The courts are busy with these 5 viral samples from the Ximian Evolution spammer (Nov 5 /...


So these are showing detection rates of 25 to 30 (out of 54).  They've
been in circulation anywhere from 42 to 17 hours prior to submission to
VT:


https://www.virustotal.com/en/file/2ff399253c8d4a5af2d3f0ca3129ff9d2928ae1492eedc2898d74e371370cf68/analysis/1415281082/

https://www.virustotal.com/en/file/783633059ec8460836213723e723d334928cd8c6b288c9dca2a99edd883f3e1f/analysis/1415281089/

https://www.virustotal.com/en/file/b76d73da310e08271d76ce1e8cf1ed0b66856a234caa4fbea2fb6d7197786f0d/analysis/1415281094/

https://www.virustotal.com/en/file/90ce65ada5b65554edb2a998118df4bff9d750de5604a712a91c0ce1e3f31fad/analysis/1415281101/

https://www.virustotal.com/en/file/0a067aee4ca3b3568a991ed7d71102dd6abc09c9e31256b2eec7606f1faa5c84/analysis/1415281106/


The following 23 AV/AM products detected all 5 samples:

Ad-Aware    AhnLab-V3     Avast     AVG         Avira
AVware      BitDefender   DrWeb     Emsisoft    ESET-NOD32
Fortinet    F-Prot        F-Secure  GData       McAfee
nProtect    Rising        Sophos    SUPERAntiSpyware
Symantec    Tencent       TrendMicro-HouseCall  VIPRE


The companies responsible for the following 8 products are clearly
*trying* to develop or endow these products with the ability to detect
these droppers, but are not doing so with the same efficiency or
technical competency as the above 23 companies:

Cyren       Microsoft     McAfee-GW-Edition  NANO-Antivirus
Norman      TrendMicro    Kaspersky          Antiy-AVL

The above 8 products detected only 3 of these samples as malware, except
for Kaspersky (detected only 2) and Antiy-AVL (only 1).

The difference in detection capability between the TrendMicro-HouseCall
and TrendMicro products continues to be unexplained.

6 of these products gave the same identifier (BGKM) for these samples,
indicating they share a common scan engine or database.  These samples
were also identified as Kuluoz (3 times), Zortob (twice), Wonton (once)
and only once as Aspxor (which I understand these really should be
called).


The following 15 products did not detect any of these 5 samples as
malware:

AegisLab            Agnitum        Baidu-International
Bkav                ByteHero       CAT-QuickHeal
ClamAV              CMC            Comodo
Ikarus              Jiangmin       K7AntiVirus
K7GW                Kingsoft       Malwarebytes


You can receive your court orders here:

http://www.filedropper.com/notice-to-appear


What is strange about this long-running malware distribution campaign is
that:

1) presumably it is easy to block, given the very simple and
   repeating contents of the message body, and the diagnostic
   X-Mailer: XimianEvolution1.4.6 header line.

2) my server is blocking upwards of 60% of the entire routable IPv4
   address space.  The amount of spam I get from botnets and
   "rentable" IPs (what I will call Black IPs) is almost nil for
   the past 2 months - so these Ximian Evolution spams are making
   up a significant portion of the spam that I'm receiving from
   these "Black" IPs.  These IPs are usually associated with
   other types of spam (notably drugs, expensive watches, purses,
   etc. and info phishing).  So it seems to me that these more
   "valuable" black IPs (valuable because they probably have little
   or no previous history of sending spam) are being put to use to
   distribute the Aspxor dropper as opposed to sending the far more
   mundane sorts of spam that have direct commercial or financial
   motives.

So I have to ask: why is the Ximian Evolution spammer, who is being
tasked to employ his botnet to distribute these Aspxor droppers using
perhaps his most valuable bots (from an IP point of view), not being
more creative in terms of spam header and body construction?

These spams are trivial to block at the header and body level.
I have to wonder who the spammer thinks is receiving these spams...?


Spam headers:

==================
Received: from institutionalinvestorlawyers.com ([206.205.91.75])
Wed, 5 Nov 2014 02:45:58 -0500
From: "Notice to Appear"
Subject: Urgent court notice
X-Mailer: XimianEvolution1.4.6

Received: from minnesota-injurylawyers.com ([216.195.253.26])
Wed, 5 Nov 2014 15:36:03-0500
From: "Notice to Appear" <loginMUNG@minnesota-injurylawyers.com
Subject: Notice to Appear in Court
X-Mailer: XimianEvolution1.4.6

Received: from career-lawyers.com ([132.217.151.12])
Tue, 4 Nov 2014 14:04:32-0500
Subject: Hearing of your case in Court
X-Mailer: XimianEvolution1.4.6

Received: from hcvlawyers.com ([24.141.14.8])
Tue, 4 Nov 2014 23:18:51 -0500
Subject: Notice to appear
X-Mailer: XimianEvolution1.4.6

Received: from diabetes-lawyers.com ([98.175.21.67])
Wed, 5 Nov 2014 09:28:17-0500
From: "Notice to Appear" <customerMUNG@diabetes-lawyers.com
Subject: Notice to appear
X-Mailer: XimianEvolution1.4.6

==================


Spam message bodies:

-------------
Notice to Appear,
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Truly yours,
Clerk to the Court,
Jennifer Tailor
-----------
Notice to Appear,
The copy of the court notice is attached to this letter.
Note: If you do not attend the hearing the judge may hear the case in
your absence.
Truly yours,
Clerk to the Court,
Emma Smith
-----------
Notice to Appear,
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Truly yours,
Clerk to the Court,
Chloe Tailor
-----------
Notice to Appear,
The copy of the court notice is attached to this letter.
Please, read it thoroughly.
Truly yours,
Clerk to the Court,
Evie Tailor
-----------
Notice to Appear,
The copy of the court notice is attached to this letter.
Note: If you do not attend the hearing the judge may hear the case in
your absence.
Truly yours,
Clerk to the Court,
Evie Mason
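As an added example (not part of the original post), here is a small Python rule check that implements the two blocking signals the post names: the fixed X-Mailer string and the repeating body template. The sample messages are constructed from the headers and bodies quoted above; the munged sender addresses, the header-only variant and the benign control message are assumptions, not data from the post.

```python
"""Rule check for the 'Notice to Appear' spam template described in the post.

Added example: the signals are the fixed X-Mailer header and the repeating
body text; the sample messages below are constructed from the quoted
headers and bodies, not copied from live mail.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Header indicator exactly as quoted in the post.
XMAILER_INDICATOR = "XimianEvolution1.4.6"

# Phrases present in every body quoted in the post; matched after
# whitespace and case normalisation so line wrapping does not matter.
BODY_PHRASES = (
    "notice to appear,",
    "the copy of the court notice is attached to this letter.",
    "truly yours, clerk to the court,",
)

_WS = re.compile(r"\s+")


def _normalise(text: str) -> str:
    """Collapse whitespace and lower-case so wrapped lines compare equal."""
    return _WS.sub(" ", text).strip().lower()


def header_hit(msg: EmailMessage) -> bool:
    """True when X-Mailer equals the campaign's fixed string."""
    return (msg.get("X-Mailer") or "").strip() == XMAILER_INDICATOR


def body_hit(msg: EmailMessage) -> bool:
    """True when the plain-text body carries every template phrase."""
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return False
    text = _normalise(part.get_content())
    return all(phrase in text for phrase in BODY_PHRASES)


def classify(raw: str) -> str:
    """Return 'block' (both signals), 'flag' (one) or 'pass' (none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = int(header_hit(msg)) + int(body_hit(msg))
    return ("pass", "flag", "block")[hits]


def _msg(headers, body_lines):
    """Assemble a minimal RFC 5322 message from header and body lines."""
    return "\n".join(headers) + "\n\n" + "\n".join(body_lines) + "\n"


# Constructed samples modelled on the post's quoted headers and bodies.
# Sender local parts are placeholders ("MUNG", as in the post).
SAMPLES = {
    "template_note": _msg(
        ['From: "Notice to Appear" <customerMUNG@diabetes-lawyers.com>',
         "Subject: Notice to appear",
         "X-Mailer: XimianEvolution1.4.6",
         "Date: Wed, 5 Nov 2014 09:28:17 -0500"],
        ["Notice to Appear,",
         "The copy of the court notice is attached to this letter.",
         "Note: If you do not attend the hearing the judge may hear the case in",
         "your absence.",
         "Truly yours,",
         "Clerk to the Court,",
         "Evie Mason"]),
    "template_read": _msg(
        ['From: "Notice to Appear" <loginMUNG@minnesota-injurylawyers.com>',
         "Subject: Notice to Appear in Court",
         "X-Mailer: XimianEvolution1.4.6"],
        ["Notice to Appear,",
         "The copy of the court notice is attached to this letter.",
         "Please, read it thoroughly.",
         "Truly yours,",
         "Clerk to the Court,",
         "Jennifer Tailor"]),
    # Assumed variant: same mailer string, unrelated body -> only flagged.
    "header_only": _msg(
        ["From: someone@example.invalid",
         "Subject: Hello",
         "X-Mailer: XimianEvolution1.4.6"],
        ["Hi, are we still meeting on Thursday?"]),
    # Assumed benign control message (mailer value is made up) -> passes.
    "benign": _msg(
        ["From: clerk@example.invalid",
         "Subject: Lunch",
         "X-Mailer: Evolution 3.12"],
        ["Notice to all staff: the kitchen is closed today.",
         "Truly yours, Bob"]),
}


def run_samples():
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} {verdict}")
```

Requiring both signals before a hard block keeps a single forged or coincidental header from rejecting legitimate mail, while a lone hit still gets surfaced for review; the same two checks map directly onto a header rule and a body rule in most MTA or milter filters.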
