Threat and Spamscape Report
April 2011
What we saw in March
March was filled with a few of the more predictable threat campaigns, as well as one big win for the whitehats in the fight against cyber crime. Cyber criminals continued to prey on those concerned about and affected by world events, such as the earthquakes in New Zealand and Japan, the tsunami, and the resulting nuclear crisis at Fukushima. Conversely, we witnessed one of the world's biggest spamming botnets being taken offline by Microsoft, FireEye, and the Dutch High Tech Crime Unit in conjunction with U.S. federal law enforcement agents. Even though this was a key score for the good guys, the good-versus-bad tally for this past month still seems a bit skewed towards the latter. Here are some other highlights from the month of March:
- Even though it is extremely commonplace to see phishing attacks targeting major banks and their customers, that does not mean those who use smaller local banks and credit unions are free from risk. Criminals also attack local credit unions, where the element of surprise works in their favor.
- One of the world's largest botnets was taken down, and along with it went around 30% of the world's spam. A great achievement made possible through cooperation between security professionals and law enforcement.
- New Zealand was hit hard by a devastating earthquake, which also caused flooding in and around the city of Christchurch. That, in turn, led to a rash of fake charity sites set up by reprobates to steal money from those who wished to help.
- Japan was also hit hard this month by several large earthquakes that spawned a devastating tsunami and took many lives. Japan is now dealing with damage to its Fukushima Daiichi nuclear power plant, where overheated spent fuel rods are leaking radiation. Cyber criminals have decided that this is a perfect opportunity to take advantage of those who want to help.
- The fake postal delivery Trojans continued at full force this month with an essentially endless flow of emails pretending to come from FedEx or the US Postal Service, carrying malicious downloaders that installed everything from keyloggers to scareware.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of March. During March we blocked just under 4 billion spam messages. Despite the fact that one of the biggest spamming botnets (Rustock) was shut down this month, we still captured more spam messages than we have seen in any single month since November of 2010.
Tests Failed
This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages fail multiple tests; hence the total from these charts will exceed the number of individual spam messages seen during March.
Regions of Origin
This graph represents both spam and malicious email traffic by region. During March we saw an increase in spam originating in Asia as well as Australia and Oceania.
Top Ten Countries of Origin
This chart represents the top countries from which spam originated during March. As usual, the United States was the number one source of spam, but this month, for the first time, India edged out Russia as the second highest spamming country over a month-long period.
Top Email-Delivered Viral Threats
These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. Virus names that begin with "X." signify rules written by AppRiver analysts. (This doesn't mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them did.)
- X.W32.Kryptik.CTR.pak
- X.W32.PX.pakc
- X.UPX.App.pakuber
- X.W32.UPX.uberb
- X.W32.BredoK
- X.W32\TrojanUPX.App.pakc
- X.W32\docPak
- X.W32.DHL.zipJR3.10JRa
- X.UPX.App.pakuberb
- X.W32.BredoZp-B
- X.W32\facePakb
- W32\TrojanDownloader.Prod
- X.W32.PX.pakb
- X.W32.Buzus.pak
- W32\Mydoom.O
- X.W32.Netsky.Q
- W32\Mydoom.R_worm
- W32\Merond.O_worm
- W32\Bredolab.AQZ
- X.html.fdphish7
30 Day Virus Activity
This chart represents email-borne virus and malware activity during the month of March as seen by AppRiver filters. We saw a strong resurgence in messages containing a virus and quarantined over 16 million email-borne virus messages. This is more than twice the amount we saw in February and the highest total since September of 2010.
Image Spam
The chart below represents total image spam seen by AppRiver filters during March. These spam messages use an image attachment in an attempt to obfuscate their content. Image spam levels remained constant throughout the month.
Rustock Silenced
The Rustock botnet had been making headlines for the past several years, famous for being the largest spam-producing botnet out there (AppRiver would typically see an average of 50 million pieces of spam from the Rustock bots on a daily basis). But back in December of 2010, Rustock drew the attention of security professionals by going on hiatus. There seemed to be no rhyme or reason for its departure, and the Christmas-themed spam Rustock had been sending came to a halt. It was theorized that perhaps the group operating the botnet was performing some sort of maintenance or relocating their command and control servers, though it isn't common for a botnet to completely shut down while these tasks are performed, as it is essentially unnecessary. Perhaps the Rustock crew had begun to feel some heat from the investigations that we now know were taking place at the time, and suddenly pulled the plug. If so, they must have felt the coast was clear, because just a few weeks later Rustock powered back up as if nothing had ever happened.
Operations continued from January through March 16th, when Microsoft, armed with its own research and critical research from FireEye and the Dutch High Tech Crime Unit, led the charge on seven different U.S.-based hosting providers that housed Rustock's command and control servers, with help from the U.S. Marshals. These C&C machines were located in Kansas City, Denver, Seattle, Chicago, Dallas, Scranton, and Columbus, Ohio. Microsoft carried with them a court order granting the right to seize any and all machines linked to Rustock. Almost immediately the effects of the operation were noticed as the millions of bots infected with Rustock stopped receiving orders and fell silent. Spam volumes, as indicated by our filters, dropped nearly 35%.
This operation seems to have been very effective, as we haven't heard a peep from Rustock since, and there may be more success in the near future as Microsoft pores over the data it has newly collected and aims to identify the people behind the botnet. Currently no one has been publicly named in connection with Rustock.
Cybercriminals Target Regional Credit Unions
We all know that customers of large banks are a nonstop target for cybercriminals, but what about regional banks, or even regional credit unions? Of course we see phishing attempts day in and day out, and they certainly have a very wide range of targets, but the most prevalent are those targeting large banks or credit card companies. It's not very often we see them operate on a micro scale, and the reason is simple: the broader the net, the more likely they are to get a catch. When a smaller target is chosen they have far fewer potential victims; however, they may have surprise on their side, catching the customers of these smaller banks and credit unions off guard.
Early in the second week of March we began seeing something that was certainly a bit outside the norm. This campaign was aimed at the members of Grow Financial Credit Union (a Tampa Bay area credit union). The phishing attempt began with an email posing as a security warning from the credit union, alerting customers that their account may have been compromised. The message contained an attachment that posed as a PDF document. The attached file, named GrowFinancialFCU_Account_Restore_Form.pdf.zip, contained an HTML page designed to capture the victim's credit union account information. Since most people are wary of clicking links in emails, perhaps the cybercriminals felt that delivering the entire web page to victims would increase the perceived legitimacy of the message. Once the form is filled in and submitted, the page ships the victim's critical financial data (as seen below) to the attackers before redirecting them to the actual Grow Financial website.
This was a very well-crafted phishing campaign that goes to show that individuals using smaller banking institutions are no safer from these attacks than anyone else. Remember, if you ever have any concerns about your bank account, go directly to the bank's website and do not follow any links or (in this case) pages provided in an unsolicited email.
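An attachment like the one described above can be triaged mechanically before it reaches a member's inbox. The Python below is an added example, not code from AppRiver or from this report: it unpacks a zipped attachment, flags the ".pdf.zip" double extension, finds any HTML form inside, checks whether that form posts to the institution's own domain, and lists the sensitive fields it collects. The inner file name, the collector host (example.invalid) and the expected domain growfinancial.org are assumptions made for the constructed sample, not values recovered from the actual campaign.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names a genuine "account restore" form has no business collecting in bulk.
SENSITIVE_FIELDS = ("password", "pin", "ssn", "account", "card", "cvv", "routing")


class FormExtractor(HTMLParser):
    """Collects each <form> action and the names of the <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((attrs.get("name") or "").lower())


def triage_zip_attachment(filename, zip_bytes, expected_domain):
    """Return a list of findings for a zipped attachment; an empty list means nothing suspicious."""
    findings = []
    # "Form.pdf.zip": the reader sees a PDF, the mail client sees an archive.
    if re.search(r"\.(pdf|doc|xls)\.zip$", filename, re.I):
        findings.append("double extension (document name on an archive)")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")):
                continue
            findings.append("html page inside archive: " + info.filename)
            parser = FormExtractor()
            parser.feed(zf.read(info).decode("utf-8", errors="replace"))
            for form in parser.forms:
                host = (urlparse(form["action"]).hostname or "").lower()
                # The credit union's own form would post to the credit union's own domain.
                if not (host == expected_domain or host.endswith("." + expected_domain)):
                    findings.append("form posts to foreign host: " + (host or "(relative)"))
                asked = sorted({f for f in form["inputs"] if any(k in f for k in SENSITIVE_FIELDS)})
                if asked:
                    findings.append("form collects sensitive fields: " + ", ".join(asked))
    return findings


def build_phish_sample():
    """Constructed stand-in for the attachment described above. The inner file
    name and the collector URL are placeholders, not the real campaign's values."""
    html = b"""<html><body><h1>Account Restore Form</h1>
    <form method="post" action="http://example.invalid/collect.php">
      <input name="account_number"><input name="pin" type="password">
      <input name="card_cvv"><input type="submit" value="Restore">
    </form></body></html>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("GrowFinancialFCU_Account_Restore_Form.html", html)
    return "GrowFinancialFCU_Account_Restore_Form.pdf.zip", buf.getvalue()


def build_benign_sample():
    """A plain zipped PDF, constructed, to show the checks stay quiet on it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4\n%%EOF\n")
    return "statement.zip", buf.getvalue()


if __name__ == "__main__":
    name, data = build_phish_sample()
    # The expected domain is assumed here for illustration.
    for line in triage_zip_attachment(name, data, "growfinancial.org"):
        print("-", line)
```

The foreign-host check is the one that matters most: a local HTML file has no reason to post anywhere but the institution's own domain, and any form that collects a PIN or card data while posting elsewhere should be quarantined outright rather than scored.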
Tragedies Spark Scams
As usual, tragic events that draw worldwide attention always seem to bring with them scams from soulless criminals looking to cash in on the devastation of others. The earthquake, tsunami, and now the Fukushima events in Japan are proving to be no different. Emails circulating mid-month claimed to come from the British Red Cross and attempted to collect money from people whose intention was to help the victims in Japan. This was exactly like the events that followed the earthquake in New Zealand barely two weeks beforehand. A number of fake charity sites popped up, most notably sites that mimicked the Red Cross in an attempt to lend legitimacy to the scam. These fake Red Cross sites posed as the New Zealand Red Cross in the case of the Christchurch tragedy, and as the UK Red Cross or Japanese Red Crescent in the wake of the disasters in Japan. Unfortunately, anyone who donates to these becomes a victim themselves.
The emails gave brief news tidbits about the catastrophes and claimed that "The Japanese Red Cross has agreed to accept donations from the UK". They also offered a way to "donate" via a Moneybookers account; Moneybookers is a cash intermediary site that brokers payments over the internet, similar to PayPal. People can send money to a person's account, and that person can retrieve it nearly anonymously, without much of a trace. These emails gave a Yahoo email address to which to send donations. That should have been a big red flag to anyone paying attention: any legitimate charity would use an email address at its own domain, and would more likely steer you to its own site, over a secure connection, to make any donation. That is, if it were to spam out requests for donations in the first place. Keep a level head and research any and all charities before handing over your money.
Other scams that quickly followed claimed to have actual video footage of the tsunami in Japan and were delivered in several email formats. These included sloppy plain-text emails containing supposed links to the videos, emails designed to look like Twitter notifications, and emails pretending to be notifications from CNN. Unlike the fake charity pages, where victims unknowingly hand their money directly to the scammers, these video-themed attacks place malware on the victim's PC, giving the attackers direct access to whatever they want, from account information and credentials to enlisting the victim's machine in a remotely controlled bot network. We have seen the "breaking news" CNN-formatted email in the past and have seen this technique be quite effective on a large scale, most notably from August of 2008 through late 2009, when it was a very popular theme often associated with the Storm Worm and was used to trick recipients into believing they were receiving legitimate news notifications. The subjects ranged from the ridiculous ("Olympic Athletes Bare All"), to the political ("McCain Lawyers Impeach Obama"), to the then-current in pop culture ("Listen Online Now", which led to what was supposedly a sneak peek at a newly released Michael Jackson song shortly after his death). Here are a few postings that were made around the time these were in full swing.
Unspecial Delivery
The most popular Trojan horse disguise to date has got to be the snail-mail delivery notification. This theme, made popular by the Storm Worm several years ago, has continued steadily without breaking stride. The Storm Worm is now defunct, but its creativity lives on by lending its delivery notification theme to those who are obviously much less creative. These emails pretend to come from many sources, UPS, USPS, DHL and FedEx, as well as fictional delivery services such as the "Post Express Office", all with the same goal. They have experimented with a few different techniques, claiming that a package the user was to receive was missing, available, or on its way. Sometimes they even claim that the recipient sent a package and there was an issue with it. Regardless of the specifics, these emails are meant to pique the recipient's curiosity and get them to execute the attachment. This technique has also proven successful against people who would normally be fairly vigilant, except that they happened to be expecting a package on the day they received one of these. Multiply this by businesses that deal with third-party shipping on a daily basis, and you can probably see why this theme has stuck around.
The attachments almost always contain one of a few popular Trojan downloaders, known variously as Pushdo, Kryptik, Delphi, Bredo, Sasfis, or Oficla (several of these names refer to the same family under different vendors' naming). These downloaders then fetch fake anti-virus scareware or banking Trojans such as Zeus or, most recently, SpyEye.
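A mail gateway can catch most of these lures with a few mechanical checks on the header and the attachment. The Python below is an added example, not AppRiver's filter logic: it flags a notice that names a carrier in the subject or display name while being sent from a domain that carrier does not own, and inspects attachments, including inside a zip, for executable extensions, document-name-plus-executable double extensions, and the "MZ" header that marks a Windows executable whatever it is called. The sample messages, sender addresses, file names and payload bytes are constructed for the example; the carrier domain table is an assumption that a real deployment would maintain and extend.

```python
import io
import re
import zipfile

# Carriers the lures impersonate, mapped to the domains their real notices come from
# (assumed table; a production filter would maintain its own).
CARRIER_DOMAINS = {"ups": "ups.com", "usps": "usps.com", "dhl": "dhl.com", "fedex": "fedex.com"}
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
DOC_EXT = ("pdf", "doc", "xls", "txt", "jpg")
# "Invoice.pdf.exe": Windows hides the last extension by default, so the user sees a PDF.
DOUBLE_EXT = re.compile(r"\.(%s)\.(%s)$" % ("|".join(DOC_EXT), "|".join(e[1:] for e in EXEC_EXT)))


def is_pe(data):
    """Windows executables start with the DOS 'MZ' stub regardless of their file name."""
    return data[:2] == b"MZ"


def inspect_file(name, data):
    reasons = []
    lower = name.lower()
    if lower.endswith(EXEC_EXT):
        reasons.append("executable attachment: " + name)
    if DOUBLE_EXT.search(lower):
        reasons.append("document name with executable extension: " + name)
    if is_pe(data) and not lower.endswith(EXEC_EXT):
        reasons.append("PE header behind a non-executable name: " + name)
    return reasons


def inspect_attachment(name, data):
    """Check the attachment itself, then every member if it is a zip archive."""
    reasons = inspect_file(name, data)
    if name.lower().endswith(".zip") and data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                reasons += ["in %s: %s" % (name, r) for r in inspect_file(info.filename, zf.read(info))]
    return reasons


def triage_delivery_notice(from_addr, subject, attachments):
    """attachments is a list of (filename, bytes). Returns the reasons to quarantine."""
    reasons = []
    text = (subject + " " + from_addr).lower()
    sender_domain = from_addr.rsplit("@", 1)[-1].lower().rstrip(">").strip()
    for carrier, domain in CARRIER_DOMAINS.items():
        # A message that invokes a carrier's name should come from that carrier's domain.
        if re.search(r"\b%s\b" % carrier, text) and not (
            sender_domain == domain or sender_domain.endswith("." + domain)
        ):
            reasons.append("claims %s but sent from %s" % (carrier.upper(), sender_domain))
    for name, data in attachments:
        reasons += inspect_attachment(name, data)
    return reasons


def build_lure_sample():
    """Constructed lure: a UPS-themed notice from an unrelated domain carrying a
    zipped 'invoice' that is really a Windows executable (placeholder bytes only)."""
    payload = b"MZ" + b"\x90" * 62   # DOS stub only; not a real program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_Invoice.pdf.exe", payload)
    return ("UPS Customer Services <service@example.invalid>",
            "UPS Delivery Notification",
            [("UPS_Invoice.zip", buf.getvalue())])


def build_benign_sample():
    """Constructed notice with a matching carrier domain and a plain PDF label."""
    return ("tracking@fedex.com", "FedEx shipment update", [("label.pdf", b"%PDF-1.4\n%%EOF\n")])


if __name__ == "__main__":
    for reason in triage_delivery_notice(*build_lure_sample()):
        print("-", reason)
```

The sender-domain check is deliberately naive (it trusts the From header); pair it with SPF or DKIM results in a real filter, since the attachment checks are what carry the decision when the header has been forged to pass.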