Threat and Spamscape Report
June 2012
What We Saw in May
Overall, we saw our traffic volume decline during the month of May. Even with the decline, the
United States remained in the lead with the most spam originating domestically, spawning over 200
million pieces of unsolicited junk mail. Meanwhile, virus traffic remained high, with peaks rising at
points to nearly 2 million pieces in a single day towards the end of the month. We also saw a handful of
scams repeating themselves throughout the month, reusing themes over and over with only slight
fluctuations in their intended payloads. All in all, it was business as usual. Here are a few of the other
highlights from the month of May:
- Continuing on from April, we saw emails targeting businesses and pretending to be from the Better
Business Bureau, informing those in charge that complaints had been received against them. The
attachment was supposed to contain the details; instead it contained a Trojan downloader that
was poised to download and install a Zeus variant.
- Speaking of Zeus, we saw an interesting variant on the morning of the 23rd cycle through. This
particular campaign brought a little extra fun to the party in addition to its normal MO. A fake
anti-virus scam by the name of Smart Fortress 2012 was also included, something we hadn't
seen riding on board with Zeus before.
- Another scam we saw repeatedly during May was an old favorite that targeted LinkedIn members.
Claiming that messages were waiting, these emails instead linked to SpyEye.
- A new piece of malware has been discovered in the wild targeting Middle Eastern and North
African countries, and it has all of the signatures of a state-sponsored attack. Like Stuxnet
and Duqu, its code is far more complex than everyday malware. Even though the day-to-day,
attack-anyone kind of malware has become more and more complex in recent years, what has been
dubbed "Flame" is still on a completely different level.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of May. Spam traffic tapered off
throughout the month of May. In all, our spam and virus filters quarantined around 1.5 billion messages
during May.
Tests Failed
This chart represents the number of times messages failed various tests over the past month. Keep in
mind that many messages failed multiple tests; hence the total from these charts will surpass the total
individual pieces of spam seen during the month of May.
Regions of Origin
This graph represents both spam and malicious email traffic by region. The dispersal of spam message
origination remained relatively unchanged during May.
Top Ten Countries of Origin
This chart represents the top countries from which spam originated during May. Nine of the top ten
spam-originating countries showed a decline in spam output during May, with the exception of Iran,
whose modest increase propelled it into the number ten spot.
Top Email-Delivered Viral Threats
These are the top 20 malware threats we saw last month in order of frequency, with the most frequent
appearing in the top position. The virus names that begin with "X." signify rules that were written by
AppRiver Analysts. (This doesn't mean that other anti-virus vendors didn't eventually have definitions in
place for these viruses; it simply means that AppRiver often had protection in place before many of
them).
- W32.Bredo.App.pakc
- X.W32.Zbot.OVD.pak
- X.Mal\BredoZp-B-5.12DHLEr
- X.W32.Mytob.App.pak
- X.W32.Androm.58a
- X.W32.bbb.zbot.52b
- X.DHL.TROj.ndg514
- X.W32.spmpic.img.jr5.3a
- X.W32.BBB.59a
- X.W32\Zbot.CJFW.a
- X.UPX.App.pakuber
- X.W32.androm.pak.58a
- X.W32.J.Androm.bb
- X.DHL.TROj2.ksa515
- X.W32.Zbot.img.57a
- X.W32.Sasfis.pak
- X.Troj\Zbot-BUX.0506BBB
- X.W32.Bredo.dhl.0516a
- X.DHL.TROj2.ndg515
- X.W32.troj.58.b
30-Day Virus Activity
This chart represents email-borne virus and malware activity during the month of May as seen by
AppRiver filters. Email-borne virus messages kept up their rapid pace for the second month in a
row; in all, we quarantined over 29 million of these messages during May.
Image Spam
The chart below represents total Image spam seen by AppRiver filters during May. The common tactic of
disguising spam content within images remained active in May.
'Flame' Trojan, another Piece of Government Sponsored Malware?
A recently-discovered piece of malware dubbed "Flame" appears
to be a highly sophisticated espionage toolkit that is currently
making its way around targeted systems. The malware goes to
work by spying on infected systems and capturing a large amount
of information. To date, infections are concentrated in Iran and
other countries in the Middle East and North Africa. Flame has
capabilities to exfiltrate all types of data including documents
stored on host machines, record keystrokes, take screenshots
and even activate microphones and listen in on conversations. It appears that this is another
state-sponsored infection such as Stuxnet or Duqu. However, Flame does not appear to have the same
author.
What's particularly disconcerting from a security standpoint is that Flame went undetected for nearly
two years. We wrote about targeted malware attacks in AppRiver's 2012 Prediction Report and
discussed the high probability that if in the wrong hands, targeted malware could become weaponized:
Targeted Malware - Stuxnet and Duqu raised more than a few eyebrows as they may have done
more than unwillingly steal the top of the headlines this past year. These incredibly complex
pieces of malware made their way to specific targets with incredible swiftness and accuracy.
There's no doubt that this type of attack whether it be government sponsored or otherwise will
remain at least as prevalent if not more so in 2012. The Flame toolkit also shows evidence of
state sponsorship, though it almost assuredly has different authors and a less focused goal. Its
highly complex code gives analysts a strong feeling that this is no ordinary malware, but instead
something that was meant to gather as much information as possible from its intended targets.
It is obvious now that cyberspace has been weaponized and we will continue to see attacks of
this fashion as long as they remain effective.
Stuxnet, Duqu and Flame are prime examples of the era we now live in, where cyber-war and
cyber-espionage are becoming more mainstream and are successfully exploiting infected systems.
Unfortunately, we can expect these types of threats to grow in sophistication and regularity in the
years to come.
Anti-Social Networking
As has been the case for a good long while, spammers, scammers and malware authors always go to
where the people are. A surefire bet for these guys, when looking for the biggest audience, is to go
after the social networking sites. Facebook certainly comes to mind as a constant target over the past
few years, with its active user count now at 800 million. LinkedIn may have only a fraction of that
membership, at 161 million active members, but it is still a very big target to these guys.
LinkedIn, as most people know by now, is a social networking site aimed at professionals, the
online version of good old-fashioned human networking. It is also a place where people show off their
skills and resumes to potential employers and search for qualified employees. That makes it a perfect
place to trick those who are desperately following any employment lead they get, at a time when the
economy has been less than stable. Instead of placing their attacks directly on the LinkedIn site, which
is defended by the LinkedIn security crew, the attackers take an easier approach: mass mailing false
LinkedIn notifications in a cast-net fashion. These end up going to tons of mailboxes whose owners
aren't necessarily subscribers of the social network, but plenty also land with people who are. From
there they rely on those who overlook the ploy and click their links.
One such ploy that was floating around in May used colored text and graphics to add to the realism of
an actual LinkedIn notification. The email informed its recipients of pending messages and requests
from people to add them to their networks. Once any of these links were clicked, the malware went to
work installing itself on its new host. Once inside, it looked around its environment to make sure there
were no debuggers present, which would tip the malware off that someone was analyzing the sample,
in which case it could shut itself down. After it felt the coast was clear, it went into a long sleep mode.
This was possibly done to detect whether or not it was running in a virtual environment by comparing
clock times across the sleep period. After this, the malware began to steal browser histories and
cookies and send them back to the C&C server, all the while hiding critical error and security
messages. The malware then went on to hide itself by injecting its code into already running processes,
and added itself to auto-run sections in the registry. From there it would lie in wait, logging keystrokes
and communicating with its new controller.
Evasive Malware Delivered in Fake BBB Complaint
In a continuation from the previous month, malicious emails made up to look like complaints from the
Better Business Bureau hit our filters early on in the month of May. These messages attempted to
convince their recipients that the BBB had recovered a complaint from a customer and that the file
attached to the email contained a summary.
The recipient was instructed to open and read the attached "report" and reply with their response to
the claim. The problem was that the "report" was actually an executable file that contained a nasty
Trojan.
Preliminary examination of the file indicated that it was a variant of the ever popular Zeus or Zbot.
However, some behaviors differ slightly from some of the most recent Zbot infections we have
examined.
Once this variant launched and hid itself, it did a good job of disarming the host machine by making the
following changes: disabled the Task Manager, disabled the signed binary check, modified Windows
Explorer settings, and reduced further executable download risk on most extensions.
Communication was also observed with the following domains:
- unocardgam(dot)com
- whatisadebima(dot)com
- wisudarel(dot)com
- fokuslol(dot)com
- froukloro(dot)com
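As an added defender-side illustration (not code from the report or from AppRiver), the script below refangs the five C&C domains listed above and searches DNS query logs for hosts that resolved them or any of their subdomains; the dnsmasq-style log format, the sample lines and the client addresses are constructed assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple
# C&C domains reported for this Zbot variant, kept defanged as written on the page.
DEFANGED_C2_DOMAINS = [
    "unocardgam(dot)com", "whatisadebima(dot)com", "wisudarel(dot)com",
    "fokuslol(dot)com", "froukloro(dot)com",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example(dot)com' into a matchable name."""
    return indicator.replace("(dot)", ".").replace("[.]", ".").strip().lower().rstrip(".")

def matching_indicator(query_name: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator the queried name equals or is a subdomain of, else None.
    Matching on the dot boundary means 'cdn.wisudarel.com' hits but the look-alike
    'fokuslol.com.example.net' does not (the indicator is not its suffix)."""
    name = query_name.lower().rstrip(".")
    for ind in indicators:
        if name == ind or name.endswith("." + ind):
            return ind
    return None
# dnsmasq-style query line: timestamp, host, program, query type, name, client.
DNS_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dnsmasq\[\d+\]:\s+"
    r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)
# Constructed sample log (not from the report); the last line is a look-alike
# domain that must not match.
SAMPLE_DNS_LOG = """\
May 10 08:12:01 gw dnsmasq[512]: query[A] www.example.com from 10.0.0.15
May 10 08:12:03 gw dnsmasq[512]: query[A] unocardgam.com from 10.0.0.15
May 10 08:12:04 gw dnsmasq[512]: query[A] cdn.wisudarel.com from 10.0.0.15
May 10 08:13:10 gw dnsmasq[512]: query[A] mail.example.org from 10.0.0.22
May 10 08:15:42 gw dnsmasq[512]: query[A] fokuslol.com.example.net from 10.0.0.22
"""

def find_c2_lookups(log_text: str, defanged: Iterable[str] = DEFANGED_C2_DOMAINS
                    ) -> List[Tuple[str, str, str, str]]:
    """Scan DNS query log lines; return (timestamp, client, queried name, indicator) hits."""
    indicators = [refang(d) for d in defanged]
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if m is None:
            continue  # not a query line
        ind = matching_indicator(m["name"], indicators)
        if ind is not None:
            hits.append((m["ts"], m["client"], m["name"], ind))
    return hits
```

Each hit names the internal client that performed the lookup, which is the host to pull for examination; feeding the same list into a resolver block list or proxy policy is the corresponding preventive step.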
At the time only 9 of 42 (21%) AV providers were identifying this threat as malicious. The Zbot or Zeus
malware family has been stealing money from people’s bank accounts and other sensitive logins since
2008. In addition to capturing bank account login credentials, Zeus has been known to steal Facebook
logins as well. Besides information theft, Zbot also hijacks its victim machine and enslaves it to a botnet.
Avoid falling for this attack, and if ever in doubt, pick up the phone and call the supposed sender.
A New Version of Zeus
Early on May 23rd we saw a new payload peppered in with the many Zeus and SpyEye offerings. It
appeared to be a new version of the already infamous toolkit known for stealing financial data. In
addition to performing the same behind the scenes malicious activities such as stealing browser cookies,
ftp credentials, banking login credentials, and general keylogging, this version added a new flavor to the
mix. This one included what appeared to be a new brand of Fake AV or Ransomware on top of what it
had already been offering. Let's start at the beginning:
These arrived as emails pretending to be from PayPal. The emails claimed that the recipient had made a
payment to some random person whose name changed from email to email. The amount sent was
usually a pretty large number, in the hundreds of dollars range. Once this was successful at grabbing the
victim's attention, they would then likely be persuaded into clicking one of the several links included to
supposedly contact PayPal to see what's going on. Once clicked the malware went right to work
contacting an abundance of various domains which would then begin downloading and installing various
components of the malware. This particular variant contacted an initial 16 different domains to gather
its wares.
Among the actions we now consider normal for Zeus, such as making copies of itself and injecting itself
into running processes, this variant also disabled error messages, firewalls and existing anti-virus
solutions just before it presented the newly infected user with what it called Smart Fortress 2012. The
new fake anti-virus software then started, appeared to scan the new system, and began displaying a
long list of "infections". Though it is true that this machine would indeed now be infected, it was not by
anything that the fake software had displayed. Now, not only was Zeus stealing money beneath the
surface, but it was also trying to get its victims to willingly turn some over in order to regain control of
their computers. Little did they know that attempting to appease the fake AV by paying for "malware
removal" would only result in losing more money and keeping all of the same infections. The best thing
to do for users who saw this Smart Fortress pop-up would have been to disconnect all network
connections and hope that their backup was up to date.
For some reason this particular Smart Fortress addition to Zeus only ran for a couple of hours before we
stopped seeing it. After that, Zeus went back to its old tricks, shedding the fake anti-virus technique.
These things do come and go, and the fake AV technique has been used many times in the past. It is
possible that Zeus had rented out some temporary space in its payload to another group, or that they
were just trying something a little different.