[Dshield] Viruses and spam MAY BE connected

John Sage jsage at finchhaven.com
Fri Nov 21 17:13:16 GMT 2003

OK: the issue, as I understand it, is to establish a direct,
one-to-one correlation between a virus-based delivery vehicle, and

Read on...

On Fri, Nov 21, 2003 at 12:55:03AM -0500, David Kennedy CISSP wrote:
> Date: Fri, 21 Nov 2003 00:55:03 -0500
> To: General DShield Discussion List <list at dshield.org>
> From: David Kennedy CISSP <david.kennedy at acm.org>
> Subject: [Dshield] Viruses and spam MAY BE connected
> At 01:21 PM 11/20/03 -0800, Dshield Contributor wrote:
> >Recently, a discussion on this list as to what to do about a virus
> >being sent repeatedly via email was argued to not be spam.

/* snip */

> "Spammers are becoming more technically savvy," said Vincent Weafer,
> senior director of antivirus research for Symantec Security Response.
> "They'll use whatever tool is convenient and effective for them. It's
> a tenuous link right now between spammers and virus writers -- no one
> has been able to prove that link." 
> <<<<
> I am *anxious* to see proof of a connection.  I *think* there
> *most*likely* is a connection.  That's my *opinion.* I have *no*
> proof, not for lack of trying.
> > But no matter how many people *say* there's a connection (or write
> that), no matter how many say it's "most likely" there's a connection
> it does not change the *fact* that so far no one reliable has
> demonstrated for peer review that there is a connection.
> Until a connection is proven or demonstrated I *think* it would be
> useful, especially for the clue impaired (eg. journalists) if clueful
> folks moderated their categorical assertions lacking in proof.

Taking this sparse header:

> From: maitareyesm <maitareyesm at yahoo.es>
> To: jsage at f*nchh*v*n.c*m
> Subject: A  good tool
> Date: Fri, 21 Nov 2003 12:12:06 +0100 (CET)

and this html body:

This is a special  good tool<br>
I hope you would enjoy it.

And given these components:

I 1 <no description>   [multipa/alternative, 7bit, 116K]
I 2 <no description>   [text/html, quoted, us-ascii, 0.1K]
I 3 <name.bat>         [applica/octet-stream, base64, 115K]
I 4 <no description>   [text/plain, 7bit, us-ascii, 0K]
I 5 <goto_sv[1].htm>   [applica/octet-stream, base64, 0.3K]

what would you think? Looks somewhat Klez-ish, no?

But look at the contents of "goto_sv[1].htm:

<body OnLoad='document.pagonet.submit()'>
<form name='pagonet' method='post' action='http://phone.pagonet.com'>
<input name='ref' type='hidden' value='dp3919/promo2'>

[jsage at sparky ~] $ lynx -source http://phone.pagonet.com/

<title>CONEXI&Oacute;N DIRECTA EN 30 SEGUNDOS!</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="imagetoolbar" content="no">

/* snip */

<script language="javascript"
<body background="/sextvnet/img/vocal_background.gif" leftmargin="0"
topmargin="0" marginwidth="0" marginheight="0" onLoad="focus()">
<table width="760" height="100%" border="0" align="center"
cellpadding="0" cellspacing="0">

/*snip */

[jsage at sparky ~] $ lynx -source

//byphone Script v1.0
//Copyright (c) 2002-2003 AZ interactive, S.L.
document.writeln("<iframe id='byphone_check' name='byphone_check'
style='width:0px; height:0px; border: 0px; display:none'></iframe><div
style='width:0px; height:0px; display: none'><form name='byphone_form'
method='post' action='http://vocal.azinteractive.com:8080/pagonet/'
target='byphone_check'><input type='hidden'
name='code' value='61021264'><input type='hidden' name='phone'
value='803 51 71 72'><input type='hidden' name='ref'
value='sextvnet'><input type='hidden' name='afi'
value='sextvnet'><input type='hidden' name='serv'
value='sextvnet'><input type='hidden' name='url'

value='www2.sextvnet.com'><input type='hidden' name='pass'

value=''></div>"); function byphone_show(object) {
 if(object.value=="") object.value=" Escribe aquí tu validación ";
function byphone_hide(object) {
 if(object.value==" Escribe aquí tu validación ") object.value="";
var byphone_number = "803 51 71 72";
var byphone_ticket = "61021264#";
var byphone_input = "<input type='text' size='25' maxlength='50'
onblur='byphone_show(this)' onfocus='byphone_hide(this)'
onchange='document.byphone_form.pass.value = this.value' value='
Escribe aquí tu validación '>&nbsp;y a continuaci&oacute;n&nbsp;<input
type='button' value='ENTRAR'

/* snip */

Of course, this is not a *new* virus, written with the intent of
delivering spam, but it's certainly a deliberately written variant.

Why someone would use this method to deliver spam is beyond me, but no
one said spammers were smart...

- John
"Most people don't type their own logfiles;  but, what do I care?"
John Sage: InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.

More information about the list mailing list