June 2012

Threat and Spamscape Report


What We Saw in May

Overall, our traffic volume declined during the month of May. Even with the decline, the United States remained in the lead as the largest single source of spam, originating over 200 million pieces of unsolicited junk mail. Meanwhile, virus traffic remained high, peaking at nearly 2 million messages in a single day towards the end of the month. We also saw a handful of scams repeat throughout the month, reusing the same themes over and over with only slight variations in their payloads. All in all, it was business as usual. Here are a few of the other highlights from May:

  • Continuing from April, we saw emails targeting businesses that pretended to be from the Better Business Bureau and informed management that complaints had been filed against the company. The attachment was supposed to contain the details; instead it contained a Trojan downloader poised to download and install a Zeus variant.
  • Speaking of Zeus, an interesting variant cycled through on the morning of the 23rd. In addition to its normal MO, this campaign brought a little extra to the party: a fake anti-virus scam by the name of Smart Fortress 2012, something we had not seen riding along with Zeus before.
  • Another scam we saw over and over during May was an old favorite targeting LinkedIn members. Claiming that messages were waiting, these emails instead linked to SpyEye.
  • A new piece of malware, dubbed "Flame", has been discovered in the wild targeting Middle Eastern and North African countries, and it has all the hallmarks of a state-sponsored attack. As with Stuxnet and Duqu, its code is far more complex than everyday malware. Even though the indiscriminate, attack-anyone kind of malware has become more and more complex in recent years, Flame is still on a completely different level.

Total Email Traffic Volume

This chart represents both total and spam traffic throughout the month of May. Spam traffic tapered off as the month went on. In all, our spam and virus filters quarantined around 1.5 billion messages during May.

Tests Failed

This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the number of individual spam messages seen during May.

Regions of Origin

This graph represents both spam and malicious email traffic by region. The distribution of spam origins remained relatively unchanged during May.

Top Ten Countries of Origin

This chart represents the top countries from which spam originated during May. Nine of the top ten spam-originating countries showed a decline in spam output during May; the exception was Iran, whose modest increase propelled it into the number ten spot.

Top Email-Delivered Viral Threats

These are the top 20 malware threats we saw last month in order of frequency, with the most frequent in the top position. Virus names that begin with "X." signify rules written by AppRiver analysts. (This does not mean that other anti-virus vendors never had definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them did.)

  • W32.Bredo.App.pakc
  • X.W32.Zbot.OVD.pak
  • X.Mal\BredoZp-B-5.12DHLEr
  • X.W32.Mytob.App.pak
  • X.W32.Androm.58a
  • X.W32.bbb.zbot.52b
  • X.DHL.TROj.ndg514
  • X.W32.spmpic.img.jr5.3a
  • X.W32.BBB.59a
  • X.W32\Zbot.CJFW.a
  • X.UPX.App.pakuber
  • X.W32.androm.pak.58a
  • X.W32.J.Androm.bb
  • X.DHL.TROj2.ksa515
  • X.W32.Zbot.img.57a
  • X.W32.Sasfis.pak
  • X.Troj\Zbot-BUX.0506BBB
  • X.W32.Bredo.dhl.0516a
  • X.DHL.TROj2.ndg515
  • X.W32.troj.58.b

30-Day Virus Activity

This chart represents email-borne virus and malware activity during May as seen by AppRiver filters. Email-borne virus messages kept up their rapid pace for the second month in a row; in all, we quarantined over 29 million of these messages during May.

Image Spam

The chart below represents total Image spam seen by AppRiver filters during May. The common tactic of disguising spam content within images remained active in May.

'Flame' Trojan, another Piece of Government Sponsored Malware?

A recently discovered piece of malware dubbed "Flame" appears to be a highly sophisticated espionage toolkit that is currently making its way through targeted systems. The malware spies on infected systems and captures a large amount of information. To date, infections are concentrated in Iran and other countries in the Middle East and North Africa. Flame can exfiltrate all types of data, including documents stored on host machines, and can record keystrokes, take screenshots and even activate microphones to listen in on conversations. It appears to be another state-sponsored infection in the vein of Stuxnet and Duqu; however, Flame does not appear to share their authors.

What is particularly disconcerting from a security standpoint is that Flame went undetected for nearly two years. We wrote about targeted malware attacks in AppRiver's 2012 Prediction Report and discussed the high probability that, in the wrong hands, targeted malware could become weaponized:

Targeted Malware - Stuxnet and Duqu raised more than a few eyebrows, and they may have done more than just take over the headlines this past year. These incredibly complex pieces of malware made their way to specific targets with incredible swiftness and accuracy. There is no doubt that this type of attack, whether government sponsored or otherwise, will remain at least as prevalent, if not more so, in 2012. The Flame toolkit also shows evidence of state sponsorship, though it almost assuredly has different authors and a less focused goal. Its highly complex code gives analysts a strong feeling that this is no ordinary malware, but instead something meant to gather as much information as possible from its intended targets. It is obvious now that cyberspace has been weaponized, and we will continue to see attacks of this fashion as long as they remain effective.

Stuxnet, Duqu and Flame are prime examples of the era we now live in, where cyber-war and cyber-espionage are becoming mainstream and are successfully compromising their targets. Unfortunately, we can expect these threats to grow in sophistication and regularity in the years to come.

Anti-Social Networking

As has been the case for a good long while, spammers, scammers and malware authors go where the people are. A sure-fire bet for the biggest audience is the social networking sites. Facebook, with its active user count now at 800 million, has certainly been a constant target over the past few years. LinkedIn, at 161 million active members, has only a fraction of that membership, but it is still a very big target.

LinkedIn, as most people know by now, is a social networking site aimed at professionals, an online version of good old-fashioned human networking. It is also a place where people show off their skills and resumes to potential employers and where employers search for qualified candidates: a perfect place to trick those who are following any employment lead they get, at a time when the economy has been less than stable. Instead of attacking the LinkedIn site directly, which is defended by LinkedIn's security team, the attackers take the easier approach of mass-mailing fake LinkedIn notifications in a cast-net fashion. These land in plenty of mailboxes whose owners are not LinkedIn members, but they also land in plenty that are. From there the attackers rely on recipients who overlook the ploy and click the links.

One such ploy floating around in May used colored text and graphics to mimic a genuine LinkedIn notification. The email informed recipients of pending messages and of requests from people to add them to their networks. Once any of the links was clicked, the malware went to work installing itself on its new host. Once inside, it checked its environment for debuggers, which would have tipped it off that someone was analyzing the sample, in which case it could shut itself down. After it decided the coast was clear, it went into a long sleep. This was possibly done to detect a virtual or sandboxed environment by comparing clock readings before and after the sleep: an analysis environment that fast-forwards sleep calls shows less elapsed time than was requested. The malware then stole browser histories and cookies and sent them back to its C&C server, all the while suppressing critical error and security messages. It hid itself by injecting its code into already-running processes and added itself to the auto-run sections of the registry. From there it lay in wait, logging keystrokes and communicating with its new controller.

Evasive Malware Delivered in Fake BBB Complaint

In a continuation from the previous month, malicious emails made up to look like complaints from the Better Business Bureau hit our filters early in May. These messages attempted to convince recipients that the BBB had received a complaint from a customer and that the file attached to the email contained a summary.

The recipient was instructed to open and read the attached "report" and reply with their response to the claim. The problem was that the "report" was actually an executable file carrying a nasty Trojan.

Preliminary examination of the file indicated that it was a variant of the ever-popular Zeus, or Zbot. However, some of its behaviors differed slightly from the most recent Zbot infections we have examined.

Once this variant launched and hid itself, it did a thorough job of disarming the host machine by making the following changes: it disabled Task Manager, disabled the signed-binary check on downloaded executables, modified Windows Explorer settings, and lowered the risk classification of most executable extensions so that further downloads would go unchallenged.
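The disarming changes just listed, and the registry auto-run persistence used by the LinkedIn sample described earlier, all live in well-known registry locations, so an incident responder can check for them in a registry export taken from a suspect host. The following audit script is an added example written for this page, not AppRiver's code: it parses a .reg export and reports the Task Manager policy, the Internet Explorer download signature settings, the Explorer view settings, the low-risk file-type list, and any Run-key command launched from a user-writable path. The key and value names are the standard Windows ones; the sample export, the Run entry name "Updater" and its path are constructed placeholders.

```python
"""Audit a Windows registry export (.reg text) for Zeus-style host disarming
and Run-key persistence. Added example; the sample export is constructed."""
import re
from typing import Callable, Dict, List, Tuple

# Key paths are compared as lower-case suffixes so that both an HKCU export
# and an HKEY_USERS\<SID> export match.
POLICY_SYSTEM = r"software\microsoft\windows\currentversion\policies\system"
IE_DOWNLOAD = r"software\microsoft\internet explorer\download"
EXPLORER_ADV = r"software\microsoft\windows\currentversion\explorer\advanced"
ASSOCIATIONS = r"software\microsoft\windows\currentversion\policies\associations"
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runonce")

# (key suffix, value name, predicate on the raw .reg data, severity, description)
CHECKS: List[Tuple[str, str, Callable[[str], bool], str, str]] = [
    (POLICY_SYSTEM, "disabletaskmgr", lambda v: v == "dword:00000001",
     "high", "Task Manager disabled"),
    (IE_DOWNLOAD, "checkexesignatures", lambda v: v.strip('"').lower() == "no",
     "high", "signature check on downloaded executables turned off"),
    (IE_DOWNLOAD, "runinvalidsignatures", lambda v: v == "dword:00000001",
     "high", "executables with invalid signatures allowed to run"),
    (ASSOCIATIONS, "lowriskfiletypes", lambda v: ".exe" in v.lower(),
     "high", "executable extensions added to the low-risk list (no download warning)"),
    # These two are Windows defaults, so they only matter as a change from the
    # host's known baseline; report them as informational.
    (EXPLORER_ADV, "hidden", lambda v: v == "dword:00000002",
     "info", "Explorer set to hide hidden files"),
    (EXPLORER_ADV, "showsuperhidden", lambda v: v == "dword:00000000",
     "info", "Explorer set to hide protected operating system files"),
]
# A Run-key command under a user-writable directory is the typical dropped-bot pattern.
USER_WRITABLE = re.compile(r"\\(appdata|application data|local settings|temp)\\", re.I)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {lower-case key path: {lower-case value name: raw data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|(@))=(.*)$', line)
        if m and current is not None:
            keys[current][(m.group(1) or m.group(2)).lower()] = m.group(3).strip()
    return keys


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the export."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_reg(text).items():
        for suffix, name, is_bad, severity, desc in CHECKS:
            if key.endswith(suffix) and name in values and is_bad(values[name]):
                findings.append((severity, f"{desc}: {key}\\{name} = {values[name]}"))
        if any(key.endswith(r) for r in RUN_KEYS):
            for name, data in values.items():
                if USER_WRITABLE.search(data):
                    findings.append(("high", f"Run-key persistence from user-writable path: {name} = {data}"))
    return findings


# Constructed sample export (not data from the page); "Updater" is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.bat;.com;.cmd;.reg;.msi"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\Documents and Settings\\user\\Application Data\\Updater\\sample.exe"
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_EXPORT):
        print(f"[{severity}] {message}")
```

Export the hive with `reg export HKCU out.reg` on the suspect machine (or from a mounted NTUSER.DAT offline) and feed the text to `audit()`. The Explorer view values are reported as informational on purpose: they are Windows defaults, so they only tell you something when they differ from the host's known baseline.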

Communication was also observed with the following domains:

  • unocardgam(dot)com
  • whatisadebima(dot)com
  • wisudarel(dot)com
  • fokuslol(dot)com
  • froukloro(dot)com

At the time, only 9 of 42 (21%) AV engines identified this threat as malicious. The Zbot or Zeus malware family has been stealing money from bank accounts and other sensitive logins since 2008. In addition to bank account login credentials, Zeus has been known to steal Facebook logins. Beyond information theft, Zbot also hijacks the victim machine and enslaves it to a botnet. Avoid falling for this attack, and if ever in doubt, pick up the phone and call the supposed sender.
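The domains above are published defanged, with "(dot)" in place of the real dot, so they cannot be pasted straight into a log search. The script below is an added example, not AppRiver's code: it refangs the five indicators exactly as listed above and scans resolver query-log lines for lookups of those domains or any subdomain of them. The log format is assumed to be BIND's query log; the sample lines, client addresses and timestamps are constructed.

```python
"""Refang the defanged C&C domains from the report and scan DNS query logs
for them. Added example; the log lines below are constructed."""
import re
from typing import Iterable, List, Optional, Set, Tuple

# The five domains from the report, exactly as published (defanged).
REPORT_IOCS = [
    "unocardgam(dot)com",
    "whatisadebima(dot)com",
    "wisudarel(dot)com",
    "fokuslol(dot)com",
    "froukloro(dot)com",
]

_DEFANGED_DOT = re.compile(r"\s*(?:\(dot\)|\[dot\]|\[\.\]|\(\.\))\s*", re.I)
_SCHEME = re.compile(r"^(?:hxxps?|https?)://", re.I)


def refang(indicator: str) -> str:
    """Undo common defanging ((dot), [.], hxxp://) and return a bare lower-case host."""
    s = _DEFANGED_DOT.sub(".", indicator.strip().lower())
    s = _SCHEME.sub("", s)
    return s.split("/", 1)[0].strip(".")


def load_iocs(defanged: Iterable[str]) -> Set[str]:
    return {refang(i) for i in defanged}


def matching_ioc(qname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC that qname equals or is a subdomain of, else None.

    Matching is label-wise, so 'notunocardgam.com' is not a hit for
    'unocardgam.com' the way a plain substring test would make it.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# BIND-style query log line (format assumed; other resolvers differ).
_QUERY_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def scan_dns_log(lines: Iterable[str], iocs: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried name, matched IOC) for each hit."""
    hits: List[Tuple[str, str, str, str]] = []
    for line in lines:
        m = _QUERY_LINE.match(line)
        if not m:
            continue
        ioc = matching_ioc(m["qname"], iocs)
        if ioc:
            hits.append((m["ts"], m["src"], m["qname"], ioc))
    return hits


# Constructed sample log; clients and timestamps are invented.
SAMPLE_LOG = """\
23-May-2012 09:14:02.113 client 10.1.4.27#53122: query: www.google.com IN A + (10.1.0.5)
23-May-2012 09:14:05.481 client 10.1.4.27#53130: query: unocardgam.com IN A + (10.1.0.5)
23-May-2012 09:14:05.902 client 10.1.4.27#53131: query: cdn.fokuslol.com IN A + (10.1.0.5)
23-May-2012 09:15:11.004 client 10.1.7.9#41002: query: notunocardgam.com IN A + (10.1.0.5)
23-May-2012 09:15:12.777 client 10.1.7.9#41003: query: wisudarel.com. IN MX + (10.1.0.5)
"""

if __name__ == "__main__":
    for ts, src, qname, ioc in scan_dns_log(SAMPLE_LOG.splitlines(), load_iocs(REPORT_IOCS)):
        print(f"{ts} {src} looked up {qname} (matches {ioc})")
```

The label-wise match matters in both directions: it catches `cdn.fokuslol.com`, which an exact-match lookup would miss, and it ignores `notunocardgam.com`, which a substring search would wrongly flag.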

A New Version of Zeus

Early on May 23rd we saw a new payload peppered in among the many Zeus and SpyEye offerings. It appeared to be a new version of the already infamous toolkit known for stealing financial data. In addition to the same behind-the-scenes malicious activities, such as stealing browser cookies, FTP credentials and banking login credentials, and general keylogging, this version added a new flavor to the mix: what appeared to be a new brand of fake AV or ransomware on top of what it was already offering. Let's start at the beginning:

These arrived as emails pretending to be from PayPal. The emails claimed that the recipient had made a payment to some random person whose name changed from email to email. The amount was usually large, in the hundreds of dollars. Once this grabbed the victim's attention, they would likely be persuaded to click one of the several links included, supposedly to contact PayPal and find out what was going on. Once a link was clicked, the malware went right to work contacting an abundance of domains, which then began downloading and installing the various components of the malware. This particular variant contacted an initial 16 different domains to gather its wares.
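The lure works because the links say "PayPal" while pointing somewhere else. A mail filter or analyst can check that mechanically: extract every anchor from the HTML body and flag any whose href host is not paypal.com or a real subdomain of it, or whose visible text shows one URL while the href goes to another. The script below is an added example for this page, not AppRiver's filter code; the lure body, the amount, the payee name, the hosts and the paths in it are constructed, and the brand-to-domain mapping is an assumption for the demonstration.

```python
"""Flag links in a 'PayPal' lure that do not actually lead to PayPal.
Added example; the sample lure body is constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumed: the apex domains a message claiming to be from each brand may link to.
BRAND_DOMAINS: Dict[str, Tuple[str, ...]] = {"paypal": ("paypal.com",)}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Lower-case hostname of a URL, or '' if it has none (mailto:, relative, malformed)."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def belongs_to(host: str, apex: str) -> bool:
    """True only for the apex itself or a real subdomain of it, not for 'apex.evil.example'."""
    return host == apex or host.endswith("." + apex)


def suspicious_links(html: str, brand: str) -> List[Tuple[str, str, str]]:
    """Return (text, href, reason) for each link that does not belong to the claimed brand."""
    parser = LinkExtractor()
    parser.feed(html)
    apexes = BRAND_DOMAINS[brand]
    flagged: List[Tuple[str, str, str]] = []
    for text, href in parser.links:
        host = host_of(href)
        legit = any(belongs_to(host, a) for a in apexes)
        # If the anchor text itself looks like a URL, the host it shows must match the href.
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != host:
            flagged.append((text, href, f"link text shows {shown} but href goes to {host or href}"))
        elif not legit:
            flagged.append((text, href, f"message claims {brand} but href host is {host or href}"))
    return flagged


# Constructed lure body modelled on the emails described above; amount, payee,
# hosts and paths are invented.
SAMPLE_LURE = """
<p>You sent a payment of $427.50 USD to J. Doe.</p>
<p>If you did not authorize this transaction,
   <a href="http://paypal.com.account-review.example.net/cgi-bin/webscr">contact PayPal here</a>.</p>
<p>Or review it at <a href="http://198.51.100.23/pp/">https://www.paypal.com/us/</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_LURE, "paypal"):
        print(f"{reason}: [{text}] -> {href}")
```

Note the first flagged link: its host begins with `paypal.com.` but is actually under `example.net`, which is why `belongs_to()` tests for a leading-dot suffix rather than for the brand string appearing anywhere in the host.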

Among the actions we now consider normal for Zeus, such as making copies of itself and injecting itself into running processes, this version also disabled error messages, firewalls and existing anti-virus solutions just before presenting the newly infected user with what it called Smart Fortress 2012. The fake anti-virus software then started, appeared to scan the system, and began displaying a long list of "infections". Although the machine was indeed now infected, it was not by anything the fake software displayed. Now Zeus was not only stealing money beneath the surface but also trying to get its victims to hand some over willingly in order to regain control of their computers. Little did they know that attempting to appease the fake AV by paying for "malware removal" would only mean losing more money while keeping all of the same infections. The best thing a user who saw the Smart Fortress pop-up could have done was to disconnect all network connections and hope that their backup was up to date.

For some reason this Smart Fortress addition to Zeus only ran for a couple of hours before we stopped seeing it. After that, Zeus continued with its old tricks, shedding the fake anti-virus technique. These things come and go, and the fake AV ploy has been used many times in the past. It is possible that Zeus had rented out some temporary space in its payload to another group, or that its operators were simply trying something a little different.

This report is also available as a PDF download: June 2012 Threat & Spamscape Report (PDF).