The spammer who loved me

Last night, a colleague beat me to the punch with a posting about hacked websites and spam. I was planning to write a similar article this morning. My perspective on the spam was a little different so I am going to forge ahead.

This particular series of hacked sites is the same as one posted earlier this month. At the time we had seen a few sites, mainly in Greece, hacked and being used for various types of medical spam (viagra and stop-smoking). Now the hacked sites are spread more globally and are serving dating spam.


You will have to zoom-in to the large image.

The sites on the top are nearly all infected with Troj/Rectoun-A and all point to the same ‘attack site’.

In his post Dmitry mentioned the links to count and log the hits to this website. However, as the above image shows it will attempt to access a file doexe.php.

Quick Scanning

>>> Virus 'Mal/EncPk-BD' found in file doexe.php

1 file scanned in 6 seconds.
1 virus was discovered.
1 file out of 1 was infected.

Currently, this file is detected as Mal/EncPk-BD previously however, the file was detected as Troj/Agent-GEA.

SophosLabs will continue to monitor this threat and update detections where appropriate. However, as we mentioned in an earlier posting the speed at which web attacks move means our job just gets more complex.