Wednesday, 1 April 2009
Waledac Joe Jobbing Blizzard Image Hosting?
It is April 1, 2009 and the Internet has not yet melted! Conficker is real and not just an April Fools' Day joke, but it seems everything is still functioning for the most part. Despite all of this, we have been keeping our eyes on a few other things. One such thing is some of the Spam activities of the Waledac Trojan.
For the last five days we have noticed Waledac regularly spamming the services of Blizzard Image Hosting. Looking through our logs and at the website being spammed, it immediately stood out for a few reasons. First, most Spam runs by Waledac generally change the bodies and subjects and carry multiple different URLs. That has not been the case here: the information being spammed about Blizzard Image Hosting has not changed at all and has dominated large parts of the Waledac Spam runs. Second, the website did not appear to be pushing pharmaceuticals, pornography, or other cheap products for sale, and did not attempt to fire exploits at our browser either. The Spam e-mails look a lot like this:
From: <constantly changing spoofed address>
Subject: Free Image Hosting

BlizzardImageHosting[.]com is a new leader in online image & photo hosting, portfolios, and slideshow creation. We offer features you wont find at other image hosting sites and we offer it FOR FREE!

- Upload Unlimited Images
- Share Images With Anyone and Anywhere
- Get Gigabytes of Monthly Bandwidth and much more...

Sign up now!
hxxp://blizzardimagehosting[.]com/

(c) 2003-2009 Blizzard Image Hosting All Rights Reserved
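The contrast described above (Waledac runs normally rotate subjects, bodies and URLs, while this one stayed fixed for days and dominated the volume) can be checked mechanically over spam-trap data. The Python below is an added example, not Shadowserver's tooling; the records, the `.example` hosts and both thresholds are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

BLIZZARD_BODY = "Sign up now! hxxp://blizzardimagehosting[.]com/"
# Constructed spam-trap records (day, subject, body); not real captures.
SAMPLES = [(d, "Free Image Hosting", BLIZZARD_BODY) for d in
           ("2009-03-28", "2009-03-29", "2009-03-30", "2009-03-31", "2009-04-01")]
SAMPLES += [
    ("2009-03-28", "Cheap meds today", "Visit http://pills.example/a"),
    ("2009-03-29", "Best prices", "Visit http://pills.example/b"),
    ("2009-03-30", "Luxury watches", "hxxp://watches[.]example/"),
]

# Matches normal and defanged (hxxp) URL schemes and captures the host part.
URL_RE = re.compile(r"h(?:tt|xx)ps?://([^/\s]+)", re.I)

def hosts_in(body):
    """Return lower-cased hostnames of all URLs in body, undoing [.] defanging."""
    return {h.replace("[.]", ".").lower() for h in URL_RE.findall(body)}

def static_campaigns(records, min_days=3, min_share=0.5):
    """Flag advertised hosts whose subject and body never vary across at least
    min_days distinct days while making up at least min_share of all messages.
    Both thresholds are illustrative assumptions."""
    stats = defaultdict(lambda: {"n": 0, "days": set(),
                                 "subjects": set(), "bodies": set()})
    for day, subject, body in records:
        for host in hosts_in(body):
            s = stats[host]
            s["n"] += 1
            s["days"].add(day)
            s["subjects"].add(subject.strip().lower())
            s["bodies"].add(hashlib.sha256(body.encode()).hexdigest())
    flagged = {}
    for host, s in stats.items():
        share = s["n"] / len(records)
        unchanged = len(s["subjects"]) == 1 and len(s["bodies"]) == 1
        if unchanged and len(s["days"]) >= min_days and share >= min_share:
            flagged[host] = {"messages": s["n"], "days": len(s["days"]),
                             "share": share}
    return flagged

if __name__ == "__main__":
    for host, info in static_campaigns(SAMPLES).items():
        print(host, info)
```

A flagged host only says the run is atypically static; it does not distinguish paid advertising from a Joe Job.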
At this point we immediately suspected that Blizzard Image Hosting had either bought advertising from the Spammers behind Waledac or was being Joe Jobbed. In other words, we expected that they had either taken a sleazy advertising route or upset someone who is now blasting out their website and services to the Internet in order to cause them a lot of grief. Initially we had no real evidence to support one claim over the other. However, the owner of the Blizzard Image Hosting website has come out and publicly posted in multiple locations that they are being victimized and are not behind these Spam runs. At the time of this writing, the main page of their website partially reads:
PLEASE READ: My website is under DDoS attack!! I know who is behind it, and have referred all their personal information, and background information to the FTC and DOJ, as well as my registrar, web hosting legal departments and attorney's who've been in contact. I, Blizzard Image Hosting, is not spamming you!
This posting and the fact the Waledac trojan has been spamming the same messages and links for several days would lend credence to the Joe Job theory. However, just being the paranoid skeptics we are, we really can't say for sure. We are curious as to why the people behind Waledac would choose to attack this website out of the blue. Could it be random? That is doubtful.
Update: April 1, 2009 19:30 GMT
It looks like the web-host for Blizzard Image Hosting may have suspended their website. While it looks like a message you often see on some malware sites, it may actually be accurate in this case. Of course as previously mentioned, we are skeptical of the whole thing. Here's what the index page currently presents to visitors:
=>Posted April 01, 2009, at 05:56 AM by Steven Adair


