Botnets meet “Nigerian” spam

Today I received an email with a familiar scam sent from West Africa. I receive literally hundreds of them every day. What made this one different was that it carried a link to a malware site.

Any Windows user foolish enough to click the link and run the executable would get their machine infected with “trojan horse” software that gives others remote access to the computer.

I found five different domains all used to host the same trojan, and all the emails spreading them were sent from countries in Africa.

Here is an example:

Dear friend,

I’m Mr.Alfred Kodjo from Lome Togo the only son of late Mr. David Kodjo.My father was poisoned to death on Dec 23, 2005 by his fellow diamond/gold business associate in Accra Ghana.

My father told me my mother suffered high blood pressure and died when I was 3 years old, but now I’m 24 years. In the light of the above, I have contacted you to assist me to transfer out of Togo the sum of $12 million US dollars, which my father deposited in one box as family treasure with a safety company for my future, I would like the fund to get to you so that you safe-keep it for me after which I will come over to your country in due course to live and school. You will invest this money for me in commercial estate or any other business of your choice you deem healthy.

For your effort, I am prepared to give you 20% of the total funds. I am looking forward to hearing from you while thanking you for your anticipated cooperation in this regard.

Please give me also your phone numbers for better communication between us.

Kind Regards,
Mr Alfred Kodjo
just look http://postcardsbargain . com/clip.html

(spaces inserted by me, to make sure it doesn’t show as a clickable link).

The email was sent from an IP address in Togo:

Received: from [80.248.70.177] by web58607.mail.re3.yahoo.com
via HTTP; Tue, 27 Feb 2007 20:29:42 ICT
Date: Tue, 27 Feb 2007 20:29:42 +0700 (ICT)
From: alfred kodjo
Subject: {Spam!} ``Erwin co-operation from Mr. Alfred
To: kodja12@yahoo.co.th

The domain postcardsbargain.com had been registered only two weeks before the email was sent:

Domain Name: POSTCARDSBARGAIN.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: MANAGEDNS1.ESTBOXES.COM
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM
Status: clientTransferProhibited
Updated Date: 13-feb-2007
Creation Date: 13-feb-2007
Expiration Date: 13-feb-2008

Other domains in the same series were bestnetpostcards.com, freewebpostcards.com, ecolorpostcards.com and mailfreepostcards.com, all of them also registered through Estdomains. Here are the originating IP address, sender address, domain and file path for each email in which they were spotted:

212.60.73.44 (Gambia) – moceesay@hotmail.com:
mailfreepostcards.com / show.exe

196.28.250.11 (Nigeria) – mr_ban0x19@hotmail.com:
ecolorpostcards.com / winner.html

196.201.156.161 (Kenya) – info_jabrattofood@yahoo.co.uk:
freewebpostcards.com / show.exe

196.3.63.252 (Nigeria) – william_franca_fw2@yahoo.com.hk:
bestnetpostcards.com / show.exe

80.248.70.177 (Togo) – kodja12@yahoo.co.th:
postcardsbargain.com / clip.html

41.243.148.204 (South Africa) – den_ma006@hotmail.com:
nuclearworldaction.com / video.html / clip.exe

196.3.63.252 (Nigeria) – annahoffmanhome@yahoo.com:
nuclearwarinusa.com / news.html
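The three checks applied by hand above (reading the originating IP out of the webmail provider's Received header, catching the link even though it is written as "postcardsbargain . com", and comparing the domain's whois creation date with the email's date) can be scripted. The following is an added example written for this post, not code from the original; the sample message is constructed from the headers and link quoted above, and the only whois creation date in its lookup table is the one shown for postcardsbargain.com (the others would have to be filled in from live whois queries).

```python
"""Triage one 419 spam for the indicators used in the post: the client IP
recorded by the webmail provider, de-fanged links in the body, links that
point straight at executables, and links to freshly registered domains."""
import re
from datetime import date
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the headers quoted in the post (Received folded onto one
# line) plus a body carrying the de-fanged link exactly as the post shows it.
SAMPLE_MSG = """\
Received: from [80.248.70.177] by web58607.mail.re3.yahoo.com via HTTP; Tue, 27 Feb 2007 20:29:42 ICT
Date: Tue, 27 Feb 2007 20:29:42 +0700 (ICT)
From: alfred kodjo
Subject: Erwin co-operation from Mr. Alfred
To: kodja12@yahoo.co.th

Dear friend,
For your effort, I am prepared to give you 20% of the total funds.
Kind Regards,
Mr Alfred Kodjo
just look http://postcardsbargain . com/clip.html
"""

# Whois creation dates. Only postcardsbargain.com's date is taken from the
# record quoted in the post; a real deployment fills this from whois lookups.
WHOIS_CREATED = {"postcardsbargain.com": date(2007, 2, 13)}

# Webmail submissions are logged as "from [client-ip] by <webmail host> via HTTP".
# Only the provider's own Received line is trustworthy; lines the sender adds
# below it can be forged.
WEBMAIL_RECEIVED = re.compile(
    r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s+\S+\s+via HTTP", re.I)

# Tolerates the "host . tld" de-fanging so obfuscated links are still caught.
URL_RE = re.compile(
    r"https?://((?:[A-Za-z0-9-]+\s*\.\s*)+[A-Za-z]{2,})(/[^\s<>\"']*)?", re.I)

# File types that run directly when a Windows user "opens" the download.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")


def origin_ip(msg):
    """Return the client IP from the first webmail-style Received header, or None."""
    for received in msg.get_all("Received", []):
        m = WEBMAIL_RECEIVED.search(received)
        if m:
            return m.group(1)
    return None


def extract_links(body):
    """Return (host, path) pairs with any whitespace inserted into the host removed."""
    links = []
    for host, path in URL_RE.findall(body):
        links.append((re.sub(r"\s+", "", host).lower(), path or "/"))
    return links


def analyse(raw, whois_created=WHOIS_CREATED, max_age_days=30):
    """Parse one raw message and return the triage indicators as a dict."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"]).date()
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    links = extract_links(body)
    # Domain age at the time the mail was sent; a domain created days before the
    # spam run is the pattern seen with the whole postcards series.
    age_days = {h: (sent - whois_created[h]).days
                for h, _ in links if h in whois_created}
    return {
        "origin_ip": origin_ip(msg),
        "sent": sent,
        "links": links,
        "domain_age_days": age_days,
        "young_domains": sorted(h for h, d in age_days.items()
                                if 0 <= d <= max_age_days),
        "executable_links": [(h, p) for h, p in links
                             if p.lower().endswith(EXECUTABLE_SUFFIXES)],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MSG).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports the Togo address 80.248.70.177 as the origin, the normalised link postcardsbargain.com/clip.html, and a domain age of 14 days, which trips the 30-day threshold. Links such as mailfreepostcards.com/show.exe from the list above would additionally be flagged as direct executable downloads.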

Malicious programs installed via links in emails can log keystrokes to steal passwords and online banking credentials, and they can turn your computer into a remote-controlled, spam-sending zombie in a botnet.

Such programs have so far been used primarily by Eastern European spam gangs, for sending spam and for hosting illegal websites such as phishing pages. Until recently, however, the Nigerian gangs made virtually no use of malware.

A few months ago I started seeing a trend in which spam for Nigerian “419” scams sent through webmail services traced back to IP addresses of broadband hosts in North America (bellsouth.net, adelphia.net, cox.net, comcast.net, shaw.ca), which was highly unusual at the time. I wondered whether the “lads” (Nigerian scammers) were renting botnets from Russian gangs to evade spam filters that treat West African Internet cafe IP addresses as suspect.

With the latest malware spam from West Africa, the cooperation appears to go much deeper. While it is possible that the malware links were inserted automatically by a very clever trojan running on PCs in Internet cafes, it seems too much of a coincidence that all of the samples we have come across so far originated from Africa.

Close cooperation between the manpower of Nigerian and other advance-fee fraud gangs and the brains of high-tech crime rings in Eastern Europe is indeed a frightening prospect.