Threat and Spamscape Report
What We Saw in April
April was business as usual for miscreants and malfeasants of the interwebs. Even though the numbers were down this month, they still managed to push out a large volume of spam that irritates us and kills our productivity. They even increased the number of locations from which they reach you. The malware guys didn't slow down either. They came at us with all sorts of unique ploys with a spike on the 9th reaching nearly 14 million pieces. Here are a few of the other highlights we saw during the month of April:
- Once again, as the tax deadline approached us in the US, financially themed malware campaigns started hitting our filters at full speed. The popular financial software company Intuit was used as a disguise for many of these attacks during the month.
- Pizza themed malware came to us several times this past month as well. Each of them courtesy of SpyEye, one of the more expensive malware toolkits available on the underground forums. Apparently with the supposed cost of these pizzas, they're trying to make back some of the money they spent on the toolkit.
- An apparent letter from the Human Resources department warns employees of an upcoming seminar on Fire and Counter Terrorism Safety. If that didn't sound like enough fun, apparently there's going to be a test too! (Or maybe just malware from the Bredo family.)
- The Blackhole toolkit and the Zeus Trojan team up to bring compromise and infection to PCs the world over in a fake NewEgg receipt.
- Zeus also makes a solo performance several times this month, and we go into one in particular that claims to come from Bank of America.
- Spam isn't just for inboxes any more, now we're beginning to see more and more hitting our mobile devices. Currently we're seeing mostly affiliate program based spam, but malware has been popping up consistently as well.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of April. Spam message traffic remained flat throughout the month.
This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the month of April.
Regions of Origin
This graph represents both spam and malicious email traffic by region.
Top Ten Countries of Origin
This chart represents the top countries from which spam originated in April 2012. Spam output from Kazakhstan surged this month, propelling it onto the top ten list for the first time.
Top Email-Delivered Viral Threats
To follow are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver Analysts. (This doesn't mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them).
30-Day Virus Activity
This chart represents email-borne virus and malware activity during the month of April as tracked by AppRiver filters. We quarantined 40.1 million messages containing a virus during the month of April. This is the highest total we have seen since November of 2011. A large push on April 9th, powered in part by a slew of email-borne viruses being sent out by the Zeus Trojan, gave us the highest single day count that we have seen in over 6 months.
The chart below represents total Image spam seen by AppRiver filters in April.
It isn't uncommon to see financially themed malware year-round; however, as the US tax deadline approaches, we tend to see much more of it. Early on in the month, as well as a few weeks beforehand, we were seeing a lot of these malware campaigns pretending to be emails from the do-it-yourself accounting software company Intuit. This particular campaign was disguised as a receipt from Intuit Marketplace, an online service where people can order business materials such as checks, business cards, and tax forms among other things. As is often the case, this receipt is rather generic and fails to itemize the recipient's apparent order, nor does it give a cost. It does give two different options to find out about this mysterious Intuit order though, one is to call the provided 900 number at a rate of $4.79 per minute, or there's a link from which you can download the complete order. The charged phone call option is there most certainly to steer people towards the download link. Once this has been clicked, the victim would have then been secretly redirected through several different websites containing a slew of exploits. Specifically, malware that attempted to pierce unpatched holes in Java as well as a pdf exploit. Once the compromise is achieved, the victim's computer was then taken under control of its attackers.
A Bad Egg
Another somewhat flashy malware campaign we saw in April was one pretending to be a purchase receipt again, but this time from newegg.com. As you may know, NewEgg is an online shop for everything computer - a parts and peripheral place that most people have likely ordered from at least once. Here again the receipt doesn't provide details on exactly what was supposedly purchased, but it does provide links where one can "contact" them with questions. These links go to where you might expect by now, not NewEgg staff, but to one of many websites containing a custom crafted index.html page with exploit code from the Blackhole toolkit. Among many downloaded exploits and bits of malware, this particular infection also led to the creation of a file by the name of 7zBY7xS.exe. This file is recognized as being a variant of the Zeus family of malware. With these two power hitters sharing the same stage, it's apparent that this particular malware run was really up to no good.
Another Bogus Bank "Security Update" Serving Up Zeus
During the second week of April we began to see virus traffic spike to very high levels. On the 9th of the month, we saw the number of email-borne malware reaching almost 14 million pieces, the most we had seen in five month. One of these campaigns appeared to have come from Bank of America. The messages purported to be from the "BoA Security Department" and said that the bank was making security upgrades. There was of course a file attached that the addressee was asked to open and run. The .zip file contained an .exe, and once executed it would infect the target with the ever-popular ZBOT malware family. Ironically the victim that was hoping to avoid banking fraud is now host to the sinister banking Trojan. The Zbot or Zeus malware family has been stealing money from people's bank accounts and other sensitive logins since 2008. In addition to capturing your bank account login credentials Zeus has been known to steal Facebook logins as well. In addition to information theft, Zbot also hijacks its victims' machines and enslaves it to a botnet. When we began blocking this particular iteration of the Zeus Trojan it was not being recognized by any of the 42 Antivirus Engines that we scanned it against, making us the first to identify it as malicious and get signatures in place.
