Jump to content


VNR: November 2012

Threat and Spamscape Report

November 2012

What We Saw in October

Overall during the month of October we saw Spam levels rise during mid-month only to return to first of the month levels by October's end. Malware followed the same sort of trend though spiking more drastically to a point where a malicious link or a malicious attachment accompanied one in every five emails received by our filters. Political hacktivist attacks on world banks trended while other hackitivists faced prison sentences. Here are a few of the other highlights from the past month:

  • Perhaps the naiveté surrounding the safety of mobile devices is finally starting wane as Google makes plans to implement active malware scanning in their Google Play Store. Not only will this malicious App scanner be able to scan newly added Apps to its marketplace, but will also contain a feature that can scan those that are already installed on your mobile device.
  • Foreign powers have taken to cyber-attacks against at least a half dozen U.S. banks this past month. The attacks are of the Distributed Denial of Service variety which prevents the banks' customers from accessing online resources.
  • Fake British Airways e-Ticket confirmation emails lead to malware infections.
  • The Blackhole toolkit has shown no signs of slowing down as its trademark Javascript obfuscation has been sighted on nearly a daily basis utilizing a variety of themes. Another theme this past month appeared to be a notification of a scanned document from a network resource.
  • CNN Breaking News emails utilizing snappy graphics and Onion-esque headlines harken back to the early days of the Storm Worm when it used sensationalized false news headlines to trick its recipients into falling for the bait.
  • The Anti-Sec movement's main players of last year, by the name of LulzSec, attacked every high profile website they could get their hands on in order to prove the point that these companies weren't taking security seriously enough. In the process, this group broke plenty of laws, and several of them were promptly arrested. Another one faced sentencing for his part in the debacle this past month.

Total Email Traffic Volume

This chart represents both total and spam traffic throughout the month of October. Spam volume was up and down throughout the month of October. In all we quarantined 1.7 billion spam messages during the month.

Tests Failed

This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the month of October.

Regions of Origin

This graph represents both spam and malicious email traffic by region. North America accounted for the highest levels of spam origination that we have seen in quite some time.

Top Ten Countries of Origin

This chart represents the top countries from which spam originated during October. For the second straight month the US was the point of origination for more spam than we had seen in a one month period since Q1 of 2012.

Top Email-Delivered Viral Threats

  • X.W32.Troj.bbb.1026a
  • X.W32.eFax.bredo.1023a
  • X.W32.troj.dblExt.25a
  • X.W32.bre.Nac.1024a
  • X.Troj.naa.ndg1024a
  • X.troj.meripri.29a
  • X.W32.Oficla-A1020.pak
  • X.W32.eFax.bredo.1023b
  • X.W32.kryp.pak.717
  • X.W32.Krypt.pak.1019a
  • X.Troj.dblExt.pak
  • X.W32.Mytob.App.pak
  • X.W32.Bredo.fex.0810a
  • X.JS.BLKhl.htm,1026a
  • X.PAD.xses
  • X.W32.Change.Krypt.1019a
  • X.Dual.Extensions.29a
  • X.W32\FakeAV.BJTL.amad
  • X.W32.zbot.pak.52
  • X.UPStrack.zip.10.18jra

30-Day Virus Activity

This chart represents email-borne virus and malware activity during the month of October as seen by AppRiver filters. These figures include both malicious attachments as well as malicious links. During October we saw numerous large email campaigns utilizing both malicious attachments as well as malicious links. This traffic resulted in a very malware-laden month in spam traffic. In October we quarantined over 361 million emails containing malware. Malware now comprises the highest percentage of spam that we have seen historically. During October, 21, 1 percent (or roughly 1 in every 5 messages) of total spam either contained malware or a link to malware.

Image Spam

The chart below represents total Image spam seen by AppRiver filters during October.

Google Play to Add Malware Scanning

We here at AppRiver have been discussing the upcoming dangers of the mobile marketplace for what seems to be quite a while now. As more and more people adopt the mobile lifestyle, and it not being uncommon for people to own several mobile devices, the attack vector for the bad guys is ever expanding. Back in the day when every mobile phone essentially had its own proprietary operating system, it was a lot of work with very little pay off for malware authors to write malicious code for mobile devices. Now the industry has made it much more tempting as now only a few major mobile operating systems rule the market, the capabilities of these devices has greatly increased, and people are now doing a lot more enticing activities to want to be thieves such as online banking and an ever-increasing amount of mobile purchases. Mobile devices store emails, contacts, passwords, browser histories, and soon with the release of Apple's Passbook, or Google Wallet, these devices will store plane tickets, credit cards, and become a replacement for cash altogether. There's always been just one small problem, however. These devices do not utilize anti-virus. Sure, there are a couple companies that have tried, but it hasn't been well adopted and according to studies, these solutions were not able to keep up.

Luckily now though it seems that the major players are beginning to realize the importance of securing these devices. According to the website AndroidPolice[dot]com, the new version of Google Play Store 3.9.16 includes code for what is going to be built in malware scanning going by the name of "App Check". The code shows that not only will the scanner inspect new applications submitted to the Play Store, but it will also include functionality to scan Apps that have been previously installed on the Android device. This is great news, and hopefully other companies will quickly follow suit. For now, the home computer remains the largest target we own, but how long will that last, that thing is way too big to fit in my pocket.

