Archive for the 'spam' Category

Running without CAPTCHA Experiment

Tuesday, June 19th, 2007

I decided to disable the CAPTCHA in the comments section - at least for a few days. I haven’t seen much spam here lately, and I feel that Akismet and Bad Behavior have been doing an excellent job scooping up all the unwanted crap so far, so I decided to do a little experiment. I will keep the CAPTCHA off for a few days and see if the level of spam changes.

If I get hammered with spam, I will simply re-enable it. If I don’t, I might just keep it off for good.

Also, if you ever got weird error messages when posting here, I apologize. I think these errors might have been triggered by the code in the CAPTCHA/comment preview plugin. Or not. This might help me track down the source of these issues.

What do you think? Is this a good idea, or am I in for a world of pain?

Minimalistic 419 Scam

Monday, May 14th, 2007

I get more and more of these lame 419 scams lately and they completely bypass Gmail’s spam filter. WTF? Is it really that hard to trigger on the few key catch phrases these guys use? All those letters are almost exactly the same.

Anyway, this one cracked me up:

Dear Friend,I am Mr Ming Yang of Hang seng bank,hong kong.i have a buisness proposal for you,of ($24,500,000.00) if interested get back to me vie this email (ming_yangceo@yahoo.com.hk)

A 419 scam in 28 words - this guy didn’t waste his time. I really don’t think you can get this any shorter. Maybe he could replace get back to me vie this email with reply to but that’s about it. Heh… That’s what I call succinct and to the point scam bait. No sappy story about a dying husband with cancer, no long-winded lottery winning notification - just business.

Using Myspace For Evil

Thursday, February 15th, 2007

This morning I noticed that I got around 10 new friend requests on MySpace. All of them were spam accounts and all but 2 have been deleted since then. Since I’m running Linux I decided to check out what the spammers have in store for me and I clicked on some of these accounts. I don’t think any of the malware distributed via MySpace would actually affect a non-Windows machine.

All of these accounts used an absolutely positioned div to block out the actual content and display the following text in the middle of the page:

This profile contains adult content.
CLICK HERE to install MS Viewer.

When you click on the link different things happen. The first account made me download the following file:

MSpaceContentInstall.exe (md5: 81ec383d21a753df6b5e54ef48aea437)

I ran strings on the binary and got some interesting results. The following DLLs are listed by name in the file:

KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
ole32.dll
SHELL32.dll
USER32.dll
VERSION.dll

Whatever that thing is, it is messing with the kernel and a bunch of integral system libraries, and that can’t be good. I ran a virus scan on it, but stupid clamav decided the file was clean. So did the Kaspersky online file scanner. On the other hand the Virus.org file scanner (which ran the file through an assortment of different engines) gave me much more interesting output:

File: MSpaceContentInstall.exe
SHA-1 Digest: 3a954d79eafe7c0a53bf0ff456218edef23eda96
Packers: Unknown
Status: Infected or Malware
--
ArcaVir Clean
avast! Clean
AVG Anti Virus Clean
BitDefender Generic.Zlob.70EF425F
CAT QuickHeal Clean
ClamAV Clean
Dr. Web Clean
F-PROT Clean
H+BEDV AntiVir DR/Zlob.Gen
Ikarus PSCAN Clean
McAfee Clean
NOD32 Win32/TrojanDownloader.Zlob.ARX trojan
Norman Control Zlob.ACUZ
Panda Clean
Sophos Sweep Clean
Trend Micro Clean
VBA32 MalwareScope.Downloader.Zlob.1
VirusBuster 05 Clean

Only 5 out of 18 AV tools labeled that file as the Zlob Trojan. I had a similar result with the Jotti Online Scanner as well: 4 out of 15 engines labeled it as malicious. It’s surprising that the popular and well respected scanners out there (McAfee, AVG, Avast, TrendMicro, ClamAV) failed to detect anything, while more obscure ones did. I had never even heard of H+BEDV AntiVir or Norman Virus Control.

The other page linked from one of those profiles was even more interesting:

CAPTCHA Killer

It’s an automated CAPTCHA solver using human input. It is much more efficient than fucking around with OCR. Instead of wasting CPU cycles running complex feature extraction algorithms, you can just use the hordes of horny idiots who want to see some MySpace n00dz. I knew these things existed but this is the first time I actually saw one of them in action. Very interesting setup.

If you look closely at the screenshot, you will see that it actually comes from the MySpace registration form. Or at least that’s what it looks like. So the codes that you input at the prompt are used to create new accounts that can then be used for more spamming. It’s quite brilliant actually - you set it up once, and given enough traffic this thing could run forever. Deleting these accounts won’t help, since you will most likely get 3-4 new accounts from each “hit” (i.e. an average dumbass who falls for this scam will likely try to type in the CAPTCHA 3-4 times before he gets bored, or realizes he is being fucked with).

This is a serious design flaw. When you allow your users to inject HTML and CSS into your page, you are asking for trouble. Stripping JavaScript, iframes and such will not help, because these guys are not using any. They are using the standard mundane tricks that everyone else abuses to “beautify” their profiles.

Note how Facebook does not have this problem. This is the difference between good design, and an ugly hack from hell.

Chinese 419?

Monday, February 5th, 2007

The problem with these damn 419 letters is that spam filters sometimes don’t catch them. This one is short and sweet - the dude doesn’t even give me an imaginative back story or tell me how many millions of “US American Dollars” I will get out of this:


Date: Mon, 5 Feb 2007 18:59:11 -0800
From: Mou Xinsheng
Reply-To: mou_xinshengxxmx@yahoo.com.hk
Subject: Greeting From China

Hello,
I want to solicit your attention to recieve money on my behalf.

The purpose of my contacting you is because my status will not permit me to do this alone.
When you reply this message,

I will send you details of the business and more information about myself.

My personal email is: mou_xinshengxx1@yahoo.com.hk
Thank you.
Mou Xinsheng

Of course the poor English grammar and spelling are intact, even in this super condensed version of the 419.

UK National Lottery Scam

Monday, February 5th, 2007

Are they getting creative or what? This time it’s not a rogue prince, a rich political refugee with a diamond mine, or a wealthy British lady dying from a cancerous stroke. Oh no, this time I won a friken lottery:

Date: Mon, 5 Feb 2007 11:56:14 -0800
From: UK NATIONAL LOTTERY HEADQUARTERS
Reply-To: claimsagent0607@sify.com
Subject: REFERENCE NUMBER: UK/9420X2/68

UK NATIONAL LOTTERY HEADQUARTERS:
28 TAN FIELD ROAD,
CROYDON, LONDON.
CUSTOMER SERVICE
(24hours)
Ref: UK/9420X2/68
Batch: 074/05/ZY36

WINNING NOTIFICATION:FROM THE DESK OF THE DIRECTOR/CO-ORDINATOR UK NATIONAL LOTTERY

We happily announce to you the draw (#1019) of the UK NATIONAL LOTTERY,online Sweepstakes International program held on the 5th Febuary,2007,Your e-mail address was attached to ticket number:56475600545 188 with Serial number 5368/02 drew the lucky numbers:21-32-41-42-43-46, and a bonus number of(17) which subsequently won you the lottery in the 2nd category.You have therefore been approved to claim a total sum of £251,420 (two hundred and fifty-one thousand,four hundred and twenty pounds) in cash credited to file KTU/9023118308/03.This is from a total cash prize of £1,005,680 shared amongst the (4) lucky winners in this category that is Match 5 plus bonus.DO CONTACT OUR CLAIMS AGENT BELOW WITH YOUR FILLED FORM

fiduciary Agent: MR: MICHAEL MARTINS
Email address: claimsagent0607@sify.com

(Form HLP)
REFERENCE NUMBER: UK/9420X2/68
FULL NAME………………………………………..
FULL ADDRESS:…………………………………….
SEX:……………………………
AGE……………………………..
OCCUPATION………………………..
TEL…………………..FAX…………….. (If any)
COUNTRY…………………………..
E-MAIL…………………………….
WINNING NUMBER………………….

Congratulations once more from all members and staffs of this program.

Yours Truly,
Richard K Lloyd.
Co-ordinator (Online Promo Programme).

How lucky am I! I didn’t even sign up for any lottery! And here I won one that does not even exist! It must be my lucky day.

I post these kinds of emails here so that they get indexed by Google and serve as a reference for people who get them in the future. I leave the spammer’s email address in plain text because I think they fully deserve to get on all sorts of spam lists.
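Both the condensed Chinese 419 above and this lottery letter slip past filters that only look for a few phrases, so here is an added example (not from the original post) of a header-plus-phrase scorer that also weighs the tell-tale both letters share: a grand From name with a Reply-To on a free webmail domain that does not match it. The phrase list, weights, threshold and both sample messages are constructed for illustration; the Reply-To address in the scam sample is the one quoted in the letter above.

```python
import re
from email import message_from_string

# Added example (not from the original post): a header-plus-phrase scorer for advance-fee
# ("419") mail. It weights the tell-tale visible above, a grand From name with a Reply-To on
# free webmail that does not match, above the reused catch phrases. Everything is constructed.

FREE_WEBMAIL = {"yahoo.com.hk", "yahoo.com", "sify.com", "hotmail.com", "gmail.com"}
PHRASES = [
    r"winning notification", r"claims? agent", r"lucky (?:numbers|winners?)",
    r"business proposal", r"on my behalf", r"get back to me", r"fiduciary",
]
LARGE_SUM = re.compile(r"[£$€]\s?\d[\d,]{3,}")
THRESHOLD = 4  # constructed cut-off; tune against real mail before relying on it

def _domain(header):
    """Domain of the first address in a header, or '' when the header carries no address."""
    m = re.search(r"@([\w.-]+)", header or "")
    return m.group(1).lower() if m else ""

def score_419(raw):
    """Return (score, reasons) for a plain-text RFC 822 message string."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    checks = [  # (weight, fired?, reason)
        (2, reply_dom and reply_dom != from_dom, f"Reply-To domain {reply_dom} differs from From"),
        (2, reply_dom in FREE_WEBMAIL, "Reply-To on free webmail"),
        (1, bool(LARGE_SUM.search(text)), "large sum quoted"),
    ] + [(1, bool(re.search(p, text)), f"phrase /{p}/") for p in PHRASES]
    reasons = [why for _, fired, why in checks if fired]
    return sum(w for w, fired, _ in checks if fired), reasons

# Constructed sample condensed from the lottery letter above (the agent's name withheld).
SCAM = """\
From: UK NATIONAL LOTTERY HEADQUARTERS
Reply-To: claimsagent0607@sify.com

WINNING NOTIFICATION: your e-mail address drew the lucky numbers and won you a total
sum of £251,420 in cash. DO CONTACT OUR CLAIMS AGENT BELOW WITH YOUR FILLED FORM
fiduciary Agent: (name withheld)
"""
# Constructed ordinary message sharing one catch phrase but none of the other signals.
HAM = """\
From: Alice <alice@example.com>
Subject: Lunch?

Still on for Thursday? Get back to me when you can.
"""
```

The scam sample scores 9 and the ordinary message 1, which is the point: one shared phrase alone never reaches the threshold, while the header mismatch plus two or three of these stock phrases does.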

Update 08/22/2007 09:19:51 AM

People keep asking this in the comments as if they didn’t get it, so let me clarify this here:

THIS IS A SCAM

UK Lottery does not send these emails. If you don’t believe me, go to their website and check it yourself:

http://www.lottery.co.uk/html/scamtop.htm
http://www.lottery.co.uk/info/scamnonpc.asp
http://www.national-lottery.co.uk/player/information.do?info=commonscams

Do not send them any money. Do not send them any info. If you do, it’s your own fault. Please don’t ask if it is really a scam in the comments. It is. If you don’t believe it, go ahead and send them your money. Just don’t say I didn’t warn you.