A Surge of Smartphone Spam
Remember the days when spam was free? Forget the fact that everyone hates it and had just now gotten used to the fact that it was constantly aiming for your inbox. Now these pesky messages are everywhere, including your phone. And they're not just annoying anymore. They're actually costing unlucky recipients money.
For many, every text to their phone translates to another little charge on their bill. Spammers are cashing in on this on the ease in which users can follow links in SMS messages. The texts are growing more and more prevalent, offering free gift certificates, iPads, and iPhones. Just for fun, we took the bait to find out what one of these campaigns was up to.
It appears we were randomly selected, which is sort of true. These spammers are using automated dialers to send these out en masse. Don't be tricked into responding to them or clicking on the links. If you respond, they'll often be able to tell that they've got a live one, and you'll quickly become a favorite.
This particular campaign is simply an attempt to trick its victims into willfully accepting their unrelenting "marketing" blasts. They never really give anyone anything, nor does it seem that they ever offer anything real. Often times though, these links can lead to malware.
The mobile market is a growing target for these guys as operating systems become more and more predicable (read: iOS/Android). In this case, it works in the same way as another shady practice called "Pay Per Install". The PPI business is all over the place as exemplified by those sneaky toolbars that people accidentally install with other software. In the PPI business, people will become affiliates for other software makers. Some are legitimate; others not so much. The affiliate gets a tiny fee for every unique installation of the software. To make big bucks however, affiliates need to send these things to as many people as possible.
This is the same model now being used by text spammers. The person blasting out these texts are affiliates trying to rip people off. The affiliate ID is appended to the back of the URL in the link above. Every time a unique IP visits that website, this affiliate makes a little money. Anyone following the link would be redirected to about six or seven different sites, each one with a different affiliate ID. (This is likely the same person attempting to use and capitalize on several different programs at once.)
Usually these are survey scams that trick people into receiving several very high cost text messages, but this one only offered a convenient way to purchase from their affiliates, continue making purchases from them, and then make some more. When the user catches on and stops buying, the company can say that the victim broke the contract so they won't have to send them anything.
Just in case somehow a person did legally stay true to their ridiculous demands, they also have a clause that says "Company reserves the right to substitute a product of comparable value for the reward. "Comparable value" shall be determined by Company :"in its sole discretion". "Company" doesn't even have a name. Also included is an agreement to accept their future spam onslaught, which was certainly not legal in the first place thanks both to the CAN-SPAM Act as well as the Telephone Consumer Protection Act. We're not exactly sure how binding this electronic contract is, but they've certainly put forth the effort.
Fire and Counter Terrorism Safety
A rather unique plain text malware campaign started hitting our filters just after mid-month. This campaign came with the subject line "RE: Fire Safety joint event". These emails were meant to be a heads-up from the recipients' HR department. There were several different variations of the emails, but all notified employees that the company was about to embark on a joint training event with "Fire and Counter Terrorism Safety". According to the different versions of the email, there were also to be two to four tests given after the event. The messages go on to say that last year's performance on these tests was sub-par giving an "X out of ten" employees could not pass notice. The kind HR worker supposedly was giving employees a running start on this year's performance by attaching the study materials to these notices. The attachment was instead a Trojan designed to infect the unwary.
Pizza Ploy Makes the Rounds
Another interesting and unique ploy by the bad guys this month came in the form of an itemized receipt that claims the addressee had just ordered a pizza. On the 24th we saw right around a million pieces from this campaign alone, coming in at a rate of 1500 per minute at its peak. The pizza order varied from email to email but was always a rather large one with a rather hefty price tag. Toward the end of the order was this line: "If you haven't made the order and it's a fraud case, please follow the link and cancel the order." Most went ahead and clicked the "Cancel Order Now" link, since they hadn't ordered an overpriced pizza.
Out of the million or so emails, the "Cancel Order Now" links were sharing references to 40 different domains. All of them hosted a page that displayed the heading "WAIT PLEASE" in bold letters followed by "Waiting..." below. Beneath the surface though, the page was running three different scripts attempting to download and run another script by the name of "js.js" from three different places. All of these did the same thing and the redundancy was in case any of the three sites went down.
The "js.js" script pulled down several files from the IP 188.8.131.52 which is located in Chicago, IL. All of these belonged to the SpyEye family. Among the ones pulled down was a pdf exploit as well as a Java exploit. Once these weaseled their way into the newly infected system, a myriad of further downloads and communications took place, including a couple of components that made encrypted POSTs to 184.108.40.206 in France.
SpyEye became somewhat infamous in the underground economy when it appeared on the scene three years or so ago and went against then front runner Zeus. Both of these were being sold as automated malware toolkits on underground forums. The authors of these toolkits were in competition with one another until the author of Zeus sold his source code to the SpyEye author who then incorporated it into his kit. Zeus is still available for purchase, but it has been replicated and reused by many different groups, especially since the code was released. As a result there are many different unsupported versions going around.
SpyEye, on the other hand, is available at a cost of around upwards of $10,000 US. This version is specifically customized and supported by the author. The cost of the kit often comes with a year's license and the author will answer any questions to help users get it off the ground. He will also help to repack its payload into new undetected variants as many times as necessary for the length of the license. This just goes to illustrate the professionalism on both sides of the coin.