RubyRoyale Casino Spam
I recently noticed that a honeypot reported a very large increase in Casino spam emails containing links to Casino websites, all of which have .RU as the domain extension. In some cases the links are “obfuscated” with spaces (ex: www . site . com) or other junk characters to avoid anti-spam filters and to not appear as http links.
I tried visiting one of the Casino links found in the spam emails to analyze the website and to see what is dangerous about these links. This is a screenshot of the homepage:

It looks like the objective of the website is to make the user click the “Download” button to install an unknown Casino application on the user’s computer, but if we analyze the executable with multiple antivirus engines, this is the result:
Report date: 2010-07-08 18:25:31 (GMT 1)
File name: RubyRoyaleEN.exe
File size: 366648 bytes
MD5 hash: f413ef95815c3e25e9c256a5fd60a9e4
SHA1 hash: a1a0e5de487ae8b01871df3bda4efd5898500298
a-squared 08/07/2010 5.0.0.7 Riskware.OnlineCasino!IK
F-PROT6 20100707 4.5.1.85 W32/Casino.F.gen!Eldorado
Ikarus T3 08/07/2010 1.1.84.0 Riskware.OnlineCasino
NOD32 5262 4.0.474 Win32/PrimeCasino
TrendMicro 293 9.120-1004 ADW_CASINO
The executable is detected as Adware or PUP (Potentially Unwanted Program) by many antivirus engines, and it is recommended not to execute this kind of application on a computer. Here is a list of recent Casino websites the honeypot has reported as spam:
As we can see, all the Casino-related domains are hosted on the same IP address, which is located in TW and has ASN 3462 (HINET Data Communication Business Group): 61.222.252.99 – 61-222-252-99.HINET-IP.hinet.net
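The spaced-out link form described at the top of this post, and the shared-hosting observation above, can be checked on the filter side. The following is an added example, not code from the original post: it covers only the spaces-around-dots form (not the unspecified "junk characters"), and the function names, sample message bodies, hostnames under the reserved .example TLD and 192.0.2.x addresses are all constructed.

```python
import re
from collections import defaultdict

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# A dot either bare ("a.b") or padded on BOTH sides ("a . b"). A sentence end
# ("big. Visit") is padded on one side only, so it never joins two words.
SEP = r"(?:[ \t]+\.[ \t]+|\.)"
HOST = re.compile(rf"\b{LABEL}(?:{SEP}{LABEL})+\b", re.IGNORECASE)

def extract_hosts(body, tlds=("ru",)):
    """Return de-obfuscated hostnames found in body whose TLD is in tlds."""
    found = []
    for m in HOST.finditer(body):
        host = re.sub(r"[ \t]+", "", m.group(0)).lower()  # drop the padding
        if host.startswith("www."):
            host = host[4:]
        if host.rsplit(".", 1)[-1] in tlds and host not in found:
            found.append(host)
    return found

def hosts_by_ip(bodies, resolved, tlds=("ru",)):
    """Group hostnames from all bodies by IP, using a supplied host -> IP map."""
    groups = defaultdict(set)
    for body in bodies:
        for host in extract_hosts(body, tlds):
            groups[resolved.get(host, "unresolved")].add(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}

# Constructed sample data: reserved .example names and TEST-NET-1 addresses,
# plus the "www . site . com" form quoted in the post.
SAMPLE_BODIES = [
    "Best bonuses today. Visit www . lucky-spin . example and win",
    "Play at vip-tables.example now. Limited offer",
    "Join WWW . Site . Com",
]
SAMPLE_RESOLVED = {"lucky-spin.example": "192.0.2.10",
                   "vip-tables.example": "192.0.2.10"}

if __name__ == "__main__":
    for ip, hosts in hosts_by_ip(SAMPLE_BODIES, SAMPLE_RESOLVED,
                                 tlds=("example", "com")).items():
        print(ip, hosts)
```

Several spam-advertised hostnames grouping under one address, as in the output for 192.0.2.10 here, is the same pattern the honeypot data shows for 61.222.252.99.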



