Verizon spam loads malware

Verizon customers beware. If you are set to receive and pay your bills online, this email scam could very well fool you and infect your PC:

Your bill payment has been applied to your Verizon Wireless account.

Traffic log:

The exploit is located on a Lithuanian server (

Jerome Segura

Look for a job, get malware

If you are looking for a job, don’t blindly click on the first offer you see in your mailbox:

The link loads ‘additional information’ (exploit page)

Traffic log:

Here is the login page for the corresponding exploit kit (BlackHole):

One of the exploits (Java) is not detected by any AV on VirusTotal:

Edu.jar (VirusTotal 0/42)

Jerome Segura

US Bank spam loads malware

A couple of variations for this US Bank scam:

Payload arrives from:

a French site using Parallels’ Plesk interface:

which loads:

And same final payload as previous post:

American Express spam leads to exploit and malware

A phishing scam from Amex is loading malware onto PCs.

“Dear Customer, Our response is ready for you. Please login to the Secure Message Center to read it.”

The link points to:

It contains further links to javascript files:

The javascript js.js loads:


This is the final exploit code:

It comes from a server located in Roubaix, France (

Check out the Wepawet Report here. And the files it drops (89ce2b837bf2dcfa74dacffb07e6d26389ce2b837bf2dcfa74dacffb07e6d263).

First Class ticket to BlackHole Exploit Kit

Here is a spam email pretending to be from US Airways:

You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying abroad). Then, all you need to do is print your boarding pass and head to the gate.

Confirmation code: 755536

Check-in online: Online reservation details

Clicking on the link to view flight 8160 takes you to a malicious webpage that loads the BlackHole Exploit Kit where you can expect some turbulence:

Here is the traffic log:

And here is the BlackHole login page:

IP: (Switzerland).

This is where the bad guys keep track of how many PCs they have managed to infect, where they can update the malicious payload, get stats etc…

The email campaigns are getting better and better at circumventing spam filters and the emails use themes that keep on changing. Remember to be very cautious when clicking any link or picture from an email, even if you think it is just an advert.

Jerome Segura

Old PornTube, New Rogue AV

It’s one of those days when you have a bit of nostalgia for the stuff you used to do. Back a year or so ago, I used to hunt down fake AV and the like. It involved fake YouTube sites, porn and more porn.

Out of curiosity, I started some searches, the same that I used to do to find the bad stuff.

Like I said, this is quite old (Feb 2011). I clearly remember it used to redirect to various sites using Dynamic DNS.

Guess what? It’s still working!

The DNS service is provided by:

This page is quite familiar but looks ancient by now…

The file takes forever and a day to download…:

The very low detection rate on VirusTotal makes me wonder whether this file is really old or just too new… (2/41).

Next, I checked whether the file was half broken… but clearly it was working just fine:

It installs a fake AV called “Windows Trouble Taker” (should have been called Trouble Maker IMHO ;-) )

A quick search confirms this is not an old rogue AV, but rather the new kid on the block:

This is one tenacious fake porn tube… Can someone unplug it for good?

Jerome Segura

A real life example of a website cleanup after malware infection

Yesterday I cleaned up a site hosted on bluehost. I will show you how I proceeded from malware identification to removal.

First, I did a quick look up on StopBadware’s Clearing House:

It reported three different links containing malware. I opened them in a VM, looked at the source code and confirmed the problem:

It was time for a full website inspection and clean up.

I got access to the cPanel admin account, unfortunately SSH was not enabled (it isn’t by default, and you need to contact customer support). So, I went with FTP instead.

The thing with FTP is that you need to browse each folder by hand and you can’t run a script.

The site being relatively small, I downloaded a local copy. This makes it easy to do all the work with whatever scripts and tools you have installed.

The code was found in almost all the ‘.php’ files (and there were a lot of them!):

A grep command was able to find all the files containing these pieces of code:

Before making any changes, I backed up each file with a ‘.bak’ extension. Each file was then disinfected using a sed command.
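The grep-then-sed cleanup described above, as an added shell example that is not the author's script: it builds a constructed local site copy with a made-up injected marker, lists the infected .php files, backs each one up to .bak and then strips the marker (the sed substitution also handles a marker appended to an existing line, not only whole injected lines).

```shell
#!/bin/sh
# Added example, not the original post's commands. The injected marker below is
# constructed for the demo; in a real cleanup you copy the exact code you found.
set -eu

INJECT_MARKER='<script src="http://malicious.example/js.js"></script>'  # constructed

# Build a small fake local site copy: two infected PHP files and one clean one.
make_sample_site() {
  dir=$(mktemp -d)
  mkdir -p "$dir/inc"
  printf '<?php echo "home"; ?>\n%s\n' "$INJECT_MARKER" > "$dir/index.php"
  printf '<?php echo "about"; ?>\n%s\n' "$INJECT_MARKER" > "$dir/inc/about.php"
  printf '<?php echo "clean"; ?>\n' > "$dir/inc/clean.php"
  echo "$dir"
}

# Step 1: print the path of every .php file containing the marker
# (fixed-string match with -F, -l prints only file names).
find_infected() {
  find "$1" -name '*.php' -exec grep -lF "$INJECT_MARKER" {} + || true
}

# Step 2: back each infected file up to <name>.bak, then remove the marker
# with sed. The marker is escaped so that '/', '.' and other BRE
# metacharacters are matched literally.
disinfect() {
  marker_re=$(printf '%s' "$INJECT_MARKER" | sed 's/[][\\/.*^$]/\\&/g')
  find_infected "$1" | while IFS= read -r f; do
    cp -p "$f" "$f.bak"
    sed "s/$marker_re//g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Number of .php files still carrying the marker (0 after a successful cleanup).
count_infected() {
  find_infected "$1" | wc -l | tr -d ' '
}
```

Re-running the grep after the sed pass is the check that the cleanup actually caught every file; the .bak copies let you diff what was removed.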

Website infections are very common. Because it is easy to set up a website but difficult to maintain it (from a security point of view), most websites fall victim to automated scripts exploiting known vulnerabilities.

This particular website was affected by an XSS vulnerability:

At SparkTrust we look at both ends of the spectrum: We protect your site by doing regular security checks to make sure script kiddies can’t hack the site with readily available tools. But for our new customers that are already infected, we also provide disinfection services.

To learn more about our services please visit

Jerome Segura

Malicious LinkedIn emails force BlackHole exploit kit

LinkedIn has always been targeted by the bad guys. I remember back a few years ago fake profiles by the thousands were used to load malware onto unsuspecting users’ computers.

Well, spammers have been launching email campaigns with fake LinkedIn invites or notifications:

Clicking on the link means trouble:

Here is one particular domain that was live when I wrote this blog entry.

That page loads several external JavaScript files. They are all identical, but using more than one means that if one of the hosting sites is down the next one is tried, limiting the risk of a single point of failure.

The javascript loads the actual exploit toolkit:

This server’s IP is in South Africa; I was expecting something more like a Ukrainian or Russian-based hotspot…

Steer clear!

Jerome Segura