IT Security Blog

09 September 2009

New Malware Campaign Spoofs the IRS


Earlier this morning our Threat Operations Center noticed a new spam campaign originating from the Cutwail botnet that is sending out emails spoofing the IRS.  We are currently observing traffic averaging about 90,000 messages per hour using this tactic.

The email, which appears to come from no-reply@irs.gov, tries to convince recipients that they misreported their income on their taxes and that the IRS is giving them an opportunity to fix it.





The email provides a link for the user to view their recent tax statement online.  This link does not directly infect the user's machine; instead it directs them to a website from which the malicious code is delivered.



If the user clicks on any of the links on this page, they are directed to download an application called tax_statement.exe.  As of the time of this posting, AV detection for this new variant is low. 

Please remember that the IRS does not know your email address and will not conduct official business with you over email.  Any email purporting to do so is a scam and should be deleted immediately.
Posted by smasiello at 10:57 AM
01 September 2009

Looking Ahead Toward the Threat Horizon


In my copious amounts of spare time, one of the things that I like to put thought into is where I believe the Threat Landscape is headed.  Even in just the last 10 years since the Melissa virus (yes, I know viruses extend quite a bit further back than that; I'm just using this as a reference point) we've gone from mass-mailing viruses, to network worms that run through your network compromising any vulnerable host as quickly as they can, to social engineering tricks that sometimes make it difficult even for the trained professional to tell whether something is real or fake.

So, the question that I pose to myself is "What's Next?"  Taking even just the events of the last decade into account, where are we headed for the next few years?  Some of this is obviously hard to determine because that also involves being able to forecast what new technologies will be released, but we can start to make some assumptions based off of what is available today. 

Since this is a blog post, I'll try to keep this relatively brief.  Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here's a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today.  I like them and I've had the opportunity to write for them twice now) at some point soon.

Some things to think about:

-- The Insider Threat
Especially given the current economic conditions and the uneasiness in many offices around the country as to whether their companies will remain viable, organizations need to be ever cognizant of the data that is leaving their organization.  Given that the USB 3.0 spec released in November 2008 allows for data transfer speeds of about 5Gb per second, sensitive, proprietary corporate data can be pulled off a company's network and onto a thumb drive faster than ever before.  Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or who are upset at benefit and wage freezes/cutbacks, and you have a dangerous cocktail for data theft.  We need to put as much focus on protecting our sensitive assets from insiders, who have much easier access to proprietary data, as we do on keeping the external threats at bay.

-- VoIP
Voice over IP (VoIP) telephony is being adopted at an ever increasing rate, not only in the enterprise space but in the consumer market.  Services like Vonage make it easier than ever for people to have portable phone numbers so that they can be easily reachable at local numbers by family members out of state.  VoIP implementations at organizations are also becoming ever more popular.  As these technologies become more widely adopted we have started to see hints of what abuse of these tools might look like.  Throwaway phone numbers used to make spam phone calls have started to become more common.  There are services available online which allow you to purchase throwaway numbers in blocks.  Spammers can use and abuse these numbers just like they do IP addresses now.

Another thing to watch out for is the compromise of VoIP systems as vulnerabilities start coming out in larger quantities.  Threats like direct voicemail injection will become another method that cyber criminals will use in order to get advertisements delivered to end users.  As the social engineering used in these threats improves, they could easily be used to steal personal identities and corporate data. 

-- Mobile Malware
Let's face it.  The phones that we carry in our pockets are little personal computers.  Although they lack the computing power of the quad-core processors now becoming commonplace on personal computers, they are another "always connected" device that people always have turned on.  I think the only time that I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer's headphones :) ).  As mobile phone manufacturers have opened up their APIs to developers to create third party applications, they will need to be ever diligent in their QA processes to make sure that applications don't get posted to their distribution channels that contain some form of malware or open up a trojan backdoor to the device.  The mobile phone industry is growing by leaps and bounds with the addition of new, better, more feature rich smartphones entering the market.  The smartphone market is too large of a target for cyber criminals to ignore, especially if you consider the value of the data that we are now storing on these devices.  Secure sandboxing of third party applications is a must, but that is only a start.  Only hundreds of mobile malware variants exist today (compared to the approximately 1 every 4 seconds that is released for PCs), but that number is slowly growing and as hackers pay more attention to how they can penetrate mobile devices, that number is sure to only increase.

-- Social Networking
Social networks represent an interesting shift in the information sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window.  This has really opened the door for cyber criminals.  With the data now available online through social media sites like Facebook, MySpace, and Twitter, criminals can much more easily target attacks at specific individuals or groups, using data made available via public profiles or geolocation tools that map your IP address to the town you live in (or near), so that they can deliver compelling content which directs you to malware infected downloads (à la the Waledac botnet).  The web of trust that exists between users on social networking sites is being actively exploited by hackers looking to take advantage of the fact that users will click on whatever their friends send them.  It has already been proven that people will click on links and open attachments from people they don't know, so why would they scrutinize more closely the content from those that they do?

-- Political Hacktivism
Recently cyber criminals have picked up the pace a bit with respect to using online resources like social networking sites to quickly spread political messages, propaganda, and calls to recruit people to fight for their cause.  Due to the sensitive nature of political issues and the passion that people have for them, social engineering techniques like creating highly controversial views on sensitive topics are something that cyber criminals will latch onto in order to get people to react quickly and irresponsibly, opening attachments or visiting websites that they would normally scrutinize more closely.


These are only a small sampling of what I believe we will be encountering as we move forward (I didn't even go into the increased prevalence of compromise of legitimate web sites, and the further use of file sharing services, and calendar spam!), but they are things that we will need to keep top of mind as we look toward what threats are coming down the road.  Hackers will go where the money is and the money is where the people are.  So, whether it is Twitter, MySpace, Facebook, email, instant messenger, or our phones, criminals will leverage whatever technology is available because in their eyes the goal is to make money regardless of the available technologies, and if one person can be the one to figure out how to exploit a technology for their own financial gain before the others they'll end up getting the lion's share of the notoriety as well as beat defense mechanisms to the punch.
Posted by smasiello at 3:02 PM
03 July 2009

July 4 Spam and Malware Campaign Courtesy of Waledac


As predicted in this month's MX Logic Threat Forecast and Report, cyber criminals have decided to take advantage of the July 4th holiday to send out spam that links to a malware infected web site.

All of the messages that our Threat Operations Center have observed thus far have July 4th themed subject lines and brief message bodies consisting of only a few words followed by a link, a tactic used many times by the Storm/Waledac folks previously. 

Some of the subject lines that we have seen thus far include:

Amazing firework 2009
Amazing Independence Day salute
Amazing Independence Day show
America for You and Me
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrate the spirit of America
Celebrate with Pride
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
Fourth of July Fireworks Shows
God Bless America
Happy Birthday America!
Happy Birthday USA!
Happy Birthday, America!
Happy Fourth of July
Happy Independence Day
Home of the Brave
Independence Day firework broke all records
Let the fireworks begin!
Let's celebrate Independence Day
Light up the sky
Long Live America
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Stripes Forever
Super 4th!
The best firework you've ever seen
The best of 4th of July Salute
This Land Is Your Land
Time for Fireworks
Well done 4th!

Traffic so far has been pretty modest, only at about 2,500-3,000 per hour and is likely being mitigated by the fact that many companies have given their employees July 3rd off this year in observance of the fact that this year's United States Independence Day holiday is on a Saturday.

Below is a screen shot of a sample message that someone may receive in conjunction with this campaign:




The site that users who click the link in the email are lured to claims to be a video of a fireworks show, but is actually a download of an executable file (video.exe) that when run will infect the user's PC.  So far all of the links that our Threat Operations Center have observed have been subdomains of the "moviesfireworks.com" domain, however our team is on the lookout for more, and this post will be updated as necessary.
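The three traits this post reports (a subject from the list above, a body of only a few words followed by a link, and a link host that is a subdomain of moviesfireworks.com) can be scored directly at a mail gateway.  The following Python is an added example, not code from MX Logic or the original post; the sample messages, the subdomain labels and the parks.example URL are constructed, and the subject set is only a subset of the list above.

```python
import re
from urllib.parse import urlparse

# Subject lines taken from the list in the post (a subset; extend with the rest).
CAMPAIGN_SUBJECTS = {
    "Amazing firework 2009",
    "Fourth of July Fireworks Shows",
    "Happy Birthday America!",
    "Light up the sky",
    "Well done 4th!",
}
# The only domain the post reports for this campaign; observed links were subdomains of it.
CAMPAIGN_DOMAINS = {"moviesfireworks.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
MAX_LURE_WORDS = 6  # "brief message bodies consisting of only a few words followed by a link"


def host_under(host: str, domains) -> bool:
    """True if host is one of domains or a subdomain of one.

    The check is made on a label boundary: a plain endswith(domain) would also
    accept look-alike hosts such as notmoviesfireworks.com.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_lure(subject: str, body: str) -> dict:
    """Apply the three observed campaign traits and return a verdict with reasons."""
    urls = URL_RE.findall(body)
    words = URL_RE.sub("", body).split()
    reasons = []
    if subject.strip() in CAMPAIGN_SUBJECTS:
        reasons.append("subject is one of the observed campaign subjects")
    if urls and len(words) <= MAX_LURE_WORDS and body.rstrip().endswith(urls[-1]):
        reasons.append("body is a few words followed by a link")
    for u in urls:
        host = urlparse(u).hostname or ""
        if host_under(host, CAMPAIGN_DOMAINS):
            reasons.append(f"link host {host} is under a campaign domain")
    score = len(reasons)
    verdict = "quarantine" if score >= 2 else "review" if score == 1 else "pass"
    return {"verdict": verdict, "reasons": reasons, "urls": urls}


# Constructed sample messages: subdomain label, the office e-mail and its URL are made up.
SAMPLES = [
    ("Light up the sky", "Light up the sky http://abc.moviesfireworks.com/"),
    ("Fourth of July Fireworks Shows",
     "Hi all, the city show starts at 9pm by the lake, bring chairs. "
     "Schedule: http://parks.example/july4"),
    ("Fireworks video", "Fireworks video http://www.notmoviesfireworks.com/"),
]


def classify_samples():
    """Verdicts for the constructed samples, in order."""
    return [classify_lure(s, b)["verdict"] for s, b in SAMPLES]


if __name__ == "__main__":
    for (subject, body), verdict in zip(SAMPLES, classify_samples()):
        print(f"{verdict:10} {subject}")
```

The second sample shows why a subject match alone only earns "review": the list is made of ordinary holiday phrases that legitimate mail will also use.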

Below is a screen shot of the fake video web site.






Here's to everyone having a safe, happy, and malware free July 4th holiday :)




Posted by smasiello at 5:08 PM
11 June 2009

Outlook Malware from Last Week Comes Back for a Visit


My apologies for being a bit light on posting this week.  I have been in Amsterdam for the 16th MAAWG Conference.  It's been a great conference with some outstanding presentations, but I am looking forward to being home tomorrow!

It looks like the Outlook Reconfiguration Malware from last week has returned for another round, this time claiming that other user mail clients are in need of reconfiguration.

This one is fairly interesting because it seems to be rather confused as to which mail client is supposed to be reconfigured.  Many of the samples that I have reviewed use different mail client names between the message subject and the body.  A couple of examples:

Message Subject: Microsoft Outlook Setup Notification
Message Body:

You have (6) message from Outlook Express.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.

Message Subject: TheBat Setup Notification
Message Body:

You have (9) message from Microsoft Outlook.

Please re-configure your TheBat again.

Download attached setup file and install.


Notice that between the message subject and the first and second sentence of the message it might tell you that you are receiving a setup notification for TheBat (a legitimate mail client frequently spoofed in spam), tell you that you have X messages from Microsoft Outlook, and tell you that you need to reconfigure TheBat again.  I am not sure if this is intentional or not (it is sloppy work on the part of the spammer if it is) or if it is just a piece of broken spamware.

These messages carry an attachment named client_update.zip, which has an MD5 checksum of a50838afddd97a744804bdb6b153b101.

Virustotal reports (as of the time of this writing) that only about 60% of the antivirus engines are detecting this malware, which is better than we typically see in the early stages of a new attack.  This supports the theory that this new malware is close enough to the one seen last week that the old signatures might still be catching it.

Either way, be on the lookout for this respin of last week's news. 

 
Posted by smasiello at 3:48 PM
03 June 2009

Microsoft Outlook Reconfiguration Malware In the Wild


The MX Logic Threat Operations Center has observed a new type of malware in the wild being sent out as an email posing as a reconfiguration notification for Microsoft Outlook. 

The message subject is "Outlook Setup Notification" and contains the following text within the message body:

You have (1) message from Microsoft Outlook.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.



The attached file is named micr__outlook_update_6556.zip and has an MD5 checksum of 7aa706c521dd8a11ef23b35fc5c4d543.

So far we are not seeing any variation in either the attachment name (which could easily be made more random with the digits on the end) or the hash, so the malware is not morphing at this point.  That could easily change, as it is trivial for AV vendors and spam filters to block this particular threat.
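This post and the 11 June follow-up describe the "Setup Notification" lure in enough detail to turn it into a mail-gateway check.  The following Python is an added example, not code from MX Logic or the original posts: it matches the subject and body text, flags the subject/body mail-client mismatch seen in the 11 June samples, matches the attachment name as a pattern (since the trailing digits could be randomised) and compares the attachment's MD5 against the two checksums quoted in the posts.  The sample message and its attachment bytes are constructed placeholders.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted in the two posts (attachment names and MD5 checksums).
KNOWN_MD5 = {
    "7aa706c521dd8a11ef23b35fc5c4d543",  # micr__outlook_update_6556.zip (3 June)
    "a50838afddd97a744804bdb6b153b101",  # client_update.zip (11 June)
}
# The 3 June post notes the trailing digits could easily be randomised,
# so match the shape of the name rather than the literal string.
ATTACHMENT_NAME_RE = re.compile(r"^(micr__outlook_update_\d+|client_update)\.zip$", re.I)

SUBJECT_RE = re.compile(r"^(?P<client>.+?) Setup Notification$", re.I)
BODY_COUNT_RE = re.compile(r"You have \(\d+\) messages? from (?P<client>[^.\n]+)\.", re.I)
BODY_RECONF_RE = re.compile(r"Please re-configure your (?P<client>[^.\n]+?) again\.", re.I)
BODY_INSTALL = "download attached setup file and install."


def _norm_client(name: str) -> str:
    """Normalise a mail client name so 'Outlook' and 'Microsoft Outlook' compare equal."""
    return re.sub(r"^microsoft\s+", "", name.strip().lower())


def analyse_setup_notification(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the 'Setup Notification' lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    reasons = []
    clients = set()

    m = SUBJECT_RE.match(subject)
    if m:
        reasons.append("subject is a '<client> Setup Notification'")
        clients.add(_norm_client(m.group("client")))
    for rx in (BODY_COUNT_RE, BODY_RECONF_RE):
        m = rx.search(body)
        if m:
            clients.add(_norm_client(m.group("client")))
    if BODY_RECONF_RE.search(body) and BODY_INSTALL in body.lower():
        reasons.append("body carries the re-configure / install-attachment text")
    # 11 June observation: subject and body name different mail clients.
    if len(clients) > 1:
        reasons.append("mail client names disagree: " + ", ".join(sorted(clients)))

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        digest = hashlib.md5(payload).hexdigest()
        attachments.append({"name": name, "md5": digest})
        if ATTACHMENT_NAME_RE.match(name):
            reasons.append(f"attachment name matches lure pattern: {name}")
        if digest in KNOWN_MD5:
            reasons.append(f"attachment MD5 matches a known sample: {digest}")

    return {
        "subject": subject,
        "reasons": reasons,
        "attachments": attachments,
        "verdict": "block" if len(reasons) >= 2 else "pass",
    }


def build_sample() -> bytes:
    """Construct a message shaped like the 11 June variant (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "TheBat Setup Notification"
    msg.set_content(
        "You have (9) message from Microsoft Outlook.\n\n"
        "Please re-configure your TheBat again.\n\n"
        "Download attached setup file and install.\n"
    )
    # Placeholder bytes standing in for the zipped dropper; constructed, not malware.
    msg.add_attachment(
        b"PK\x03\x04 constructed placeholder, not a real sample",
        maintype="application", subtype="zip", filename="client_update.zip",
    )
    return bytes(msg)


if __name__ == "__main__":
    result = analyse_setup_notification(build_sample())
    print(result["verdict"], *result["reasons"], sep="\n  ")
```

On the constructed sample the hash does not match (the bytes are placeholders), but the subject, body text, client mismatch and attachment name still add up to a block; that is the point of keying on more than the hash alone.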

The graph below shows hourly volumes of this new threat since about 11:30am MST on 6/2, when we originally started to observe it hitting our systems.



Posted by smasiello at 11:03 AM
16 April 2009

Think Your Partner is Cheating? The Waledac Botnet Wants to Help


It seems lately that if we aren't talking about Conficker, we are talking about Waledac.  To make things even more interesting there have been purported links between the Conficker and Waledac botnets as during the last week the infected machines associated with the former pulled a code update from the latter. 

Today's topic is Waledac specific: a new spam campaign with an SMS Spy theme.  Ever wanted to spy on your girlfriend's SMS messages to see if she is cheating on you?  Curious as to whether or not your significant other is truly in love with you?  Waledac wants to "help" you find out.

Starting earlier this morning our Threat Operations Center began detecting a new spam campaign from the Waledac botnet that contains a link to a web site where users can download a 30 day free trial for a piece of software (read: malware) that when installed on your partner's mobile phone will allow you to read all of the SMS messages that they receive.

The email received looks like the following:




We have seen a number of subject lines associated with this campaign including:

Are you ready to know the truth
Are you sure in your partner
Can your love life be re-ignited
Does your partner truly love you
Have more fun and pleasure in your intimate life
Keep a spy eye on your girlfriend
Make Sure your girlfriend
Now, It's possible to read other people's SMS
Now, you can read any SMS message
possible to read other people
Read his SMS
Read other people's SMS online
The world's most advanced sms reading program
We will teach you to be the master of making love art
What's your hall of shame
You can read anyone's SMS
Are you interested in reading other people's sms?
Do you trust her?
Do you trust your partner blindly?
Do you want to test your partner
Free program for reading sms
Is your partner cheating on you?
Is your partner faithful?
Is your wife or girlfriend cheating on you?
Read her messages
Read your girlfriend sms online
You can download new program for reading sms


Below is a screen shot of the site that the user is directed to when the email link is clicked:


It is important to note that simply visiting the web site does not infect the user with Waledac.  They must download and execute the file (currently named "sms.exe") after clicking the "Download Free Trial Link".

*** UPDATE 1 4/16/2009 11:20am MST ***  Funny enough there is an article posted on NetworkWorld today which discusses a potential vulnerability with Apple's iPhone which could result in the execution of shellcode on non-jailbroken versions of the device.  Such a vulnerability could result in an exploit that could allow an attacker to see someone's SMS messages according to the article.  Maybe the Waledac authors know more than we are giving them credit for :)

Below is an updated volume graph. 




As you can see from the above graph volumes were in the 2-4k range per hour until about 2am MST this morning before peaking at about 12,000 during the 6am hour.  More updates as they become available.


*** UPDATE 2 4/17/2009 10:40am MST ***  After waning for a bit during the mid-morning hours yesterday, volumes started to pick up again at around Noon MST.  Current averages are between 12-20k messages per hour and have been maintaining in that range for about the last 24 hours.







Posted by smasiello at 9:38 AM
31 March 2009

Conficker Fact and FUD, Flaw In Worm Leads to Detection Tool


I am guessing that most people are suffering from Conficker information overload today!  As such, it is very important to be able to separate the Conficker Facts from the FUD.  In case you have not yet seen it, I blogged last week about what I believe will (not) happen when the Conficker.C variant activates tomorrow, April 1st.  Up to this point we still have not yet seen anything that would lead me to believe anything contradictory to that statement.

I read a couple of places yesterday about a flaw in the C variant of the Conficker worm that identifies infected machines on your LAN differently than machines that are not infected.  According to Dan Kaminsky's blog, this flaw causes a function named NetpwPathCanonicalize() to work differently in the infected version than the version in either the patched or unpatched versions of the Windows OS.  This different behavior is what folks like McAfee, Nessus, Qualys, and others are using to key on to develop a scanner to identify infected hosts.

Although a tool is great to identify machines already infected with the Conficker worm, it is more important to emphasize and re-emphasize the importance of patching and multiple defense layers (from out in the cloud all the way down to the network endpoints) to mitigate these types of infections to begin with.  In the interim, if you believe that machines on your network may currently be infected with the latest Conficker variant download the proof of concept scanner and put together a quickly actionable plan to clean these machines up.
Posted by smasiello at 9:28 AM
27 March 2009

Psyb0t Compromising Insecure Home Routers


Word is spreading of a botnet called Psyb0t that is compromising the home routers of people who have not changed the default login password on those devices.  According to published numbers, around 80,000-100,000 Linksys and Netgear routers have been affected by Psyb0t.  It is important to note that a couple of criteria must be met before your router can be exploited via Psyb0t.  First, the router must be a MIPS device (x86 devices are not vulnerable to Psyb0t).  Second, it has to be configured to be administered remotely (from the internet, not the local LAN), and third, it needs to be using the default password that the device was originally configured with (a common insecure practice).

Although Psyb0t is the first botnet alleged to be exploiting home routers, the concept of compromising routers with default passwords is not a new one.  One of the things that I have the honor of doing as part of my job is a quarterly section for SC Magazine called the "Threat of the Month".  The piece that I submitted for their February 2009 issue was on the topic of "Drive By Pharming".  Essentially what drive by pharming entails is the compromise of home routers that have the "Remote Administration" port enabled so that you can modify their settings from the internet.  If the factory password is still set as the password used to login to the device it is trivial for an attacker to get in, modify your settings to point you to a malicious DNS server such that traffic to legitimate sites gets repointed to sites setup to phish passwords or inject malware.  That is only one possibility.  Another is that a new version of firmware could be uploaded to turn the device into a bot. 

At their core, these home routers are mini computers, susceptible to attack and infection if proper precautions are not taken to protect them.  Default passwords for just about every router made are trivial to find on the internet.  In fact, there are sites set up, like routerpasswords.com, that allow you to select the manufacturer of the router and will tell you the default password for its known models.  Be sure to secure all layers of your home or business network (plenty of SOHO businesses use standard Cable/DSL modems for their internet connectivity).  Never assume that this is being done by someone else or that it is someone else's responsibility.  The default settings on most of the gear that you will buy are set up such that initial access and administration of the device is easy (it reduces support costs and angry customers).  From there it is up to you to make sure best practices are followed to keep your network and data secure from outside intrusion.
Posted by smasiello at 10:28 AM
25 March 2009

Much Ado About Conficker?


There certainly is a lot of attention being paid to the Conficker botnet these days.  Some of this attention is warranted.  What is its purpose?  What is it going to do?  What is it going to be used for?  Will it be split up and sold off to the highest bidders?  All valid questions, but recently most of the attention surrounding Conficker has been around what is being called the "activation" of the botnet on April 1 (April Fool's Day.  Coincidence?). 

Earlier this month a new variant of the Conficker worm, dubbed Conficker.C, was pushed out to update machines that had previously been infected with Conficker.B (the previous variant of the worm).  Several improvements were made in Conficker.C that make it more difficult to infiltrate than its predecessor.  Firstly, it moved away from a pull model where the infected hosts would ping back to a command and control server (the URL that it would communicate with was randomly generated based on an algorithm within the malware code) to see if it had any updates to be downloaded.  In Conficker.C it has moved to a push based method of update where code changes are sent from a command and control host down to the infected client.  The malware further updated itself to include code signing techniques so that it will only accept updates from itself.  These updates are game changers as it relates to how security researchers had generally infiltrated and analyzed botnets.

One of the other major changes that was introduced in Conficker.C was the number of domains that are registered by the botnet to distribute code updates.  In Conficker.B there were 250 random URLs being generated on a daily basis that the botnet would use to look for updates.  Researchers were able to crack the URL generation algorithm and figure out what domains were going to be used on what days so that they could register those domains in advance of the botnet attempting to use them.  In response, the Conficker authors seriously upped the ante by changing the number of URLs used by the botnet from 250 daily to 50,000.  A virtual scoff from the worm authors.

On April 1, the botnet is said to activate its latest variant, Conficker.C, and rumors are running rampant as to what the wide scale implications will be as a result.  All we know at this point is that on April 1, Conficker.C will start using its new code and algorithms to make the botnet much more resilient to penetration by security researchers.  We have spoken several times now about how malware authors are attempting to build the next generation botnet after the McColo shutdown.  Conficker is a clear example of a proof of concept that will likely be used by malware authors until the "next big idea" comes along.

Will it ever actually be used for anything?  Sure, it will.  Why go through all of this effort to create such a huge botnet then not utilize it for something.  In a financially motivated economy it doesn't make sense to not rent it out or sell it off.  My point is don't buy too much into the April 1 hype.  It very well could be much ado about nothing.
Posted by smasiello at 2:56 PM
27 February 2009

The Many Phases of Waledac


Over the past several weeks we have been watching the Waledac botnet go through a couple of different phases.  Back in late January we reported on Waledac resorting back to its familiar roots of sending out spam to malware infected web sites.  Frequently these messages were tied to some sort of holiday and used e-cards as a lure to get potential victims to open the email and visit a malicious web site. 

We saw a couple of different iterations of their most recent Valentine's Day campaigns.  One was for a Valentine Devkit (see above link) and another was a lure for the ever popular e-card.  Since February 22nd, Waledac has taken a bit of a different twist on its typical holiday themes and has focused its efforts on something just as timely: the economy.  Making a copy of a legitimate web site that focuses on helping you save money (who wouldn't want to do that given current economic conditions?), couponizer.com, the Waledac folks sent out emails linking to their spoofed lookalike sites.  As with many other Waledac/Storm generated web sites, just about everything on the page is an image.  This is generally a dead giveaway to folks who have been tracking Waledac/Storm for quite some time, but is a minor detail that is likely lost on most users who are unaware they are being duped.  These images link to a binary executable file which, when downloaded and run by the user, enlists their PC into the botnet.

Below is a screenshot representation of the fake couponizer site:



Take a moment to visit the real couponizer.com and you will notice that the lookalike and legitimate sites bear some similarity.

Since this new variant launched the MX Logic Threat Operations Center has been processing about 15,000 of these messages per hour, a trend that continues 5 days after the tactic's original launch.

Below is a graph that illustrates volumes and shifts in Waledac tactics since 1/23/2009 (the date we started tracking the Devkit variant):



You'll notice that there is no overlap in tactics as Waledac shifts from one template to the next.  The Valentine's e-card tactic started on February 9th and the latest Couponizer spoof started on February 22nd.

Another interesting thing to notice from the graph is that we actually saw more Valentine's day e-card spam coming from Waledac AFTER Valentine's Day than before. 

Nevertheless, it is clear that the Waledac folks are working very hard to build their botnet back up to the levels it was at prior to Microsoft releasing its September 2007 MSRT update, which Microsoft claims was responsible for mostly taking down its predecessor, Storm.  This botnet clearly isn't just about holidays anymore.


Posted by smasiello at 3:40 PM
11 February 2009

Microsoft Targets Srizbi with MSRT


Microsoft has announced that they have added Srizbi botnet code detection to their Malicious Software Removal Tool (MSRT) with its latest update.  As mentioned in the article, Microsoft claimed victory over the Storm botnet by cleaning up over 91,000 Storm infected PCs within 24 hours of releasing their initial Storm heuristics back in September 2007.

As when the original Storm botnet was mostly eradicated, Srizbi isn't a major player in the spam wars these days.  The Srizbi botnet never quite recovered from its days as one of the most prevalent spam botnets after McColo was shut down back in November.  The Cutwail and Mega-D botnets, which were also largely affected by McColo, are doing quite well for themselves, however.

As Joe Stewart said in the article, Microsoft would have served itself better to go after one of the newer botnets on the scene, like Xarvester or Donbot, or even Cutwail or Mega-D.  With all of the news surrounding Conficker and how that botnet still lies in wait to come alive, that would be another prime candidate to target.  I agree with Joe where he said it will be nice to get these machines cleaned up, but it isn't going to have an effect on spam volumes.
Posted by smasiello at 2:04 PM
09 February 2009

Another Waledac Valentine's Day Spam Run Has Started


It looks like the Waledac botnet folks are at it again...new e-card spam with links to malware using a Valentine's Day theme.

The email itself is your standard fare Valentine's Day e-card lure (subject lines starting with "You've got an e-card at <random greeting card domain>"); however, differing from many previous incarnations of e-card spam, the From address does not try to spoof any of the common greeting card web sites (mistake number 1):

----------------------------------------
Ted just mailed to you an Online greeting card and wrote this to you:
"You're So Sweet!"

You may pick it up from:
hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
Your eCard will be available for the next 20 days.
----------------------------------------

We have also seen samples of this tactic linking to yourgreatlove.com, a known Waledac domain. 

Clicking the link in the email will bring you to a cute web site with puppies giving you "the eyes" enticing you to download their malware:



Clearly there is a disconnect between the email which is telling you to pick up your e-card and the web site which is asking you to download a "Valentine Devkit" (mistake number 2).  As a result of this perceived error, volumes are very low (only a few here and there thus far), but this does appear to be a sign that the Waledac gang is gearing up for some kind of Valentine's Day campaign. 

The commercial AV guys don't appear to be up on this one yet so keep your eyes open!  We'll be monitoring the Waledac guys up to and through Valentine's Day this weekend and will post any new variants that we see coming from these guys here.
Posted by smasiello at 10:21 AM
23 January 2009

Valentine's Day Themed Spam from the New Storm Botnet


Starting during the 8pm MST hour on Thursday night (January 22nd) our Threat Operations Center observed a new Valentine's Day themed spam that appears to be coming from the Waledac botnet (the new Storm botnet) gang.  It follows the Storm tradition of sending out holiday-themed emails, lending further weight to the theory that the people behind Waledac are likely the same ones who created Storm.

Emails are short and sweet one-liners with content like "Me and You", "In Your Arms", and "With all my love" followed by a web site link.  No malware is attached to the email itself.  Subject lines also have a love theme.  Some of the examples that our Threat Operations Center has observed include "Falling in love with you", "I belong to you", and "I love being in love with you".  Once the link in the email is clicked the user is brought to a site that has an image of 12 hearts and the bold text "Guess, which one is for you?" and looks like the following:




Clicking anywhere within the hearts follows a link to an executable file that the user can download and install, infecting themselves.  Infection does not occur merely by visiting the page; the executable (e.g. you.exe or love.exe) must be run to install the malware. 

This page is also using Google Analytics to track number of visitors and where those visitors are coming from.

Volumes have been modest, but have accounted for about 10% of the malicious email that we have seen within the past 24 hours.  Traffic has been steadily increasing since it was first observed, as illustrated in the graph below:




Clearly the old Storm folks are working as hard as they can in efforts to build up their new botnet and are following the old tried and true methods of centering their social engineering tactics around holiday themes.  It was very successful for them the last time around so why fix what isn't broken, right?  Nevertheless, it still impresses me that tactics like this continue to work and be so effective despite how many times it gets recycled.


*** UPDATE 1/23/2009 3:20pm MST *** Volumes have been steadily increasing over the course of the day.  Average volume since 9am is about 11k per hour.  We will continue to monitor over the course of the weekend and will post updates as necessary.




*** UPDATE 1/26/2009 8:30am MST *** No significant morphs of this tactic over the weekend.  The folks over at shadowserver.org have posted a list of the domains being spamvertised as part of this campaign.  If you are not already doing so, you may want to consider blocking access to them.  Volumes of this email have been hovering at around 4,000 per hour for the last 36 hours and appeared to take a brief 5 hour hiatus Saturday afternoon between the hours of 2-7pm MST.  Maybe they were watching the NHL All Star Festivities :)  Current volume graph below ***
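The update above suggests blocking the spamvertised domains, and the Waledac e-card post earlier on this page shows the kind of lure that carries them.  The following is an added example, not code from the original post or from MX Logic: it pulls URLs out of a message body (including defanged hxxp:// links, as the e-card sample on this page is written) and matches each host against a domain blocklist by suffix, so that yyiet.worshiplove.com matches an entry for worshiplove.com while a look-alike such as notyourgreatlove.com does not.  The blocklist holds the two domains named on this page; the second sample message and its domain are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Domains named on this page as used by the Waledac e-card run.  In practice
# this set would be fed from the shadowserver.org list mentioned above.
BLOCKED_DOMAINS = {"worshiplove.com", "yourgreatlove.com"}

# Matches live (http/https) and defanged (hxxp/hxxps) links in plain-text bodies.
URL_RE = re.compile(r"\b(?:hxxp|http)s?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(body):
    """Return the lower-cased hostnames of every link found in the body."""
    hosts = []
    for match in URL_RE.finditer(body):
        url = re.sub(r"^hxxp", "http", match.group(0), flags=re.IGNORECASE)  # undefang
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if the host or any parent domain (except the bare TLD) is listed.

    Suffix matching on label boundaries, not substring matching: a.worshiplove.com
    is blocked, notworshiplove.com and worshiplove.com.example.org are not.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))


def blocked_hosts(body, blocked=BLOCKED_DOMAINS):
    """Sorted, de-duplicated list of linked hosts that hit the blocklist."""
    return sorted({h for h in extract_hosts(body) if is_blocked(h, blocked)})


# The e-card lure quoted on this page (defanged link kept as written).
SAMPLE_ECARD = """Ted just mailed to you an Online greeting card and wrote this to you:
"You're So Sweet!"

You may pick it up from:
hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
Your eCard will be available for the next 20 days.
"""

# Constructed one-liner in the style of the Storm run; the domain is invented
# for this example and is deliberately not on the blocklist.
SAMPLE_ONELINER = "Me and You http://love.example.net/"

if __name__ == "__main__":
    for name, body in (("ecard", SAMPLE_ECARD), ("oneliner", SAMPLE_ONELINER)):
        print(name, extract_hosts(body), blocked_hosts(body))
```

A mail filter would run `blocked_hosts` over each body and quarantine anything that returns a non-empty list; the suffix match is what keeps random per-message subdomains from slipping past a list of apex domains.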







Posted by smasiello at 11:23 AM | Link | 2 comments
05 January 2009

Lance Winslow Post Follow Up


I wanted to take a few minutes to post a follow up to my blog the other day about an article by Lance Winslow that was originally written in 2005 and reposted by ezinearticles.com with a date of December 31, 2008, making it appear as if Lance had written the content recently. 

Businesses do have a lot of choices when making decisions about protecting their network infrastructures.  They can choose to do it in-house using a number of open source solutions or commercial desktop software.  They can also purchase a network-based appliance, which also typically has to be maintained in-house, or they can look to in-the-cloud solutions using a Managed Service like MX Logic (I'll reiterate my partiality to Managed Services :) ).  No matter which type of solution you prefer for your organization, most are effective at stopping spam.  The bigger questions that any company must answer when making these decisions are how much control it wants to have, how much bandwidth risk it deems acceptable in the event of a large outbreak, and how much internal resource it wants to allocate to managing these solutions. 

Overall, spam rates are still down about 45% from their most recent peak in August as a result of the McColo shutdown.  Despite the movement to the web as a primary malware delivery vehicle, and with occasional peaks and valleys in mail flow over short periods of time, spam volumes have historically continued to increase and will continue to do so.  The biggest reasons for these historical increases are improved attack precision (i.e. more targeted attacks and fewer en masse spam campaigns) and refined social engineering that dupes users into opening attachments and visiting web sites that enlist their PCs into botnets. 

I do agree with Lance's point with respect to the efforts already put forth by the FTC as being largely fruitless.  There have been few arrests since CAN-SPAM went into effect 5 years ago.  At the end of the day, spammers are criminals and should be arrested, but cooperation is needed by many others outside of law enforcement like the upstream bandwidth providers and domain registrars if we are really to make a dent in the spam problem.

At the end of the day, whether spam volumes are up or down, cyber crime is both a criminal and a social problem.  I think the criminal part is pretty self-explanatory, but what drives people to cyber crime?  Money.  Lots of it.  With the relatively few arrests that have been made in comparison to the number of spammers trying to fill our inboxes on an everyday basis, cyber crime is considered to be a low-risk, high-reward venture.  Considering the difficult economic times we are now in the middle of, where companies are tightening their belts as much as possible and unemployment is rising on a daily basis, it would not be surprising to see more people getting involved in cyber crime activities. 

So, to come back to my original point before going on a bit of a tangent: Is an article written back in 2005 about spam volumes, tactics, and defenses entirely relevant today?  I would say both yes and no.  Although tactics have evolved and businesses are feeling more and more pressure every day to find ways to keep their mail servers online and prevent confidential data from leaking out of their networks, there are a lot of options available.  Businesses need to evaluate which type of solution provides them with the options and features that best suit their business and compliance needs.


Posted by smasiello at 2:51 PM | Link | 1 comment
03 January 2009

Who is Lance Winslow and What is He Talking About?


An MXL co-worker (Thanks, Grant!) directed me to this blog posting by a guy named Lance Winslow titled "SPAM Killing Small Business Productivity".  It is no surprise to anyone that any small business that has not taken steps to protect their infrastructure with some kind of anti-spam/traffic shaping/traffic control device or service (I am partial to the managed service form factor, BTW :) ) is feeling the effects of the amount of spam flying over the internet on a daily basis.  So, in that respect Lance hasn't started off his post with anything revolutionary.

Then things start to get weird...

Lance states "...the Federal Trade Commissions; FTC’s war on SPAM is killing small businesses and flooding their inboxes with junk mail".  What?!  Last I checked, a LOT more people than just those involved in the FTC are fighting spam on a daily basis and doing a pretty decent job of it.  I work with many of them on a daily basis both at MX Logic and at our many competitors.  Secondly, how is the FTC's war on spam killing small businesses and flooding inboxes with junk mail?  Last I checked, that was the spammers who were responsible for that....oh yeah, and the infected PCs that they use to do their dirty work.  I'll concede that CAN-SPAM hasn't done much, but spam hasn't increased as a result of CAN-SPAM.  Spam has increased due to money-chasing criminals using spam as a vehicle to make money.

Lance then goes on to say "America Online indicated that it culls 75% of the incoming SPAM thru filters and many other companies are able to do this too. But what if you are a small business which does not have such features on your website? What do you do then? You cannot do a thing."  Strike 2!  Firstly, I know quite a few of the anti-spam folks over at AOL personally and I'll be more than happy to publicly defend them and say that I am sure they are catching more than 75% of incoming spam.  If that were MX Logic's catch rate I surely would have been fired years ago!  It certainly hasn't been my looks that has gotten me by! :)  Further, how can Lance ascertain that there is nothing you can do if you do "not have such features on your website"?  I am going to guess that he is really referring to inboxes here and not web sites (as web sites are a bit of a different animal than what he originally started out his post with).  Has he ever looked into the cost of a Managed Security Service or a network appliance?  Anyone can deploy anti-spam defenses at a fairly low cost per user.  The cost can even be free if you are willing to do the work yourself to maintain your own installation of a software package like SpamAssassin. 

His final paragraph states "A concocted report from MX Logic purports that SPAM is down a whopping 9%? If you believe that you are on drugs just like the FTC. If you are a small business getting 300 junk mails per day, obviously this is not going to help you in the least as it still means you are getting over 275 junk mails a day. Worse the figure of nine-percentile is said to be a complete misrepresentation and convenient fabrication."  Perhaps Lance should do a bit more reading about the decline in spam volumes since the shutdown of McColo back on November 11th (although I do appreciate that he is reading our report!).  Although the botnets that were originally debilitated as a result of the McColo shutdown are back online, spam volumes overall are still down from where they were pre-McColo.  Now, I will agree with Lance's point that if you were getting 300 spam emails per day and are still getting around 275 per day, you are still getting deluged (perhaps our sales folks should try to sell Lance an anti-spam solution :) ).  At a micro level this doesn't seem like a big deal, but when looked at on a macro scale, in an environment like ours or at other major ISPs that process hundreds of millions of emails per day, the effects are dramatic.

I'm curious as to what authority he stands on or interviewed to make the statement that drops in spam volume are a "complete misrepresentation and convenient fabrication" ?  How is saying that spam volumes are down convenient for us?  In our business, spam sells.  The more there is, the better sales numbers grow as businesses become more aware of the inadequacies of their own systems in trying to manage spam themselves.  They realize that they NEED an alternative so that they can focus on their core competencies and not just on keeping their mail servers online.  As a result, crises and large spam events like the CNN outbreak from back in August are great for our sales numbers.  It certainly makes selling the need for a solution easier on them.  I've been accused during media interviews by less tech savvy reporters of trying to spread FUD because "I have to say that spam volumes are up because fighting spam is the business that we are in", but never that I'm lowering numbers for convenience.  I don't quite see how that argument makes any sense.

The closing of his post is the coup de grâce: "If you have innovative thoughts and unique perspectives, come think with Lance."  I would certainly say that Lance's perspectives are unique (and completely uninformed), but his thoughts are not quite so innovative (however quite imaginative!).

Posted by smasiello at 3:40 PM | Link | 7 comments
31 December 2008

MD5 Collisions a Game Changer for SSL and AV Companies?


There has been quite a bit of press over the last day or two about a weakness in the way some SSL certificates are signed that could allow an attacker to forge a certificate that passes the built-in authentication checks in your browser.  The flaw is not in SSL itself but in MD5, the hash algorithm that some certificate authorities were still using to sign certificates; the researchers used an MD5 collision to obtain a forged CA certificate that browsers trust.  This means that a malicious, look-alike web site for your bank could authenticate to your browser as your real bank web site if the attack is carried out correctly.  See this story from CNET, which has a graphical proof-of-concept example using Bank of America.

If you are not familiar with MD5, it is a hash function that maps an input of any length to a 128-bit digest and is used by many security applications.  For example, an MD5 hash is commonly used as a checksum by system integrity validators (SIV) to ensure that key binaries on your system have not changed from their known-good state (if they have, this could indicate that a trojan or rootkit has been installed on your system). 

MD5 has been known for some time not to be secure against collisions, i.e. two different inputs that produce the same digest.  The digest is 128 bits (usually written as 32 hexadecimal characters), so on paper finding a collision by brute force should take on the order of 2^64 work, which was considered good enough for many applications.  Since 2004, however, cryptanalytic attacks have cut that cost drastically, and with the power of today's clustered computing environments (including botnets) the time it takes to generate a collision, even one where the attacker chooses the meaningful content of both inputs, has been greatly reduced.  According to the CNET article, the certificate forgery proof of concept took about 2 weeks on a cluster of 200 PlayStation 3s.  That kind of computing power is infinitesimal compared to most botnets.  Quite a few articles on the web (a Google search for "md5 collision example" will turn up some with source code) already discuss how easy it is to create an MD5 collision. 

Web site forgeries are only one example of how MD5 collisions can be used to circumvent security technologies.  My friend Adam O'Donnell from Cloudmark points out in a Twitter update that an MD5 collision could also be used to make malicious software look legitimate.  Take our SIV example from earlier.  One caveat is needed here: a collision attack gives the attacker two inputs that they themselves construct with the same hash; it does not let them match the hash of a binary someone else has already shipped (that would be a second-preimage attack, which MD5 still resists).  The practical version of the attack is therefore for the attacker to supply both twins: a benign binary whose checksum gets recorded as the trusted baseline, and a malicious one with the identical MD5 that is swapped in later.  Your integrity checks would never notice the swap, and a trojan or rootkit could sit on the system undetected.  This could also force AV companies to rethink some of their own scanning methods, wherever MD5 is used to recognize known-good or known-bad files.
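To make the two previous paragraphs concrete, here is an added example, not code from the original post or from any of the parties it mentions.  It uses the two 128-byte inputs from the MD5 collision published by Wang et al. in 2004, which are widely reproduced and differ in only six bytes, and checks three things: that they share an MD5 digest but not a SHA-256 digest; that appending the same suffix to both keeps the MD5 collision (both inputs are exactly two full MD5 blocks, so the hash state after them is identical and any common tail hashes the same), which is how an attacker gets two full-sized files with one MD5; and that an SIV-style baseline check built on MD5 misses the swap while one built on SHA-256 catches it.  The "app.exe" file name and the program body appended as a suffix are constructed for the example.

```python
import hashlib

# Two 128-byte inputs from the MD5 collision published by Wang et al. (2004).
# They differ in six bytes (offsets 19, 45, 59, 83, 109, 123) but share one
# MD5 digest.  Both are exactly two 64-byte MD5 blocks long.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def differing_offsets(a, b):
    """Byte positions at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides(a, b, algo):
    """True when a != b but both hash to the same value under `algo`."""
    return a != b and hashlib.new(algo, a).digest() == hashlib.new(algo, b).digest()


def extend(suffix):
    """Append one common suffix to both colliding prefixes.

    Because MD5 processes the input block by block, the internal state after
    BLOCK_A equals the state after BLOCK_B, so any identical suffix hashes the
    same.  An attacker ships two programs (or two certificates) that consist
    of a colliding prefix plus a shared body and gets two files with one MD5.
    """
    return BLOCK_A + suffix, BLOCK_B + suffix


def integrity_check(baseline, files, algo):
    """SIV-style check: names of files whose digest no longer matches baseline."""
    return [name for name, data in files.items()
            if hashlib.new(algo, data).hexdigest() != baseline.get(name)]


def swap_detected(algo):
    """Record the benign twin as the baseline, then swap in the malicious twin.

    Returns True if the integrity check under `algo` flags the swap.  The
    file name and body are constructed for this example.
    """
    benign, malicious = extend(b"\x00" * 16 + b"shared program body, constructed for this example")
    baseline = {"app.exe": hashlib.new(algo, benign).hexdigest()}
    return integrity_check(baseline, {"app.exe": malicious}, algo) == ["app.exe"]


if __name__ == "__main__":
    print("differing bytes:", differing_offsets(BLOCK_A, BLOCK_B))
    print("md5 collides:   ", collides(BLOCK_A, BLOCK_B, "md5"))
    print("sha256 collides:", collides(BLOCK_A, BLOCK_B, "sha256"))
    print("swap caught by md5:   ", swap_detected("md5"))
    print("swap caught by sha256:", swap_detected("sha256"))
```

Note what the example does not do: it never produces a second input for a hash it was merely given.  Both twins come from the attacker, which is exactly the setting in which an MD5-based whitelist, signature or certificate can be fooled.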

What all of this really highlights is that MD5 is no longer a "good enough" hashing algorithm (and in reality hasn't been for a while, though that hasn't stopped people from using it) if your intention is to create a hash that will be used as part of any kind of security or authentication system.  I agree with Paul Kocher's statement in the CNET article that this is certainly not one of the biggest security issues facing us right now.  Still, among all of the application-based attacks that exist, this one could be very dangerous because, at least for web site forgeries, it does not require elaborate social engineering: the redirection to a malicious site can be carried out at the network level. 

This is not one of those types of attacks that is likely to occur on a large scale against many widely used web sites (like the Bank of America proof of concept) as it would likely get sniffed out very quickly, but if used for smaller, more localized attacks could prove to be effective. 
Posted by smasiello at 8:30 AM | Link | 1 comment
12 December 2008

McColo - A One Month Retrospective


It has been one month since McColo had its upstream bandwidth cut off by Global Crossing and Hurricane Electric.  What has changed since? 

As we've previously reported (here and here), immediately after the McColo shutdown we saw a 50-60% decline in spam volume.  This drop carried on for about 9 days even though in the middle of all of this McColo was briefly brought back online by TeliaSonera.  During this brief uptime the Rustock botnet was able to update itself and point its bots to different command and control hosts.  It wasn't until 4 days later that Rustock came back with a vengeance and resumed its normal spamming activities.

Since that time we have also seen the Mega-D botnet come back online as well.  The current net result is still positive as spam volumes are still about 40% lower than what they were prior to McColo.  This is largely due to the fact that the Srizbi botnet still only shows minor signs of life despite reports that Srizbi is back in the hands of its original owners.

I am still surprised that these botnets were so easy to cripple to begin with, even if only temporarily.  What this will end up leading to, however is the bigger, better botnet which will have more redundancy built in, have command and control centers that are live on multiple networks having bandwidth provided by multiple providers and fast fluxes both its nodes and nameservers to create a truly interconnected network that can only be taken down by effectively removing all of the connected, infected machines.  Add in encrypted channel communication between the nodes and some of the DDoS defense mechanisms incorporated by botnets like Storm and your botnet is bulletproof.

As defenses improve, attack tactics evolve.  Just like when Word macro writers realized that they had to move on to the next generation of infection, those who are diligently working on new botnet communication technology are working on the next generation botnets (yes, plural).  Get ready.
Posted by smasiello at 9:31 AM | Link | 0 comments
02 December 2008

Apple Recommends Using Antivirus Software


It looks like Apple has finally changed their tune as it relates to using security software on their PCs and is now telling their users to make sure they have antivirus software installed.  See article here.

This move was inevitable.  At some point Macs would gain enough market share for them to become more of a target for hackers and cyber criminals.  Most security researchers have been saying that for a long time, and I applaud Apple for finally coming to that realization also, even though it really should have been said some time ago.  Now the Mac users who have long been saying that they don't need to worry about malware "because they run a Mac" really don't have a leg to stand on as even the manufacturer of their computer has come out and contradicted that claim.

From a timing perspective this announcement comes at a good time as well.  As IT managers are working on their 2009 budgets, this is now something that they need to include as another line item to allocate money for early in the year.  If your Mac does not already have some kind of antivirus software installed, the time is now to get it.  Apple's personal computer market share continues to increase which means its prevalence as a target will also continue to rise.  Don't be left holding the bag either as a personal Mac user or as a corporate user.  Macbots are coming.  iPhones and iPods will not be far behind.

*** UPDATE 12/2/2008 4:42pm MST ***  So it looks like I need to recant a little bit.  If you look at Apple Knowledge Base Article 4454, you notice the last updated date of December 2, 2008.  This article was originally published back on June 8, 2007.  Unfortunately, the existence of this article hasn't changed most Mac user hubris in their invulnerability to malware because the fact of the matter remains that many Mac users still don't use antivirus software on their machines.  The time is still now to change that.  A widespread Mac virus could be a devastating event!
Posted by smasiello at 8:43 AM | Link | 5 comments
26 November 2008

The Honeymoon is Over


Apparently you just can't keep a good botnet down.

As expected, the honeymoon that we have been on since the November 11th shutdown of McColo is over.  As we discussed in our previous post about the volume declines after the McColo shutdown, the Rustock botnet was able to update some of its infected machines during an approximately 12 hour period that McColo was brought back online by TeliaSonera, a Swedish ISP.  Rustock has come back and come back strong over the past few days mostly sending out Canadian Pharmacy spam (one of our all time favorites).








Above are traffic graphs for the three major botnets that were affected as a result of the McColo shutdown.  The big dropoffs for Srizbi and Mega-D are both on November 12 (the day after McColo was taken offline).  Traffic from both the Srizbi and Mega-D botnets has been virtually non-existent since the 12th.

The Rustock spike started on November 20, about 5 days after McColo was temporarily brought back online. 

Just to keep us all on our toes, we've even seen some signs of life from the Storm botnet that most of us had written off for dead.  Although it is felt that some of this traffic was coming from poorly configured Barracuda devices, we're still keeping an eye out in the event that there is potential of this botnet coming back.

Despite the resurrection of the Rustock botnet, overall mail volumes are still down about 30-35% from where they were prior to November 11.  Today, FireEye is reporting that the Srizbi botnet is back under the control of its original owners and that new command and control servers have been registered in Russia.  So, it stands to reason that Srizbi will not be dormant for much longer before we start to see spam volumes increasing again.  The last two weeks have been a nice holiday before the holiday, but it looks like we are very quickly getting back to business as usual....and that's just the way I like it!
Posted by smasiello at 1:25 PM | Link | 1 comment
17 November 2008

The Day the Botnet Died


Last week we reported the significant decrease in spam volumes as a result of the shutdown of McColo, a hosting provider that was catering to spammers.  I wanted to take a few minutes and lend a bit more color and data to what we originally reported now that we have had a few days to let the real effect soak in.

We continue to see an over-50% decline in total mail flow (all of it spam).  In fact, that percentage appears to have leveled off at over 60%.  A bit lower than the 75% reduction some are reporting, but no matter how you slice it the effect has been more than significant.

Below is a graph outlining hourly mail flow patterns since November 1:



The significant drop-off that you see about two-thirds of the way through the graph correlates directly with the McColo shutdown on 11/11.  According to our stats that dropoff occurred during the 1pm MST hour on the eleventh. 

Three botnets in particular appear to have been severely debilitated as a result of the McColo shutdown: Srizbi, Rustock, and Mega-D.  Traffic associated with the Mega-D botnet (named for its advertisement of male enhancement products) has declined over 95% since 11/11 and Srizbi volume has declined by over 80%.






Sophos is reporting that McColo was briefly brought back online this weekend by a Swedish ISP named TeliaSonera.  After receiving many complaints about the matter from security researchers they were taken offline again, but not before the folks responsible for the Rustock botnet were able to release a code update to their bots to point them away from McColo.  It is unclear at this point whether that update was released to a significant base of Rustock infected PCs, but it does breathe new life into a botnet that had briefly been put on life support.  So far today we are not observing any significant effect as a result of the Rustock update. 

Spam's share of all email has also taken a big hit as a result of the decline in spam volume.  For the past 2 years we have been reporting spam at about 90% of all email traffic on the internet.  Since the McColo shutdown that percentage has occasionally dipped into the low-to-mid 70s, levels we have not seen since the first quarter of 2006.

Although the short-term effect of the McColo shutdown has been significant, we still do not believe that spam volumes will be affected over the long haul.  Botnets come and go and malware techniques will continue to evolve.  As Storm declined in volume, botnets like Srizbi, Mega-D, Rustock, Cutwail, and others have been more than ready to pick up the slack.  The punch line to all of this remains the same.  The people who can have the most impact in winning battles in the war against spam are the people who provide domain registrar service, DNS service, and ultimately bandwidth service to bots and botnet owners.  If bots cannot communicate, they cannot thrive.  The events of the past week have been a perfect example of that.
Posted by smasiello at 11:23 AM | Link | 0 comments
05 November 2008

President Elect Barack Obama Target of New Malware Campaign


That certainly didn't take long, did it? 

Just hours after Barack Obama was projected by all of the major news outlets to become the 44th President of the United States, cyber criminals have already launched a link-based malware campaign using Obama as a lure.  Uncle Sam wants you to vote.  Spammers want you to join their botnets!

As with most effective malware campaigns, timeliness is everything.  The social engineering tactic being used, coupled with the interest in the election and its outcome, means we are already observing high volumes of this tactic, and many users are being tricked into infecting their PCs with malware that will be used to send out more of this type of spam.

Starting at about 8am MST this morning we started to see messages come into our spamtraps purporting to be from various credible news organizations using from addresses like news@bbc.com, news@cnn.com, election@usatoday.com, among others.  The emails have subject lines such as "Barack Obama Wins", "Election Night Results", and "Fear of a Black President".

The messages themselves vary a bit, but the basic premise is the same across the different variants that we have observed so far.

Here is one sample:

-----------------------------------------------
Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
------------------------------------------------

As usual, note the grammatical errors.

The link in the message brings the user to a look-alike news web site which alleges that the user must download an updated version of Flash to view the video of Obama's speech:




Clicking on the download link attempts to download a file called adobe_flash9.exe, which contains the malware.

If early indications are any sign of future success, this campaign is going to be a success, but won't win the popular vote (ok, sorry for my bad political humor).  In the first 2 hours we have already seen almost 1M of these messages (over 350k in the 8am MST hour and over 600k in the 9am hour). 

The folks over at Websense reported another Obama malware campaign in Spanish.  This, however appears to be a very low volume, targeted campaign.  We have seen less than 50 of these total, but it underlines the fact that cyber criminals are definitely jumping on the post-election bandwagon and doing it in a big way.  Strangely enough, if this trend continues we might see more post-election spam than we saw pre-election.  Who would've expected that?

Posted by smasiello at 11:11 AM | Link | 3 comments
09 September 2008

If You Predict It, Spam Will Come


I've taken a bit of heat internally because I neglected to announce last week's posting of the monthly MX Logic Threat Report and Forecast for September.  The latest edition can be downloaded here.

In that report we predicted that as the Democratic and Republican National Conventions concluded and the campaign season kicked into high gear, we would see a continuation of the recent spam tactic in which hackers use tabloid-like news headlines as a lure to get people to open malicious emails, but with a political twist.  So, instead of fake Britney Spears or Oprah headlines as a means to get unsuspecting users to view a video or news clip, the movement has started toward targeting Barack Obama by similar means.

Some of the subject lines that we are currently seeing targeting Obama are:

Obama is ponstar now
Porno with Obama
Sex Video with Obama
Obama Sex Video
Barack Obama Hardcore
Barack Obama sex story with girl
Obama private porno
Barack Obama sex story with Ukrainian girl

Note that we have not yet seen any similar tactics targeting John McCain.

Volume on this tactic is currently extremely low (under 100 total have been seen thus far), but this is likely a proof of concept method that will play itself out over the next two months where more believable tactics are used by spammers.  Instead of using tabloid like headlines, be on the lookout for emails containing attachments or links to sites claiming to be hosting the latest candidate television commercial or video with excerpts from a speech at their latest campaign stop.

Obviously there is a bit of a shock factor with these tabloid like headlines that grab people's attention, but since this tactic has been around for several weeks now, expect it to morph to using lures that are far more plausible in the very near future.

Posted by smasiello at 12:15 PM | Link | 0 comments
05 August 2008

Spam Alert: Huge Volumes of Fake CNN News Updates


Heads up on a new, very high volume Fake CNN News Update spam run that is making the rounds.  The subject of the email is "CNN.com Daily Top 10."  Our Threat Operations Center has seen over 5 million of these just in the last hour alone and over 80 million in the last 24 hours. 

Below is a screen shot of the message. 




Over the last few weeks we have been seeing large spam runs of what we are calling single-line spam where an email contains a brief lure based on fake news headlines such as "US track team disqualified from Olympics" or "Beijing Olympics postponed indefinitely" followed by a link.  The web site linked to in the message is a link to a "video codec" (er, malware) that the user is prompted to download in order to view the online video.

The tactic being used here is similar to what we saw with the Porntube malware that we saw back in June (click here for original Porntube blog post) where the user is prompted to download the video codec when the page initially loads.  If the user clicks "Cancel" to not download the codec, another popup is presented where the user is told that they have to download the codec to view the video.  This endless loop continues until the user kills their browser session at the operating system level or installs the "codec." 

This new CNN tactic is likely to be more successful than the single-line spam tactic that we had been seeing over the past several weeks, as this message looks like it could be a news update email sent by CNN.  This new message also attempts to trick the user into believing that they signed up to receive it because of their email preference settings at the CNN web site.  If you see this message come into your inbox, delete it immediately.

Posted by smasiello at 10:09 AM | Link | 13 comments
30 June 2008

Storm Wants to Make You a Winner!


Of course it is appropriate that on the same day we write about the author of fast flux pleading guilty to a felony that we see another Storm Worm variant come out.  Granted, new Storm Worm variants are nothing new.  They come out all the time.  I figured I would send out some red flags on this one because as of the time of this writing AV identification of this new variant is less than 10%.

The lure is your typical one-liner type of email which has a love lure in the message body such as "I Want You, I Need You, I Love You" or "You are in my heart" followed by a link to a web site that serves up two executables (both linked to Storm).

This is a screen shot of what the site looks like:



Clicking on the banner at the top of the page attempts to download a file named winner.exe.  Clicking the "Click Here" link attempts to download mylove.exe.

Here are the virustotal.com results for winner.exe and mylove.exe:

Antivirus Version Last Update Result
AhnLab-V3 2008.7.1.0 2008.06.30 -
AntiVir 7.8.0.59 2008.06.30 -
Authentium 5.1.0.4 2008.06.29 -
Avast 4.8.1195.0 2008.06.30 -
AVG 7.5.0.516 2008.06.30 -
BitDefender 7.2 2008.06.30 -
CAT-QuickHeal 9.50 2008.06.30 -
ClamAV 0.93.1 2008.07.01 -
DrWeb 4.44.0.09170 2008.06.30 -
eSafe 7.0.17.0 2008.06.30 Suspicious File
eTrust-Vet 31.6.5914 2008.06.30 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.06.29 -
F-Secure 7.60.13501.0 2008.06.26 -
Fortinet 3.14.0.0 2008.07.01 -
GData 2.0.7306.1023 2008.06.30 -
Ikarus T3.1.1.26.0 2008.06.30 -
Kaspersky 7.0.0.125 2008.07.01 -
McAfee 5328 2008.06.30 -
Microsoft 1.3704 2008.07.01 -
NOD32v2 3229 2008.06.30 -
Norman 5.80.02 2008.06.30 -
Panda 9.0.0.4 2008.07.01 Suspicious file
Prevx1 V2 2008.07.01 -
Rising 20.51.02.00 2008.06.30 -
Sophos 4.30.0 2008.07.01 -
Sunbelt 3.1.1509.1 2008.06.30 -
Symantec 10 2008.07.01 -
TheHacker 6.2.96.365 2008.07.01 -
TrendMicro 8.700.0.1004 2008.06.30 -
VBA32 3.12.6.8 2008.06.30 -
VirusBuster 4.5.11.0 2008.06.30 -
Webwasher-Gateway 6.6.2 2008.06.30 -


Antivirus Version Last Update Result
AhnLab-V3 2008.7.1.0 2008.06.30 -
AntiVir 7.8.0.59 2008.06.30 -
Authentium 5.1.0.4 2008.06.29 -
Avast 4.8.1195.0 2008.06.30 -
AVG 7.5.0.516 2008.06.30 -
BitDefender 7.2 2008.06.30 Trojan.Peed.JLV
CAT-QuickHeal 9.50 2008.06.30 -
ClamAV 0.93.1 2008.07.01 -
DrWeb 4.44.0.09170 2008.06.30 -
eSafe 7.0.17.0 2008.06.30 Suspicious File
eTrust-Vet 31.6.5914 2008.06.30 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.06.29 -
F-Secure 7.60.13501.0 2008.06.26 -
Fortinet 3.14.0.0 2008.07.01 -
GData 2.0.7306.1023 2008.06.30 -
Ikarus T3.1.1.26.0 2008.06.30 Email-Worm.Win32.Zhelatin.zy
Kaspersky 7.0.0.125 2008.07.01 -
McAfee 5328 2008.06.30 -
Microsoft 1.3704 2008.07.01 -
NOD32v2 3229 2008.06.30 -
Norman 5.80.02 2008.06.30 -
Panda 9.0.0.4 2008.07.01 -
Prevx1 V2 2008.07.01 -
Rising 20.51.02.00 2008.06.30 -
Sophos 4.30.0 2008.07.01 -
Sunbelt 3.1.1509.1 2008.06.30 -
Symantec 10 2008.07.01 -
TheHacker 6.2.96.365 2008.07.01 -
TrendMicro 8.700.0.1004 2008.06.30 -
VBA32 3.12.6.8 2008.06.30 -
VirusBuster 4.5.11.0 2008.06.30 -
Webwasher-Gateway 6.6.2 2008.06.30 -


So, as you can see, AV pickup so far has been non-existent although I am sure it will pick up soon.  The IPs that are hosting the infected URLs are being rotated using fast flux.  In just the 15 minutes that I have been monitoring some of the sites they have already changed IPs several times. 
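As an added example (not code from the original post), the Python below parses results pasted in the same flattened layout as the tables above and separates named signatures from heuristic "suspicious" verdicts, which is the distinction that matters when judging how much AV pickup a new variant really has. The sample rows are a constructed subset of the tables, and the marker words used to spot heuristic verdicts are an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the same flattened layout as the VirusTotal tables
# in the post (vendor, engine version, signature date, verdict); only a few
# of the 33 rows are reproduced here.
SAMPLE_TABLE = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.7.1.0 2008.06.30 -
BitDefender 7.2 2008.06.30 Trojan.Peed.JLV
eSafe 7.0.17.0 2008.06.30 Suspicious File
Ikarus T3.1.1.26.0 2008.06.30 Email-Worm.Win32.Zhelatin.zy
Panda 9.0.0.4 2008.07.01 Suspicious file
Prevx1 V2 2008.07.01 -
"""

# Verdict words assumed to mean "looks odd" rather than "matches a known family".
HEURISTIC_MARKERS = ("suspicious", "heur", "generic", "packed")


@dataclass
class Row:
    vendor: str
    version: str
    updated: str
    result: str


def parse_vt_table(text: str) -> List[Row]:
    """Parse the flattened 4-column layout; the verdict may contain spaces."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):
            continue  # blank line or the column-header line
        parts = line.split(None, 3)  # vendor, version, date, rest of line
        if len(parts) != 4:
            continue  # mangled row: skip rather than mis-assign columns
        rows.append(Row(*parts))
    return rows


def summarize(rows: List[Row]) -> Dict[str, object]:
    """Split detections into named signatures and heuristic-only verdicts."""
    named, heuristic = [], []
    for r in rows:
        if r.result == "-":
            continue  # engine returned no detection at all
        if any(m in r.result.lower() for m in HEURISTIC_MARKERS):
            heuristic.append(r)
        else:
            named.append(r)
    total = len(rows)
    return {
        "total": total,
        "named": len(named),
        "heuristic": len(heuristic),
        "families": sorted(r.result for r in named),
        # "AV pickup" as the post uses it: any verdict at all.
        "detection_rate": (len(named) + len(heuristic)) / total if total else 0.0,
        # The stricter figure: engines that actually name the family.
        "signature_rate": len(named) / total if total else 0.0,
    }
```

Run `summarize(parse_vt_table(SAMPLE_TABLE))` on the full tables pasted above and both files come out under the 10% the post cites, with only two or three engines returning any verdict at all.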

This is not likely to be the only time this week that we hear from Storm.  Last year during the July 4th holiday is when we started to see the big fake e-card Storm surge.  Although most people are used to seeing these by now, they always manage to be popular social engineering lures nonetheless. 

Expect to see some revisit of Storm sometime later this week.  It might not be e-cards, but in following with Storm's tradition of releasing new variants on or near holidays, I would be very surprised if a Storm weren't already brewing.
Posted by smasiello at 5:21 PM | Link | 1 comment

Nugache Worm Author Pleads Guilty

Another one bites the dust...

Jason Michael Milmont, the author of the Nugache worm and the creator of what came to be known as "Fast Flux," has pleaded guilty to one count of unlawfully accessing computers, a felony, in a Wyoming federal court.

Fast Flux is an abuse of the domain name system (DNS) by which botnets will continually rotate the IP addresses associated with a malware infected web site to evade detection and forensic analysis.  This constant mobility makes the botnet very difficult to shut down.

There is also an evasion tactic called "Double Flux" which is similar to Fast Flux in that it will not only rotate a domain's responding IP addresses, but also that domain's authoritative name servers.  The reason that it is called "Fast" flux is because these IP addresses will rotate as often as every couple of minutes.
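The rotation described here (and the IP changes seen within 15 minutes in the Storm post above) can be measured from passive DNS. The following Python is an added example written for this page, not analysis from the post or from any Nugache or Storm write-up: it computes per-domain features from a constructed set of DNS answers and labels a domain stable, fast-flux, or double-flux. The thresholds in `classify` are assumptions for this sample window, not published cut-offs.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Answer(NamedTuple):
    ts: int       # seconds into the observation window
    name: str     # queried domain
    rrtype: str   # "A" or "NS"
    ttl: int
    rdata: str    # IP address or name-server host


# Constructed passive-DNS observations over a 15-minute window. flux.example is
# built to behave like the hosts the post describes: a fresh set of A records
# every few minutes on 60-second TTLs, with the NS records rotating as well.
# static.example is an ordinary site that answers the same way every time.
OBSERVATIONS = [
    Answer(0, "flux.example", "A", 60, "198.51.100.10"),
    Answer(0, "flux.example", "A", 60, "198.51.100.11"),
    Answer(0, "flux.example", "NS", 60, "ns1.flux.example"),
    Answer(180, "flux.example", "A", 60, "203.0.113.5"),
    Answer(180, "flux.example", "A", 60, "203.0.113.9"),
    Answer(180, "flux.example", "NS", 60, "ns7.flux.example"),
    Answer(420, "flux.example", "A", 60, "192.0.2.77"),
    Answer(420, "flux.example", "A", 60, "192.0.2.78"),
    Answer(900, "flux.example", "A", 60, "198.51.100.10"),
    Answer(0, "static.example", "A", 86400, "192.0.2.1"),
    Answer(0, "static.example", "NS", 86400, "ns1.static.example"),
    Answer(900, "static.example", "A", 86400, "192.0.2.1"),
]


def flux_features(obs: List[Answer]) -> Dict[str, int]:
    """Distinct IPs, distinct name servers, lowest TTL and A-set changes."""
    ips, servers, by_time = set(), set(), defaultdict(set)
    for a in obs:
        if a.rrtype == "A":
            ips.add(a.rdata)
            by_time[a.ts].add(a.rdata)
        elif a.rrtype == "NS":
            servers.add(a.rdata)
    # Count lookups whose A record set differed from the previous lookup.
    changes, prev = 0, None
    for ts in sorted(by_time):
        cur = frozenset(by_time[ts])
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
    return {"ips": len(ips), "nameservers": len(servers),
            "min_ttl": min(a.ttl for a in obs), "a_changes": changes}


def classify(f: Dict[str, int], max_ttl=300, min_ips=4, min_changes=2) -> str:
    """Thresholds are assumptions for this sample window, not published cut-offs."""
    fast = f["min_ttl"] <= max_ttl and f["ips"] >= min_ips and f["a_changes"] >= min_changes
    if fast and f["nameservers"] > 1:
        return "double-flux"  # the NS records rotate along with the A records
    return "fast-flux" if fast else "stable"


def classify_all(obs: List[Answer]) -> Dict[str, str]:
    groups = defaultdict(list)
    for a in obs:
        groups[a.name].append(a)
    return {name: classify(flux_features(rows)) for name, rows in groups.items()}
```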

The Nugache worm was used to launch distributed denial of service (DDoS) attacks as well as to steal personal information such as credit card numbers from the computers that were infected with Nugache.  It has been estimated that he controlled as many as 15,000 computers on his botnet.

Under the terms of his plea deal, Milmont has agreed to pay approximately $74,000 in damages and faces up to five years in federal prison. 

In my opinion, this story is only significant because of Milmont's contribution to the botnet community with how his Nugache worm used peer-to-peer networking technology and fast flux in order to create a fully redundant, interconnected network to prevent his botnet from easily being shut down.  The size of the Nugache botnet (about 15,000 computers) pales in comparison to some of the botnets that we are seeing today, but the work done by Milmont paved the way for worms like Storm which heavily relied on fast flux to stay alive.

Posted by smasiello at 9:46 AM | Link | 0 comments
19 June 2008

PornTube Malware and Spam Run in High Volumes


Worm Alert!

We are currently seeing high volumes of a new spam run that contains a link to a pornographic web site that contains an ActiveX malware component.  Our Threat Operations Center started seeing these messages at about 6am today and thus far we have received over 8 million of them (accounting for over 85% of our worm traffic over the past 24 hours).  From what we can tell thus far, the malware appears to be related to the Srizbi botnet.

There is no specific lure here as the subject lines to these messages are fairly random, but are trying to generate interest based on fake news stories.  Here are some example subject lines that we have seen so far:

Batman latest movie bombs at box office
Britney found hanged in locker room
Celtics disqualified from NBA title
China Earthquake claims 1 million lives
Dan Brown's latest novel
David Cook American Idol - latest NEW single
Donald Trump missing, feared kidnapped
Egypt Giza pyramids rocked by massive earthquake
Eiffel Tower damaged by massive earthquake
Eiffel Tower suffers structural damage, collapse possible
Find out about Harry Potter's last novel
Ford unveils latest 2 door design hatch
Get Smart -- movie premiere
Get star wars photos
Get the latest discount plan from Ford Cars
Great Wall of China damaged by earthquake
Hiliary admits past failures
Hillary Clinton reveals husband's scandal secrets
Italy knocked out of Euro 2008
Las Vegas Hotel caught in fire
Lastest! Obama quits presidential race
London rocked by gas attack, army on high alert
Love Guru sneak previews here
Man wakes up from 40 year coma
Nokia unveils revolutionary new phone design
Obama suffers setback in polls due to sex secrets
Obama withdraws from elections
Oprah found sleeping the streets
Osama Bin Laden caught finally
Paris Hilton found to be gay
Saddam Hussein found dead
Star Trek star dies at age 79
Statue of Liberty struck by lightning, catches fire
Stonehenge damaged by massive earthquake
Top 10 movies of all time
Top comedy downloads
Top film from the Cannes
Turner Empire poised for bankruptcy file
Usher and Rihanna making out
Watch movie premieres now
White House hit by lightning, catches fire
Windows Vista URGENT upgrade installation



The messages themselves are one-liners followed by a link to a YouTube look-alike site called PornTube where the user is prompted to install a malicious ActiveX control.  Most of the links that we have seen thus far point to a file named r.html at the end of the URL, such as (obfuscated since most are still hosting active malware at the time of this posting):

hxxp://envol-restaurant.com/r.html

hxxp://spizarnia.nazwa.pl/r.html

hxxp://wandea1.wandea.org.pl/r.html


Upon visiting these sites you will see the PornTube site in the background and you get the following popup window:


If you click OK, the ActiveX control is installed and your PC is infected; however, clicking the Cancel button displays this popup:



At this point you can get yourself into an endless loop of clicking the OK button on this window and the Cancel button on the previous window.  The only way out of this (in Windows) is to kill your browser window via the Task Manager (or infect yourself, but let's assume that you don't really want to do that :) ).

Keep on the lookout for these as they are currently being distributed in fairly high volumes. 


*** UPDATE 6/20/2008 12:00pm MDT *** After volumes peaking at about one million instances of this worm being seen per hour, as of early this morning it has dropped off to only about 5 thousand per hour.  Looks like this one hit quick and is now tailing off.

 
Posted by smasiello at 6:01 PM | Link | 7 comments
05 June 2008

Where Has All of the Google Spam Gone?


Since February we have made several mentions of Google Spam and its migration from benign redirects to Canadian Pharmacy sites to malware distribution via fake Osama bin Laden videos.  We also saw a Storm Worm campaign which alleged to be a video codec that used this same technique. 

Since February Google spam had accounted for anywhere between 1-5% of total spam volume, but over the past couple of weeks has all but completely disappeared.

Where did it go?

It seems to have migrated over to Microsoft's Live SkyDrive service.  If you are not familiar with SkyDrive, it is a document hosting service being launched by Microsoft, similar to Google Docs.

Here is the basic premise on how this tactic works:

-- Email is received with a link to a document hosted on the SkyDrive service with some sort of social engineering lure as bait.  The format of the URL is http://hostname.bay.livefilestore.com/..$very_long_hash_value…/$filename.html (where the hash is some calculated value and $filename.html is the name of the hosted file)

-- User clicks the link to file hosted on SkyDrive, which in this case is an HTML file that contains a JavaScript redirect to a pharmacy website

-- Redirected web site is displayed in the user's browser and any background code is executed, which could include the drive-by injection of malware just as we saw with Google Spam.

The HTML file being hosted on SkyDrive is a simple, one line script:

<html><script language=JavaScript>window.location.replace("hxxp://songkhlong.com")</script></html>
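An added example of a mail-gateway check for this tactic, written for this page rather than taken from the post: it flags links to hosted files on the two services named in this post and, given a fetched page, finds the one-line JavaScript (or meta refresh) redirect and reports whether it leaves the hosting domain. The regexes are assumed heuristics, and SAMPLE_URL carries a placeholder where the long hash value would be.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# File-hosting services the post describes as being abused to park redirect pages.
HOSTING_DOMAINS = ("livefilestore.com", "docs.google.com")

# Assumed heuristics for client-side redirects: JavaScript location changes
# (replace/assign/assignment) and <meta http-equiv="refresh">.
_JS_REDIRECT = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*(?:\.(?:replace|assign)\s*\(|=)\s*["']([^"']+)["']""",
    re.IGNORECASE)
_META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)""", re.IGNORECASE)


def is_hosted_file_link(url: str) -> bool:
    """True for a link to a user-uploaded file on one of the hosting services."""
    p = urlparse(url)
    host = p.hostname or ""
    on_service = any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS)
    return on_service and p.path not in ("", "/")  # the bare service front page is not a lure


def redirect_target(html: str) -> Optional[str]:
    """Return the URL a page sends the browser to on load, or None."""
    m = _JS_REDIRECT.search(html) or _META_REFRESH.search(html)
    return m.group(1) if m else None


def classify_hosted_page(page_url: str, html: str) -> str:
    """'redirect-offsite' when the hosted file only bounces the browser elsewhere."""
    target = redirect_target(html)
    if target is None:
        return "no-redirect"
    host = urlparse(page_url).hostname or ""
    dest = urlparse(target).hostname or ""
    return "redirect-offsite" if dest and dest != host else "redirect-same-site"


# The one-line page from the post, with the scheme de-obfuscated (hxxp -> http).
SAMPLE_PAGE = '<html><script language=JavaScript>window.location.replace("http://songkhlong.com")</script></html>'
# Constructed in the URL shape the post gives; PLACEHOLDER_HASH stands in for the hash value.
SAMPLE_URL = "http://hostname.bay.livefilestore.com/PLACEHOLDER_HASH/statement.html"
```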

Currently, SkyDrive Spam is accounting for a little over 1% of the total spam that we are seeing in our Threat Operations Center which means that it is currently as prevalent as both phishing and gambling spam.  I don't believe that we have seen the last of Google spam, but focus definitely appears to have moved toward Microsoft for the time being.

As a side note, McAfee originally reported seeing large influxes of SkyDrive Spam back in January, so SkyDrive spam isn't a new tactic; however, it has dramatically increased in prevalence since the drop-off of Google Spam about 2 weeks ago.

*** UPDATE 6/5/2008 4:50pm MDT *** - It appears that Google Docs is also being targeted by this tactic.  I just came across the below message (note the link at the bottom) from one of our spamtraps which hit our system yesterday (the hosted doc appears to have been taken offline by the time of this update):

Hi fellow

Is the Rising Cost of Prescrlption Drugsare cause of concern?

The rising cost of Prescrlption drugs may be costing you your health.
In particular, living on a fixedincome.

You can cut your Medicalbilling.

Simple Way to Cut Your Prescrlption Costs optfor Generic.

Genericpharmacy: A Cheaper Effective Alternative

Forget about huge spendings You can save upto 8O%

Hugesaving because the solutions is directly from manufacturer.

hxxp://docs.google.com/View?docid=3Dddsz3hdh_0wwwmrbm3

Posted by smasiello at 11:15 AM | Link | 1 comment
16 May 2008

Rootkit Written Targeting Cisco Routers


According to this article posted on CSO Online, a security researcher named Sebastian Muniz has created a rootkit that will work on "several different versions of IOS." 

One of the concepts that I have been throwing out there since we originally started talking about drive-by pharming (aka DNS rebinding attacks) is the potential for similar vulnerabilities to be exploited in an effort to move malware infections out closer to the network edge and create a "router bot," whereby a compromised router could be used for the distribution of spam, viruses, and malware, much as PCs are used today.  This would be even more difficult to detect than a PC-based malware infection, as I do not believe that any network-device-based rootkit/malware detection engines even exist right now (please do correct me if I am wrong here), although this may certainly create a market for them.  Would you be able to easily detect if your router was being used to distribute spam if it wasn't affecting your web browsing or normal internet usage?  Not likely.

One of the things that concerned me from the article was the quote from EuSecWest conference organizer Dragos Ruiu where he said that "nobody thought you could actually build exploits for Cisco."  This is a dangerous attitude to have for any software application.  I like to say "Where there is software, there are vulnerabilities."  This is often followed by "Where there are vulnerabilities, there are exploits" although far more vulnerabilities exist than there are exploits written for them. 

One should never assume that software is hacker-proof.  It very well may be (however unlikely), but even making the assumption or suggestion is when you've conceded that your guard has been let down.  Always remain diligent in your pursuit of security!

Ok, I'll step off my soapbox now.  Have a great weekend!

Posted by smasiello at 1:42 PM | Link | 1 comment
27 February 2008

2008 Off to a Fast Start

Rootkits, and Spam, and Pharming! Oh My!
Nice to be back!

Between our webmaster working on a new blogging tool for me to use and the first of three Messaging Anti Abuse Working Group (MAAWG) meetings for the year in San Francisco last week (I am now Chairing the Botnet/Zombie Subcommittee), I've not had nearly the time that I normally have for blogging over the past couple of weeks.  I've been queuing up topics in the meantime though so we should be back on our regular posting cadence now. 

In comparison to most previous years, 2008 is off to a pretty fast start as it relates to spam and malware.  Save for last year when the Storm Worm started January off with a bang, the months of January to April are typically a bit slow from the perspective of new worms, malware, and spam volume. The primary reason for this "slow season" is that a good number of your malware writers are of high school/college age.  Those folks are in school or otherwise occupied during the early months of the year.  Come May or thereabouts, schools start letting out for the summer, kids find themselves with more idle time, and the flood of malware and spam begins.  Infections rise, spam levels rise, and things quickly start hopping around our TOC.

2008 has somewhat bucked the trend in that regard as we have seen a number of developments just in the first two months of the year alone: MBR Rootkits, Drive-By Pharming, and continually high spam volumes which normally drop off by as much as 30% after the first of the year.  In fact, the spam volumes that we have been observing this week are UP about 20% from any other week so far this year!

We've also seen social engineering tactics like Fake Microsoft updates with links to malware and IRS phishing scams claiming that you are due a refund from the IRS that will be gladly credited to your credit card if you provide them with your card number (not new tactics, but worth noting nonetheless) as well as Google spam (email with links to Google search results which forward you to sites that have abused Google's PageRank system).

Google spam is currently accounting for around 100,000 messages per hour that we are seeing in our Threat Operations Center.  Although this doesn't represent a significant percentage of volume, it is the most prevalent spam tactic that we are currently observing.   Compare that to IRS phishing which we are currently seeing at a rate of less than 100 per hour.

If the first two months of 2008 are any indication of what the rest of the year will be like, perhaps it is appropriate that it is the year of the rat according to the Chinese calendar :)

Posted by smasiello at 10:50 AM | Link | 1 comment