
MX Logic » MX Logic IT Security Blog

27 March 2008

New IRS Refund Scam with a Vishing Twist


About an hour ago we started to see yet another new variant of the IRS Refund Scams, this time using "Vishing" or Phish By Phone as a lure.

Here is a sample of the message that we received:

Internal Revenue Service Tax Refund

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $215.

Tax Refund Number:84730004332 - Will Expire on 29 March 2008

Attention!
Tax refunds can be sent only to VISA or Mastercard DEBIT CARDS.

To receive your tax refund please call the IRS Tax Refund Department at: 602-427-5984 .


Internal Revenue Service


Upon calling the number listed in the email (602 is an Arizona area code) you are greeted by a digital voice which introduces itself as the Internal Revenue Service and then asks you to enter your social security number, credit card number, expiration date and PIN.  The interesting thing here is that the recording appears to be a poorly repurposed scam.  After asking for your PIN it tells you to please wait while it is "activating your account".

Wait a minute!  I thought I was getting a refund!

'Tis certainly the season for tax scams and we've been seeing quite a few of them in the Threat Operations Center, ranging from the phishing scams that ask for your credit card number on a fake web site with promises of a refund to malware-based scams that claim to "update the tax software installed on your computer".  We'll likely only see more of them over the next 2-3 weeks as the tax deadline nears.  I would also expect to see similar types of scams with promises of things like advances on your economic stimulus payments as we get closer to early May, which is when the initial payments are scheduled to be distributed.

Posted by smasiello at 8:51 PM | Link | 1 comment
20 March 2008

Surf Child Porn (or not?), Go To Jail


I was forwarded this article this morning regarding an FBI sting operation using fake web links in an effort to catch people who surf to child porn sites.  I am all for prosecuting people who are breaking the law, particularly in relation to offenses relating to child porn, but the method described in the article has an uncomfortably high potential for false positives.

For starters, web sites are in the public domain and are accessible by anyone, anywhere, and at anytime regardless of how they got there.  How is the FBI to know that you found the web site as a result of one of their email lures and didn't stumble upon it some other way having no original intention to visit a child porn site?  Have you ever found yourself on a porn site or some other site that you weren't expecting as a result of a mistyped URL, unintended mouse click, or deceptive web site?  Sure you have! 

The article mentions another real possibility of accessing the site via an unsecured wireless connection.  Could you frame your neighbor with the dog that barks all day that you don't like by jumping on his open wireless network and surfing to this mousetrap site?  What if a bot on your PC was emulating clickthroughs to the site in an attempt to throw authorities on a wild goose chase?

I agree with the author where he states that this potentially sets a dangerous precedent if this type of surveillance continues to be allowed to stand up as evidence.  Granted, we've all heard the "someone must have been using my wireless network" and "I must have had malware on my PC" defenses before, but this situation could have some serious federal level consequences.  Sounds dangerous to me!
Posted by smasiello at 12:45 PM | Link | 1 comment
19 March 2008

Does it Cost Extra for the iPod Without Malware?


Whether it is iPods being shipped with malware, digital picture frames, navigation systems, or hard drives, the number of incidents of electronic equipment being shipped from the manufacturer with malware is disturbing!

How does this happen?  This is typically a by-product of PCs that are used for things that are outside their intended business purpose.  For example, if a computer's primary business function is to load software onto a digital picture frame or to test the ability of a computer to connect to and transfer files to the frame, then those should be the only parameters by which that machine is used.  It should not be used to plug in external USB drives, download videos and music off of the internet, or to surf porn sites.  Any of these activities are vectors of unnecessary risk and could end up infecting the PC with malware which will subsequently get passed onto other devices.

As the line between what is known as a PC and what actually runs the same type of software as your PC continues to blur, you can expect to see more of these types of incidents occurring.  This is unfortunate because as we have become more dependent on technology in our everyday lives, and as the devices that we use have become more advanced, our level of confidence in those devices to function in a safe, secure, stable manner has declined significantly.  These sorts of compromises represent one of the biggest new threats to corporate networks and will be another one of the avenues used more prevalently by cyber criminals to steal sensitive, confidential, and personal information as malware continues its evolutionary process.

Posted by smasiello at 2:48 PM | Link | 0 comments
18 March 2008

Soloway Pleads Guilty, Faces Up to 26 Years in Prison


Back in May, 2007 Robert Alan Soloway, a "Spam King" (as he was dubbed) was arrested on criminal charges by the Justice Department (read the original blog post with my thoughts on this event) and at the time there was a lot of discussion amongst the media as to whether or not this was a significant event.  Would spam volumes fall?  What effect would it have on the spammer community?  Have we won a major battle in the fight against email and internet pollution?

My opinion then was that it wouldn't have an effect and the numbers over the past 10 months since his arrest have backed up that claim.  Since May, 2007 email spam volumes have actually increased by about 150%! 
So, did this have an effect on the spammer community?  Clearly not from the standpoint of the cyber criminal's use of email as an effective delivery vehicle.  If it had any effect at all, it was from the perspective of further emphasizing that spammers should remain as behind the scenes and as stealthy as possible.  Soloway very much bucked the trend in this regard and even went so far as to mock a lawsuit filed against his company by Microsoft.

Based on Soloway's guilty plea he faces up to 26 years in prison.  His sentencing is scheduled for June 20th.  So, the question remains: "Have we won a major battle in the fight against email and internet pollution?"  I believe the answer to the question is "Yes", but true success in this war is clearly not defined by victories in small, individual battles.  For every spammer arrested, prosecuted, and fined there are many others ready and willing to carry the torch.



Posted by smasiello at 10:01 AM | Link | 0 comments
17 March 2008

...Speaking of Malicious Attachments In Google Spam


Just had this come across one of our honeypots a few minutes ago: Google spam linking to an infected executable file. 

So far AV detection is pretty spotty, and among the engines that do identify it, the result typically falls under a "generic detection" category.



Antivirus           Version  Last Update  Result
AhnLab-V3           -        -            -
AntiVir             -        -            TR/Crypt.XPACK.Gen
Authentium          -        -            -
Avast               -        -            -
AVG                 -        -            Generic10.BID
BitDefender         -        -            MemScan:Trojan.Downloader.Exchanger.C
CAT-QuickHeal       -        -            (Suspicious) - DNAScan
ClamAV              -        -            -
DrWeb               -        -            -
eSafe               -        -            Suspicious File
eTrust-Vet          -        -            -
Ewido               -        -            -
FileAdvisor         -        -            -
Fortinet            -        -            W32/Tibs.WA!tr.dldr
F-Prot              -        -            W32/Tibs.K.gen!Eldorado
F-Secure            -        -            Trojan-Downloader.Win32.Agent.ljx
Ikarus              -        -            Trojan-Downloader.Win32.Agent.ljx
Kaspersky           -        -            Trojan-Downloader.Win32.Agent.ljx
McAfee              -        -            -
Microsoft           -        -            -
NOD32v2             -        -            Win32/Agent.ETH
Norman              -        -            -
Panda               -        -            -
Prevx1              -        -            Trojan.Downloader
Rising              -        -            -
Sophos              -        -            Troj/Exchan-B
Sunbelt             -        -            -
Symantec            -        -            Downloader
TheHacker           -        -            -
VBA32               -        -            suspected of Downloader.Zlob.8
VirusBuster         -        -            Trojan.Zlob.GMQ
Webwasher-Gateway   -        -            Trojan.Crypt.XPACK.Gen

The spam itself has a porn twist to it (as opposed to the health and pill related spam that we usually see).  The sample that landed in our honeypot has a subject of "Rihanna Exposed" and a short message body which reads "Download and Watch", which links to the malware (abusing Google) at http://www.google.com/pagead/iclk?sa=l&ai=HvlJeh&num=33195&adurl=http://REDACTED.pl/video.exe (redacted since the site is still hosting live malware).


Posted by smasiello at 4:01 PM | Link | 0 comments
10 March 2008

Malicious Attachments via Google Spam


Over the last few weeks we have seen a significant increase in what is known as Google Spam in the Threat Operations Center; sometimes peaking at almost 5% of our overall spam volume.
Google spam is defined as spam that abuses the Google PageRank system by artificially inflating the ranking of a spam site.  Once a spam site has been ranked on the top of the Google search engine based on certain keywords, spam blasts are sent out which craft URLs that query on these keywords and emulate the Google "I'm Feeling Lucky" button which automatically redirects users to the query's top ranking site. 

Most of the Google spam that we have seen thus far redirects to different variations of pharmacy sites pushing pills and enhancement products, typical to most health related spam.

One element of Google spam that hasn't received much attention, however, is the potential for attachment based malware distribution via this tactic.  The potential for drive-by malware download as a result of malicious javascript or iframes is obvious and well documented, but another potential threat vector is the possibility of Google Spam directing a user to a malicious PDF.

Many users by default have their PCs setup to automatically open common attachment types like PDFs without so much as a confirmation box asking the user whether or not they are sure they want to open the file.  This convenient feature is a wide open hole for malware injection, especially considering the PDF exploits that have been published over the last several months. 

To better protect themselves users should not be allowing any attachment type to be opened by default, no matter how common.  Although it might be an inconvenience to have to click a button on a confirmation dialog every time we open file types that we are used to using and that we may open 50 times per day, it at least puts one more step between ourselves and potentially malicious downloads.  Allowing any file to be opened on your PC without your prior knowledge and consent enables a level of trust from an untrusted network that should never exist.
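The two Google spam forms described on this page (the "I'm Feeling Lucky" style search redirect, and the pagead/iclk link with an adurl pointing at an executable from the 17 March sample) can be picked out of a message body with a small mail-filter check.  The code below is an added example, not MX Logic's filter; the "/url" path, the "url" and "q" destination parameters and the sample message body are assumptions or constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Google paths that forward the browser somewhere else. "/search" with btnI is
# the "I'm Feeling Lucky" button (jumps to the top-ranked result for the query);
# "/pagead/iclk" forwards to the address in "adurl" (the form in the 17 March
# sample). Treating "/url" the same way is an assumption.
REDIRECT_PATHS = ("/pagead/iclk", "/url")
DEST_PARAMS = ("adurl", "url", "q")          # parameters that can carry a destination
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def google_redirect_verdict(url):
    """Classify one URL: 'clean', 'lucky-redirect', 'open-redirect' or 'malware-redirect'."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host != "google.com" and not host.endswith(".google.com"):
        return "clean"                       # only Google-hosted links are in scope here
    qs = parse_qs(p.query)
    if p.path == "/search" and "btnI" in qs:
        return "lucky-redirect"              # user lands on whatever ranks first for q
    if p.path in REDIRECT_PATHS:
        for name in DEST_PARAMS:
            dest = urlparse(qs.get(name, [""])[0])
            if dest.scheme in ("http", "https") and dest.hostname \
                    and not dest.hostname.endswith("google.com"):
                # Google is only a hop; flag harder when the hop ends in an executable.
                return "malware-redirect" if EXEC_EXT.search(dest.path) else "open-redirect"
    return "clean"

def scan_message(body):
    """Return [(url, verdict)] for every link in a message body that is not clean."""
    hits = []
    for url in URL_RE.findall(body):
        verdict = google_redirect_verdict(url)
        if verdict != "clean":
            hits.append((url, verdict))
    return hits

# Constructed sample body: the first link is the redacted form quoted on this
# page, the second emulates the "I'm Feeling Lucky" button, the third is ordinary.
SAMPLE_BODY = """Rihanna Exposed
Download and Watch http://www.google.com/pagead/iclk?sa=l&ai=HvlJeh&num=33195&adurl=http://REDACTED.pl/video.exe
Also see http://www.google.com/search?q=cheap+pills+fast&btnI=1
Help: http://www.google.com/search?q=mx+logic
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_BODY):
        print(verdict, url)
```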
Posted by smasiello at 4:39 PM | Link | 0 comments
06 March 2008

Another New IRS Malware Scam


Tax Season is here and the IRS scams just keep on coming.  We've already seen and talked about many different variants of the IRS phishing emails that say you are due a refund that they will gladly refund to your credit card, but now it appears that the scams have moved into malware downloads.

We've seen a new IRS scam over the past couple of days which is trying to trick users into thinking that they need to update the tax software on their system.  Why would the IRS care what tax software you have on your system or if you have any at all?  Of course, the real answer is, "They don't." 

An example of the message that we are seeing:

Dear Tax Payer, 
As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.
To begin the update, please visit hxxp://nzkaa . info and click "Open" when asked how to begin the download.
After doing so, no further action is required on your part.

Thank you for your cooperation,
IRS.GOV Agent #4[3

The URL above is obfuscated in the event that it is still hosting malware.  At the time that I visited the site it appeared as if it had been taken down, however the registration of the domain is still active, so it is possible that it could move to another IP and be a malignant site again. 

A couple of interesting/humorous things about this new spam:

-- Every spam message that has hit our systems relating to this scam has come from the same IP address: 92.48.88.145, an IP out of the UK (I wasn't aware that the IRS had offshored their email distribution :) )
-- The web site in the spam is currently (subject to change while the domain is still active) being hosted on an IP out of the Bahamas.  Another thing the government has decided to offshore, apparently.
-- Every message has HELO'd (the start of the SMTP conversation) as "Exploit".  At least they're honest :)

As with the other government agency scams that we have seen to date, volume is low.  The MX Logic Threat Operations Center processed around 2,000 of these messages on 2/4, 1,600 on 2/5, and about 550 so far today (as of 1pm MST). 
As with the IRS and other government agency scams that have preceded this one, remember that the government does not send personal email to alert you of software updates, refunds, or any other official matter.  The IRS knows how to get a hold of you if they need to do so.

Posted by smasiello at 1:21 PM | Link | 1 comment
05 March 2008

Hacktivism Meets Malware


I came across an article this morning on the SC Magazine site talking about a new virus called "MonaRonaDona" which takes a bit of a different twist when put next to most strains of malware released over the past couple of years. 

As we know, malware made the move a few years ago from a vehicle used to achieve fame or notoriety to a method used to make large amounts of money.  Similar to how MBR rootkits are a bit of a throwback to a time when attacking the MBR was a popular method of virus infection, the MonaRonaDona worm is a throwback to the time when worms were written mostly for recognition.  Granted, there is a financial component to MonaRonaDona as well, but it is not likely to be very successful.

MonaRonaDona appears to be spreading via malicious advertisements being posted on web sites.  The user will not know they are infected until they reboot their machine when they will receive a popup that states: "Hi, My name is MonaRonaDona. I am a Virus and I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humanity."  This malware will also prevent the user from opening common programs on their PC such as Microsoft Office and Adobe applications.

Very noble, but I fail to see how preventing me from opening Word does anything to remedy crimes against humanity in places like Darfur.

Part of the intention of the worm author as well is to socially engineer the user of the infected PC to perform a search in the Google search engine for the name of the worm.  Among other fake sites engineered by the malware authors is a site to purchase a product named Unigray.  For $40 Unigray alleges that it can clean your PC of MonaRonaDona.  Of course, all it really cleans is your wallet out of $40 :)

Personally, this worm seems like a lot of work for what will likely be very little reward.  It is different though, especially with the hacktivism angle, from most other malware which makes it interesting. 

We've discussed before that we expect to see more political based spam as the presidential election year wears on, especially closer to Democratic and Republican convention times.  Expect to see more political based hacktivism type malware lures as the year progresses and as the race for the White House intensifies.  As we saw with the Ron Paul spam last November, the stage has been set to use spam as a method for propaganda distribution pertaining to the upcoming election!

Posted by smasiello at 11:03 AM | Link | 0 comments
© MX Logic, Inc.