MX Logic IT Security Blog

Announcing the July 2008 MX Logic Threat Forecast and Report

2008-07-02T10:51:40-06:00

Hot off the presses and posted to the MX Logic web site is the July 2008 edition of our Threat Forecast and Report.
In this latest edition we look ahead to some of the threats and scams that we see upcoming for the month of July (Teaser: the iPhone will be featured prominently this month!) as well as a lookback to what we saw during the month of June (In our previous report we estimated that spam volume would go up in June after being down in May. Oops!).

There is also something about name calling between pots and kettles....

Check out this month's Threat Forecast and Report here.

Storm Wants to Make You a Winner!

2008-06-30T17:21:00-06:00

Of course it is appropriate that on the same day we write about the author of fast flux pleading guilty to a felony that we see another Storm Worm variant come out. Granted, new Storm Worm variants are nothing new. They come out all the time. I figured I would send out some red flags on this one because as of the time of this writing AV identification of this new variant is less than 10%.

The lure is your typical one-liner type of email which has a love lure in the message body such as "I Want You, I Need You, I Love You" or "You are in my heart" followed by a link to a web site that serves up two executables (both linked to Storm).

This is a screen shot of what the site looks like:

Clicking on the banner at the top of the page attempts to download a file named winner.exe. Clicking the "Click Here" link attempts to download mylove.exe.

Here are the virustotal.com results for winner.exe and mylove.exe:

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.7.1.0	2008.06.30	-
AntiVir	7.8.0.59	2008.06.30	-
Authentium	5.1.0.4	2008.06.29	-
Avast	4.8.1195.0	2008.06.30	-
AVG	7.5.0.516	2008.06.30	-
BitDefender	7.2	2008.06.30	-
CAT-QuickHeal	9.50	2008.06.30	-
ClamAV	0.93.1	2008.07.01	-
DrWeb	4.44.0.09170	2008.06.30	-
eSafe	7.0.17.0	2008.06.30	Suspicious File
eTrust-Vet	31.6.5914	2008.06.30	-
Ewido	4.0	2008.06.27	-
F-Prot	4.4.4.56	2008.06.29	-
F-Secure	7.60.13501.0	2008.06.26	-
Fortinet	3.14.0.0	2008.07.01	-
GData	2.0.7306.1023	2008.06.30	-
Ikarus	T3.1.1.26.0	2008.06.30	-
Kaspersky	7.0.0.125	2008.07.01	-
McAfee	5328	2008.06.30	-
Microsoft	1.3704	2008.07.01	-
NOD32v2	3229	2008.06.30	-
Norman	5.80.02	2008.06.30	-
Panda	9.0.0.4	2008.07.01	Suspicious file
Prevx1	V2	2008.07.01	-
Rising	20.51.02.00	2008.06.30	-
Sophos	4.30.0	2008.07.01	-
Sunbelt	3.1.1509.1	2008.06.30	-
Symantec	10	2008.07.01	-
TheHacker	6.2.96.365	2008.07.01	-
TrendMicro	8.700.0.1004	2008.06.30	-
VBA32	3.12.6.8	2008.06.30	-
VirusBuster	4.5.11.0	2008.06.30	-
Webwasher-Gateway	6.6.2	2008.06.30	-

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.7.1.0	2008.06.30	-
AntiVir	7.8.0.59	2008.06.30	-
Authentium	5.1.0.4	2008.06.29	-
Avast	4.8.1195.0	2008.06.30	-
AVG	7.5.0.516	2008.06.30	-
BitDefender	7.2	2008.06.30	Trojan.Peed.JLV
CAT-QuickHeal	9.50	2008.06.30	-
ClamAV	0.93.1	2008.07.01	-
DrWeb	4.44.0.09170	2008.06.30	-
eSafe	7.0.17.0	2008.06.30	Suspicious File
eTrust-Vet	31.6.5914	2008.06.30	-
Ewido	4.0	2008.06.27	-
F-Prot	4.4.4.56	2008.06.29	-
F-Secure	7.60.13501.0	2008.06.26	-
Fortinet	3.14.0.0	2008.07.01	-
GData	2.0.7306.1023	2008.06.30	-
Ikarus	T3.1.1.26.0	2008.06.30	Email-Worm.Win32.Zhelatin.zy
Kaspersky	7.0.0.125	2008.07.01	-
McAfee	5328	2008.06.30	-
Microsoft	1.3704	2008.07.01	-
NOD32v2	3229	2008.06.30	-
Norman	5.80.02	2008.06.30	-
Panda	9.0.0.4	2008.07.01	-
Prevx1	V2	2008.07.01	-
Rising	20.51.02.00	2008.06.30	-
Sophos	4.30.0	2008.07.01	-
Sunbelt	3.1.1509.1	2008.06.30	-
Symantec	10	2008.07.01	-
TheHacker	6.2.96.365	2008.07.01	-
TrendMicro	8.700.0.1004	2008.06.30	-
VBA32	3.12.6.8	2008.06.30	-
VirusBuster	4.5.11.0	2008.06.30	-
Webwasher-Gateway	6.6.2	2008.06.30	-

So, as you can see, AV pickup so far has been non-existent although I am sure it will pick up soon. The IPs that are hosting the infected URLs are being rotated using fast flux. In just the 15 minutes that I have been monitoring some of the sites they have already changed IPs several times.

This is not likely to be the only time this week that we hear from Storm. Last year during the July 4th holiday is when we started to see the big fake e-card Storm surge. Although most people are used to seeing these by now, they always manage to be popular social engineering lures nonetheless.

Expect to see some revisit of Storm sometime later this week. It might not be e-cards, but in following with Storm's tradition of releasing new variants on or near holidays, I would be very surprised if a Storm weren't already brewing.

Nugache Worm Author Pleads Guilty

2008-06-30T09:46:29-06:00

Jason Michael Milmont, the author of the Nugache worm, and the creator of what came to be known as "Fast Flux" has plead guilty to one count of unlawfully accessing computers, a felony, in a Wyoming federal court.

Fast Flux is an abuse of the domain name system (DNS) by which botnets will continually rotate the IP addresses associated with a malware infected web site to evade detection and forensic analysis. This constant mobility makes the botnet very difficult to shut down.

There is also an evasion tactic called "Double Flux" which is similar to Fast Flux in that it will not only rotate a domain's responding IP addresses, but also that domain's authoritative name servers. The reason that it is called "Fast" flux is because these IP addresses will rotate as often as every couple of minutes.
The Nugache worm was used to launch distributed denial of service (DDoS) attacks as well as steal personal information such as credit card numbers from the computers that were infected with Nugache. It has been estimated that controlled up to as many as 15,000 on his botnet.

