ADP Funding Notification – Debit Draft

Weve been quiet recently, but we havent stopped our work. Behind the scenes weve been developing some new tools and techniques that we hope will enable us to more efficiently track the bad guys. We used some of these new tools and techniques in our analysis of a new spam run today that spoofed communications from ADP. We observed spam messages with the subject line “ADP Funding Notification – Debit Draft”. The spam sample we analyzed was sent from – a known Cutwail spambot.

The link in this message directed victims to Note that our bad guys are still using the same /8-random-character/index.html pattern. This page contained the following two malicious javascript redirectors:

These javascripts redirector victims to a Blackhole Exploit kit at This Blackhole exploit kit was hosting at least 9 different malicious payloads. Detected malware payloads identified by MD5 hash included the following:


All of these binaries appear, upon initial inspection, to be Pony downloaders.


One Comment

  1. Posted July 6, 2012 at 3:25 pm | Permalink | Reply

    So what dose it do?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: