IT Security Blog

27 February 2009

The Many Phases of Waledac


Over the past several weeks we have been watching the Waledac botnet go through a couple of different phases.  Back in late January we reported on Waledac returning to its familiar roots: sending out spam that links to malware-hosting web sites.  Frequently these messages were tied to some sort of holiday and used e-cards as the lure to get potential victims to open the email and visit the malicious site. 

We saw a couple of different iterations of the most recent Valentine's Day campaigns.  One was for a "Valentine Devkit" (see the above link) and another was a lure for the ever-popular e-card.  Since February 22nd, Waledac has taken a different twist on its typical holiday themes and focused its efforts on something just as timely: the economy.  The Waledac crew made a copy of a legitimate web site that focuses on helping you save money (who wouldn't want to do that given current economic conditions?), couponizer.com, and sent out emails linking to their spoofed lookalike sites.  As with many other Waledac/Storm generated web sites, just about everything on the page is an image.  This is generally a dead giveaway to those who have been tracking Waledac/Storm for some time, but it is a detail that is likely lost on most users, who are unaware they are being duped.  These images link to a binary executable file which, when downloaded and run by the user, enlists their PC in the botnet. 

Below is a screenshot representation of the fake couponizer site:



Take a moment to visit the real couponizer.com and you will notice that the lookalike and legitimate sites bear some similarity.
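The "everything on the page is an image, and every image links to a binary" trait described above can be turned into a simple page-level check.  The following is an added example, not code from this post or from MX Logic: it parses an HTML page, counts visible text and images, and flags pages where images link straight to an executable.  Both sample pages are constructed for the example; neither is the real spoofed couponizer site, and the text threshold and extension list are assumptions a deployment would tune.

```python
"""Heuristic check for Waledac/Storm-style lookalike landing pages.

Added example; this is not code from the original post or from MX Logic. It
scores an HTML page on the two traits the post describes: almost no real text
(everything on the page is an image) and images that link straight to an
executable download. Both sample pages below are constructed for the example;
neither is the real spoofed couponizer site.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File extensions treated as "binary executable" downloads (assumption: a
# real deployment would also check Content-Type and magic bytes on fetch).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat")


def is_executable_url(href):
    """True when the URL path ends in an executable extension."""
    return urlsplit(href).path.lower().endswith(EXECUTABLE_EXTENSIONS)


class PageStats(HTMLParser):
    """Collect visible text length, image count and image->executable links."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.image_count = 0
        self.exe_links = []      # hrefs of executable links that wrap an <img>
        self._href_stack = []    # hrefs of currently open <a> tags
        self._skip_depth = 0     # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "a":
            self._href_stack.append(attrs.get("href") or "")
        elif tag == "img":
            self.image_count += 1
            # An image wrapped in a link to an executable is the signature trait.
            if self._href_stack and is_executable_url(self._href_stack[-1]):
                self.exe_links.append(self._href_stack[-1])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1
        elif tag == "a" and self._href_stack:
            self._href_stack.pop()

    def handle_data(self, data):
        # Script and style bodies are not visible text; everything else is.
        if not self._skip_depth:
            self.text_chars += len(data.strip())


def analyse_page(html, max_text_chars=200):
    """Return page statistics and a verdict.

    The page is flagged when it carries images, almost no visible text, and at
    least one image links to an executable. max_text_chars is a tunable
    threshold chosen for this example.
    """
    stats = PageStats()
    stats.feed(html)
    stats.close()
    suspicious = (stats.image_count > 0
                  and stats.text_chars < max_text_chars
                  and bool(stats.exe_links))
    return {
        "text_chars": stats.text_chars,
        "image_count": stats.image_count,
        "exe_links": sorted(set(stats.exe_links)),
        "suspicious": suspicious,
    }


# Constructed sample: the whole page is three images, each linking to a binary.
SAMPLE_LURE = """
<html><head><title>Coupons</title><style>body{margin:0}</style></head>
<body>
<a href="/coupons.exe"><img src="header.jpg"></a>
<a href="/coupons.exe"><img src="body.jpg"></a>
<a href="/coupons.exe"><img src="footer.jpg"></a>
</body></html>
"""

# Constructed sample: an ordinary text-heavy page whose only image is a logo.
SAMPLE_NORMAL = """
<html><body>
<h1>Save money with printable coupons</h1>
<p>Browse hundreds of grocery coupons, sorted by store and category.
Print the ones you want and bring them to the register.</p>
<a href="/about.html"><img src="logo.png"></a>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("lure", SAMPLE_LURE), ("normal", SAMPLE_NORMAL)):
        print(name, analyse_page(page))
```

The check only looks at the link target's extension, so it catches the pattern the post describes (image links to an .exe) but not a download served from a .php or .htm URL; on a live fetch you would also inspect the Content-Type and the first bytes of the response before deciding.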

Since this new variant launched, the MX Logic Threat Operations Center has been processing about 15,000 of these messages per hour, a trend that continues 5 days after the tactic's original launch.

Below is a graph that illustrates volumes and shifts in Waledac tactics since 1/23/2009 (the date we started tracking the Devkit variant):



You'll notice that there is no overlap in tactics as Waledac shifts from one template to the next.  The Valentine's e-card tactic started on February 9th and the latest Couponizer spoof started on February 22nd.

Another interesting thing to notice from the graph is that we actually saw more Valentine's day e-card spam coming from Waledac AFTER Valentine's Day than before. 

Nevertheless, it is clear that the Waledac folks are working very hard to build their botnet back up to the levels it was at prior to Microsoft's September 2007 MSRT update, which Microsoft claims was largely responsible for taking down its predecessor, Storm.  This botnet clearly isn't just about holidays anymore. 


Posted by smasiello at 3:40 PM | Link | 1 comment
25 February 2009

New Classmates Themed Spam Links to Malware Site


Starting earlier this morning, our Threat Operations Center began tracking a new Classmates.com themed spam email that links to a video site hosting malware. 

The sample messages we have received have a From line that spoofs the classmates.com domain and appears in your mail client as "Classmates [random word] Center", where [random word] is a word like "updates" or "manager".  So it would appear as "Classmates updates Center" or "Classmates manager Center"; note that "Classmates" and "Center" are capitalized while the inserted middle word is not.

The message content is fairly static, with a few variations between the samples.  Below is a copy of one of the emails:

Special video report February 25, 2009:

One of your classmates has sent you a video invitation:
"Read the story and see photos of my wedding and our tour,Please discover our video invitation to your family. I hope to get back from you soon..."

Proceed to open full message text:

hxxp://classmates.registration.history.messagecentre-nrb7dkn5g.session764.com/videoL83.htm?/initiated/INVITATION=96ots3jbdyachqc


Sincerely, Corine Sutherland.
2009 Classmates Organisation Message Centre.


The elements we have seen vary between samples are the link to the malware site and the name in the closing of the message. 

Once clicked, the user is brought to a classmates.com-branded site with a link to an executable file posing as a video.  The file downloaded is named "Adobemedia10.exe". 
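The sender and the link in this run disagree: the From line claims classmates.com, while the link hostname only embeds "classmates" as a subdomain label of an unrelated domain (session764.com).  The following is an added example, not the Threat Operations Center's tooling, that checks a raw message for exactly that mismatch and for the "Classmates <word> Center" display-name template.  The spam sample is constructed from the text quoted above (the sender address noreply@classmates.com is an assumed value; the URL is the defanged one from the post), and the "registrable domain" is approximated as the last two labels of the hostname, which is an assumption; a real deployment would use the Public Suffix List.

```python
"""Brand-mismatch check for the Classmates-themed run described above.

Added example; this is not the Threat Operations Center's tooling. It parses a
raw message, reads the From header and every URL in the body, and flags
messages where the sender claims a brand (here classmates.com) but the links
lead to a different registrable domain that merely embeds the brand as a
subdomain label. The sender address in the spam sample is an assumed value;
the link is the defanged URL quoted in the post. The registrable domain is
approximated as the last two labels (assumption; use the Public Suffix List
in production).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Matches http(s) URLs and the hxxp form used to defang them.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)
# The display-name template the post describes: "Classmates <word> Center".
TEMPLATE_RE = re.compile(r"Classmates \w+ Center")


def refang(url):
    """Turn a defanged hxxp:// URL back into http:// for parsing."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of the hostname (assumption: no multi-label suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_brand_mismatch(raw_message, brand, brand_domain):
    """Return the sender claim, template match and every mismatched link."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    claims_brand = brand in display_name.lower() or sender_domain == brand_domain
    mismatches = []
    for url in URL_RE.findall(body_text(msg)):
        host = (urlsplit(refang(url)).hostname or "").lower()
        reg = registrable_domain(host)
        # Brand word present somewhere in the hostname, but the domain that
        # actually owns the site is not the brand's own domain.
        if claims_brand and brand in host and reg != brand_domain:
            mismatches.append({"url": url, "host": host, "registrable_domain": reg})
    return {
        "display_name": display_name,
        "sender_domain": sender_domain,
        "claims_brand": claims_brand,
        "template_match": bool(TEMPLATE_RE.fullmatch(display_name)),
        "mismatches": mismatches,
    }


# Constructed from the message quoted in the post; sender address is assumed.
SAMPLE_SPAM = """From: "Classmates updates Center" <noreply@classmates.com>
To: victim@example.com
Subject: 2009 Classmates - Annual Meeting

Special video report February 25, 2009:

One of your classmates has sent you a video invitation:
"Read the story and see photos of my wedding and our tour,Please discover our video invitation to your family. I hope to get back from you soon..."

Proceed to open full message text:

hxxp://classmates.registration.history.messagecentre-nrb7dkn5g.session764.com/videoL83.htm?/initiated/INVITATION=96ots3jbdyachqc

Sincerely, Corine Sutherland.
2009 Classmates Organisation Message Centre.
"""

# Constructed control: a message that links only to the brand's own domain.
SAMPLE_LEGIT = """From: "Classmates" <noreply@classmates.com>
To: victim@example.com
Subject: Your weekly update

See who visited your profile: http://www.classmates.com/profile/updates
"""

if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(name, check_brand_mismatch(raw, "classmates", "classmates.com"))
```

This rule is deliberately narrow: it fires only when the brand word appears in a hostname whose owning domain is not the brand's, which is the trick used in this run.  A link to a completely unrelated domain is not flagged here, since plenty of legitimate brand mail links to third-party tracking domains; that case needs a reputation or allow-list check rather than a string rule.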




Volumes have ranged from 30,000 to 70,000 messages per hour since the 6am MST hour this morning. 





The subject lines that we have observed associated with this campaign are:

2009 Annual Meeting

2009 Classmates - 2009 Meeting

2009 Classmates - Annual Meeting

2009 Classmates - Getting Video

2009 Classmates - Ill have more to say about the specifics of the meeting soon

2009 Classmates - Meetings

2009 Classmates - Save video fragments from movies with the simplicity of pressing ...

2009 Classmates Annual Meeting

2009 Classmates Annual Meeting -- Coming Soon! - Modern ...

2009 Classmates Annual Meeting & Exposition

2009 Classmates ANNUAL MEETING March 11, 2009

2009 Classmates Annual Meeting.

2009 Classmates FREE VIDEO CONFERENCING,

2009 Classmates Meeting Registration, Registration information, coming soon. ...

2009 Classmates Online Meeting - Fast. Easy. Secure

2009 Classmates start searching for friends, classmates, family

2009 Classmates TOLL FREE AUDIO, ONLINE …

2009 Classmates Video Conferencing and Online Meeting Services

2009 Classmates Videos

2009 Classmates WEB CONFERENCING,

Annual 2009 Classmates Meeting has become the premier meeting

Annual Meeting - 2009 Classmates

Classmates 2009 Annual Meeting March 4-7

Classmates annual meeting as soon as possible - invitation

Get to Know Your Classmates - What Works

Greetings fellow members of the 2009 Classmates

Helping Classmates Understand invitations 2009 Classmates

Invite Your Friends and Get invited! 2009 Classmates

Meet your classmates -- join our social network

News > Coming Soon—2009 Classmates Annual Meeting.

One of your classmates have 4 kids...

One of your classmates have airplan...

One of your classmates have limo...

One of your classmates invitation...

One of your classmates lost...

One of your classmates old photos...

One of your classmates sent invitation to you...

One of your classmates wedding...

Save The Date! 2009 Classmates Annual Meeting soon.

Video Clips- 2009 Classmates!

What are your ol' classmates up to? > General Family & Friends ...

What is an Annual Return? 2009 Classmates



Any new variants will be posted as they become available in addition to any changes in volume.

Posted by smasiello at 2:23 PM | Link | 1 comment
24 February 2009

Adobe Releases Patch for Vulnerabilities in Flash Player


Today Adobe released a patch for several vulnerabilities in Flash Player (versions 10.0.12.36 and earlier), the most serious of which allows a specially crafted SWF file to trigger a buffer overflow and execute arbitrary code on an unpatched system.  The update also fixes an input validation issue that could result in a denial of service, mitigates a couple of clickjacking issues, and addresses a potential privilege escalation issue.

It was not clear from the advisory whether or not there is code in the wild currently exploiting any of these vulnerabilities (although I could not find any other announcements that would lead me to believe that exploit code exists).  I believe that this begs the question as to why a Flash Player update is being released in advance of any malicious code when verified exploit code is already in the wild for Acrobat and Acrobat Reader.  I am all for releasing patches proactively, but I would like to see an explanation from Adobe as well as to why we still have to wait 2+ weeks for the Acrobat [Reader] updates.  I don't quite understand the prioritization here.
Posted by smasiello at 3:37 PM | Link | 0 comments
23 February 2009

SANS Institute Publishes Top Security Actions List


Following up on January's publication of the Top 25 Most Dangerous Programming Errors, the SANS Institute today released Draft 1.0 of the Consensus Audit Guidelines (CAG), a set of recommendations that organizations should implement to improve their security posture.

Strong coding standards and network security best practices can go a long way towards improving your security posture as an organization.  These published practices provide a solid roadmap to help you get there. 

As with the Top Programming Errors list, I do not believe that anything in the CAG is revolutionary in its thinking, but at the same time it provides a starting point for companies who are looking for a checklist of items to implement to make themselves less vulnerable to a successful attack by a cyber criminal.  Another nice thing about this list is that it breaks its recommendations down into several categories, from Quick Wins to Advanced.  This type of categorization is especially important for those who are just starting their security programs and wish to show quick, meaningful successes to their executive teams.  These small, early wins can help build executive support, a crucial element to the success of any security program.

The CAG is broken up into 20 individual controls ranging from internal hardware and software inventories to vulnerability testing and remediation and wireless device control.  Each control is introduced by a description of how attackers take advantage of the absence of these best practices.  This is followed by a categorized outline of each of the recommendations for that control and how to measure its effectiveness.  Using this information an IT Manager can start to answer the "What", "Why", and "How" questions that go into making a strong business case for implementing these practices.

As experienced security professionals, it is important that we take neither the CAG nor the Top 25 Programming Errors list for granted.  These types of guidelines are not always as well known or practiced as we might expect.  That isn't to say that everyone should go out of their way to implement every single one of these practices either.  Identify the guidelines that are most pertinent to your organization, map out a plan, and hold people responsible for making sure they are carried out.  If you are just starting out in your security career or with your security program, you have an increasing number of tools at your disposal to help increase your chances of success.  Use them wisely and reap the rewards of building a solid security program and culture within your organization.
Posted by smasiello at 9:21 PM | Link | 0 comments
20 February 2009

Back in the Saddle after MAAWG


It's nice to be back home after a long, but very productive week in San Francisco for the 15th General Meeting of the Messaging Anti Abuse Working Group (MAAWG). 

Thanks to a delayed flight out of Denver on Monday morning I arrived in San Fran that afternoon only about 90 minutes before an afternoon of pre-meeting meetings were to begin.  The meetings were worth it because they were followed by a wonderful dinner with Paul Vixie, Joe St Sauver, Steve Champeon, Suresh, and many others who I either knew or got the opportunity to know better.

Once the conference got rolling there were many informative sessions with a wide ranging variety of experts from many fields.  Having been to just about every MAAWG since I think meeting #3 a few years ago, I can honestly say that I think this was one of the best MAAWG meetings to date, and that isn't because I either moderated or was a panelist in 3 of the sessions either :-D

I know that I have said this before, but if you are some flavor of xSP and are not currently attending the MAAWG sessions, you are missing out.  We have a lot of fun when the day is done, but we have been getting a lot accomplished as well.  The group has built up quite a head of steam over the past couple of years and is really moving forward with some great initiatives with motivated people from across the anti-abuse industry leading the charge.  Unfortunately, if you want more information, you'll need to start attending the meetings. *wink nudge*

For more information about MAAWG, please visit www.maawg.org.

Follow me on Twitter.
Posted by smasiello at 2:50 PM | Link | 0 comments

New Adobe Acrobat (and Reader) 0-day Announced by Adobe


Adobe has released a security bulletin warning users of a new vulnerability found in both their Acrobat and Acrobat Reader products for which an exploit is currently available in the wild.

According to a post by the folks over at shadowserver.org, the exploit relies on JavaScript, so in the meantime it is recommended that you disable JavaScript in Adobe Acrobat and Adobe Reader in order to mitigate this vulnerability.

Adobe is aware of the problem and is said to be releasing an update to fix versions 9.x on March 11, 2009 with an update for 8.x versions shortly afterward followed later by 7.x updates. 

If you wish to signup for security alerts from Adobe on their products so that you can be alerted when new security advisories are posted you can do so here.

In an article posted today by SC Magazine, André DiMino, founder and director of shadowserver.org, warned that he expects exploitation of this vulnerability to be widespread based on users' frequent willingness to trust and open PDFs.  I would agree. 
Posted by smasiello at 2:30 PM | Link | 0 comments
11 February 2009

Microsoft Targets Srizbi with MSRT


Microsoft has announced that they have added Srizbi botnet detection to their Malicious Software Removal Tool (MSRT) with its latest update.  As mentioned in the article, Microsoft claimed victory over the Storm botnet by cleaning up over 91,000 Storm-infected PCs within 24 hours of their initial Storm heuristics being released back in September 2007.

As when the original Storm botnet was mostly eradicated, Srizbi isn't a major player in the spam wars these days.  The Srizbi botnet never quite recovered from its days as one of the most prevalent spam botnets after McColo was shut down back in November.  The Cutwail and Mega-D botnets, which were also largely affected by McColo, are doing quite well for themselves, however.

As Joe Stewart said in the article, Microsoft would have been better served going after one of the newer botnets on the scene, like Xarvester or Donbot, or even Cutwail or Mega-D.  With all of the news surrounding Conficker and how that botnet still lies in wait to come alive, that would be another prime candidate to target.  I agree with Joe that it will be nice to get these machines cleaned up, but it isn't going to have an effect on spam volumes.
Posted by smasiello at 2:04 PM | Link | 1 comment
09 February 2009

Another Waledac Valentine's Day Spam Run Has Started


It looks like the Waledac botnet folks are at it again...new e-card spam with links to malware using a Valentine's Day theme.

The email itself is your standard-fare Valentine's Day e-card lure (subject lines start with "You've got an e-card at <random greeting card domain>"); however, differing from many previous incarnations of e-card spam, the From address does not try to spoof any of the common greeting card web sites (mistake number 1):

----------------------------------------
Ted just mailed to you an Online greeting card and wrote this to you:
"You're So Sweet!"

You may pick it up from:
hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
Your eCard will be available for the next 20 days.
----------------------------------------

We have also seen samples of this tactic linking to yourgreatlove.com, a known Waledac domain. 

Clicking the link in the email will bring you to a cute web site with puppies giving you "the eyes" enticing you to download their malware:



Clearly there is a disconnect between the email which is telling you to pick up your e-card and the web site which is asking you to download a "Valentine Devkit" (mistake number 2).  As a result of this perceived error, volumes are very low (only a few here and there thus far), but this does appear to be a sign that the Waledac gang is gearing up for some kind of Valentine's Day campaign. 

The commercial AV guys don't appear to be up on this one yet so keep your eyes open!  We'll be monitoring the Waledac guys up to and through Valentine's Day this weekend and will post any new variants that we see coming from these guys here.
Posted by smasiello at 10:21 AM | Link | 1 comment

Microsoft Backs Down, Will Patch Windows 7 UAC Security Flaw


One of the topics we discussed during Episode 18 of the Security Buzz podcast (and also reported elsewhere, like here) was a reported design flaw in the Windows 7 UAC (Microsoft said this was working as designed, albeit poor design): changing the UAC notification settings did not itself trigger a confirmation prompt.  This left the door open for malicious code to come in and set UAC notifications to never prompt for confirmation when system changes are made (proof of concept code is available online; buyer beware, as this code WILL change your UAC settings, so be sure to change them back!).  So, not only would you no longer receive notifications going forward, but because of this design flaw you wouldn't be prompted before the initial change was made either. 

Microsoft had said that this feature would not be changed prior to the next release of Windows 7, but in the face of public scrutiny has decided to back down from that stance.  There are a lot of philosophical discussions as to whether or not UAC, originally introduced in Windows Vista, actually improves security at all.  If this feature is going to be the most in-your-face, user-visible element of the operating system's security, they had better darn well get it right.  In my opinion, this was a good move by Microsoft.
Posted by smasiello at 9:56 AM | Link | 0 comments
05 February 2009

Your Car, Yet Another Way to Spread Malware


Here's a great story about social engineering from the folks over at the Internet Storm Center that begins with fake parking tickets being placed on car windshields.  The recipient of the "ticket" is then asked to visit a web site to get more information about the ticket.  When the "offender" visits the web site, they see photos of various cars parked in parking lots.

The article gives much more detailed information about how the plan was carried out and some of the technical analysis of the malware, if you are interested. 

The lure of putting a fake parking ticket on someone's car is certainly something new and different (and probably duped a few people).  Based on the described behavior of the BHO that was installed, which tries to get users to download a fake antivirus application, this tactic sounds very similar to the Conficker/Downadup botnet that has received quite a bit of press lately, although no definitive link has been made yet between the two.  One would guess that the malware users were downloading was customized to benefit the person placing the "tickets", since this method of social engineering is clearly not conducive to wide-scale infection.

Posted by smasiello at 1:28 PM | Link | 1 comment
04 February 2009

The Next CAN-SPAM??


...or maybe that should be SPAM-CAN?

A co-worker sent me a link this morning to this energy drink called SPAM.  Before you go any further, this is NOT a product endorsement :) 

I remembered pretty quickly that I have actually had this drink before. 

A couple of years ago I was in Brussels for the annual European MAAWG conference and while walking the streets around the main square in town I passed by a convenience store with an advertisement that took up about a quarter of the doorway that said "SPAM Energy Drink.  Living on the Edge".  Obviously I couldn't travel one-third of the way across the world for an anti-spam conference and not take up the opportunity to confront my primary nemesis in lowly can form.  Surely, I could conquer SPAM now!  I was about to climb the mountain and reach the pinnacle of my career!  I was about to eliminate SPAM!!  Who needs wild predictions from Bill Gates on the demise of SPAM.  SPAM was in the palm of my hand!

Unfortunately, its demise wasn't to be...

As with several other energy drinks, it had this liquefied PEZ candy taste to it.  At first it wasn't too bad and I slowly sipped from the can while walking so that I could enjoy every last moment of what I thought would be SPAM's existence.  SPAM eventually started to overtake me, however.  Each sip became less and less savory and my stomach started to feel more and more nauseous.  As I approached the world famous Manneken Pis statue I could no longer tolerate the taste and was looking for the nearest trash container despite the fact that I still had about half the can to go. 

SPAM won.  I tried my best, but at the end of the day it was not to be.  I'll be heading to Amsterdam this June for another MAAWG conference and rest assured I will be looking for an opportunity to even the score!  Last time I didn't know what to expect and it kind of took me by surprise.  It won't happen again!
Posted by smasiello at 12:23 PM | Link | 2 comments
03 February 2009

Announcing the Security Buzz Podcast

IT Security podcast sponsored by MX Logic

I am proud to announce the public launch of the Security Buzz podcast, sponsored by MX Logic.  Security Buzz is produced by Charles Var and features Erik Boles, senior sales engineer at MX Logic and Sam Masiello, VP of Information Security (yours truly).  Every week Erik, Charles, and I talk about some of the more interesting and relevant topics in IT Security.  If you are of the podcast persuasion, I would highly recommend that you give it a listen. 

We've actually been at this for a little while now (you probably already knew this if you follow me on Twitter) in an effort to get some good momentum behind the podcasts before going forward with our public announcement and currently have 17 episodes posted for your listening pleasure.  Your time is also very important to us, and as such we keep each episode to around 20 minutes.  That is a perfect amount of time to listen while walking the dog, driving to work, or during your lunch break.

You can access the podcast via the MX Logic web site here, by searching for "Security Buzz" on iTunes, or by clicking here.

If you have any podcast feedback or suggestions for content, please contact either me at sam at mxlogic dot com or Erik at eboles at mxlogic dot com.  We'll be more than happy to incorporate your comments into future episodes of Security Buzz.  If you like the show, please leave us a comment on iTunes as well.

Hope you enjoy the podcast!
Posted by smasiello at 3:33 PM | Link | 0 comments