PandaLabs has discovered XRumer, a tool designed to post spam and links pointing to web pages infected by malware on forums, websites, blogs, etc. It is sold in different online forums for US$450. According to its creator, XRumer can post over 1100 comments in less than fifteen minutes.
This program works in the following way: First, cyber-crooks specify the message and link they want XRumer to post on the different forums, as well as the user name, email address, etc. with which it must register. Usually, the spam message contains a link to pages infected with malware, even though this tool can also be used to advertise websites through spam.
Then, cyber-crooks search the Internet for pages, blogs or forums that allow visitors to add their comments. To do this, cyber-crooks usually use Hrefer, a tool that uses Internet search engines to find these types of pages, and which can be purchased together with XRumer for an additional US$50. Next, the malicious program registers as a user and publishes its comment.
These websites usually have security measures such as CAPTCHAs (number and letter codes used to check that registration is carried out by a person) or blocking of suspicious IP addresses to prevent automatic registration by robots. XRumer, however, is designed to bypass such security measures. It can recognize text included in several image types, and it has a long list of computers whose IP addresses can be used as proxies, so that the cyber-crooks' own addresses, which could be blocked, are never used.
XRumer can publish comments on sites built with phpBB, PHP-Nuke (with some modification), YaBB, vBulletin, Invision Power Board, IconBoard, UltimateBB, exBB, and phorum.org.
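Because the tool rotates proxy IP addresses but posts the same configured link right after registering, a forum operator can cluster on the link rather than on the source address. The following is an added example, not part of the original article: the event format, the sample data, the function name `flag_link_campaigns` and the thresholds (30 seconds, 3 accounts) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample events, not real data: (seconds, kind, account, ip, body)
EVENTS = [
    (0,    "register", "anna", "198.51.100.7", ""),
    (5400, "post",     "anna", "198.51.100.7", "Thanks, that fixed my install."),
    (6000, "register", "qx81", "203.0.113.10", ""),
    (6004, "post",     "qx81", "203.0.113.10", "Great site! http://spam.example/offer"),
    (6100, "register", "lr22", "192.0.2.55",   ""),
    (6103, "post",     "lr22", "192.0.2.55",   "Nice forum http://spam.example/offer"),
    (6200, "register", "bob",  "198.51.100.9", ""),
    (6900, "post",     "bob",  "198.51.100.9", "Docs are at http://docs.example/setup"),
    (7000, "register", "zz90", "203.0.113.77", ""),
    (7002, "post",     "zz90", "203.0.113.77", "Look: http://spam.example/offer."),
]

def flag_link_campaigns(events, max_delay=30, min_accounts=3):
    """Flag links whose first appearance per account came within max_delay
    seconds of that account's registration, for at least min_accounts
    distinct accounts. Source IPs are reported but never used as the key,
    since proxy rotation makes them unreliable."""
    registered = {}          # account -> registration time
    first_post_seen = set()  # accounts whose first post was already examined
    hits = defaultdict(set)  # url -> {(account, ip)}
    for ts, kind, account, ip, body in sorted(events, key=lambda e: e[0]):
        if kind == "register":
            registered[account] = ts
        elif kind == "post" and account in registered and account not in first_post_seen:
            first_post_seen.add(account)
            if ts - registered[account] > max_delay:
                continue  # human-paced first post; ignore
            for url in URL_RE.findall(body):
                hits[url.rstrip(".,;)")].add((account, ip))
    return {
        url: {"accounts": sorted(a for a, _ in pairs),
              "distinct_ips": len({ip for _, ip in pairs})}
        for url, pairs in hits.items()
        if len({a for a, _ in pairs}) >= min_accounts
    }

if __name__ == "__main__":
    for url, info in flag_link_campaigns(EVENTS).items():
        print(url, info)
```

Flagged links can feed a moderation queue or a first-post link hold, which stays effective when per-IP blocking does not.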