Under the terms of his deal Milmont has agreed to pay approximately $74,000 in damages and faces up to five years in federal prison.

In my opinion, this story is only significant because of Milmont's contribution to the botnet community with how his Nugache worm used peer-to-peer networking technology and fast flux in order to create a fully redundant, interconnected network to prevent his botnet from easily being shut down. The size of the Nugache botnet (about 15,000 computers) pales in comparison to some of the botnets that we are seeing today, but the work done by Milmont paved the way for worms like Storm which heavily relied on fast flux to stay alive.

Microsoft Identifies Tools to Address SQL Injection Attacks?

2008-06-26T12:09:43-06:00

According to this TechTarget article, Microsoft has a few tools that they recommend people use to address SQL injection attacks.

Don't be fooled by what is meant by "address" in this context. Let's be clear on what these tools do and what they don't do.

They DO:

-- Scan web sites and identify potential SQL injection vulnerabilities. Even Erik Peterson, a senior director of products for HP's application security center states that Scrawlr (one of the tools identified) falls short the functionality provided many commercial tools.
-- Analyze source code for potential vulnerabilities, however the source code analyzer that is recommended only supports ASP code written in VBScript.

Seems like we are quickly narrowing down the number of web sites these recommended tools will even function on.

They DON'T:

-- Provide protection against any attacks
-- Solve the real root of the problem which is ensuring programmers are following safe coding practices to protect the sites that they develop from SQL injection vulnerabilities.

If you use any of these tools that Microsoft is recommending, don't be lulled into the false sense of security that they can provide. As we can see, many free scanning tools have all kinds of limitations that will only provide the most basic of testing or only work provided that very specific technology conditions and phases of the moon exist.

I am glad to see that Robert Westervelt, the author of the article linked at the beginning of this post wrote up this clarification today. I like Robert and actually did an interview with him back in January related to PDF spam which posted to his blog, but I think his original article not only missed the mark, but could very well have generated a lot of confusion with junior security researchers and management folks on effective ways to detect SQL injection vulnerabilities.

Cyber Hitman of the Future?

2008-06-20T14:28:35-06:00

The July 2008 edition of PC Magazine has a short story on page 92 titled "Hacked Through the Heart" which references a paper published at secure-medicine.org discussing the possibility of hacking the human body through wireless reprogrammable Implantable Medical Devices (IMDs) such as pacemakers. These attacks could lead to effects such as changing the settings on the pacemaker or even disabling it entirely! The paper also goes into detail as to how some of these attacks would take place.

Although the paper mentions that as of right now these are theoretical scenarios, the more important point to remember is that these IMDs are driven by software and "where there is software, there are vulnerabilities" and "where there are vulnerabilities, there will be exploits." I could easily envision a scenario where this creates a Cyber Hitman of the Future where hits are carried out in such a way that they would be virtually untraceable and if executed correctly could have an elapsed time effect where the full damage of the attack may not materialize for days, weeks, or even months after it initially occurred.

On a lighter note, this certainly gives new meaning to the term "Insider Threat" (I'm funny on a Friday :) )

PornTube Malware and Spam Run in High Volumes

2008-06-19T18:01:00-06:00

Worm Alert!

We are currently seeing high volumes of a new spam run that contains a link to an pornographic web site that contains an ActiveX malware component. Our Threat Operations Center started seeing these messages at about 6am today and thus far we have received over 8 million of them (accounting for over 85% of our worm traffic over the past 24 hours). From what we can tell thus far the malware appears to be related to the Srizbi botnet.

There is no specific lure here as the subject lines to these messages are fairly random, but are trying to generate interest based on fake news stories. Here are some example subject lines that we have seen so far:

Batman latest movie bombs at box office
Britney found hanged in locker room
Celtics disqualified from NBA title
China Earthquake claims 1 million lives
Dan Brown's latest novel
David Cook American Idol - latest NEW single
Donald Trump missing, feared kidnapped
Egypt Giza pyramids rocked by massive earthquake
Eiffel Tower damaged by massive earthquake
Eiffel Tower suffers structural damage, collapse possible
Find out about Harry Potter's last novel
Ford unveils latest 2 door design hatch
Get Smart -- movie premiere
Get star wars photos
Get the latest discount plan from Ford Cars
Great Wall of China damaged by earthquake
Hiliary admits past failures
Hillary Clinton reveals husband's scandal secrets
Italy knocked out of Euro 2008
Las Vegas Hotel caught in fire
Lastest! Obama quits presidential race
London rocked by gas attack, army on high alert
Love Guru sneak previews here
Man wakes up from 40 year coma
Nokia unveils revolutionary new phone design
Obama suffers setback in polls due to sex secrets
Obama withdraws from elections
Oprah found sleeping the streets
Osama Bin Laden caught finally
Paris Hilton found to be gay
Saddam Hussein found dead
Star Trek star dies at age 79
Statue of Liberty struck by lightning, catches fire
Stonehenge damaged by massive earthquake
Top 10 movies of all time
Top comedy downloads
Top film from the Cannes
Turner Empire poised for bankruptcy file
Usher and Rihanna making out
Watch movie premieres now
White House hit by lightning, catches fire
Windows Vista URGENT upgrade installation

The messages themselves are one liners followed by a link to a YouTube look alike site called PornTube where the user is prompted to install a malicious Active X control. Most of the links that we have seen thus far point to a file named r.html at the end if the URL such as (obfuscated since most are still hosting active malware at the time of this posting):

hxxp://envol-restaurant.com/r.html

hxxp://spizarnia.nazwa.pl/r.html

hxxp://wandea1.wandea.org.pl/r.html

Upon visiting these sites you will see the PornTube site in the background and you get the following popup window:

If you click OK, the ActiveX control is installed and your PC is infected, however clicking the Cancel button displays this popup:

At this point you can get yourself into an endless loop of clicking the OK button on this window and the Cancel button on the previous window. The only way out of this (in Windows) is to kill your browser window via the Task Manager (or infect yourself, but let's assume that you don't really want to do that :) ).

Keep on the lookout for these as they are currently being distributed in fairly high volumes.

*** UPDATE 6/20/2008 12:00pm MDT *** After volumes peaking at about one million instances of this worm being seen per hour, as of early this morning it has dropped off to only about 5 thousand per hour. Looks like this one hit quick and is now tailing off.

