Blocking Another On-going Malware-spam Campaign

September 23, 2011 - By Chris Larsen

Wrapping up our series on recent malware and phishing attacks showing up in our spam buckets, here's a look at another on-going malware-spam campaign.

This sample came in last week, pretending to be from the IRS:

screenshot of fake IRS malware-spam


It reminded me of a big zeus-related spam campaign that Gary Warner blogged about earlier this summer, in his excellent "Cybercrime and Doing Time" blog, but this one isn't linking (directly) to a malware download. Instead, much like the other spam in last week's post about malware-spam, the first-level relay site returned an apparently empty page, but when I looked at the HTML, I could see that it included an invisible iFrame linking to the actual attack site:

screenshot of relay page HTML showing iFrame link to malware site


The overall style of this attack is very similar to the one in last week's post, and I thought that it might be the same network. On the other hand, the name of the junk domain hosting the malware in this attack ( doesn't have the same believeability as a name like, so that might indicate a different network.

The WebPulse logs settled the question: the answer is yes, attack sites are indeed part of the same network.

Then, just yesterday, yet another example showed up, this time pretending to be from NACHA, another recurring malware-spam theme:

screenshot of nacha-themed malware-spam


Like its siblings, the relay domain was using a visually empty page with an iFrame to load the malware site (, in this case). No surprise that it's also linking down into the same malware network, or that WebPulse had automatically identified the new server a couple of days before when it first came into use, keeping our customers safe.

As usual, even though WebPulse was dynamically blocking these sites, I went to add them to the database, so as not to leave any loose ends. However, in both cases a new WebPulse that auto-adds its malware finds had beaten me to the punch... Now if I could just get WebPulse to write the blogs for me, I could retire!


P.S. Quick Update: Just had a new sample forwarded from a friend at Blue Coat. This one purported to come from the "Australian Business Registry" and "Australian Taxation Office", and talked about some new tax changes coming Jan 1, 2012. The link looked like it was to "" but actually went to "". This latter domain is a throwaway hosted on a Yahoo server farm (where we see malware ecosystem sites on a regular basis, although they're usually careful not to host actual malware payloads there, as Yahoo would probably detect those). Like the above examples, it returns a visually empty page with an iFrame linking to the actual attack site (which in this sample was a domain called WebPulse was already blocking this domain when I checked, having automatically linked it back to a known malware network early this morning.