I got this e-mail from a former classmate about a week ago:
Followed by another one last night:
Needless to say, the links point to malware. The first URL has already been taken down, but the second one is still active, though I hope the abuse team at Rapidshare.com will see my report soon enough.
The e-mail’s To: list includes other friends and relatives of the sender. This suggests that the message was sent by malware running on his computer, through his own Yahoo! Mail account and using his address book, rather than from a spam botnet with a forged sender address. That is a problem for e-mail filtering: the message comes from a legitimate account and looks like ordinary personal mail, which gives it a credibility that will fool many recipients.
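Because the mail really does come from the victim’s own account, sender-authentication checks will pass; what is left to key on is the content and the pattern of delivery. The following Python script is an added example (not code from the original post) of a content heuristic for this case: it parses a message, counts the recipients in the To:/Cc: headers, extracts the URLs from the body and flags messages that combine a wide fan-out with a link pointing straight at an executable. The two sample messages, all addresses, hosts and the download URL are constructed for the example; the fan-out threshold of five is an assumed value, not something the post states.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample of the kind of message described above: sent from the
# compromised account itself, addressed to a handful of people out of the
# victim's address book, and linking to a direct executable download.
# Every address, host name and URL here is made up for the example.
SAMPLE_MSG = """\
From: Former Classmate <classmate@example.com>
To: alice@example.org, bob@example.net, carol@example.com, dave@example.org,
 erin@example.net, frank@example.com
Subject: look at this :)
Content-Type: text/plain; charset=utf-8

hi! check this out http://files.example-host.test/download/photo.jpg.exe
"""

# Constructed benign message: one recipient, link to an ordinary page.
BENIGN_MSG = """\
From: Former Classmate <classmate@example.com>
To: alice@example.org
Subject: the article I mentioned
Content-Type: text/plain; charset=utf-8

Here it is: http://www.example.org/articles/reunion.html
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# File extensions a link in a personal e-mail should rarely point at directly.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")

# Assumed threshold: how many recipients count as "the whole address book".
FANOUT_THRESHOLD = 5


def parse_message(raw: str) -> EmailMessage:
    """Parse RFC 5322 text into an EmailMessage (modern header objects)."""
    return email.message_from_string(raw, policy=policy.default)


def recipient_count(msg: EmailMessage) -> int:
    """Count every address in the To: and Cc: headers, folded lines included."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sum(len(h.addresses) for h in headers)


def extract_urls(msg: EmailMessage) -> List[str]:
    """Pull http(s) URLs out of the text body (plain preferred over HTML)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return []
    return URL_RE.findall(body.get_content())


def is_executable_link(url: str) -> bool:
    """True if the URL path (not the host) ends in an executable extension."""
    path = urlparse(url).path.lower()
    return path.endswith(EXEC_SUFFIXES)


def score_message(raw: str, fanout_threshold: int = FANOUT_THRESHOLD) -> Dict:
    """Combine the two signals: wide fan-out plus a direct executable link."""
    msg = parse_message(raw)
    recipients = recipient_count(msg)
    urls = extract_urls(msg)
    exec_links = [u for u in urls if is_executable_link(u)]
    reasons = []
    if recipients >= fanout_threshold:
        reasons.append(f"{recipients} recipients (>= {fanout_threshold})")
    if exec_links:
        reasons.append(f"{len(exec_links)} link(s) to executable files")
    return {
        "recipients": recipients,
        "urls": urls,
        "executable_links": exec_links,
        # Both signals together are what distinguishes this from a friend
        # mailing one attachment to one person.
        "suspicious": recipients >= fanout_threshold and bool(exec_links),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MSG), ("benign", BENIGN_MSG)):
        print(name, score_message(raw))
```

The heuristic is deliberately narrow: a legitimate account mailing many contacts, or a single recipient getting an .exe link, each pass on their own; it is the combination seen in this incident that trips the flag.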
The URL leads to an executable, which in turn downloads assorted malicious software from the “TheInstalls.com” affiliate network and its related sites.
The “The Installs” network is one of the so-called PPI (Pay Per Install) partner sites, where an affiliate earns $0.15 for each install of “special” software on a US-based PC. One way to earn an “install” is to spread malicious e-mails like the one described above. The most common end result is “fake anti-virus” software deployed to the controlled PC, which pressures its owner into paying ~$40 to make the nagging stop for a while.
So far it has managed to avoid the fate of other Russian partner networks responsible for distributing “rogue anti-virus” software.
The network graph below reveals other related PPI sites, such as YA!BUCKS.com, which is ready to share 70% of its “pay-per-install” revenue with those who bring in the “installs”.
$ whois 126.96.36.199
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US
...
network:ID:THEPLANET-BLK-14
network:Auth-Area:188.8.131.52/14
network:Network-Name:TPIS-BLK-74-54-241-0
network:IP-Network:184.108.40.206/28
network:IP-Network-Block:220.127.116.11 - 18.104.22.168
network:Organization-Name:bNetworks
network:Organization-City:Kharkiv
network:Organization-State:NA
network:Organization-Zip:NA
network:Organization-Country:UKR
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:email@example.com
network:Admin-Contact;I:firstname.lastname@example.org
network:Created:20080515
network:Updated:20090216