New Storm Variant Claiming New Earthquake in China

2008-06-19T13:41:42-06:00

Starting yesterday (June 18th) we began seeing evidence of a new Storm Worm variant claiming news of a new Earthquake in China.
Some of the subject lines associated with these messages include:

2008 Olympic Games are under the threat
A new powerful disaster in China
A new deadly catastrophe in China
China is paralyzed by new earthquake
China's most deadly earthquake
Chinese people are horrified by new earthquake
Countless victims of earthquake in China
Deadly catastrophe in Chinese capital
Death toll in China exceeds 1000000
Death toll in China is growing
Earth tremors in China is going on
Recent earthquake in china took a heavy toll
Recent china earthquake kills million
Terrible earthquake devastated Beijing
The capital of China were collapsed by earthquake
The most powerful quake hits China
Toll mounts in China earthquake
Unprecedented earthquake in China

This is a pretty typical tactic for Storm: ride on the wave of current events as a social engineering lure to get users to click on links in emails. This variant is primarily targeting the Chinese earthquakes, but there is also a mention of the Beijing Olympics as well stating that the Olympics will be "under the threat."

If a user clicks the link within one of these emails, they are not immediately infected with Storm. They will be directed to a web site (all of the ones that we have seen so far have a .cn TLD) that looks like this:

It is important to note that this is not a real video player, but clicking the player will launch a file named beijing.exe which will infect your PC.

Volume of this variant is pretty low. We are currently seeing on the order of about 900 per hour in our Threat Operations Center. Expect to see similar stories of this nature threatening the safety of the Olympics as well as its participants and visitors as the event gets closer.

American in Heidelberg

2008-06-18T10:44:00-06:00

Last week I had the privilege of attending the 13th General MAAWG Meeting in Heidelberg, Germany (I serve as the co-chair of the Zombie/Botnet Subcommittee with my friend Ken Simpson from Mailchannels).

The MAAWG conferences are a great opportunity to meet and talk with some of the best minds in the anti-spam industry, discuss anti-spam tactics, operational best practices (what works and what doesn't), how to be a responsible ESP, and many other topics. Although MAAWG is largely run by ISPs, its mission is to also bring together both email senders as well as email receivers in a collaborative environment where both sides can attempt to work out best practice solutions so that senders can achieve better deliverability rates at the large mailbox providers, a constant struggle for ESPs.

If you are a messaging vendor or provider (and this includes both email filtering vendors as well as email senders) or an ISP, you are doing yourself a disservice by not becoming a member of an organization like MAAWG where ideas, practices and upcoming threats are shared that it is very likely you will not hear anywhere else.

This has been an unpaid advertisement :)

Before I close, I'd be remiss if I didn't bring up something security related in this post. So, I am standing in the security line at Denver International Airport about to go through the metal detector when the guy who was working behind the conveyor belt asks me and the woman behind me the standard "Any liquids, gels, or aerosols in your bag?" before our bags went into the X-Ray machine. I just look at him and say "No", but the woman behind me responds with "Not that I know of." Apparently this set off the ire of the TSA worker who immediately responded with "Not that you know of?! Don't you know what is packed in your bags, ma'am?" I'd never seen a TSA worker move so fast, but her bags were immediately yanked off of the conveyor, she was pulled out of line, and then was escorted by 2 TSA workers to wherever they take you likely to inspect every minute crevice of her bag.

For all of the flack that the TSA gets for either bad procedures or lack of attention to detail, you would think that as a traveler it is also our responsibility to know the basic responses to the simple questions security officers may ask you. The questions are neither tricky nor confusing. I guess this woman had to learn the hard way...

While on the Topic of Google Spam...

2008-06-05T13:54:19-06:00

I wonder if the folks over at Google got the message that service providers had finally had enough of dealing with the backscatter that was coming out of their mail servers because it has also significantly dropped off since we first started talking about it back in April. Backscatter (bounce messages attempting to be delivered to users that do not exist) rates from Google were over 50% on some days. This means that over 50% of the total mail that we were receiving from Google were these invalid bounces. The backscatter rate has dropped now to about 2% of the total mail from Google. That is still higher than what most would call acceptable, but when you are comparing over 500k messages per day to about 10-15k, I would say that is a significant improvement no matter how you slice it.

Unfortunately, though the problem has shifted from backscatter to 419 phishing scams. A 419 phishing scam is the advance fee fraud type of scam where for a small amount of money you can be promised to receive much more in return. 419 scams are also typically called Nigerian Scams. The term 419 comes from the Nigerian Criminal Code that deals with fraud.

Although still about 25% of the email that we get from Google's network is spam, the traffic has shifted from about 50% backscatter to about 50% phishing, in particular from IP addresses that start with 72.14.204, 72.14.214, and 72.14.246.

This is certainly not intended to single out Google either as they are not the only free webmail provider that we see enormous amounts of spam from. We see plenty from Yahoo and Hotmail as well. Google is the main provider on everyone's radar right now because of the quickly changing nature of attacks against their system and the rapidly changing view across many different industries of the viability of using Google as their business mail host. More and more legitimate businesses are having trouble sending email from their hosted GMail accounts to service providers because Google's mail servers are ending up on block lists with increasing regularity, a trend that is only gaining momentum amongst industry insiders.

Where Has All of the Google Spam Gone?

2008-06-05T11:15:00-06:00

Since February we have made several mentions of Google Spam and its migration from benign redirects to Canadian Pharmacy sites to malware distribution fake Osama bin Laden videos. We also saw a Storm Worm campaign which alleged to be a video codec that used this same technique.

Since February Google spam had accounted for anywhere between 1-5% of total spam volume, but over the past couple of weeks has all but completely disappeared.

Where did it go?

It seems to have migrated over to Microsoft's Live SkyDrive service. If you are not familiar with SkyDrive, it is a document hosting service being launched by Microsoft, similar to Google Docs.
Here is the basic premise on how this tactic works:

-- Email is received with a link to a document hosted on the SkyDrive service with some sort of social engineering lure as bait. The format of the URL is http://hostname.bay.livefilestore.com/..$very_long_hash_value…/$filename.html (where the hash is some calculated value and $file.html is the name of the hosted file)

-- User clicks the link to file hosted on SkyDrive, which in this case is an HTML file that contains a JavaScript redirect to a pharmacy website

-- Redirected web site is displayed in the user's browser and any background code executed which could include the drive-by injection of malware just as we saw with Google Spam.

The HTML file being hosted on SkyDrive is a simple, one line script :

<html><script language=JavaScript>window.location.replace("hxxp://songkhlong.com")</script></html>

Currently, SkyDrive Spam is accounting for a little over 1% of the total spam that we are seeing in our Threat Operations Center which means that it is currently as prevalent as both phishing and gambling spam. I don't believe that we have seen the last of Google spam, but focus definitely appears to have moved toward Microsoft for the time being.

