Threat and Spamscape Report
April 2012
What We Saw in March
Hot on the heels of this year's RSA conference, hackers continued to use Web site defacements and Distributed Denial of Service attacks to make their points, both in a socio-political manner and seemingly just for the heck of it. It would appear that even though there have been many arrests in connection with the LulzSec group and Anonymous (and even an insider informant), the attention given to these groups has motivated others, some of whom have their own agendas. In addition to "activism" or "hacktivism", the groups behind Zeus, Blackhole, and several other malware families remain consistently active. Here are a few highlights from the month of March:
- A hacker who goes by the handle Sabu turns out to be a turncoat. He has been linked to the arrest of several top members of LulzSec and Anonymous.
- The Blackhole toolkit is being delivered by emails directed at Certified Public Accountants, as well as by emails claiming to come from Intuit, a company known for its bookkeeping and tax preparation software. This is a popular target market during tax season.
- A Trojan by the name of Matsnu, possibly spawned from the SpyEye Trojan toolkit, imitates the FDIC as well as security company Trusteer.
- Emails pretending to be from LinkedIn, PayPal, US Airways, Career Builder, the USPS and others have been making aggressive moves towards inboxes, and all appear to have come from the same group. The malicious sites used in these campaigns serve up a whole host of exploits targeting Adobe Acrobat and Java, among others, and install the Zeus Trojan once one succeeds.
- A popular scam that has enjoyed quite a long run on Facebook makes a move over to Pinterest.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of March. Spam levels remained somewhat subdued during the first quarter of 2012; nevertheless, 84 percent of all email traffic was spam.
Tests Failed
This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests, so the totals in this chart exceed the number of individual spam messages seen during March.
Regions of Origin
This graph represents both spam and malicious email traffic by region. Overall these ratios remained very similar to what we have seen in the past, but we did see a noteworthy increase from Australia.
Top Ten Countries of Origin
This chart represents the top countries from which spam originated in March 2012. A spike in spam traffic from the United States helped propel it back to the number one spot, overtaking India once again.
Top Email-Delivered Viral Threats
These are the top 20 malware threats we saw last month in order of frequency, with the most frequent in the top position. Virus names beginning with "X." signify rules written by AppRiver analysts. (This does not mean that other anti-virus vendors never had definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them did.)
- X.UPX.App.pakuber
- X.Kryptik.fdic.315
- X.W32.Kryptik3.7
- X.UPX.App.pakuberc
- JS\Iframe.CA_trojan
- HTML\Phishing.Gen_trojan
- W32\Mydoom.R_worm
- PDF\WorldBusinessGuide_ap
- W32\Merond.O_worm
- X.W32.Netsky.Q
- W32\Mydoom.Q_worm
- W32\Mydoom.NAC_worm
- X.32.Kazy.ndg0229
- X.Xpack.trk.315
- X.photo.smregt.314JRb
- X.photo.smr.egt
- X.W32.trojan.ndg.3.16a
- X.W32.MyDoom.R
- X.win32.worm.20080529
- JS\Iframe.BY_trojan
30-Day Virus Activity
This chart represents email-borne virus and malware activity during the month of March as tracked by AppRiver filters. Emailed virus traffic was again inconsistent this month, with some huge peaks followed by periods of relative calm. This pattern is in keeping with the trend so far in 2012.
Image Spam
The chart below represents total image spam seen by AppRiver filters in March. These messages attempt to evade spam filtering by encapsulating the spam content within an image rather than in the message text, leaving keyword-based tests little or nothing to match on. This method was used fairly frequently this month.
"Hacktivist" Sabu Turns on his Principles
What might have been the biggest news of the past month was the outing of Hector Monsegur, the former leader of the short-lived yet infamous hacktivist group called LulzSec. Monsegur went by the online handle Sabu. Last year, Sabu led a group that appeared out of nowhere and immediately made huge waves in the security community. Their sole purpose, according to LulzSec at the time, was to hack into high-profile entities' networks and expose critical data (both corporate and customer data). Their goal wasn't necessarily to cash in on the data itself, but to expose flaws in security simply for the lulz, or laughs. LulzSec gained a lot of notoriety, as well as popularity among those who believed in its public-facing "Robin Hood" attitude, even though with each breach it exposed hundreds of thousands of records belonging to completely innocent users.
As it turned out, though, Sabu never cared for the innocent. Before LulzSec's rise to infamy, he was busy hacking into systems with malicious intent, whether breaking into an auto supply company to have four engines sent to him for resale, or using credit card information he stole from other systems to pay personal bills and later sell on underground forums. It is quite clear that Sabu was never one to look up to as a martyr.
Sabu ended up getting sloppy and exposed his real IP address to the FBI one day when he failed to use a proxy to log into an Internet Relay Chat channel. From that point on, they had him. Back in June 2011, the FBI paid Hector a visit at his New York apartment, where he had been living off his online earnings and government assistance since his job at Limewire fell through in mid-2010. As has been the case in nearly all hacker arrests in the past, Sabu began singing like a bird, and it appears that his assistance led to the arrest of another outspoken LulzSec top officer, Jake Davis, aka Topiary, who resided in the Shetland Islands. After his arrest, LulzSec went silent.
Other arrests credited to Sabu's cooperation were those of Ryan Ackroyd (kayla, lol, lolspoon), Darren Martyn (pwnsauce, raepsauce, networkkitten), Donncha O'Cearrbhail (palladium), and Jeremy Hammond (Anarchaos, sup_g, burn, yohoho, POW, tylerknowsthis, crediblethreat), who participated in the groups LulzSec, Anonymous, AntiSec and/or Internet Feds.
Until recently, Sabu had been out on bail for his former crimes, but he is now in custody and faces up to 124 years in prison for three counts of computer hacking conspiracy, five counts of computer hacking, one count of computer hacking in furtherance of fraud, one count of conspiracy to commit access device fraud, one count of conspiracy to commit bank fraud, and one count of aggravated identity theft, all of which he has pleaded guilty to.
Are there lulz in prison? I sincerely doubt it, but I'm sure there will be plenty of time to reflect on how the energy of these men could have been better suited and focused.
Tax Season Creates Many Targets
The Blackhole crimeware toolkit is certainly getting some serious play time these past few months. Just last month we saw virus-laden emails pretending to come from the Better Business Bureau (BBB) as well as from Intuit, a company known for its accounting software. All of this seems to have been targeting US taxpayers in the lead-up to April 15th, the deadline for filing federal income taxes in the United States. Early on March 8th, we began seeing yet another similar ploy; this one, however, seems to have been targeted at tax preparers instead of taxpayers. Much like the aforementioned BBB and Intuit emails, these came with convincing graphics and formatting. They appeared to come from the American Institute of CPAs, claiming that the recipient accountant had been involved in fraudulent filing practices, details of which were presented in an attached PDF entitled Complaint.pdf. Of course this wasn't the case; in fact the "attachment" wasn't an attachment at all, but a link to one of about 100 Web sites we were seeing that hosted this malware, on each of which the landing page was named "aic.html". These emails were coming in fast, at around 300 - 400 per minute for each domain involved.
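As an added example that is not part of the original report, the following Python script shows two checks a mail filter can make on messages like the ones described in this section and under Image Spam above: it flags a link whose visible text looks like a document attachment (Complaint.pdf) but whose target is an HTML page, and it flags a message whose visible text is nearly empty while it carries a sizeable inline image. The sample messages, sender names, URLs and thresholds are constructed for the example; only the Complaint.pdf / aic.html pattern comes from the report.

```python
import re
from email import message_from_string
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristic thresholds (assumptions for this example; tune them for your own traffic).
MIN_IMAGE_BYTES = 1024          # ignore tiny logos and tracking pixels
MAX_WORDS_FOR_IMAGE_ONLY = 20
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|zip)$", re.I)

# Constructed sample modelled on the AICPA-themed lure: the "attachment" is a
# link to an aic.html page. example.test is a reserved, non-routable domain.
SAMPLE_AICPA_STYLE = """\
From: "AICPA" <noreply@example.test>
To: cpa@example.test
Subject: Complaint about fraudulent tax return filing
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Details of the complaint are in the attached document.</p>
<p><a href="http://compromised-site.example.test/aic.html">Complaint.pdf</a></p>
<img src="cid:logo">
</body></html>
--b1
Content-Type: image/gif
Content-ID: <logo>
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""


def build_image_only_sample() -> str:
    """Constructed image-spam message: no visible text, one large inline image."""
    outer = MIMEMultipart("related")
    outer["From"] = "promo@example.test"
    outer["To"] = "user@example.test"
    outer["Subject"] = "Hello"
    outer.attach(MIMEText('<html><body><img src="cid:ad"></body></html>', "html"))
    # A 4 KiB blob with a GIF header stands in for the real image payload.
    img = MIMEImage(b"GIF89a" + b"\x00" * 4096, _subtype="gif")
    img.add_header("Content-ID", "<ad>")
    outer.attach(img)
    return outer.as_string()


class _LinksAndText(HTMLParser):
    """Collects visible text and (anchor text, href) pairs from an HTML part."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.links = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def analyze_message(raw: str) -> dict:
    """Return word count, inline image bytes and the two verdicts for one message."""
    msg = message_from_string(raw)
    words, image_bytes, fake_links = 0, 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            charset = part.get_content_charset() or "utf-8"
            parser = _LinksAndText()
            parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
            parser.close()
            words += len("".join(parser.text).split())
            for label, href in parser.links:
                m = DOC_EXT.search(label)
                # Anchor text promises a document, but the URL path does not end in that extension.
                if m and not urlsplit(href).path.lower().endswith(m.group(0).lower()):
                    fake_links.append((label, href))
        elif ctype == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            words += len(part.get_payload(decode=True).decode(charset, "replace").split())
        elif part.get_content_maintype() == "image":
            image_bytes += len(part.get_payload(decode=True) or b"")
    return {
        "words": words,
        "image_bytes": image_bytes,
        "image_only": image_bytes >= MIN_IMAGE_BYTES and words <= MAX_WORDS_FOR_IMAGE_ONLY,
        "fake_attachment_links": fake_links,
    }


if __name__ == "__main__":
    for name, raw in (("aicpa-lure", SAMPLE_AICPA_STYLE), ("image-spam", build_image_only_sample())):
        print(name, analyze_message(raw))
```

The image-only heuristic deliberately ignores images below a size floor, so a legitimate HTML newsletter with a small logo and real text is not flagged; the attachment check compares the extension in the anchor text against the URL path only, so query strings and fragments do not let a link slip past it.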
SpyEye and the FDIC
Just before lunch on March 15th a large email campaign began hitting our filters. The subject read "Fwd: FDIC About your business account" followed by a random string of letters and numbers, presumably attempting to mimic an account number. The email body went on to inform the recipient that the email contained important information about their bank, as well as possible loans and accounts that were affected. This information was supposedly contained within the attachment named FDIC_Detailed_Report_About-Your-Business-Account-mar2012-ZWZAY3Q4X.zip. Inside the archive, however, was an executable with the same name minus the random characters at the end.
Once this file was executed it went right to work. First, the executable hid itself and spawned several other processes beneath the surface. The first of these installed what, on the surface, appeared to be a local copy of the Rapport software from Trusteer, though it is possible that the malware was merely mimicking Rapport, or installing a manipulated version of it; why it did so is unclear. The faux Rapport software worked beneath the surface of the attack, and its existence wouldn't be noticed unless one dug into the file structure where it was installed. It didn't even install the browser address bar icon that the real Rapport software is known for and recognized by. As of this report, it remains a mystery what this portion of the malware was used for.
Next the trojan installed a basic debugger on the compromised system to monitor system activity such as console commands and file activity, and created logs that could be stored and shipped to the attacker. In the process it created registry entries of a kind normally used to troubleshoot network-related problems.
Next the malware attempted to connect to the fast-flux domain rosefuture.com. At the time of analysis this domain resolved to four different IPs - 124.133.228.122, 208.115.203.138, 60.19.30.135, and 217.24.246.7 - hosted around the world in China, Albania, Texas and Italy. Initially it was looking for a response from http://rosefuture.com/login/hi.php?id=CC863B1B374E49576461&stat=0, which when contacted at the time of analysis returned only "0308 E9C2". This could have been an "OK" or acknowledgment code telling the new bot to maintain its connection.
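As an added example, not part of the original analysis, here is a Python script that hunts for this trojan's check-in traffic in proxy logs. Because the domain is fast-flux and the answering hosts rotate, it does not rely only on the domain and the four addresses above: it also matches the shape of the beacon itself (a GET to /login/hi.php with a long hexadecimal id and a stat parameter), which catches a bot that has moved to a host not yet on the list. The log format and the log lines are constructed for the example; the domain, the four IPs and the beacon URL are the ones from the report, and the assumption that every bot id is upper-case hex of at least 16 characters generalizes from the single id seen.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Indicators from the March 15th sample's network behaviour.
C2_DOMAIN = "rosefuture.com"
C2_IPS = {"124.133.228.122", "208.115.203.138", "60.19.30.135", "217.24.246.7"}
# Check-in seen in the sample: /login/hi.php?id=<hex bot id>&stat=<n>
BEACON_PATH = "/login/hi.php"
BOT_ID = re.compile(r"^[0-9A-F]{16,}$")   # assumption generalized from the one id observed

# Constructed proxy log in a made-up format:
#   <unix ts> <client ip> <method> <url> <server ip> <status>
# Hosts other than the C2 use reserved documentation ranges.
SAMPLE_LOG = """\
1331827200 10.0.0.15 GET http://rosefuture.com/login/hi.php?id=CC863B1B374E49576461&stat=0 60.19.30.135 200
1331827205 10.0.0.22 GET http://www.example.test/index.html 203.0.113.5 200
1331827260 10.0.0.15 GET http://rosefuture.com/login/hi.php?id=CC863B1B374E49576461&stat=1 217.24.246.7 200
1331827300 10.0.0.31 GET http://198.51.100.9/login/hi.php?id=0A1B2C3D4E5F60718293&stat=0 198.51.100.9 200
1331827320 10.0.0.40 GET http://shop.example.test/login/hi.php?id=promo 203.0.113.9 200
1331827400 10.0.0.15 GET http://208.115.203.138/login/hi.php?id=CC863B1B374E49576461&stat=2 208.115.203.138 200
"""


def classify(line: str) -> Optional[dict]:
    """Return a hit record for a suspicious line, or None for benign or unparseable lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client, method, url, server, status = fields
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    bot_id = query.get("id", [""])[0]

    reasons: List[str] = []
    if host == C2_DOMAIN:
        reasons.append("known-c2-domain")
    if host in C2_IPS or server in C2_IPS:
        reasons.append("known-c2-ip")
    # Shape of the beacon, independent of which flux node answered.
    if parts.path == BEACON_PATH and BOT_ID.match(bot_id) and "stat" in query:
        reasons.append("beacon-pattern")
    if not reasons:
        return None
    return {"ts": ts, "client": client, "host": host, "server": server,
            "bot_id": bot_id if "beacon-pattern" in reasons else None,
            "reasons": reasons}


def hunt(log: str) -> List[dict]:
    """All suspicious lines in the log, in order."""
    return [hit for hit in (classify(line) for line in log.splitlines()) if hit]


def infected_clients(log: str) -> Dict[str, Set[str]]:
    """Client IP -> bot ids it has checked in with (beacon-pattern hits only)."""
    result: Dict[str, Set[str]] = {}
    for hit in hunt(log):
        if hit["bot_id"]:
            result.setdefault(hit["client"], set()).add(hit["bot_id"])
    return result


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["ts"], hit["client"], "->", hit["host"], ",".join(hit["reasons"]))
    print(infected_clients(SAMPLE_LOG))
```

The fourth sample line is the interesting one: the bot there talks to an address that is on none of the lists, and only the beacon-pattern rule catches it. The fifth line shows why the pattern includes both the hex id and the stat parameter rather than the path alone, since /login/hi.php is an ordinary enough path to appear on legitimate sites.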
As with the vast majority of Trojans out there today, this one was looking for banking credentials and other sensitive account information. Keep yourself safe by maintaining a defense-in-depth approach to security that utilizes several layers of protection. These should include anti-virus, email and Web filtering, a good firewall, and whatever else makes sense for your organization. Start with the basics and only add what you can handle. If a defensive layer that requires constant attention and human interaction to be effective (e.g., log monitoring) is added without the resources to sustain it, it can end up creating a larger hole than you began with.
Zeus Remains Aggressive
Throughout the second half of March we saw several campaigns utilizing different themes and aggressively attacking potential victims' inboxes, all of which were coming from the same group, as was evident from the URL patterns of the accompanying malicious links. Themes utilized included LinkedIn, PayPal, US Airways, Career Builder and the USPS, among others. All were similar in that they unleashed an onslaught of exploit code against the target machine nearly all at once, designed to exploit holes in software such as Adobe Acrobat and the Java runtime environment. Once any one of the myriad exploits succeeded, Zeus would be installed on the target machine. Here is a look at several of the accompanying emails:
Pinterest Joins the Party
A new(ish) online community called Pinterest has been making a lot of noise as it gains more and more popularity among its users. The site is used by contributors who post or "pin" images with brief descriptions to topics that interest the poster. The images then become links to original articles about the image. Examples include recipes, artwork, clothing, memes or anything else a person can think of to share. Once pinned, the images join a forever scrolling mash-up of pinteresting articles from other contributors. As a member, you can choose to follow certain people or simply browse the masses for attention-grabbing content.
The scam community has also taken notice of Pinterest's buzz and activity. This past month, for example, scammers started posting survey scam content en masse to Pinterest. These scams are reminiscent of similar scams that became very popular on sites like Facebook. As there, the scams offer things like free gift cards or interesting news items to entice would-be victims. After clicking the images, victims are directed through several pages of seemingly innocuous surveys in order to get to the goods. Unfortunately, along the way, the victim will inadvertently sign up for some sort of paid subscription, usually by not unchecking a box with small print, or by clicking a continue button that also carries small print. These scams usually make their money by charging a large recurring monthly fee to the victim's cell phone bill.
Scams can be avoided by remembering that if something appears too good to be true, it usually is, except for our SecureSurf Web Protection service, of course! Shameless plug? Perhaps.