An E-mail Thread About: Many New Viri, SPAM and the Harvesting of Email Addresses from Webpages (as well as, email address spoofing)

A multitude of new viri... at least 3 separate viri... both coming multiple times from various computers. (i.e. apparently significant depth and breadth)

...this is combined with an ever increasing volume of SPAM

... making it hard to tell what the hell is going on 'round here.

here are some points of clarity... or less mud --

1) all (the SPAM and all of the new viri) appear to use some version of email harvesting from webpages and/or compromise the cache of your browser (to find email addresses from the stored webpages.)

2) at least one of these varmints appears to use a new technique... whether intentional, or not, i do not know... but, it appears to harvest email addresses from the same webpage/site and mail to the other people on that page [thus, the spoofing of sid sending me a virus... and me appearing to have sent him one... our email addresses appear on the same webpage]

So... i am collecting and testing some things... including the removal of me as middle man when it comes to SPAM... and maybe viri? ya know... why not let the harvesters harvest the email addresses directly?

also, here is a partial copy of what the 3 new viri look like as they come in:

A)Klez

From: boris 
To: sid@membrane.com
Subject: Japanese lass' sexy pictures
X-Apparently-From: TForker874@aol.com
--Ho6p1557K304o0Uma1r5yq1yQF14NQ78
Content-Type: audio/x-wav;
        name=65_7[1].scr
Content-Transfer-Encoding: base64
Content-ID: 

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZS BydW4gaW4g

B) the multinational game viri (I've gotten a variety of these with different broken English versions in the subject line):

>From daemon Thu Apr  4 07:03:29 2002
Date: Tue, 2 Apr 2002 18:14:16 -0500 (EST)
From: tvd_documentation 
To: boris@lyonesse.membrane.com
Subject: A very  excite game
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=JT5l3n1n60F6LI9f9Rp161y0
X-Apparently-From: JENEADGBE@aol.com

--JT5l3n1n60F6LI9f9Rp161y0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable



This is a very  excite game

This game is my first work.

You're the first player.

I wish you would like it.

--JT5l3n1n60F6LI9f9Rp161y0
Content-Type: application/octet-stream;
        name=install.exe
Content-Transfer-Encoding: base64
Content-ID: 

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZS BydW4gaW4g

3) the fake returned mail viri --

>From daemon Fri Apr  5 23:27:28 2002
Received: from rly-ip01.mx.aol.com (rly-ip01.mx.aol.com [205.188.156.49])
        by lyonesse.membrane.com (8.9.3/8.9.3) with ESMTP id XAA08421
        for ; Fri, 5 Apr 2002 23:27:26 -0500
Received: from logs-tq.proxy.aol.com (logs-tq.proxy.aol.com [152.163.201.5])
          by rly-ip01.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
          with ESMTP id XAA15346 for ;
          Fri, 5 Apr 2002 23:26:18 -0500 (EST)
Received: from Shpvdc (AC9FEC4D.ipt.aol.com [172.159.236.77])
        by logs-tq.proxy.aol.com (8.10.0/8.10.0) with SMTP id g364CNh91686
        for ; Fri, 5 Apr 2002 23:12:25 -0500 (EST)
Date: Fri, 5 Apr 2002 23:12:25 -0500 (EST)
Message-Id: <200204060412.g364CNh91686@logs-tq.proxy.aol.com>
From: postmaster 
To: boris@membrane.com
Subject: Undeliverable mail--"congratulations"
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary=BJ8l840V9DO7Fm3034B7ym2w42D
Status: R

--BJ8l840V9DO7Fm3034B7ym2w42D
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

The following mail can't be sent to Carlson512@aol.com:

From: boris@membrane.com
To: Carlson512@aol.com
Subject: congratulations

--BJ8l840V9DO7Fm3034B7ym2w42D
Content-Type: application/octet-stream;
        name=this .bat
Content-Transfer-Encoding: base64
Content-ID: 

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAA AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZS BydW4gaW4g RE9TIG1vZGUuDQ0KJAAAAAAAAACYl33g3PYTs9z2E7Pc9hOzp+ofs9j2E7Nf6h2zz /YTszTp GbPm9hOzvukAs9X2E7Pc9hKzq/YTszTpGLPO9hOzZPAVs932E7NSaWNo3PYTswA AAAAAAAAA UEUAAEwBBABcmkI8AAAAAAAAAADgAA8BCwEGAADAAAAAgAgAAAAAAHi AAAAAEAAAANAAAAAA QAAAEAAAABAAAAQAAAAAAAAABAAAAAAAAAAAUAkAABAAAAAAAAA CAAAAAAAQAAAQAAAAABAA ABAAAAAAAAAQAAAAAAAAAAAAAAAY1gAAZAAAAABACQAQAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAA ANAAAOQBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAA AGq2AAAAEAAAAMAAAAAQ AAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAADqDwAAANAAAAAQAAAA0A AAAAAAAAAAAAAAAAAA QAAAQC5kYXRhAAAA7FMIAADgAAAAQAAAAOAAAAAAAAAAAAAAAAAAA EAAAMAucnNyYwAAABAA

FOLLOW-UP & SUMMARY

This is the really sloppy brief i'd write if i was sending any analysis and investigation request to, say CERT FBI/NIPC OSU systems people - meaning the decision makers

+-+-+-+-+-+-+-+-+

A series of email-address capture softwares are used to gather legitimate email addresses from major ISP's internationally. E.g.: Roadrunner Yahoo AOL Neweb/Dion in Japan XYZ.my in Malaysia

Using the legitimate email addresses gathered in this manner, the perps then send spam mail (advertising or other product and service pitches and promotions) in very large quantities and in multiple close-quarters sends - sometimes juts minutes apart - to millions of targeted recipients.

Many of the spam sender email addresses possess the same root name sender - the same five or six letters are used in various forms by the spam sender perps.

Many of the spam emails are traced to email addresses with Chinese (PRC) .gov domains.

This draws complaints in record numbers from spam recipients directed to both ISPs and the U.S. FTC (uce@ftc.gov)

In response, the FTC expands its spam program, employing more assets, people and money in the process.

Also in response, many major US ISPs literally lock out other ISPs email - e.g., RoadRunner in the US has locked out all email originating with an otherwise legit ISP domain in Japan - Neweb/Dion.ne.jp.

Many of the spams, whether virus-contaminated or not, contain spoofed sender-email addresses.

This scenario, if implicitly correct, could represent an asymmetric, low intensity east-west infrastructure attack which blends spam, spoofs and virus intended to cause havoc.