IT Security Blog

05 June 2008

While on the Topic of Google Spam...


I wonder if the folks over at Google got the message that service providers had finally had enough of dealing with the backscatter coming out of their mail servers, because it has also dropped off significantly since we first started talking about it back in April.  Backscatter (bounce messages attempting to be delivered to users that do not exist) rates from Google were over 50% on some days.  This means that over 50% of the total mail that we were receiving from Google was made up of these invalid bounces.  The backscatter rate has now dropped to about 2% of the total mail from Google.  That is still higher than what most would call acceptable, but when you are comparing over 500k messages per day to about 10-15k, I would say that is a significant improvement no matter how you slice it.

Unfortunately, though, the problem has shifted from backscatter to 419 phishing scams.  A 419 scam is the advance-fee type of fraud, in which the victim is promised a much larger sum in return for paying a small amount up front.  419 scams are also commonly called Nigerian scams; the term 419 comes from the section of the Nigerian Criminal Code that deals with fraud.

Although about 25% of the email that we get from Google's network is still spam, the makeup of that traffic has shifted from about 50% backscatter to about 50% phishing, in particular from IP addresses that start with 72.14.204, 72.14.214, and 72.14.246.

This is certainly not intended to single out Google either as they are not the only free webmail provider that we see enormous amounts of spam from.  We see plenty from Yahoo and Hotmail as well.  Google is the main provider on everyone's radar right now because of the quickly changing nature of attacks against their system and the rapidly changing view across many different industries of the viability of using Google as their business mail host.  More and more legitimate businesses are having trouble sending email from their hosted GMail accounts to service providers because Google's mail servers are ending up on block lists with increasing regularity, a trend that is only gaining momentum amongst industry insiders.

Posted by smasiello at 1:54 PM

Where Has All of the Google Spam Gone?


Since February we have made several mentions of Google Spam and its migration from benign redirects to Canadian Pharmacy sites, to malware distribution via fake Osama bin Laden videos.  We also saw a Storm Worm campaign, posing as a video codec, that used this same technique.

Since February Google spam had accounted for anywhere between 1% and 5% of total spam volume, but over the past couple of weeks it has all but completely disappeared.

Where did it go?

It seems to have migrated over to Microsoft's Live SkyDrive service.  If you are not familiar with SkyDrive, it is a document hosting service being launched by Microsoft, similar to Google Docs.
Here is the basic premise of how this tactic works:

-- Email is received with a link to a document hosted on the SkyDrive service, with some sort of social engineering lure as bait.  The format of the URL is http://hostname.bay.livefilestore.com/..$very_long_hash_value…/$filename.html (where the hash is some calculated value and $filename.html is the name of the hosted file)

-- User clicks the link to the file hosted on SkyDrive, which in this case is an HTML file that contains a JavaScript redirect to a pharmacy website

-- The redirected web site is displayed in the user's browser and any background code is executed, which could include the drive-by injection of malware just as we saw with Google Spam.

The HTML file being hosted on SkyDrive is a simple, one-line script:

<html><script language=JavaScript>window.location.replace("hxxp://songkhlong.com")</script></html>
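As an added example (not code from the original post), here is the defender-side check a mail filter could run on such a link: it recognizes an .html file hosted on the livefilestore.com domain from the URL shape described above and pulls the forwarding target out of the fetched page, covering both the JavaScript form shown and a meta-refresh variant. The sample URL and its hash segment are constructed placeholders, not a real SkyDrive link.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: the one-line redirect page quoted in the post, with the
# defanged "hxxp" scheme left exactly as it appears there.
SAMPLE_HTML = ('<html><script language=JavaScript>'
               'window.location.replace("hxxp://songkhlong.com")</script></html>')
# Constructed URL in the shape the post describes; the hash segment and file
# name are placeholders, not a real SkyDrive link.
SAMPLE_URL = "http://example.bay.livefilestore.com/y1pPLACEHOLDERHASH/offer.html"

HOSTED_DOMAIN_SUFFIX = ".livefilestore.com"

# window.location = "...", location.href = "...", location.replace("...") and
# location.assign("...") forms; accepts defanged hxxp(s) as well as http(s).
JS_REDIRECT = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*'
    r'["\']((?:h[tx]{2}ps?)://[^"\']+)["\']', re.IGNORECASE)
# <meta http-equiv="refresh" content="0;url=..."> form.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=["\']?([^"\'>\s]+)',
    re.IGNORECASE)

def is_hosted_html_link(url: str) -> bool:
    """True when the link points at an .html file on the file-hosting domain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return host.endswith(HOSTED_DOMAIN_SUFFIX) and parsed.path.lower().endswith(".html")

def extract_redirect_target(html: str) -> Optional[str]:
    """Return the URL the page forwards the browser to, or None if it has no redirect."""
    for pattern in (JS_REDIRECT, META_REFRESH):
        match = pattern.search(html)
        if match:
            return match.group(1)
    return None

def classify(url: str, html: str) -> str:
    """Label a link plus its fetched body the way a mail filter would."""
    if not is_hosted_html_link(url):
        return "not-hosted-html"
    target = extract_redirect_target(html)
    if target is None:
        return "hosted-html-no-redirect"
    # Re-arm the defanged scheme only so urlparse can pull out the host name.
    host = urlparse(target.replace("hxxp", "http", 1)).hostname or target
    return "hosted-html-redirect:" + host
```

Running classify(SAMPLE_URL, SAMPLE_HTML) yields "hosted-html-redirect:songkhlong.com", which is the verdict a filter would attach to the message.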

Currently, SkyDrive spam accounts for a little over 1% of the total spam that we are seeing in our Threat Operations Center, which means that it is currently as prevalent as both phishing and gambling spam.  I don't believe that we have seen the last of Google spam, but the focus definitely appears to have moved toward Microsoft for the time being.

As a side note, McAfee originally reported seeing large influxes of SkyDrive spam back in January, so SkyDrive spam isn't a new tactic; however, it has dramatically increased in prevalence since the drop-off of Google spam about 2 weeks ago.

*** UPDATE 6/5/2008 4:50pm MDT *** - It appears that Google Docs is also being targeted by this tactic.  I just came across the message below (note the link at the bottom) from one of our spamtraps; it hit our system yesterday (the hosted doc appears to have been taken offline by the time of this update):

Hi fellow

Is the Rising Cost of Prescrlption Drugsare cause of concern?

The rising cost of Prescrlption drugs may be costing you your health.
In particular, living on a fixedincome.

You can cut your Medicalbilling.

Simple Way to Cut Your Prescrlption Costs optfor Generic.

Genericpharmacy: A Cheaper Effective Alternative

Forget about huge spendings You can save upto 8O%

Hugesaving because the solutions is directly from manufacturer.

hxxp://docs.google.com/View?docid=3Dddsz3hdh_0wwwmrbm3

Posted by smasiello at 11:15 AM
03 April 2008

It's Google Spam! It's Video Spam! It's Malware!


Yet another new twist in the never-ending array of Google Spam that we have been seeing over the past 2 months.  The sample that hit our spamtraps within the last hour puts a new spin on the tactic.

When I first opened this message I thought, "Neat!  Google video spam!"  It wasn't until I looked at the source code of the message that I realized that this was just another link to malware redirecting through Google, with a fake video as the lure.

Here is a screenshot of the spam:



Clicking any of the links downloads a file named video_codec-v2.12.384.exe.

So far AV pickup is pretty spotty (stats courtesy of Virustotal):

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Dropper.Gen
Authentium - - -
Avast - - Win32:Agent-GPS
AVG - - -
BitDefender - - DeepScan:Generic.Malware.FBldld.D22058AD
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - W32/Agent.Q.gen!Eldorado
F-Secure - - Suspicious:W32/Malware!Gemini
Ikarus - - Virus.Win32.Agent.GPS
Kaspersky - - -
McAfee - - Proxy-Agent.af.dr
Microsoft - - Trojan:Win32/Danmec.gen!A
NOD32v2 - - a variant of Win32/Agent.NEQ
Norman - - -
Panda - - -
Prevx1 - - Heuristic: Suspicious File With Bad Child Associations
Rising - - -
Sophos - - Troj/Bdoor-AJR
Symantec - - -
TheHacker - - -
VBA32 - - suspected of Trojan-PSW.Pinch.12 (paranoid heuristics)
VirusBuster - - -
Webwasher-Gateway - - Trojan.Dropper.Gen

Posted by smasiello at 12:25 PM
10 March 2008

Malicious Attachments via Google Spam


Over the last few weeks we have seen a significant increase in what is known as Google Spam in the Threat Operations Center, sometimes peaking at almost 5% of our overall spam volume.
Google spam is defined as spam that abuses the Google PageRank system by artificially inflating the ranking of a spam site.  Once the spam site ranks at the top of Google's results for certain keywords, spam blasts are sent out containing crafted URLs that query those keywords and emulate the Google "I'm Feeling Lucky" button, which automatically redirects the user to the query's top-ranking site.
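As an added example (not code from the original post), this is the check a mail filter could apply to flag the "I'm Feeling Lucky" style links the paragraph describes: it picks URLs out of a message body, confirms the host really is a Google search host rather than a look-alike, and reports the seeded keyword phrase. The btnI parameter name is taken from Google's own search URLs, not from the post, and the message body is constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed message body: one "I'm Feeling Lucky" link built on a keyword
# phrase, one ordinary search link, and one look-alike host.
SAMPLE_BODY = """Great deals, see for yourself:
http://www.google.com/search?q=constructed+keyword+phrase&btnI=I%27m+Feeling+Lucky
Unrelated link: https://www.google.com/search?q=normal+query
Spoofed host: http://google.com.evil.example/search?q=constructed+keyword+phrase&btnI=1
"""

URL_RE = re.compile(r'https?://[^\s<>"\']+')
# google.<tld> with an optional country suffix (google.com, www.google.co.uk);
# fullmatch keeps "google.com.evil.example" from passing as a Google host.
GOOGLE_HOST = re.compile(r'(?:[a-z0-9-]+\.)*google\.(?:com|[a-z]{2,3})(?:\.[a-z]{2})?')
# btnI is the query parameter Google's "I'm Feeling Lucky" button submits;
# carrying it is how a crafted search URL emulates that button.
LUCKY_PARAM = "btnI"

def is_feeling_lucky_redirect(url: str) -> bool:
    """True for a Google web-search URL that carries the I'm Feeling Lucky parameter."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not GOOGLE_HOST.fullmatch(host) or parsed.path.rstrip("/") != "/search":
        return False
    params = parse_qs(parsed.query)
    return LUCKY_PARAM in params and "q" in params

def lucky_query(url: str) -> str:
    """The keyword phrase the spammer has seeded so their own site ranks first."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]

def scan_message(body: str):
    """Return (url, keyword phrase) for every I'm Feeling Lucky link in a message."""
    return [(url, lucky_query(url))
            for url in URL_RE.findall(body) if is_feeling_lucky_redirect(url)]
```

On SAMPLE_BODY, scan_message returns only the first link together with its keyword phrase; the plain search link and the spoofed-host link are ignored.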

Most of the Google spam that we have seen thus far redirects to different variations of pharmacy sites pushing pills and enhancement products, typical to most health related spam.

One element of Google spam that hasn't received much attention, however, is the potential for attachment-based malware distribution via this tactic.  The potential for drive-by malware download as a result of malicious JavaScript or iframes is obvious and well documented, but another potential threat vector is the possibility of Google Spam directing a user to a malicious PDF.

Many users by default have their PCs set up to automatically open common attachment types like PDFs without so much as a confirmation box asking whether they are sure they want to open the file.  This convenient feature is a wide-open hole for malware injection, especially considering the PDF exploits that have been published over the last several months.

To better protect themselves users should not be allowing any attachment type to be opened by default, no matter how common.  Although it might be an inconvenience to have to click a button on a confirmation dialog every time we open file types that we are used to using and that we may open 50 times per day, it at least puts one more step between ourselves and potentially malicious downloads.  Allowing any file to be opened on your PC without your prior knowledge and consent enables a level of trust from an untrusted network that should never exist.
Posted by smasiello at 4:39 PM