UPDATEDx1: Boston-Related Malware Campaigns Have Begun - Now with Waco Plant Explosion Fun

Published: 2013-04-17
Last Updated: 2013-04-18 15:12:32 UTC
by John Bambenek (Version: 1)

UPDATE: 04-18-2013 @ 10:10 AM CDT -

Some of the spam campaigns are now changing over to the Waco plant explosion. Basically the lure is the same, a subject that talks mentions the video and then an IP only url with /texas.html or /news.html. The landing page has a few embedded YouTube videos and an iframe with malicious content at the end.

** End Update 1 **

About mid-afternoon yesterday (Central time - US), Boston related spam campaigns have begun. The general "hook" is that it sends a URL with a subject about the video from the explosions. Similar to when Osama Bin Laden was killed and fake images were used as a hook, in this case, the video is relevant to the story and being used as a hook. Right now, very roughly 10-20% of all spam is related to this (some spamtraps reporting more, some less). Similar IPs have also been sending pump & dump scams so likely the same group has re-tasted itself.

Here is a list of subjects I've seen hit spam traps:

Subject: 2 Explosions at Boston Marathon

Subject: Aftermath to explosion at Boston Marathon

Subject: Arbitron. Dial Global. Boston Bombings

Subject: Boston Explosion Caught on Video

Subject: BREAKING - Boston Marathon Explosion

Subject: Explosion at Boston Marathon

Subject: Explosion at the Boston Marathon

Subject: Explosions at Boston Marathon

Subject: Explosions at the Boston Marathon

Subject: Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com

Subject: Opinion: Boston Marathon Explosions - Romney Benefits? - CNN.com

Subject: Opinion: Boston Marathon Worse Sensation - Osama bin Laden still alive!? - CNN.com

Subject: Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com

Subject: Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com

Subject:[SPAM] 2 Explosions at Boston Marathon

Subject:[SPAM] Boston Explosion Caught on Video

Subject:[SPAM] Explosions at the Boston Marathon

Subject:[SPAM] Video of Explosion at the Boston Marathon 2013

Subject: Stiri:EXPLOZIILE de la maratonul din Boston/Spaga este negociata la granita Romaniei/A inventat bautura care INLOCUIESTE MANCAREA/TUNELUL cu mecanisme de NEINTELES al lui STALIN/70 % din infrastructura RCS-RDS este amplasata ILEGAL/BOMBA ANULUI IN SHOWBIZ

Subject: Video of Explosion at the Boston Marathon 2013

Here is a list of malicious URLs in those messages (use at your own risk):

