Tuesday, April 10, 2007

Shots from the Malicious Wild West - Sample Four

My previous "shots" related to various pieces of malware, packers, or on the fly malicious URL analysis will continue to expand with the idea to provide you with screenshots of things you only read about, but never get the chance to actually see. In the first shot I discussed ms-counter.com, in the second the Pohernah crypter, and in the third The Rat! Keylogger. You may also find a recent post related to the dynamics of the underground's economy, as well as the related screenshots very informative.

In this virtual shot I'll discuss the High Speed Verifier, a commercial application spammers use to filter out the fake and non-existent emails in their spam databases in order to not only achieve a faster speed while sending their message out, but also improve the quality of their databases which I love poisoning so much. What the High Speed Verifier all about? As its authors state :

"HSV detects about 20-30% of invalid addresses in a mailing list, though theoretically it is possible to detect up to 60-70% using a software product. This figure seems relatively small, but actually it might make 10% of a list. Besides, HSV provides for optimal checking mode in terms of time and data traffic. More thorough checking (with which the rest 40% of invalid addresses could be detected) takes 10 times longer and requires 5 times greater traffic for each address, hence it's not that advisable with huge lists."

So once emails are harvested, they have to be verified and then abused for anything starting from phishing attacks to good old fashioned social engineering tricks decepting users into executing malware or visiting a site for them to do so. Don't get too excited, the advanced version has even more interesting features :

"The program works on the same algorithm as ISP mail systems do. Mail servers addresses for specified address are extracted from DNS. The program tries to connect with found SMTP-servers and simulates the sending of message. It does not come to the message sending — AMV disconnect as soon as mail server informs does this address exist or not."

The old dillema is still place - direct online marketing VS spam or what's the difference these days if any? Marketed as tools to assist online marketers these programs are logically abused by spammers, phishers and everyone in between.