As a side note, McAfee originally reported seeing large influxes of SkyDrive Spam back in January so SkyDrive spam isn't a new tactic, however it has dramatically increased in prevalence since the dropoff of Google Spam about 2 weeks ago.

*** UPDATE 6/5/2008 4:50pm MDT *** - It appears that Google Docs is also being targeted by this tactic. I just came across the below message (note the link at the bottom) from one of our spamtraps which hit our system yesterday (the hosted doc appears to have been taken offline by the time of this update):

Hi fellow

Is the Rising Cost of Prescrlption Drugsare cause of concern?

The rising cost of Prescrlption drugs may be costing you your health.
In particular, living on a fixedincome.

You can cut your Medicalbilling.

Simple Way to Cut Your Prescrlption Costs optfor Generic.

Genericpharmacy: A Cheaper Effective Alternative

Forget about huge spendings You can save upto 8O%

Hugesaving because the solutions is directly from manufacturer.

hxxp://docs.google.com/View?docid=3Dddsz3hdh_0wwwmrbm3

Poorly Crafted Fake CNN News Updates

2008-05-28T12:06:00-06:00

As I was going through one of our spamtraps a few minutes ago I saw a brand new message come in which claimed to be a CNN News Update. This was especially interesting to me because none of our spamtraps subscribe to any updates from CNN (or any other news organization for that matter).

So I started to do a little digging....

Below are the (somewhat elided) headers:

Received: from unknown [219.87.137.170] (EHLO mail.tfmi.com.tw)    by
XXXXXXXXXXXXX (XXXXXXXXXX) over TLS secured channel    with ESMTP
id XXXXXXXXXXXXXXXXXXXXXXXXXX (envelope-from
<news@cnn.com>);    Wed, 28 May 2008 11:32:13 -0600 (MDT)

Received: from User (dsl-KK-static-static-237.201.95.61.airtelbroadband.in
[61.95.201.237] (may be forged))    (authenticated bits=0)    by mail.tfmi.com.tw
(8.12.5/8.12.8) with ESMTP id m4SHTkxC005178;    Thu, 29 May 2008 01:29:49 +0800

If you are not sure how to read email message headers, here is basically how this message breaks down: It originated from a static DSL customer in India (dsl-KK-static-static-237.201.95.61.airtelbroadband.in) and routed through Taiwan (mail.tfmi.com.tw), then sent to our spamtrap.

Whoever is sending these spam messages either doesn't know what they are doing or is testing the waters for an upcoming spam/malware run. Here's why:

When I opened this message in an email client, the HTML within the message never attempted to render. Why? Because the content type of the message was set in the message header as plain text. This means that the email client should not attempt to render the HTML (show it as it would appear on a web page) rather display the raw HTML text to the user. Only the truly geeky, like me, would take the time to actually analyze this gibberish.

Also, the email had every link within the message (including the help text at the bottom of the message which is supposed to link to the CNN web site) pointed to a web site hosted in Italy. Here is an example taken directly from the email:

For assistance, go to <a href="hxxp://www.colectionarul.com/existenz1.html">CNN web page</a> and choose the "Help" link on any page.<br> If you do not want to recive any more news from CNN <a href="hxxp://www.colectionarul.com/existenz1.html">click here</a>!</span></font> <font color="#808080" face="Arial"></font></p>

There doesn't appear to be anything malicious on the page being linked to at colectionarul.com (at least right now), which leads me to believe that this was either someone who didn't know what they were doing and thus sent out a horribly broken spam message or someone who was doing a test run and that this was a prelude to more current event based social engineering tactics similar to what started the huge Storm Worm outbreaks in January 2007.

New Kind of Phish: Dead Phish!

2008-05-27T10:18:56-06:00

Thanks to James in our Threat Operations Center for forwarding me a sample of one of the funnier phishing tactics that I have come across. I thought an appropriate name for this type of scam would be "Dead Phish."

Here is a copy of the email (in all it unedited glory filled with spelling and grammatical errors):

Dear Sir,

We are in receipt of a Death Certificate certifying you dead and seeking the transfer of your over due contract funds to an Account in London.

All the local financial contractural obligations have been met and the funds is ready for transfer to the London account.

Please understand that if we do not hear from you in the next 7 days we shall treat you as dead and the funds shall be duly transferred.

You have been notified.

If this is false please write and let us have an affidevid to counter
this claims.

Yours faithfullly,

Mrs.callister Ibe

Chairman of Contract Review Panel

Phone:234-805-6135520.

This is another phish by phone tactic similar to what I have blogged about previously where the scammers are avoiding using web site links within their messages in an attempt to get by URL filters and built-in browser phishing detection.

My favorite part is where it says "You have been notified." What if I were actually dead? It's true that you can get your email just about anywhere nowadays, but I never knew that also extended to beyond the grave! This was a good way to start the post-holiday work week.

New Chinese Earthquake Relief Phishing Scam

2008-05-21T11:13:00-06:00

Sometimes the depths to which spammers will stoop really sickens me.

Even in today's criminally infested internet I sometimes naively hope that there is still some kind of Code of Conduct where trying to capitalize off of certain catastrophic events was considered taboo. As we've seen before, such as with the devastation caused by Hurricane Katrina back in 2005, the Indian tsunami in 2004, and now with the earthquake and aftershocks that have already killed over 28,000 people in southwest China's Sichuan province (with estimates that the death toll will be over 50,000 before the final counts are tallied) over the past week and a half, scams looking to tug at both your heart strings and purse strings have started popping up.
I'll abbreviate the message that we received for the sake of brevity (it's about the longest phish I have ever seen) as it gives a fairly detailed account of the plight of the person allegedly sending the message:

Dear friend,

I don't know your exact name. I can only guess.

I ask you to read my letter up to the end. After that you will be in the right to send my letter in a garbage basket or.......

My letter is caused by despair. I don't know to whom to address. I am compelled to ask for help any person. Namely you. I hope that mine letter has got to the person which has sympathy and compassion. I wish to trust in it.

My name is Arnulfo. My situation plunges me into depression and despair.

I will tell you shortly. I do not even know how to express correctly my thoughts. How to write you about it. I can tell with confidence that my hands shiver when I press on the buttons of the keyboard. Several days ago I could not think that I shall address to the stranger with such situation. Probably it's stupid or incorrectly. But it's the only thing that is left to do. I just ask to understand me. I even must say that it is a shame to do it.

I will continue. I don't know where you are. And I do not know what news you watched on TV or listened by Radio. I think that you could hear about Earthquake in China. My God, it's awful...

