Below is a screenshot of the spammed email message from the spam run we have been monitoring since last week (it still points to the bogus PornTube page). This time, however, the email link lands on MAIN.HTML rather than R.HTML.
Figure 1. Sample spam with the main.html link.
The following are some of the subject lines used:
• US government war brothels
• Barack Obama graft trial begins
• Obama outrageous lies exposed
• Iran announces completion of nuclear weapon
The email message bodies, meanwhile, included the following:
• Have a break, have a Kit Kat – free online chocolate bar giveaways
• Pump prices in the US jump 40% on announcement
• American kids found to have the highest level of cholesterol in latest health survey
• Millions outraged over Medicare benefit cuts across the board for all Americans
As of this writing, 44 MAIN.HTML URLs have been seen. As usual, the M.HTML landing page is peppered with links to a VIDEO.EXE file, which Trend Micro now detects as TROJ_AGENT.AKCF.
Here is a screenshot of the fake PornTube site:
Figure 2. Screenshot of the fake PornTube site.
Another infection vector we have seen is through a legitimate Web site's homepage. We have seen, and are monitoring, several homepages that have had the following meta tag inserted:
The script file PERL.PHP downloads an MSVideoCodec.exe binary; Trend Micro is currently processing a detection for the said executable file. The .PHP file apparently logs visitor IP addresses, since visiting the compromised page a second time only redirects you to Google. This incident has all the trappings of a toolkit being uploaded to compromised sites. The question that remains is how these sites were compromised in the first place.
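For site owners who want to check their own pages for this kind of injected redirect, here is an added example (not Trend Micro's tooling or the campaign's code) that parses a homepage and flags any meta refresh tag whose URL points off-site. It assumes the injected tag is a meta refresh, and the `attacker.invalid` host and the sample HTML are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class MetaCollector(HTMLParser):
    """Collect the attributes of every <meta> tag, wherever it appears."""

    def __init__(self):
        super().__init__()
        self.metas = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "meta":
            # HTMLParser lowercases attribute names; values may be None.
            self.metas.append({k: (v or "") for k, v in attrs})


def find_injected_redirects(html, site_host):
    """Return the URLs of meta refresh tags that redirect away from site_host.

    A refresh to the site's own host or a relative path is considered normal;
    a refresh to a foreign host (e.g. a PERL.PHP script) is reported.
    """
    parser = MetaCollector()
    parser.feed(html)
    findings = []
    for meta in parser.metas:
        if meta.get("http-equiv", "").lower() != "refresh":
            continue
        match = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", meta.get("content", ""), re.I)
        if not match:
            continue
        target = match.group(1)
        host = urlparse(target).hostname or ""  # "" for relative paths
        if host and host.lower() != site_host.lower():
            findings.append(target)
    return findings


# Constructed sample homepage: one benign same-site refresh in <head> and
# one injected off-site refresh dropped into <body>, where injected tags often land.
SAMPLE_HOMEPAGE = """<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="refresh" content="30;url=/news.html">
<title>Example Corp</title></head><body>
<meta HTTP-EQUIV="Refresh" CONTENT="0; URL=http://attacker.invalid/PERL.PHP">
</body></html>"""

if __name__ == "__main__":
    for url in find_injected_redirects(SAMPLE_HOMEPAGE, "www.example.com"):
        print("suspicious off-site meta refresh:", url)
```

Run it over the saved HTML of each monitored homepage; a non-empty result is a page worth pulling for closer inspection.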