June 2011

Threat and Spamscape Report

June 2011

What we saw in May

Virus and malware activity increased during the month of May, sporadically hitting peaks of more than 10 million pieces per day. Major news events, once again, became fodder for malware campaigns while large companies continued to be the target of hackers. Here are a few of the other highlights from the month of May:

• ZeuS is still around and going strong. Its source code has made its way into the hands of security researchers, but that hasn't slowed it down. In May, ZeuS came around posing as a fake Microsoft Security Update.
• The future London 2012 Olympics was the backdrop for some tried and true 419 scam campaigns.
• Breaches continued without falter this past month with even more attacks on Sony's infrastructure, Michael's of Chicago, Eidos Games, and Fox Broadcasting.
• A kit by the name of Weyland&-Yutani made its way to the underground marketplace. Weyland is an equal opportunity bot that has built&-in capabilities to infect both PC and Mac based platforms with more in the works.
• The death of Bin Laden and the Royal Wedding brought about its fair share of malware both on Facebook and in Inboxes.
• Emails from the Federal Bureau of Investigation claim that they have been monitoring Web browsing habits, and claim that the recipient visited " 40 illegal websites", for shame!

Total Email Traffic Volume

This chart represents both total and spam traffic throughout the month of May. Spam traffic remained level this month, totaling 2.95 billion messages.

Tests Failed

This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the month of May.

Regions of Origin

This graph represents both spam and malicious email traffic by region. Spam output from Asia increased in May. We also saw a slight increase in spam output from Australia and Oceania.

Top Ten Countries of Origin

This chart represents the top countries from which spam originated during May. For the second consecutive month, Russia held the top spot as the number one country for spam origination. Also, Brazil's output surpassed the US for the first time in many months.

Top Email-Delivered Threats

These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver Analysts. (This doesn't mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them).

• X.W32.Kryptik.CTR.pak
• X.W32.Kazy.pak
• X.UPX.App.pakuber
• X.Trojanmypic.zip.5.15JRa
• X.W32.PX.pakc
• X.W32.Oficla-A1020.pak
• W32\TrojanDownloader.Ufra
• X.W32.pic.427
• X.W32.Zbot.OVD.pak
• X.Trojan.Zlob.2.bredox
• X.W32.UPX.uberb
• X.W32.Sasfis.pak
• X.W32.yourphoto.zip.4.26j
• X.W32\docPak
• X.W32.facebookpass.zip.4
• X.W32.UPS.dmg.a
• X.Trojan.postal.ksuv22b
• W32\KillAV.EVX
• X.UPX.App.pakuberb
• X.html.fdphish7

30 Day Virus Activity

This chart represents email&-borne virus and malware activity during the month of May as seen by AppRiver filters. For the fifth straight month we saw email&-borne virus messages more than double in quantity. In May, we quarantined more than 102 million email&-borne virus messages, an increase of 239% over April 2011. In fact, May 1st 2011 was the largest volume of these messages that we have seen in a single day in nearly two years.

Image Spam

The chart below represents total Image spam seen by AppRiver filters during May. The obfuscation tactic of using image attachments in an attempt to deliver spam content decreased slightly this month.

You Are Under Surveillance

In the beginning of May, we noticed an interesting malware campaign that had begun early in the morning of May 3rd. The emails claimed to have come from the FBI and delivered a warning that, even though they didn't seem to know who they had sent the email to (as demonstrated by their "Dear Sir/Madam" salutation), the FBI was busy monitoring your Internet activities. The email explains that they had logged recipients' IP address at more than 40 illegal websites and requested readers to fill out the attached "questionnaire." It was entitled document.zip, and even though the file within the zip was an executable (.exe), it was wearing the costume of a .pdf icon. The file was not a questionnaire, but instead a malicious downloader from the Bredolab family. Its intent was to slip past human defenses and create a permanent backdoor on victims' PCs in order to further download malicious payloads such as keyloggers and spyware. Don't worry though, because AppRiver has your back. You may have seen this one in your Daily Held Spam Report as "X.W32.Kryptik.CTR.pak".

ZeuS Poses as Fake Microsoft Security Update

May 10th was patch Tuesday and in addition to the real thing, cybercriminals had their own "security" offering. Messages circulated, claiming to be a security update from Microsoft. Such messages began on May 6th and continued to hit our filters with regularity until one week later.

The messages were spoofed to appear from Microsoft and had the subject "URGENT: Critical Security Update". Messages professed to contain a "Security Update for Microsoft Windows OS". Ironically, the email states that the update will prevent malicious users from gaining access to your computer files, when in reality it would do just the opposite. The attachment was in fact another variant of the Zeus Trojan.

