IT Security Blog

28 December 2007

Storm Wishes You a Happy New Year!

In keeping with form, the gang responsible for the Storm Worm (and its many variants) has been releasing updates to coincide with the New Year holiday coming up next Tuesday (they also released some Christmas "joy" on Christmas Eve for those who wanted early "presents").

They've been rotating the domains linked in the email that directs you to the malware download. So far we have seen:

happycards2008.com

newyearcards2008.com

happynewyearcards2008.com

uhavepostcard.com

All of the above sites are currently active except for happynewyearcards2008.com which appears to be offline.

If the link in the email is clicked, it takes you to a site that tells you your download will begin shortly (while in fact it is probing your PC for vulnerabilities to exploit) and that, if the download doesn't start, you should click to download the file manually. Clicking that link downloads the malware, so people end up infecting themselves. Other Storm Worm variants have operated in the same fashion.

The name of the downloaded file is changing as well. Currently the file is happynewyear2008.exe, but previous variants have downloaded happy2008.exe, happy-2008.exe, and happynewyear.exe.
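As an added example (not code from the post or its author), here is a small Python scanner that checks mail bodies or proxy log lines against the domains and file names listed above. The sample lines are constructed, and treating hosts under a listed domain (such as www.) as matches is an assumption of the example, not something the post states.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post above (historical, December 2007).
STORM_DOMAINS = {
    "happycards2008.com", "newyearcards2008.com",
    "happynewyearcards2008.com", "uhavepostcard.com",
}
STORM_FILES = {
    "happynewyear2008.exe", "happy2008.exe",
    "happy-2008.exe", "happynewyear.exe",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def classify_url(url):
    """Return the reasons a URL matches the post's indicators (empty list if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    # Assumption: a listed domain itself or any host under it (e.g. www.<domain>) counts.
    if any(host == d or host.endswith("." + d) for d in STORM_DOMAINS):
        reasons.append("domain:" + host)
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if filename in STORM_FILES:
        reasons.append("file:" + filename)
    return reasons


def scan_lines(lines):
    """Scan mail bodies or proxy log lines; return (line_no, url, reasons) per hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            reasons = classify_url(url.rstrip(".,;)"))
            if reasons:
                hits.append((number, url, reasons))
    return hits


# Constructed sample lines (not real traffic): a lure mail, a proxy log entry, clean links.
SAMPLE_LINES = [
    "Your friend sent you a card! View it at http://happycards2008.com/",
    "2007-12-28 10:02:11 GET http://www.uhavepostcard.com/happynewyear2008.exe 200",
    "Holiday greetings: http://example.com/cards/happy2008.exe",
    "Normal newsletter link: http://example.com/news/2008",
]

if __name__ == "__main__":
    for number, url, reasons in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {url} -> {', '.join(reasons)}")
```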

Have a Happy New Year, but don't party with the Storm Worm Gang!

Posted by smasiello at 1:18 PM | 1 comment

27 December 2007

2007 Year in Review

I realize that I have been a bit lax in my posting over the past couple of weeks with the holidays and having been sick for a goodly amount of time (is any time that you are sick really "good" time?) as well. I thought I would take some time to attempt to bring 2007 to a close with a wrap up of what we have seen this year. I'll probably make some references to our 2008 predictions blog posting as well since some of what we have seen this year will carry over to next and beyond.

2007 will most certainly be known in the anti-spam and anti-malware worlds as the year of the Storm Worm. From late January, when Storm was first discovered, through the end of the year (even this weekend we continued to see new Christmas e-card variants popping up), Storm Worm volumes not only eclipsed every other piece of malcode we saw in our Threat Center, but also surpassed volumes previously seen only during the Sober worm outbreaks of 2005. Because the Storm Worm has been so adept at refining its social engineering tactics and has released new variants primarily around major events like holidays, expect this to continue into 2008, likely morphing into political spam as the presidential races heat up.

Speaking of social engineering, we saw several refinements this year, not only in how it is used as a lure to get a user to open a message, but in how spam mail itself is targeted. Starting in late May and continuing through June (another wave popped up in December), spammers forged emails purporting to be from government agencies like the FTC and non-profits like the Better Business Bureau, making the message look like a complaint being filed against the target company. What made these messages so unusual and effective is that they were targeted and sent directly to C-level executives. If the target opened the attachment or clicked the link in the message body, they were infected with a keylogger that logged any information entered on the infected machine and uploaded it to a web site, where cyber criminals then sold that information for profit.

We also saw a significant shift away from image-based spam, a tactic that had been prevalent in large volumes since December 2005. Image spam had been the big spam story throughout all of 2006 and even into the early part of 2007, reaching almost 40% of spam volume in April of this year. Once it reached its peak, however, it quickly started to decline. As image spam waned, we saw the dawn of a new spam: PDF spam!

PDF spam forced the industry to react quickly and make sure it was treating messages as holistic entities, examining not only message headers and body content but also the content of attachments, to ensure that spam content was not being hidden there.

Although PDF spam volumes were short lived, they highlighted the rapid movement away from image spam, to the point where image spam is currently less than 3% of all spam volume we see. PDF spam also introduced challenges that image spam did not. Not only were messages larger because of the PDF attachment (image spam had the same characteristic, so this in itself was nothing new), but since PDFs must be scanned for potential malcode they also required the system resources of a virus scan. Many more CPU cycles were chewed up processing PDF spam than its image-based predecessor. PDF spam lasted in large quantities for only about a month.

As PDF spam waned, we have seen small increases in other types of attachment-based spam, with spam sometimes appearing within the body of a Word document or an Excel spreadsheet. Volumes of this type of spam are still quite low, but it could easily be leveraged for a wide-scale attack similar to how PDF spam was used. Most tactics have now gone back to what I call "old school" spam, where spammers resort to text obfuscation in an effort to get their junk through spam filters.

So, as you can see, a lot has happened in 2007, and the forecast for 2008 looks to bring new challenges as these existing threats evolve and new ones emerge. If you'd like more information on what we expect to see next year and beyond, feel free to read my 2008 predictions blog. In the meantime, here's hoping everyone has a safe and wonderful holiday season.

Posted by smasiello at 1:56 PM | 2 comments

11 December 2007

Holiday Traffic Increase Finally Here?

Looks like the slow-to-come holiday traffic increase might actually be upon us. Over Sunday and Monday (December 9th and 10th) we saw a 25-30% increase in mail traffic (entirely spam traffic) over what we normally see on those two days, and today is continuing that trend.

Might we finally be seeing the traffic increase that we normally get around this time of year? More to come...

Posted by smasiello at 9:40 AM | 0 comments

Interesting New Use for Viagra

I saw an interesting new use for Viagra come into our abuse mailbox yesterday that I had to share.

Standard Spam Disclaimer: If you believe what you read in spam, I have a small country I'd like to sell you.

It said: "mild dizziness; headache; nasal congestion; diarrhea; Vi.agr.a 1,41 per pill. cheaapest meedications"

The folks who sell "cheaapest meedications" could make quite a bit more money if they marketed Viagra as a Pepto Bismol alternate. Who knew that Viagra could really help all of those things? ...and you thought it was only for folks with erectile dysfunction! :)

Posted by smasiello at 9:33 AM | 0 comments

05 December 2007

2008 Spam/Malware Predictions

As we near the end of another year, I can say with certainty that 2007 will be remembered among spam and malware filtering companies as the year of the Storm Worm. 2005 was the year of the Sober worm, but 2007 has most definitely been owned by Storm and its many variants.

So, as we close out 2007, we start to look forward to 2008. Which 2007 trends do we expect to continue in 2008? What will be new? How will current trends evolve?

Here are some of my random thoughts:

-- We will see an increased prevalence of Web 2.0 attacks.

When we talk about "Web 2.0" we are talking mostly about interactive communities like blogs, wikis, and social networking sites like MySpace and Facebook. Web 2.0 sites provide a richer, more interactive internet experience for their users, extending the internet beyond the typical "download content and view pages" approach and putting users more in control of the content.

From a user experience perspective this is a great idea, but typically whatever makes things easier for the user carries some level of security implication along with it.

As part of the Web 2.0 experience, more code execution is being pushed to the client browser. This doesn't necessarily change the types of attacks that exist in Web 2.0 applications versus Web 1.0 applications (attacks like XSS, SQL injection, and CSRF still exist just as they did before), but those attacks will now manifest in different ways. As such, it will be the application developer's responsibility to be more aware of validating client-side input and to make sure that potentially malicious code never makes it from the "untrusted" user environment into a site's "trusted" backend infrastructure. Cyber criminals will try to exploit any such weaknesses in input validation as much as possible.

-- We will see an increase in "blended threats" in 2008.

If you are not familiar with the term, a "blended threat" is a hybrid threat that mixes the data-stealing capabilities of malware with backdoor botnet capabilities. This means that if you are infected with one of these hybrids, you could have a keylogger installed on your machine that logs your keystrokes and sends your potentially confidential and personally identifiable information to a cyber crook for sale in the underground community, while your machine is also available as a spam zombie that botnet herders can rent out to send spam, viruses, and so on.

The holiday season is a particularly interesting time to see these types of threats, because of the amount of online shopping that takes place in the 5 weeks between Thanksgiving and Christmas. comScore recently released its Cyber Monday 2007 statistics, which showed that $733 million was spent online on Cyber Monday (the Monday after the Thanksgiving weekend) alone. This is obviously a target too large for criminals to ignore.

-- Abuse will continue to move into other forms of communication.

We've already seen some of this in 2007, but it is something we expect to continue not only into 2008 but beyond.

Mobile phone and PDA abuse is already a big problem in places like Europe and Japan. It isn't yet as much of a problem in the United States, but as smartphones move further toward allowing the development and installation of third-party applications, users will need to be continually wary of the security implications of these new conveniences. The line between the PC and the phone becomes blurrier every day, and as such mobile computing devices will soon need the same types of security suites that should be installed on every desktop and laptop PC.

We also expect to see more tele-spam (spam sent via VoIP technologies) and voicemail injection (the compromising of vulnerable VoIP systems to inject spam voicemail directly into a user's voicemail inbox).

In the vein of "targets too large for criminals to ignore", the smartphone industry is expected to be a $250B industry by 2011. You can be sure that cyber criminals will do whatever they can to get a piece of that pie!

-- Continued movement of malware away from email as a primary distribution vector.

This is another trend that we have seen shift over the past year or two. Malware authors have already begun moving from the "push" method of infection that we have talked about previously (where static malware content is pushed to the user as an email attachment) to a "pull" model where users pull the content from a web site, typically lured there by a link in either an email or an instant message.

The Storm Worm is actually a great example of this transition in action. Early versions of the Storm Worm pushed executable file attachments to unsuspecting users which, when opened, would infect the user's PC with Storm. Later variants used social engineering tactics like fake, malicious e-cards to lure people to web sites to download more dynamic pieces of malware.

More and more viruses have followed this trend over the last year or two, and we expect it to continue. By 2009 or 2010 we expect malware distribution by internet pull-based methods to surpass email as a distribution vector, making it the primary method of infection. The email virus is likely never to go away completely, but the dynamic nature of the web as a way to distribute malware carries many advantages that email's static nature does not.

-- More targeted phishing/malware attacks.

What discussion about social engineering would be complete without a mention of the evolution of tactics by cyber criminals in an effort to establish legitimacy with their targets?

Social engineering has always been the key ingredient in the success or failure of any cyber crime campaign. If you do it well, you have a significantly greater chance of success than if you don't. The Storm and Sober worms (the last two really successful email-borne malware campaigns) succeeded because of the social engineering tactics they used (Paris Hilton videos, free World Cup tickets, and e-cards, to name a few). As cyber criminals continue to launch new campaigns, you can be certain that they will refine their social engineering tactics to the point where even the trained eye will have trouble quickly determining the (il)legitimacy of an email.

These attacks will also become more targeted, similar to the government agency scams from earlier this year that were sent primarily to C-level executives. Effective social engineering combined with good targeting virtually ensures that there will always be people who fall for these scams, which will keep spam a virtually 100% profitable venture.

Posted by smasiello at 10:35 AM | 1 comment