cable Box Redemption Center and place it on the redemption line.”

Which might have explained why when zaiah picked it up from the Comcast Worker’s Dormitory, Public Relations Orifice, and Meat Processing Plant the person-unit behind the counter mentioned casually as if in passing that she’d plug the box in and make sure the blinkenlights came on because “we’ve had a bunch of bad boxes lately.”

So after four plus hours of work, we were unable to see the show. We had several friends over who were also on the program, because, like, who the fuck has cable nowadays anyway?

If you could even begin to feel one one-hundredth of the depth of my frustration and rage at Comcast right now, your monitor would catch fire.