This social engineering ploy has been used in the past but will almost assuredly fool some portion of the message recipients. Remember, it is never a good idea to open attachments in a message from an unknown sender, but what about in this case when the sender appears to be a trusted source? Consider the fact that sending an unsolicited attachment in an email is not how companies go about disseminating updates. If you get a message like this and think that it may be real, go directly to the company's website to look for an update.

The Breaches Continue

May turned out to be just like April in the realm of high visibility breaches. There was Epsilon and Ashampoo last month, while Sony, Michael's of Chicago and some "strange network activity" on the servers of LastPass made news this month. Additionally, a new hacker group on the scene that goes by the name of LulzSec or the Lulz Boat hacked their way into database servers belonging to the Fox Broadcasting Network. The group has since made public what appears to be about 360 Fox employee email addresses and passwords, claiming they did it "For the lulz! Fox sucks and we like using them as punching bags for our entertainment."

Judging by the passwords and Fox's poor security practices, there is an extreme possibility that many users are using the same password across multiple sites which can create some very bad situations for those affected. Hopefully they have changed them by now, and hopefully they'll pick better ones in the future. Out of this list, the password "password" shows up many times. A few people mixed letters and numbers or added a number after a word in all lower&-case, but no one used a single complex password comprised of letters, numbers, symbols, punctuation, upper and lower case. Granted it wouldn't have done them much good in this situation as the database server was hacked, but there could've been a better personal effort made, but I digress.

The group has also released a list of insecure php pages belonging to Fox, a list of another 900 employee user names and log-ins which are still hashed, as well as 73,000 2011 X Factor contestant names and contact information on Pirate Bay. The Pirate Bay listing was made during the second week of May so we'll give them a break for Rebecca Black meme reference (please make it stop) as they posted: "We're LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calender[sic] year."

Big News Events Spark Malware Activity

Sure enough, immediately following the news of Osama Bin Laden's death, Bin Laden&-themed scams and malware were circulating through the Web. As is usual following a large news event, scammers rode the coattails of the news with fake news stories of their own hoping to lure in click happy, news hungry victims. The first place we begun to see these messages was on Facebook. It began as a Wall post from a friend claiming that they had a link to video footage of the ordeal. After clicking on the link, the recipient was instructed to jump through several hoops including filling out a fake survey and copy and pasting Javascript into their browsers. If this last one doesn't sound like a completely terrible thing to do, know from now on that it completely is.

The code would cause your Facebook account to "Like" the malicious page and begin secretly posting copies of the link to all of your friends perpetuating the infection. At the end of the survey it is requested that participants enter their cell phone numbers to receive their results. The fine print claims that this will result in a $10 charge on your cell phone bill. It's not clear whether or not this was just a one&-time charge, or something that would secretly keep recurring.

Along with this Facebook scam, we were also seeing Bin Laden themed emails that were aimed at email inboxes. The first run of these we saw were in Portuguese and translated to : "After the pronouncement of the death of Osama Bin Laden several pictures of the body were released on the internet. According to American newspapers are not all real." The email had an attachment that was supposed to contain the photos titled "FOTOS.Terroris.zip". This file was obviously not photos, but instead a banking Trojan designed to steal bank account credentials, and eventually victims' money.

In addition to the Osama Bin Laden news, the Royal Wedding was all over the place with the marriage of Prince William and Kate Middleton. This also led to malware both online and in our trap mailboxes.

Apple Gets Their Fair Share

May brought us a new malware kit that is now being offered online in the underground forums. It goes by the name of Weylan&-Yutani Bot which was taken from the fictional company from the movie Aliens. Weyalnd&-Yu has a very interesting feature built in, and that is the ability to automatically create scripts designed to infect both PC and Mac machines. Mac malware has been around for a while, though it has yet until now been available as a kit. Kits are written so that you can just add a couple of customizations, hit "Go" and it will create custom malware for even the minimally technical. The kit is selling for 1000 credits WebMoney which exchanges to about $1065 US, and the authors have guaranteed the addition of iPad and Linux scripts in the very near future. Imagine when a user can browse past an infected site and become a victim regardless of their operating system. To best avoid these situations, internet goers should keep all of their software up to date, especially their OS as well as their browsers as these are often the first targets. Don't discount the rest of your software, this needs to be handled appropriately too. Including the removal of unnecessary software , and the use of multiple layers of security including antivirus and a firewall. Safe browsing habits don't hurt either.