Trend Micro Malware Blog

    Archive for May 20th, 2009




    These days, German users receive emails announcing that a company called IT-Electronics is looking for professionals in search of extra income.


    Here is a rough translation of the email message:


    Dear recipient,

    IT Electronics, the leading Asian firm in the field of information technology, announces again its intention to employ workers in Germany. We give you another chance to work with us and to have extra income.

    We are looking for honest, responsible and industrious people aged 21 to 67 years old for the representation of our company in your region. To optimize our company’s work in Germany and for the improvement of our business development, we need people who can afford 2-3 hours per day. This is an opportunity to work from home and to earn 300-500 € (Euro) per week.

    We invite you to visit the IT-Electronics web site to overview our job vacancy.

    There are no fees or expenses required; we offer a real and honest opportunity to work from home for an extra income.

    The link in the email connects to what seems to be the IT-Electronics website, where the careers tab contains a job offer written in German (the rest of the web page is in English). While this is so far nothing new or unexpected, it turns out that the job description is something very similar to the infamous Nigerian Scam:


    The job description translates to the following:


    Process:
    1. Our client (which might be located in your region) informs us about his desire to enter a supply contract.
    2. We give our customer your contact data and he transfers funds directly to your bank account. You must tell us when the funds are received.
    3. On the same or the next day, we proceed with the shipment of our production to the customer.
    4. You’ll get instructions on how these funds may be transferred to our bank account.

    We pay you a percentage of each transaction. The typical amount is 5-7% of the funds received in your bank account. You will receive this commission immediately after the customer’s payment is received by us. We will also cover all costs associated with the money transfer.

    The job applicant only needs a phone and a bank account: the phone to arrange money transfers with potential customers of IT-Electronics, and the bank account to pass the money on to IT-Electronics.

    Analysis reveals that the emails were sent from accounts located in Colombia, Mexico, the US and Germany, most probably by botnet zombies. The IT-Electronics website is hosted in China, which is quite infamous for hosting rogue sites.

    Well in case you’re interested in taking the job, here is one important fact that they didn’t put in the job description: money laundering is illegal.




    Shortly after a phishing attack that targeted the 200 million users of the immensely popular social networking site Facebook, another attack was launched by cybercriminals. This time, however, the attack targets not only Facebook users but also members of Tagged, Friendster, MySpace and other networking sites.

    A new Koobface attack was found that uses the very same fake YouTube site utilized in another recent Koobface attack, the one that scared users into breaking CAPTCHA codes for cybercriminals.

    Once executed, the Koobface worm searches the affected system for cookies related to social networking sites, then attempts to extract login credentials from them. Once done, it sends an HTTP POST request to a remote server. The server answers the request with data that triggers the creation of a message containing a link to a copy of the worm. This message is then sent to the contacts of the affected user.

    Samples of this Koobface worm are detected by Trend Micro as WORM_KOOBFACE.ET, WORM_KOOBFACE.EY, and WORM_KOOBFACE.EX, while the Facebook phishing page has been blocked since May 15, 2008.

    Here are previous reports related to Koobface:




    Check out the first, second, and third part of this report.

    The bad guys behind this botnet are sly and evil, you have to give them that!

    From their end, this is just pure business. They cater to Russian companies that want to advertise their services, be it a law firm or a dance academy, but they have a problem: how do they ensure that those spammed messages have actually been delivered? Well, the Pushdo gang have come up with a way of doing just that: by sniffing all emails being sent from every infected machine. That’s right, they added an inbuilt network sniffer to the growing list of components of the Pushdo threat.

    When the computer first becomes infected, one of the modules drops a device driver (“tcpsr.sys“) that intercepts all outgoing email traffic being sent and logs the recipients of each message. Every now and then, it then sends this information to a server that collects all this data allowing the gang to know exactly how many mails for each campaign have been sent.

    A convenient side effect for them is that Pushdo grows their address database every time the user sends a legitimate email from the infected PC, since the recipient is sent along with the rest of the sniffed data. The sniffer driver is deleted from the disk immediately after becoming active.
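The two behaviours described above, a driver load followed almost immediately by deletion of the driver's own image file, are a useful detection pairing. The following is an added example, not code from the original post or from Trend Micro: it correlates driver-load and file-delete events from a constructed, Sysmon-style line format (timestamp followed by KEY=VALUE fields; the format, paths and PIDs are assumed for illustration, only the file name tcpsr.sys comes from the post).

```python
from datetime import datetime

# Constructed sample telemetry (not real logs): the post's tcpsr.sys is loaded
# and its file deleted one second later; a benign driver (tcpip.sys) is loaded
# and never deleted; an unrelated file is deleted without any driver load.
SAMPLE_LOG = """\
2009-05-20T10:02:11 EVENT=DriverLoad PATH=C:\\WINDOWS\\system32\\drivers\\tcpsr.sys PID=1204
2009-05-20T10:02:12 EVENT=FileDelete PATH=C:\\WINDOWS\\system32\\drivers\\tcpsr.sys PID=1204
2009-05-20T10:05:00 EVENT=DriverLoad PATH=C:\\WINDOWS\\system32\\drivers\\tcpip.sys PID=4
2009-05-20T10:07:30 EVENT=FileDelete PATH=C:\\Temp\\setup.log PID=2260
"""

# How soon after loading a deletion still counts as "self-deleting".
SELF_DELETE_WINDOW_SECONDS = 60


def parse_line(line):
    """Turn one 'timestamp KEY=VALUE ...' line into a dict.

    The constructed format has no spaces inside values, so a plain split
    is enough; a real parser would need quoting rules for paths."""
    ts, *fields = line.split(" ")
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def find_self_deleting_drivers(log_text, window=SELF_DELETE_WINDOW_SECONDS):
    """Return (driver_path, seconds_between_load_and_delete) for every driver
    whose image file is deleted within `window` seconds of being loaded."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Remember when each driver image was loaded (case-insensitive on Windows).
    loaded_at = {r["PATH"].lower(): r["ts"]
                 for r in records if r["EVENT"] == "DriverLoad"}
    alerts = []
    for r in records:
        if r["EVENT"] != "FileDelete":
            continue
        load_time = loaded_at.get(r["PATH"].lower())
        if load_time is None:
            continue  # deleted file was never loaded as a driver
        delta = (r["ts"] - load_time).total_seconds()
        if 0 <= delta <= window:
            alerts.append((r["PATH"], delta))
    return alerts


if __name__ == "__main__":
    for path, seconds in find_self_deleting_drivers(SAMPLE_LOG):
        print(f"driver image deleted {seconds:.0f}s after load: {path}")
```

Only the tcpsr.sys pair is reported; the benign driver load and the unrelated deletion are ignored.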

    This is yet another feature used by the Pushdo gang which shows exactly how business-oriented they are. These guys are in it to get money, and this shows in the attention to detail they put into their evil creations. I can already picture a nice web interface on their end to see the status of every bot around the world at each moment. After all, what self-respecting evil overlord does not have a giant plasma screen showing a map of the world? It’s practically on page 1 of their handbook.

    Don’t miss our final installment of the series: “Pushdo/Cutwail: Traditional AV is useless”.

    Previous Pushdo/Cutwail posts from this series can be read at the following links:
    Pushdo/Cutwail – The Art of Spamming (Part 1 of 5)
    Pushdo/Cutwail – From Russia with Love (Part 2 of 5)
    Pushdo/Cutwail – Can’t Touch This (Part 3 of 5)



