Friday, August 22, 2008

Celebrity Spam-Off: Will Paris Hilton Overtake Angelina as Top Spam Bait?

Based on the high volume of "Paris Hilton" spam today (21% of all spam messages received had "Paris Hilton" in the subject line), you're probably wondering "Is Paris Hilton the most popular Spam Celebrity?" No. Actually you probably aren't wondering that, but it's Friday afternoon, and I'm tired of being serious. So, while we waited for the UAB Spam Data Mine to finish a report about spam for a law enforcement case, we went ahead and produced . . .

The August Celebrity Spam Score Card



Celebrity           Percentage of August Spam
Angelina Jolie      5.2%
Britney Spears      3.8%
Paris Hilton        3.2%
George Bush         0.6%
Barack Obama        0.5%
Lindsay Lohan       0.36%
John McCain         0.32%
Brad Pitt           0.27%
Spongebob           0.19%
Pamela Anderson     0.16%
Heath Ledger        0.14%
Madonna             0.12%


Receiving less than 1/10th of 1% of all spam in August were:


Tony Blair
Sarah Jessica Parker
Avril Lavigne
J Lo
Miley Cyrus
Christian Bale
Paul McCartney

Face it. Americans want to know what's going on in the lives of our celebrities. The spammers know this. But please resist the bait.

Paris Hilton did not give birth to aliens. Paris Hilton did not lecture on Dickens and Dostoevsky. John McCain did not name Paris Hilton as his running mate. There is not really a movie of Paris Hilton doing THAT with HIM/HER/THEM. Paris Hilton was not nominated for the Nobel Prize, no matter what your spam says. If you follow the link, the website you visit will try to infect your computer with malware.

If you want to know what Angelina Jolie did, subscribe to People magazine. If you want to know what Paris Hilton probably didn't do, read the National Enquirer. But whatever you do: don't click the links in your email!

Oh - for comparison - CNN edged out Angelina Jolie ever so slightly with 5.4% of all the spam for the month of August so far. MSNBC was only a handful of emails behind Paris Hilton, with 3.2% of all spam messages for August so far.

And now for the serious part . . .


120 subject lines used to advertise the virus being pushed by all the Paris/Britney spam we received today.
I'll include a few of the tamer ones here, but many are too offensive for a sensible blog post:

Aliens Deny Impregnating Paris Hilton
Britney Finally Passes Rolling Stones Audition
Britney mind control claims: manager says K-Fed responsible
Britney Spears and Paris Hilton to Visit Burma
Paris Hilton Pregnant By Aliens
Paris Hilton Returned By Aliens
Paris Hilton Seeks New Best Friend Competition


3,732 IP addresses of compromised computers that sent us those Paris/Britney virus links.



175 unique malware links those messages wanted us to click on.


121 websites that were compromised to make them host the virus.

Most have now been shut down. There are two versions of the virus being distributed. If you have been infected by this virus, the primary symptom will be that your computer will seem to have a new anti-virus program scanning your system, and probably changing your Windows wallpaper.

These sites are all still distributing "play.exe", which is 74,752 bytes in size and has the MD5 of 15e20faa53450a4ff64ef6b3541889fb. It's very well detected, based on this VirusTotal report showing that 32 of 36 anti-virus products know it's a virus.


These 26 sites are still actively distributing the other version, which can be called "stream.exe" or "player.exe". They are 78,848 bytes and have the MD5 of a3aec9130af6f69c715dc6eb89949079, which, according to this VirusTotal report, is slightly less detectable, with 26 of 36 anti-virus products detecting it.



Good luck, and have a great weekend.

Gary Warner
Director of Research
UAB Computer Forensics
& Celebrity Spam Score Keeper
