[nsp-sec] goaeku.breakinggoodnews.com & chatloveonline.com & ?
William Allen Simpson
william.allen.simpson at gmail.com
Mon Mar 16 16:07:43 EDT 2009
This seems potentially virulent. They've done a fair job of making the
site(s) automatically include geo data for the IP address that you use.
The target page(s) have both a clickthrough .exe that looks enough like the
usual Flash message that I'm sure a fair few will click it. (I didn't, and
don't run Flash at all on this account.)
For extra goodness, it includes a 1x1 hidden iframe. I don't understand
this one, or why it's hidden; when accessed directly it appears to be
Google ads?
With a DNS TTL of 0, I'm seeing a new site for every dig, and none of them
give the Firefox (Google) warning. Somebody more patient than I might try
to map them all. Here are 4 each:
goaeku.breakinggoodnews.com. 0 IN A 68.39.174.34
goaeku.breakinggoodnews.com. 0 IN A 24.62.27.173
goaeku.breakinggoodnews.com. 0 IN A 173.32.161.181
goaeku.breakinggoodnews.com. 0 IN A 66.8.137.101
chatloveonline.com. 0 IN A 70.125.201.6
chatloveonline.com. 0 IN A 66.8.137.101
chatloveonline.com. 0 IN A 24.176.228.219
chatloveonline.com. 0 IN A 72.49.214.42
===
The page seems to be:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<TITLE>Reuters-United States: Terror attack in Madison Heights</TITLE>
<META NAME="description" CONTENT="Reuters.com brings you the latest news from around the world, covering breaking news in business, finance, politics, entertainment, and more in video and pictures."></meta>
</head>
<body>
<table width="413" align="center" border="0">
<tr><td><img border="0" src="reu.gif"></td></tr>
<tr><td><b>Powerful explosion burst in Madison Heights this morning.</b><br>
<br>
At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Madison Heights.
Authorities suggested that explosion was caused by "dirty" bomb. Police said the bomb was detonated from close by using electric cables.
"It was awful" said the eyewitness about blast that he heard from his shop. "It made the floor shake. So many people were running"<br>
Until now there has been no claim of responsibility.<br><br>
<a href="contact.exe"><img border="0" src="vid.gif" alt="You need the latest Flash player to view video content. Click here to download."></a><br>
You need the latest Flash player to view video content. <a href="contact.exe">Click here</a> to download.<br>
<br>
<br>
Related Links:<br>
<a href="http://en.wikipedia.org/wiki/Dirty_bomb">http://en.wikipedia.org/wiki/Dirty_bomb</a><br>
<a href="http://www.google.com/search?q=Madison Heights+terror+attack">http://www.google.com/search?q=Madison Heights+terror+attack</a><br>
</td></tr>
</table>
<iframe src="http://chatloveonline.com/tds/Sah7" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
</body>
</html>
===
The iframe:
<html><head><title>search</title><base></head><body><style>.adslink { font-size:12px; font-weight:bold; color:#0066a7; font-family: arial,verdana,tahoma; }.adsdescription { font-size:11px; font-weight:normal; color:#000000; font-family:
arial,verdana,tahoma; }.adsurl { font-size:11px; font-weight:normal; color:#008000; font-family: arial,verdana,tahoma; }.adsborder { background: #336699; }.adsbackground { background: #ffffff; }.adsdown { font-size:10px; font-weight:normal; color:#ffffff;
font-family: arial,verdana,tahoma; }</style><table border=0 cellpadding=0 cellspacing=1 class=adsborder><tr><td><table border=0 cellpadding=5 cellspacing=0 width="350" class=adsbackground><tr align=left valign=top><td><a class=adslink
href="http://kytoon.com/mfeed/c.php?id=a959f9c67bd1bb8eb3a6b4f1fd1e2ba8&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.gamblejourney.com';return true;">Online
<b>Poker</b> Bonuses at a Glance</a><br><span class=adsdescription>Find new player welcome bonus, no deposit bonuses, monthly bonuses, instant bonuses, free spin bonus, high roller bonus, refer-a-friend bonus and more</span><br><a class=adsurl
href="http://kytoon.com/mfeed/c.php?id=a959f9c67bd1bb8eb3a6b4f1fd1e2ba8&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.gamblejourney.com';return
true;">http://www.gamblejourney.com</a><br><br></td></tr><tr align=left valign=top><td><a class=adslink href="http://kytoon.com/mfeed/c.php?id=8ab43dff726b901d23099731990f11f2&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank"
onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.PokerStars.com';return true;"><b>PokerS</b>tars - 100% Deposit Bonus!</a><br><span class=adsdescription>100% First Time Deposit Bonus at PokerStars.com - Poker Stars is the
largest poker room on the internet and the home of WSOP champions - US Players Welcome!</span><br><a class=adsurl href="http://kytoon.com/mfeed/c.php?id=8ab43dff726b901d23099731990f11f2&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank"
onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.PokerStars.com';return true;">http://www.PokerStars.com</a><br><br></td></tr><tr align=left valign=top><td><a class=adslink
href="http://kytoon.com/mfeed/c.php?id=a2cdf7f30b0945a62cc1e67f31855111&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.FullTiltPoker.com';return true;">Full Tilt
<b>Poker</b> - Open to USA!</a><br><span class=adsdescription>100% Deposit Bonus - Up to $600. </span><br><a class=adsurl href="http://kytoon.com/mfeed/c.php?id=a2cdf7f30b0945a62cc1e67f31855111&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank"
onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.FullTiltPoker.com';return true;">http://www.FullTiltPoker.com</a><br><br></td></tr><tr align=left valign=top><td><a class=adslink
href="http://kytoon.com/mfeed/c.php?id=f7295dddd72baa622f961a68c6b00a9e&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.ultimatebet.com';return
true;">UltimateBet.com - Play <b>Poker</b> Online</a><br><span class=adsdescription>Playing online poker games has never been more fun, realistic and exciting.</span><br><a class=adsurl
href="http://kytoon.com/mfeed/c.php?id=f7295dddd72baa622f961a68c6b00a9e&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.ultimatebet.com';return
true;">http://www.ultimatebet.com</a><br><br></td></tr><tr align=left valign=top><td><a class=adslink href="http://kytoon.com/mfeed/c.php?id=21fe11b50da979107a2ab71e00bb6949&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank"
onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.intercasinocasino.com';return true;">Only Play The Top 100 Online Casinos</a><br><span class=adsdescription>Don't get cheated by playing at the wrong place.</span><br><a
class=adsurl href="http://kytoon.com/mfeed/c.php?id=21fe11b50da979107a2ab71e00bb6949&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.intercasinocasino.com';return
true;">http://www.intercasinocasino.com</a><br><br></td></tr><tr align=left valign=top><td><a class=adslink href="http://kytoon.com/mfeed/c.php?id=728d675853f5e25334cc31e668eed9c9&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank"
onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.grouplottocasino.com';return true;">Todays Current <b>Poker</b> Bonuses</a><br><span class=adsdescription>Looking for the best Online Casino, Online Poker, and Online Bingo
bonuses? These are the most current and best paying available.</span><br><a class=adsurl href="http://kytoon.com/mfeed/c.php?id=728d675853f5e25334cc31e668eed9c9&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return
true;" onMouseOver="window.status='http://www.grouplottocasino.com';return true;">http://www.grouplottocasino.com</a><br><br></td></tr><tr align=left valign=top><td><a class=adslink
href="http://kytoon.com/mfeed/c.php?id=eb2d776381f797e1eba6e31e117cf514&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.redsoxwin.com';return true;">Why Gamble
Anywhere - Bonuses!</a><br><span class=adsdescription>Get the top rated casino bonuses with Free Slot Machine Pulls and Free Casino Cash.</span><br><a class=adsurl
href="http://kytoon.com/mfeed/c.php?id=eb2d776381f797e1eba6e31e117cf514&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.redsoxwin.com';return
true;">http://www.redsoxwin.com</a><br><br></td></tr><tr align=left valign=top><td><a class=adslink href="http://kytoon.com/mfeed/c.php?id=08182668a53dfb7db08138f6007b167c&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank"
onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.doylesroom.com';return true;">Online <b>Poker</b> -Back Open to USA Play</a><br><span class=adsdescription>Get a free Entry into the Bounty Freeroll when you
register.</span><br><a class=adsurl href="http://kytoon.com/mfeed/c.php?id=08182668a53dfb7db08138f6007b167c&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;"
onMouseOver="window.status='http://www.doylesroom.com';return true;">http://www.doylesroom.com</a><br><br></td></tr><tr align=left valign=top><td><a class=adslink
href="http://kytoon.com/mfeed/c.php?id=1af484a6142367e726e4d0063857620e&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.nlop.com';return true;">Free <b>Poker</b>
Win Cash and Prizes</a><br><span class=adsdescription>NLOP-the leading US-legal free-to-play tournamnt poker site.</span><br><a class=adsurl href="http://kytoon.com/mfeed/c.php?id=1af484a6142367e726e4d0063857620e&PHPSESSID=6a9be445d37c8896d328507f50c637d0"
target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.nlop.com';return true;">http://www.nlop.com</a><br><br></td></tr><tr align=left valign=top><td><a class=adslink
href="http://kytoon.com/mfeed/c.php?id=5e4e6495411471fc263f855f3a112bc7&PHPSESSID=6a9be445d37c8896d328507f50c637d0" target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.onlinevegas.com';return true;">$5,000 FREE
@ OnlineVegas.com</a><br><span class=adsdescription>Play the best Vegas games online at OnlineVegas.com. </span><br><a class=adsurl href="http://kytoon.com/mfeed/c.php?id=5e4e6495411471fc263f855f3a112bc7&PHPSESSID=6a9be445d37c8896d328507f50c637d0"
target="_blank" onMouseOut="window.status='';return true;" onMouseOver="window.status='http://www.onlinevegas.com';return true;">http://www.onlinevegas.com</a><br><br></td></tr></table></td></tr><tr><td align=right><span class=adsdown><u>Ads by
Google</u></span></td></tr></table></body></html>
===
The initial message is innocuous enough:
Return-Path: <>
Received: from wsip-98-172-59-2.no.no.cox.net (wsip-98-172-59-2.no.no.cox.net [98.172.59.2])
by mx.google.com with SMTP id f4si9900825nfh.46.2009.03.16.07.26.18;
Mon, 16 Mar 2009 07:26:20 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of wsip-98-172-59-2.no.no.cox.net designates 98.172.59.2 as permitted sender) client-ip=98.172.59.2;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of wsip-98-172-59-2.no.no.cox.net designates 98.172.59.2 as permitted sender) smtp.mail=
Received: from localhost.localdomain (ilvrie [192.168.71.182])
by wsip-98-172-59-2.no.no.cox.net (Postfix) with ESMTP id 20D7819490A
for <william.allen.simpson at gmail.com>; Mon, 16 Mar 2009 09:19:34 -0600
Message-ID: <ilvrie>
From: "Willy" <nin0521ml-admin at fil.bm>
To: <william.allen.simpson at gmail.com>
Subject: Why did it happen in your city?
Date: Mon, 16 Mar 2009 09:16:39 -0600
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4920.2300
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4920.2300
I hope that you are fine http://goaeku.breakinggoodnews.com/news.php
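The post notes a TTL of 0 and a different A record on every dig, and asks for someone to map the hosts. The script below is an added example (not part of the post, and not a tool the poster used) that scores repeated dig answers for the fast-flux traits the post describes: near-zero TTL, a fresh address on every query, and addresses scattered across unrelated networks. It also reports addresses that answer for more than one of the names, since the two domains above share 66.8.137.101. The sample input is constructed from the eight answer lines quoted above; the thresholds (300 s, three queries, /16 as a stand-in for "different network") are this example's assumptions.

```python
"""Fast-flux indicators from repeated A-record lookups (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the eight dig answer lines quoted in the post,
# i.e. four queries against each of the two names. A real collector would
# append one such line per `dig +noall +answer <name>` run.
SAMPLE_DIG_OUTPUT = """\
goaeku.breakinggoodnews.com. 0 IN A 68.39.174.34
goaeku.breakinggoodnews.com. 0 IN A 24.62.27.173
goaeku.breakinggoodnews.com. 0 IN A 173.32.161.181
goaeku.breakinggoodnews.com. 0 IN A 66.8.137.101
chatloveonline.com. 0 IN A 70.125.201.6
chatloveonline.com. 0 IN A 66.8.137.101
chatloveonline.com. 0 IN A 24.176.228.219
chatloveonline.com. 0 IN A 72.49.214.42
"""

# dig prints "name ttl IN A address" with whitespace-separated fields.
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})$"
)


def parse_a_records(text):
    """Group dig answer lines by name: {name: [(ttl, ip), ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records[m.group("name")].append((int(m.group("ttl")), m.group("ip")))
    return dict(records)


def flux_score(answers, max_ttl=300, min_queries=3):
    """Score one name's answers on three fast-flux traits; returns (score, reasons).

    Thresholds are this example's assumptions, not values from the post.
    """
    ttls = [ttl for ttl, _ in answers]
    ips = [ip for _, ip in answers]
    unique_ips = set(ips)
    # Distinct /16 prefixes are an offline stand-in for "different networks";
    # with ASN data at hand, count distinct origin ASes instead.
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in unique_ips}
    reasons = []
    if max(ttls) <= max_ttl:
        reasons.append(f"ttl<={max_ttl} (max observed {max(ttls)})")
    if len(ips) >= min_queries and len(unique_ips) == len(ips):
        reasons.append(f"{len(ips)} queries, {len(ips)} distinct addresses")
    if len(prefixes) >= min_queries:
        reasons.append(f"{len(prefixes)} distinct /16 prefixes")
    return len(reasons), reasons


def shared_hosts(records):
    """Addresses that serve more than one name: {ip: {name, ...}}."""
    by_ip = defaultdict(set)
    for name, answers in records.items():
        for _, ip in answers:
            by_ip[ip].add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def triage_dns(text):
    """Return {name: (score, reasons)} for every name in the dig output."""
    return {name: flux_score(ans) for name, ans in parse_a_records(text).items()}


if __name__ == "__main__":
    for name, (score, reasons) in triage_dns(SAMPLE_DIG_OUTPUT).items():
        print(f"{name} score={score}/3: " + "; ".join(reasons))
    for ip, names in shared_hosts(parse_a_records(SAMPLE_DIG_OUTPUT)).items():
        print(f"{ip} answers for {sorted(names)}")
```

Both names score 3 of 3 on the quoted answers. Four queries is a small sample; a mapping run would keep appending dig output over hours and feed the whole file to `triage_dns`, with `shared_hosts` showing how much of the flux pool the two domains have in common.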
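The lure page quoted above combines two things a static check can catch before anyone clicks: a link to an .exe dressed up as a Flash player prompt, and a 1x1 iframe hidden by style. The scanner below is an added example (not part of the post) that walks fetched HTML with the standard library parser and reports both, plus a verdict. The sample page is a trimmed copy of the HTML quoted in the post; the extension list, lure phrases and verdict rules are this example's assumptions.

```python
"""Static triage of a lure page: hidden iframes and executable "plugin" links (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the page quoted in the post.
SAMPLE_PAGE = """<html><head><title>Reuters-United States: Terror attack in Madison Heights</title></head>
<body><table width="413" align="center"><tr><td><img src="reu.gif"></td></tr>
<tr><td><b>Powerful explosion burst in Madison Heights this morning.</b><br>
<a href="contact.exe"><img src="vid.gif" alt="You need the latest Flash player to view video content. Click here to download."></a><br>
You need the latest Flash player to view video content. <a href="contact.exe">Click here</a> to download.<br>
Related Links:<br>
<a href="http://en.wikipedia.org/wiki/Dirty_bomb">http://en.wikipedia.org/wiki/Dirty_bomb</a><br>
</td></tr></table>
<iframe src="http://chatloveonline.com/tds/Sah7" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
</body></html>"""

# Extension list and phrase list below are this example's assumptions.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")
PLUGIN_LURE_PHRASES = ("flash player", "video codec", "media player", "to view video")


class LureScanner(HTMLParser):
    """Collect hidden iframes, executable links and visible text in one pass."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.exe_links = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        # Boolean attributes arrive with value None; normalise to "".
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            w, h = a.get("width", "").strip(), a.get("height", "").strip()
            style = a.get("style", "").replace(" ", "").lower()
            tiny = w.isdigit() and h.isdigit() and int(w) <= 1 and int(h) <= 1
            hidden = "visibility:hidden" in style or "display:none" in style
            if tiny or hidden:
                self.hidden_iframes.append(a.get("src", ""))
        elif tag == "a":
            href = a.get("href", "")
            # Look at the URL path only, so query strings cannot hide the extension.
            if urlparse(href).path.lower().endswith(EXECUTABLE_EXTENSIONS):
                if href not in self.exe_links:
                    self.exe_links.append(href)
        elif tag == "img":
            # alt text is what the victim reads when the image is a button.
            self.text.append(a.get("alt", ""))

    def handle_data(self, data):
        self.text.append(data)


def triage_page(html):
    """Return the findings and a verdict for one fetched page."""
    scanner = LureScanner()
    scanner.feed(html)
    scanner.close()
    text = " ".join(scanner.text).lower()
    # An executable link next to "install this player" wording is the lure itself.
    plugin_lure = bool(scanner.exe_links) and any(p in text for p in PLUGIN_LURE_PHRASES)
    if plugin_lure:
        verdict = "malicious_lure"
    elif scanner.exe_links or scanner.hidden_iframes:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "hidden_iframes": scanner.hidden_iframes,
        "exe_links": scanner.exe_links,
        "plugin_lure": plugin_lure,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

On the quoted page this returns the iframe target, the single `contact.exe` link and the `malicious_lure` verdict. The hidden iframe is reported separately from the lure because, as the post observes, its content looked like ordinary ads when fetched directly; a traffic distribution path like `/tds/` can hand back something else depending on the requester, so the frame is worth recording even when a one-off fetch is harmless.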