Me and my wife have flied to the country of Philippines two weeks ago. We wanted to search for a new place in this world, where we could create our new world. There where we
could live and create good family. We have got married a year ago. The matter is that my wife is a chinese woman, and I was born on Philippines, but has grown in Spain. My father is Spaniard, and my mum is Philippine. My parents have died several years ago. I have left to study in the university to another country. I studied Chinese
language and culture. There I also have got acquainted with Jin It's my wife. We have got married. And yes, we were happy. I will tell - We are happy together. But parents of Jin were against our marriage. And we have decided to search a place which will make us happy. We thought of Philippines.

All. Everything was good. Yes, everything was simply magnificent. Until the first impact has happened. We have heardabout it in the news. I do not want to describe that occured with Jin when she has heard about that her native city was completely destroyed. Her native city has been destroyed. Me and Jin were in panic. We have decided at once to come back to China to my wife's parents. Jin was in despair.

But the destiny has made a new turn. We had no money for air flight to China for two. We had money. We have made money transfer to the bank account in Philippines for purchase of a small house. But I can receive this money only on the 1st of June. Not earlier. Bank bureaucracy exists all over the world. We did not know what to do. Then we have found only one output. We have received all money which were on our ATM-cart. Me collected the sum of money for air flight only for my wife. It was a hard moment in our life. But then I did not know that the worst will be ahead. We have solved that my wife will go to China alone. It was a difficult decisions for me. But I could not stop Jin. And I could not fly together with her. Jin has quickly gathered and has departed. When she left tears flew on our cheeks . I do not know how to explain that I felt during this moment. But I understood that my wife felt. Mine Jin. Her parents were in trouble. I have remained alone not having money. My hotel accommodation has been paid for some days.

[ SEVERAL UNIMPORTANT PARAGRAPHS REMOVED ]

Also some kind people which know about my situation have helped me. I shall have the small sum of money. But a greater sum of money is required . I am lack of 1500$. I have no opportunity to find such sum of money. I tried all ways to find thó money. I do not wish to think that money solve everything in this world. I believe that the main thing is people and love. And I want to believe that I will be able to be beside my Jin soon . We are sure will be happy together.

Only despair has compelled me to write you this letter. Probably it sounds silly. You have a right to think about me all that you want. I shall understand you.I I address to you for a help. Your help is required to me. I will tell directly that I ask you to help me with money. I will return you money
later, right after as soon as I receive my money which are in the bank. I can return to you money on the first of June. I shall see the wife. I shall be with her. I can take care of her. After that I will return on Philippines to take back money. And I will return to you even more Money. I only ask to help me now.I have been explained that I will be able to receive money in Western Union. And I shall return the money to you in the same way. I am ready to return you more.

I will hope that my letter will not offend you because we are unfamiliar. I do not even know your name. I have taken yours e-mail from Internet. And I have hope that e-mail to which I write is of a good person.

I will understand you in any case. Iask to excuse me . I only want you to understood me. Only despair and love have compelled me to write this letter to you. I wish to use all variants To be near to my love.

And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.

I don't know what to tell you more . I believe in love and destiny. I ask you to answer me to this e-mail:

arnulfoqramos@yahoo.com.ph

I have registered it right now. I shall wait fo your answer to this e-mail. If you want to answer me

Yours faithfully Arnulfo

The words that I want to use to describe people who would try to capitalize on an event that has affected hundreds of thousands of people aren't appropriate for corporate blog nor for any other conversation for that matter. Every time I see these types of things, it further lowers my faith in humanity.

Please be on the lookout for this and other related scams over the coming weeks as we are sure to see more of them, likely alleging to be from relief organizations and/or companies who claim to be affiliated with them.

If you wish to make a donation to your favorite relief organization to help them to provide assistance to people around the world being affected by these horrific natural disasters please contact them directly. Do not respond to solicitations via email, even if they look legitimate or come from an email address that potentially looks legitimate.

*** UPDATE 5/21/2008 11:20am MDT *** Here are some of the subject lines that we are seeing associated with this scam:

-- Help me
-- Help me please. Read through the letter
-- Last hope. Help me please
-- I ask to help. Please

Rootkit Written Targeting Cisco Routers

2008-05-16T13:42:45-06:00

According to this article posted on CSO Online, a security researcher named Sebastian Muniz has created a rootkit that will work on "several different versions of IOS."

One of the concepts that I have been throwing out there since we originally started talking about drive-by pharming (aka DNS Rebinding attack) is the potential of similar vulnerabilities being exploited in an effort to move malware infections out closer to the network edge and create a "router bot" whereby a compromised router could potentially be used for the distribution of spam, viruses, and malware similar to how PCs are used today. This would be even more difficult to detect than a PC based malware infection, however as I do not believe that there are any network device based rootkit/malware detection engines that even exist right now (please do correct me if I am wrong here) although this may certainly create a market for them. Would you be able to easily detect if your router was being used to distribute spam if it wasn't affecting your web browsing or normal internet usage? Not likely.

One of the things that concerned me from the article was the quote from EuSecWest conference organizer Dragos Ruiu where he said that "nobody thought you could actually build exploits for Cisco." This is a dangerous attitude to have for any software application. I like to say "Where there is software, there are vulnerabilities." This is often followed by "Where there are vulnerabilities, there are exploits" although far more vulnerabilities exist than there are exploits written for them.

One should never assume that software is hacker-proof. It very well may be (however unlikely), but even making the assumption or suggestion is when you've conceded that your guard has been let down. Always remain diligent in your pursuit of security!

Ok, I'll step off my soapbox now. Have a great weekend!

Cell Phone Spam Becoming More Invasive

2008-05-12T12:35:30-06:00

I wanted to take a moment to respond to the New York Times article that appeared on their website on May 10th with respect to mobile phone spam.

Largely up to this point the United States has missed the boat as it relates to mobile phone spam. This is largely because the problem pales in comparison in the US to the rest of the world. When it is more of an issue here, however it will definitely become more problematic for consumers. In the United States your cell phone number very much becomes tied to your identity. If you change your cell phone number it is a real pain to have to make sure you notify everyone in your contact list (family members, friends, colleagues, etc) that you can no longer be reached at your old number. This combined with cell phone number portability that was introduced a few years ago makes it simple to even switch carriers and keep your number, which hadn't previously been possible. In some other countries, like Japan where mobile spam is a huge problem, cell phone numbers are throwaway. When the Japanese start getting spam on their cell phone, they change numbers until the new number starts getting spammed. Rinse and repeat.

In the United States there has mostly been a wait and see mentality as it relates to mobile spam, but few who have gotten spam on their mobile phone would disagree that it isn't an issue that needs to be addressed.

Let's look at it from the carrier's perspective first though. The article states that "Communications companies say they are not interested in spam as a profit center." I would say that "publicly" this is true, but if you look at it from a sheer numbers perspective, they carrier's are already making big money as a result of mobile spam. Let's use the following statement from the article: "getting as few as 10 unsolicited text messages a month at 20 cents each would cost an extra $24 a year".

