
Mespam: Infecting Web 2.0 with LSP

Updated: 29 Jun 2009
By Elia Florio

People using Web 2.0 have personal Web spaces, blogs, and online discussions on forums and public boards. Everyone can create Web content from his or her own computer just by using the browser. So what would be the perfect vector for spreading malware in the Web 2.0 world? The Web itself, of course.

On Monday we posted a blog about a new variant of Trojan.Mespam distributed via StormWorm/Peacomm botnet. We noticed that this new Mespam takes advantage of new Web technologies and spreads by injecting malicious links when users interact with the Web.

What does it mean? When users are going to post something on any Web site running VBulletin or phpBB, the Trojan will sneakily add a malicious link into the outgoing Web packet. The same also happens when users are sending emails using clients such as Gmail, Yahoo, Lycos, Tiscali, AOL, and many popular Web-based mail applications (for the complete list please check out the Trojan.Mespam writeup).

Users won't be able to notice anything... Or it will be too late – by the time they finally do notice something suspicious, the content will already be posted and sent out. Searching for some of the malicious links with Google shows interesting results (see below).

Trojan.Mespam is able to add its content on the fly just by looking at the name of the Web site and the URL visited. This is possible because the Trojan installs the library "rvsp32_2.dll" as a Layered Service Provider (LSP) in the system.

LSPs are special libraries that allow the low-level manipulation of TCP/IP traffic. By using the LSP component the Trojan can intercept every outgoing packet and add a malicious link to it just before it is sent out.

From the user's side, this manipulation goes totally unnoticed because it happens at the network level. Amazingly, it seems that spammers of the "Nigerian scam" gang got infected by the malicious LSP and started to send out their scam mails with Mespam links attached (as reported in the blog entry "Botnets meet Nigerian spam").
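As an added defender's check (not code from the original post or from Symantec): a Python script that parses the output of `netsh winsock show catalog` and reports every Winsock provider entry, layered ones first, whose backing DLL is not on a stock allow-list, which is how an LSP such as rvsp32_2.dll shows up in the catalog. The catalog text and the allow-list below are constructed and illustrative; the script only reports and changes nothing.

```python
import re
from pathlib import PureWindowsPath

# Constructed, abbreviated sample of `netsh winsock show catalog` output (format approximated,
# fields omitted). Entries 1002/1003 mimic an LSP installed from rvsp32_2.dll as the post
# describes; this is not a capture from an infected machine.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
Entry Type:                         Layered Service Provider
Description:                        rvsp32_2
Provider Path:                      C:\WINDOWS\system32\rvsp32_2.dll
Catalog Entry ID:                   1002

Winsock Catalog Provider Entry
Entry Type:                         Layered Chain Entry
Description:                        rvsp32_2 over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\WINDOWS\system32\rvsp32_2.dll
Catalog Entry ID:                   1003
"""

# Illustrative allow-list of stock Windows provider modules; build the real one from a clean
# reference machine of the same OS build before trusting it.
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nwprovau.dll"}

_FIELD = re.compile(r"^([A-Za-z ]+?):\s+(.*)$")

def parse_catalog(text):
    """One dict of 'Field: value' pairs per 'Winsock Catalog Provider Entry' block."""
    entries = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        matches = (_FIELD.match(line.strip()) for line in block.splitlines())
        fields = {m.group(1): m.group(2).strip() for m in matches if m}
        if fields:
            entries.append(fields)
    return entries

def suspicious_entries(entries, known=KNOWN_PROVIDER_DLLS):
    """(catalog id, entry type, dll) for each entry backed by a module outside the allow-list,
    layered entries first: a foreign LSP is exactly what lets Mespam rewrite outgoing packets."""
    hits = []
    for e in entries:
        dll = PureWindowsPath(e.get("Provider Path", "")).name.lower()
        if dll and dll not in known:
            hits.append((int(e["Catalog Entry ID"]), e["Entry Type"], dll))
    return sorted(hits, key=lambda h: ("Layered" not in h[1], h[0]))
```

On a real machine, feed it the text of `netsh winsock show catalog`; a hit is something to investigate with the removal procedure, not an entry to delete by hand.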

This spreading technique has a big impact on how people use the Web today. The idea works well in the Web 2.0 world because user interaction is frequent and Web applications are very popular. It will become a real threat in the future if the bad guys behind Mespam and Peacomm add code to spread over other popular Web channels (e.g. injecting malicious content while posting on YouTube, Myspace, RSS feed, or while using Google Office on the Web).

At the moment we have observed the following texts being appended to messages sent out by Mespam-infected users:
LOL! You must see this! http://[postcards_domain]
Dont forget to see http://[postcards_domain]
lol, look http://[postcards_domain]
have you seen this? http://[postcards_domain]
LOOL!!! http://[postcards_domain]
just look http://[postcards_domain]
:-) http://[postcards_domain]

Here [postcards_domain] is one of a set of "postcards" domains, all resolving to the IP address 209.123.8.198 (please, do not visit any of them!):

The list of domains is probably longer, and the text messages are frequently changed by the attackers, who have direct control over the LSP component.

The usual recommendation is to avoid clicking on any suspicious link even if it is coming from friends. And if you notice any of the suspicious “postcards” domains in messages posted by your friends, don’t blame them because probably they have no idea what’s happening!

Finally, if you get infected, be very careful when removing the malicious LSP component from the system, since an unsafe removal can break the network connectivity of the machine. Please refer to the last section of the Trojan.Mespam removal procedure for information on how to reinstall the TCP/IP protocol and restore the LSP order.