Security Response

Is This the World’s Dumbest Digital Criminal?

Created: 29 Dec 2006 08:00:00 GMT • Updated: 23 Jan 2014 18:54:01 GMT
By Ollie Whitehouse

While speaking with an industry friend recently, he mentioned that he had received some spam. When viewed in plain text, the spam looked like this (the filename has been changed to protect the compromised party):

Subject: You have received a greeting from a family member! You can pick up your postcard at the following web address http://62.75.XXX.XXX/~XXXXXXXX/XXXXXXXXXX.exe

However, if you remove the executable from the URL, you get a directory listing:

[Image: directory listing of the compromised host]

So, from this we can see the machine had been compromised for two months prior to the malicious code being placed upon the site (one day before my friend received the message). However, the individual in this case is obviously not the sharpest knife in the drawer – “file.php” was in actual fact PHPShell, the attacker’s back door:

This would allow anyone to access the compromised host without prior authentication. Yep, you guessed it: it would also allow any other enterprising bot herder to replace the original malicious code with their own! What this demonstrates is that bot herders don't need to be ultra tech-savvy elite professionals to the core. This also demonstrates that just like any organized crime, there exists the potential for turf wars. *sigh* – 'til next time.
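The back door described above is a PHP file that hands whatever arrives in a request parameter to a command-execution function. As an added example (not part of the original post, and not a Symantec tool), the following defender-side triage script walks a web root and flags PHP files that match that pattern; the signatures are deliberately simple assumptions that catch unobfuscated shells only, and the fixture files it scans are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic signatures for PHPShell-style back doors: request data fed
# straight into a command-execution or eval sink. Assumption: these simple
# regexes catch the unobfuscated case only; real triage layers on more rules.
EXEC_SINK = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*"
    r"\$_(GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE)
EVAL_SINK = re.compile(
    r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST))\b",
    re.IGNORECASE)

def classify(source):
    """Return a reason string if the PHP source looks like a web shell, else None."""
    if EXEC_SINK.search(source):
        return "request parameter passed to a command-execution function"
    if EVAL_SINK.search(source):
        return "eval() of decoded or request-supplied code"
    return None

def scan_webroot(root):
    """Walk a web root and return {relative_path: reason} for suspicious PHP files."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*.php")):
        reason = classify(path.read_text(errors="replace"))
        if reason:
            hits[str(path.relative_to(root))] = reason
    return hits

# Constructed fixture: two benign files and a minimal shell like the one in the post.
FIXTURE = {
    "index.php": "<?php echo htmlspecialchars($_GET['name'] ?? 'world'); ?>",
    "file.php": "<?php if (isset($_REQUEST['cmd'])) { passthru($_REQUEST['cmd']); } ?>",
    "lib/util.php": "<?php function add($a, $b) { return $a + $b; } ?>",
}

def demo():
    """Write the constructed fixture to a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    for name, src in FIXTURE.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(src)
    return scan_webroot(root)

if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

Pair a scan like this with the directory-listing check the post implies (disable indexing on the web server), since the listing is what exposed both the shell and the compromise timeline.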