Threat and Spamscape Report
November 2011
What We Saw in October
October was a fairly eventful month in the world of the malicious. The passing of Apple Computer's Steve Jobs at the beginning of the month got a lot of people talking about the man he was and the impact he had on technology. The news also stirred scammers into thinking about new ways to rip off innocent people. Just like past campaigns, scammers sent out links to what were supposed to be news stories, but instead turned out to be malware designed to steal account information from its unsuspecting victims. Here are a few other highlights from the month of October:
- The Zeus Trojan remained hard at work impersonating the United States Chamber of Commerce in a rather confusing ploy to snare business owners.
- Another campaign early on in the month claimed that the IRS was coming after its victims because they had accumulated certain arrears against their accounts. As it turns out, it was just a trick to put fake anti-virus software on their machines.
- A subterfuge that had never been seen before scammers introduced it a couple of months ago remains a very popular theme. We had gotten used to seeing fake delivery service and bank emails laden with malware, but the new favorite of the malware crowd is to mimic the ACH, and Nacha in particular. ACH stands for Automated Clearing House, which is responsible for processing large amounts of credit card and debit card transactions in the United States: a large organization that handles a large amount of money.
- There are many toolkits available for the beginner cybercriminal. Kits like IcePack, CrimePack, GPack, Zeus, and Incognito exist, but none are quite as prevalent as this year's up and comer, Blackhole. We look at how this kit has been combined with an email component to ramp up its effectiveness.
- Libya, and Muammar Gadhafi specifically, has been dominating news headlines for a while. On the 20th of October, after a final standoff in Sirte, Libya's leader was captured and killed. The underground market saw this as another opportunity to deliver malware surrounding the event.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of October. Total spam messages seen during October were nearly identical to September at just over 2.5 billion. During October spam messages accounted for 88 percent of total message traffic.
Tests Failed
This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the month of October.
Regions of Origin
This graph represents both spam and malicious email traffic by region. Spam traffic originating from Europe fell slightly in October, while traffic from North America increased.
Top Ten Countries of Origin
This chart represents the top countries from which spam originated during October. The top spam countries remained the same during October but we did see a notable spike in spam traffic from Vietnam.
Top Email-Delivered Viral Threats
These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver analysts. (This does not mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them.)
- X.UPX.App.pakuber
- X.UPX.App.pakuberb
- X.W32.Yakes.ft
- X.W32.brkn.1018b
- X.Mal\HckPk-A.1
- X.W32.brkn.1018a
- W32\TrojanDownloader.Chep
- W32\Mydoom.R_worm
- X.Brk.Zeus926
- W32\Merond.O_worm
- X.Var.Kazy.1018
- X.W32.BANK.1019NDG.a
- X.UPX.App.pakuberc
- X.W32.Netsky.Q
- W32\Mydoom.Q_worm
- X.W32.PX.pakb
- HTML\Phishing.Gen_trojan
- X.win32.worm.20080529
- X.Mal\BredoZp929b
- W32\Mytob.AX_worm
30 Day Virus Activity
This chart represents email-borne virus and malware activity during the month of October as seen by AppRiver filters. Virus traffic finally subsided from the unprecedented levels that we had seen the previous two months. Although we did still quarantine over 25 million email-borne viruses during the month, this was still only about 15 percent of the traffic that we had seen in September.
Image Spam
The chart below represents total Image spam seen by AppRiver filters during October. Image spam maintained the same levels that we have been seeing for months now. These messages totaled 11 million during October.
Gadhafi Malware Making the Rounds
After nearly every large event that makes world news, we begin to see malicious email and Web campaigns follow almost immediately. This held true after the news of Gadhafi's death on October 20th. Since then we have seen several email campaigns that claimed to have some sort of news or video clips surrounding the event. Not only have we seen emails pretending to come from fake news sources, but we have even seen a few that purported to come from Gadhafi's sons. One of these in particular supposedly contained a .wmv clip of Gadhafi immediately following his capture. The email was written in Portuguese and said "VEJA OS VIDEOS DO CORPO DE MUAMMAR GADDAFI, APÓS SER CAPTURADO PELOS REBELDES", which translates to "See the videos of the body of Muammar Gaddafi, after being captured by the rebels". The attachment appeared to be a Windows Media file, but was instead an .scr file named "fotosweb.scr", which is itself a standalone executable. Once executed, the malware added itself to the system registry's RUN path to make sure it ran every time the computer restarted, and then promptly hid itself in the file system. The malware then made a standard HTTP call over port 80 to a Dropbox account, which was down at the time of testing, so we were unable to verify what further malware it was planning to pull down.
Always be on your toes when it comes to your news source. There are plenty of bad choices out there, but we're doing our best to keep them out of your reach; it's better that way.
Fake IRS Notifications Deliver Malware Infection
We always see a large spike in IRS-themed malware around the April 15th tax deadline each year. However, many cybercriminals feel that it is always a good time to invoke the IRS to trick unwary computer users into infecting their own machines. In fact, it is quite common to see a steady diet of IRS-themed malware year round. During the first week of the month, we saw over 10,000 messages per hour being quarantined that claimed to be tax notifications from the IRS. Subject lines used in these campaigns included "IRS Notification", "Debt for the period 2011", "Your Tax Report", and "IRS Notice". The messages were almost comical in their wording, which warned that "there are arrears reckoned on your account", but they will still fool some small percentage of recipients. The messages all had a file attached named Calculations_#54585.zip (with the numeric values randomized). Each archive contained the file calculations.exe. Once executed, it opened a backdoor for communication and began communicating with falcononfly2006.ru via GET requests over port 80. From there a new infection identified as Trojan.Yandere was installed through the backdoor. This Trojan is associated with the ever popular Rogue AV malware family. We know it is a very frightful feeling to think your arrears have been reckoned, but please resist the temptation and steer clear of these. As always, we are blocking all known variants of this threat.
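The attachment patterns in the Gadhafi and IRS campaigns above (an .scr offered as a video clip, and a randomly numbered Calculations_#NNNNN.zip wrapping calculations.exe) lend themselves to a simple gateway check. The Python below is an added example, not AppRiver's filter code; the quarantine rules, the in-memory zip it builds for itself, and the inclusion of the USChamber.zip name from the Chamber of Commerce campaign later in this report are assumptions for illustration.

```python
import io
import re
import zipfile
from typing import List, Optional

# Extensions Windows will run as native code when the file is opened.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Attachment names seen in the October campaigns (the digits were randomized).
CAMPAIGN_NAME_RES = [re.compile(r"^Calculations_#\d+\.zip$", re.I),
                     re.compile(r"^USChamber\.zip$", re.I)]

def classify_attachment(name: str, content_type: str = "",
                        data: Optional[bytes] = None) -> List[str]:
    """Return the reasons to quarantine an attachment; an empty list means none found."""
    reasons: List[str] = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        # fotosweb.scr was offered as a video: a media type on an executable is a second signal.
        if content_type and not content_type.startswith("application/"):
            reasons.append(f"declared type {content_type} does not match .{ext}")
    for rx in CAMPAIGN_NAME_RES:
        if rx.match(name):
            reasons.append(f"filename matches campaign pattern {rx.pattern}")
    if ext == "zip" and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS:
                        reasons.append(f"archive contains executable {member}")
        except zipfile.BadZipFile:
            reasons.append("archive is not a valid zip file")
    return reasons

def build_zip(member: str, content: bytes) -> bytes:
    """Build a small in-memory zip (constructed sample) so the example runs without files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()

if __name__ == "__main__":
    irs_zip = build_zip("calculations.exe", b"MZ placeholder bytes, not real malware")
    samples = [("fotosweb.scr", "video/x-ms-wmv", None),
               ("Calculations_#54585.zip", "application/zip", irs_zip),
               ("report.pdf", "application/pdf", None)]
    for name, ctype, data in samples:
        print(f"{name}: {classify_attachment(name, ctype, data) or ['clean']}")
```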
Blackhole Toolkit Rivals Zeus
It has become a very familiar sight to see emails with malicious attachments pretending to be from popular shipping companies, as well as fake IRS notifications and similar ploys. Most of these are courtesy of the Zeus trojan, an easily recognizable kit-born trojan hell-bent on stealing banking information from unsuspecting victims. Zeus has been around for quite some time now, and due to its easy availability on the underground forums, it has spread quite rapidly in the wild.
Lately, though, a lesser known toolkit by the name of Blackhole has gained in popularity. The Blackhole toolkit was released onto the underground market less than a year ago and was being sold for around $1500 US per yearly license, which included support. The cost was enough to keep the rookies away and allowed operators of the new toolkit to operate relatively under the radar. That is, until May of this year, when the kit was made available for free in many locations. Since then we have seen a steady increase in the number of infections for which this kit is responsible.
Initially, Blackhole would simply compromise legitimate websites that had the right vulnerabilities; visitors to those sites would then be infected via drive-by download. Now, however, an email component has been added to drive traffic to these sites, which are no longer only compromised legitimate sites but now primarily a slew of random sites set up for the sole purpose of snaring victims.
Early this month, after the passing of Steve Jobs, we began to see emails claiming, under a few varied subject lines, that Apple's co-creator was in fact still alive. These emails contained a link to the "Hot News". Once readers clicked the link they were led to one of thousands of web pages infected by the Blackhole toolkit. The infected site would then run obfuscated JavaScript that looked for vulnerabilities on the visitor's system, exploited them to infect the machine, and installed a backdoor.
More recently we began seeing a new campaign linked to the Blackhole kit, with a new batch of domains associated with it. These emails were made to look like an automated notification from a Hewlett-Packard OfficeJet printer. The email claimed that a document had been scanned and sent to the recipient, and even offered handy links from which to view it.
The links did what anyone would now expect, and shipped the unfortunate person off to more infected web sites. This time the sites included an element, hidden in more obfuscated JavaScript, that attempted to launch a Java routine in addition to the normal attack.
At the time, we saw well over 1500 domains serving up malware created with the Blackhole toolkit, and over 4.5 million pieces of email related to this particular campaign hitting our filters at a rate of 30,000 per minute.
Bad News from the Chamber of Commerce
Even though malware from the Blackhole toolkit is becoming a major player, Zeus is still the champion of malicious infections in both size and spread. One campaign we saw early in the month showed the public that Zeus isn't going anywhere anytime soon. The emails pretended to come from the Chamber of Commerce, using a strong banner complete with the Chamber's logo as well as a footer giving the Chamber's address and other information. The somewhat cryptic message suggested that the Chamber might have a good, mutually beneficial professional partnership to offer the recipient's business, and that all of the pertinent info was supplied in the attachment "USChamber[dot]zip".
The attachment was of course a rather aggressive piece of malware that would open a backdoor on the victim's system in order to download further malicious payloads once it was established. Once it had a foothold, it would attempt to contact two other domains, jokeins[dot]com and agrofond[dot]com. From both of these it would then make a GET request for a file by the name of start[dot]exe. This file was the ever-popular and ubiquitous Zeus. Once Zeus began to run, it would spawn a process by the name of miuf[dot]exe, which in turn launched a keylogger and then started trying to make many outbound connections in classic Zeus style: pinging a different pseudo-random domain name every couple of seconds on port 80, domains such as gzdyhtiyhxbve21d10mvdrjtbzftpucyjq[dot]org, until it found one that was active from which to receive instructions.
Zeus also sent out a handful of UDP packets to an equal number of unique IP addresses, each carrying 72 bytes of data. These originated from random local ports and went to a destination port unique to each recipient IP address, possibly to announce itself to other members of the botnet that the victim would now belong to.
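The domain-cycling behaviour described above (a new pseudo-random name every couple of seconds until a live controller answers) stands out in DNS query logs: one client resolving a burst of long, high-entropy names. The Python below is an added example, not AppRiver's detection code; the log format, the client addresses, the entropy and vowel thresholds, and every name except the one quoted in the report are constructed assumptions.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed DNS query log, one "<epoch> <client> <name>" record per line.
# The first long name is the one quoted in the report; the others are made up.
SAMPLE_DNS_LOG = """\
1319100000 10.0.0.7 www.appriver.com
1319100002 10.0.0.7 gzdyhtiyhxbve21d10mvdrjtbzftpucyjq.org
1319100004 10.0.0.7 qpwoeirutyalskdjfhgzmxncbv7183kd.org
1319100006 10.0.0.7 mnbvcxzlkjhgfdsapoiuytrewq9182qa.com
1319100008 10.0.0.7 zxcvbnmasdfghjklqwertyuiop1029ws.org
1319100010 10.0.0.7 lkjhgfdsaqwertyuiopzxcvbnm5647ed.net
1319100003 10.0.0.9 mail.google.com
1319100005 10.0.0.9 update.microsoft.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_generated(name: str) -> bool:
    """Heuristic for a pseudo-random label: long, high entropy and vowel-poor."""
    label = max(name.lower().split("."), key=len)   # judge the longest label
    if len(label) < 20:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) > 3.5 and vowel_ratio < 0.3

def find_dga_bursts(log: str, window: int = 60, min_names: int = 3) -> Dict[str, List[str]]:
    """Clients that looked up at least min_names distinct generated-looking names within window seconds."""
    per_client: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for line in log.splitlines():
        ts, client, name = line.split()
        if looks_generated(name):
            per_client[client].append((int(ts), name))
    hits: Dict[str, List[str]] = {}
    for client, events in per_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_names:
                hits[client] = sorted(names)   # report each client once
                break
    return hits

if __name__ == "__main__":
    for client, names in find_dga_bursts(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} generated-looking names in one window, e.g. {names[0]}")
```

Ordinary long hostnames such as CDN labels can trip the entropy test, so in practice the burst count per client, not any single name, is what should drive an alert.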