IT Security Blog

21 July 2009

Google Trending Topics the Latest Malware Lure


Last month we discussed the abuse of Twitter's Trending Topics system to increase the ranking of interesting topics so that links could be distributed via Tweets leading users to phishing and malware sites.  This tactic was a follow-up to previous abuses of Google's PageRank system that accomplished the same purpose.

The commonality between those two scenarios is that the cyber criminals had to do work to increase the ranking or interest of a particular topic in order to lure users to infected web sites.

We are starting to see a new wrinkle: hackers are using already popular Google Trending Topics, the search terms that users are already interested in and looking for through Google, to determine what users want to see.  They then tailor their social engineering tactics to create new spam and websites that exploit users' curiosity.  No work is required on the hacker's part to organically generate interest; that interest is already being generated by high profile news stories, a lure that has already proven very effective through the many iterations of Storm and Waledac over the past couple of years.

An example is being reported by Dan Kaplan at SC Magazine, who said (via Sophos) that cyber criminals have created fake websites claiming to show nude videos of Erin Andrews, a popular ESPN reporter who was recently videotaped through a peephole camera.  These fake websites are being used to push malware onto curious users' computers.  They could also very easily be used in phishing campaigns to steal users' personal information.

Searches for these Erin Andrews videos currently account for two of the top three Google search trends at the time of writing.

Posted by smasiello at 10:44 AM | Link | 0 comments
03 July 2009

July 4 Spam and Malware Campaign Courtesy of Waledac


As predicted in this month's MX Logic Threat Forecast and Report, cyber criminals have decided to take advantage of the July 4th holiday to send out spam that links to a malware-infected web site.

All of the messages that our Threat Operations Center has observed thus far have July 4th themed subject lines and brief message bodies consisting of only a few words followed by a link, a tactic used many times previously by the Storm/Waledac folks.

Some of the subject lines that we have seen thus far include:

Amazing firework 2009
Amazing Independence Day salute
Amazing Independence Day show
America for You and Me
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrate the spirit of America
Celebrate with Pride
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
Fourth of July Fireworks Shows
God Bless America
Happy Birthday America!
Happy Birthday USA!
Happy Birthday, America!
Happy Fourth of July
Happy Independence Day
Home of the Brave
Independence Day firework broke all records
Let the fireworks begin!
Let's celebrate Independence Day
Light up the sky
Long Live America
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Stripes Forever
Super 4th!
The best firework you've ever seen
The best of 4th of July Salute
This Land Is Your Land
Time for Fireworks
Well done 4th!

Traffic so far has been pretty modest, only about 2,500-3,000 messages per hour, and is likely being dampened by the fact that many companies gave their employees July 3rd off this year because this year's United States Independence Day holiday falls on a Saturday.

Below is a screen shot of a sample message that someone may receive in conjunction with this campaign:

The site that users are lured to when they click the link in the email claims to host a video of a fireworks show, but actually serves a download of an executable file (video.exe) that, when run, infects the user's PC.  So far all of the links that our Threat Operations Center has observed have been subdomains of the "moviesfireworks.com" domain; however, our team is on the lookout for more, and this post will be updated as necessary.

Below is a screen shot of the fake video web site.

Here's to everyone having a safe, happy, and malware free July 4th holiday :)




Posted by smasiello at 5:08 PM | Link | 0 comments
23 June 2009

Brief Storm/Waledac Timeline and Its Relationship with Conficker


The folks over at Cisco posted a very interesting blog writeup about the Storm/Waledac botnets and how their marriage to Conficker was consummated in order to start monetizing the enormous computing power of the Conficker botnet. 

What I found most interesting was the part about how Conficker would hook itself between Wireshark and the network driver (likely within the winpcap library) to hide all of the network interfaces from Wireshark, essentially rendering the packet sniffing tool useless.

Looking ahead, this makes me wonder what else malware could do to alter the behavior and functionality of other tools that security researchers use to analyze malware.  We've already seen Conficker introduce signed, encrypted updates to keep researchers from analyzing updates and penetrating its network.  This development of malware physically altering how analysis tools work could be a significant game changer in the cat and mouse game of being able to reverse engineer malicious code.  This is definitely something that warrants continued monitoring to see if this tactic continues to be employed by cyber criminals, or improved upon.

Posted by smasiello at 4:35 PM | Link | 0 comments
16 April 2009

Think Your Partner is Cheating? The Waledac Botnet Wants to Help


It seems lately that if we aren't talking about Conficker, we are talking about Waledac.  To make things even more interesting, there have been purported links between the Conficker and Waledac botnets: during the last week the infected machines associated with the former pulled a code update from the latter.

Today's topic is Waledac specific: a new spam campaign with an SMS Spy theme.  Ever wanted to spy on your girlfriend's SMS messages to see if she is cheating on you?  Curious as to whether or not your significant other is truly in love with you?  Waledac wants to "help" you find out.

Starting earlier this morning our Threat Operations Center began detecting a new spam campaign from the Waledac botnet that contains a link to a web site where users can download a 30-day free trial of a piece of software (read: malware) that, when installed on your partner's mobile phone, will allow you to read all of the SMS messages that they receive.

The email received looks like the following:

We have seen a number of subject lines associated with this campaign including:

Are you ready to know the truth
Are you sure in your partner
Can your love life be re-ignited
Does your partner truly love you
Have more fun and pleasure in your intimate life
Keep a spy eye on your girlfriend
Make Sure your girlfriend
Now, It's possible to read other people's SMS
Now, you can read any SMS message
possible to read other people
Read his SMS
Read other people's SMS online
The world's most advanced sms reading program
We will teach you to be the master of making love art
What's your hall of shame
You can read anyone's SMS
Are you interested in reading other people's sms?
Do you trust her?
Do you trust your partner blindly?
Do you want to test your partner
Free program for reading sms
Is your partner cheating on you?
Is your partner faithful?
Is your wife or girlfriend cheating on you?
Read her messages
Read your girlfriend sms online
You can download new program for reading sms


Below is a screen shot of the site that the user is directed to when the email link is clicked:


It is important to note that simply visiting the web site does not infect the user with Waledac.  They must download and execute the file (currently named "sms.exe") after clicking the "Download Free Trial" link.
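The SMS-spy run described in this post and the July 4 run described in the post above share the same shape: a subject line drawn from a fixed template list, a body of only a few words followed by a link, and a link that leads to an executable (sms.exe, video.exe). The script below is an added example of a mail-gateway triage rule built on exactly those three indicators; it is not MX Logic's detection code. The subject lists are copied from the two posts, the word-count threshold and the sample messages are constructed, and every host name in the samples is made up except moviesfireworks.com, which the July 4 post names.

```python
import re

# Subject lines quoted in the July 4 and SMS-spy posts (a subset of each list).
JULY4_SUBJECTS = [
    "Amazing firework 2009",
    "Happy Birthday America!",
    "Let the fireworks begin!",
    "Independence Day firework broke all records",
]
SMS_SPY_SUBJECTS = [
    "Read her messages",
    "You can read anyone's SMS",
    "Is your partner cheating on you?",
    "Free program for reading sms",
]
# Case-insensitive lookup table: normalised subject -> campaign label.
SUBJECT_TEMPLATES = {s.lower(): "waledac-july4" for s in JULY4_SUBJECTS}
SUBJECT_TEMPLATES.update({s.lower(): "waledac-sms-spy" for s in SMS_SPY_SUBJECTS})

# Plain and defanged (hxxp) links; \S+ stops at the first whitespace.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://\S+", re.IGNORECASE)
# Links that end in a Windows executable extension (video.exe, sms.exe, ...).
EXE_RE = re.compile(r"\.(?:exe|scr|pif|bat)(?:[?#]|$)", re.IGNORECASE)
# "A few words followed by a link": assumed threshold on the body minus its URLs.
MAX_WORDS_AROUND_LINK = 8


def triage(subject, body):
    """Return (verdict, reasons) for one message.

    verdict is 'suspicious' (two or more indicators), 'review' (one) or 'clean'.
    """
    reasons = []
    label = SUBJECT_TEMPLATES.get(subject.strip().lower())
    if label:
        reasons.append("subject matches %s template" % label)

    urls = URL_RE.findall(body)
    words = URL_RE.sub(" ", body).split()
    if urls and len(words) <= MAX_WORDS_AROUND_LINK:
        reasons.append("body is %d words plus a link" % len(words))
    if any(EXE_RE.search(u) for u in urls):
        reasons.append("link points directly at an executable")

    if len(reasons) >= 2:
        return "suspicious", reasons
    if reasons:
        return "review", reasons
    return "clean", reasons


# Constructed sample messages, not real captures. The subdomain fw01 and the
# example.net hosts are made up; moviesfireworks.com is the domain the July 4 post names.
SAMPLES = [
    ("Happy Birthday America!", "Amazing show http://fw01.moviesfireworks.com/video.exe"),
    ("Read her messages", "Download free trial here http://trial.example.net/sms.exe"),
    ("Lunch on Friday?", "Menu is at http://cafe.example.net/menu.html"),
    ("Q3 budget review", "Hi team, the Q3 budget deck is attached. Please send your "
                         "comments before Thursday. Thanks"),
]

if __name__ == "__main__":
    for subj, body in SAMPLES:
        verdict, why = triage(subj, body)
        print("%-10s %-26s %s" % (verdict, subj, "; ".join(why)))
```

The three indicators are deliberately independent: a template subject alone only flags the message for review, because legitimate holiday greetings reuse the same phrases, while a template subject combined with the few-words-plus-link body or a direct executable link is enough to quarantine.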

*** UPDATE 1 4/16/2009 11:20am MST ***  Funny enough there is an article posted on NetworkWorld today which discusses a potential vulnerability with Apple's iPhone which could result in the execution of shellcode on non-jailbroken versions of the device.  Such a vulnerability could result in an exploit that could allow an attacker to see someone's SMS messages according to the article.  Maybe the Waledac authors know more than we are giving them credit for :)

Below is an updated volume graph. 




As you can see from the above graph, volumes were in the 2-4k per hour range until about 2am MST this morning, before peaking at about 12,000 during the 6am hour.  More updates as they become available.


*** UPDATE 2 4/17/2009 10:40am MST ***  After waning a bit during the mid-morning hours yesterday, volumes started to pick up again at around noon MST.  Current averages are between 12-20k messages per hour and have held in that range for about the last 24 hours.

Posted by smasiello at 9:38 AM | Link | 9 comments
27 February 2009

The Many Phases of Waledac


Over the past several weeks we have been watching the Waledac botnet go through a couple of different phases.  Back in late January we reported on Waledac returning to its familiar roots of sending out spam linking to malware-infected web sites.  Frequently these messages were tied to some sort of holiday and used e-cards as a lure to get potential victims to open the email and visit a malicious web site.

We saw a couple of different iterations of their most recent Valentine's Day campaigns.  One was for a Valentine Devkit (see above link) and another was a lure for the ever popular e-card.  Since February 22nd, Waledac has taken a bit of a different twist on its typical holiday themes and has focused its efforts on something just as timely: the economy.  Making a copy of a legitimate web site that focuses on helping you save money (who wouldn't want to do that given current economic conditions?), couponizer.com, the Waledac folks sent out emails linking to their spoofed lookalike sites.  As with many other Waledac/Storm generated web sites, just about everything on the page is an image.  This is generally a dead giveaway to folks who have been tracking Waledac/Storm for quite some time, but it is a minor detail that is likely lost on most users, who are unaware they are being duped.  These images link to a binary executable file that, when downloaded and run by the user, enlists their PC in the botnet.

Below is a screenshot representation of the fake couponizer site:



Take a moment to visit the real couponizer.com and you will notice that the lookalike and legitimate sites bear some similarity.
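The "everything on the page is an image" giveaway described above can be turned into a simple triage check for a URL sandbox or proxy: count the visible text, count the images, and note any image that sits inside a link to an executable. The script below is an added example of that check, written for this post and not part of MX Logic's tooling. The 200-character text threshold is an assumption, and both HTML documents are constructed stand-ins (the lookalike one mimics the structure the post describes, not the real spoofed couponizer page).

```python
import re
from html.parser import HTMLParser

# Links ending in a Windows executable extension.
EXE_RE = re.compile(r"\.(?:exe|scr|pif|bat)(?:[?#]|$)", re.IGNORECASE)
# Assumed threshold: fewer visible characters than this and the page is "all images".
MIN_TEXT_CHARS = 200


class PageProfile(HTMLParser):
    """Counts visible text, images, and images wrapped in links to executables."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.images = 0
        self.exe_image_links = []
        self._href = None      # href of the <a> we are currently inside, if any
        self._skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "a":
            self._href = attrs.get("href") or ""
        elif tag == "img":
            self.images += 1
            if self._href and EXE_RE.search(self._href):
                self.exe_image_links.append(self._href)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1
        elif tag == "a":
            self._href = None

    def handle_data(self, data):
        # Count non-whitespace characters of visible text only.
        if not self._skip_depth:
            self.text_chars += len("".join(data.split()))


def profile_page(html):
    """Return the counts plus two verdict flags for one HTML document."""
    p = PageProfile()
    p.feed(html)
    p.close()
    image_only = p.images > 0 and p.text_chars < MIN_TEXT_CHARS
    return {
        "text_chars": p.text_chars,
        "images": p.images,
        "exe_image_links": p.exe_image_links,
        "image_only": image_only,
        "suspicious": image_only and bool(p.exe_image_links),
    }


# Constructed lookalike page: three images, no real text, every image links to an .exe.
LOOKALIKE = """<html><head><title>Coupons</title>
<style>body { margin: 0 }</style></head><body>
<a href="/coupons/setup.exe"><img src="header.jpg" alt=""></a>
<a href="/coupons/setup.exe"><img src="body.jpg"></a>
<a href="/coupons/setup.exe"><img src="footer.jpg"></a>
</body></html>"""

# Constructed legitimate-looking page: one logo plus plenty of real copy.
LEGIT = ("<html><body><h1>Save money every week</h1><img src=\"logo.png\"><p>"
         + "Clip coupons for groceries, restaurants and more. " * 8
         + "</p><a href=\"/signup\">Create a free account</a></body></html>")

if __name__ == "__main__":
    for name, doc in (("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name, profile_page(doc))
```

Visible text is counted only outside script and style blocks, since a spoofed page can carry kilobytes of invisible CSS and still show the visitor nothing but images. The check is a heuristic, not a verdict: a photo gallery is also image-heavy, so the executable-link condition is what makes the result actionable.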

Since this new variant launched the MX Logic Threat Operations Center has been processing about 15,000 of these messages per hour, a trend that continues 5 days after the tactic's original launch.

Below is a graph that illustrates volumes and shifts in Waledac tactics since 1/23/2009 (the date we started tracking the Devkit variant):



You'll notice that there is no overlap in tactics as Waledac shifts from one template to the next.  The Valentine's e-card tactic started on February 9th and the latest Couponizer spoof started on February 22nd.

Another interesting thing to notice from the graph is that we actually saw more Valentine's Day e-card spam coming from Waledac AFTER Valentine's Day than before.

Nevertheless, it is clear that the Waledac folks are working very hard to build their botnet back up to the levels it was at prior to Microsoft releasing its September 2007 MSRT update, which Microsoft claims was responsible for mostly taking down its predecessor, Storm.  This botnet clearly isn't just about holidays anymore.


Posted by smasiello at 3:40 PM | Link | 1 comment
09 February 2009

Another Waledac Valentine's Day Spam Run Has Started


It looks like the Waledac botnet folks are at it again: new e-card spam with links to malware using a Valentine's Day theme.

The email itself is your standard fare e-card Valentine's Day lure (subject lines starting with "You've got an e-card at <random greeting card domain>"); however, differing from many previous incarnations of e-card spam, the From address does not try to spoof any of the common greeting card web sites (mistake number 1):

----------------------------------------
Ted just mailed to you an Online greeting card and wrote this to you:
"You're So Sweet!"

You may pick it up from:
hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
Your eCard will be available for the next 20 days.
----------------------------------------

We have also seen samples of this tactic linking to yourgreatlove.com, a known Waledac domain. 

Clicking the link in the email will bring you to a cute web site with puppies giving you "the eyes" enticing you to download their malware:



Clearly there is a disconnect between the email, which is telling you to pick up your e-card, and the web site, which is asking you to download a "Valentine Devkit" (mistake number 2).  As a result of this perceived error, volumes are very low (only a few here and there thus far), but this does appear to be a sign that the Waledac gang is gearing up for some kind of Valentine's Day campaign.

The commercial AV guys don't appear to be up on this one yet, so keep your eyes open!  We'll be monitoring the Waledac guys up to and through Valentine's Day this weekend and will post any new variants that we see coming from them here.

Posted by smasiello at 10:21 AM | Link | 1 comment
23 January 2009

Valentine's Day Themed Spam from the New Storm Botnet


Starting during the 8pm MST hour on Thursday night (January 22nd), our Threat Operations Center observed a new Valentine's Day themed spam that appears to be coming from the Waledac botnet (new Storm botnet) gang.  It follows the Storm tradition of sending out holiday themed emails, further lending validation to the theory that the folks behind Waledac are likely the same ones that created Storm.

Emails are short and sweet one-liners with content like "Me and You", "In Your Arms", and "With all my love" followed by a web site link.  No malware is attached to the email itself.  Subject lines also have a love theme to them.  Some of the examples that our Threat Operations Center has observed include "Falling in love with you", "I belong to you", and "I love being in love with you".  Once the link in the email is clicked the user is brought to a site that has an image of 12 hearts with the bold text "Guess, which one is for you?" and looks like the following:




Clicking anywhere within the hearts follows a link to an executable file that the user can download and install, infecting themselves.  Infection does not occur merely by visiting the page.  The executable file (e.g. you.exe or love.exe) must be run to install the malware.

This page also uses Google Analytics to track the number of visitors and where those visitors are coming from.

Volumes have been modest, but have accounted for about 10% of the malicious email that we have seen within the past 24 hours.  Traffic has been steadily increasing since they were first observed, as illustrated in the graph below:




Clearly the old Storm folks are working as hard as they can in efforts to build up their new botnet and are following the old tried and true methods of centering their social engineering tactics around holiday themes.  It was very successful for them the last time around so why fix what isn't broken, right?  Nevertheless, it still impresses me that tactics like this continue to work and be so effective despite how many times it gets recycled.


*** UPDATE 1/23/2009 3:20pm MST *** Volumes have been steadily increasing over the course of the day.  Average volume since 9am is about 11k per hour.  We will continue to monitor over the course of the weekend and will post updates as necessary.




*** UPDATE 1/26/2009 8:30am MST *** No significant morphs of this tactic over the weekend.  The folks over at shadowserver.org have posted a list of the domains being spamvertised as part of this campaign.  If you are not already doing so, you may want to consider blocking access to them.  Volumes of this email have been hovering at around 4,000 per hour for the last 36 hours and appeared to take a brief 5 hour hiatus Saturday afternoon between 2-7pm MST.  Maybe they were watching the NHL All Star Festivities :)  Current volume graph below ***
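Acting on a published list of spamvertised domains like the one mentioned above is easy to get subtly wrong: the campaign links are subdomains (yyiet.worshiplove.com, the moviesfireworks.com subdomains from the July 4 post), links are often shared in defanged form (hxxp, [.]), and a naive substring match would also block any domain that merely ends in the same letters. The script below is an added example of a blocklist matcher that handles all three; it is not MX Logic's or shadowserver's code. The blocklist is a constructed stand-in whose entries are the Waledac domains named on this page, not the contents of the real list, and the sample message body is constructed around the e-card link quoted above (the fw01 subdomain is made up).

```python
import re
from urllib.parse import urlsplit

# Plain and defanged (hxxp) links; \S+ stops at the first whitespace.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://\S+", re.IGNORECASE)


def refang(url):
    """Undo the common 'hxxp' and '[.]' defanging used when sharing indicators."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def host_of(url):
    """Lower-cased host name from a (possibly defanged) URL, or None if unparsable."""
    host = urlsplit(refang(url)).hostname
    return host.rstrip(".").lower() if host else None


def is_blocked(host, blocklist):
    """Return the blocklist entry that covers host, or None.

    Matches the exact domain or any subdomain of it on a label boundary, so
    notworshiplove.com does not match a worshiplove.com entry.
    """
    host = host.lower()
    for domain in blocklist:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_message(body, blocklist):
    """Return [(url, matched_domain)] for every link in body whose host is blocked."""
    hits = []
    for url in URL_RE.findall(body):
        host = host_of(url)
        domain = is_blocked(host, blocklist) if host else None
        if domain:
            hits.append((url, domain))
    return hits


# Constructed stand-in for a published domain list; these three are the Waledac
# domains named on this page.
BLOCKLIST = ["worshiplove.com", "yourgreatlove.com", "moviesfireworks.com"]

# Constructed message body. The first link is the one quoted in the e-card post;
# the second is a deliberate near-miss; the fw01 subdomain in the third is made up.
SAMPLE_BODY = """You may pick it up from:
hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
Other links: http://notworshiplove.com/ and http://fw01.moviesfireworks.com/video.exe
"""

if __name__ == "__main__":
    for url, domain in scan_message(SAMPLE_BODY, BLOCKLIST):
        print("%-60s blocked by %s" % (url, domain))
```

The same is_blocked() function works for a proxy or DNS filter fed with the host alone; the suffix check is what makes a single entry such as moviesfireworks.com cover every throwaway subdomain the botnet rotates through.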

Posted by smasiello at 11:23 AM | Link | 2 comments