
VNR: October 2012

Threat and Spamscape Report

October 2012

What We Saw in September

Once again this month the Blackhole toolkit has dominated the email-delivered malware landscape. It has been responsible for utilizing 500 to 1000 unique domains at any one time, hitting our filters at rates of up to 2000 pieces of malicious mail per minute, per domain. Most recently its campaigns have been made up to imitate the IRS, eFax Corporate and LinkedIn. All the while, Zeus and SpyEye get peppered in amongst all of the other contenders vying for access to others' bank accounts. Here are a few of the other highlights from this past month:

  • At the end of August spammers tried to capitalize on the shootings that occurred just outside of the Empire State Building in New York City.
  • Spam has been an annoyance since its inception over 30 years ago. Although it used to rule the conversation years back, it's not that big of a topic nowadays, and its effectiveness has also likely declined. This however doesn't stop people from trying: this past month we have seen spam numbers steadily increase.
  • The SpyEye toolkit was responsible for several different runs during September including those pretending to be from Amazon and the FDIC.
  • A big scare shivered across the world as a zero-day exploit for Internet Explorer was announced. Microsoft hurried and issued an out-of-band patch, while entire countries such as Germany urged their citizens to stop using the browser until it was fixed.
  • Anonymity scored another partial win this past month as Chrome began to utilize the "Do Not Track" HTTP header. It's not a victory for proponents of anonymous browsing by any means, but it's a start.
  • The hacktivist/hacker group Anonymous claims to have stolen 1,000,001 Apple user UDIDs. They also claimed to have gotten them from an FBI laptop. This may not have been exactly true.

Total Email Traffic Volume

This chart represents both total and spam traffic throughout the month of September. Spam traffic surged significantly during the month; September's spam volume was 22% higher than the previous month's.

Here is a look at spam traffic over the previous six months:

Tests Failed

This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the month of September.

Regions of Origin

This graph represents both spam and malicious email traffic by region.

Top Ten Countries of Origin

This chart represents the top countries from which spam originated during September. The huge spike in spam originating in Saudi Arabia finally slowed in September, thus ceding the second place position back to the United States.

Top Email-Delivered Viral Threats

  • X.W32.Sasfis.pak
  • X.UPX.App.pakuber
  • X.W32.Kryptik.CTR.pak
  • X.RTFSPAM20100526
  • X.W32.Oficla-A1020.pak
  • X.Wiretrans.7.25JRa
  • X.HTML.614Uber
  • X.W32.kryp.621.pak.a
  • X.W32.Netsky.Q
  • X.W32.Tibs.IT.pak
  • X.W32.PX.pakb
  • X.W32.Bredo.App.pakc
  • X.W32.PX.pakc
  • X.W32\docPak
  • X.UPX.App.pakuberb
  • X.HTM.Java.BH.4512
  • X.W32.Kryptik.pak924
  • X.W32.Kryp.farca
  • X.W32.Bredolab.App.pak
  • X.W32\TrojanUPX.App.pakb

30-Day Virus Activity

This chart represents email-borne virus and malware activity during the month of September as seen by AppRiver filters. Emails containing malicious attachments (Chart 1) started off September very slowly but increased during the latter part of the month. However, emails containing malicious URLs (Chart 2) were very prevalent throughout the entire month of September and have certainly become the favorite infection vector for cybercriminals.

Image Spam

The chart below represents total Image spam seen by AppRiver filters during September. Emails attempting to obfuscate spam content via attachments remained level throughout September.

Spam Levels on the Rise

Early morning July 17th the once powerful spam-spewing botnet known as Grum was successfully disabled by researchers at FireEye in conjunction with Spamhaus, CERT-GIB, and another anonymous researcher (not to be confused with the hacktivist group Anonymous) by the name of Nova7. Their work together helped to locate all of Grum's command and control servers that fed its army of zombie PCs. With the cooperation of hosting providers in several different countries, these servers were taken offline; the underlying botnet stopped receiving commands and quickly went offline as well.

Initially, we saw the spam traffic slowly taper off over the next couple of days, as you can see in the chart below. The lowest point in traffic since the shutdown came on July 22nd, at just 16.7 million pieces of unsolicited email for the day. Since then we've seen spam traffic gradually and steadily ramp back up, to the point where by mid-month we were seeing numbers in the hundreds of millions of pieces per day.

This is a familiar pattern following the dismantling of a large botnet. At first there is a feeling of victory and everyone rejoices, but then new botnets rise up and quickly fill in the gaps. Regardless, these victories are just that, and they should be celebrated. As long as everyone continues to fight the good fight, we can continue to innovate and make headway against spam, malware, and all other threats to our cybersecurity.

Empire State Shooting Spawns Spam

During the last week of August a former employee of a women's fashion accessory company shot one of his ex-coworkers outside of the Empire State Building in New York City. Two people were killed and nine wounded after all was said and done. This was a tragic event that spurred immediate headlines. What's the first thing a spammer does with a tragedy? Why, exploit it for personal gain, of course! Just a few hours after this event made the news, spammers began using it as a lure to get readers to follow their link.

After the link was clicked, people were taken to an online pharmacy site. I'm not exactly sure how the two relate. I suppose they were going for the "Hey, what is this? Oh well, while I'm here I might as well" crowd, but one can't be certain.

Some Push for Anonymity

Anonymous internet browsing has made a move from those who are up to no good and don't want to be caught, to those who feel that data mining is creepy, and now finally into the general public for all sorts of personal reasons. Back in February the browser plug-in "Do Not Track Plus" began to appear. This plug-in made it possible for users to disable tracking of their usage at a domain level, simply by blocking requests by the tracking companies. Now there is support for Do Not Track built directly into browsers, and in IE10 it is enabled by default, on the assumption that no one wants to be tracked online. The other browsers, such as Chrome, which just recently added support for Do Not Track, have the feature disabled by default. The feature works simply by sending an HTTP header to a website when it is visited, carrying a simple "yes" or "no" (or "track me" or "don't track me", as the case may be). Some feel this to be part of an online privacy movement, while others feel it to be a detriment to the internet as we know it, claiming that by crippling tracking, people are going to look to other ways to make their money, including tiered or pay-to-play internet structures. Apache has gone as far as building new versions of its web server to completely ignore Do Not Track requests, while others, including Microsoft, Google, and Mozilla, members of the Tracking Protection Working Group, give it their full support.
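The paragraph above describes the header mechanism but not what a site does with it. The following is an added example (not code from the report or from any browser or server vendor) of the server side of Do Not Track: it reads the DNT request header, maps it to a preference, and only issues a tracking cookie when the visitor has not opted out. It assumes the header values published by the W3C Tracking Protection Working Group (DNT: 1 means "do not track", DNT: 0 means the user consented, absent means no preference) and the Tk tracking-status response header from the same group's drafts; the cookie name, the `track_when_unset` policy knob and the sample requests are constructed for illustration.

```python
"""Server-side handling of the Do Not Track (DNT) request header.

Added example, not from the AppRiver report. Header semantics assumed from the
W3C Tracking Protection Working Group drafts: "DNT: 1" = user asks not to be
tracked, "DNT: 0" = user consented to tracking, header absent = no preference.
The cookie name and sample requests below are constructed for illustration.
"""
from __future__ import annotations

from enum import Enum
from typing import Mapping, Optional


class DntPreference(Enum):
    OPT_OUT = "opt_out"   # DNT: 1
    CONSENT = "consent"   # DNT: 0
    UNSET = "unset"       # header absent or malformed


def parse_dnt(headers: Mapping[str, str]) -> DntPreference:
    """Interpret the DNT header; header names are matched case-insensitively."""
    value: Optional[str] = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if value == "1":
        return DntPreference.OPT_OUT
    if value == "0":
        return DntPreference.CONSENT
    # Missing or unrecognised values (e.g. "yes", "") are treated as "no
    # preference" rather than as consent, so garbage input never enables tracking.
    return DntPreference.UNSET


def tracking_allowed(headers: Mapping[str, str], track_when_unset: bool = False) -> bool:
    """Policy decision: track only when the user has not opted out.

    track_when_unset is the *server's* default for visitors whose browser sends
    no DNT header at all; the IE10 vs. Chrome debate in the text is about the
    *client's* default for what it sends.
    """
    pref = parse_dnt(headers)
    if pref is DntPreference.OPT_OUT:
        return False
    if pref is DntPreference.CONSENT:
        return True
    return track_when_unset


def build_response_headers(request_headers: Mapping[str, str]) -> dict:
    """Assemble response headers for a page view, honouring DNT.

    A tracking cookie (name constructed for this example) is issued only when
    tracking_allowed() says so. The Tk header (W3C tracking-status header,
    "T" = tracking, "N" = not tracking) echoes the decision so it can be audited
    from the client side or a proxy log.
    """
    response = {"Content-Type": "text/html; charset=utf-8"}
    if tracking_allowed(request_headers):
        response["Set-Cookie"] = "analytics_id=EXAMPLE_ID_PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=Lax"
        response["Tk"] = "T"
    else:
        response["Tk"] = "N"
    return response


if __name__ == "__main__":
    # Constructed sample requests: an opted-out browser, a consenting one, and
    # one that sends no DNT header (the Chrome default described in the text).
    samples = {
        "opt-out": {"User-Agent": "ExampleBrowser/1.0", "DNT": "1"},
        "consent": {"User-Agent": "ExampleBrowser/1.0", "dnt": "0"},
        "no-pref": {"User-Agent": "ExampleBrowser/1.0"},
    }
    for label, hdrs in samples.items():
        print(label, build_response_headers(hdrs))
```

The one design choice worth noting is that the default for an absent header is a server-side policy (`track_when_unset`), kept separate from the parsing: a site that ignores DNT, as the text says Apache's new builds do, is simply one that never consults `tracking_allowed()` at all, and a log of the Tk values it emits makes that visible.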

Fraudulent FDIC Emails Carry SpyEye Infection

This year we have seen the SpyEye Trojan being distributed quite frequently, and often at breakneck speed. This past month we have seen many different campaign offerings from SpyEye; one in particular appeared to come from the FDIC. These warned readers that their ACH and wire transaction capabilities had been suspended due to the expiration of their "security version". It was quite ironic that the social engineering technique used in this email campaign posed as a security safeguard against the very same things this malware utilizes to steal money (ACH and wire transfers). The cybercriminals distributing these messages must have a good sense of humor. This email campaign was utilizing 20 unique domains to host the SpyEye payload and was hitting our filters at the very high rate of over 250K per hour.

Here is a look at the message:

SpyEye is one of the most advanced threats in the wild today focused on financial fraud and theft, and it utilizes a man-in-the-browser attack. There are many custom versions of SpyEye that utilize server-side automation to overcome security controls such as smart card readers, hardware tokens and one-time transaction codes. These custom versions of SpyEye have the capability to automatically initiate a transfer of funds the second the victim logs into his/her account. Those who can find and afford to purchase the SpyEye malware toolkit have the luxury of receiving full support and customized versions from the software's author himself.

Big Scare Over Internet Explorer Vulnerability

Internet Explorer, like most software, suffers from vulnerabilities all of the time. The big deal this particular time was that the flaw was being actively exploited in the wild, and it is rumored that the exploit was developed by the same Chinese hacking group that was responsible for attacks against industrial and chemical companies just last year.

In order to become a victim one must visit a specially crafted web page using IE version 9 or earlier. The exploit would then quickly give the attacker full control over the now-compromised machine. The announcement of this vulnerability became such a big deal that entire countries, namely Germany, urged their citizens to stop using IE altogether until Microsoft could issue a patch. And patch it they did. It's rare for Microsoft not to just wait until the next Patch Tuesday to issue updates and fixes for their systems, but this one was hurried and an out-of-band patch was quickly released. Now we just need a patch for that new Java vulnerability and we'll be all set, until tomorrow of course.

Hacker Claims He Hacked the FBI

Early in the month a hacker related to the now infamous hacking group Anonymous released a set of one million and one iPad, iPhone, and iPod users' usernames, device names and Unique Device Identification numbers, or UDIDs, among other things. The hacker claimed he had gotten them from an FBI laptop that he had hacked. This was obviously done to raise suspicion as to why the FBI would have a giant list of people's Apple device information. Were they tracking users?! What could they be up to?! The FBI issued several statements saying that there was no evidence that any "FBI laptop had been compromised or that the FBI either sought, obtained, (or cared about), this data." As it turns out, researchers found that the data was most likely lifted from a company that created apps for mobile devices by the name of BlueToad, since many of the recurring UDIDs pointed to that company. BlueToad later realized that it was in fact their system that had been breached, quickly apologized for the event and discontinued the use of UDIDs in their products. The hacker remains at large! Actually, though never apprehended, we haven't heard from this guy since, but I can embellish too, can't I?

For this information in a PDF download, view our October 2012 Threat & Spamscape Report (PDF).