Fake Scanned Documents Carry Infection

Early morning on the 19th, we began monitoring an email campaign purporting to be scanned documents that recipients had sent. This technique is not new, we have seen it used for years now but the messages in each campaign vary slightly from the last. What keeps the cybercriminals using this method repeatedly is that they so closely resemble what these real notifications tend to look like and coupled with the fact that many people are used to receiving legitimate messages of this sort. This creates a somewhat innocuous looking message that people will be likely to open. This malicious spam campaign was coming in at nearly 1 million messages per hour and the malicious payloads were spread across a total of 136 different domains. The emails all contained a link to one of these domains that hosted a malicious payload that once clicked, would have infected its target machine with malware designed to steal victims' money. It appeared that these malicious emails were a product of the Blackhole Toolkit. Malware infection has been dominated lately by these types of campaigns that utilize emails with links in order to deliver malware. The Blackhole toolkit has been a major contributor to this type of attack.

CNN Breaking News Headlines Bring Malware

This just in: Emails touting CNN breaking news headlines such as "Mitt Romney Almost President" or "Turkish President says 'Worst case scenario' in Syria becoming a reality" came crashing into our filters early in October. The emails, as seen below, use CNN banner graphics and include a number of headlines of enticing current events, including the topmost headline claiming that Mitt Romney has taken the lead in the United States presidential race with more than 60% of the votes. This is followed by other "stories" about the recent meningitis breakouts, a couple of iPhone/Apple stories, and many others.

As a mouseover reveals, every link in these emails leads not to CNN, but instead to a slew of malicious domains that install malware on to the victims' PCs. This a very familiar technique that is not unlike a certain worm that made very big headlines of its own that went by the name of Storm. Storm crashed its way into PCs back in January of 2007 and earned its moniker through its first email delivered headline "230 Dead as storm batters Europe". Eager to find out the details of this devastating news, recipients of these emails quickly clicked on the attachments and helped to spread the Storm Worm in a rapid fashion. Seeing the success of their new tactic, it became a constant ruse of which people fell for over and over again. Now it's a rarity if a world event, or other major news story occurs and someone with mal-intent fails to attempt to capitalize on it.

Acts of CyberWarfare?

During the end of September through the month of October the world began getting news of Distributed Denial of Service attacks against a number of financial institutions. Those included J.P. Morgan Chase, Bank of America, Wells Fargo and the New York Stock Exchange. A group by the name of Izz ad-din Al qassam took immediate credit for the attacks. The attacks were meant to disrupt business for these organizations and were supposedly in response to the highly offensive anti-Muslim video by the name of "Innocence of Muslims". The attackers claimed that they would shut down incoming traffic to these sites for 8 hours each, though most connectivity problems were intermittent.

Another theory claims that these attacks against US banks represent something much more, a blatant escalation of global cyber conflict. It is theorized also that the attacks against these financial institutions is the direct result of US sanctions against Iran and that Iran Special Forces have at least a hand in the attacks, specifically a group by the name of Iran's Revolutionary Guard Corps. A direct response to wound our financial institutions in a similar manner as the US has theirs.

After Stuxnet, Duqu, and now these attacks, it would seem that the cyber realm is a fully operational battleground between Iran and the US.

Another Hacker Linked to LulzSec Becomes Noob in Prison

A hacker by the name of Raynaldo Rivera from Tempe Arizona admitted guilt by way of plea agreement this month to having broken into computers belonging to Sony Entertainment and causing them a great deal of grief back in May of last year. Having been arrested this past August after turning himself into authorities; Raynaldo has been waiting what his punishment may be. As it turns out, the 20 year old is looking at a possible 15 years in prison, a hefty fine for a very boastful attack that Sony admits to having cost them $600,000. Raynaldo's co-consiprators Cody Krestinger 24, and Ryan Cleary 20, have both also pled guilty and are awaiting their sentencing for the attacks.

To Fly. To Infect.

Late overnight on the 25th, we began seeing emails that looked suspiciously like British Airways e-ticket confirmation emails. With the graphics and formatting undoubtedly stolen from actual British Airways e-tickets, they were somewhat convincing save for a few flawed details. The first of which was that the email explained that the flyer's itinerary was delivered as an attachment named "BritishAirways-eticket.zip", an immediate red flag. I've personally never flown on BA, but every other airline that I have flown on print the itinerary directly in the email ticket confirmation, and never have I been given an attachment to open, especially a .zip. If one was to go as far as to uncompress the zip file they would find that the file inside was an executable of the same name masquerading as a PDF document through the use of a double extension "BritishAirways-eticket.pdf.exe". Once removed from the zip file the recipient would no longer be able to see the "exe" portion of the file in most cases and the file would appear to simply end in .PDF.

Another red flag was the fact that the recipient, or supposed ticket purchaser's name didn't appear in the email, instead a simple greeting was used with no name whatsoever. In all of the samples that I've seen "Dear," was the only greeting used.

In addition a random confirmation number was given for each, and aside from that it seemed to just be copied from an actual British Airways correspondence.

Once we looked at the attachment it was realized that it was another variant of ZBot, or Zeus. Zeus has been a highly popular and highly active banking trojan over the past couple of years. Once belonging to a single criminal group, older versions of Zeus began appearing on underground forums, and its distribution has become widely scattered and in the hands of the many.

This version, as with most versions of Zeus began by creating multiple instances of itself and immediately began to inject code into running processes, specifically those of which control Windows Security settings and auto-update features. After which the malware hid itself in various places around the hard drive and placed itself into startup areas. Next it began making a few DNS calls for the sites neonmedia.pl, dorot.com, worldcom.pl, bizez.pl, and fournet.pl. After communicating with these domains, it pulled down several other pieces of malware designed to monitor keystrokes, read and delete cookies, modify proxy and network settings, tamper with Outlook Express settings, and stop all remaining firewall and security settings. In addition to all of this, the infected PC then got to become a part of a larger botnet and aid its controller in future cyber exploits.

Luckily AppRiver was proactively looking for variants like this one and had a block on this campaign before it even had a chance.

For this information in a PDF download, view our November 2012 Threat & Spamscape Report (PDF) Click Here