MailWasher spam filter for links to .htm files with huge query strings
For the past week I have been seeing, and reporting to SpamCop, scam email messages claiming to come from various financial agencies or banks, with unusual links that all lead to malware servers. This is a continuation of the ACH, FDIC, etc., malware fraud that has been making the rounds for the past few months.
What's different about the links in these new scams is that they are HUGE! They all start out like any normal hyperlink, with a domain name and a particular file name. But appended to the end of the file name is a humongous "query string" (query strings begin with a question mark), made up of multiple long groups of letters and numbers joined by = signs and separated by & signs. I have just analyzed one that has 214 alphanumeric characters in the query string!
But, like octopus ink, things aren't always as they appear to be!
Being a Webmaster and web page writer, it didn't take me long to figure out that the file type that had the query string appended to it was not an active content file. Sure, a server can be rigged to treat such a file as a script, like a .php file, but these are not. They are Plain Jane simple HTML files, ending in the extension .htm. A static .htm file does nothing with a query string: whatever you append after the question mark, the server ignores it completely and returns the same file contents. (The string is still part of the URL, and a script inside the page could read it, but the server itself does nothing with it.)
All of the rigged links I have traced are placed on compromised websites hosted on Apache web servers. The standard configuration of Apache does NOT parse .htm or .html files for active content; they are treated as "static" or flat files. No matter what characters follow the file name and extension, the Apache servers these links point to will ignore the phony query strings (unless the site has been configured with rewrite rules or a script handler for .htm files, which is not the default).
But the .htm file in the scam link is not where this story ends. The contents of each and every one I have analyzed consist of a few simple lines of straightforward HTML code and an "iframe" (inline frame), which imports a page hosted on a Russian website named csredret.ru (or a variation of it). That page contains a JavaScript array that leads to targeted attacks based on the brand of browser you are using and the installed plug-ins, especially unpatched versions of Java.
After seeing another such scam email link tonight, I decided to write a spam filter to detect this type of link. I named the filter: "Fake Query String In Link." The filter is for the anti-spam program MailWasher Pro.
First, here is a sample of the kind of link this article is referring to:
http://mtbtrforum(DOT)com/cxqud(DOT)htm?R2WG=8SSFNEH63Q53K575GB9UY1&96E=NDVRCCPYBA8MXYMK1B1CC7&PV3FM46=EU8T4XXL5&U9W=XLH3I5KPL377639HT9&WVDSSH0=64FCA8OGDFC&
MailWasher Pro has been available for 10 years now, and I have been using it that long. Some people are still using the "old" version, which ended with version 6.5.4 in 2010. Others have moved up to the new version, which is now version 2012. I write spam filters for both the old and the new versions. My MailWasher custom spam filters are here.
Filter codes UPDATED on Dec 15, 2011, at 3:30 PM EDT.
Here is my "Fake Query String In Link" spam filter for people using MailWasher Pro version 6.5.x:
[enabled],"Fake Query String In Link (Dangerous!)","Exploit Link",255,OR,Delete,Body,containsRE,"(?-i)http://.+\.[a-z]{2,4}/.+\.html?\?[A-Z0-9=&]+="
Here is the same filter written in XML format for people using MailWasher Pro versions 2011 or newer (its host expression is a little tighter than the 6.5.x version above; you can set AutoDelete to True if you wish). Note that a bare & inside the Expression element is not well-formed XML; if your copy of MailWasher refuses to import the file, write it as &amp; instead:
<Filter Name="Fake Query String In Link (Dangerous Link!)" Enabled="True">
<Description>Exploit Link</Description>
<MatchAll>False</MatchAll>
<Rating>-200</Rating>
<Colour>#FFCC0098</Colour>
<TextColour>White</TextColour>
<AutoDelete>False</AutoDelete>
<HideEmail>False</HideEmail>
<HideEmailOption>All</HideEmailOption>
<Rule>
<Field>Body</Field>
<Operator>Contains</Operator>
<Type>RegEx</Type>
<Expression>(?-i)http://[a-z0-9]+\.[a-z]{2,4}(\.[a-z]{2,4})?/.+\.html?\?[A-Z0-9=&]+=</Expression>
</Rule>
</Filter>
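To see what the two filter expressions above actually catch, and to show the point made earlier that a static .htm page is fetched by its path no matter what query string is attached, here is a small harness. It is an added example, not part of the original post or of MailWasher Pro itself: it runs both regular expressions over constructed sample links on example.com (the query portion is modeled on the sample link earlier in this article, the host is not one seen in the wild). The only change to the expressions is that the leading (?-i) is dropped, because Python's re module only accepts a negated flag in the scoped (?-i:...) form; a pattern compiled without re.IGNORECASE is case-sensitive anyway, which is what (?-i) asks for.

```python
import re
from urllib.parse import urlsplit

# Expression from the MailWasher Pro 6.5.x filter above, minus its leading (?-i)
# (Python's re rejects a bare (?-i); the pattern is case-sensitive by default).
FILTER_65X = re.compile(r"http://.+\.[a-z]{2,4}/.+\.html?\?[A-Z0-9=&]+=")

# Expression from the 2011/2012 XML filter above: same tail, tighter host part.
FILTER_2012 = re.compile(
    r"http://[a-z0-9]+\.[a-z]{2,4}(\.[a-z]{2,4})?/.+\.html?\?[A-Z0-9=&]+="
)


def split_link(url):
    """Separate the part of a link the server uses (the path) from the query.

    For a static .htm/.html file served by a default Apache, the same file is
    returned whatever follows the '?', so the path alone names what is fetched.
    """
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "path": parts.path,
        "static_html": parts.path.lower().endswith((".htm", ".html")),
        "query_length": len(parts.query),
    }


def filter_hits(body):
    """Report which of the two MailWasher rules would fire on a message body."""
    return {
        "6.5.x": FILTER_65X.search(body) is not None,
        "2012": FILTER_2012.search(body) is not None,
    }


# Constructed sample links (hypothetical hosts, not the domains seen in the wild).
SCAM_LINK = (
    "http://example.com/cxqud.htm?R2WG=8SSFNEH63Q53K575GB9UY1"
    "&96E=NDVRCCPYBA8MXYMK1B1CC7&PV3FM46=EU8T4XXL5&"
)
# Same link on a "www." host: the 2012 host expression has no room for a third label.
SCAM_LINK_SUBDOMAIN = SCAM_LINK.replace("http://example.com", "http://www.example.com")
# A .php link: the rules only look at .htm/.html, so this is never flagged.
PHP_LINK = "http://example.com/login.php?ID=8SSFNEH63Q53K575GB9UY1&"
# An ordinary lowercase query on a .htm page: not flagged, the rules want A-Z/0-9.
LOWERCASE_LINK = "http://example.com/index.htm?lang=en&page=2"
# A harmless .htm link whose parameters happen to be upper case: a false positive.
UPPERCASE_BENIGN = "http://example.com/faq.htm?ID=42&SECTION=A"

if __name__ == "__main__":
    samples = [
        ("scam", SCAM_LINK),
        ("scam on www. host", SCAM_LINK_SUBDOMAIN),
        ("php", PHP_LINK),
        ("lowercase query", LOWERCASE_LINK),
        ("upper-case benign", UPPERCASE_BENIGN),
    ]
    for name, link in samples:
        print(f"{name:18} {split_link(link)} -> {filter_hits(link)}")
```

Two things fall out of running it. The 2012 expression's host part, [a-z0-9]+\.[a-z]{2,4}(\.[a-z]{2,4})?, matches example.com or example.co.uk but not www.example.com, so the 6.5.x version is the one to use if you want subdomained hosts caught. And both rules key on the query string being upper-case letters and digits ending in =, which is exactly what these scam links look like, so a legitimate .htm link with upper-case parameter names will also be flagged; that is why the XML version ships with AutoDelete off.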
These filters have already been added to my published custom spam filters, in both the old and new formats. If you already use MailWasher Pro, you can download the file for your version of the program and either merge your own filters into it or use it as is. Instructions are found on the landing page.
If you aren't using MailWasher Pro yet, but want to learn more about it, go to my MailWasher Pro program description page. You can read about it, download a trial version there, or buy into a subscription. I do make a small commission on sales through my links, which puts beer in the fridge occasionally!
If you don't use MailWasher Pro and still want some protection for your computers (against this particular Russian domain), you can edit the HOSTS file (a read-only, normally hidden system file named HOSTS, with no file extension; on Windows it lives in %SystemRoot%\System32\drivers\etc) to include the following line:
127.0.0.1 csredret.ru
If you don't know about the tricks of editing and saving changes to the HOSTS file, use the links in the previous paragraph, or leave it alone.
I hope none of you have been tricked into clicking on one of these links, because the payload is very nasty. Your identity and bank accounts could be stolen by the Trojans downloaded by the scripts and attack kits hosted on the Russian malware server I listed earlier in this article. If you did click one, run a scan for malware using your up-to-date security program or programs. If you are using Windows XP or newer, you may also be able to salvage your system by running System Restore to a day or time before you clicked on the link, but treat that as a supplement to the scan, not a replacement for it.
If your security program is out-dated, or you have none at all, I use and recommend Trend Micro Internet Security and Malwarebytes Anti-Malware to secure my PCs.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.