To start in the middle:
New version of a known malware (or scareware, rogue security software or whatever you prefer to call it) called MalwareDoc, hosted at malware-doc. com.
The file downloaded is called MDSetup.exe, VirusTotal score is 0/39.
A present from the same gang using the name "AntispyKnight".
This is going to be a bit messy.
It all started with a spam:
"How many girls you will be able to do happy eating one only pill!"
I earlier wrote that the domains hosted on the Asprox botnet redirected to Canadian/European sites.
Those were domains using the usual "naming pattern" of Asprox-hosted domains, like site60.co.uk, ioctl2.jp, ole55.us etc.
Now you find other domain names like bestpharmweb.com and the like hosted directly on the botnet.
They still redirect to Canadian Pharmacy sites.
And I have not been able to spot new domain names using the older "naming pattern" in the last few days.
(First written December 02, last updated December 05)
Now redirecting to "European Pharmacy" sites (aka Canadian Pharmacy). And set up for some phishing.
0secure.bz, 27go.co.uk, 42cert.asia, 42snmp.name, 51apps.gs, 51exec.gs, 63mode.me, 6query.us, 77temp.eu, 79tmp.ws, 9batch.tk, ide92.ws, aspx37.me, ioctl2.jp, ole55.us, page65.tk, site60.co.uk
rollick@ / pugilism@
When visiting e.g. ole55. us I get redirected to leastcountry.com via the HTTP header:
Location: http://leastcountry.com
Three weeks ago I briefly mentioned the "Canadian" Pharmacy spammers using Google's blogspot for redirects.
One aspect on its own is the problem of blogspot being abused this way, and the extremely slow pace at which Google is deleting these redirector blogs. Users are upset about this; a very recent thread:
here on Google's "Blogger Help Group"
I don't get much spam these days. The reason is mainly that I have deleted all the email addresses I used when posting to usenet some years ago, and that I have turned off catch-all everywhere.
With less spam it can be easier to see similarities between the different spam I receive.
Let's take the previous post about "Canadian" pharmacy using redirects from Google's blogspot. That particular email address has also received spam earlier, so today I started looking for similarities.
Redirectors were used in those too.
Spam in one of my inboxes today:
From "Mowrey Postier" using an email address at a domain named bull.com.
The link in the spam goes to h||p://maryanneeddinspd.blogspot.com/.
Which again redirects to putwish.com via the following meta tag:
<meta content='0;URL=http:||putwish.com' http-equiv='refresh'/>
putwish.com says the following in the title of its page: "Canadian Pharmacy".
Yeah, right.
The spam came via 62.45.120.67, apparently a hijacked home user's cable connection in the Netherlands.
putwish.com is hosted at 123.111.50.189 which is Hanaro Telecom in Korea.
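The two redirect mechanisms seen above (an HTTP Location header from ole55.us to leastcountry.com, and a meta refresh tag from the blogspot page to putwish.com) are what an analyst has to unwind by hand for every spam link. The script below is an added example written for this post, not code from the blog: it refangs URLs written the way they appear here ("h||p://", "http:||", "ole55. us"), extracts meta-refresh targets with the standard-library HTML parser, and walks a redirect chain with a loop guard. It takes a fetch callback so it runs offline against constructed responses; the response bodies, the loop-a/loop-b hosts and the SAMPLE_RESPONSES table are invented for the example and are not what those servers actually returned.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def refang(url):
    """Turn a defanged URL as written in a spam report back into a real one.

    Handles the forms used in the post ('h||p://', 'http:||', a space after
    the dot as in 'ole55. us') plus the common 'hxxp://' and '[.]' styles.
    """
    u = url.strip()
    u = re.sub(r'^h\|\|p(s?)://', r'http\1://', u, flags=re.I)
    u = re.sub(r'^hxxp(s?)://', r'http\1://', u, flags=re.I)
    u = re.sub(r'^(https?):\|\|', r'\1://', u, flags=re.I)
    u = u.replace('[.]', '.')
    u = re.sub(r'\.\s+', '.', u)
    if not re.match(r'^https?://', u, re.I):
        u = 'http://' + u
    return u


class _PageParser(HTMLParser):
    """Collects the first <meta http-equiv="refresh"> target and the <title> text."""

    def __init__(self):
        super().__init__()
        self.refresh_target = None
        self.title = ''
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        a = {k.lower(): (v or '') for k, v in attrs}
        if tag == 'title':
            self._in_title = True
        elif (tag == 'meta' and self.refresh_target is None
              and a.get('http-equiv', '').lower() == 'refresh'):
            # content="0;URL=http://host" (delay, separator, quoting and case vary)
            m = re.match(r"\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"]+)",
                         a.get('content', ''), re.I)
            if m:
                self.refresh_target = m.group(1).strip()

    def handle_endtag(self, tag):
        if tag.lower() == 'title':
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_page(html):
    """Return (meta-refresh target or None, page title)."""
    p = _PageParser()
    p.feed(html)
    return p.refresh_target, p.title.strip()


def follow_redirects(start_url, fetch, max_hops=10):
    """Walk Location-header and meta-refresh redirects starting from a (possibly
    defanged) URL. fetch(url) -> (status, headers, body). Returns
    (chain of URLs visited, reason, title of the final page)."""
    url = refang(start_url)
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hdrs = {k.lower(): v for k, v in headers.items()}
        if status in REDIRECT_STATUSES and 'location' in hdrs:
            nxt = urljoin(url, hdrs['location'])
        elif status == 200:
            target, title = parse_page(body)
            if target is None:
                return chain, 'final', title
            nxt = urljoin(url, target)
        else:
            return chain, 'unreachable', ''
        if nxt in seen:          # redirect loop: stop rather than spin
            return chain, 'loop', ''
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain, 'max_hops', ''


# Constructed offline stand-ins for the responses described in the post; the
# bodies and the loop-a/loop-b hosts are invented for this example.
SAMPLE_RESPONSES = {
    'http://ole55.us': (302, {'Location': 'http://leastcountry.com'}, ''),
    'http://leastcountry.com': (200, {}, '<html><head><title>Canadian Pharmacy</title></head></html>'),
    'http://maryanneeddinspd.blogspot.com/': (200, {},
        "<html><head><meta content='0;URL=http://putwish.com' http-equiv='refresh'/></head></html>"),
    'http://putwish.com': (200, {}, '<html><head><title>Canadian Pharmacy</title></head></html>'),
    'http://loop-a.invalid': (301, {'Location': 'http://loop-b.invalid'}, ''),
    'http://loop-b.invalid': (301, {'Location': 'http://loop-a.invalid'}, ''),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, {}, ''))


if __name__ == '__main__':
    for defanged in ('ole55. us', 'h||p://maryanneeddinspd.blogspot.com/', 'loop-a.invalid'):
        chain, reason, title = follow_redirects(defanged, sample_fetch)
        print(' -> '.join(chain), '|', reason, '|', title)
```

To use it against live links, replace sample_fetch with a function that performs the request without following redirects itself (so each hop is recorded) and keep max_hops low; the final title is usually enough to tag the landing page, as both chains here end on a page titled "Canadian Pharmacy".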