UPDATEDx1: Boston-Related Malware Campaigns Have Begun - Now with Waco Plant Explosion Fun

Published: 2013-04-17
Last Updated: 2013-04-18 15:12:32 UTC
by John Bambenek (Version: 1)
2 comment(s)

UPDATE: 04-18-2013 @ 10:10 AM CDT -

Some of the spam campaigns are now changing over to the Waco plant explosion. Basically the lure is the same, a subject that talks mentions the video and then an IP only url with /texas.html or /news.html.  The landing page has a few embedded YouTube videos and an iframe with malicious content at the end.

** End Update 1 **

About mid-afternoon yesterday (Central time - US), Boston related spam campaigns have begun. The general "hook" is that it sends a URL with a subject about the video from the explosions. Similar to when Osama Bin Laden was killed and fake images were used as a hook, in this case, the video is relevant to the story and being used as a hook.  Right now, very roughly 10-20% of all spam is related to this (some spamtraps reporting more, some less).  Similar IPs have also been sending pump & dump scams so likely the same group has re-tasted itself.

Here is a list of subjects I've seen hit spam traps:

Subject: 2 Explosions at Boston Marathon
Subject: Aftermath to explosion at Boston Marathon
Subject: Arbitron. Dial Global. Boston Bombings
Subject: Boston Explosion Caught on Video
Subject: BREAKING - Boston Marathon Explosion
Subject: Explosion at Boston Marathon
Subject: Explosion at the Boston Marathon
Subject: Explosions at Boston Marathon
Subject: Explosions at the Boston Marathon
Subject: Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
Subject: Opinion: Boston Marathon Explosions - Romney Benefits? - CNN.com
Subject: Opinion: Boston Marathon Worse Sensation - Osama bin Laden still alive!? - CNN.com
Subject: Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
Subject: Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com
Subject:[SPAM] 2 Explosions at Boston Marathon
Subject:[SPAM] Boston Explosion Caught on Video
Subject:[SPAM] Explosions at the Boston Marathon
Subject:[SPAM] Video of Explosion at the Boston Marathon 2013
Subject: Stiri:EXPLOZIILE de la maratonul din Boston/Spaga este negociata la granita Romaniei/A inventat bautura care INLOCUIESTE MANCAREA/TUNELUL cu mecanisme de NEINTELES al lui STALIN/70 % din infrastructura RCS-RDS este amplasata ILEGAL/BOMBA ANULUI IN SHOWBIZ
Subject: Video of Explosion at the Boston Marathon 2013

Here is a list of malicious URLs in those messages (use at your own risk):

hxxp://109.87.205.222/boston.html
hxxp://109.87.205.222/news.html
hxxp://110.92.80.47/boston.html
hxxp://110.92.80.47/news.html
hxxp://118.141.37.122/boston.html
hxxp://118.141.37.122/news.html
hxxp://176.241.148.169/boston.html
hxxp://176.241.148.169/news.html
hxxp://178.137.100.12/boston.html
hxxp://178.137.100.12/news.html
hxxp://178.137.120.224/boston.html
hxxp://178.137.120.224/news.html
hxxp://188.2.164.112/boston.html
hxxp://188.2.164.112/news.html
hxxp://190.245.177.248/boston.html
hxxp://190.245.177.248/news.html
hxxp://212.75.18.190/boston.html
hxxp://212.75.18.190/news.html
hxxp://213.34.205.27/boston.html
hxxp://213.34.205.27/news.html
hxxp://217.145.222.14/boston.html
hxxp://217.145.222.14/news.html
hxxp://219.198.196.116/boston.html
hxxp://219.198.196.116/news.html
hxxp://24.180.60.184/boston.html
hxxp://24.180.60.184/news.html
hxxp://24.214.242.227/boston.html
hxxp://24.214.242.227/news.html
hxxp://31.133.84.65/boston.html
hxxp://31.133.84.65/news.html
hxxp://37.229.215.183/boston.html
hxxp://37.229.215.183/news.html
hxxp://37.229.92.116/boston.html
hxxp://37.229.92.116/news.html
hxxp://46.233.4.113/boston.html
hxxp://46.233.4.113/news.html
hxxp://46.233.4.113/xxxxx.html
hxxp://50.136.163.28/boston.html
hxxp://50.136.163.28/news.html
hxxp://61.63.123.44/boston.html
hxxp://61.63.123.44/news.html
hxxp://62.45.148.76/boston.html
hxxp://62.45.148.76/news.html
hxxp://62.45.148.76/xxxxx.html
hxxp://78.90.133.133/boston.html
hxxp://78.90.133.133/news.html
hxxp://83.170.192.154/boston.html
hxxp://83.170.192.154/news.html
hxxp://85.198.81.26/boston.html
hxxp://85.198.81.26/news.html
hxxp://85.204.15.40/boston.html
hxxp://85.204.15.40/news.html
hxxp://85.217.234.98/boston.html
hxxp://85.217.234.98/news.html
hxxp://91.241.177.162/boston.html
hxxp://91.241.177.162/news.html
hxxp://91.241.177.162/xxxxx.html
hxxp://94.153.15.249/boston.html
hxxp://94.153.15.249/news.html
hxxp://94.28.49.130/boston.html
hxxp://94.28.49.130/news.html
hxxp://95.69.141.121/boston.html
hxxp://95.69.141.121/news.html
hxxp://95.87.6.156/boston.html
hxxp://95.87.6.156/news.html
 
Some of these are already down, but basically plain pages with a handful of embedded YouTube videos that are relevant.  Early versions would redirect to fetch a file: boston___________AVI.exe and on down the rabbit hole it goes.  It was pretty loud so most AV should have sigs already.
 
H/T to Nick Tabick and Corbin Souffrant, two of my students at the University of Illinois who helped dig into this last night.
 

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

Keywords: boston marathon boston marathon explosions boston marathon scams waco fertilizer plant explosion
2 comment(s)

Apple iTunes Services Outage

Published: 2013-04-17
Last Updated: 2013-04-17 14:26:46 UTC
by Richard Porter (Version: 1)
3 comment(s)

UPDATE: All seems to be well and the interuption was brief. You can check status @ http://www.apple.com/support/systemstatus/

We are getting reports of an Apple services outage and or diffuculty connecting to iTunes services. If you are seeing this please report it?

 

Richard Porter

--- ISC Handler on Duty

Keywords: apple outage
3 comment(s)
ISC StormCast for Wednesday, April 17th 2013 http://isc.sans.edu/podcastdetail.html?id=3248

Comments

cwqwqwq

www

Nov 17th 2022
4 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
4 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
4 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
4 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
4 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
4 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
3 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
3 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
3 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
3 months ago

Login here to join the discussion.


Diary Archives