REMINDER: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog. Please continue to follow me there.
In the latest social engineering tactic targeting people who like to play games online, a new spam campaign has emerged attempting to lure users into downloading a Monopoly game, which is more like a game of Russian Roulette. The email arrives as a seemingly innocuous invite from a random user (usually your first clue that this is something to avoid!) using an inviting subject line like "Play Online Together" or "Tom has invited you to play Monopoly":
If the recipient follows the link to the monopoly2009.com web site, they are greeted with a fairly well-done web page advertising the Monopoly "game" and, after a brief history of the game and some fun facts, encouraging the user to download it via several links dispersed throughout the page.
No code is injected on the user's computer just by visiting the web page. They need to download and install the monopoly.exe executable file that the site tries to deliver. The executable file is just the first stage of the process, however. A fairly common tactic now deployed by hackers is that the code installed by the web site download is only the beginning. At this point the trojan is activated on your computer, and it then goes out to another computer behind the scenes and downloads the second stage of the malware, the piece that turns your machine into a spam-sending zombie touting Canadian Pharmacy products.
As the icing on the cake, the folks who created the page also included a hit counter at the bottom to lead you to believe that there are people playing the game online right now. Don't be fooled. This is merely a counter of how many people have visited the page thus far.
ALERT: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog. Please continue to follow me there.
Now onto today's blog post :)
Another celebrity death. Another recycled scareware tactic attempting to lure users to download malware by telling them that their PC is infected with a virus. We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year. Now the attention of cyber criminals has turned to Monday's death of Patrick Swayze as the soup du jour for malware distribution.
Queries for information on the death of the popular actor may lead to news stories that look legitimate when returned in search results, but when followed will lead users to a site that looks like this:
This tactic of presenting a window to the user that looks very much like a legitimate Windows popup has been used many times before in various forms. The Windows Explorer-like screen presented to the user also uses geolocation to identify the country and city the user is coming from, in an attempt to make the user believe that their data is actively under attack. Popups with phrases like "Scan procedures finished. 34 Potential aggressive items was found!" and "Your computer remains infected by threats! They might lead to data loss and file structure damage, and needed to be heal as soon as possible. Return to Total Security and download it secure to your PC" also attempt to trick users into believing that the only way to protect themselves from infection is to download bogus security software.
Clearly, scareware tactics are something cyber criminals have latched onto as a popular method of malware distribution, as it continues to be a recurring and evolving theme. Conficker/Downadup largely popularized scareware with its success (although it wasn't the first to use it), and now others are riding on that popularity and repurposing it for their own scams.
Earlier this morning our Threat Operations Center noticed a new spam campaign originating from the Cutwail botnet that is sending out emails spoofing the IRS. We are currently observing traffic averaging about 90,000 messages per hour using this tactic.
The email that users are receiving, which appears to come from no-reply@irs.gov, is attempting to get them to believe that they misreported their income on their taxes and that the IRS is giving them an opportunity to fix it.
The email provides a link for the user to view their recent tax statement online. This link does not directly infect the user's machine, but instead directs them to a website from which the malicious code is delivered.
If the user clicks on any of the links on this page, they are directed to download an application called tax_statement.exe. As of the time of this posting, AV detection for this new variant is low.
Please remember that the IRS does not know your email address and will not conduct official business with you over email. Any email purporting to do so is a scam and should be deleted immediately.
In my copious amounts of spare time, one of the things I like to put thought into is where I believe the Threat Landscape is headed. Even in just the last 10 years since the Melissa virus (yes, I know viruses extend quite a bit further back than that; I'm just using this as a reference point), we've gone from mass-mailing viruses, to network worms that run through your network compromising every vulnerable host as quickly as they can, to social engineering tricks that sometimes make it difficult even for the trained professional to tell whether something is real or fake.
So, the question I pose to myself is "What's Next?" Taking even just the events of the last decade into account, where are we headed for the next few years? Some of this is obviously hard to determine because it also involves forecasting what new technologies will be released, but we can start to make some assumptions based on what is available today.
Since this is a blog post, I'll try to keep this relatively brief. Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here's a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today. I like them and I've had the opportunity to write for them twice now) at some point soon.
Some things to think about:
-- The Insider Threat
Especially given the current economic conditions and the uneasiness around many offices across the country as to whether their companies will remain viable, organizations need to be ever cognizant of the data leaving their organization. Given that the USB 3.0 spec released in November 2008 allows for data transfer speeds of about 5Gb per second, sensitive, proprietary corporate data can be pulled off a company's network and onto a thumb drive faster than ever before. Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or are upset at benefit and wage freezes/cutbacks, and you have a dangerous cocktail for data theft. We need to make sure we put as much focus on protecting our sensitive assets from insiders, who have much easier access to proprietary data, as we do on keeping external threats at bay.
-- VoIP
Voice over Internet Telephony technologies are being adopted at an ever increasing rate, not only in the enterprise space but in the consumer market. Services like Vonage make it easier than ever for people to have portable phone numbers so that they can be easily reached at local numbers by family members out of state. VoIP implementations at organizations are also becoming ever more popular. As these technologies become more widely adopted, we have started to see hints of what abuse of these tools might look like. Throwaway phone numbers used to make spam phone calls have become more common. There are services available online which allow you to purchase throwaway numbers in blocks, and spammers can use and abuse these numbers just as they do IP addresses now.
Another thing to watch out for is the compromise of VoIP systems as vulnerabilities start coming out in larger quantities. Threats like direct voicemail injection will become another method that cyber criminals will use in order to get advertisements delivered to end users. As the social engineering used in these threats improves, they could easily be used to steal personal identities and corporate data.
-- Mobile Malware
Let's face it. The phones that we carry in our pockets are little personal computers. Although they lack the computing power of the quad-core processors now becoming commonplace on personal computers, they are another "always connected" device that people always have turned on. I think the only time I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer's headphones :) ). As mobile phone manufacturers open up their APIs to developers to create third party applications, they will need to be ever diligent in their QA processes to make sure that applications containing some form of malware, or opening a trojan backdoor to the device, don't get posted to their distribution channels. The mobile phone industry is growing by leaps and bounds with the addition of new, better, more feature-rich smartphones entering the market. The smartphone market is too large a target for cyber criminals to ignore, especially if you consider the value of the data we are now storing on these devices. Secure sandboxing of third party applications is a must, but that is only a start. Only hundreds of mobile malware variants exist today (compared to the approximately 1 every 4 seconds that is released for PCs), but that number is slowly growing, and as hackers pay more attention to how they can penetrate mobile devices, that number is sure to increase.
-- Social Networking
Social networks represent an interesting shift in the information sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window. This has really opened the door for cyber criminals. With the data now available online through social media sites like Facebook, Myspace, and Twitter, criminals can much more easily target attacks to specific individuals or groups of individuals, using data made available via public profiles or geolocation tools that map your IP address to the town you live in (or near), so that they can deliver compelling content that directs you to malware-infected downloads (à la the Waledac botnet). The web of trust that exists between users on social networking sites is being actively and regularly exploited by hackers looking to take advantage of the fact that users will click on whatever their friends send them. It's already been proven that people will click on links and open attachments from people they don't know, so why would they scrutinize more closely the content from those they do?
-- Political Hacktivism
Recently cyber criminals have picked up the pace a bit with respect to using online resources like social networking sites to quickly spread political messages in order to help them spread propaganda and recruit people to fight for their cause. Due to the sensitive nature of political issues and the passion that people have for them, social engineering techniques like creating highly controversial views on sensitive topics is something that cyber criminals will latch onto in order to get people to react quickly and irresponsibly to either open attachments or visit websites that they would normally scrutinize more closely.
These are only a small sampling of what I believe we will be encountering as we move forward (I didn't even go into the increasing prevalence of compromised legitimate web sites, the further use of file sharing services, and calendar spam!), but they are things we will need to keep top of mind as we look toward what threats are coming down the road. Hackers will go where the money is, and the money is where the people are. So, whether it is Twitter, MySpace, Facebook, email, instant messenger, or our phones, criminals will leverage whatever technology is available, because in their eyes the goal is to make money regardless of the technology, and whoever figures out how to exploit a technology for their own financial gain before the others will end up getting the lion's share of the notoriety as well as beating defense mechanisms to the punch.
Proof of concept code has been made available online to take advantage of a newly reported IIS vulnerability that exists in both IIS 5 and IIS 6 and allows an attacker to gain System-level access on the web server.
The vulnerability exists in the IIS FTP server and requires a directory with write access, which means that the FTP server must be turned on and a user (anonymous users included) must be able to write to a directory in order to exploit the hole.
The suggested workaround until a patch can be released is to turn off write access to the FTP server.
Most IIS installations are not vulnerable to this exploit due to the configuration required to take advantage of it; however, it will affect enough of them that it is cause for concern. Take the necessary precautions and review your IIS web server configuration. With proof of concept code available online, it will only be a short matter of time before malicious exploits are making their rounds.
*** UPDATE 9/1/2009 9:00pm MDT *** Microsoft has acknowledged the IIS FTP 0-day via the bulletin posted here. Microsoft is still determining whether or not it will release an out of band patch and does not currently believe that there are any malicious exploits in the wild taking advantage of the vulnerability.
Do we really know? Recent research would say that we don't.
In late April two conflicting articles were published: one, posted at IT Brief and apparently supported by AVG, states that 250,000 malicious web sites are created every day, and another, published by Security Pro News, says MessageLabs claims 3,500 new malicious sites daily.
So, which is it? The truth in my opinion is that we don't really know. Also, what neither of these articles discuss is the increase in compromise of legitimate sites due to trojans like Gumblar. The number of compromised legitimate sites is also harder to quantify because it is likely there are a lot more of them out there than are currently known.
One thing does appear certain: we have reached the tipping point where the web, ahead of email, is the primary threat vector for the distribution of malware.
Last month we discussed the abuse of Twitter's Trending Topics system to increase the ranking of interesting topics so that links can be distributed via Tweets that lead users to phishing and malware sites. This tactic was a follow up to previous abuses of Google's PageRank system which accomplished the same purpose.
The commonality with those two scenarios is that the cyber criminals had to do work to increase the ranking or interest of a particular topic in order to lure users to infected web sites.
We are starting to see a new wrinkle where hackers are using already popular Google Trending Topics (search criteria that users are interested in and looking for through Google) to determine what users already want to see. They are now tailoring their social engineering tactics to create new spam and websites that exploit users' curiosity. No work is required on a hacker's part to organically generate interest; that interest is already being generated by high profile news stories, which have already been shown to be very effective through the many iterations of Storm and Waledac over the past couple of years.
An example is being reported by Dan Kaplan at SC Magazine, where he said (via Sophos) that cyber criminals have created fake websites claiming to show nude videos of Erin Andrews, a popular ESPN reporter who was recently videotaped through a peephole camera. These fake websites are being used to inject malware onto curious users' computers. They could also very easily be used in phishing campaigns to steal users' personal information.
Search criteria for these Erin Andrews videos through Google currently accounts for two out of the top three search trends at the writing of this post.
Roger Thompson, Chief Research Officer at AVG Technologies, said in an article posted on Network World that the latest vulnerability in Microsoft's Video Controller ActiveX library could be the next Conficker.
I very much disagree with that sentiment.
Conficker was similar to the Slammer worm from back in 2003, where there was no overt action required on the part of any individual person to get infected. You could get infected simply by being out of date on security patches. The current DirectShow exploit requires a user to visit a malicious web site (links to sites hosting the exploit code are currently being sent out in spam emails) to get infected. Also, the user must be an admin on their computer to get infected by the DirectShow exploit. Most people do run in this mode, however, so that won't be much of a hurdle to clear, but the requirement that a user must visit a web site hosting malicious code is a tactic that users are becoming more accustomed to avoiding.
There are some similarities here that are worth pointing out, however.
For starters, there are claims that Microsoft knew about this vulnerability well in advance of exploit code being released for it, but neglected to patch it. This makes sense considering Windows Vista and Internet Explorer 8 are not vulnerable to this exploit, but Windows XP and Internet Explorer 6 and 7 are. This does beg the question, though, as to why Windows Vista is not vulnerable, since it has been out for well longer than the exploit has supposedly been known by Microsoft. This is similar to the Conficker situation because the MS08-067 vulnerability that allowed that worm to appear was also being exploited for about a month prior to Microsoft releasing an out of band patch for it. Unfortunately, at that point the damage had already been done, and regardless, most of the machines that were infected with Conficker are running versions of Windows XP that had never installed a single Microsoft security update (see research at http://mtc.sri.com/Conficker).
Anyway, I digress from my point. Although I do believe that the DirectShow exploit is significant and that the out of band patch that Microsoft released to address it is absolutely the right thing for them to have done (as opposed to waiting for their typical Patch Tuesday release next week), I believe it is blowing the situation out of proportion to say that this will be the next Conficker.
As predicted in this month's MX Logic Threat Forecast and Report, cyber criminals have decided to take advantage of the July 4th holiday to send out spam that links to a malware infected web site.
All of the messages that our Threat Operations Center has observed thus far have July 4th themed subject lines and brief message bodies consisting of only a few words followed by a link, a tactic used many times by the Storm/Waledac folks previously.
Some of the subject lines that we have seen thus far include:
Amazing firework 2009
Amazing Independence Day salute
Amazing Independence Day show
America for You and Me
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrate the spirit of America
Celebrate with Pride
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
Fourth of July Fireworks Shows
God Bless America
Happy Birthday America!
Happy Birthday USA!
Happy Birthday, America!
Happy Fourth of July
Happy Independence Day
Home of the Brave
Independence Day firework broke all records
Let the fireworks begin!
Let's celebrate Independence Day
Light up the sky
Long Live America
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Stripes Forever
Super 4th!
The best firework you've ever seen
The best of 4th of July Salute
This Land Is Your Land
Time for Fireworks
Well done 4th!
Traffic so far has been pretty modest, only at about 2,500-3,000 per hour, and is likely being mitigated by the fact that many companies have given their employees July 3rd off this year, since this year's United States Independence Day holiday falls on a Saturday.
Below is a screen shot of a sample message that someone may receive in conjunction with this campaign:
The site that users who click the link in the email are lured to claims to be a video of a fireworks show, but is actually a download of an executable file (video.exe) that, when run, will infect the user's PC. So far all of the links that our Threat Operations Center has observed have been subdomains of the "moviesfireworks.com" domain; however, our team is on the lookout for more, and this post will be updated as necessary.
Below is a screen shot of the fake video web site.
Here's to everyone having a safe, happy, and malware free July 4th holiday :)
The folks over at Cisco posted a very interesting blog writeup about the Storm/Waledac botnets and how their marriage to Conficker was consummated in order to start monetizing the enormous computing power of the Conficker botnet.
What I found most interesting was the part about how Conficker would hook itself between Wireshark and the network driver (likely within the WinPcap library) to hide all of the network interfaces from Wireshark, essentially rendering the packet sniffing tool useless.
Looking ahead, this makes me wonder what else malware could do to alter the behavior and functionality of other tools that security researchers use to analyze malware. We've already seen Conficker introduce signed, encrypted updates to keep researchers from analyzing updates and penetrating its network. This development of malware physically altering how analysis tools work could be a significant game changer in the cat and mouse game of being able to reverse engineer malicious code. This is definitely something that warrants continued monitoring to see if this tactic continues to be employed by cyber criminals, or improved upon.
In the vein of beating a dead horse, our Threat Operations Center has found another fake Microsoft Outlook/Outlook Express scam with a link to malware making the rounds. This new variant shows a bit more effort in attempting to make the email appear as if it is actually from Microsoft.
This new tactic is similar to the two previous instances that we have seen over the course of the last 3 weeks, where emails were being sent out that claimed to link to updates for Microsoft Outlook and Outlook Express. The previous emails were text based, however, and outside of using the names of Microsoft products as a lure, didn't contain any convincing social engineering to persuade the recipient that the message was authentic. This new tactic goes one step further to create an HTML based message that looks similar to the formatting one would see when viewing a Microsoft Tech Bulletin.
A screen shot of the received message is below:
As you can see, this isn't the full message, but the pertinent parts are included. There are several links at the bottom of the message labeled "Contact Us", "Privacy Statement", and a couple of others which link off to the Microsoft site in an effort to make the email appear more authentic.
The creators of this new variant also put a little extra care into how they crafted the URL used in the email. As you can see from the example above, the display URL appears as if it is going off to update.microsoft.com, which isn't uncommon. In the background these links typically go either directly to an IP address or to a domain that is clearly not associated with the company being spoofed. The tactic being used here is the latter of the two, but you have to pay close attention, because if you just quickly glance at the URL, you'll miss something important.
For example, here is one of the URLs that our TOC observed:
You'll notice that the link is really going to "hfhilf.com", clearly a domain not associated with Microsoft, but prepended to the domain is "update.microsoft.com" followed by a query path that looks very much like it could be a legitimate Microsoft Office update path.
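The lesson in the URL above is that the part of a hostname that matters is its right-hand end, not whether a trusted name appears somewhere inside it. Below is an added example (not code from the MX Logic post or from any mail filter it describes) of how a mail gateway or awareness tool can classify a link by the host a browser would actually connect to, and why the "does microsoft.com appear in the URL?" glance fails. The sample URLs are constructed in the shape the post describes; the paths and query strings are made up, and the real URL the TOC observed is not reproduced here.

```python
from urllib.parse import urlsplit

# Domains the spoofed sender legitimately controls (assumption for this example).
ALLOWED_DOMAINS = ("microsoft.com",)

# Constructed sample links: the first mimics the structure the post describes
# (a trusted name prepended to the real domain hfhilf.com); none is a real URL.
SAMPLE_URLS = [
    "http://update.microsoft.com.hfhilf.com/office/update.aspx?id=2007&lang=en",
    "https://update.microsoft.com/windowsupdate/v6/default.aspx",
    "http://hfhilf.com/office/update.aspx",
]


def host_of(url: str) -> str:
    """Return the lowercase host a browser would connect to (port and path dropped)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_matches(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it.

    The leading dot enforces a label boundary, so 'notmicrosoft.com' and
    'microsoft.com.hfhilf.com' both fail while 'update.microsoft.com' passes.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, allowed=ALLOWED_DOMAINS) -> str:
    """Classify a link as 'legitimate', 'lookalike' or 'unrelated'."""
    host = host_of(url)
    if any(host_matches(host, d) for d in allowed):
        return "legitimate"
    # A trusted name buried inside a hostname that is not under the trusted
    # domain is exactly the trick the post describes.
    if any(d in host for d in allowed):
        return "lookalike"
    return "unrelated"


def naive_check(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """The substring test a quick glance performs; kept only to show why it fails."""
    return any(d in url for d in allowed)


def check_samples() -> dict:
    """Map each constructed sample URL to (naive verdict, host-based verdict)."""
    return {u: (naive_check(u), classify_link(u)) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (naive, verdict) in check_samples().items():
        print(f"{verdict:10s} naive_says_ok={naive!s:5s} host={host_of(url)}  {url}")
```

Running the block shows the lookalike link passing the naive substring test while the host-based check flags it; the same `host_matches` logic is what an allow-list of link domains in a mail filter should be built on.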
As usual, there are a couple of grammatical errors that are your basic tipoff that this message is not from Microsoft. Couple that with the fact that Microsoft does not generally blast out update notifications in this manner and you have two tell-tale signs that this email is the work of cyber criminals, not an official update notification.
My apologies for being a bit light on posting this week. I have been in Amsterdam for the 16th MAAWG Conference. It's been a great conference with some outstanding presentations, but I am looking forward to being home tomorrow!
It looks like the Outlook Reconfiguration Malware from last week has returned for another round, this time claiming that other user mail clients are in need of reconfiguration.
This one is fairly interesting because it seems to be rather confused as to which mail client is supposed to be reconfigured. Many of the samples that I have reviewed use different mail client names between the message subject and the body. A couple of examples:
Message Subject: Microsoft Outlook Setup Notification
Message Body:
Notice that between the message subject and the first and second sentences of the body, the message might tell you that you are receiving a setup notification for TheBat (a legitimate mail client frequently spoofed in spam), then tell you that you have X messages from Microsoft Outlook, and then tell you that you need to reconfigure TheBat again. I am not sure if this is intentional (it is sloppy work on the part of the spammer if it is) or if it is just a piece of broken spamware.
These messages carry an attachment named client_update.zip with an MD5 checksum of a50838afddd97a744804bdb6b153b101.
VirusTotal reports (as of the time of this writing) that only about 60% of the antivirus engines are detecting this malware, which is better than we typically see in the early stages of a new attack. This supports the theory that this new malware is close enough to the one seen last week that the old signatures might still be catching it.
Either way, be on the lookout for this respin of last week's news.
The MX Logic Threat Operations Center has observed a new type of malware in the wild being sent out as an email posing as a reconfiguration notification for Microsoft Outlook.
The message subject is "Outlook Setup Notification" and contains the following text within the message body:
You have (1) message from Microsoft Outlook.
Please re-configure your Microsoft Outlook again.
Download attached setup file and install.
The attached file is named micr__outlook_update_6556.zip and has an MD5 checksum of 7aa706c521dd8a11ef23b35fc5c4d543.
So far we are not seeing any variation in either the attachment name (which could easily be made more random with the digits on the end) or the hash, so the malware is not morphing at this point. That could easily change, as it is trivial for AV vendors and spam filters to block this particular threat.
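Both the "client_update.zip" notice above and this original "Outlook Setup Notification" post give the two indicators a mail filter needs: the attachment name and the MD5 of the attachment. The following is an added example (not MX Logic's filtering code) of a small attachment scanner that applies exactly those indicators to an RFC 822 message: it hashes each attachment and compares name and hash against the values published in the two posts, and flags the subject line as a weaker, non-blocking signal. The message it builds for itself is constructed; the zip bytes are dummy data and will not reproduce the published hashes, so on this sample only the filename and subject indicators fire.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators copied from the two posts (attachment MD5 -> attachment name).
KNOWN_BAD_MD5 = {
    "7aa706c521dd8a11ef23b35fc5c4d543": "micr__outlook_update_6556.zip",
    "a50838afddd97a744804bdb6b153b101": "client_update.zip",
}
KNOWN_BAD_NAMES = set(KNOWN_BAD_MD5.values())
# Subject text from the post; treated as a flag, not a block, since it is easy to change.
SUBJECT_MARKERS = ("Outlook Setup Notification",)


def scan_message(raw_bytes: bytes) -> list:
    """Return a list of (indicator_type, value) hits for one raw email."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    subject = msg.get("Subject", "")
    if any(marker.lower() in subject.lower() for marker in SUBJECT_MARKERS):
        hits.append(("subject", subject))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""  # decoded attachment bytes
        digest = hashlib.md5(payload).hexdigest()
        if digest in KNOWN_BAD_MD5:
            hits.append(("md5", digest))
        if name in KNOWN_BAD_NAMES:
            hits.append(("filename", name))
    return hits


def should_block(raw_bytes: bytes) -> bool:
    """Block on an attachment indicator (hash or name); a subject match alone only flags."""
    return any(kind in ("md5", "filename") for kind, _ in scan_message(raw_bytes))


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message in the shape the post describes (dummy attachment bytes)."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Outlook <no-reply@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(
        "You have (1) message from Microsoft Outlook.\n"
        "Please re-configure your Microsoft Outlook again.\n"
        "Download attached setup file and install.\n"
    )
    msg.add_attachment(payload, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Outlook Setup Notification", "micr__outlook_update_6556.zip", b"PK\x03\x04dummy")
    for kind, value in scan_message(sample):
        print(f"hit: {kind} = {value}")
    print("block:", should_block(sample))
```

The hash lookup is the precise indicator and the filename is the cheap one; the post's own remark that the trailing digits could easily be randomized is the reason the filename match is kept separate from the hash match rather than folded into it.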
The graph below shows hourly volumes of this new threat since about 11:30am MST on 6/2, when we originally started to observe it hitting our systems.
It looks like Western Union is the target of yet another spoofing campaign by spammers. We've seen these come and go on a fairly constant basis over the past few months where several different brands have been targeted (we've also blogged about them before), but since this one appears to be coming out in pretty high volumes, I thought it was worth mentioning.
The message itself appears to come from the Western Union Support Team (see sample below) and follows the same basic tactic that many of the UPS, DHL, FedEx, and previous Western Union scams employed, whereby it tries to trick the recipient into believing that a package or transfer they had attempted to send was not delivered, and to print out and bring the attached invoice (read: malware) to their local branch. Note the lack of specificity as to where to actually go, which has been a common thread in previous scams as well.
Our Threat Operations Center is currently monitoring approximately 100,000 of these new Western Union emails per hour. Below is a graph showing the timeline and prevalence of the most recent Western Union scams starting from the 11th of May. The spike on the far right is this most recent variant.
As usual, if there is a question about a transaction you made with a vendor, use the tracking number they provided you and visit their web site or call them directly to look up and verify your transaction. Do not fall victim to these scams.
Just as a general Public Service Announcement, if you are interested in Cross Site Scripting exploit news, and if you are not following @xssexploits on Twitter, do so (and of course follow @smasiello too :) ).
The reason I mention that is, in addition to wanting to stay up to date on some of the latest XSS announcements, @xssexploits is also one of the first places I was informed about the recently made public XSS vulnerabilities found on several McAfee web sites.
So, why are these exploits of consequence?
One of the sites mentioned as being vulnerable to cross site scripting is McAfee's Rebate and Promotion Center web site. One of the fields that a user must populate when filling out the form to obtain a rebate is the date they purchased one of McAfee's qualifying products, in mmyydddd format. By using a technique known as HTML code injection, a user could be redirected to another (potentially malicious) McAfee look-alike web site used for phishing unsuspecting users' sensitive information, or to a malware distribution site that looks like an official McAfee web site.
Many security vulnerabilities are introduced by software not doing proper input checking. Following a "whitelist model," where the input checking code specifies the valid types of input that are allowed (generally a small list) rather than trying to enumerate all of the input that is not allowed (a much larger list), is common practice. In this case, it doesn't appear as if the form was doing any kind of input checking. Allowing HTML characters such as quotation marks, less than, and greater than symbols in a field that is clearly expecting only numerical input is only asking for trouble.
I am not trying to pick on McAfee here, but they are a prime example of the reality that this can happen to anyone: if it can happen to a company whose business is security, and which you would expect to have a pretty keen eye towards security vulnerabilities within its own web site, it can happen to you. Back in January, CWE and SANS posted their list of the top 25 programming errors that occur most frequently within applications, and Improper Input Validation is at the top of that list. It tops the list because it is the most common flaw and because it is the easiest to exploit. Improper input checking can be exploited with even the simplest of test cases, which means that even the lowest level hacker who knows only the bare minimum about XSS and code injection could take advantage of this flaw.
Protect your brand. Protect your web site. Protect your users. Follow secure coding practices and incorporate a security mindset into the products and applications that you build. You don't have to be a security company to think securely.
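As an added illustration of the whitelist model the post recommends (this is example code, not McAfee's form handler), here is what input checking for the purchase-date field could look like: the field is accepted only if it is exactly eight ASCII digits that form a real calendar date, and whatever is echoed back into the page is HTML-escaped regardless, so the quotation marks and angle brackets the post mentions never reach the markup as markup. The post gives the field format as mmyydddd; this example assumes the eight digits are ordered month, day, year, and that assumption is marked in the code.

```python
import html
import re
from datetime import datetime

# Whitelist: exactly eight ASCII digits. [0-9] rather than \d so that Unicode
# digit characters are also rejected. fullmatch() anchors both ends.
EIGHT_DIGITS = re.compile(r"[0-9]{8}")


def validate_purchase_date(raw):
    """Return (True, normalized_value) on success or (False, error_message) on failure."""
    value = (raw or "").strip()
    if EIGHT_DIGITS.fullmatch(value) is None:
        return False, "purchase date must be exactly eight digits"
    # Assumption for this example: the eight digits are month, day, year (mmddyyyy).
    try:
        datetime.strptime(value, "%m%d%Y")
    except ValueError:
        return False, "purchase date is not a real calendar date"
    return True, value


def render_field(raw):
    """Build the HTML that re-displays the submitted value.

    Output encoding is the second line of defence: even a value that somehow
    slipped past validation is escaped before it is placed inside an attribute,
    so '"', '<' and '>' cannot close the attribute or start a tag.
    """
    ok, result = validate_purchase_date(raw)
    if ok:
        return f'<input name="purchase_date" value="{html.escape(result, quote=True)}">'
    echoed = html.escape((raw or "").strip(), quote=True)
    return (
        f'<p class="error">{html.escape(result)}</p>'
        f'<input name="purchase_date" value="{echoed}">'
    )


if __name__ == "__main__":
    # Constructed inputs: one valid date, one impossible date, two non-numeric values.
    for submitted in ("06152009", "02302009", "06/15/2009", "<b>06152009</b>"):
        print(repr(submitted), "->", validate_purchase_date(submitted))
        print("   ", render_field(submitted))
```

The two layers are deliberately independent: the allow-list rejects anything that is not a date before the value is used for anything, and the escaping on output protects the page even if a future change loosens the validation.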
I wanted to take a moment to write about a topic that we discussed during the recording of Episode 29 of the Security Buzz podcast earlier today. That topic is based on a post found on DarkReading that discussed Microsoft's decision to release an update to disable the Autorun feature in Windows for USB drives in response to the variant of the Conficker worm which would spread via these devices. The question at hand was whether or not this move is too little, too late given Conficker's already large presence.
My opinion is that not only is the move too little, too late, but it is also a completely irrelevant one. The main reason is that, according to the folks over at mtc.sri.com, who have posted in-depth research on how the Conficker worm operates, most of the machines infected with this worm are still running versions of the Windows XP operating system with Internet Explorer 6 installed. This means that most of the infected machines are not one or two patch levels behind on their updates from Microsoft. They are likely years behind and have never been patched; they may in fact be running the original version of Windows XP released in October 2001 without a single security patch ever applied, meaning that they are vulnerable to every Windows XP vulnerability ever patched.
USB drives, although an important infection avenue to consider (in my opinion they are more of a risk from a data leakage perspective than as a malware distribution point), are still only a small portion of the infection problem. Emails with attachments, malicious web sites and compromised legitimate web sites that distribute malware, and peer-to-peer downloads of pirated software with embedded trojans are all far more prevalent issues with respect to current worm and malware propagation than USB drives.
Unfortunately, this move by Microsoft will do little to solve the Conficker problem or slow its spread. It also will not do much overall to prevent further malware propagation in the future, because the machines that need to be cleaned up are not the ones that follow best practices by keeping up to date on security patches, running up-to-date antivirus, and defending in layers. It's those that don't that are, and will continue to be, the real problem.
Over the coming days, please be on the lookout for any spam campaigns related to the recent outbreak of the Swine Flu. The number of confirmed swine flu cases is rising in the United States (currently at 40 according to this recent article posted on bloomberg.com) and around the world, and the World Health Organization (WHO) is threatening to raise its pandemic alert because of the illness. That combination of circumstances creates exactly the kind of dangerous cocktail that we frequently see spammers and phishers jump all over.
Although we have yet to see any specific fraudulent campaigns related to the Swine Flu in our Threat Operations Center, our team is on high alert looking for anything that may crop up. Due to the nature of today's blended threat landscape, it is possible that we could see phishing campaigns soliciting donations to help victims of Swine Flu, purporting to be from the WHO or other related organizations. We could also see emails that attempt to lure users to news-oriented web sites that play videos, set up as spoofs with the intention of distributing malware.
News grabbing events like the Swine Flu outbreak are exactly the type of social engineering lures that spammers love to latch onto because of the public's interest in learning more about the topic. Be aware. If you would like to learn more about the recent Swine Flu, or any other breaking news story topic, visit the site of your most trusted news organization directly. Clicking on links within emails is an invitation for trouble.
It seems lately that if we aren't talking about Conficker, we are talking about Waledac. To make things even more interesting there have been purported links between the Conficker and Waledac botnets as during the last week the infected machines associated with the former pulled a code update from the latter.
Today's topic is Waledac specific: a new spam campaign with an SMS Spy theme. Ever wanted to spy on your girlfriend's SMS messages to see if she is cheating on you? Curious as to whether or not your significant other is truly in love with you? Waledac wants to "help" you find out.
Starting earlier this morning our Threat Operations Center began detecting a new spam campaign from the Waledac botnet that contains a link to a web site where users can download a 30-day free trial of a piece of software (read: malware) that, when installed on your partner's mobile phone, will allow you to read all of the SMS messages that they receive.
The email received looks like the following:
We have seen a number of subject lines associated with this campaign including:
Are you ready to know the truth
Are you sure in your partner
Can your love life be re-ignited
Does your partner truly love you
Have more fun and pleasure in your intimate life
Keep a spy eye on your girlfriend
Make Sure your girlfriend
Now, It's possible to read other people's SMS
Now, you can read any SMS message
possible to read other people
Read his SMS
Read other people's SMS online
The world's most advanced sms reading program
We will teach you to be the master of making love art
What's your hall of shame
You can read anyone's SMS
Are you interested in reading other people's sms?
Do you trust her?
Do you trust your partner blindly?
Do you want to test your partner
Free program for reading sms
Is your partner cheating on you?
Is your partner faithful?
Is your wife or girlfriend cheating on you?
Read her messages
Read your girlfriend sms online
You can download new program for reading sms
Below is a screen shot of the site that the user is directed to when the email link is clicked:
It is important to note that simply visiting the web site does not infect the user with Waledac. They must download and execute the file (currently named "sms.exe") after clicking the "Download Free Trial" link.
*** UPDATE 1 4/16/2009 11:20am MST *** Funny enough there is an article posted on NetworkWorld today which discusses a potential vulnerability with Apple's iPhone which could result in the execution of shellcode on non-jailbroken versions of the device. Such a vulnerability could result in an exploit that could allow an attacker to see someone's SMS messages according to the article. Maybe the Waledac authors know more than we are giving them credit for :)
Below is an updated volume graph.
As you can see from the above graph volumes were in the 2-4k range per hour until about 2am MST this morning before peaking at about 12,000 during the 6am hour. More updates as they become available.
*** UPDATE 2 4/17/2009 10:40am MST *** After waning for a bit during the mid-morning hours yesterday, volumes started to pick up again at around Noon MST. Current averages are between 12-20k messages per hour and have been maintaining in that range for about the last 24 hours.
Just about anyone and everyone who is active on the internet is either using, has used, or at least has heard of Twitter, the micro-blogging service that grew in usage by 752% in 2008 and is poised to grow even more in 2009.
As we know, where there are users, there are hackers. Any technology that has grown in popularity at the speed Twitter has is certain to become a target for information- and money-stealing cyber criminals. As such, Twitter has been the target of several application exploits over the last few months, including a Samy-like exploit which would force users to follow you, multiple clickjacking exploits, and two worms dubbed Mikeyy and Stalkdaily just this past weekend.
Funny enough, one of the things that is frequently part of the fallout of numerous security exploits is a drop in brand trust and user confidence. So far, that fallout does not appear to have taken place with Twitter. At least based on the reported numbers, Twitter's growth does not seem to have been hampered at all despite the numerous security flaws that have been patched over the past 8 months. Perhaps this is because there hasn't been a serious incident of data theft or widespread malware infection as a result of one of these exploits. Rest assured, those are coming!
So, what can we learn as a result of Twitter's recent security woes?
I believe that one of the most important lessons to be learned from Twitter is the need to ensure security is being built into your product from the concept and design phases, not after the code has been consumed by the public. This is true for online applications like Twitter as well as boxed software that you buy in the stores. Don't let your customers be your test bed to identify security risks because you can bet that criminals will find them and exploit them before your customers do. At that point you have put your customers at risk also. It is far cheaper and less damaging to your corporate brand and reputation if security risks are identified up front, before any code is launched than to try to retrofit security into a live product.
Up to this point the vulnerabilities exposed on Twitter have largely been considered annoyances. I was unable to find any reports of identity or financial theft as a result of a Twitter exploit, and again perhaps that is why they haven't been placed under the same microscope that Microsoft and Google have been. Don't take these proof-of-concept quality threats lightly though as they could easily have been much more nefarious than they were.
Let's take the Mikeyy worm as a primary example. One of the ways that Mikeyy would spread is by sending Tweets out under the accounts of infected users, trying to lure their followers to visit the profile of another Twitter user that exploited a site flaw. Once that page was visited, the user's account was hijacked and Tweets would be sent out as them to their followers trying to trick them into clicking also. Rinse and repeat. In this instance the worm was merely spreading out across Twitter to anyone who was fooled into clicking the link presented in the Tweet. What if this link was forwarding unsuspecting users out to a drive-by malware site that installed malware like Storm or Conficker? In a previous post we discussed how URL abbreviation services can potentially hide an underlying threat vector to redirect users to malware drive-by or phishing sites. Granted, that example isn't one of a specific Twitter flaw, but it is just another thing that users of the popular service need to be on the lookout for.
In its short existence Twitter has almost single handedly revolutionized how we communicate (in 140 characters or less :) ) online. Whether you are using Twitter to communicate with friends from school, family, or professionally to keep up on market trends or as another method to increase your brand awareness (a recent report by comScore said that more than 50% of Twitter users are between 25-54 with most users being on the upper end of that scale), Twitter has stormed onto the social media scene and has already become an important part of how people communicate online. I use it myself. As such, it creates another avenue by which we need to make sure we educate ourselves and our users about the potential for online threats.
I am guessing that most people are suffering from Conficker information overload today! As such, it is very important to be able to separate the Conficker Facts from the FUD. In case you have not yet seen it, I blogged last week about what I believe will (not) happen when the Conficker.C variant activates tomorrow, April 1st. Up to this point we still have not yet seen anything that would lead me to believe anything contradictory to that statement.
I read in a couple of places yesterday about a flaw in the C variant of the Conficker worm that makes infected machines on your LAN respond differently than machines that are not infected. According to Dan Kaminsky's blog, this flaw causes a function named NetpwPathCanonicalize() to behave differently on an infected host than it does on either a patched or an unpatched version of the Windows OS. This difference in behavior is what folks like McAfee, Nessus, Qualys, and others are keying on to develop a scanner to identify infected hosts.
Although a tool is great to identify machines already infected with the Conficker worm, it is more important to emphasize and re-emphasize the importance of patching and multiple defense layers (from out in the cloud all the way down to the network endpoints) to mitigate these types of infections to begin with. In the interim, if you believe that machines on your network may currently be infected with the latest Conficker variant download the proof of concept scanner and put together a quickly actionable plan to clean these machines up.
There certainly is a lot of attention being paid to the Conficker botnet these days. Some of this attention is warranted. What is its purpose? What is it going to do? What is it going to be used for? Will it be split up and sold off to the highest bidders? All valid questions, but recently most of the attention surrounding Conficker has been around what is being called the "activation" of the botnet on April 1 (April Fool's Day. Coincidence?).
Earlier this month a new variant of the Conficker worm, dubbed Conficker.C, was pushed out to update machines that had previously been infected with Conficker.B (the previous variant of the worm). Several improvements were made in Conficker.C that make it more difficult to infiltrate than its predecessor. Firstly, it moved away from a pull model, where the infected hosts would ping back to a command and control server (the URL it would communicate with was randomly generated based on an algorithm within the malware code) to see if there were any updates to be downloaded. Conficker.C has moved to a push-based method of update, where code changes are sent from a command and control host down to the infected client. The malware further updated itself to include code signing techniques so that it will only accept updates from itself. These updates are game changers as it relates to how security researchers have generally infiltrated and analyzed botnets.
One of the other major changes that was introduced in Conficker.C was the number of domains that are registered by the botnet to distribute code updates. In Conficker.B there were 250 random URLs being generated on a daily basis that the botnet would use to look for updates. Researchers were able to crack the URL generation algorithm and figure out what domains were going to be used on what days so that they could register those domains in advance of the botnet attempting to use them. In response, the Conficker authors seriously upped the ante by changing the number of URLs used by the botnet from 250 daily to 50,000. A virtual scoff from the worm authors.
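The domain-generation arms race described in the last two paragraphs is easier to see with a small worked example. The code below is mine, added here for illustration; it is not Conficker's algorithm, nor anyone's published reconstruction of it. It uses a hypothetical date-seeded generator (SHA-256 over an assumed seed, the date and an index, with an assumed TLD list) to show the defender's side: once the algorithm and its constants are known, the full list of names for any day can be produced ahead of time, either to register them first or, as here, to flag internal hosts whose DNS queries hit that list. The query log lines are constructed.

```python
import hashlib
from datetime import date
from typing import Dict, List

# Assumed TLD list and seed for the stand-in generator; not the real worm's.
TLDS = ["com", "net", "org", "info", "biz"]
SEED = b"hypothetical-dga"


def daily_domains(day: date, count: int) -> List[str]:
    """Hypothetical date-seeded domain generator (NOT Conficker's algorithm).
    It is deterministic in (day, index), so anyone holding the seed can produce
    the whole list for any day in advance, which is what made pre-registering
    250 names a day feasible and 50,000 a day a very different proposition."""
    domains = []
    for index in range(count):
        digest = hashlib.sha256(
            SEED + day.isoformat().encode() + index.to_bytes(4, "big")
        ).hexdigest()
        label = "".join(
            chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 16, 2)
        )
        tld = TLDS[int(digest[16:18], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def flag_hosts(log_text: str, day: date, count: int) -> Dict[str, List[str]]:
    """Match DNS query log lines against the day's precomputed domain set and
    return {client_ip: [matching query names]}.
    Constructed line format: '<timestamp> <client-ip> <qtype> <qname>'."""
    expected = set(daily_domains(day, count))
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guess
        _, client, _, qname = fields
        if qname.lower().rstrip(".") in expected:
            hits.setdefault(client, []).append(qname)
    return hits


DAY = date(2009, 3, 30)
_todays = daily_domains(DAY, 250)
# Constructed query log: two internal hosts look up that day's generated names.
SAMPLE_LOG = "\n".join([
    "2009-03-30T08:01:12 10.0.0.15 A www.example.com",
    f"2009-03-30T08:01:13 10.0.0.15 A {_todays[3]}",
    "2009-03-30T08:02:40 10.0.0.22 A mail.example.com",
    f"2009-03-30T08:03:05 10.0.0.31 A {_todays[17]}.",
    f"2009-03-30T08:03:06 10.0.0.31 A {_todays[42]}",
])

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_LOG, DAY, 250))
    # The defender's daily workload scales linearly with the list size.
    print(len(daily_domains(DAY, 250)), "vs", len(daily_domains(DAY, 50000)))
```

Running the matcher against tomorrow's list instead of today's returns nothing, which is the practical point: the lookup set has to be regenerated every day, and at 50,000 names a day the registration side of that becomes a budget question rather than a script.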
On April 1, the botnet is said to activate its latest variant, Conficker.C, and rumors are running rampant as to what the wide scale implications will be as a result. All we know at this point is that on April 1, Conficker.C will start using its new code and algorithms to make the botnet much more resilient to penetration by security researchers. We have spoken several times now about how malware authors are attempting to build the next generation botnet after the McColo shutdown. Conficker is a clear example of a proof of concept that will likely be used by malware authors until the "next big idea" comes along.
Will it ever actually be used for anything? Sure, it will. Why go through all of this effort to create such a huge botnet and then not utilize it for something? In a financially motivated economy it doesn't make sense not to rent it out or sell it off. My point is: don't buy too much into the April 1 hype. It very well could be much ado about nothing.
Over the past several weeks we have been watching the Waledac botnet go through a couple of different phases. Back in late January we reported on Waledac resorting back to its familiar roots of sending out spam to malware infected web sites. Frequently these messages were tied to some sort of holiday and used e-cards as a lure to get potential victims to open the email and visit a malicious web site.
We saw a couple of different iterations of their most recent Valentine's Day campaigns. One was for a Valentine Devkit (see above link) and another was a lure for the ever popular e-card. Since February 22nd, Waledac has taken a bit of a different twist on its typical holiday themes and has focused its efforts on something just as timely: the economy. Making a copy of a legitimate web site that focuses on helping you save money (who wouldn't want to do that given current economic conditions?), couponizer.com, the Waledac folks sent out emails linking to their spoofed look-alike sites. As with many other Waledac/Storm generated web sites, just about everything on the page is an image. This is generally a dead giveaway to folks who have been tracking Waledac/Storm for quite some time, but is a minor fact that is likely lost on most users who are unaware they are being duped. These images link to a binary executable file which, when downloaded and run by the user, enlists their PC into the botnet.
Below is a screenshot representation of the fake couponizer site:
Take a moment to visit the real couponizer.com and you will notice that the look alike and legitimate sites bear some similarity.
Since this new variant launched the MX Logic Threat Operations Center has been processing about 15,000 of these messages per hour, a trend that continues 5 days after the tactic's original launch.
Below is a graph that illustrates volumes and shifts in Waledac tactics since 1/23/2009 (the date we started tracking the Devkit variant):
You'll notice that there is no overlap in tactics as Waledac shifts from one template to the next. The Valentine's e-card tactic started on February 9th and the latest Couponizer spoof started on February 22nd.
Another interesting thing to notice from the graph is that we actually saw more Valentine's day e-card spam coming from Waledac AFTER Valentine's Day than before.
Nevertheless, it is clear that the Waledac folks are working very hard to build their botnet back up to the levels it was at prior to Microsoft releasing its September 2007 MSRT update, which Microsoft claims was responsible for mostly taking down its predecessor, Storm. This botnet clearly isn't just about holidays anymore.
Starting earlier this morning our Threat Operations Center started tracking a new Classmates.com themed spam email that links to a video site that contains malware.
The sample messages that we have received have a from line that spoofs the classmates.com domain and would appear in your mail client as "Classmates [random word] Center", where [random word] is a word like "updates" or "manager". So it would appear in your mail client as "Classmates updates Center" or "Classmates manager Center", with "Classmates" and "Center" capitalized but the added middle word in lower case.
The message content is fairly static with a few variations between the samples. Below is a copy of one of the emails:
Special video report February 25, 2009:
One of your classmates has sent you a video invitation:
"Read the story and see photos of my wedding and our tour,Please discover our video invitation to your family. I hope to get back from you soon..."
Sincerely, Corine Sutherland.
2009 Classmates Organisation Message Centre.
The elements that we have seen vary between samples are the link to the malware site and the name in the closing of the message.
Once clicked, the user is brought to a classmates.com-branded site with a link to an executable file posing as a video. The file name downloaded is "Adobemedia10.exe".
Volumes have ranged in the 30-70k per hour range since the 6am MST hour this morning.
The subject lines that we have observed associated with this campaign are:
2009 Annual Meeting
2009 Classmates - 2009 Meeting
2009 Classmates - Annual Meeting
2009 Classmates - Getting Video
2009 Classmates - Ill have more to say about the specifics of the meeting soon
2009 Classmates - Meetings
2009 Classmates - Save video fragments from movies with the simplicity of pressing ...
2009 Classmates Annual Meeting
2009 Classmates Annual Meeting -- Coming Soon! - Modern ...
It looks like the Waledac botnet folks are at it again...new e-card spam with links to malware using a Valentine's Day theme.
The email itself is your standard fare e-card Valentine's Day lure (subject lines starting with "You've got an e-card at <random greeting card domain>"); however, differing from many previous incarnations of e-card spam, the From address does not try to spoof any of the common greeting card web sites (mistake number 1):
----------------------------------------
Ted just mailed to you an Online greeting card and wrote this to you:
"You're So Sweet!"
You may pick it up from:
hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
Your eCard will be available for the next 20 days.
----------------------------------------
We have also seen samples of this tactic linking to yourgreatlove.com, a known Waledac domain.
Clicking the link in the email will bring you to a cute web site with puppies giving you "the eyes" enticing you to download their malware:
Clearly there is a disconnect between the email which is telling you to pick up your e-card and the web site which is asking you to download a "Valentine Devkit" (mistake number 2). As a result of this perceived error, volumes are very low (only a few here and there thus far), but this does appear to be a sign that the Waledac gang is gearing up for some kind of Valentine's Day campaign.
The commercial AV guys don't appear to be up on this one yet so keep your eyes open! We'll be monitoring the Waledac guys up to and through Valentine's Day this weekend and will post any new variants that we see coming from these guys here.
Here's a great story about social engineering from the folks over at the Internet Storm Center that originates with fake parking tickets being placed on car windshields. The recipient of the "ticket" is then asked to visit a website to get more information about the ticket. When the "offender" visits the web site, they would see photos of various cars parked in parking lots.
The article gives much more detailed information about how the plan was carried out and some of the technical analysis of the malware, if you are interested.
Although the lure of putting a fake parking ticket on someone's car is certainly something new and different (and probably duped a few people), the behavior of the BHO that was installed, which tries to get users to download a fake antivirus application, sounds very similar to the Conficker/Downadup botnet that has received quite a bit of press lately, although no definitive link has been made yet between the two. One would guess that there was some customization of the malware that users were downloading that would benefit the person who was placing the "tickets", as this method of social engineering is clearly not conducive to wide-scale infection.
Starting during the 8pm MST hour on Thursday night (January 22nd) our Threat Operations Center observed a new Valentine's Day themed spam that appears to be coming from the Waledac botnet (new Storm botnet) gang, following in the tradition of Storm by sending out holiday themed emails further lending validation to the theory that the folks who are behind Waledac are likely the same ones that created Storm.
Emails are short and sweet one liners with content like "Me and You", "In Your Arms", and "With all my love" followed by a web site link. No malware is attached to the email itself. Subject lines also have a love theme to them. Some of the examples that our Threat Operations Center have observed include "Falling in love with you", "I belong to you", and "I love being in love with you". Once the link in the email is clicked the user is brought to a site that has an image of 12 hearts and has the bold text "Guess, which one is for you?" and looks like the following:
Clicking anywhere within the hearts is a link to an executable file that the user can download and install to infect themselves. Infection does not occur merely by visiting the page. The executable file (e.g. you.exe or love.exe) must be run to install the malware.
This page is also using Google Analytics to track number of visitors and where those visitors are coming from.
Volumes have been modest, but have accounted for about 10% of the malicious email that we have seen within the past 24 hours. Traffic has been steadily increasing since it was first observed, as illustrated in the graph below:
Clearly the old Storm folks are working as hard as they can in an effort to build up their new botnet, and are following the old tried-and-true methods of centering their social engineering tactics around holiday themes. It was very successful for them the last time around, so why fix what isn't broken, right? Nevertheless, it still impresses me that tactics like this continue to work and be so effective despite how many times they get recycled.
*** UPDATE 1/23/2009 3:20pm MST *** Volumes have been steadily increasing over the course of the day. Average volume since 9am is about 11k per hour. We will continue to monitor over the course of the weekend and will post updates as necessary.
*** UPDATE 1/26/2009 8:30am MST *** No significant morphs of this tactic over the weekend. The folks over at shadowserver.org have posted a list of the domains being spamvertised as part of this campaign. If you are not already doing so, you may want to consider blocking access to them. Volumes of this email have been hovering at around 4,000 per hour for the last 36 hours and appeared to take a brief 5 hour hiatus Saturday afternoon between the hours of 2-7pm MST. Maybe they were watching the NHL All Star Festivities :) Current volume graph below ***
A couple of days before the inauguration of president-elect Barack Obama, spammers are sending out political propaganda that would have you believe that Barack Obama no longer wishes to be President of the United States.
Spam emails are being sent out with subject lines such as "Haven't you heard latest news about our president-elect?" (Funny enough, one of these samples originated in Brazil. Is Obama about to be President down there too? :) ), "End-time for USA", and "Who will be our president now?". The messages are single line spam messages with phrases of only a few words followed by a link to a barackobama.com look-alike site. Some of the phrases being used in the emails that we have observed are "Barack Obama abandoned sinking ship" and "Obama doesn't wany anymore to be a president".
The site that users are lured to if they click the link in the email looks like this:
All of the links on the site link to a file named pdf.exe which McAfee is calling part of the Waledec family of malware. Waledec is widely considered to be the new incarnation of the Storm Worm based on its similarities in behavior to the original Storm which has been eradicated.
As is often the case with these new outbreaks, AV detection is scarce so be aware of this new tactic. Taking a brief opportunity to toot our own horn, we predicted this type of attack in the January edition of our Threat Forecast and Report.
Volumes are currently averaging about 4,000 per hour hitting the MX Logic systems. We will continue to monitor this over the weekend and update as necessary.
*** UPDATE 1/19/2009 3:30pm MST *** Volumes have averaged between 5-16k messages per hour over the weekend and into Monday with today's average hovering around 10,000 per hour. No new significant variants have been observed. Below is an updated volume graph:
As you can see, there are still significant peaks and valleys in Obama email message flow which means that this campaign is still actively sending out spam. With Tuesday's inauguration we will continue to monitor for either another resurgence of this tactic or the emergence of another new variant from the PCs responsible for sending out this current spam wave. As soon as anything crops up, we will be sure to make you all aware.
Recently, SC Magazine posted an article that quotes a report by Forrester Research which claims that security spending will be higher for both SMBs and Enterprises in 2009. This makes sense to me.
As businesses look for ways to cut costs across every department, security remains one of the most important, if not the most important, IT matters they still need to be sure is addressed over the course of 2009. As such, matters like inbound spam, viruses, application-level intrusions, data leakage protection, web threats, archiving, and compliance will still need to receive top priority, as cyber criminals are not feeling the same effects of a downturned economy as everyone else is. Their efforts will not be slowed, which means that businesses of all sizes need to be as diligent as ever. Organizations are looking to outsource some of the daily tasks that are outside their core competencies so that they can refocus their IT resources on the company's business objectives, typically at less cost and more effectively than can be accomplished internally.
2009 will certainly be an interesting and exciting year for security as network and application threats become more undetectable and uncleanable by existing technologies and businesses look for ways to protect their intellectual property. The definition of the "network endpoint" has become more and more unclear, with mobile and social networking technologies becoming the norm rather than the exception. This creates a large burden as companies try to come to grips with how much of their confidential, proprietary information is floating around freely on the web. As such, IT security spending will be a more prominent budget line item than in years past. If it isn't, then a company's level of risk increases exponentially.
Starting at about 6:50am MST this morning we started to see a new spam outbreak alleging to be from CNN. Emails will appear to be from several different senders such as "CNN News Centre - Headline News", "Media News", and "News Centre" with addresses such as support@cnn.com and hot@cnn.com. The email that our Threat Operations Center has observed thus far is centered around the current Israel conflict in Gaza.
Here is a sample message of what we have seen:
Israel offers short respite from strikes.
Israel will halt its bombardment of Gaza for three hours every day to allow residents of the Hamas-ruled Palestinian territory to obtain much-needed supplies, a military spokesman says.
The images broadcast here were graphic and striking.
The Al Jazeera English report below captures the extent of the devastation caused by the initial strikes.
2009 Cable News Network. A Time Warner Company. All Rights Reserved.
The URL being linked to changes from message to message; however, the "edition.cnn.2009" at the start of the URL appears to be static across the samples we have observed thus far. Also, the page "israel-gaza.htm" has been linked to in all samples we have seen.
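The static pieces called out in the paragraph above (the "edition.cnn.2009" host prefix and the "israel-gaza.htm" page) and the "Classmates [random word] Center" display-name shape described in the Classmates post further up the page are exactly the kind of indicators a mail filter can key on while the rest of the message churns. The code below is an added example of mine, not MX Logic's filtering logic: it parses the From header, checks the display name, sender domain and subject against the Classmates pattern, and checks every URL in the body against the CNN pattern while making sure the host is not actually under cnn.com. The three sample messages are constructed, and the link hosts use placeholder names.

```python
import re
from email.utils import parseaddr
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Display-name shape reported for the Classmates campaign:
# "Classmates <lower-case word> Center".
CLASSMATES_DISPLAY_RE = re.compile(r"\AClassmates [a-z]+ Center\Z")
# Prefix shared by the subject lines listed in the Classmates post.
CLASSMATES_SUBJECT_RE = re.compile(r"\A2009 (Classmates\b|Annual Meeting)")
# Static parts of the CNN lure URL reported above.
CNN_HOST_PREFIX = "edition.cnn.2009"
CNN_PAGE = "israel-gaza.htm"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(from_header: str) -> str:
    """Lower-cased domain part of the From address ("" if there is none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify(from_header: str, subject: str, body: str) -> List[str]:
    """Return the campaign indicators that fire for one message."""
    reasons: List[str] = []
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)

    # Classmates lure: spoofed classmates.com sender, the odd display name,
    # and one of the "2009 Classmates ..." / "2009 Annual Meeting" subjects.
    if (domain == "classmates.com"
            and CLASSMATES_DISPLAY_RE.match(display)
            and CLASSMATES_SUBJECT_RE.match(subject)):
        reasons.append("classmates-lure")

    # CNN lure: any link whose host starts with the static prefix but is not
    # actually under cnn.com, pointing at the static page name.
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        on_real_cnn = host == "cnn.com" or host.endswith(".cnn.com")
        if (host.startswith(CNN_HOST_PREFIX)
                and not on_real_cnn
                and parsed.path.endswith("/" + CNN_PAGE)):
            reasons.append("cnn-lure:" + host)
    return reasons


# Constructed samples: (From header, Subject, body).  Link hosts are placeholders.
SAMPLE_MESSAGES: Dict[str, Tuple[str, str, str]] = {
    "classmates-spam": (
        "Classmates updates Center <support@classmates.com>",
        "2009 Classmates - Annual Meeting",
        "One of your classmates has sent you a video invitation:\n"
        "http://video-invite.placeholder-lure.example/Adobemedia10.exe\n",
    ),
    "cnn-spam": (
        "CNN News Centre - Headline News <support@cnn.com>",
        "Israel's War Crimes",
        "Israel offers short respite from strikes.\n"
        "http://edition.cnn.2009.placeholder-lure.example/israel-gaza.htm\n",
    ),
    "benign": (
        "Classmates Member Center <noreply@classmates.com>",
        "Your weekly update",
        "See who viewed your profile: https://www.classmates.com/\n",
    ),
}


def classify_samples() -> Dict[str, List[str]]:
    return {name: classify(*msg) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, reasons in classify_samples().items():
        print(f"{name:16s} {reasons or 'clean'}")
```

The benign sample is there to show the capitalization detail from the Classmates post doing real work: "Classmates Member Center" has a capitalized middle word and does not match, so a legitimate-looking sender is not flagged on the display name alone.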
Volumes started out fairly modest at about 50 instances seen within the first 45 minutes, but started to pick up pace very quickly at around 8am MST where we saw another 1,300 within about 10 minutes. We are continuously collecting volume numbers and will post more updates as needed.
If the link in the email is clicked, the user is brought to a fake news page like the following:
Some sample subject lines include:
Hamas launching rocket war after Gaza evacuation
Hamas Goads Israel into War
Israel's War Crimes
War in Gaza: while Israel and Hamas fight
This tactic is similar to the CNN fake news update that we originally saw back in August 2008 where an email purporting to be from CNN was sending users to fake video sites where they were then directed to download a video codec in order to watch the video. The video codec is actually malware.
Due to the effectiveness of the previous CNN outbreak (our Threat Operations Center intercepted about 835M fake CNN messages during a two week period back in August) and the worldwide interest in what is currently happening in Gaza we felt it was appropriate to send out this threat alert to raise awareness in this campaign that appears to be quickly picking up steam.
We will continue to actively monitor this tactic for changes both in volume and content and will report on those as they surface.
*** UPDATE 1/8/2009 2:00pm MST *** After monitoring this threat for the past several hours, peak volumes have so far occurred during the 10am MST hour, where our Threat Operations Center observed just over 80,000 of these messages.
Current volume graph:
The domains being used do not appear to be fast-fluxing across many IP addresses, either. All of the domains we have observed these CNN emails pointing to have resolved to the same 5 IP addresses: 99.135.187.5, 173.21.75.102, 75.45.181.113, 91.123.159.112, and 98.141.74.204. We will continue to monitor in the event that this changes.
The fact that volumes have dropped from their peak is not to say that this tactic is waning. Recall that during the original CNN outbreak back in August it took 3 days for volumes to peak so it is still possible that as developments continue to evolve in Gaza that additional variants of this email and malware may crop up. Additional updates to follow as they become available.
*** UPDATE 1/8/2009 3:20pm MST *** I stand corrected on my previous update. The domains being used to host the fake video codec downloads are indeed fluxing, albeit not very quickly. Current volumes are still holding steady at about 15,000 per hour.
Starting Tuesday morning our Threat Operations Center started to observe a new wave of fake UPS Delivery Notifications. These emails contain an infected zip file that when opened will install malware onto the user's PC.
Fake UPS delivery notifications are nothing new as a tactic. We originally spoke about them back in October 2008 here. Since that time, we have seen a number of similar UPS variants, each with very limited success. Although this new lure is not much different than the ones sent previously, it appears to be having greater penetration rates based on the volumes we are seeing. Although the actual volume is not significant, it is currently representing about 75% of the infected emails that we have seen over the past 24 hours.
The fake notifications that we have seen thus far have been straightforward to identify. They appear to be from "United Postal Service", carry a subject line of "Delivery Problems", and have an attachment named UPSinvoice.zip. The email content is as follows:
Hello!
Sorry, we were not able to deliver postal package you sent on December the 25th in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your UPS Support Team
You'll notice that the text of the message is almost exactly the same as the variant that we saw back in October save for the date referenced in the message and who the message is signed as.
Similar to the previous tactics that we have seen, the email is very generic. It says neither where the package was supposedly being sent nor where to pick it up. Couple that with the fact that UPS does not ask for a contact email address when a package is shipped, and there is no chance that messages of this type should be considered legitimate.
I wanted to take a few minutes and post a follow-up to my post the other day about an article written by Lance Winslow in 2005 and reposted here by ezinearticles.com with a date of December 31, 2008, making it appear as if the content had been written recently by Lance.
Businesses have a lot of choices when making decisions about protecting their network infrastructures. They can choose to do it in-house using a number of open source solutions or commercial desktop software. They can also purchase a network-based appliance, which typically also has to be maintained in-house, or they can look to in-the-cloud solutions using a Managed Service like MX Logic (I'll reiterate my partiality to Managed Services :) ). No matter which type of solution you prefer for your organization, almost all are effective at stopping spam. The bigger questions that must be answered by any company making these decisions are how much control it wants to have, how much bandwidth risk it deems acceptable in the event of a large outbreak, and how much internal resource it wants to allocate to managing these solutions.
Overall, spam rates are still down about 45% from their most recent peak in August as a result of the McColo shutdown. Despite the movement to the web as a primary malware delivery vehicle, and with occasional peaks and valleys in mail flow over short periods of time, spam volumes have historically continued to increase and will continue to do so. The biggest reasons for these historical increases are improved attack precision (i.e. more targeted attacks and fewer en masse spam campaigns) and refined social engineering that dupes users into opening attachments and visiting web sites that enlist their PCs into botnets.
I do agree with Lance's point with respect to the efforts already put forth by the FTC as being largely fruitless. There have been few arrests since CAN-SPAM went into effect 5 years ago. At the end of the day, spammers are criminals and should be arrested, but cooperation is needed by many others outside of law enforcement like the upstream bandwidth providers and domain registrars if we are really to make a dent in the spam problem.
At the end of the day, whether spam volumes are up or down, cyber crime is both a criminal and a social problem. I think the criminal part is pretty self-explanatory, but what drives people to cyber crime? Money. Lots of it. With the relatively few arrests that have been made in comparison to the number of spammers trying to fill our inboxes on an everyday basis, cyber crime is considered to be a low risk, high reward venture. Considering the difficult economic times we are now in the middle of, where companies are tightening their belts as much as possible and unemployment is rising on a daily basis, it would not be surprising to see more people getting involved in cyber crime activities.
So, to come back to my original point before going on a bit of a tangent: Is an article written back in 2005 about spam volumes, tactics, and defenses entirely relevant today? I would say both yes and no. Although tactics have evolved and businesses are feeling more and more pressure every day to find ways to keep their mail servers online and prevent confidential data from leaking out of their networks, there are a lot of options available. Businesses need to evaluate which type of solution provides them with the options and features that best suit their business and compliance needs.
There has been quite a bit of press over the last day or two about a weakness in the way SSL certificates are issued that could allow an attacker to forge a certificate your browser will accept, circumventing the built-in authentication checks. The flaw is not in SSL itself but in the certificate authorities that still sign certificates with the MD5 hash algorithm. This means that a malicious, look-alike web site for your bank could authenticate to your browser as your real bank's web site if the attack is carried out correctly. See this story from CNET that has a graphical proof of concept example using Bank of America.
If you are not familiar with MD5, it is a hash function that reduces an input of any size to a 128-bit digest and is used by many security applications. For example, an MD5 hash is commonly used as a checksum by system integrity validators (SIV) to ensure that key binaries on your system have not changed from their known-good contents (if they have, this could indicate that a trojan or rootkit has been installed on your system).
MD5 has been known for some time not to be secure against collisions. The digest is 128 bits long (conventionally written as 32 hexadecimal digits), so there are a finite 2^128 possible values, but brute force over that space is not the problem; the problem is that since 2004 published analytic attacks have made it cheap to construct two different inputs with the same MD5 hash. The harder variant demonstrated here is a collision in which both inputs must contain attacker-chosen content (a legitimate-looking certificate request on one side and a rogue CA certificate on the other), and the power of today's clustered computing environments (including botnets) has brought the cost of that within reach. According to the CNET article, the initial forgery proof of concept took about 2 weeks on a cluster of 200 PlayStation 3s. That amount of computing power is small compared to most botnets. Quite a few articles on the web (do a Google search for "md5 collision example" and some will yield source code) already discuss how easy it is to create a plain MD5 collision.
Web site forgeries are only one example of how MD5 collisions can be used to circumvent security technologies. My friend Adam O'Donnell from Cloudmark points out in a Twitter update that an MD5 collision could also be used to make malicious software look legitimate. Take our SIV example from earlier. If a malicious version of a binary was created with the same MD5 checksum as its legitimate counterpart, your security checks might never identify that the original executable had been modified if your PC were to get infected with some type of trojan or rootkit. One caveat a practitioner should keep in mind: the practical attacks produce two files that the attacker builds together; they do not let an attacker match the MD5 of an existing binary he did not create (a second-preimage attack, which remains out of reach for MD5). So the realistic scenario is a supplier, or an attacker with a foothold in the build process, shipping a "clean" binary whose MD5 has been arranged in advance to match a malicious twin. This could also cause AV companies to have to rethink some of their own scanning methods.
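To make the SIV scenario concrete, here is an added example (it is not code from the original post) that reproduces the colliding 128-byte pair published by Wang, Feng, Lai and Yu in 2004 and shows the property an attacker relies on: the two inputs differ in six bytes yet share one MD5 digest, and because MD5 processes data block by block, appending the same data to both keeps the digest identical. The hex constants are the published pair; `verify_integrity` is a stand-in for a naive MD5-only validator, not any particular product, and the shared payload is a constructed string.

```python
import hashlib

# Colliding 128-byte messages from the 2004 Wang/Feng/Lai/Yu result, reproduced
# from the public record (they are not data from the post). They differ in 6 bytes.
COLLISION_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_twins(shared_suffix: bytes) -> tuple:
    """Append the same suffix to both colliding prefixes.

    Both prefixes are exactly two 64-byte MD5 blocks, so MD5's internal state is
    identical after processing either one; any common suffix therefore hashes to
    the same digest under both. This is the trick behind a 'clean' and a
    'malicious' executable with one MD5: both files carry both payloads and the
    differing prefix bytes decide which branch runs.
    """
    return COLLISION_A + shared_suffix, COLLISION_B + shared_suffix


def verify_integrity(reference_md5: str, candidate: bytes) -> bool:
    """The check a naive MD5-only integrity validator performs (hypothetical)."""
    return md5_hex(candidate) == reference_md5


def collision_report() -> dict:
    """Summarise the properties a reviewer would want to see with their own eyes."""
    clean, evil = build_twins(b"shared payload: constructed example, not real code")
    return {
        "prefixes_differ": COLLISION_A != COLLISION_B,
        "prefix_md5_equal": md5_hex(COLLISION_A) == md5_hex(COLLISION_B),
        "twins_md5_equal": md5_hex(clean) == md5_hex(evil),
        "twins_sha256_equal": sha256_hex(clean) == sha256_hex(evil),
        "naive_validator_accepts_evil": verify_integrity(md5_hex(clean), evil),
        "differing_offsets": differing_offsets(COLLISION_A, COLLISION_B),
    }


if __name__ == "__main__":
    for key, value in collision_report().items():
        print(f"{key}: {value}")
```

The published digest shared by both prefixes is 79054025255fb1a26e4bc422aef54eb4. The SHA-256 line in the report is the practical takeaway: the same two files are trivially distinguished by a hash that is still collision resistant, which is why an integrity validator or AV signature should never rest on MD5 alone.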
What all of this really highlights is that MD5 is no longer a "good enough" hashing algorithm (in reality it hasn't been for years, but that hasn't stopped people from using it) if your intention is to create a hash that will be used as part of any kind of security/authentication system. I agree with Paul Kocher's statements in the CNET article that this is certainly not one of the biggest security issues facing us right now. Still, among all of the application-based attacks that exist, this one could be potentially very dangerous because, at least for web site forgeries, it is another of those attacks we have discussed that do not require elaborate social engineering to be carried out effectively: the redirection to a malicious site can be done at the network level, and the forged certificate then removes the one warning the browser would otherwise show.
This is not one of those types of attacks that is likely to occur on a large scale against many widely used web sites (like the Bank of America proof of concept) as it would likely get sniffed out very quickly, but if used for smaller, more localized attacks could prove to be effective.
Just hours after Barack Obama was projected by all of the major news outlets to become the 44th President of the United States, cyber criminals have already launched a link-based malware campaign using Obama as a lure. Uncle Sam wants you to vote. Spammers want you to join their botnets!
As with most effective malware campaigns, timeliness is everything. From what we are seeing so far, the social engineering tactic being used, coupled with interest in the election and its outcome, is already producing high volumes: many users are being tricked into infecting their PCs with this malware, which will in turn be used to send out more of this type of spam.
Starting at about 8am MST this morning we started to see messages come into our spamtraps purporting to be from various credible news organizations using from addresses like news@bbc.com, news@cnn.com, election@usatoday.com, among others. The emails have subject lines such as "Barack Obama Wins", "Election Night Results", and "Fear of a Black President".
The messages themselves vary a bit, but the basic premise is the same across the different variants that we have observed so far.
Here is one sample:
-----------------------------------------------
Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!
Proceed to the election results news page>>
2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
------------------------------------------------
As usual, note the grammatical errors.
The link in the message brings the user to a look alike news web site which alleges that the user must download an updated version of flash to view the video of Obama's speech:
Clicking on the download link attempts to download a file called adobe_flash9.exe, which contains the malware.
If early indications are any indication of future success, this campaign is going to be a success, but it won't win the popular vote (ok, sorry for my bad political humor). In the first 2 hours we have already seen almost 1M of these messages (over 350k in the 8am MST hour and over 600k in the 9am hour).
The folks over at Websense reported another Obama malware campaign in Spanish. This, however appears to be a very low volume, targeted campaign. We have seen less than 50 of these total, but it underlines the fact that cyber criminals are definitely jumping on the post-election bandwagon and doing it in a big way. Strangely enough, if this trend continues we might see more post-election spam than we saw pre-election. Who would've expected that?
In the event that you were not aware, a new critical update (rated Important on Vista and Server 2008, but Critical for Windows XP, 2000, and Server 2003) has been released as an out-of-band patch from Microsoft (MS08-067).
It is of utmost importance that this vulnerability be patched as soon as you are able to. The primary reason for this patch being released outside of the typical Patch Tuesday schedule is in response to exploits available in the wild and the potential for damage as a result of becoming infected.
The vulnerability being patched is exploitable over the network without any user interaction. This means that once one machine within the network becomes infected, it can immediately start scanning for other vulnerable machines within the network to exploit. As a result, this vulnerability could have SQL Slammer-like implications. The primary difference is that SQL Slammer exploited a single application (a buffer overflow in Microsoft SQL Server 2000 and MSDE), whereas this exploit takes advantage of a vulnerability in a core Windows service that ships with the operating system itself, which means the potential attack surface is much larger.
In the past 24 hours our Threat Operations Center has seen over 100,000 emails with attached exploits that appear to be taking advantage of this vulnerability. All instances that we have seen thus far have been in German so their viability in the United States is limited. We are on the lookout for additional variants, and will report them as they are seen.
*** UPDATED 10/24/2008 1:06pm MDT *** Upon further review It appears that the German emails are not related to the Microsoft exploit. We are currently researching whether there is an email delivery vector being used to deliver exploit code to take advantage of this vulnerability. The German emails are actually a different piece of malicious code. More information here. This update is also to correct the brief mention that was made in this morning's edition of the Security Buzz podcast that there might be an email attack vector sending out exploits. That does not CURRENTLY appear to be the case.
*** UPDATED 10/24/2008 2:20pm MDT *** Exploit code for yesterday's patched vulnerability is freely available via popular security sites like SecurityFocus. Blocking RPC ports such as 135-139 and 445 at your perimeter firewall is not, on its own, a mitigation: it does nothing against an already-infected laptop carried inside the network or against exploit code that arrives by other routes. Now that exploit code is so easily available it is not out of the realm of possibility that attacks will come from many different angles, email included, looking to get into your network. It is definitely advised that you test and deploy this patch ASAP.
As if Windows users didn't fear Patch Tuesday enough, today there is a new email-borne malware campaign attempting to trick people into installing a piece of malware posing as an official update from Microsoft.
As with many poorly constructed malware campaigns, there is a lot of broken English in the email (even in the Subject line!). The PGP signature at the bottom of the message also appears to be random.
The subject line of the message is "Security Update for OS Microsoft Windows" and it alleges to contain an update for several unsupported versions of Windows. This is likely an attempt to infect users who are still on these ancient versions of the Windows OS. Considering how long versions like Windows 98 have been unsupported, if you are still using one, you are likely already infected with lots of other malware and already part of many other botnets.
Fake Microsoft Updates are certainly nothing new. We've been seeing them for a couple of years now, but the timing coinciding with Patch Tuesday throws in a wrinkle that I do not recall seeing previously.
It is important to note and remember that all Microsoft Windows updates are distributed either by download off of the Microsoft Web site or through the Windows Update service. Microsoft never releases official patches by email. It is likely that most people are not even seeing this email arrive in their inboxes because most organizations filter out executable attachments (the email comes with a .exe attached to the message) by default.
The message follows:
-----------------------------------------
Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you have received this notice.
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Thank you,
Steve Lipner
Director of Security Assurance
Microsoft Corp.
As is typical with any high profile news story, our Threat Operations Center is immediately on the lookout for any new spam campaigns that might start using that story as a social engineering lure.
This post is an alert that we are likely to start seeing spam campaigns (none have been observed by our TOC as of yet) related to the OJ Simpson guilty verdict from last week. Similar to the CNN and MSNBC campaigns from August it is likely that these spam emails will use a lure to an online video to trick users into visiting malicious web sites that download alleged video codecs that are actually malware.
It appears that some search engines are already being poisoned with links to malicious video downloads based off of certain search criteria related to the verdict. It is typical for these types of tactics to start bleeding into email as well.
If/When we start observing these tactics, we'll be sure to post them along with their details.
Today must be "Return of the Old Tactics" day. A little while ago I wrote about a new tactic being employed for an old Google AdWords phish, and now we are seeing a spin on the fake FedEx delivery notification emails that have been so prevalent over the past month, except now they are targeting UPS.
We are seeing a number of emails hitting our spamtraps that appear to be from "United Postal Service" with a subject line of "[NO-REPLY] UPS Tracking Number 89259281" (the eight digits at the end are random). These messages have an attachment of UPS_LETTER.zip which contains an executable file of UPS_LETTER_N839925.doc.exe. (the 6 digits in the filename may be random as well. We are still collecting more samples to be sure).
The message body has the following text:
Unfortunately we were not able to deliver postal package you sent on Sept the 18 in time
because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your UPS
This tactic is similar to the FedEx scam (see original post from August 22nd here) in that the message claims to be a notification of non-delivery of a package that you sent, and the spammer wants you to open a copy of an "invoice" (read: malware). Also like the FedEx tactic, the message is very nondescript as to where to pick up the package, which should be an obvious tipoff that something is not quite kosher with this email.
We are still collecting volume stats on this new tactic, so as soon as I have those, I will update this post.
*** UPDATE 10/2/2008 13:45 MDT *** As of 9am today average hourly volume is approximately 100,000 fake UPS notifications per hour. We are continuing to monitor to see if this increases or decreases but as of the time of this update we have seen over 2M of these messages processed by our systems.
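The UPSinvoice.zip lure, the fake Microsoft update with its .exe attachment, and this UPS_LETTER.zip variant all depend on the same thing getting past the mail gateway: an executable, either attached directly or hidden one level down inside a zip with a misleading double extension. The following is an added example, not MX Logic's filtering code, of the attachment check a gateway should perform; the executable-extension list is an assumption, the sender address is a placeholder, and the sample message is constructed from the text of this post with a harmless stub in place of the malware.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly; the list is an assumption, extend it
# to match your own gateway policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def dangerous_name(filename: str):
    """Return a reason string if a file name looks like runnable code, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3:
        return f"double extension {filename!r} (shown as .{parts[-2]}, runs as {ext})"
    return f"executable attachment {filename!r}"


def inspect_zip(data: bytes) -> list:
    """Look inside an archive: the UPS lures hide the .exe one level down."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                reason = dangerous_name(info.filename)
                if reason:
                    findings.append("inside zip: " + reason)
    except zipfile.BadZipFile:
        findings.append("attachment named .zip is not a valid archive")
    return findings


def inspect_message(raw: bytes) -> list:
    """Walk every attachment of a raw RFC 822 message and collect findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = dangerous_name(name)
        if reason:
            findings.append(reason)
        # Check content, not just the name: a renamed zip still opens in Explorer.
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings.extend(inspect_zip(payload))
    return findings


def build_sample_ups_message() -> bytes:
    """Constructed sample modelled on the fake UPS notification (not a captured mail).
    The sender address is a placeholder; the file names are the ones the post reports."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        # Constructed stand-in for the malware: a bare MZ header, nothing runnable.
        zf.writestr("UPS_LETTER_N839925.doc.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "United Postal Service <noreply@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "[NO-REPLY] UPS Tracking Number 89259281"
    msg.set_content(
        "Unfortunately we were not able to deliver postal package you sent on Sept the 18 in time\n"
        "because the recipient's address is not correct.\n"
        "Please print out the invoice copy attached and collect the package at our office\n"
        "Your UPS\n"
    )
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_LETTER.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in inspect_message(build_sample_ups_message()):
        print("FLAG:", line)
```

Note that the check fires on the archive member, not on the outer UPS_LETTER.zip name, and that it sniffs the PK signature as well as the extension; a gateway that only blocks "*.exe" by name lets both the zip lure and a renamed executable straight through.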
Hackers combine bots, malware and search engine expertise to drive porn traffic
There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines. Today we discovered that the AARP’s website has been compromised by a two-pronged attack.
First, the hackers found vulnerabilities in AARP.org's user profile functionality that allowed them to post JavaScript redirect code and HREF links to porn sites. Second, they employed bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles.
This provides hackers with multiple benefits. Among them:
Search engines rank sites based upon links from other sites. If a high-ranking site like the AARP (to which Google has assigned a Page Rank of 8/10) links to the hacker’s site, it increases the recipient site’s ranking and traffic.
The bot-driven blog comment spam drives increased visibility of the hacked AARP profiles, driving higher traffic numbers and ranking to the AARP profile itself.
Users who view the seemingly innocent AARP member profiles are automatically redirected to porn sites and served fake "anti-virus" applications, themselves malware, to help them "fix" the problem.
Typically, most blog platforms do a fair job of limiting comment spam. Even so, a cursory check for inbound links to some of the hacked AARP.org profiles shows many blogs now have the AARP.org bot-submitted links in their comment areas.
As we’ve covered before, spam makes a lot of people a lot of money. Hackers have great incentive to find vulnerabilities in email systems as well as web-based content management platforms. They're also increasingly using SEO (search engine optimization) to help stack the odds in their favor. The possibility of being able to inexpensively market on such a massive scale means the threat will never completely go away.
Whether it’s your website or your email network, constant vigilance is necessary to keep your organization from getting egg on its face.
Just ask the AARP.
(Note: The above image is from a non JavaScript auto-redirecting post.)
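The root cause on the profile side is a field that stored and rendered user-supplied HTML as-is. As an added example (not AARP's code; the site host, tag policy and sample profile are assumptions), here is an allow-list sanitizer for such a field: it rebuilds the fragment from known-good tags only, drops scripts and event handlers, refuses javascript: and off-site links, and marks the links it does keep rel="nofollow" so a compromised profile cannot pass search ranking to anyone.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for a member-profile field: a handful of formatting tags, links
# only back to the site itself, and no scripting of any kind.
SITE_HOST = "aarp.org"  # assumption: the site whose profiles are being sanitised
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}


def unsafe_href(url: str, site_host: str = SITE_HOST) -> bool:
    """True for javascript:/data: URLs and for links that leave the site."""
    parsed = urlparse(url.strip())
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return True
    host = (parsed.hostname or "").lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


class ProfileSanitizer(HTMLParser):
    """Allow-list sanitiser: rebuilds the fragment from known-good pieces only."""

    def __init__(self, site_host: str = SITE_HOST):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host
        self.out = []
        self.findings = []
        self._skip = 0  # nesting depth inside a dropped container

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.findings.append(f"dropped <{tag}> and its content")
            self._skip = 1
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped <{tag}>")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.findings.append(f"dropped event handler {name} on <{tag}>")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and unsafe_href(value or "", self.site_host):
                self.findings.append(f"dropped off-site or non-http href {value!r}")
                continue
            kept.append((name, value or ""))
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        if tag == "a":
            attr_text += ' rel="nofollow"'  # deny the search-ranking benefit even to allowed links
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_profile(raw_html: str, site_host: str = SITE_HOST) -> tuple:
    """Return (clean_html, findings)."""
    s = ProfileSanitizer(site_host)
    s.feed(raw_html)
    s.close()
    return "".join(s.out), s.findings


# Constructed sample of what an attacker would paste into a profile field; the
# evil.example host is a placeholder, not a domain from the post.
SAMPLE_PROFILE = (
    "<p>Hi, I am a new member.</p>"
    '<script>window.location="http://evil.example/porn";</script>'
    '<a href="http://evil.example/porn" onclick="window.location=this.href">my site</a>'
    '<a href="http://www.aarp.org/groups">my group</a>'
    "<img src=\"x\" onerror=\"window.location='http://evil.example'\">"
)

if __name__ == "__main__":
    clean, findings = sanitize_profile(SAMPLE_PROFILE)
    print(clean)
    for f in findings:
        print("-", f)
```

Run on the sample, the sanitizer keeps the paragraph and the on-site link and reports four drops: the script block, the off-site href, the onclick handler and the img tag carrying an onerror redirect. The findings list is worth logging, since a sudden rise in dropped scripts across new profiles is exactly the signal that a profile-spam campaign has started.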
I've taken a bit of heat internally because I neglected to announce last week's posting of the monthly MX Logic Threat Report and Forecast for September. The latest edition can be downloaded here.
In that report we predicted that, as the Democratic and Republican National Conventions concluded and the campaign season kicked into high gear, we would see a continuation of some of the more recent spam tactics, where hackers use tabloid-like news headlines as a lure to get people to open malicious emails, but with a political twist. So, instead of fake Britney Spears or Oprah headlines as a means to get unsuspecting users to view a video or news clip, the movement has started toward targeting Barack Obama using similar means.
Some of the subject lines that we are currently seeing targeting Obama are:
Obama is ponstar now
Porno with Obama
Sex Video with Obama
Obama Sex Video
Barack Obama Hardcore
Barack Obama sex story with girl
Obama private porno
Barack Obama sex story with Ukrainian girl
Note that we have not yet seen any similar tactics targeting John McCain.
Volume on this tactic is currently extremely low (under 100 total have been seen thus far), but this is likely a proof of concept method that will play itself out over the next two months where more believable tactics are used by spammers. Instead of using tabloid like headlines, be on the lookout for emails containing attachments or links to sites claiming to be hosting the latest candidate television commercial or video with excerpts from a speech at their latest campaign stop.
Obviously there is a bit of a shock factor with these tabloid like headlines that grab people's attention, but since this tactic has been around for several weeks now, expect it to morph to using lures that are far more plausible in the very near future.
According to this story posted on Wired yesterday, a keylogger has been found on laptops being used in the space station. The reported malware, W32.Gammima.AG (see here for description on Symantec's web site), has been around since August 2007 and steals passwords from a few (rather obscure here in the United States) online games.
You are thinking "So what? What risk does an online game keylogger pose to a laptop on the space station? Why should I care?"
As you know, we like to think bigger picture here.
Let's start with the obvious question: why didn't the anti-virus software running on the laptop immediately identify and stop a year-old virus? I don't know about you, but that sends up lots of red flags to me! It also begs the question of how long this keylogger has actually been resident on the laptop and whether there are other, as yet undetected, rootkits and keyloggers on those machines. Also, what other computers were potentially exposed to these infected machines that this virus could have propagated to? What information has been exposed to theft or compromise, either from the laptops or from other exposed machines on the NASA network? What was done with these laptops once the virus was detected? Were they merely cleaned to the virus scanner's standards (which clearly aren't that high!) or was the computer taken out of commission entirely so that it could be wiped to Department of Defense specifications and re-imaged before it was redeployed?
Obviously there are a lot of unanswered questions in relation to this story, and of course NASA will never make the answers to those questions public, but this certainly calls into question the validity of the security measures employed by one of the most important programs of the 20th and 21st centuries. Where else within the federal government does the potential for similar security breaches exist? Are potential data leakages like this something that the Department of Homeland Security is focused on preventing? If not, they should be! Let's be sure we aren't aiding and abetting the bad guys by giving them the exact information we are looking to protect!
Over the last 24 hours we have seen a large influx of a new email borne malware campaign alleging to be a notification of non-delivery from FedEx.
The email alleges that you sent a package on July 25, but because the recipient's address was incorrect it has not been delivered. It then asks the user to print out a copy of the attached invoice (a .zip file which contains malware) and to collect the package at the FedEx office (the address of the office is not given, which should be one clear indicator that something is fishy about the email).
Sample subject lines that we have seen in our Threat Operations Center include:
You Have A Package!!!
Tracking N <fake tracking number>
Volumes have been pretty high as we have seen over 21M of these fakes hit our systems within the last 24 hours, accounting for about 80% of all of the email borne malware that we have seen over that same period.
It's times like this that we are reminded that although many of the large scale malware campaigns that we now see are hosted on infected web sites, static malware distributed over email is still an active, viable tactic being employed by cyber criminals.
Typically when a new, effective, high volume spam or worm tactic is released into the wild (Paris Hilton Videos, Free World Cup Tickets, Fake News Headlines, etc) the copycats are waiting in the wings and ready to latch onto whatever that tactic is hoping that they might see some success from it as well. This time, however it appears that the people responsible for the CNN Spam outbreak last week (original post here and update here) are now responsible for a new outbreak today alleging to be MSNBC news updates.
Similar to the CNN outbreak from last week these new MSNBC messages are identifiable by a very distinct subject line. All of the messages that we have seen thus far appear to be from "MSNBC Breaking News" and have a subject line that starts with "msnbc.com - BREAKING NEWS:" followed by some fake news headline.
Here are some examples of what we have seen in our Threat Operations Center thus far (and as usual, some that are just bizarre):
msnbc.com - BREAKING NEWS: Americans love law suits for breakfast
msnbc.com - BREAKING NEWS: Bomb scare grounds thousands of flights at UK Heathrow airport
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: I will be suing you
msnbc.com - BREAKING NEWS: Mary-Kate Olsen implicated in Heath Ledger's death
Find out more at http://breakingnews.msnbc.com
=======================================================
See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.
=========================================
This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.
To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
http://www.msnbc.msn.com/id/25384336, select unsubscribe, enter the
email address receiving this message, and click the Go button.
Microsoft Corporation - One Microsoft Way - Redmond, WA 98052
MSN PRIVACY STATEMENT
http://privacy.msn.com (http://privacy.msn.com/)
If a user is tricked into clicking on the breakingnews.msnbc.com link (which doesn't really go to an MSNBC page, but you probably already guessed that), they are presented with a page that looks like this:
This is the same tactic that we saw with the CNN fake news updates from last week as well as with the Porntube malware tactic that we saw back in June (original post here). At this point, you are caught in an endless loop where you either need to kill your browser session or click the OK button, but doing that infects you with the malware.
So far we have seen two variants of these emails. The first links to a file named up.html at the end of the "breakingnews.msnbc.com" URL, which leads to a page that is branded CNN, not MSNBC. This should be an immediate red flag to any user that something is not right. The newer variant, which we started seeing within the past hour, links to msn.html. This page uses the same logo that appears at the top of the real msnbc.com site and will likely look more legitimate to users.
So far volumes have been in the 1.5 to 2 million messages per hour range. Although this is nowhere near the peaks that we saw with the CNN outbreak from last week, it also took 3 days for the CNN spam to reach those volumes. Since we have only been tracking this new variant for about 12 hours, the lower volumes are no indication of what is to come, but just like in movies, the sequel usually isn't as good as the original...
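The two indicators described above (the fixed sender name and subject prefix, and a link that reads as an msnbc.com address but lands somewhere else) are easy to turn into a mail-filter triage rule. The following is an added example, not code from the original post: it parses a raw message, checks the From display name and subject prefix, and compares the visible text of each HTML link against the host its href actually points to. The two sample messages are constructed, and the hosts in them are placeholders rather than indicators from the real campaign; the trusted-suffix list is an assumption built from the msnbc.com and msnbc.msn.com addresses quoted in the sample above.

```python
"""Triage for the fake "MSNBC Breaking News" run described in this post.

Added example; not code from the original post. Two checks: the sender
display name / subject prefix the post describes, and whether an HTML link
whose visible text names an msnbc.com host actually points somewhere else.
Sample messages are constructed; their hosts are placeholders.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SUBJECT_PREFIX = "msnbc.com - BREAKING NEWS:"
SENDER_NAME = "MSNBC Breaking News"
# Assumed legitimate newsletter domains (msnbc.com and msnbc.msn.com appear in the sample).
TRUSTED_SUFFIXES = ("msnbc.com", "msn.com")


def _host(url):
    """Hostname of a URL, lower-cased; empty string if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def _trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


class _Anchors(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_links(html):
    """Return hrefs whose link text claims an MSNBC host but whose target is not one."""
    parser = _Anchors()
    parser.feed(html)
    flagged = []
    for href, text in parser.pairs:
        claimed = _host(text if "://" in text else "http://" + text)
        if _trusted(claimed) and not _trusted(_host(href)):
            flagged.append(href)
    return flagged


def triage(raw_message):
    """Return the reasons a message matches this campaign (empty list = no match)."""
    msg = message_from_string(raw_message)
    reasons = []
    if msg.get("Subject", "").startswith(SUBJECT_PREFIX):
        reasons.append("subject prefix")
    name, addr = parseaddr(msg.get("From", ""))
    if name.strip().lower() == SENDER_NAME.lower() and not _trusted(addr.rpartition("@")[2]):
        reasons.append("sender display name from untrusted domain")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for href in lookalike_links(body):
                reasons.append("lookalike link -> " + href)
    return reasons


# Constructed sample messages (placeholder hosts, not real indicators).
SPAM_SAMPLE = """\
From: MSNBC Breaking News <alerts@news-example.invalid>
Subject: msnbc.com - BREAKING NEWS: Bomb scare grounds thousands of flights at UK Heathrow airport
Content-Type: text/html; charset="us-ascii"

<html><body><p>Find out more at
<a href="http://breakingnews.msnbc.com.example.invalid/msn.html">http://breakingnews.msnbc.com</a></p>
</body></html>
"""

LEGIT_SAMPLE = """\
From: Weekly Digest <digest@newsletter.example.org>
Subject: Your weekly digest
Content-Type: text/html; charset="us-ascii"

<html><body><p>Read it at
<a href="http://newsletter.example.org/issue/12">http://newsletter.example.org</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample))
```

The link check is the durable part: subject lines and sender names change from one run to the next, but a visible URL that does not match its href is the mechanism every one of the fake-news runs on this page relies on.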
Heads up on a new, very high volume Fake CNN News Update spam run that is making the rounds. The subject of the email is "CNN.com Daily Top 10." Our Threat Operations Center has seen over 5 million of these just in the last hour alone and over 80 million in the last 24 hours.
Below is a screen shot of the message.
Over the last few weeks we have been seeing large spam runs of what we are calling single-line spam, where an email contains a brief lure based on a fake news headline such as "US track team disqualified from Olympics" or "Beijing Olympics postponed indefinitely" followed by a link. The link leads to a web site offering a "video codec" (er, malware) that the user is prompted to download in order to view the online video.
The tactic being used here is similar to the Porntube malware that we saw back in June (click here for the original Porntube blog post), where the user is prompted to download the video codec when the page initially loads. If the user clicks "Cancel" to decline the codec, another popup is presented telling the user that they have to download the codec to view the video. This endless loop continues until the user kills their browser session at the operating system level or installs the "codec."
This new CNN tactic is likely to be more successful than the single-line spam tactic that we had been seeing over the past several weeks, as this message looks like it could be a news update email sent by CNN. The message also attempts to trick the user into believing that they signed up to receive it through their email preference settings at the CNN web site. If you see this message come into your inbox, delete it immediately.
According to a recent study done on email addiction, Denver is the ninth most email addicted city in the United States (click here for more info and for the other cities in the top 10. BTW, I LOVE the picture on the top of that linked page. Even if you don't care about the list, go for the picture. It's worth it!).
This is not surprising considering the technical culture that exists in and around Denver and I would say its ranking is about right in comparison with the other cities. My biggest surprise was Detroit. I have never been to Detroit, but it has never struck me as a tech-centric city so I am surprised that one is on the list. You could easily win an argument with me on that point though since I really have no personal experience of the city to speak of.
As I sit here in the San Jose airport, I see a number of people checking email on their laptops and on BlackBerries (this is San Jose! Where are the iPhones?!). People who are addicted to email need effective email filtering to keep all of the junk off of their mobile devices and out of their inboxes. As more and more malware is developed for mobile devices, and as more and more personal information is stored on those devices, that need will only continue to increase.
This list will definitely be making it over to our sales folks :)
Of course it is appropriate that on the same day we write about the author of fast flux pleading guilty to a felony that we see another Storm Worm variant come out. Granted, new Storm Worm variants are nothing new. They come out all the time. I figured I would send out some red flags on this one because as of the time of this writing AV identification of this new variant is less than 10%.
The lure is your typical one-liner type of email which has a love lure in the message body such as "I Want You, I Need You, I Love You" or "You are in my heart" followed by a link to a web site that serves up two executables (both linked to Storm).
This is a screen shot of what the site looks like:
Clicking on the banner at the top of the page attempts to download a file named winner.exe. Clicking the "Click Here" link attempts to download mylove.exe.
Here are the virustotal.com results for winner.exe and mylove.exe:
Antivirus | Version | Last Update | Result
AhnLab-V3 | 2008.7.1.0 | 2008.06.30 | -
AntiVir | 7.8.0.59 | 2008.06.30 | -
Authentium | 5.1.0.4 | 2008.06.29 | -
Avast | 4.8.1195.0 | 2008.06.30 | -
AVG | 7.5.0.516 | 2008.06.30 | -
BitDefender | 7.2 | 2008.06.30 | -
CAT-QuickHeal | 9.50 | 2008.06.30 | -
ClamAV | 0.93.1 | 2008.07.01 | -
DrWeb | 4.44.0.09170 | 2008.06.30 | -
eSafe | 7.0.17.0 | 2008.06.30 | Suspicious File
eTrust-Vet | 31.6.5914 | 2008.06.30 | -
Ewido | 4.0 | 2008.06.27 | -
F-Prot | 4.4.4.56 | 2008.06.29 | -
F-Secure | 7.60.13501.0 | 2008.06.26 | -
Fortinet | 3.14.0.0 | 2008.07.01 | -
GData | 2.0.7306.1023 | 2008.06.30 | -
Ikarus | T3.1.1.26.0 | 2008.06.30 | -
Kaspersky | 7.0.0.125 | 2008.07.01 | -
McAfee | 5328 | 2008.06.30 | -
Microsoft | 1.3704 | 2008.07.01 | -
NOD32v2 | 3229 | 2008.06.30 | -
Norman | 5.80.02 | 2008.06.30 | -
Panda | 9.0.0.4 | 2008.07.01 | Suspicious file
Prevx1 | V2 | 2008.07.01 | -
Rising | 20.51.02.00 | 2008.06.30 | -
Sophos | 4.30.0 | 2008.07.01 | -
Sunbelt | 3.1.1509.1 | 2008.06.30 | -
Symantec | 10 | 2008.07.01 | -
TheHacker | 6.2.96.365 | 2008.07.01 | -
TrendMicro | 8.700.0.1004 | 2008.06.30 | -
VBA32 | 3.12.6.8 | 2008.06.30 | -
VirusBuster | 4.5.11.0 | 2008.06.30 | -
Webwasher-Gateway | 6.6.2 | 2008.06.30 | -

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2008.7.1.0 | 2008.06.30 | -
AntiVir | 7.8.0.59 | 2008.06.30 | -
Authentium | 5.1.0.4 | 2008.06.29 | -
Avast | 4.8.1195.0 | 2008.06.30 | -
AVG | 7.5.0.516 | 2008.06.30 | -
BitDefender | 7.2 | 2008.06.30 | Trojan.Peed.JLV
CAT-QuickHeal | 9.50 | 2008.06.30 | -
ClamAV | 0.93.1 | 2008.07.01 | -
DrWeb | 4.44.0.09170 | 2008.06.30 | -
eSafe | 7.0.17.0 | 2008.06.30 | Suspicious File
eTrust-Vet | 31.6.5914 | 2008.06.30 | -
Ewido | 4.0 | 2008.06.27 | -
F-Prot | 4.4.4.56 | 2008.06.29 | -
F-Secure | 7.60.13501.0 | 2008.06.26 | -
Fortinet | 3.14.0.0 | 2008.07.01 | -
GData | 2.0.7306.1023 | 2008.06.30 | -
Ikarus | T3.1.1.26.0 | 2008.06.30 | Email-Worm.Win32.Zhelatin.zy
Kaspersky | 7.0.0.125 | 2008.07.01 | -
McAfee | 5328 | 2008.06.30 | -
Microsoft | 1.3704 | 2008.07.01 | -
NOD32v2 | 3229 | 2008.06.30 | -
Norman | 5.80.02 | 2008.06.30 | -
Panda | 9.0.0.4 | 2008.07.01 | -
Prevx1 | V2 | 2008.07.01 | -
Rising | 20.51.02.00 | 2008.06.30 | -
Sophos | 4.30.0 | 2008.07.01 | -
Sunbelt | 3.1.1509.1 | 2008.06.30 | -
Symantec | 10 | 2008.07.01 | -
TheHacker | 6.2.96.365 | 2008.07.01 | -
TrendMicro | 8.700.0.1004 | 2008.06.30 | -
VBA32 | 3.12.6.8 | 2008.06.30 | -
VirusBuster | 4.5.11.0 | 2008.06.30 | -
Webwasher-Gateway | 6.6.2 | 2008.06.30 | -
So, as you can see, AV pickup so far has been non-existent although I am sure it will pick up soon. The IPs that are hosting the infected URLs are being rotated using fast flux. In just the 15 minutes that I have been monitoring some of the sites they have already changed IPs several times.
This is not likely to be the only time this week that we hear from Storm. Last year during the July 4th holiday is when we started to see the big fake e-card Storm surge. Although most people are used to seeing these by now, they always manage to be popular social engineering lures nonetheless.
Expect to see some revisit of Storm sometime later this week. It might not be e-cards, but in following with Storm's tradition of releasing new variants on or near holidays, I would be very surprised if a Storm weren't already brewing.
Jason Michael Milmont, the author of the Nugache worm, and the creator of what came to be known as "Fast Flux" has plead guilty to one count of unlawfully accessing computers, a felony, in a Wyoming federal court.
Fast Flux is an abuse of the domain name system (DNS) by which botnets will continually rotate the IP addresses associated with a malware infected web site to evade detection and forensic analysis. This constant mobility makes the botnet very difficult to shut down.
There is also an evasion tactic called "Double Flux" which is similar to Fast Flux in that it will not only rotate a domain's responding IP addresses, but also that domain's authoritative name servers. The reason that it is called "Fast" flux is because these IP addresses will rotate as often as every couple of minutes.
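The IP rotation described in the Storm post above (several address changes in 15 minutes) and the fast flux / double flux definitions here are what a resolver log or passive-DNS feed lets a defender measure directly. The following is an added example, not code from the original post or from any product: it takes a list of recorded DNS observations (time, name, record type, TTL, answer set), counts how often the A and NS answer sets change between polls, and labels each name. The thresholds, the /16 grouping and the polling log are all constructed for illustration; the domain names and addresses are placeholders from documentation ranges.

```python
"""Fast-flux and double-flux churn heuristics over recorded DNS answers.

Added example, not from the original post. No live resolution is done: the
input is a list of observations such as a passive-DNS sensor or a periodic
resolver log would produce. The log below is constructed; names and
addresses are placeholders.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int             # seconds since epoch
    name: str           # queried domain
    rtype: str          # "A" or "NS"
    ttl: int            # TTL returned with the answer, in seconds
    answers: frozenset  # the full answer set seen at that poll


def _prefix16(ip):
    """Collapse an IPv4 address to its /16 so unrelated networks can be counted."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def summarize(observations):
    """Per (name, rtype): distinct answers, answer-set changes between consecutive
    polls, minimum TTL, and for A records the number of distinct /16 prefixes."""
    groups = defaultdict(list)
    for o in sorted(observations, key=lambda o: o.ts):
        groups[(o.name, o.rtype)].append(o)
    summary = {}
    for (name, rtype), obs in groups.items():
        distinct = set().union(*(o.answers for o in obs))
        summary[(name, rtype)] = {
            "polls": len(obs),
            "distinct": len(distinct),
            "changes": sum(1 for a, b in zip(obs, obs[1:]) if a.answers != b.answers),
            "min_ttl": min(o.ttl for o in obs),
            "prefixes": len({_prefix16(ip) for ip in distinct}) if rtype == "A" else None,
        }
    return summary


def classify(observations, max_ttl=300, min_changes=2, min_prefixes=3):
    """Label each name "double flux", "fast flux" or "stable".

    Fast flux: short TTLs, the A answer set changed on at least min_changes polls,
    and the addresses span at least min_prefixes unrelated /16s (a round-robin farm
    inside one network block does not qualify). Double flux: NS records churn too."""
    summary = summarize(observations)
    verdicts = {}
    for name in {name for name, _ in summary}:
        a, ns = summary.get((name, "A")), summary.get((name, "NS"))
        a_flux = bool(a) and (a["min_ttl"] <= max_ttl and a["changes"] >= min_changes
                              and a["prefixes"] >= min_prefixes)
        ns_flux = bool(ns) and ns["changes"] >= min_changes
        verdicts[name] = "double flux" if a_flux and ns_flux else "fast flux" if a_flux else "stable"
    return verdicts


def _obs(ts, name, rtype, ttl, *answers):
    return Observation(ts, name, rtype, ttl, frozenset(answers))


# Constructed polling log (documentation address ranges, placeholder names).
SAMPLE_LOG = [
    # flux.example: a new address in a different network every poll; NS moves with it.
    _obs(0, "flux.example", "A", 120, "192.0.2.10"),
    _obs(120, "flux.example", "A", 120, "198.51.100.20"),
    _obs(240, "flux.example", "A", 120, "203.0.113.30"),
    _obs(360, "flux.example", "A", 120, "192.0.2.44"),
    _obs(0, "flux.example", "NS", 120, "ns.192-0-2-10.example"),
    _obs(120, "flux.example", "NS", 120, "ns.198-51-100-20.example"),
    _obs(240, "flux.example", "NS", 120, "ns.203-0-113-30.example"),
    # single.example: addresses rotate across networks, NS records hold still.
    _obs(0, "single.example", "A", 60, "192.0.2.5"),
    _obs(60, "single.example", "A", 60, "198.51.100.5"),
    _obs(120, "single.example", "A", 60, "203.0.113.5"),
    _obs(0, "single.example", "NS", 86400, "ns1.single.example"),
    _obs(120, "single.example", "NS", 86400, "ns1.single.example"),
    # cdn.example: short TTL and rotating addresses, but all inside one /16.
    _obs(0, "cdn.example", "A", 60, "198.51.100.1", "198.51.100.2"),
    _obs(60, "cdn.example", "A", 60, "198.51.100.3", "198.51.100.4"),
    _obs(120, "cdn.example", "A", 60, "198.51.100.5", "198.51.100.6"),
    _obs(0, "cdn.example", "NS", 86400, "ns1.cdn.example", "ns2.cdn.example"),
    # stable.example: one address, long TTL.
    _obs(0, "stable.example", "A", 3600, "192.0.2.80"),
    _obs(3600, "stable.example", "A", 3600, "192.0.2.80"),
    _obs(0, "stable.example", "NS", 86400, "ns1.stable.example"),
]

if __name__ == "__main__":
    for name, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{name:16} {verdict}")
```

The prefix test is the part worth keeping: content-delivery networks and round-robin load balancers also hand out short TTLs and rotating addresses, so TTL and churn alone produce false positives; addresses scattered across unrelated networks (compromised home machines, in the Storm case) are what separates a flux network from a server farm.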
The Nugache worm was used to launch distributed denial of service (DDoS) attacks as well as to steal personal information, such as credit card numbers, from the computers it infected. It has been estimated that Milmont controlled as many as 15,000 computers on his botnet.
Under the terms of his deal Milmont has agreed to pay approximately $74,000 in damages and faces up to five years in federal prison.
In my opinion, this story is only significant because of Milmont's contribution to the botnet community with how his Nugache worm used peer-to-peer networking technology and fast flux in order to create a fully redundant, interconnected network to prevent his botnet from easily being shut down. The size of the Nugache botnet (about 15,000 computers) pales in comparison to some of the botnets that we are seeing today, but the work done by Milmont paved the way for worms like Storm which heavily relied on fast flux to stay alive.
We are currently seeing high volumes of a new spam run that contains a link to a pornographic web site hosting an ActiveX malware component. Our Threat Operations Center started seeing these messages at about 6am today, and thus far we have received over 8 million of them (accounting for over 85% of our worm traffic over the past 24 hours). From what we can tell thus far, the malware appears to be related to the Srizbi botnet.
There is no specific lure here as the subject lines to these messages are fairly random, but are trying to generate interest based on fake news stories. Here are some example subject lines that we have seen so far:
Batman latest movie bombs at box office
Britney found hanged in locker room
Celtics disqualified from NBA title
China Earthquake claims 1 million lives
Dan Brown's latest novel
David Cook American Idol - latest NEW single
Donald Trump missing, feared kidnapped
Egypt Giza pyramids rocked by massive earthquake
Eiffel Tower damaged by massive earthquake
Eiffel Tower suffers structural damage, collapse possible
Find out about Harry Potter's last novel
Ford unveils latest 2 door design hatch
Get Smart -- movie premiere
Get star wars photos
Get the latest discount plan from Ford Cars
Great Wall of China damaged by earthquake
Hiliary admits past failures
Hillary Clinton reveals husband's scandal secrets
Italy knocked out of Euro 2008
Las Vegas Hotel caught in fire
Lastest! Obama quits presidential race
London rocked by gas attack, army on high alert
Love Guru sneak previews here
Man wakes up from 40 year coma
Nokia unveils revolutionary new phone design
Obama suffers setback in polls due to sex secrets
Obama withdraws from elections
Oprah found sleeping the streets
Osama Bin Laden caught finally
Paris Hilton found to be gay
Saddam Hussein found dead
Star Trek star dies at age 79
Statue of Liberty struck by lightning, catches fire
Stonehenge damaged by massive earthquake
Top 10 movies of all time
Top comedy downloads
Top film from the Cannes
Turner Empire poised for bankruptcy file
Usher and Rihanna making out
Watch movie premieres now
White House hit by lightning, catches fire
Windows Vista URGENT upgrade installation
The messages themselves are one-liners followed by a link to a YouTube look-alike site called PornTube, where the user is prompted to install a malicious ActiveX control. Most of the links that we have seen thus far point to a file named r.html at the end of the URL, such as the following (obfuscated since most are still hosting active malware at the time of this posting):
hxxp://envol-restaurant.com/r.html
hxxp://spizarnia.nazwa.pl/r.html
hxxp://wandea1.wandea.org.pl/r.html
Upon visiting these sites you will see the PornTube site in the background and you get the following popup window:
If you click OK, the ActiveX control is installed and your PC is infected, however clicking the Cancel button displays this popup:
At this point you can get yourself into an endless loop of clicking the OK button on this window and the Cancel button on the previous window. The only way out of this (in Windows) is to kill your browser window via the Task Manager (or infect yourself, but let's assume that you don't really want to do that :) ).
Keep on the lookout for these as they are currently being distributed in fairly high volumes.
*** UPDATE 6/20/2008 12:00pm MDT *** After volumes peaking at about one million instances of this worm being seen per hour, as of early this morning it has dropped off to only about 5 thousand per hour. Looks like this one hit quick and is now tailing off.
Starting yesterday (June 18th) we began seeing evidence of a new Storm Worm variant claiming news of a new Earthquake in China.
Some of the subject lines associated with these messages include:
2008 Olympic Games are under the threat
A new powerful disaster in China
A new deadly catastrophe in China
China is paralyzed by new earthquake
China's most deadly earthquake
Chinese people are horrified by new earthquake
Countless victims of earthquake in China
Deadly catastrophe in Chinese capital
Death toll in China exceeds 1000000
Death toll in China is growing
Earth tremors in China is going on
Recent earthquake in china took a heavy toll
Recent china earthquake kills million
Terrible earthquake devastated Beijing
The capital of China were collapsed by earthquake
The most powerful quake hits China
Toll mounts in China earthquake
Unprecedented earthquake in China
This is a pretty typical tactic for Storm: ride the wave of current events as a social engineering lure to get users to click on links in emails. This variant primarily targets the Chinese earthquakes, but there is also a mention of the Beijing Olympics, stating that the Olympics will be "under the threat."
If a user clicks the link within one of these emails, they are not immediately infected with Storm. They will be directed to a web site (all of the ones that we have seen so far have a .cn TLD) that looks like this:
It is important to note that this is not a real video player, but clicking the player will launch a file named beijing.exe which will infect your PC.
Volume of this variant is pretty low. We are currently seeing on the order of about 900 per hour in our Threat Operations Center. Expect to see similar stories of this nature threatening the safety of the Olympics as well as its participants and visitors as the event gets closer.
According to this article posted on CSO Online, a security researcher named Sebastian Muniz has created a rootkit that will work on "several different versions of IOS."
One of the concepts that I have been throwing out there since we originally started talking about drive-by pharming (aka the DNS rebinding attack) is the potential for similar vulnerabilities to be exploited to move malware infections out closer to the network edge and create a "router bot", whereby a compromised router could be used to distribute spam, viruses, and malware much as PCs are used today. This would be even more difficult to detect than a PC-based malware infection, however, as I do not believe that any network-device-based rootkit/malware detection engines even exist right now (please do correct me if I am wrong here), although this may certainly create a market for them. Would you be able to easily detect that your router was being used to distribute spam if it wasn't affecting your web browsing or normal internet usage? Not likely.
One of the things that concerned me from the article was the quote from EuSecWest conference organizer Dragos Ruiu where he said that "nobody thought you could actually build exploits for Cisco." This is a dangerous attitude to have for any software application. I like to say "Where there is software, there are vulnerabilities." This is often followed by "Where there are vulnerabilities, there are exploits" although far more vulnerabilities exist than there are exploits written for them.
One should never assume that software is hacker-proof. It very well may be (however unlikely), but even making the assumption or suggestion is when you've conceded that your guard has been let down. Always remain diligent in your pursuit of security!
Ok, I'll step off my soapbox now. Have a great weekend!
Please be on the lookout for yet another government agency tax scam making the rounds today; this one not spoofing the IRS, but rather the US Tax Court.
Here is an elided sample that has been received by our Threat Operations Center:
UNITED STATES TAX COURT
WASHINGTON, DC 20217
Docket No. 622-555. Filed May, 2008.
COMMISSIONER OF INTERNAL REVENUE
Petitioner.
v.
EXECUTIVE NAME HERE
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE
Respondent.
PETITION
The Petitioner hereby petitions for a redetermination of forth by the Commissioner of Internal Revenue in his notice of deficiency (AP:FE:BOS:JHK) dated May 4, 2008
This matter is before the Court on respondent.s Motion for Summary Judgment, filed May 10, 2006, and respondent.s Motion for Penalty under I.R.C. Section 6673, also filed May 10, 2006. As motions, without prejudice, and remand this case to respondent.s Office of Appeals.
Respectfully submitted,
Bennett H. Klein
Tax Court Bar No KB0214
400 Second Street, N.W.,
Washington, D.C. 20217.
The link in the above sample goes to a web page hosted at the domain us-tax.org, which was registered just 4 days ago, on May 8th. Based on the format of the scam URL in the above message, this looks very much like some of the other recent executive-targeted scams that we have seen lately (like the US District Court scam that I also blogged about). It would not surprise me if the same group is behind both.
*** UPDATE 5/12/2008 12:40pm MDT *** We are currently seeing these whaling scams hit our systems at the rate of about 150 per hour. Very low volumes in an attempt to fly under the radar as much as possible.
We're seeing a new Google Spam run with a malware component making the rounds, where the subject line of the message alleges that one of the more popular news agencies has released a Special Report about a new video from Osama bin Laden. Volume is currently less than 1% of total inbound virus traffic, so it is pretty low, but this is yet another abuse of the Google PageRank system in an attempt to deliver malware.
Some of the subject lines that we have seen include:
Special issue of news from CNN! Urgent Fresh News Usama Ben Laden!
Special issue of news from CNBC! Urgent Fresh News Usama Ben Laden!
Special issue of news from Financial Times! Urgent Shocking News Usama Ben Laden!
Special issue of news from CNN! Urgent Apocalyptic News Usama Ben Laden!
Special issue of news from Bloomberg! Urgent Fresh News Usama Ben Laden!
You can see a fairly common theme here.
The email itself is somewhat lengthy and mostly discusses the tragedies that bin Laden has orchestrated against targets around the world. The most pertinent parts of the message appear at the top (as usual, many grammatical errors exist throughout the message):
Special issue of news from Reuters! Urgent Dangerous News!
Usama bin Laden(Osama bin Laden) one of the largest organizers of terrorist
activity, and similarly the largest leaders of terrorist organization of Al
Kaeda, detained American soldiery force in Iraq.
This particular sample was taken from a message whose subject says that the news update is from CNN, so you can see that the news agency named in the subject line is not necessarily consistent with the message body. If the link in the message is followed, it directs the user to a page from which they download a file named videousa.exe, which contains the malware.
Also, as of the time of this posting the link to hxxp://cavelldemar.org/news_usa.php (domain registered in Spain) is still active and AV identification is spotty:
Antivirus | Version | Last Update | Result
AhnLab-V3 | 2008.4.22.0 | 2008.04.21 | Win-Trojan/Agent.77824.DX
AntiVir | 7.8.0.8 | 2008.04.21 | TR/Crypt.XPACK.Gen
Authentium | 4.93.8 | 2008.04.20 | -
Avast | 4.8.1169.0 | 2008.04.21 | -
AVG | 7.5.0.516 | 2008.04.21 | Downloader.Zlob.12.AH
BitDefender | 7.2 | 2008.04.21 | -
CAT-QuickHeal | 9.50 | 2008.04.19 | (Suspicious) - DNAScan
ClamAV | 0.92.1 | 2008.04.21 | -
DrWeb | 4.44.0.09170 | 2008.04.21 | -
eSafe | 7.0.15.0 | 2008.04.17 | Suspicious File
eTrust-Vet | 31.3.5720 | 2008.04.21 | -
Ewido | 4.0 | 2008.04.21 | Backdoor.Agent.gxg
F-Prot | 4.4.2.54 | 2008.04.20 | -
F-Secure | 6.70.13260.0 | 2008.04.21 | Backdoor.Win32.Agent.gxg
FileAdvisor | 1 | 2008.04.21 | -
Fortinet | 3.14.0.0 | 2008.04.21 | -
Ikarus | T3.1.1.26 | 2008.04.21 | Trojan.Win32.Revelation
Kaspersky | 7.0.0.125 | 2008.04.21 | Backdoor.Win32.Agent.gxg
McAfee | 5277 | 2008.04.18 | -
Microsoft | 1.3408 | 2008.04.21 | TrojanDropper:Win32/Nuwar.gen!lds
NOD32v2 | 3043 | 2008.04.21 | -
Norman | 5.80.02 | 2008.04.18 | -
Panda | 9.0.0.4 | 2008.04.20 | -
Prevx1 | V2 | 2008.04.21 | -
Rising | 20.41.02.00 | 2008.04.21 | -
Sophos | 4.28.0 | 2008.04.21 | Mal/Generic-A
Sunbelt | 3.0.1056.0 | 2008.04.17 | -
Symantec | 10 | 2008.04.21 | -
TheHacker | 6.2.92.285 | 2008.04.19 | -
VBA32 | 3.12.6.4 | 2008.04.16 | Trojan.Win32.Revelation
VirusBuster | 4.3.26:9 | 2008.04.21 | -
Webwasher-Gateway | 6.6.2 | 2008.04.21 | Trojan.Crypt.XPACK.Gen
Fake video downloads and updates have been a pretty common theme for the Storm Worm folks for quite some time now. This "news story" social engineering tactic is what Storm originally used to get most people infected back in January, 2007, so many people have already "been there, done that" which is likely why infection rates are staying pretty low.
It looks like the folks who were spoofing government agencies and targeting C-level executives are at it again; this time spoofing the U.S. District Court.
If you recall, starting around the end of May, 2007 we started to see a month-and-a-half-long wave of messages targeted at C-level executives that carried a keylogger payload and used fake complaints against the executive's company as a lure to get them to infect themselves. This tactic was, unfortunately, very successful, which is why it hung around for as long as it did. These spoofs used an effective social engineering tactic that included both the name of the person receiving the scam and the name of their company. This fooled many into believing that the message was indeed legitimate, because it didn't carry the earmarks of the generic scams that are blasted out en masse.
This new scam follows this same basic social engineering tactic except it takes it one step further in that it also includes the phone number of the company being targeted. This is just another way that the scammers are attempting to establish legitimacy with their intended target since it doesn't look like your everyday, run of the mill type of spam.
Because this type of attack targets C-level executives, the technique is called "whaling": the scammers are trying to get the largest fish that they can on the hook, people who are generally more affluent and stand to lose more, both personally and professionally.
Below is an example of one of these messages (Some personal information has been redacted):
AO 88(Rev.11/94) Subpoena in a Civil Case
________________________________
Issued by the
UNITED STATES DISTRICT COURT
________________________________
Issued to: XXXXXXXXXXXXXXXXXXX
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE
SUBPOENA IN A CIVIL CASE
Case number: 91-201-NKE
United States District Court
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specifiied below.
________________________________
Place:United States Courthouse
880 Front Street
San Diego, California92101
Room: Grand Jury Room
room 5217
Date and Time: May 7,2008
9:00 a.m. PST
Issuing officers name and address: O'Mevely & Meyers LLP; 400 South Hope Street, Los Angeles, CA90071
________________________________
Please download the entire document on this matter(follow this link) and print it for your record. <hxxp://cacd-uscourts.com/ViewCase.php?case=91-201-NKE>
This subpoena shall remain in effect until you are granted leave to depart by the court or by an officer on behalf of the court.
Any organisation not a party to this suit thas is subponaed for the taking of a deposition shall designate one or more offcers, directors, or managing agents, or other persons to testify on its behalf, and may set forth, for each person designated, the matters on wich the person will testify. Federal Rules of Civil Procedures,20(b)(6).
Failure to appear at the time and place indicated may result in a contempt of court citation. Bring this subpoena with you to the courtroom and oresent it to the bailiff. Direct any questions to the person requesting you to appear: City Prosecutor.
You'll notice a few spelling errors, which are your typical dead giveaway that something isn't quite right here (of course, the US District Court trying to communicate with you via email, which it never does, should have been the first one). They also went to the trouble of registering a new domain, cacd-uscourts.com.
Here is where it gets funny:
-- cacd-uscourts.com is the domain used. If this were really a government domain, would it have a .gov TLD?
-- This domain was registered two days ago to someone named Michael Rice who lives in the U.K.
-- Registration for the domain was done by a company named WEB4AFRICA
It's been a while since we have seen this type of scam outside of the IRS spoofs that we have been seeing in accordance with tax season so I am sure it will get its share of victims. No solid information yet on whether these new phish are being sent to the same C-level execs who were targets of last year's scams. More information to come as it becomes available.
**** UPDATE 1 (4/15/2008 12:00pm MDT): We are still seeing these emails hitting our system at a rate of about 30 per hour. Obviously very low overall volume, but that speaks to the precision of the targeting being used. The highest hour that we have seen so far today was the 10am hour where we saw 50, and we basically saw none between midnight and 7am. It appears that the cacd-uscourts.com domain that was hosting the malware yesterday has had its registration suspended by WEB4AFRICA. The web site is no longer accessible.
Never to rest on their laurels, the Storm Worm gang brings us yet another new twist in how they are trying to get you to infect your PC.
This new Storm variant follows in the footsteps of the Google Spam with a purported video download that I blogged about on April 3rd except that Storm is trying to convince you that you want to view a new music video that has just been released.
Here is an example of one of the messages that came into our Threat Operations Center:
Eagles just made a new video. See it here before it releases. Cut and
paste the link in your browser to get the video:
hxxp://zbrkfdxd[deleted].blogspot.com
All of the examples that we have seen thus far have been random subdomains off of blogspot.com, a popular, free blog hosting site. When the link in the email is clicked you are immediately redirected to hxxp://giftapplys.cn (registered on April 8th) which serves up the below page:
Both the fake video player and the "Download it" link point to the malware download. Interestingly enough, the video player points to a file named StormCodec.exe and the Download It link points to a file named StormCodec8.exe. These files have the same MD5 checksum (2f16017932e729b8a9f1f5c07eec9b99), however, so despite their different names they are actually the same file.
We've only seen about 50,000 of these messages over the last 24 hours (I say "only" because many Storm Worm variants are in the millions within their first day) so this tactic isn't too popular at the moment, but is new and different from previous tactics so is definitely something to keep on the lookout for.
Yet another new twist in the never ending array of Google Spam that we have been seeing over the past 2 months. The sample that just hit our spamtraps within the last hour has a bit of a new twist to it.
When I first opened this message I thought "Neat! Google video spam!" It wasn't until I looked at the source code of the message that I realized that this was just another link to malware redirecting through Google with a fake video as the lure.
Here is a screenshot of the spam:
Clicking any of the links downloads a file named video_codec-v2.12.384.exe.
So far AV pickup is pretty spotty (stats courtesy of Virustotal):
Antivirus | Version | Last Update | Result
AhnLab-V3 | - | - | -
AntiVir | - | - | TR/Dropper.Gen
Authentium | - | - | -
Avast | - | - | Win32:Agent-GPS
AVG | - | - | -
BitDefender | - | - | DeepScan:Generic.Malware.FBldld.D22058AD
CAT-QuickHeal | - | - | -
ClamAV | - | - | -
DrWeb | - | - | -
eSafe | - | - | suspicious Trojan/Worm
eTrust-Vet | - | - | -
Ewido | - | - | -
FileAdvisor | - | - | -
Fortinet | - | - | -
F-Prot | - | - | W32/Agent.Q.gen!Eldorado
F-Secure | - | - | Suspicious:W32/Malware!Gemini
Ikarus | - | - | Virus.Win32.Agent.GPS
Kaspersky | - | - | -
McAfee | - | - | Proxy-Agent.af.dr
Microsoft | - | - | Trojan:Win32/Danmec.gen!A
NOD32v2 | - | - | a variant of Win32/Agent.NEQ
Norman | - | - | -
Panda | - | - | -
Prevx1 | - | - | Heuristic: Suspicious File With Bad Child Associations
Rising | - | - | -
Sophos | - | - | Troj/Bdoor-AJR
Symantec | - | - | -
TheHacker | - | - | -
VBA32 | - | - | suspected of Trojan-PSW.Pinch.12 (paranoid heuristics)
How does this happen? This is typically a by-product of PCs that are used for things that are outside their intended business purpose. For example, if a computer's primary business function is to load software onto a digital picture frame or to test the ability of a computer to connect to and transfer files to the frame, then those should be the only parameters by which that machine is used. It should not be used to plug in external USB drives, download videos and music off of the internet, or to surf porn sites. Any of these activities are vectors of unnecessary risk and could end up infecting the PC with malware which will subsequently get passed onto other devices.
As the line between what is known as a PC and what actually runs the same type of software as your PC continues to blur, you can expect to see more of these types of incidents. This is unfortunate because, as we have become more dependent on technology in our everyday lives and as the devices that we use have become more advanced, our level of confidence in those devices to function in a safe, secure, stable manner has declined significantly. These sorts of compromises represent one of the biggest new threats to corporate networks and will be another avenue used more prevalently by cyber criminals to steal sensitive, confidential, and personal information as malware continues its evolutionary process.
Just had this come across one of our honeypots a few minutes ago: Google spam linking to an infected executable file.
So far AV detection is pretty spotty, and of the ones that are identifying it, it is typically falling under the "generic detection" categories.
Antivirus | Version | Last Update | Result
AhnLab-V3 | - | - | -
AntiVir | - | - | TR/Crypt.XPACK.Gen
Authentium | - | - | -
Avast | - | - | -
AVG | - | - | Generic10.BID
BitDefender | - | - | MemScan:Trojan.Downloader.Exchanger.C
CAT-QuickHeal | - | - | (Suspicious) - DNAScan
ClamAV | - | - | -
DrWeb | - | - | -
eSafe | - | - | Suspicious File
eTrust-Vet | - | - | -
Ewido | - | - | -
FileAdvisor | - | - | -
Fortinet | - | - | W32/Tibs.WA!tr.dldr
F-Prot | - | - | W32/Tibs.K.gen!Eldorado
F-Secure | - | - | Trojan-Downloader.Win32.Agent.ljx
Ikarus | - | - | Trojan-Downloader.Win32.Agent.ljx
Kaspersky | - | - | Trojan-Downloader.Win32.Agent.ljx
McAfee | - | - | -
Microsoft | - | - | -
NOD32v2 | - | - | Win32/Agent.ETH
Norman | - | - | -
Panda | - | - | -
Prevx1 | - | - | Trojan.Downloader
Rising | - | - | -
Sophos | - | - | Troj/Exchan-B
Sunbelt | - | - | -
Symantec | - | - | -
TheHacker | - | - | -
VBA32 | - | - | suspected of Downloader.Zlob.8
VirusBuster | - | - | Trojan.Zlob.GMQ
Webwasher-Gateway | - | - | Trojan.Crypt.XPACK.Gen
The spam itself has a porn twist to it (as opposed to the health and pill related spam that we usually see). The sample that landed in our honeypot has a subject of "Rihanna Exposed" and a short message body reading "Download and Watch", which is a link to the malware (abusing Google's click-tracking redirector, with the real destination carried in the adurl parameter) at http://www.google.com/pagead/iclk?sa=l&ai=HvlJeh&num=33195&adurl=http://REDACTED.pl/video.exe (destination redacted since the site is still hosting live malware).
Over the last few weeks we have seen a significant increase in what is known as Google spam in the Threat Operations Center, sometimes peaking at almost 5% of our overall spam volume.
Google spam is spam that abuses Google's PageRank system by artificially inflating the ranking of a spam site. Once the site ranks at the top of Google's results for certain keywords, spam blasts go out carrying URLs that query those keywords and emulate the "I'm Feeling Lucky" button, which automatically redirects the user to the query's top-ranked site. The link in the message therefore points at google.com rather than at the spam site, which is the whole point: a trusted domain gets past URL reputation checks and past the reader's suspicion.
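The following added example (my code, not part of the original post) decodes the two redirector shapes described here: the pagead/iclk click tracker, whose adurl parameter carries the real destination as in the Rihanna sample above, and a search URL that emulates the "I'm Feeling Lucky" button. The btnI parameter name and the google.com host list are assumptions drawn from Google's public search interface, not from the post; the sample message body is constructed and its destination host is a placeholder.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Added example, not code from the original post. GOOGLE_HOSTS and the btnI
# parameter name are assumptions about Google's public search interface.
GOOGLE_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def _is_google(host):
    host = (host or "").lower()
    return host in GOOGLE_HOSTS or host.endswith(".google.com")


def classify_google_link(url):
    """Classify one URL.

    Returns None for anything that is not a Google redirector, otherwise a
    (kind, target) pair:
      ("redirect", <destination URL>)  for /pagead/iclk?...&adurl=<dest>
      ("feeling_lucky", <query>)       for /search?q=<query>&btnI=...
    """
    p = urlparse(url)
    if not _is_google(p.hostname):
        return None
    qs = parse_qs(p.query, keep_blank_values=True)
    if p.path == "/pagead/iclk" and qs.get("adurl"):
        # Spammers often leave adurl unencoded, as in the post's sample;
        # unquote() is a no-op then and decodes a %-encoded value otherwise.
        return ("redirect", unquote(qs["adurl"][0]))
    if p.path == "/search" and "btnI" in qs and qs.get("q"):
        return ("feeling_lucky", qs["q"][0])
    return None


def suspicious_links(body):
    """Scan a message body and return (url, kind, target, reasons) for every
    Google redirector link found in it."""
    findings = []
    for url in URL_RE.findall(body):
        verdict = classify_google_link(url)
        if verdict is None:
            continue
        kind, target = verdict
        reasons = ["google redirector in mail body"]
        if kind == "redirect":
            dest = urlparse(target)
            if not _is_google(dest.hostname):
                reasons.append("redirects off-Google to %s" % (dest.hostname or "?"))
            if dest.path.lower().endswith(EXEC_SUFFIXES):
                reasons.append("destination is an executable")
        else:
            reasons.append("emulates I'm Feeling Lucky (top result is attacker-chosen)")
        findings.append((url, kind, target, reasons))
    return findings


# Constructed sample modelled on the post's "Rihanna Exposed" message; the
# destination host is a placeholder, not the real one.
SAMPLE_BODY = (
    "Download and Watch "
    "http://www.google.com/pagead/iclk?sa=l&ai=HvlJeh&num=33195"
    "&adurl=http://redacted.invalid/video.exe"
)

if __name__ == "__main__":
    for url, kind, target, reasons in suspicious_links(SAMPLE_BODY):
        print(kind, target, "; ".join(reasons))
```

In a gateway, feed suspicious_links() each text or HTML part and act on "redirects off-Google" and "destination is an executable" rather than on the google.com host, which is exactly what the spammer is counting on you to trust.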
Most of the Google spam that we have seen thus far redirects to different variations of pharmacy sites pushing pills and enhancement products, typical to most health related spam.
One element of Google spam that hasn't received much attention, however, is its potential for delivering malware as a file rather than a page. The potential for drive-by download via malicious JavaScript or iframes is obvious and well documented, but Google spam could just as easily redirect a user to a malicious PDF.
Many users have their PCs set up to open common file types like PDFs automatically, without so much as a confirmation box asking whether they really want to open the file. This convenient feature is a wide open hole for malware, especially considering the PDF reader exploits that have been published over the last several months.
To better protect themselves, users should not allow any attachment type to open automatically, no matter how common. It may be an inconvenience to click through a confirmation dialog every time we open a file type we use 50 times a day, but it puts one more step between us and a potentially malicious download. Allowing any file to open on your PC without your prior knowledge and consent extends a level of trust to an untrusted network that should never exist.
Tax Season is here and the IRS scams just keep on coming. We've already seen and talked about many different variants of the IRS phishing emails that say you are due a refund that they will gladly refund to your credit card, but now it appears that the scams have moved into malware downloads.
We've seen a new IRS scam over the past couple of days which is trying to trick users into thinking that they need to update the tax software on their system. Why would the IRS care what tax software you have on your system or if you have any at all? Of course, the real answer is, "They don't."
An example of the message that we are seeing:
Dear Tax Payer,
As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.
To begin the update, please visit hxxp://nzkaa . info and click "Open" when asked how to begin the download.
After doing so, no further action is required on your part.
Thank you for your cooperation,
IRS.GOV Agent #4[3
The URL above is obfuscated in case it is still hosting malware. When I visited the site it appeared to have been taken down; however, the domain registration is still active, so it could move to another IP and become a malicious site again.
A couple of interesting/humorous things about this new spam:
-- Every spam message that has hit our systems relating to this scam has come from the same IP address: 92.48.88.145, an IP out of the UK (I wasn't aware that the IRS had offshored their email distribution :) )
-- The web site in the spam is currently (subject to change while the domain is still active) being hosted on an IP out of the Bahamas. Another thing the government has decided to offshore, apparently.
-- Every message has sent its HELO (the opening of the SMTP conversation) as "Exploit". At least they're honest :)
As with the other government agency scams that we have seen to date, volume is low. The MX Logic Threat Operations Center processed around 2,000 of these messages on 2/4, 1,600 on 2/5, and about 550 so far today (as of 1pm MST).
As with the IRS and other government agency scams that have preceded this one, the government does not send unsolicited personal email to alert you to software updates, refunds, or any other official matter. The IRS knows how to get a hold of you if they need to do so.
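As an added example (not the blog's own tooling), here is a small triage script that applies the three observations above to inbound SMTP log lines: a HELO argument that is not a hostname or address literal, a .gov sender domain paired with a HELO that is not a .gov FQDN, and a burst of identical messages from a single source. The log format, the agency domain list and the burst threshold are assumptions; the log lines are constructed and use documentation addresses rather than the IP quoted above.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Added example, not from the original post. The log format is constructed
# for illustration: one line per inbound message, space-separated key=value
# fields (src, helo, mail_from, subject). Adapt parse_line() to your gateway.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Domains the post's scams impersonated. Assumption: these agencies do not
# relay outbound mail through arbitrary hosts, so a .gov sender domain paired
# with a HELO that is not itself a .gov FQDN is treated as spoofed.
IMPERSONATED_DOMAINS = {"irs.gov", "usdoj.gov", "ftc.gov"}
BURST_THRESHOLD = 3   # messages from one source IP within the sample window


def parse_line(line):
    """Turn one constructed log line into a dict of fields."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def helo_is_valid_fqdn(helo):
    """RFC 5321 wants the HELO/EHLO argument to be an FQDN or an address
    literal such as [203.0.113.7]; a bare word like 'Exploit' is neither."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ip_address(helo[1:-1])
            return True
        except ValueError:
            return False
    return bool(HOSTNAME_RE.match(helo))


def score_message(fields, per_source):
    """Return the list of reasons a message looks like an agency spoof."""
    reasons = []
    helo = fields.get("helo", "")
    src = fields.get("src", "")
    sender_domain = fields.get("mail_from", "").rpartition("@")[2].lower()
    if not helo_is_valid_fqdn(helo):
        reasons.append("HELO %r is not an FQDN or address literal" % helo)
    if sender_domain in IMPERSONATED_DOMAINS and not helo.lower().endswith(".gov"):
        reasons.append("claims %s but HELO is %r" % (sender_domain, helo))
    if per_source[src] >= BURST_THRESHOLD:
        reasons.append("source %s sent %d messages in window" % (src, per_source[src]))
    return reasons


def triage(log_lines):
    """Parse all lines, count messages per source IP, and return
    [(line_number, reasons)] for every line that triggered a rule."""
    parsed = [parse_line(line) for line in log_lines]
    per_source = Counter(f.get("src", "") for f in parsed)
    hits = []
    for n, fields in enumerate(parsed, 1):
        reasons = score_message(fields, per_source)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample: three copies of the tax-software lure from one source
# (a documentation address, not the IP quoted in the post) plus one benign
# message from a properly configured relay.
SAMPLE_LOG = [
    'src=203.0.113.7 helo=Exploit mail_from=agent@irs.gov subject="Tax software update"',
    'src=203.0.113.7 helo=Exploit mail_from=agent@irs.gov subject="Tax software update"',
    'src=203.0.113.7 helo=Exploit mail_from=agent@irs.gov subject="Tax software update"',
    'src=198.51.100.9 helo=mx1.partner.example mail_from=billing@partner.example subject="Invoice"',
]

if __name__ == "__main__":
    for n, reasons in triage(SAMPLE_LOG):
        print(n, "; ".join(reasons))
```

None of these rules is conclusive on its own (plenty of misconfigured but legitimate relays send bare-word HELOs), which is why the script reports all the reasons per line and leaves the blocking decision to the operator.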
I came across an article this morning on the SC Magazine site talking about a new virus called "MonaRonaDona" which takes a bit of a different twist when put next to most strains of malware released over the past couple of years.
As we know, malware moved from being a vehicle for fame or notoriety to a method of making large amounts of money a few years ago. Much as MBR rootkits are a throwback to a time when attacking the MBR was a popular infection method, the MonaRonaDona worm is a throwback to the time when worms were written mostly for recognition. Granted, there is a financial component to MonaRonaDona as well, but it is not likely to be very successful.
MonaRonaDona appears to be spreading via malicious advertisements being posted on web sites. The user will not know they are infected until they reboot their machine when they will receive a popup that states: "Hi, My name is MonaRonaDona. I am a Virus and I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humanity." This malware will also prevent the user from opening common programs on their PC such as Microsoft Office and Adobe applications.
Very noble, but I fail to see how preventing me from opening Word does anything to remedy crimes against humanity in places like Darfur.
Part of the worm author's intention is also to socially engineer the user of the infected PC into searching Google for the name of the worm. Among the fake sites the malware authors have set up is one selling a product named Unigray, which for $40 claims to clean MonaRonaDona off your PC. Of course, all it really cleans out is $40 from your wallet :)
Personally, I think this worm is a lot of work for what will likely be very little reward. It is different, though, especially with the hacktivism angle, which makes it interesting.
We've discussed before that we expect to see more political based spam as the presidential election year wears on, especially closer to Democratic and Republican convention times. Expect to see more political based hacktivism type malware lures as the year progresses and as the race for the White House intensifies. As we saw with the Ron Paul spam last November, the stage has been set to use spam as a method for propaganda distribution pertaining to the upcoming election!
Looks like the government agency spoofs from last summer have returned!
During May/June 2007 we saw nearly weekly variants of spam emails spoofing different government agencies, largely targeted at C-level executives and carrying a keylogger payload. These started out with the malware attached to the message itself, then migrated to a pull infection model where the user downloaded the malware from a web site via a link embedded in the message.
Starting today we've seen a resurgence of this tactic, but the new variant spoofs the Department of Justice, which had not been one of the spoof targets of the previous runs. Below is a redacted screen shot of the new scam (courtesy of McAfee):
As you can see from the above screen shot, the message has an attachment named complaint.zip which contains the malware payload.
A couple of social engineering similarities between this scam and last summer's are the inclusion of the recipient's name and the name of the recipient's company. You'll also notice from the screen shot that there are grammatical errors and misspellings.
A few particular examples that I have seen were sent from IPs in Italy. Somehow I doubt the DoJ has contracted with anyone in Italy to start sending legitimate complaint notices :)
Volumes of this scam have been pretty low, on the order of a few hundred per hour seen by our Threat Operations Center. No information yet on specific targeting. This post will be updated as more information becomes available.
Between our webmaster working on a new blogging tool for me to use and the first of three Messaging Anti Abuse Working Group (MAAWG) meetings for the year in San Francisco last week (I am now Chairing the Botnet/Zombie Subcommittee), I've not had nearly the time that I normally have for blogging over the past couple of weeks. I've been queuing up topics in the meantime though so we should be back on our regular posting cadence now.
In comparison to most previous years, 2008 is off to a pretty fast start as it relates to spam and malware. Save for last year, when the Storm Worm started January off with a bang, the months of January to April are typically a bit slow from the perspective of new worms, malware, and spam volume. The primary reason for this "slow season" is that a good number of malware writers are of high school/college age. Those folks are in school or otherwise occupied during the early months of the year. Come May or thereabouts, schools let out for the summer, kids find themselves with more idle time, and the flood of malware and spam begins. Infections rise, spam levels rise, and things quickly start hopping around our TOC.
2008 has somewhat bucked the trend in that regard as we have seen a number of developments just in the first two months of the year alone: MBR Rootkits, Drive-By Pharming, and continually high spam volumes which normally drop off by as much as 30% after the first of the year. In fact, the spam volumes that we have been observing this week are UP about 20% from any other week so far this year!
We've also seen social engineering tactics like Fake Microsoft updates with links to malware and IRS phishing scams claiming that you are due a refund from the IRS that will be gladly credited to your credit card if you provide them with your card number (not new tactics, but worth noting nonetheless) as well as Google spam (email with links to Google search results which forward you to sites that have abused Google's PageRank system).
Google spam is currently accounting for around 100,000 messages per hour that we are seeing in our Threat Operations Center. Although this doesn't represent a significant percentage of volume, it is the most prevalent spam tactic that we are currently observing. Compare that to IRS phishing which we are currently seeing at a rate of less than 100 per hour.
If the first two months of 2008 are any indication of what the rest of the year will be like, perhaps it is appropriate that it is the year of the rat according to the Chinese calendar :)
According to this article at internetnews.com, American and Russian law enforcement agencies know who is behind the creation of the Storm Worm.
The article goes into detail on the difficulties of extradition to the United States if American officials request it so I won't belabor that point here.
What is important is whether or not this could mean the end of the Storm Worm? Unfortunately not. We already know from research done by Joe Stewart that recent variants of the Storm Worm are using a key to encrypt their P2P traffic basically segregating the network into chunks that use this same key to communicate. This means that these portions of the botnet could be sold off and used for whatever purposes the buyer wanted to use them for: more spam, different malware, etc. If the Storm Worm code is also made available, then there is nothing stopping Storm from living on.
Even scarier is the notion that we have seen the evolution of malware and it only gets nastier and nastier with one idea building off the previous. So, even if we don't see additional specific Storm Worm variants if/when the authors are arrested, the concepts and code will certainly live on and take on new shapes in the next popular malware strains.
The folks over at F-Secure posted this image charting malware growth by year since 1986 (the year of the first PC virus, Brain.A). The scale of the graph is somewhat skewed by the enormous growth of the past few years, but the numbers jibe with what McAfee AVERT Labs reported earlier this year: more malware (new strains plus variants of existing malware) was discovered in 2007 than in 2005 and 2006 combined.
2008 is expected to provide no relief to this trend either. Hang on and please keep your hands and feet inside the ride at all times!
In keeping with form the gang responsible for the Storm Worm (and its many variants) has been releasing updates to correspond with the New Year holiday coming up next Tuesday (they also released some Christmas joy as well on Christmas eve for those who wanted early "presents").
They've been changing domains linked to in the email that is directing you to the malware download. So far we have seen:
happycards2008.com
newyearcards2008.com
happynewyearcards2008.com
uhavepostcard.com
All of the above sites are currently active except for happynewyearcards2008.com which appears to be offline.
If the link in the email is clicked it takes you to a site that says your download will begin shortly (in reality the page is probing your PC for vulnerabilities to exploit) and that if the download doesn't start you should click to download the file manually. Clicking that link downloads the malware, so users who were not exploited automatically end up infecting themselves. This is akin to how other Storm Worm variants have operated.
The downloaded file is changing names also. Currently the file is happynewyear2008.exe, but previous variants have downloaded happy2008.exe, happy-2008.exe, and happynewyear.exe.
Have a Happy New Year, but don't party with the Storm Worm Gang!
I realize that I have been a bit lax in my posting over the past couple of weeks with the holidays and having been sick for a goodly amount of time (is any time that you are sick really "good" time?) as well. I thought I would take some time to attempt to bring 2007 to a close with a wrap up of what we have seen this year. I'll probably make some references to our 2008 predictions blog posting as well since some of what we have seen this year will carry over to next and beyond.
2007 will most certainly be known in the anti-spam and anti-malware worlds as the year of the Storm Worm. From late January when Storm was first discovered all the way through the end of the year where even up to this weekend we continued to see additional Christmas e-card variants popping up, Storm Worm volumes not only eclipsed every other piece of malcode that we saw in our Threat Center, but it also surpassed volumes seen previously only by the outbreaks of the Sober worm back in 2005. Since the Storm Worm has been so adept at refining its social engineering tactics and has primarily been releasing new variants around major events like holidays, expect this to continue into 2008 likely morphing into political spam as the presidential races continue to heat up.
Speaking of social engineering, we saw several refinements this year not only in how it is used as a lure to attempt to get a user to open a message, but in how spam mail itself is targeted. Starting in late May and continuing through June (there was another that popped up in December also) spammers were forging emails purporting to be from government agencies like the FTC and non-profits like the Better Business Bureau in an attempt to make the message look like a complaint was being filed against the target company. What made these messages so unique and effective is that they were targeted and sent directly to C-level executives. If the target opened the attachment/clicked the link within the message body they were infected with a keylogger which would log any information input into the infected machine and upload it to a web site where cyber criminals were then selling that information for profit.
We also saw a significant shift away from image based spam, a tactic that had been prevalent in larger volumes since December, 2005. Image spam had been the big spam story throughout all of 2006 and even into the early parts of 2007, reaching almost 40% of spam volumes in April of this year. As it reached its peak, however, it quickly started to decline. As image spam waned, we saw the dawn of a new spam: PDF spam!
PDF spam forced the industry to react quickly and make sure that it was treating messages as holistic entities examining not only message headers and body content, but the content of attachments to ensure that spam content was not being hidden in there.
Although PDF spam volumes were short lived, they highlighted the rapid movement away from image spam to the point where image spam is currently less than 3% of all spam volume that we see. PDF spam also introduced additional challenges that image spam did not. Not only were messages larger due to the existence of the PDF attachment (this was a similar characteristic of what we saw with image spam so at least this in itself did not introduce any new challenges), but since PDFs need to be scanned for potential malcode they required the additional system resources of a virus scan. Many more CPU cycles were being chewed by processing PDF spam as opposed to its image based predecessor. PDF spam lasted in large quantities for only about a month.
As PDF spam waned we have been seeing some minimal increases in other types of attachment based spam with spam sometimes appearing within the body of a Word doc or an Excel spreadsheet. Volumes of this type of spam are still quite low, but could easily be leveraged for a wide scale attack similar to how PDF spam was used. Most of the tactics now have gone back to what I call "old school" style spam where spammers have been resorting back to text obfuscations in an effort to get their junk through spam filters.
So, as you can see, a lot has happened in 2007 and the forecast for 2008 looks to bring about some new challenges as these existing threats evolve and as new ones emerge. If you'd like some more information on what we expect to see next year and forward, feel free to read my 2008 predictions blog. In the meantime, here's to hoping everyone has a safe and wonderful holiday season.
As we near the end of another year I can say with surety that 2007 will be remembered among spam and malware filtering companies as the year of the Storm Worm. In 2005 it was the year of the Sober worm, but 2007 has most definitely been owned by Storm and its many variants.
So, as we close out 2007 we start to look forward to 2008. What are some of the 2007 trends that we expect to continue in 2008? What will be new? How will current trends evolve?
Here are some of my random thoughts:
-- We will see an increased prevalence of Web 2.0 attacks.
When we talk about "Web 2.0" we mostly mean interactive communities like blogs, wikis, and social networking sites like MySpace and Facebook. Web 2.0 sites provide a richer, more interactive internet experience that extends beyond the typical "download content and view pages" model and puts users more in control of the content.
From a user experience perspective, this is a great idea, but typically what makes things easier for the user carries along with it some level of security implication.
As part of the Web 2.0 experience, more code execution is being pushed to the client browser. This doesn't necessarily change the types of attacks that exist in Web 2.0 applications versus Web 1.0 applications (XSS, SQL injection, and CSRF exist just as they did before), but they will manifest themselves in different ways. It will be the application developer's responsibility to validate and encode everything that arrives from the client, and to do it on the server, since checks that run in the user's browser can be bypassed by anyone who posts the request directly; potentially malicious content must never make it from the "untrusted" user environment into a site's "trusted" backend infrastructure unchecked. Cyber criminals will probe these validation gaps as much as possible.
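An added example, not code from the original post, of the server-side half of that validation for two fields a social networking profile typically accepts: the unsafe comment renderer beside its encoded form, and a homepage-link check that rejects javascript:, data: and scheme-relative values before the link is ever rendered. The function and field names are assumptions for illustration.

```python
import html
from urllib.parse import urlparse

# Added example, not code from the original post. Both checks run on the
# server: a client-side copy of the same logic can be skipped by anyone who
# posts the form directly.
ALLOWED_LINK_SCHEMES = {"http", "https"}


def render_comment_unsafe(text):
    """The bug: interpolating user text straight into markup lets a posted
    <script> run in every other visitor's browser (stored XSS)."""
    return "<p class=\"comment\">%s</p>" % text


def render_comment(text):
    """Hardened form: HTML-encode the text so tags arrive as literal text."""
    return "<p class=\"comment\">%s</p>" % html.escape(text, quote=True)


def sanitize_profile_link(url):
    """Accept only absolute http(s) URLs for a 'my homepage' field and return
    a normalised string, or None to reject. Rejects javascript:, data: and
    scheme-relative values, and the control characters some browsers strip
    before parsing the scheme (which would turn 'java\\x00script:' into
    'javascript:' after the check had passed)."""
    if any(ord(c) < 0x20 for c in url):
        return None
    p = urlparse(url.strip())
    if p.scheme.lower() not in ALLOWED_LINK_SCHEMES or not p.hostname:
        return None
    return p.geturl()


def render_profile_link(url):
    """Combine both: a rejected link renders as nothing; an accepted one is
    still attribute-encoded, because validation and encoding are separate
    defences."""
    clean = sanitize_profile_link(url)
    if clean is None:
        return ""
    encoded = html.escape(clean, quote=True)
    return "<a href=\"%s\" rel=\"nofollow\">%s</a>" % (encoded, encoded)


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_unsafe(payload))
    print(render_comment(payload))
    print(render_profile_link("javascript:alert(1)") or "(rejected)")
    print(render_profile_link("https://example.invalid/me"))
```

Output encoding belongs at the point of rendering and validation at the point of input; neither replaces the other, and neither belongs only in the browser.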
-- We will see an increase in "blended threats" in 2008.
If you are not familiar with the term "blended threat" it is a combination type of threat which will mix the data stealing capabilities of malware with backdoor botnet capabilities. What this means is that if you are infected with one of these hybrid types of malware you could have a keylogger installed on your machine which is logging your keystrokes and sending your potentially confidential and personally identifiable information to a cyber crook for sale in the underground community, but your machine is also available as a spam zombie such that botnet herders can rent time on your computer to send out spam/viruses/etc.
The holiday season is a particularly interesting time to potentially see these types of threats also because of the amount of online shopping that takes place in the 5 weeks between Thanksgiving and Christmas. comScore recently released their Cyber Monday 2007 Statistics which showed that $733 million dollars was spent online on Cyber Monday (the Monday after the Thanksgiving weekend) alone. This is obviously a target that is too large for criminals to ignore.
-- Abuse will continue to move into other forms of communication
We've already seen some of this in 2007, but is something that we expect to continue not only into 2008 but beyond.
Mobile phone and PDA abuse is already a big problem in places like Europe and Japan. It isn't so much so yet in the United States, but as smartphones make more of a movement into the space where they allow the development and installation of third party applications users will need to be continually wary of the security implications of these new conveniences. The line between the PC and the phone is becoming blurrier every day and as such mobile computing devices will soon need to deploy the same types of security suites that should be installed on every desktop and laptop PC.
We also expect to see more tele-spam (spam sent via VoIP technologies) and voicemail injection (the compromising of vulnerable VoIP systems to inject spam voicemail directly into a user's voicemail inbox).
In the vein of "targets too large for criminals to ignore" the smartphone industry is expected to be a $250B industry by 2011. You can be sure that cyber criminals will do whatever they can to get a piece of that pie!
-- Continued movement of malware away from email as a primary distribution vector.
This is another one of those trends that we have seen shift over the past year or two. Malware authors have already begun the movement from the "push" based method of infection that we have talked about previously (where static malware content is pushed to the user via an email attachment) to a "pull" based model where users pull the content from a web site, typically lured to by a link in either an email or an instant message.
The Storm Worm is a great example of this transition in action. Early versions pushed executable file attachments to unsuspecting users which, when opened, infected the user's PC with Storm. Later variants used social engineering lures like fake, malicious e-cards to draw people to web sites where they downloaded more dynamic pieces of malware.
More and more viruses have been following this trend over the last year or two and we expect this trend to continue. By 2009 or 2010 we expect malware distribution by internet pull based methods to surpass email as a distribution vector making it the primary method of infection. The email virus is likely to never completely go away, but the dynamic nature of the web as a way to distribute malware carries many advantages that email's static nature does not.
-- More targeted phishing/malware attacks
What discussion about social engineering would be complete without a mention of the evolution of tactics by cyber criminals in an effort to establish legitimacy with their targets?
Social engineering has always been the key ingredient to the success or failure of any cyber crime campaign. If you can do it well, you will have a significant greater chance of success than if you don't. The Storm and Sober worms (the last two really successful email-borne malware campaigns) were successful because of the social engineering tactics they used (Paris Hilton videos, free World Cup tickets, and e-cards as a few examples). As cyber criminals continue to launch new campaigns, you can be certain that they will refine their social engineering tactics to the point where even the trained eye will have trouble quickly determining the (il)legitimacy of an email.
These attacks will also become more targeted, similar to the government agency scams from earlier this year that were sent primarily to C-level executives. Effective social engineering combined with good targeting virtually ensures that there will always be people who fall for these scams, which keeps spam a profitable venture.
We've been talking quite a bit lately about the move from "push" based malware to "pull" based. So I figured it was time to dedicate a full blog posting to it and its significance.
Again, pull based malware is generally web site hosted malware where the user "pulls" the content from the web site by virtue of visiting the site with their web browser.
This type of malware is especially dangerous for a couple of reasons:
-- It evades attachment filtering techniques (there is no email attachment; the content arrives via a web site link)
-- The user generally has no idea that the site they visited is malicious
-- Hackers can employ technologies like server side polymorphism to repack binaries for every download, rendering traditional signature based anti virus engines ineffective
We are starting to see more and more instances of common web site compromises where users can get infected without any lure (for example, the 1st Congressional District GOP of Wisconsin site was reported compromised about a week ago by the same group that brought us the Storm Worm). In general, however, these infections are still the exception, not the norm.
Speaking of the Storm Worm gang, they have actually created a hybrid between push and pull infections for some of their variants. These probe the victim's PC for a number of unpatched vulnerabilities when the page loads, and if none of the ones they are looking for are present, direct the user to download and install the file manually. Even Vista's UAC offers only rudimentary protection here: UAC asks for consent only when the program requests elevation, and a user who deliberately chose to download and run the file almost always clicks "Yes" to that prompt, so the user falls on their own sword and infects themselves. Nice, eh?
Typically when a user is being lured to a malicious web site multiple communication mediums are leveraged. Something has to let the user know that the site is available and accessible, right? That lure in many cases comes via email.
There is a distinct crossover between email and web defense solutions such that the data collected by one can make the other more effective, a synergistic relationship between the two systems. For the foreseeable future attackers will have to keep using channels like email to get users to the infected site. During that time a solution which monitors and protects not only your inbound mail flow but also your outbound web browsing provides an effective defense-in-depth against malware and fraud.
This new tactic leverages YouTube links in an effort to get users to click and download malicious code. The link sent via email looks like a properly formatted YouTube URL, but actually points at a compromised web server. To avoid DNS altogether the link uses a numeric IP address instead of a hostname (a hostname also being easier to take down).
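An added example, not from the original post, that applies the check described here to the anchors in a message body: a link whose visible text or path says youtube.com while its host is a raw IP address, a brand name hidden in the userinfo part before "@", or a brand name embedded in an unrelated domain. The HTML sample is constructed with documentation addresses, and the brand host rule (anything on or under youtube.com counts as genuine) is an assumption.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Added example, not code from the original post.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def lookalike_verdict(href, display_text="", brand="youtube.com"):
    """Return the reasons `href` impersonates `brand`; an empty list means
    the link really lands on the brand's own domain.

    Cases covered:
      http://203.0.113.5/watch?v=abc            -> raw IP host, brand in text
      http://www.youtube.com@203.0.113.5/watch  -> brand in userinfo, IP host
      http://www.youtube.com.evil.invalid/watch -> brand as a subdomain
      http://www.youtube.com/watch?v=abc        -> genuine, no reasons
    """
    reasons = []
    p = urlparse(href)
    host = (p.hostname or "").lower()
    if host == brand or host.endswith("." + brand):
        return reasons                       # genuinely on the brand's domain
    if _is_ip(host):
        reasons.append("host is a raw IP address (%s); no DNS name involved" % host)
    if p.username and brand in p.username.lower():
        reasons.append("brand name sits in userinfo before '@'; real host is %s" % host)
    if brand in host:
        reasons.append("brand name embedded in unrelated host %s" % host)
    where = (display_text + " " + p.path + " " + p.query).lower()
    if brand in where:
        reasons.append("brand name shown in link text or path but host is %s" % (host or "missing"))
    return reasons


def find_lookalikes(html_body, brand="youtube.com"):
    """Walk every <a href> in an HTML part and return (href, text, reasons)
    for the ones that impersonate the brand."""
    hits = []
    for href, text in ANCHOR_RE.findall(html_body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        reasons = lookalike_verdict(href, text, brand)
        if reasons:
            hits.append((href, text, reasons))
    return hits


# Constructed sample: one lure whose visible text is a YouTube URL but whose
# href is a raw IP (a documentation address), and one genuine link.
SAMPLE_HTML = (
    '<p>Check this out: <a href="http://203.0.113.5/watch?v=abc123">'
    'http://www.youtube.com/watch?v=abc123</a></p>'
    '<p><a href="http://www.youtube.com/watch?v=abc123">the real one</a></p>'
)

if __name__ == "__main__":
    for href, text, reasons in find_lookalikes(SAMPLE_HTML):
        print(href, "shown as", text, "::", "; ".join(reasons))
```

The display-text comparison is the important one for mail: the recipient sees the text, not the href, so a mismatch between the two is the signal regardless of whether the real host is an IP or a throwaway domain.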
This is another example of pull based malware that we have been talking about more and more where the user has to go visit a web site (either by clicking a link or following instructions to go to a particular web site) in order to get infected as opposed to having the malware "pushed" to them via an email attachment.
This method of infection also forced the AV vendors to start employing URL based blacklists into their products such that malicious web sites can be proactively identified by the AV engine based on the web site address and not necessarily based on the hosted content. This is a good move on their part especially considering the increase (and expected continued prevalence) in server side polymorphic viruses.
Just like 2005 was the year of the Sober worm, 2007 will be known as the Year of the Storm.
Since late January we have seen Storm worm variants using social engineering tactics like news stories, current events, and e-cards in an attempt to get unsuspecting victims to open attachments, click links, and get infected to become the latest addition to the Storm Worm bot army.
The latest and greatest social engineering tactic, which we started seeing on Saturday, uses porn. As with the e-card tactic, it relies on a pull based method of infection: the malware is not "pushed" to the user as an attachment; instead the email contains a link which, when clicked, causes the user to "pull" it down.
The messages that we have been seeing with this new variant include the following either in the subject line or message body (this is only a partial list): "I need someone to please me. Check out my pictures", "Want me to show you what my room mate and I do when we get lonely at night", and "Taking these pictures made me so hot. I bet they will make you hot too" (I'll bet this post gets caught by a few spam filters :) ). This new variant is currently accounting for about 1 in 6 virus infected messages seen by the MX Logic Threat Operations Center within the last 24 hours.
So why the move to "pull" based malware instead of "push" based? For one, it is more difficult for end users to submit samples of the malware: if the attachment is pushed to the end user, they have everything they need at their fingertips to send to the anti-virus vendors. Secondly, with the pull model users may not even know they visited a malicious web site; the site may display an error message saying it is unavailable (or something equally innocuous so as not to arouse suspicion) while in the background the user's PC is being infected. This model also lets malware authors use a tactic known as "server side polymorphism", where the way the malware is packed changes on every download, rendering traditional signature based anti-virus engines ineffective. The version I download can have an entirely different signature from the version someone else downloads even if we clicked through to the site at exactly the same time.
We've been seeing more examples of pull based malware over the last couple of months, mostly related to the Storm worm but the BBB scam from a couple of months ago used this method as well. Pull based infection provides much greater flexibility for the malware authors in their attempts to stay one step ahead of the anti-virus engines and is something we will continue to see not only from Storm, but from other worm authors who learn from Storm's successes in their attempts to come up with new methods to get onto our PCs.