While looking through some recent customer submissions, a particular filename caught my attention: “googlewaveinvitegenerator.exe”. Google Wave is a new communication application being developed by Google. Many people who missed the initial sign-up for it are now seeking invites to the service, and some attackers have latched onto that demand to push malware. In this case the malware in question is Backdoor.Tidserv. It is worth pointing out that Google Wave was chosen only because of its current popularity; riding on a trusted brand raises the attacker’s chance of success, and this is a technique we see all the time.



This particular campaign tries to trick people who want to get into the Google Wave community by promising not only an application that generates Google Wave invites, but also untold riches from selling those invites to other people who want to ride the Google Wave. This is typical of this kind of marketing campaign: promise the world and deliver nothing. (Just to be clear, the invite generator does not work; all it does is drop the malware.)



This is yet another campaign peddling malware to unsuspecting victims. What is interesting about it is that the attackers accidentally gave valuable insight into how they make these campaigns successful.



Getting the word out there

Figure 1. Example of a spam message on a forum

The hard sell

Figure 2a – The sales pitch

Figure 2b – The Twitter page pushing this malware

Download the malware

Figure 3 – Download page for the malware

Figure 4 – Configuration URLs for XRumer

Figure 5 – Spintax



XRumer – The Swiss Army spam kit

Figure 6 – Cover page of the XRumer Guide

Figure 7 – How to generate keyword lists

Figure 8 – Anonymous VPN advice

Figure 9 – Spintax
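Spintax, shown in the XRumer guide in Figures 5 and 9, is the spinning syntax spam kits use to vary a post: every `{a|b|c}` group is replaced by one of its alternatives (groups may nest), so a single template yields many textually different messages and defeats exact-match duplicate filters. The expander below is an added example, not code from the page or from XRumer; the template `SAMPLE` is a constructed imitation of the forum posts in Figure 1, and `shared_tokens` shows the defensive angle: the words that survive every spin are what a signature should key on.

```python
"""Spintax expander and invariant-token extractor (added example).

Resolves nested groups innermost-first, enumerates every distinct variant,
and computes the tokens common to all of them. SAMPLE is constructed."""
import random
import re

# An innermost spin group: braces with no braces inside.
SPIN_RE = re.compile(r"\{([^{}]*)\}")
TOKEN_RE = re.compile(r"\w+")

# Constructed template imitating the spam in Figure 1 (not a real post).
SAMPLE = (
    "{Get|Grab|Score} {free|unlimited} Google Wave invites {now|today}! "
    "{Download|Get} the {generator|tool} {here|at the link below}."
)


def spin_once(template, seed=None):
    """Produce one random variant, the way a spam kit does per post."""
    rng = random.Random(seed)
    while True:
        m = SPIN_RE.search(template)
        if m is None:
            return template
        choice = rng.choice(m.group(1).split("|"))
        template = template[: m.start()] + choice + template[m.end():]


def expand_all(template):
    """Enumerate every distinct variant (order preserved, duplicates dropped)."""
    m = SPIN_RE.search(template)
    if m is None:
        return [template]
    seen, out = set(), []
    for opt in m.group(1).split("|"):
        resolved = template[: m.start()] + opt + template[m.end():]
        for variant in expand_all(resolved):
            if variant not in seen:
                seen.add(variant)
                out.append(variant)
    return out


def count_variants(template):
    """Number of distinct posts one template can generate."""
    return len(expand_all(template))


def shared_tokens(template):
    """Word tokens present in every variant: the part a signature can rely on."""
    variants = expand_all(template)
    common = set(TOKEN_RE.findall(variants[0]))
    for v in variants[1:]:
        common &= set(TOKEN_RE.findall(v))
    return common


if __name__ == "__main__":
    print(count_variants(SAMPLE), "distinct posts from one template")
    print(spin_once(SAMPLE, seed=7))
    print("always present:", sorted(shared_tokens(SAMPLE)))
```

Six groups with 3, 2, 2, 2, 2 and 2 alternatives give 96 distinct posts, none of which match each other exactly, while "Google", "Wave" and "invites" appear in all of them; a filter built on that invariant skeleton (plus the download URL, which spinning does not change) catches the whole family, whereas a blocklist of seen posts does not.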

Figure 10 – XRumer in action

Figure 11 – Author’s welcome to Club Spam

Figure 12 – Additional information on using the framework to decode CAPTCHAs

Figure 13 – NIS 2010 to the rescue

Figure 14 – The GUI of the malware. This drops Backdoor.Tidserv to the victim’s machine.