Here is where the numbers game really kicks in.

If you assume 10 unsolicited text messages per month (which is a lot in my opinion!) this equates to $2 per month (using their pricing model). Surely some people will wait on the phone on principle alone in order to fight this additional $2 charge on their bill every month, however many will say that the long telephone waits in order to fight the charge and get it removed is simply not a productive use of their time and will leave it alone. This, of course, begs the question what the breaking point is? At what point do the lines cross whereby it is an efficient use of time to fight the charge. The answer to that question will lie with each individual consumer.

Where was I? Oh, yes! Security!

The article mentions that "The carriers regularly adjust spam filters to block offending messages. At Sprint, more than 65 percent of all text messages sent over its network are identified and blocked as spam before they reach customers." Spammers are aware that spam filtering for SMS spam is still not very mature. As such, it is a target that is more easily exploited than spam over email. To look at this as a cynic, is this also something that cell phone companies are putting considerable money towards stopping considering the amount of revenue being generated?

I as well as many others across the security industry have been predicting the wider scale movement of spam to mobile devices for the past couple of years now and have also discussed how much easier that movement is becoming due to the inbox and the personal computer becoming a lot more mobile. I wouldn't yet say that we have turned the corner as it relates to mobile spam nor would I say that we are on the verge of an epic increase, but the problem definitely continues to grow as the filtering technology lags behind. Mobile malware continues to grow also, albeit not nearly at the same rate as personal computer based malware. Now that most phones are coming with internet access, however the protections on those devices need to be at least on par with what is being provided for PCs.

Whaling Scam from the US Tax Court

2008-05-12T10:24:00-06:00

Please be on the lookout for yet another government agency tax scam making the rounds today; this one not spoofing the IRS, but rather the US Tax Court.

Here is an elided sample that has been received by our Threat Operations Center:

UNITED STATES TAX COURT

WASHINGTON, DC 20217

Docket No. 622-555. Filed May, 2008.

COMMISSIONER OF INTERNAL REVENUE

Petitioner.

EXECUTIVE NAME HERE
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE

Respondent.

PETITION

The Petitioner hereby petitions for a redetermination of forth by the Commissioner of Internal Revenue in his notice of deficiency (AP:FE:BOS:JHK) dated May 4, 2008

Please download a Copy of the Order, Letter, Notice or Other Document Being Appealed

This matter is before the Court on respondent.s Motion for Summary Judgment, filed May 10, 2006, and respondent.s Motion for Penalty under I.R.C. Section 6673, also filed May 10, 2006. As motions, without prejudice, and remand this case to respondent.s Office of Appeals.

Respectfully submitted,

Bennett H. Klein

Tax Court Bar No KB0214

400 Second Street, N.W.,
Washington, D.C. 20217.

The link in above sample goes to a web page hosted at the domain us-tax.org, which was just registered 4 days ago, May 8th. Based on the format of the scam URL in the above message this looks very much like some of the other recent executive targeted scams (like the US District Court scam that I also blogged about) that we have seen lately. It would not surprise me if the same people behind those scams are also originating from the same group of people.

*** UPDATE 5/12/2008 12:40pm MDT *** We are currently seeing these whaling scams hit our systems at the rate of about 150 per hour. Very low volumes in an attempt to fly under the radar as much as possible.

The Google Calendar Spam Dilemma

2008-05-12T09:52:31-06:00

There have been more and more complaints popping up on the internet lately in relation to a new type of spam: Calendar Spam. Calendar Spam introduces some new annoyances and some potential tricky pitfalls that we are used to seeing from typical spam.

Since the announcement of the Google CAPTCHA compromise and the influx of spam and blowback that has been eminating out of the Google network since, it is clear that there is no easy solution to this problem from Google's standpoint (I am giving them the benefit of the doubt that more is being done on the backend than their claims that they are shutting accounts down as quickly as they can, which is clearly a futile effort). Now spammers have started also abusing the Google system to send out spam calendar invites.

One might say: Calendar invites are no more intrusive than spam. I can easily delete them from my inbox just like any other message.

True, except the default behavior of the Google Calendar (and of the Outlook calendar, actually) is to automatically display events that you have been invited to in your calendar, even if you have not responded to them. So, what this means is that if the spammy calendar event was sent to you with a reminder (which they all are), then you will still receive the reminder notification even if you deleted the original invite from your mailbox.

So, what to do? Should you decline these events? Doing so and sending a notification back to the original sender is essentially a validation of your email address which will open the floodgates for more spam. Ignoring it obviously doesn't yield the desired result either as we just discussed.

In fairness, Google does provide some guidance on how to prevent Calendar Spam, which essentially involves not auto-adding events to your calendar. A nice work around, but certainly not a "fix" in my opinion. This is an important calendaring feature, which is why many of the widely used calendars support it. Simply turning it off because you are receiving spam calendar invites is merely an inconvenient band-aid.

I've also seen some people say "Google signs their mail with DKIM. Shouldn't that help?" Neither DKIM nor Sender ID Framework do anything to determine the reputation of the sender nor does it make any positive or negative determination as to the content of the message. They only help to determine whether or not the message was spoofed or forged. In this case, since the message is originating through Google's own servers, it will pass any kind of authentication mechanism.

This goes back to the age old discussion that we have had many times in that spammers will latch onto any type of technology they can get their hands on and will use and abuse it in every way possible (many times in ways you and I never even thought they could be abused!).

Clearly Google's problems are running deeper and deeper by the day. New vulnerabilities and abuses of their services are being unconvered on a seemingly daily basis. More and more service providers are starting to block communications from Google as a result which will start to make them a less viable option for users and businesses alike which will cut into Google's top and bottom lines. Google has some great tools and certainly are an innovation driven company. Now if only their security would start to catch up to their innovation...

Google AdWords Phishing

2008-05-07T13:49:00-06:00

The folks over at Trend Micro have a good write up on a new type of phishing scam that has started floating around over the last week or so: Google AdWords Phishing.

It looks like the scammers are using the same general content in their phish with a couple of different variations on the subject line and the tagline that appears at the end of the message.

The phishing link mentioned in Trend's blog points to a Chinese registered domain that appears to have been taken down as of the time of this posting, but being the resilient type that cyber criminals are they have started to send out a new spam run with links pointing a new domain (also Chinese registered): adwords.google.com.s0leo9.cn, which is currently still active.

