Another MSN Privacy / Spam Threat awesomezz.com

August 21, 2008

Hi,

Thanks to the signalation of Roberta I’ve identified another MSN spreading Spam/Privacy threat.

The structure is completely equal to ultimatestufff, but changes the End-Point Domain.

Online contacts receives an offline message composed in this way http://_mail_address.awesomezz.com

Let’s dissect it!

From HTTP headers we can see that this domain is runned by a little Webserver

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 242
Date: Thu, 21 Aug 2008 15:00:41 GMT
Server: lighttpd/1.4.19

And this is the html code

<html>
<head>
<title></title>
</head>
<frameset rows=”*,30,1″ frameborder=0>
<frame src=”indexx.php” name=”">
<frame src=”abuse.html” name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src=”counter.php” name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
</html>

-> counter.php

<img src=”http://www.ipcounter.de/count.php?u=52572355&amp;color=pink” alt=”" border=”0″ width=0 height=0></a></noscript><img src=”http://www.ipcounter.de/count.php?u=54136814&amp;color=pink&#8221; alt=”" border=”0″ width=0 height=0></a></noscript>

-> abuse.html

<center><b>Send Abuses to <a href=”mailto:abuse@cpashield.com“>abuse@cpashield.com</a></b>

-> indexx.php

The way is always the same, the user lands to a certain Website by passing from another Website that installs some Tracking Cookies. Indeed as we can see indexx.php points to Incentaclick

http://www.incentaclick.com/nclick.php?id=17133&cid=4804&sub=newadx_ita

that trasparently (a common user will not see that passage) installs some cookie:

Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com

Redirection points to

http://www.flycell.it/offer/?ref=2650&transid=17133-newadx_ita

The Pattern is totally similar to Ultimatestufff.com, with the difference that the End-Points seems to be a Website for Cellulars, but probabily user is asked to give MSN Credentials

Here the Domain Analysis:

Registry Data

ICANN Registrar: ENOM, INC.
Created: 2008-08-20
Expires: 2009-08-20
Updated: 2008-08-20
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 96,391 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com

jQuery(‘#registryDataContainer’).show();

Server Data

IP Address: 210.56.53.73
IP Location Hong Kong – Hong Kong (sar) – Hong Kong – Sun Network (hong Kong) Limited
Response Code: 200
Domain Status: Registered And Active Website

See you to the next post

21 Comments | (In)Security | Tagged: , , , | Permalink
Posted by evilcodecave

New MSN Privacy Threat – ultimatestufff.com

August 17, 2008

Hi,

Today I was informed of a new Privacy Threat spreaded through MSN.

Offline contacts sends to all online contacts the following link http://ultimatestufff.com/

Let’s see how ultimatestufff works..

At a first analysis dissection we can see that this Webservice is runned surely from
a little private server;

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 345
Date: Sun, 17 Aug 2008 13:04:33 GMT
Server: lighttpd/1.4.19

Because lighttpd is used.

The content of the first page is similar to my previous MSN-Malicious-Website discovery,
indeed we have:

<html>
<head>
<title></title>
</head>
<frameset rows=”*,30,1″ frameborder=0>

<frame src=”indexx.php” name=”">
<frame src=”abuse.html” name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src=”counter.php” name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>

</frameset>
</html>

-> abuse.html

<center><b>Send Abuses to <a href=”mailto:abuse@cpashield.com“>abuse@cpashield.com</a></b>

Looks perfectly similar to the previous case, but without java obfuscation.

-> counter.php

<img src=”http://www.ipcounter.de/count.php?u=52572355&amp;color=pink&#8221; alt=”" border=”0″ width=0 height=0></a></noscript><img src=”http://www.ipcounter.de/count.php?u=54136814&amp;color=pink&#8221; alt=”" border=”0″ width=0 height=0></a></noscript>

And finally the most intersting, indexx.php that performs a redirection to:

http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx

This time the entity of the Webservice is more important, is used a famous service Incentaclick
that installs some Tracking Cookies:

HTTP/1.1 200 OK
Date: Sun, 17 Aug 2008 05:06:08 GMT
Server: Apache
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
P3P: CP=”NOI DSP COR NID”
Content-Length: 184
Connection: close
Content-Type: text/html; charset=UTF-8

And this is the source code:

<html><head><title>Incentaclick Media</title><meta http-equiv=’refresh’ content=”0;url=http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx“></head><body></body></html>

As you can see there is a Meta Renfresh that redirects (instantly!) the user to another
website:

http://www.perfspot.com/join.asp?languageid=1&p=98958&t=14955-newadx

A common visitor will not see the passage from Incentaclick, but will have its cookies..

Perfspot is a Website that offers a Meeting Service.

It’s interesting to see that during registration the user is asked to provide MSN/Linkedin/Live account, and is this the point where dumb user allows perfspot to reach other users.

Another interesting point is that, after you have completed the registration you’re automatically prompted to a geo-location that corresponds to the location of the Offline user that sent you the Advisory.

Here the Domain Informations for ultimatestufff.com

Domain Informations

ICANN Registrar: ENOM, INC.
Created: 2008-08-15
Expires: 2009-08-15
Updated: 2008-08-15
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 94,989 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com

jQuery(‘#registryDataContainer’).show();

Server Data

IP Address: 210.56.53.73
IP Location Hong Kong – Hong Kong (sar) – Hong Kong – Sun Network (hong Kong) Limited
Response Code: 200
Domain Status: Registered And Active Website

What to say..I’m a proud paranoid!!! :)

See you to the next post..

PS: I’m open to job offerings! :)

7 Comments | (In)Security | Tagged: , , , , , , , , , , | Permalink
Posted by evilcodecave

Follow

Get every new post delivered to your Inbox.