Analyzing the viagra spam

OK, it's Sunday and I am pissed to see three more "october 75% off" viagra emails on my corporate account, so I decided to do a little more research on them. These emails are definitely from a botnet of spam zombies: I traced all three originating IP addresses, and they are in Chile, Turkey and South Korea. None of them are listed in the spam blacklists, so the only way to block them is to block anything with the keyword "viagra" in the sender name, subject, body, etc.

Now for the interesting part: it looks like one spam malware is trying to hijack the other. If you open any of these emails and do a "View Source", you'll see a bunch of text from the original spam, which is actually bank spam. The bank spam contains a bunch of URLs that claim to lead to bank pages but in reality all point at parked domains, typically registered through GoDaddy. They are all prefixed with kanaweb.*.com, like kanaweb.djfd.com, kanaweb.adnc.com, etc. I checked many of these domains, like djfd.com and adnc.com; they are all registered to US folks. Apparently this kanaweb prefix is common in spam and is used with real bank domains like bankone.com and chase.com as well. So these kanaweb emails are the original spam emails; they are all HTML formatted and contain a bunch of different links.

Now, these viagra emails are really smart: they take the bank spam emails and put some tags around the original text to cover it up. For example,

Original email:
<head>
some banner link
</head>
<body>
dear mr. somebody,
some text
some links
</body>

The viagra program hijacks this email and does the following:
<style>
<head>
some banner link
</head>
<body>
dear mr. somebody,
some text
</style>
viagra image link here
<style>
some links
</body>
</style>

By putting <style> tags around the actual text of the original spam, it prevents any of it from rendering: a mail client treats everything between <style> and </style> as a stylesheet rather than as content, even when that "stylesheet" is really the old HTML body. The single viagra image link inserted between the two <style> blocks is the only thing left that is displayable, while the covered-up text is still present in the raw source. I looked up the viagra image hosting domains; they're all in China and are registered to a "liu tao", who is apparently a Chinese film actress. So it looks like whoever these spam zombies are, they are hosting multiple malware programs: one malware sends a bank spam, and another malware, which is probably monitoring outgoing SMTP, hijacks the bank spam and overwrites it with viagra spam. My hat's off to the guys who do this kind of stuff; they must be real programming gurus. If only they put their talents to better use, we would all save so much time and money.
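To make the trick above concrete, here is an added example (my own code, not from the original post) that does what a content filter would need to do: separate the text a mail client renders from the text wrapped in <style> (which is still in the raw source), pull the hidden URLs back out, and apply the crude keyword rule mentioned at the top of the post for comparison. The two sample messages, every domain in them, the subject line and the 40-character threshold are constructed for the example; the hijacked sample follows the layout sketched above.

```python
"""Detect the <style>-wrapping trick: an HTML mail whose original body is
wrapped in <style> renders as nothing but the inserted image, yet the hidden
prose and links are still in the source.  Added example, not from the post."""
import re
from html.parser import HTMLParser

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
KEYWORDS = ("viagra",)            # the crude keyword block from the post


class RenderedTextExtractor(HTMLParser):
    """Split an HTML mail body into text a client renders and text it does not.

    HTMLParser, like a browser, treats the inside of <style> and <script> as
    raw text, so the tags of a hidden bank-spam body arrive here as plain data
    and land in `hidden` instead of being parsed as real elements.
    """
    NON_RENDERED = {"style", "script", "head", "title"}

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self.rendered_images, self.rendered_links = [], []
        self._depth = 0           # > 0 while inside a non-rendered element

    def handle_starttag(self, tag, attrs):
        if tag in self.NON_RENDERED:
            self._depth += 1
        elif not self._depth:
            a = dict(attrs)
            if tag == "img" and a.get("src"):
                self.rendered_images.append(a["src"])
            elif tag == "a" and a.get("href"):
                self.rendered_links.append(a["href"])

    def handle_endtag(self, tag):
        if tag in self.NON_RENDERED and self._depth:
            self._depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self._depth else self.visible).append(text)


def analyse(html):
    """Return what renders, what is hidden, and the URLs hiding in the latter."""
    p = RenderedTextExtractor()
    p.feed(html)
    p.close()
    hidden_raw = "\n".join(p.hidden)
    # Tags swallowed as raw text inside <style> are stripped to recover the prose.
    hidden_text = " ".join(re.sub(r"<[^>]+>", " ", hidden_raw).split())
    return {
        "visible_text": " ".join(p.visible),
        "hidden_text": hidden_text,
        "hidden_urls": sorted(set(URL_RE.findall(hidden_raw))),
        "rendered_images": p.rendered_images,
        "rendered_links": p.rendered_links,
    }


def classify(subject, html, min_visible=40):
    """Reasons a message looks like style-wrapped spam; [] means nothing found.

    min_visible is an assumed threshold: legitimate mail also carries CSS in
    <style>, so the trick is only flagged when almost nothing else renders.
    """
    r = analyse(html)
    reasons = []
    if r["rendered_images"] and r["hidden_text"] and len(r["visible_text"]) < min_visible:
        reasons.append("renders as image only; %d chars of text hidden in <style>/<head>"
                       % len(r["hidden_text"]))
    if r["hidden_urls"]:
        reasons.append("%d url(s) inside non-rendered text" % len(r["hidden_urls"]))
    hits = [k for k in KEYWORDS if k in (subject + " " + html).lower()]
    if hits:
        reasons.append("keyword match: " + ", ".join(hits))
    return reasons


# Constructed samples (made-up domains).  HIJACKED mirrors the layout in the post.
SUBJECT = "october 75% off"
HIJACKED = """\
<style>
<html><head><title>Account notice</title></head><body>
<p>Dear Mr. Somebody,</p>
<p>Please confirm your details at
<a href="http://kanaweb.example.com/login">http://kanaweb.example.com/login</a></p>
</style>
<a href="http://pills.example.org/"><img src="http://img.example.net/oct75.gif" alt=""></a>
<style>
<p><a href="http://kanaweb.example.com/help">Help</a> |
<a href="http://kanaweb.example.com/privacy">Privacy</a></p>
</body></html>
</style>
"""
CLEAN = """\
<html><head><title>Receipt</title>
<style>body{font-family:sans-serif}</style></head>
<body><p>Hi,</p><p>Thanks for your order. Your receipt is attached and your
order number is 12345. Reply to this mail if anything looks wrong.</p>
<img src="http://img.example.com/logo.png" alt="logo"></body></html>
"""

if __name__ == "__main__":
    for name, subj, body in (("hijacked", SUBJECT, HIJACKED), ("clean", "Your receipt", CLEAN)):
        print(name, classify(subj, body) or "nothing flagged")
```

Two things worth noting from running it. The keyword rule never fires on the hijacked sample, because the only thing that renders is an image and the word is not in the subject; a keyword block only catches these mails when the sender name or subject carries it, which is why the structural check (image-only rendering plus prose and URLs sitting inside <style>) is the more useful signal. And the clean sample is not flagged even though it has a <style> block, since real HTML mail carries CSS there; the threshold on rendered text is what keeps that from being a false positive.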

One Response

Ktcaytix, 8 August 2009 at 11:20 pm:

    sweet site thx