Below is a screen shot of one of the phish examples that we saw hit one of our spamtraps (note where it is different between here and the screen shot posted on Trend's blog):

From a volume standpoint these phishing attempts appear to be coming in waves. For example, on Tuesday, May 6th our Threat Operations Center was seeing approximately 2,200 of these hitting our systems in the early morning hours up to about 7:00am. After that it dropped off to about 2 per hour. In the early morning hours of May 7th we were again seeing up to 550 per hour.

This tactic won't resonate very well with most people as even though there are quite a few organizations out there who are using Google Adwords to promote their products on Google search result pages, the actual audience that this type of scam will make sense to is pretty limited.

Peter Gabriel's Web Server Stolen

2008-05-06T12:48:26-06:00

According to Peter Gabriel's web site sometime on Sunday Night or Monday Morning their web servers were stolen from their data center.

I wonder if they broke in with a Sledgehammer? Or if they were Quiet and Alone? I wonder if the RIAA will sue the thieves for stealing music?

Ok, enough jokes....

Kind of makes you wonder how they got in....or does it? I've been speaking to several colleagues lately who either currently perform social engineering engagements or did them in previous lives and it is amazing to me the areas of buildings that they have been able to access and the confidential information that they have uncovered just by every day, common techniques that we all do: tailgating, acting like you misplaced your access badge, or just looking like you belong somewhere.

Then once they were in the data center, how did they access the cabinet that the servers were in? Many cabinets go from the floor to the ceiling or have safeguards in place to prevent the cabinet from being compromised from on top. They should also have at minimum either a keylock or combination lock (or both), not to mention that the data center should also have security cameras covering every square inch of floor space.

We talk about proofs of concept very frequently where the occurrence of one crime is a finger pointing towards the potential occurrence of something much more damaging. This is definitely one of those types of crimes. If it can happen at this data center, what is to say that this same thing couldn't happen at any number of others as well? What security policies does your data center have? How well do they follow them?

We make a lot of assumptions with regards to the security of data centers, but all the technology controls in the world don't make a bit of difference if they can easily be bypassed.

Happy Birthday Spam!

2008-05-01T13:07:00-06:00

It would be inappropriate for me to let this day go by without wishing a happy birthday to one of the most important and controversial terms of the early 21st century.

Spam!

No, not SPAM!

Spam!

I try to shy away from actual definitions of spam because it's scope has gotten so much wider from when the first spam message was sent by Gary Thuerk to a large swath of ARPANET addresses 30 years ago this month.

So, was Thuerk an overly aggressive marketer? Or a pioneer setting the stage for modern day cybercrime? In my opinion the answer is both, but to that I would add the disclaimer that if he didn't do it surely someone else would have.

One could also make the claim that spam started even prior to that using the CTSS (Compatible Time-Sharing System) "mail" command back in 1971 where a developer wrote a long anti-war message that began with "THERE IS NO WAY TO PEACE. PEACE IS THE WAY." Despite being told that using the CTSS mail system in that way would likely be viewed as abusive he defended his position with the statement of "but this is important!"

Obviously spam has evolved quite a bit from its days of ARPANET and CTSS, but there are still a lot of parallels in why spam is sent. The primary end-goal was the use of network technology and over the wire communication for the purpose of making money. Whether that has to do with trying to sell a product (either legitimate or illegitimate) or trying to get a user to install adware or crimeware on their PC, money has been, still is, and will continue to be the primary reason for spam.

As we also know, "Spam Ain't Just for Email Anymore." but still carries the common theme of network abuse. Social and mobile networks have been common recent additional avenues that spammers have been exploiting as well through SMS spam, blog spam. Also, communication technologies like Instant Messenger and Voice over IP (VoIP) haven't been immune either whose abuse have borne acronyms like SPIM and SPIT.

Bill Gates was clearly way off base when he predicted in January, 2004 that spam would be gone in two years. Spam is more prevalent than ever not only in our inboxes, but in just about every way that we communicate and collaborate. As long as people continue to respond to spam it isn't going anywhere. In fact, it will only continue to become more pervasive and unavoidable.

Telecommuters Surf Twice as Much Porn

2008-04-23T15:46:26-06:00

According to this article posted at PC Pro, ScanSafe says that remote employees are more than twice as likely to be surfing porn than employees who work in the office.

This is not a surprising stat as telecommuting takes a level of discipline on the part of the teleworker that is far and away greater than office-bound employees. What is surprising to me is that companies are ALLOWING this type of web surfing to be taking place on their corporate computers!

Porn sites are one of the biggest security risks out there. Porn sites commonly install malware, adware, tracking cookies, and other security risks that could cause a security breach to your organization.

In most cases you want to use technology as an enabler for employees to be as efficient as possible, particularly your remote employees who are frequently less scrutinized because most of management's attention is focused on the employees that are in the office every day. This, however is one of those instances where technology needs to enforce the policies of the organization so that the company can protect itself and its intellectual property from compromise and disclosure. Data leakage as a result of inappropriate employee web surfing and irresponsible organizational content filtering policies is one of the easiest insider threats to mitigate. Companies should be doing everything that they can be to assure that this is not an avenue of information disclosure.

New Phishing Scam Targeting Economic Stimulus Payments

2008-04-22T13:43:00-06:00

Right on cue we are starting to see phishing scams with an economic stimulus payment flavor. As we discussed in one of the IRS phishing scam blog entries we predicted that as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd based on the last two digits of your Social Security Number) we would start to see more scams around these payments. We are starting to see some of the first iterations of those scams today.

As has been common with most of the government agency spoofs that we have seen over the past year, this one has an IRS logo at the top of the message that is being pulled directly from the IRS web site at irs.gov.

The samples that we are seeing allege to be from "service@irs.gov" and have a subject line of "2008 Economic Stimulus Refund."

The phish content is as follows:

Over 130 million Americans will receive refunds as
part of President Bush program to jumpstart the economy.

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.

Please click on the link and fill out the form and submit
before April 24th, 2008 to ensure that your refund will be
processed as soon as possible.

Submitting your form on April 24th, 2008 or later means that
your refund will be delayed due to the volume of requests we
anticipate for the Economic Stimulus Refund.

To access Economic Stimulus Refund, please click here.

The "click here" link takes the user to a prototypical phishing site where they are asked for their bank routing number and checking account number so that the rebate can be directly deposited into their checking account. The scammers are also trying to establish a sense of urgency to get you to click the link by saying that you have to fill out and submit the form before April 24th if you want to get your stimulus payment on time. Failure to do so will result in delays. This could be an effective tactic against those who may not be scheduled to receive their rebate until July or against the extremely impatient who think that this could be a shortcut to getting their rebate quicker.

This is about the time that we expected to start seeing these scams start coming out, and this certainly won't be the last of them, especially since the distribution of the stimulus payments is expected to last a couple of months.

