July 2012 Special 6-month Edition

Threat and Spamscape Report

July 2012

What We've Seen So Far in 2012

So far in 2012 we've already witnessed a great amount of activity targeting many facets of our everyday lives. We've seen some minor wins for the good guys in the face of some major adversity from the bad guys. We've also witnessed the uncovering of a few apparent government-sponsored cyberattacks that have really made people sit up and notice. We've also seen many appearances from the top contenders in the malware world: Zeus, SpyEye, and the Blackhole toolkit have been the most prominent names this year on the malicious cyber front. Here are a few of the other highlights from the first six months of 2012:

  • As more and more people are using smartphones, we're seeing more and more spam and malware targeting these devices. With increased functionality comes increased risk.
  • Zeus has once again been one of the big three thus far into 2012. Even though the source code was apparently given to the author of the SpyEye toolkit, we're still seeing many variants in circulation that are independent of SpyEye. We've seen campaigns pretending to be banking security updates, we've seen them posing as receipts, and we've even seen Zeus hide some possibly inane environmental propaganda within one of its campaigns.
  • Speaking of Zeus, we saw an interesting variant on the morning of May 23rd cycle through. This particular campaign brought a little extra fun to the party in addition to its normal MO. A fake anti-virus scam by the name of Smart Fortress 2012 was also included, something we hadn't seen riding on board with Zeus before.
  • In addition to Zeus, the Blackhole crime toolkit has quickly made its way into the ranks of the heavy hitters. It's sold cheaply on the underground forums and is readily available to all who know where to pick it up. One campaign of interest in April even leveraged exploits from the Blackhole toolkit to create a foothold, and installed the Zeus Trojan once it was inside.
  • In the wake of the big Stuxnet/Duqu worm discoveries of last year, another very complex piece of code was discovered this year targeting Iran and North Africa. It was dubbed Flame, and has kept the media closely tuned in to government-sponsored "cyber warfare".
  • The identities of the Koobface gang were discovered early this year and their attack on users of Facebook ceased rather abruptly as their images and identities were released to the world.
  • The SpyEye toolkit is one of the most expensive available on the underground market specifically for its effectiveness and support from its creator. It is for these reasons that we often see several campaigns originating from this tool on nearly a daily basis. One of these in particular leveraged what appeared to be a rather pricey online pizza order confirmation.
  • As usual, as tax deadlines approached in the U.S., financially themed malware campaigns started hitting our filters at full speed. One of these in particular used the popular financial software company Intuit as a disguise.

Total Email Traffic Volume

This chart represents both total and spam traffic throughout the first 6 months of 2012. Spam levels were on the decline during the first 5 months of the year, but in June spam levels started to pick back up and we saw the first month-over-month rise in spam of 2012. So far this year we have quarantined 10.6 billion spam messages.

Tests Failed

This chart represents the number of times messages failed various tests over the past 6 months. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the year thus far.

Regions of Origin

This graph represents both spam and malicious email traffic by region. We have seen an uptick in spam messages emanating from Asia during the first half of 2012.

Top Ten Countries of Origin

This chart represents the top countries from which spam originated during the first 6 months of 2012. The US and India were by far the world leaders in spam output.

Top Email-Delivered Viral Threats

These are the top 20 malware threats we saw over the last 6 months in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver Analysts. (This doesn't mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them did.)

  • X.HTM.Java.BH.4512
  • X.W32.Oficla-A1020.pak
  • X.W32.bredo.pak.416.a
  • X.HTM.Java.BH.410.sm
  • X.W32.kryp.621.pak.a
  • X.UPX.App.pakuber
  • X.W32.bredo.hp.45a
  • X.W32.Bredo.App.pakc
  • X.W32.Zbot.OVD.pak
  • X.TorSin.htm.217
  • X.W32.PX.pakb
  • X.UPX.App.pakuberc
  • X.Mal\BredoZp-B-5.12DHLEr
  • X.W32.Mytob.App.pak
  • X.W32.kryp.621a
  • X.W32.PECxt.a
  • X.W32.kryp.619a
  • X.W32.Kryptik.dhl.065a
  • X.W32.troj.banker.spy.615
  • X.W32.Androm.58a

6 Month Virus Activity

This chart represents email-borne virus and malware activity during the first 6 months of 2012, as seen by AppRiver filters. After a very slow start to 2012, Q2 was defined by a huge spike in malicious emails being sent out. Of the 104 million malicious emails that we have quarantined so far this year, nearly 87 percent were in the second quarter of 2012. Additionally, a growing number of cybercriminals are now opting to attempt to infect users by way of malicious URL links within emails rather than the traditional method of delivering executables inside attachments.

Image Spam

The chart below represents total Image spam seen by AppRiver filters so far during 2012. Image spam was on the decline in Q2 of 2012.

A Surge in Smartphone Spam

Remember the days when spam was free? Everyone hates it, and we had only just gotten used to it constantly aiming for our inboxes. Now these pesky messages are everywhere, including your phone. And they're not just annoying anymore. They're actually costing unlucky recipients money.

For many, every text to their phone translates to another little charge on their bill. Spammers are cashing in on this and on the ease with which users can follow links in SMS messages. The texts are growing more and more prevalent, offering free gift certificates, iPads, and iPhones. Just for fun, we took the bait to find out what one of these campaigns was up to.

It appears we were randomly selected, which is sort of true. These spammers are using automated dialers to send these out en masse. Don't be tricked into responding to them or clicking on the links. If you respond, they'll often be able to tell that they've got a live one, and you'll quickly become a favorite.

This particular campaign is simply an attempt to trick its victims into willfully accepting their unrelenting "marketing" blasts. They never really give anyone anything, nor does it seem that they ever offer anything real. Oftentimes, though, these links can lead to malware.

The mobile market is a growing target for these guys as operating systems become more and more predictable (read: iOS/Android). In this case, it works in the same way as another shady practice called "Pay Per Install". The PPI business is all over the place, as exemplified by those sneaky toolbars that people accidentally install with other software. In the PPI business, people become affiliates for other software makers. Some are legitimate; others not so much. The affiliate gets a tiny fee for every unique installation of the software. To make big bucks, however, affiliates need to send these things to as many people as possible.

This is the same model now being used by text spammers. The people blasting out these texts are affiliates trying to rip people off. The affiliate ID is appended to the end of the URL in the link above. Every time a unique IP visits that website, this affiliate makes a little money. Anyone following the link would be redirected through about six or seven different sites, each one with a different affiliate ID. (This is likely the same person attempting to use and capitalize on several different programs at once.)

Usually these are survey scams that trick people into receiving several very high-cost text messages, but this one only offered a convenient way to purchase from their affiliates, continue making purchases from them, and then make some more. When the user catches on and stops buying, the company can say that the victim broke the contract, so they won't have to send them anything.

Just in case somehow a person did legally stay true to their ridiculous demands, they also have a clause that says "Company reserves the right to substitute a product of comparable value for the reward. 'Comparable value' shall be determined by Company in its sole discretion." "Company" doesn't even have a name. Also included is an agreement to accept their future spam onslaught, which was certainly not legal in the first place thanks both to the CAN-SPAM Act and the Telephone Consumer Protection Act. We're not exactly sure how binding this electronic contract is, but they've certainly put forth the effort.

Zeus Continues its Reign

Zeus has been plaguing us for quite some time now and has come to us in many different forms. One in particular proved to be a little more than met the eye. This one was a little different, but the difference wouldn't have been noticed without a deeper look into its devious inner workings. Just when we began to think that our old friend Zeus, the banking credential stealing scourge, was just a shallow one-sided thief, something like this happens. During the first week of January we saw several varieties of the Zeus banking Trojan hit our filters, but this one in particular came with a bonus environmental message hidden within.

On the outside this Trojan was dressed up as a "Credit Notification" from Wells Fargo informing recipients that their accounts had been credited $11,000.00! Wow, that's a lot, and for those who may believe that this must be some sort of mistake, the authors of the email attached handy details of the transaction in a file suitably named "transaction&details.zip".

Once executed, the attachment went to work embedding itself on the victim's machine. A file by the name of unve.exe was created in multiple instances that opened up network connections and was in charge, along with a batch file by the name of tmp6f953619.bat, of monitoring and stealing banking credentials.

There was one curious behavior that happened behind the scenes, however. The malware also opened a network connection, silently downloaded a JPG file from a Dropbox account, and left it on the newly infected PC. The image was entitled "climate_killing_banks.jpg" and depicted a bar chart of the top 20 banks that have financed coal electricity and coal mining since 2005. It was either a chart created to point out those banks that contribute to negative environmental impact, or perhaps a chart created by the coal industry to point out its best supporters; it could go either way. This image was never opened or displayed during infection; it was simply left behind for someone to find later. This is certainly an interesting message from these thieves, one that says "We may be robbing you blind, but we have real concerns too. Let's make this a better world to live in" (or something like that).

Zeus Brings a Little Something Extra to the Party

Early on May 23rd we saw a new payload peppered in with the many Zeus and SpyEye offerings. It appeared to be a new version of the already infamous toolkit known for stealing financial data. In addition to performing the same behind the scenes malicious activities such as stealing browser cookies, ftp credentials, banking login credentials, and general keylogging, this version added a new flavor to the mix. This one included what appeared to be a new brand of Fake AV or Ransomware on top of what it had already been offering. Let's start at the beginning:

These arrived as emails pretending to be from PayPal. The emails claimed that the recipient had made a payment to some random person whose name changed from email to email. The amount sent was usually a pretty large number, in the hundreds of dollars range. Once this was successful at grabbing the victim's attention, they would then likely be persuaded into clicking one of the several links included to supposedly contact PayPal to see what's going on. Once clicked the malware went right to work contacting an abundance of various domains which would then begin downloading and installing various components of the malware. This particular variant contacted an initial 16 different domains to gather its wares.

Among the actions we now consider normal for Zeus, such as making copies of itself and injecting itself into running processes, Zeus also disabled error messages, firewalls and existing Anti-Virus solutions just before it presented the newly infected user with what it called Smart Fortress 2012. The new fake Anti-Virus software then started, appeared as if it was scanning the system, and began displaying a long list of "infections". Though it is true that this machine would indeed now be infected, it was not by anything that the fake software displayed. Now, not only was Zeus stealing money beneath the surface, but it was also trying to get its victims to willingly hand some over in order to regain control of their computers. Little did they know that attempting to appease the fake AV by paying for "malware removal" would only result in losing more money and keeping all of the same infections. The best thing to do for users who saw this Smart Fortress pop-up would have been to disconnect all network connections and hope that their backup was up to date.

For some reason this particular Smart Fortress addition to Zeus only ran for a couple of hours before we stopped seeing it. After that Zeus continued on with its old tricks, shedding the fake Anti-Virus technique. These things do come and go, and the fake AV angle has been used many times in the past. It is possible that Zeus had rented out some temporary space in its payload to another group, or that they were just trying something a little different.

One Bad Egg

Another somewhat flashy malware campaign we saw in April was one pretending to be a purchase receipt again, but this time from newegg.com. As most people likely know, NewEgg is an online shop for everything computer, a parts and peripherals place that most people have likely ordered from at least once. Here again the receipt doesn't provide details on exactly what was supposedly purchased, but it did provide links where one could "contact" them with questions. These links went where one might expect by now: not to the NewEgg staff, but to one of many websites containing a custom-crafted index.html page with exploit code from the Blackhole toolkit. Among many downloaded exploits and bits of malware, this particular infection also led to the creation of a file by the name of 7zBY7xS.exe. This file is recognized as a variant of the Zeus family of malware. With these two power hitters sharing the same stage, it's apparent that this particular malware run was really up to no good.

'Flame' Trojan, another Piece of Government Sponsored Malware?

A recently discovered piece of malware dubbed "Flame" appears to be a highly sophisticated espionage toolkit that is currently making its way around targeted systems. The malware goes to work by spying on infected systems and capturing a large amount of information. To date, infections are concentrated in Iran and other countries in the Middle East and North Africa. Flame has capabilities to exfiltrate all types of data, including documents stored on host machines, record keystrokes, take screenshots and even activate microphones to listen in on conversations. It appears that this is another state-sponsored infection such as Stuxnet or Duqu. However, Flame does not appear to have the same author.

What's particularly disconcerting from a security standpoint is that Flame went undetected for nearly two years. We wrote about targeted malware attacks in AppRiver's 2012 Prediction Report and discussed the high probability that if in the wrong hands, targeted malware could become weaponized:

Targeted Malware - Stuxnet and Duqu raised more than a few eyebrows as they may have done more than unwillingly steal the top of the headlines this past year. These incredibly complex pieces of malware made their way to specific targets with incredible swiftness and accuracy. There's no doubt that this type of attack, whether it be government-sponsored or otherwise, will remain at least as prevalent, if not more so, in 2012. The Flame toolkit also shows evidence of state sponsorship, though it almost assuredly has different authors and a less focused goal. Its highly complex code gives analysts a strong feeling that this is no ordinary malware, but instead something that was meant to gather as much information as possible from its intended targets. It is obvious now that cyberspace has been weaponized, and we will continue to see attacks of this fashion as long as they remain effective.

Stuxnet, Duqu and Flame are great examples of the era in which we now live, where cyber-war and cyber-espionage are becoming more mainstream and are successfully exploiting infected systems. Unfortunately, we can expect to see these types of threats grow in sophistication and regularity in the years to come.

The Gig is Up for the Koobface Gang

Chalk up another win for the good guys this year so far! Thanks to the tireless efforts of the Facebook Security Team, five men have been ousted as the people behind the Koobface family of malware that had plagued Facebook for several years. These five men were traced to St. Petersburg, Russia, where they were living high on the hog. Their eventual undoing was through a sloppy mistake made on one of their command and control servers. First, the person responsible for the C&C's upkeep accidentally left a service available which allowed any visitor to view inbound traffic data, and after that, analytics software installed on the machine led researchers to the Koobface main server in charge of pushing out all major updates. Once this IP was identified, the ball started rolling. Domains that were hosted on the same server were then linked to two of the five men involved with the malware distribution ring. Ironically, the gang's favorite infection vectors, social networks, were then used to put all of the pieces together using information that the participants left out in the open on these sites and others. Now a wealth of information has been collected on these men, and Russian authorities have been informed. Even though none of the men have yet been arrested, their C&C server has been brought down, and Koobface is no more. Now we just wait until the foreign authorities do the right thing.

SpyEye Tries its Hand in the Pizza Business

Another interesting and unique ploy by the bad guys this month came in the form of an itemized receipt claiming that the addressee had just ordered a pizza. On the 24th we saw right around a million pieces from this campaign alone, coming in at a rate of 1500 per minute at its peak. The pizza order varied from email to email but was always a rather large one with a rather hefty price tag. Toward the end of the order was this line: "If you haven't made the order and it's a fraud case, please follow the link and cancel the order." Most went ahead and clicked the "Cancel Order Now" link, since they hadn't ordered an overpriced pizza.

Out of the million or so emails, the "Cancel Order Now" links were sharing references to 40 different domains. All of them hosted a page that displayed the heading "WAIT PLEASE" in bold letters followed by "Waiting..." below. Beneath the surface though, the page was running three different scripts attempting to download and run another script by the name of "js.js" from three different places. All of these did the same thing and the redundancy was in case any of the three sites went down.
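One defensive check for the loader-page pattern described above, written for this edition as an added example and not part of the original report: it parses a constructed HTML sample modelled on the "WAIT PLEASE" page and flags any page whose visible text is near-empty while the same script filename is fetched from several distinct hosts (the fallback redundancy the campaign relied on). The hostnames are placeholders, not the campaign's domains.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (assumed layout; the real campaign pages
# are not reproduced here). Hosts are placeholders.
SAMPLE_PAGE = """<html><body>
<h1><b>WAIT PLEASE</b></h1>
<p>Waiting...</p>
<script src="http://host-a.example/stat/js.js"></script>
<script src="http://host-b.example/img/js.js"></script>
<script src="http://host-c.example/js.js"></script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external <script src=...> URLs and the visible text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies are not user-visible text.
        if not self._in_script and data.strip():
            self.text.append(data.strip())


def script_hosts(html):
    """Return (basename -> set of hosts it is loaded from, visible text)."""
    p = ScriptCollector()
    p.feed(html)
    hosts = defaultdict(set)
    for src in p.scripts:
        u = urlparse(src)
        name = u.path.rsplit("/", 1)[-1].lower()
        if u.netloc and name:
            hosts[name].add(u.netloc.lower())
    return dict(hosts), " ".join(p.text)


def looks_like_loader_page(html, min_hosts=2, max_visible_chars=40):
    """Heuristic: almost no visible text, and one script name pulled
    from min_hosts or more different hosts. Returns (flag, details)."""
    hosts, visible = script_hosts(html)
    redundant = {n: sorted(h) for n, h in hosts.items() if len(h) >= min_hosts}
    flagged = bool(redundant) and len(visible) <= max_visible_chars
    return flagged, redundant


if __name__ == "__main__":
    print(looks_like_loader_page(SAMPLE_PAGE))
```

A page with substantial visible content, or with each script loaded from a single host, is not flagged; the thresholds are tunable starting points, not a signature.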

The "js.js" script pulled down several files from the IP which is located in Chicago, IL. All of these belonged to the SpyEye family. Among the ones pulled down was a pdf exploit as well as a Java exploit. Once these weaseled their way into the newly infected system, a myriad of further downloads and communications took place, including a couple of components that made encrypted POSTs to in France.

SpyEye became somewhat infamous in the underground economy when it appeared on the scene three years or so ago and went against then front runner Zeus. Both of these were being sold as automated malware toolkits on underground forums. The authors of these toolkits were in competition with one another until the author of Zeus sold his source code to the SpyEye author who then incorporated it into his kit. Zeus is still available for purchase, but it has been replicated and reused by many different groups, especially since the code was released. As a result there are many different unsupported versions going around.

SpyEye, on the other hand, is available at a cost upwards of $10,000 US. This version is specifically customized and supported by the author. The cost of the kit often comes with a year's license, and the author will answer any questions to help users get it off the ground. He will also help to repack its payload into new undetected variants as many times as necessary for the length of the license. This just goes to illustrate the professionalism on both sides of the coin.

Intuitive Malware

It isn't uncommon to see financially themed malware year-round; however, as the US tax deadline approaches, we tend to see much more of it. Early in the month of April, as well as a few weeks beforehand, we were seeing a lot of malware campaigns pretending to be emails from the do-it-yourself accounting software company Intuit. This particular campaign was disguised as a receipt from Intuit Marketplace, an online service where people can order business materials such as checks, business cards, and tax forms, among other things. As is often the case, this receipt is rather generic and fails to itemize the recipient's apparent order, nor does it give a cost. It does give two different options to find out about this mysterious Intuit order, though: one is to call the provided 900 number at a rate of $4.79 per minute, or there's a link from which you can download the complete order. The charged phone call option is there most certainly to steer people towards the download link. Once that link was clicked, the victim was secretly redirected through several different websites containing a slew of exploits, specifically malware that attempted to pierce unpatched holes in Java as well as a PDF exploit. Once the compromise was achieved, the victim's computer was taken under the control of its attackers.

This information is also available as a PDF download: the July 2012 Threat & Spamscape Report.