Threat and Spamscape Report
What We Saw in August
The events in Libya have spurred a large amount of unwanted email using the subject matter in an attempt to entice recipients to open spam emails. Subject lines read, "VIDEO: Rebels target Gaddafi's home town", "VIDEO: Inside Gaddafi's ransacked compound", and "Gaddafi 'still threat' for Libya", while contents include everything from the run-of-the-mill Viagra ads to Libyan revolution-themed 419 scams. Scammers have always been opportunists utilizing themes from current events as a method to pique interest. Here are a few other highlights from the month of August:
- Zeus was still making appearances last month, most notably mimicking the Internal Revenue Service, The Board of the Federal Reserve System, and NACHA - The Electronic Payments Association. The latter was a victim twice over during August, with another targeted attack occurring at the end of the month.
- The second attack purporting to come from NACHA used a little less snappy graphics, but just as many tricks to make its home inside of its host machine.
- Malware takes the reins as its overall volume rivals that of spam. Out of all spam and malicious traffic throughout the month, malware climbed to an unprecedented 37% of all unwanted traffic. Last year at this time, malware was closer to only 10%, and only around 2% during a spike in 2009.
- Bank of Montreal customers were the intended target of a couple of phishing campaigns that came through this past month. The emails were in plain text without any supporting logos or graphics, and the accompanying HTML attachment left something to be desired.
- Fake traffic tickets from the state of New York invaded inboxes for a couple of weeks straight in mid-August.
- A new worm by the name of Morto began spreading to unprotected systems over the RDP protocol, aided by weak passwords.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of August. Driven in part by a large surge in malicious email, we saw the first upward trend in spam in quite a while.
This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the month of August.
Regions of Origin
This graph represents both spam and malicious email traffic by region. In August, we saw a noteworthy spike in spam traffic originating in the US. The US accounted for nearly 21 percent of spam traffic seen by our filter, an increase of 8 percent from the previous month.
Top Ten Countries of Origin
This chart represents the top countries from which spam originated during August. For the first time ever, India surpassed the US and Russian Federation to become the number one spam producing country in the world.
Top Email-Delivered Viral Threats
These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver Analysts. (This does not mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them).
30 Day Virus Activity
This chart represents email-borne virus and malware activity during the month of August as seen by AppRiver filters. Virus traffic was certainly spewing out at a break-neck pace throughout the month. At one point, one out of every four messages contained malware (or a link to malware). In sum, we quarantined 179 million malware-laden messages in August, the most we have seen in a single month since 2009.
The chart below represents total Image spam seen by AppRiver filters in August. The practice of using embedded images in emails to deliver spam content has tapered off in favor of obfuscated links.
Zeus - God of Malicious Email
Early in the month we saw a fairly large Zeus-laden campaign hit our filters. The emails were taking on a few different personas, with the majority being that of the Internal Revenue Service. The other two, to a lesser extent, were the Federal Reserve and the NACHA Electronic Payments Association, which is a non-profit group that provides rules and regulations for electronic transactions such as insurance premiums and mortgage loans. The group claims to have one of the largest and safest payment systems in the world. This may be true, but these imposters were anything but safe.
As most people know by now, Zeus is currently the most frequently seen piece of malware circulating through the interwebs. It works its way onto victim machines and installs malicious software that siphons off bank account credentials. In this particular campaign, we saw over 1 million pieces, hitting our filter at an average rate of around one every two seconds. Each email contained a link to a remotely hosted file. The domains on which they were hosted were: irs-report-file.com, nacha-transactions.com, irs-tax-reports.com, federal-taxes.us, irs-alerts-report.com, federalresrve.com, files-irs-pdf.com, nacha-files.com, and nacha-security.com.
The filenames varied depending on the facade being used. Those included: wire-report.pdf.exe, your-tax-report.pdf.exe, 00000700955060US.pdf.exe, alert-report.pdf.exe, tax_00077034772.pdf.exe, transaction_report.pdf.exe, and 3029230818209.pdf.exe.
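The two tells in this campaign, an executable hidden behind a ".pdf" name and link domains that borrow a brand name without being the brand's real domain, are easy to check mechanically at the mail gateway. The following is an added example written for this report, not AppRiver's filter code; the brand tokens, the "real" domains they map to, and the sample inputs are assumptions constructed from the names quoted above.

```python
# Assumed brand tokens and the domains those brands really use (not from the report).
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "htm", "html"}
BRAND_TOKENS = {"irs": "irs.gov", "nacha": "nacha.org", "federalres": "federalreserve.gov"}

def double_extension(filename):
    """Return (inner, outer) when an executable extension hides behind a document-looking one, else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] in EXECUTABLE_EXT and parts[1] in DOCUMENT_EXT:
        return (parts[1], parts[2])
    return None

def lookalike_brand(host):
    """Return the brand token a host borrows when it is not that brand's own domain, else None."""
    host = host.lower().strip(".")
    for real in BRAND_TOKENS.values():
        if host == real or host.endswith("." + real):
            return None  # the brand's own domain (or a subdomain of it)
    # Compare per label so "firstbank" does not match "irs" but "files-irs-pdf" does.
    for label in host.replace("-", ".").split("."):
        for token in BRAND_TOKENS:
            if label.startswith(token):
                return token
    return None

def triage(attachments, link_hosts):
    """Collect the reasons a message would be held, mirroring the campaign's two tells."""
    reasons = []
    for name in attachments:
        hit = double_extension(name)
        if hit:
            reasons.append(f"attachment {name}: '{hit[0]}' document is really a '{hit[1]}' executable")
    for host in link_hosts:
        brand = lookalike_brand(host)
        if brand:
            reasons.append(f"link host {host}: uses '{brand}' branding but is not {BRAND_TOKENS[brand]}")
    return reasons

# Constructed sample built from names quoted in the report, plus two benign controls.
SAMPLE_ATTACHMENTS = ["wire-report.pdf.exe", "tax_00077034772.pdf.exe", "quarterly_report.pdf"]
SAMPLE_HOSTS = ["federalresrve.com", "nacha-files.com", "irs.gov", "firstbank.example"]

if __name__ == "__main__":
    for reason in triage(SAMPLE_ATTACHMENTS, SAMPLE_HOSTS):
        print("HOLD:", reason)
```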
NACHA - Two Time Victim
Not only was NACHA the victim of a minor run of malware early in the month, but Black Hats decided to reuse this ploy later on in an attempt to snare additional victims. In the last week of August, we saw a huge rate of malware pretending to come from the automated clearing house network NACHA, nearly 3 million pieces in about 12 hours. Similar to the attacks earlier in the month, these emails were focusing heavily on the NACHA name. NACHA is a non-profit group that provides rules and regulations for electronic transactions such as insurance premiums, mortgage loans, and as they say on their site "the backbone for the electronic movement of money and data."
The emails were a little less decorated than the ones we saw previously this month, but they used the same basic ploy. They claimed that a payment transaction had been cancelled, which can be a very big deal if that's someone's mortgage payment attempting to traverse the wires. Something like this could certainly cause someone to panic in a time of recession and foreclosure. These messages were certainly fakes, but the threat was cause for alarm.
The attachment, "report_082011&-65.pdf.exe", was a busy one once executed. It began by checking its environment to see whether it was running under a debugger, a sort of self-defense mechanism it used to avoid being analyzed by those pesky AV people. After that it injected itself into running processes in true rootkit fashion and deleted its original file, seemingly disappearing into the ether. Unfortunately, it did not. The file was in fact a downloader that brought its friend Zeus to the party. It did so by spawning several processes, including one that reached out first to a Google IP to check for network connectivity, and then to a pseudo-random domain name, in this case qimqzrtpkmukd[dot]com at 184.108.40.206, in order to connect to its command and control server. Once the connection was made, the victim machine became infected with Zeus, became part of a botnet, and the controller could then continue to push down further malware and siphon off information as they pleased. Stay away from unwanted emails from unknown senders, and always question alerts that claim packages couldn't be delivered, transactions have failed, your password needs to be changed, or anything that would require you to open an attachment or enter personal information in order to be viewed. They're likely malicious, so err on the side of caution. In the meantime, AppRiver customers will only be able to see these in their Held Mail Reports.
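The pseudo-random C2 name above (qimqzrtpkmukd[dot]com) is the kind of thing outbound DNS monitoring can catch on its own, because generated labels tend to have very few vowels and long consonant runs compared with names people choose. Here is an added example of that heuristic, written for this report rather than taken from it; the thresholds are assumptions tuned only against the handful of names on this page, so a real deployment would calibrate them against its own DNS baseline.

```python
VOWELS = set("aeiou")

def registrable_label(domain):
    """Second-to-last label of a domain; assumes a one-part public suffix (.com, .net, .gov)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def domain_features(domain):
    """Vowel ratio and longest consonant run of the registrable label (hyphens and digits break runs)."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest_run = run = 0
    for c in label:
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest_run = max(longest_run, run)
    return {"label": label, "vowel_ratio": vowel_ratio, "consonant_run": longest_run}

def looks_generated(domain, min_len=10, max_vowel_ratio=0.25, min_consonant_run=5):
    """True when a label is long and either vowel-starved or contains a long consonant run (assumed thresholds)."""
    f = domain_features(domain)
    if len(f["label"]) < min_len:
        return False  # short labels are too noisy to judge with this heuristic
    return f["vowel_ratio"] <= max_vowel_ratio or f["consonant_run"] >= min_consonant_run

def flag_queries(queries):
    """Return the queried names that look machine-generated, for a DNS log review queue."""
    return [q for q in queries if looks_generated(q)]

# Constructed sample of queried names: the C2 name from the report plus legitimate-looking controls.
SAMPLE_QUERIES = ["qimqzrtpkmukd.com", "www.google.com", "federalreserve.gov", "nacha-security.com"]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, domain_features(q), "SUSPECT" if looks_generated(q) else "ok")
```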
Phishing at the Bank of Montreal
This month we saw a couple of different phishing campaigns that focused on clients of the Bank of Montreal. Each of these came in as a plain text email without the normal supporting logo or graphics of any sort. One email claimed the usual account password security issue that we're so used to, and the other claimed to deposit $200 into the recipient's account for taking a short survey. Both of these came with an HTML attachment that was poorly thrown together, but its purpose was to obtain account and personal, private information. These should have been apparent frauds, but just in case we held on to them for safe keeping.
Malware Laden Spam Reaches New Heights
On August 12th we began seeing a very significant spike in malicious spam. Although spam numbers have been slightly down overall we are now seeing some of the highest numbers ever witnessed when it comes to malicious spam as a percentage of overall spam traffic. In fact not since August of 2008 have we seen such a large and sustained malware push. During the second week of August 2011, 23.5 percent of all spam traffic had been malicious messages. At its peak on Sunday, August 13th malicious messages comprised a whopping 37 percent of all spam.
Here is a look at the malicious traffic spike:
This chart represents malicious messages as a percent of total spam traffic:
On average we see malware in roughly 5 percent of all spam traffic. It would appear this month that someone or multiple groups are attempting to rebuild their botnets. This has certainly been the trend over the past few years. While spam has plateaued (for the time being) the messages themselves have become much more dangerous than ever before.
The malicious messages that we found in most abundance over the week of this spike claimed to be from either USPS, DHL or FedEx. Analysis of these various campaigns indicated that these three campaigns were likely from the same botnet. Some of the other more prolific malware campaigns that we were monitoring utilized themes of IRS Notices, Hotel Refunds, Change Logs, Credit Card Block Notifications and Fake Invoices. Most of these message attachments led to the install of a Trojan downloader. Once installed, your machine could be infected with various forms of Scareware and/or Keyloggers, in addition to becoming part of the botnet itself.
You Received a Ticket
On August 17th, we began receiving a hefty dose of emails claiming to come from the state of New York. The emails claimed that the recipient had received a speeding ticket from the State on July 5th. This could have certainly struck some curiosity in those who hadn't been in New York at that time, and likely even more in people who had. Either way, the notice went on to say that in order to plead their case, they had to print out the attached copy of the ticket and mail it to, "Town Court, Chatam Hall." In addition, the emails were dated August 3rd and August 4th despite coming in on the 17th. This was likely to add a bit of anxiousness for the recipient, as a normal time to respond to these sorts of things is between two weeks and thirty days. The attachment was, of course, malware, a trojan downloader. Be aware that even though this email appeared slightly "legal" due to its blocky layout (perhaps?), it was missing a lot of critical data that a true legal notice should contain. In fact, real legal notices often contain so much information that it's often difficult to figure out exactly what they're saying. I imagine that this was part of the ploy as well, to get victims to search for the details within the attachment. Don't be tempted to look! This is just another popular social engineering technique that these guys employ.
The Morto Worm Spreads to Weak Systems
In the past few weeks, a worm dubbed "Morto" has been spreading on the Internet. Morto attempts to propagate itself to additional computers via the Remote Desktop Protocol (RDP). Morto spreads by having infected systems scan for servers allowing RDP login. Once Morto finds an RDP-accessible system, it attempts to log in to a domain or local system account named 'Administrator' using one of the following weak passwords: admin, password, server, test, user, pass, letmein, 1234qwer, 1q2w3e, 1qaz2wsx, aaa, abc123, abcd1234, admin123, 111, 123, 369, 1111, 12345, 111111, 123123, 123321, 123456, 654321, 666666, 888888, 1234567, 12345678, 123456789, 1234567890. Upon successful login, Morto uploads a payload to the victim computer using the filename 'a.dll'. When this payload is executed, the following files are created: %windows%\clb.dll, %windows%\temp\ntshrui.dll, <system folder>\sens32.dll, and C:\windows\offline web pages\cache.txt.
Morto will also disable active Anti-Virus programs on the host machine. Infected systems will have a REG_BINARY value under HKEY_LOCAL_MACHINE\SYSTEM\Wpa named "md" created by the malware. The malware can be prevented from executing on the machine by deleting this value. Morto then attempts to find other systems to infect by scanning for other RDP servers on TCP port 3389.
Morto also has botnet-like functionality wherein the payload attempts to communicate with command and control servers within the following domain names: jifr.info, jifr.co.cc, jifr.co.be, jifr.net, qfsl.net, qfsl.co.cc, and qfsl.co.be.
Despite the fact that Morto can easily be avoided, it still found success in spreading across many weakly protected systems on the internet. This infection can be deflected by simply using a strong password and by placing strict limitations on RDP access.
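Because Morto guesses a short password list against 'Administrator' over RDP, its footprint in the Windows Security log is a burst of failed remote-interactive logons from one source, often followed by a success from the same source. The following added example (not part of the report, and not AppRiver tooling) flags that pattern over a constructed log export; the one-line record format is an assumption modelled on event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive), so it would need a parser matched to your own export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one event per line (format is assumed, not a real Windows export).
SAMPLE_LOG = """\
2011-08-28T10:00:01Z id=4625 src=203.0.113.5 user=Administrator logon_type=10
2011-08-28T10:00:02Z id=4625 src=203.0.113.5 user=Administrator logon_type=10
2011-08-28T10:00:03Z id=4625 src=203.0.113.5 user=Administrator logon_type=10
2011-08-28T10:00:04Z id=4625 src=203.0.113.5 user=Administrator logon_type=10
2011-08-28T10:00:05Z id=4625 src=203.0.113.5 user=Administrator logon_type=10
2011-08-28T10:00:06Z id=4624 src=203.0.113.5 user=Administrator logon_type=10
2011-08-28T10:05:00Z id=4625 src=198.51.100.7 user=jsmith logon_type=10
2011-08-28T11:30:00Z id=4624 src=198.51.100.7 user=jsmith logon_type=10
"""

LINE_RE = re.compile(r"^(\S+) id=(\d+) src=(\S+) user=(\S+) logon_type=(\d+)$")

def parse(log_text):
    """Turn the sample export into event dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, eid, src, user, ltype = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "id": int(eid),
                           "src": src, "user": user, "logon_type": int(ltype)})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert per source once >= threshold RDP failures land inside the window; note a later success."""
    recent_failures = defaultdict(list)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:   # only RemoteInteractive (RDP) logons matter here
            continue
        src = ev["src"]
        if ev["id"] == 4625:
            recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= window]
            recent_failures[src].append(ev["ts"])
            if len(recent_failures[src]) >= threshold and src not in alerts:
                alerts[src] = {"user": ev["user"], "failures": len(recent_failures[src]),
                               "success_after": False}
        elif ev["id"] == 4624 and src in alerts:
            alerts[src]["success_after"] = True   # guessing paid off: treat as compromised
    return alerts

if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse(SAMPLE_LOG)).items():
        print(src, info)
```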