Beware of malicious Rapidshare links sent to you by a friend.

0 Malware, SophosLabs, Spam
by

I’ve got this e-mail from my former classmate about a week ago:

Followed by another one last night:

Needless to say, the links point to malware. The first URL was taken down. But the last one is still active, though I hope the abuse team at Rapidshare.com will see my report soon enough.

The e-mail’s To: address list includes other friends and relatives of the sender. This suggests that the e-mail was sent by the malware running on his computer, through his Yahoo! Mail account using his address book and not through spam. This trend may create challenges to e-mail filtering software and gives a certain amount of credibility to the message itself that may fool many people.

The URL leads you to an executable that then downloads various malicious software from “TheInstalls.com” affiliate network and its related sites.

The “The Installs” network is one of the so-called PPI (Pay Per Install) partner sites, where an affiliate can earn $0.15 for installing “special” software on a US-based PC. One method to earn an “install” is to spread malicious e-mails like the one described above. The most common end result is “fake anti-virus” software deployed to a controlled PC forcing its owner to pay ~$40 to stop being annoyed for awhile.

The site appears to be owned and operated by a Russian gang and was known to be malicious since early 2008

So far it has managed to avoid the fate of other Russian partner networks responsible for “rogue anti-virus” software distribution.

The network graph below reveals other related PPI sites, like the YA!BUCKS.com which is ready to share 70% of its “pay-per-install” revenue with those who bring the “installs”.



$ whois 74.54.241.100
OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    315 Capitol
Address:    Suite 205
City:       Houston
StateProv:  TX
PostalCode: 77002
Country:    US
...
network:ID:THEPLANET-BLK-14
network:Auth-Area:74.52.0.0/14
network:Network-Name:TPIS-BLK-74-54-241-0
network:IP-Network:74.54.241.96/28
network:IP-Network-Block:74.54.241.96 - 74.54.241.111
network:Organization-Name:bNetworks
network:Organization-City:Kharkiv
network:Organization-State:NA
network:Organization-Zip:NA
network:Organization-Country:UKR
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
network:Created:20080515
network:Updated:20090216

Free tools

Sophos Firewall Home Edition

Boost your home network security.

Sophos Scan & Clean

Free second-opinion scanner for PCs.

Sophos Cloud Optix

Monitor 25 cloud assets for free.