hxxp://109.87.205.222/boston.html

hxxp://109.87.205.222/news.html

hxxp://110.92.80.47/boston.html

hxxp://110.92.80.47/news.html

hxxp://118.141.37.122/boston.html

hxxp://118.141.37.122/news.html

hxxp://176.241.148.169/boston.html

hxxp://176.241.148.169/news.html

hxxp://178.137.100.12/boston.html

hxxp://178.137.100.12/news.html

hxxp://178.137.120.224/boston.html

hxxp://178.137.120.224/news.html

hxxp://188.2.164.112/boston.html

hxxp://188.2.164.112/news.html

hxxp://190.245.177.248/boston.html

hxxp://190.245.177.248/news.html

hxxp://212.75.18.190/boston.html

hxxp://212.75.18.190/news.html

hxxp://213.34.205.27/boston.html

hxxp://213.34.205.27/news.html

hxxp://217.145.222.14/boston.html

hxxp://217.145.222.14/news.html

hxxp://219.198.196.116/boston.html

hxxp://219.198.196.116/news.html

hxxp://24.180.60.184/boston.html

hxxp://24.180.60.184/news.html

hxxp://24.214.242.227/boston.html

hxxp://24.214.242.227/news.html

hxxp://31.133.84.65/boston.html

hxxp://31.133.84.65/news.html

hxxp://37.229.215.183/boston.html

hxxp://37.229.215.183/news.html

hxxp://37.229.92.116/boston.html

hxxp://37.229.92.116/news.html

hxxp://46.233.4.113/boston.html

hxxp://46.233.4.113/news.html

hxxp://46.233.4.113/xxxxx.html

hxxp://50.136.163.28/boston.html

hxxp://50.136.163.28/news.html

hxxp://61.63.123.44/boston.html

hxxp://61.63.123.44/news.html

hxxp://62.45.148.76/boston.html

hxxp://62.45.148.76/news.html

hxxp://62.45.148.76/xxxxx.html

hxxp://78.90.133.133/boston.html

hxxp://78.90.133.133/news.html

hxxp://83.170.192.154/boston.html

hxxp://83.170.192.154/news.html

hxxp://85.198.81.26/boston.html

hxxp://85.198.81.26/news.html

hxxp://85.204.15.40/boston.html

hxxp://85.204.15.40/news.html

hxxp://85.217.234.98/boston.html

hxxp://85.217.234.98/news.html

hxxp://91.241.177.162/boston.html

hxxp://91.241.177.162/news.html

hxxp://91.241.177.162/xxxxx.html

hxxp://94.153.15.249/boston.html

hxxp://94.153.15.249/news.html

hxxp://94.28.49.130/boston.html

hxxp://94.28.49.130/news.html

hxxp://95.69.141.121/boston.html

hxxp://95.69.141.121/news.html

hxxp://95.87.6.156/boston.html

hxxp://95.87.6.156/news.html

Some of these are already down, but basically plain pages with a handful of embedded YouTube videos that are relevant. Early versions would redirect to fetch a file: boston___________AVI.exe and on down the rabbit hole it goes. It was pretty loud so most AV should have sigs already.

H/T to Nick Tabick and Corbin Souffrant, two of my students at the University of Illinois who helped dig into this last night.

http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/UPDATE: Trend Micro has a write up too.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

Keywords: boston marathon boston marathon explosions boston marathon scams waco fertilizer plant explosion

2 comment(s)

Apple iTunes Services Outage

Published: 2013-04-17
Last Updated: 2013-04-17 14:26:46 UTC
by Richard Porter (Version: 1)

3 comment(s)

UPDATE: All seems to be well and the interuption was brief. You can check status @ http://www.apple.com/support/systemstatus/

We are getting reports of an Apple services outage and or diffuculty connecting to iTunes services. If you are seeing this please report it?

Richard Porter

--- ISC Handler on Duty

Keywords: apple outage

3 comment(s)

ISC StormCast for Wednesday, April 17th 2013 http://isc.sans.edu/podcastdetail.html?id=3248

Comments

What's this all about ..?

password reveal .

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

https://thehomestore.com.pk/

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

https://defineprogramming.com/

Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/

Enter corthrthmment here...

Internet Storm Center

UPDATEDx1: Boston-Related Malware Campaigns Have Begun - Now with Waco Plant Explosion Fun

Apple iTunes Services Outage

Comments

Anonymous

Dec 3rd 2022
9 months ago

Anonymous

Dec 3rd 2022
9 months ago

Anonymous

Dec 26th 2022
8 months ago

Anonymous

Dec 26th 2022
8 months ago

Anonymous

Dec 26th 2022
8 months ago

Anonymous

Dec 26th 2022
8 months ago

Anonymous

Dec 26th 2022
8 months ago

https://defineprogramming.com/

Dec 26th 2022
8 months ago

https://defineprogramming.com/

Dec 26th 2022
8 months ago

rthrth

Jan 2nd 2023
8 months ago

UPDATEDx1: Boston-Related Malware Campaigns Have Begun - Now with Waco Plant Explosion Fun

Apple iTunes Services Outage

Comments

Anonymous

Dec 3rd 20229 months ago

Anonymous

Dec 3rd 20229 months ago

Anonymous

Dec 26th 20228 months ago

Anonymous

Dec 26th 20228 months ago

Anonymous

Dec 26th 20228 months ago

Anonymous

Dec 26th 20228 months ago

Anonymous

Dec 26th 20228 months ago

https://defineprogramming.com/

Dec 26th 20228 months ago

https://defineprogramming.com/

Dec 26th 20228 months ago

rthrth

Jan 2nd 20238 months ago

Dec 3rd 2022
9 months ago

Dec 3rd 2022
9 months ago

Dec 26th 2022
8 months ago

Dec 26th 2022
8 months ago

Dec 26th 2022
8 months ago

Dec 26th 2022
8 months ago

Dec 26th 2022
8 months ago

Dec 26th 2022
8 months ago

Dec 26th 2022
8 months ago

Jan 2nd 2023
8 months ago