Return of the animated spam
May 2007
In the last months of 2006 we saw spam messages which consisted of advertisements in animated GIF format. They were seen in huge quantities, but by the end of the year they had almost completely disappeared.
Recently, however, an increasing number of similar animated spam messages have been seen in the wild. The emails advertise all the usual 'meds' at very low prices and instruct the recipient to type the URL of the website being advertised into their browser (the message body is an image, so there is no link to click). The domain names of the websites being advertised generally end in '.org' - which may be an attempt to make them sound more reputable.
An example of such a spam message is shown below, frame by frame.
[Image: frame 1 of the animated GIF]
[Image: frame 2]
[Image: frame 3]
[Image: frame 4]
[Image: the complete animated GIF]
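The frame-by-frame view above is what a mail filter has to reconstruct to notice this trick: the advertisement is not in the message text at all but spread over the frames of an animated GIF. The following is an added example, not code from the original post or from Avira. It is a pure-Python walker over the GIF block structure (no pixel decoding) that counts the image frames, sums their display delays and reports whether any frame paints only part of the canvas, and it runs on a constructed four-frame sample GIF whose bytes, frame layout and delays are invented for the example.

```python
import struct


def _skip_sub_blocks(data, pos):
    """Advance past a chain of GIF data sub-blocks (length byte + payload,
    repeated until a 0x00 length byte); return the offset after the terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def parse_gif(data):
    """Walk the GIF block structure and return the canvas size, the NETSCAPE
    loop count (None if absent) and one dict per image frame with its
    position, size and delay in hundredths of a second."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13                                     # header + logical screen descriptor
    if packed & 0x80:                            # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    frames, loops, pending_delay = [], None, 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                        # trailer
            break
        if block == 0x21:                        # extension block
            label = data[pos]
            pos += 1
            if label == 0xF9 and data[pos] == 4:     # graphic control extension
                pending_delay = struct.unpack_from("<H", data, pos + 2)[0]
            elif label == 0xFF and data[pos + 1:pos + 12] == b"NETSCAPE2.0":
                loops = struct.unpack_from("<H", data, pos + 14)[0]  # 0 = loop forever
            pos = _skip_sub_blocks(data, pos)    # comment/plain-text extensions skipped too
        elif block == 0x2C:                      # image descriptor: one frame
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:                   # local colour table present
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1                             # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)    # compressed pixel data, not decoded
            frames.append({"left": left, "top": top, "width": w, "height": h,
                           "delay_cs": pending_delay})
            pending_delay = 0
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos - 1))
    return {"width": width, "height": height, "loops": loops, "frames": frames}


def animation_summary(data):
    """Facts a mail filter might score on: frame count, total cycle time in
    seconds, whether the image loops forever and whether any frame covers
    less than the whole canvas."""
    info = parse_gif(data)
    frames = info["frames"]
    partial = any(f["width"] < info["width"] or f["height"] < info["height"]
                  for f in frames)
    return {"frames": len(frames),
            "cycle_seconds": sum(f["delay_cs"] for f in frames) / 100.0,
            "loops_forever": info["loops"] == 0,
            "partial_frames": partial}


def build_sample_gif(frames, width=200, height=100):
    """Constructed sample for testing, not a real spam image: a syntactically
    valid animated GIF whose pixel data is a placeholder sub-block (the parser
    above never decodes it). frames = [(delay_cs, left, top, width, height)]."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", width, height, 0x80, 0, 0)      # 2-entry global colour table
    out += bytes([0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00])
    out += bytes([0x21, 0xFF, 0x0B]) + b"NETSCAPE2.0"            # loop-forever extension
    out += bytes([0x03, 0x01]) + struct.pack("<H", 0) + b"\x00"
    for delay_cs, left, top, w, h in frames:
        out += bytes([0x21, 0xF9, 0x04, 0x00]) + struct.pack("<H", delay_cs) + b"\x00\x00"
        out += b"\x2C" + struct.pack("<HHHHB", left, top, w, h, 0)
        out += b"\x02" + bytes([0x02, 0x44, 0x01, 0x00])        # min code size + stub data
    out += b"\x3B"
    return bytes(out)


# Constructed input: four frames shown for 1.5 s each, each painting one strip of the canvas.
SAMPLE_GIF = build_sample_gif([(150, 0, 0, 200, 25), (150, 0, 25, 200, 25),
                               (150, 0, 50, 200, 25), (150, 0, 75, 200, 25)])

if __name__ == "__main__":
    print(animation_summary(SAMPLE_GIF))
```

Counting image descriptors is cheap enough to run on every image attachment, and it needs no LZW decoding or OCR; a single-frame GIF that fills the canvas is an ordinary picture, while several frames that each paint only a strip and loop forever are worth a closer look.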
I've always maintained that the only reason spam still exists today is that some people do actually buy from spam messages. I was curious, therefore, to visit the website advertised in the emails shown above.
Of course, the website offers a lot more for sale than the pharmaceuticals listed in frame two, which is not surprising. One thing I found amusing about the site, but not entirely surprising, was its 'unsubscribe' feature. On clicking the 'unsubscribe' link you are redirected to a random domain that is available for resale: http://www.esagtdepcz.org. So much for the unsubscribe function.
Another interesting thing I noticed was the way in which the website was constructed. The links are in the following format: 'http://cgq5qa.eforclass.org:8088/cg/privacy.php?PHPSESSID=<id>' (a random-looking subdomain, a non-standard port, and PHP's session identifier carried in the URL rather than in a cookie), which indicates that it was probably a ready-made application dropped onto the server. I visited the eforclass.org website and also searched its whois information. It was registered to the same person who had registered rx4ever.org. However, if you type only 'eforclass.org' into a browser, you are redirected to a legitimate website, which appears to have nothing to do with the business.
Like any online store, rx4ever.org has a 'strict' privacy policy:
'We have the following privacy statement in order to demonstrate our firm commitment to privacy. We are here disclosing our practices regarding information gathering and practices for this website. With the "Order" form we collect contact information (like your email address) and financial information (credit card numbers). This information is only used to fulfill our customer orders. Financial information that is collected is used to bill the user for products and services. Medical information is used by our medical staff to approve or decline orders for specific medications.'
There is no assurance that the company won't sell or otherwise pass on your confidential information to third parties. Which, again, is not surprising.
What about the products on sale? Here's what the site says about them:
'The images of pills on the site are for display only. The product you receive may be different in shape and color.'
Indeed! However, perhaps the reason the product you receive from this site may be different in shape and colour is that the images are of genuine pharmaceutical products, while the ones the site delivers are fakes!
Sorin Mustaca, Avira