Threat and Spamscape Report
August 2011
What We Saw in July
July has not gone by without its fair share of cyber events. One of the big stories this month has certainly been the Rupert Murdoch phone hacking scandal that continues to trouble Murdoch's empire. Thanks to their victims' poor voicemail password practices and a complete lack of ethics and morals, reporters from the associated newspapers have caused a really big wave in the media with their less-than-savory techniques for acquiring leads. Meanwhile, virus traffic continues to hold at a moderate level and Facebook scams continue to bounce from wall to wall. Here are a few other highlights from the month of July:
- The career-oriented social networking site LinkedIn was used as bait by scammers during the month of July. This time accounts were "closed" due to either inactivity or, in other variants, the opposite; apparently the scammers could not decide which.
- Two back to back campaigns pretend to be messages from the National Security Association, as well as the Board of Governors of the Federal Reserve System. Both of these were urging recipients to install fake system security updates. Instead of stronger security, victims of this scam would be infected with a variant of the ZeuS Trojan.
- A domestic bomber in Norway caused havoc and murdered 76 people; those hungry for the news may have fallen prey to a fake Facebook link claiming to offer video footage.
- Among many other Facebook scams seen this month, another appeared immediately following the news of the death of Amy Winehouse, this one purporting to have video of the singer right before her death.
- A new tool surfaced in the wild called the AutoWhaler, which is supposed to steal phishing information stored on other cybercriminals' fake phishing pages. The tool has a twist, though: many iterations carry additional code under the surface that attempts to steal the logon information of the thief using the tool, without their knowledge.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of July. Spam traffic was on a downward trend throughout the month. In all we quarantined just over 2.2 billion spam messages.
Tests Failed
This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the month of July.
Regions of Origin
This graph represents both spam and malicious email traffic by region. As we see below the decrease in spam during July was due in large part to a reduction of spam originating from the US.
Top Ten Countries of Origin
This chart represents the top countries from which spam originated during July.
Top Email-Delivered Viral Threats
These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver Analysts. (This does not mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them.)
- X.W32.Sasfis.pak
- X.UPX.App.pakuber
- X.W32\docPak
- W32\Zbot.S!generic
- W32\Mydoom.O
- W32\Mydoom.R_worm
- X.W32.Netsky.Q
- X.W32.Buzus.pak
- W32\Extats.E_trojan
- W32\Merond.O_worm
- X.UPX.App.pakuberb
- W32\Mydoom.N
- W32\Netsky.C
- X.win32.worm.20080529
- W32\Mydoom.Q_worm
- W32\Netsky.C_worm
- X.Html.JS.916a
- HTML\Phishing.Gen_trojan
- W32\Fruspam.GD
- X.Kloud.5
30 Day Virus Activity
This chart represents email-borne virus and malware activity during the month of July as seen by AppRiver filters.
Image Spam
The chart below represents total Image spam seen by AppRiver filters during July. Spam content delivered via image attachment remained level throughout July.
Malware Posing as an Update From RSA
Beginning on July 21st, we started to see a campaign making use of the RSA breach (in which more than 40 million SecurID tokens were compromised in March 2011). Although using a fake "security" update as a guise to pass along malware is nothing new, this social engineering tactic was somewhat clever.
If you have not read about it previously, RSA Security was breached back in March of this year. The hackers made off with the credentials to roughly 40 million SecurID token user accounts, thus rendering them insecure and in need of replacement. The messages we were sent that morning posed as a message from RSA and announced a newfound "unsafe vulnerability" in token devices. Recipients were provided with a link to what was claimed to be a security scanner that would detect said vulnerability. Of course, the link took recipients to a file instead, this one named blocked_list(dot)EXE, which was a piece of malware.
It appears that the creators of this attack considered the breach of RSA an opportunity to capitalize on perceived and real vulnerabilities that resulted from the hack. Attackers are forever looking for the perfect angle of attack, one that will make people think (if only for a second) that a message is legit. In this instance, many victims knew about the breach and somehow still gave this message an air of legitimacy and clicked right through it.
The payload of the malicious file was later identified as a variant of the ever-persistent ZBot family of trojans. Once executed, the malware copies itself into the %system% directory and deletes the originally executed file "blocked_list(dot)EXE", and then injects itself into the processes winlogon.exe and explorer.exe in an attempt to remain hidden. After taking precautions so that it cannot easily be removed, it begins making DNS queries for pseudo-random domain names under the TLDs .info, .biz, .org, and .net. The domain names are 15 to 16 characters in length, and each one seems to be tried four times before the algorithm chooses a new one and moves on. This continues until the infected machine makes a successful match with its controller, which uses the same algorithm. The botnet controller picks a couple of these domains to register, changing them from day to day. These are then used as temporary control servers from which to issue commands and push down further malware, such as keyloggers, to the infected PCs.
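The lookup pattern described above (15- to 16-character random-looking names under .info, .biz, .org and .net, each tried about four times) is something a defender can hunt for in DNS query logs. The following is an added example written for this report, not AppRiver's code and not a reimplementation of the ZBot algorithm, which the report does not describe. It scores names against the observable traits only; the entropy threshold, the "three or more distinct names per host" cutoff and the log line format are assumptions, and the sample queries are constructed for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Traits the report attributes to the infected host's DNS lookups.
# The generation algorithm itself is not on the page, so this is a
# behavioural heuristic, not a reimplementation of the DGA.
DGA_TLDS = {"info", "biz", "org", "net"}
LABEL_LEN = (15, 16)
ENTROPY_MIN = 3.5   # assumption: random labels score near log2(len(label)), dictionary words lower
REPEATS_MIN = 4     # report: each name is tried about four times before moving on
DISTINCT_MIN = 3    # assumption: three or more such names from one host is worth an alert

# Assumed log format: "<client ip> <queried name>" per line (constructed, not a real resolver format).
LINE_RE = re.compile(r"^(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>[A-Za-z0-9.-]+?)\.?$")

# Constructed sample: host 10.0.0.5 shows the burst pattern, 10.0.0.7 does not.
GENERATED = ["qxkzrwbnlptvyhgj.info", "mvbdkjtrpwqyzsxl.biz",
             "hrtnwpkzbfyvldx.org", "ajlqtwbzgkvyprsn.net"]
SAMPLE_LINES = (
    ["10.0.0.5 www.example.com"]
    + [f"10.0.0.5 {d}" for d in GENERATED for _ in range(4)]
    + ["10.0.0.7 mail.example.org",
       "10.0.0.7 updates.example.net",
       "10.0.0.7 qxkzrwbnlptvyhgj.info"]   # a single stray hit is not enough on its own
)


def shannon_entropy(s):
    """Bits of entropy per character of s; all-distinct characters give log2(len(s))."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname):
    """True if the queried name has the shape the report describes for the ZBot lookups."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) != 2:          # the generated names are bare second-level domains
        return False
    label, tld = parts
    return (tld in DGA_TLDS
            and LABEL_LEN[0] <= len(label) <= LABEL_LEN[1]
            and label.isalnum()
            and shannon_entropy(label) >= ENTROPY_MIN)


def find_dga_clients(lines):
    """Return {client_ip: {qname: count}} for hosts that repeatedly query several DGA-like names."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and looks_generated(m["qname"]):
            per_client[m["client"]][m["qname"].lower()] += 1
    flagged = {}
    for client, names in per_client.items():
        repeated = {n: c for n, c in names.items() if c >= REPEATS_MIN}
        if len(repeated) >= DISTINCT_MIN:
            flagged[client] = repeated
    return flagged


if __name__ == "__main__":
    for client, names in find_dga_clients(SAMPLE_LINES).items():
        print(f"{client}: {len(names)} DGA-like names, e.g. {sorted(names)[0]}")
```

Tune REPEATS_MIN and DISTINCT_MIN to the resolver's own traffic before alerting on it; a legitimate host that resolves one odd name once should not trip the rule, which is why the check keys on repeated lookups of several distinct names rather than on any single query.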
Fake LinkedIn Updates Lead to Malware
Midway through the month of July we began seeing a campaign that used LinkedIn as a cover for attempted malware infections. The attacks began as emails warning recipients that their accounts had been deactivated due to too many failed login attempts, and, surprise surprise, they even provided a link for victims to follow in order to restore these supposed accounts. The link labeled "Follow this link" took users to a variety of sra.li shortened sites that all redirected to the domain kdbhhhgsdjsb[dot]cx[dot]cc. Once a victim's browser reached this page, it wasted no time in attempting to push down a malicious package recognized as a Kryptik downloader variant via obfuscated JavaScript.
Once the victim's machine is infected, the backdoor opened by the initial malicious payload is free to accept other malware that is pushed down from the mothership without any knowledge or interaction from the victim. AppRiver is currently blocking all variants of this attack.
Stealing from Thieves
There is a big buzz circulating right now about a new kit available on underground forums called the 666Auto-Whaler. This kit is designed specifically to steal account logon credentials not from victims directly, but from phishing sites that other criminals have set up; so much for honor among thieves. The tool is designed to be as simple as most phishing kits are: just enter the competitor's phishing site URL and click "Scan", and the Auto-Whaler is supposed to spider through the given URL searching for text files that contain previously stolen account credentials.
But the fun doesn't stop there! Even though there are clean versions of this tool in the wild, there are many more that have a little extra functionality under the hood. In these versions, as the "whaler" is attempting to steal from the other cyber criminals, the 666Auto-Whaler tool is scouring that user's computer stealing their logon credentials. It would appear that the main goal of this tool is to steal credentials for the online game Runescape, though it could certainly happen upon banking credentials or other personal information as well. If you can't trust a thief, who can you trust?!
LulzSec Sails Again
After a two-week hiatus, the group now famous for causing internet mayhem in the name of "AntiSec" has made its return. The group has made a name for itself by exposing flaws in other people's internet security. Before their time off, LulzSec had breached the servers of Sony and Infragard, among many others. They had also made a point of making sure that people knew they were not associated with the hacktivist group Anonymous. Since their return, however, they seem to have joined forces with the Anon group. Their targets have also moved from the "just for the lulz" realm into the hacktivist, we-have-a-political-message realm.
Even in the wake of the arrest of many of their supposed members, including their apparent leader and spokesman who calls himself "Topiary", the two groups are continuing their assault on the internet. Their most recent attack has been against eBay's payment service PayPal. The groups have launched DDoS attacks against PayPal and are urging people to boycott the service. They are "outraged" that PayPal has played nice with the FBI. Here is a snippet from their release:
In recent weeks, we've found ourselves outraged at the FBI's willingness to arrest and threaten those who are involved in ethical, modern cyber operations. Law enforcement continues to push its ridiculous rules upon us - Anonymous "suspects" may face a fine of up to 500,000 USD with the addition of 15 years' jail time, all for taking part in a historical activist movement. Many of the already-apprehended Anons are being charged with taking part in DDoS attacks against corrupt and greedy organizations, such as PayPal.
Even though the groups Anonymous and LulzSec are greatly disliked by many big organizations, it would seem that they're up for an award at this year's BlackHat Conference in Las Vegas. The "Pwnie Award" is given to those who have made the biggest impact on the hacking community over the past year, and these guys have certainly made an impact even in their short run so far. It'll be fun if they win and show up to accept their award!
Facebook Survey Scams Seem to Increase
More and more now we're all becoming familiar with Facebook scams and malware. These are the ones where someone sees a post from a friend that touts a strange, sexy, or news-oriented video, with a comment that leaves just enough to the imagination to entice people into clicking on the link. The current most popular line of attack is the survey scam. These tempt viewers with one of the aforementioned videos and instead lead them through a survey that they must take in order to get to what they want. At the end of a usually short line of questioning, the reader is tricked into receiving the answer by text. By agreeing to this, they are hooked into a $2 per text fee, which the "service" then begins sending on a regular basis.
A lot of the time the subject of these videos is just something odd or vague, such as a recent one that claimed to be a video of a girl with a spider living under her skin. Others go the route of "You've got to see this!" or "I can't believe what you were doing in this video". More and more lately it seems that these scams are using another old tried-and-true tactic, utilizing current events in order to spread faster. We saw one not too long ago claiming to be video of Osama Bin Laden's death, and this past month we saw scammers preying on people who were attempting to learn more about the bombings in Oslo. This one started appearing just hours after the event had happened in Norway. Equally punctual were the ones we saw immediately following the announcement of the death of Amy Winehouse, claiming to be video of her smoking crack just before her reported death. These show no sign of stopping, and can sometimes catch a person off guard. Stay aware, and question links that seem a little off to avoid these scams.