... but I'll settle for having a laugh at a spam that's just came in. Laughing you ask? Well yes - for starters there's no plain text content, no subject and no HTML content.
It would seem these silly spammers have decided it best to include the content in the actual headers (likely a bug in their auto-mailer);
As you'll notice from the headers, the e-mail originated from 220.127.116.11 (18.104.22.168/17 - AS23352 SERVERCENTRAL Server Central Network), which is home to;
Best I can tell, every single one looks like someones poor attempt at SEO.
But wait, there's also an advert there for eco-antivirus-2010.com. Wonder what happens if I click that "advert"? Well, the URLs we're taken through are;
With the payload (Eco_Install.exe, MD5: 3de085a41b50d0c038aa29a5e9888bf2) coming from;
This malicious goodness is hosted surprise surprise, by AS32613
IWEB-AS iWeb Technologies Inc. http://www.iweb.com/ (22.214.171.124/16), on 126.96.36.199/24. You'll no doubt recognize some of the other domains listed.
VirusTotal shows 26 vendors detecting this particular variant;
The file is packed with 7zip, and unpacking it shows several dll files, one batch file (DD.bat), and of course, the nsis.nsi file.
Looking at the NSIS file showed some rather interesting strings, such as;
If we load ahah3h884.eco-av.net (also hosted at 188.8.131.52), we're automagically 302'd to macacafe.com (184.108.40.206, AS21740 DemandMedia AS DemandMedia);
Rather surprising given this domain isn't live - it's parked (though given this behaviour is seen when loading several other mysterious sub-domains associated with Eco AntiVirus/Green AntiVirus, it wouldn't surprise me if this was deliberate).
Looking further down the NSIS file, we also see it attempts to kill the task of varying security programs, including NOD32, Windows Defender and McAfee;
I'm planning on running the installer later (assuming it'll run on my 2000 test machine (64MB Ram, so probably not)), as there's also references to additional files being downloaded, but due to the NSIS file containing a ton of "Invalid" lines, I'm suspecting either the installer I've got is corrupted, or I've missed a string somewhere (Anubis reports the same thing, as does CWSandbox, but the report shows the URL's returning a 404). I'll report back on that once I'm done.
Malwarebytes AntiMalware users will be pleased to know this is already detected as Rogue.EcoAntiVirus.