As with all of the IRS scams that we have seen to date, there are a couple of things that you should remember:

-- The IRS does not communicate with the public over email.
-- To that point, the IRS does not even know what your email address is. If you use at home tax software the software vendor might ask you for your email address, but this is for the purpose of sending you status updates with respect to your tax filing. These emails are not from the IRS.

With respect to the economic stimulus payments, also remember:

-- The economic stimulus payments are being distributed based on your 2007 tax filing. The information for how to distribute your rebate to you will be done based off of your tax forms.
-- The payment schedule for the economic stimulus payments has already been established by the IRS. There is no way to accelerate this process.

Malicious Google Spam Alleging News Video from Bin Laden

2008-04-21T11:32:54-06:00

We're seeing a new Google Spam run with a malware component making the rounds where the subject line of the message alleges that some of the more popular news agencies have released a Special Report with respect to a new video having been released from Osama bin Laden. Volume is currently only less than 1% of total inbound virus traffic, so it is pretty low, but is yet another abuse of the Google PageRank system in an attempt to deliver malware.

Some of the subject lines that we have seen include:

Special issue of news from CNN! Urgent Fresh News Usama Ben Laden!
Special issue of news from CNBC! Urgent Fresh News Usama Ben Laden!
Special issue of news from Financial Times! Urgent Shocking News Usama Ben Laden!
Special issue of news from CNN! Urgent Apocalyptic News Usama Ben Laden!
Special issue of news from Bloomberg! Urgent Fresh News Usama Ben Laden!

You can see a fairly common theme here.

The email itself is somewhat lengthy and mostly discusses the tragedies that bin Laden has orchestrated against targets around the world. The most pertinent parts of the message appear at the top (as usual, many grammatical errors exist throughout the message):

Special issue of news from Reuters! Urgent Dangerous News!

hxxp://www.google.com/pagead/iclk?sa=l&ai=PBXCNHM&num=03311&adurl=http://cavalldemar.org/news_usa.php

Usama bin Laden(Osama bin Laden) one of the largest organizers of terrorist

activity, and similarly the largest leaders of terrorist organization of Al

Kaeda, detained American soldiery force in Iraq.

This particular sample was taken from a message where the subject says that the news update is from CNN so you can see that the news agency in the subject line is not necessarily consistent in the actual message itself. If the link from the message is followed, it directs the user to a page where they download a file named videousa.exe, which contains the malware.

Also, as of the time of this posting the link to hxxp://cavelldemar.org/news_usa.php (domain registered in Spain) is still active and AV identification is spotty:

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.4.22.0	2008.04.21	Win-Trojan/Agent.77824.DX
AntiVir	7.8.0.8	2008.04.21	TR/Crypt.XPACK.Gen
Authentium	4.93.8	2008.04.20	-
Avast	4.8.1169.0	2008.04.21	-
AVG	7.5.0.516	2008.04.21	Downloader.Zlob.12.AH
BitDefender	7.2	2008.04.21	-
CAT-QuickHeal	9.50	2008.04.19	(Suspicious) - DNAScan
ClamAV	0.92.1	2008.04.21	-
DrWeb	4.44.0.09170	2008.04.21	-
eSafe	7.0.15.0	2008.04.17	Suspicious File
eTrust-Vet	31.3.5720	2008.04.21	-
Ewido	4.0	2008.04.21	Backdoor.Agent.gxg
F-Prot	4.4.2.54	2008.04.20	-
F-Secure	6.70.13260.0	2008.04.21	Backdoor.Win32.Agent.gxg
FileAdvisor	1	2008.04.21	-
Fortinet	3.14.0.0	2008.04.21	-
Ikarus	T3.1.1.26	2008.04.21	Trojan.Win32.Revelation
Kaspersky	7.0.0.125	2008.04.21	Backdoor.Win32.Agent.gxg
McAfee	5277	2008.04.18	-
Microsoft	1.3408	2008.04.21	TrojanDropper:Win32/Nuwar.gen!lds
NOD32v2	3043	2008.04.21	-
Norman	5.80.02	2008.04.18	-
Panda	9.0.0.4	2008.04.20	-
Prevx1	V2	2008.04.21	-
Rising	20.41.02.00	2008.04.21	-
Sophos	4.28.0	2008.04.21	Mal/Generic-A
Sunbelt	3.0.1056.0	2008.04.17	-
Symantec	10	2008.04.21	-
TheHacker	6.2.92.285	2008.04.19	-
VBA32	3.12.6.4	2008.04.16	Trojan.Win32.Revelation
VirusBuster	4.3.26:9	2008.04.21	-
Webwasher-Gateway	6.6.2	2008.04.21	Trojan.Crypt.XPACK.Gen

Fake video downloads and updates have been a pretty common theme for the Storm Worm folks for quite some time now. This "news story" social engineering tactic is what Storm originally used to get most people infected back in January, 2007, so many people have already "been there, done that" which is likely why infection rates are staying pretty low.

Cyber Criminals Go To Great Lengths To Establish Trust

2008-04-18T13:37:53-06:00

Over the past 10 months or so we've often discussed different social engineering tactics as it relates to different types of spam and malware campaigns. These tactics range from using pinpoint precision to identify individual scam recipients (like CEOs and other C-Level Executives) to using tragic current events, naked celebrity videos, holiday e-cards, IRS tax refunds, or free/discounted sporting event tickets as a lure to get people to open malicious email attachments or click links that redirect them to web sites that are infested with malware.

So, the question is: How far will cyber criminals go in an attempt to get a foothold on your PC or steal your personally identifiable information?

The answer is simple: As far as they need to.

Cyber criminals will go to whatever lengths are necessary to trick you into doing what they need you to do in order to get infected with malware. This means that the success of their campaign is almost solely related to their ability to establish trust and to make their campaign appear as legitimate as possible. As an example, some of the IRS tax refund scams that we have been seeing this tax season even go so far as to link to or display the real IRS web site's logo, Privacy Policy and Online Help. The Federal Subpoena scam that we spoke about earlier this week included not only the name of the person that the scam was being sent to and their company name, but also their phone number!

As cyber criminals continue to hone their social engineering tactics, it is becoming more and more critical that people understand, are aware of, and keep a keen watch out for new potential threat vectors and the techniques that are being used in order to trick them into giving up information that could result in loss of identity, company secrets, or their life savings.

Losses being incurred as a result of cyber crime are increasing at an alarming rate and now we have reached the point where people are more fearful of being a victim of cyber crime than they are physical crime. According to Gartner, losses as a result of phishing alone could top the $4B mark in 2008! That increase is no accident and does not appear to be slowing anytime soon.