[Scgeeks] Re: Query: watch.ru

rooster acmeanvil at fishnet.com
Tue Aug 26 17:35:24 EDT 2008


Farelf wrote:
> rooster wrote:
>> Farelf wrote:

> <snip>

>>> Imagine - hacking a spammer!  "Little fleas have smaller fleas," etc. 
>>> Still, the Russians evidently see spamming in a 'different' light, 
>>> just another kind of advertising to them.
>>
>>
>> "hacking a spammer." Doesn't really make sense though, does it? If I'm
>> understanding you. The spamming agent (spag) would have to have rather
>> intimidating receivables clerks when it came time to collect from
>> watches.ru for his master's unsolicited promo services; eh?
> 
> What I had in mind is some third party silently inserting code and/or 
> exploit pages into the relatively innocent 'straight up' spammer 
> watch.ru.  There seems to be a lot of this sort of thing happening. 
> Purpose, to assimilate as many visitors as possible into the botnet(s) 
> using the CNN Top 10 and other malicious link spams.  Nothing to do with 
> the unwitting hosts.   See 
> http://forum.spamcop.net/forums/index.php?showtopic=9627 - with links 
> http://www.vivtek.com/projects/despammed/stormspam_explanation.html and
> http://www.vivtek.com/projects/despammed/stormspam.html explaining it 
> more purposefully than I could (and with about 10^4 times the data to 
> play with - probably a bit more spare time too).  Not to mention more 
> knowledge.  And a higher IQ.  And a nice dog.  You get the picture.

"silently inserting code and/or exploit pages" ... that was my original
suspicion. But I was able to tease indications of such threats out of
the html on the target page and/or the redirects on the CNN, MSN, "Top News
Agency" fake news spews. My working hypothesis on these is that each
iteration presents at least 2 discernible threats per spam. One threat uses
the exploit:
<... URL=get_flash_update.exe" />,
and the other takes the form of click fraud, the 'hook' being an offer
of free AV Ware (e.g.,
79.135.167.18/antivirus/).

///////////////////////
From my notes:

^^From: MSNBC Breaking News <Olesya-nesijhr at fiera.ge.it>^^

^^Subject: msnbc.com - BREAKING NEWS: Bulimia Not The Same As Being A
Greedy Bastard, Say Doctors^^
<snip>
Iteration of the bogus CNN alerts.

Maguffin: Trojan Downloader. Infection of MSIE 7 with Trojan or other
malware (e.g., Cbeplay.a) by enticing recipient to click on
"activex_is_here" link to d/l codec: 
<..."location.href='adobe_flash.exe'", 3000>.

Spam URI domain <aksakal.ru> is registered with REGTIME-REG-RIPN, using
ns1.mchost.ru [83.229.187.19] and ns2.mchost.ru [83.229.186.19].
Purported registrant of record is Evgeniy Y Soldatov, but both ns1 & ns2
IPs are nominated to a Roman S Veretelnikov under the auspices of
McHost.Ru, Inc.
/////////////////////////////////

Similar, but not identical, was the "Top News Agency" run, with message
body link to:
<"iispc[dot]net[slash]index1[dot]html">
...which page also had embedded iframe pop-ups (op. cit.,
79.135.167.18/antivirus/), which might (does) signify click fraud and
therefore the product itself should be treated as dangerous malware.

The thing of it is, the watch.ru spew, AFAICT, doesn't fit the mold.
The reason I posted here instead of the forum was to see if anyone had
sophisticated tools (i.e., geekware) to find indications of some marvelous
malicious thingies embedded at watch.ru that pilgrims like me wouldn't
have a clue about.

My data base isn't large enough to render a high level of confidence WRT
the spam sources. The CNN and MSNBC spews appear to be from the same
spamming agent; the "Top News Agency" one is probably from an affiliate.
But the watch.ru source profile doesn't seem to have anything in common
with them.

If we rule out malware insertion as the mission of the spew, I'm left with
considering that the object of the watch.ru spew is either shameless
self-promotion, an indication of a shift in their business plan to include
phishing for financial info, or is an attempt by other 'fake bling-flingers'
to damage the competition.

None of these really satisfies though; does it? Watch.ru would be
shooting themselves in the foot PR-wise, competitors have more subtle
ways of compromising/attacking a web site, and the short-term effect
might be expected to vector a lot of potential rubes to the watch.ru
main page.

You'd think someone at my time of life would have found enough things
proven to make themselves feel stupid without expanding the catalog by
getting caught up obsessing on spammers; eh?

>>
<SNIP>
> 
> Crappy spamware mass-mailer.  You'd think they'd get better gear.
> 
>> No recent reports, no history available
>> Cannot resolve http://www.watchru/
> 
> Of course not. Crappy spamware mass-mailer.

... does a pretty good job most times, don't it? I seldom look at it, so I
wouldn't know. I find it tough enough tracking links by hand. Anybody
who could come up with a way to automate it is a genius AFAIAC.
-- 
Happy trails,
rooster
boundary beach, bc
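An added example, not part of the thread or of any tool it mentions: a small Python scanner for the three page-level indicators rooster describes above (a meta-refresh to an .exe, a JavaScript location.href redirect to an .exe, and a hidden iframe whose host is a bare IP literal), plus a helper to undo the [dot]/[slash] defanging used when quoting spam links. The sample HTML, the 192.0.2.10 address and example.com are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Reverse the defanging used when quoting spam links ("[dot]", "[slash]")
# so the URL can be parsed or compared normally.
DEFANG = {"[dot]": ".", "[slash]": "/"}

def refang(url: str) -> str:
    for token, plain in DEFANG.items():
        url = url.replace(token, plain)
    return url

# Indicators discussed in the thread:
#  1. <meta http-equiv="refresh" content="...; URL=something.exe">
#  2. location.href='something.exe' in inline script
#  3. <iframe src="http://<bare IP>/..."> (hidden pop-up / click-fraud frame)
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*url=([^"\'\s>]+)', re.I)
LOCATION_HREF = re.compile(r'location\.href\s*=\s*["\']([^"\']+)["\']', re.I)
IFRAME_SRC = re.compile(r'<iframe[^>]*src=["\']([^"\']+)["\']', re.I)
IP_HOST = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

def scan_html(html: str) -> list[tuple[str, str]]:
    """Return (indicator, url) pairs for suspicious redirects and iframes."""
    findings = []
    for url in META_REFRESH.findall(html):
        if url.lower().endswith(".exe"):
            findings.append(("meta-refresh-to-exe", url))
    for url in LOCATION_HREF.findall(html):
        if url.lower().endswith(".exe"):
            findings.append(("js-redirect-to-exe", url))
    for url in IFRAME_SRC.findall(html):
        host = urlparse(url).hostname or ""
        if IP_HOST.match(host):
            findings.append(("iframe-to-ip-host", url))
    return findings

# Constructed sample page mimicking the patterns quoted in the thread.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="3; URL=get_flash_update.exe" />
<script>setTimeout("location.href='adobe_flash.exe'", 3000);</script>
</head><body>
<iframe src="http://192.0.2.10/antivirus/" width="0" height="0"></iframe>
<iframe src="http://example.com/banner.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(refang("iispc[dot]net[slash]index1[dot]html"))
    for indicator, url in scan_html(SAMPLE_HTML):
        print(f"{indicator}: {url}")
```

Run it against a saved copy of a landing page rather than fetching live; the regexes are deliberately loose, so treat hits as leads to inspect, not verdicts.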