Thursday, December 3, 2009

***We Have Moved***

Yes, it's true, we have relocated the blog. From now on, all of our new posts can be found here: blogs.appriver.com. We're having some issues importing all of these older posts, so feel free to check back here to enjoy or tear apart our previous posts. Thanks, see you at the new site!

Tuesday, December 1, 2009

Bots Using H1N1 Fear to Distribute Malware

At about 8:15 (CST) this morning we began seeing a strikingly large malware campaign attempting to make its way to our users' inboxes. The social engineering tactic du jour is a ploy pretending to be an alert from the Center for Disease Control (CDC). The fake alert tries to convince the recipient that they are part of a “State Wide H1N1 Vaccination Program” and that they are required to create a vaccination profile on the CDC website. The link provided in the email takes you to a very convincing imitation of a CDC web page where you are given a temporary ID and a link to your “vaccination profile”. The link is in fact to an executable file that contains a copy of a Trojan most commonly identified as Zbot. Once installed on your PC, this Trojan creates a security-free gateway on your system and proceeds to download and install additional malware without your authorization. It also enables a remote hacker to take complete control of your computer. This malware can log your typed keystrokes and send confidential personal and financial data (including banking information, credit card numbers, and website passwords) to a remote hacker.
As of 9:15 (CST) we are seeing these messages at the extremely high rate of nearly 18,000 messages per minute, netting over 1 million of these messages in the first hour alone. It is now officially flu season and, considering the recent concerns over the H1N1 vaccine, I expect this to be a highly effective campaign against those who are not protected from this cyber-threat. Below is an example of the message along with a screenshot of the fake CDC webpage.


Wednesday, November 25, 2009

Things Not to be Thankful For

The holidays are a favorite time for malware authors to strike. They figure everyone's on vacation and they'll have an easier time getting into inboxes. Well, they were wrong about AppRiver. Here's the latest Thanksgiving offering from the ZBot or Zeus trojan.
As you can see, it's using the same ploy it tried a week or so ago, pretending to be from the IRS with a claim that you have under-paid your taxes. The email arrives with a link that brings you to this website.
As you can see, Zeus did a good job of dressing up the site to make it appear to be legit. They've customized both the email and the link on the landing page to include the domain to which the email was sent, through the use of tokens. If you look at the address bar, however, the site you're on may appear to be the IRS, but the actual domain you've encountered is a little further in, and it is not the IRS.
Remain vigilant over the holidays, and don't go willy-nilly clicking on links in your emails when you get back to work on Monday.

Tuesday, November 24, 2009

Zbot's Newest Strain

Just over an hour ago we began seeing the latest incarnation of the Zbot virus being spammed out to millions of email users. Today’s adaptation employs a common but effective social engineering tactic. The email alleges to be from a friend of yours warning you that someone has posted compromising pictures of you on the web and distributed said pictures to “all of your friends.” One obvious flaw is that the random name they sign the email with should be unknown to you (unless they get really lucky). The link provided in the message takes you to a website where you can view these photos of yourself. The website contains a download for “PhotoArchive.exe”, which is in fact a copy of the Zbot banking Trojan. In the first hour we have seen over 250,000 of these messages. Here is a list of domains that are hosting the malicious payload.


Here is the message and landing page:

Targeted Spam Marketing

Here is another classic example of the result of some very specific directory harvest attacks. A directory harvest attack is performed with the sole purpose of collecting email addresses, either to use or to collect and sell on the black market. Normally the sale of these addresses is done on fly-by-night forums to "trusted" individuals, but sometimes you'll run across an example such as this one. Apparently they got sick of trying to sell these one by one and decided a mass marketing approach would be better for business. This campaign specializes in physician email addresses for the very reasonable price of $195.

Friday, November 20, 2009

More ZBot

The banking trojan known as ZBot has been relentless these past couple of months. Just a few moments ago we began seeing its latest offering, and this time it was delivered addressed to us (as well as others), well, sort of. Aside from the fact that these emails were addressed to invalid users at AppRiver's domain, they were heavily customized to appear as if they were coming from within the security center of AppRiver[dot]com. As you can see, the sender is alerts@[recipient domain], and the link in the email is appended with the recipient domain as well, in an attempt to obfuscate the actual landing pages, which currently number less than 10 but are coming in at around 800 pieces per minute, per domain. If the victim falls for the lure and clicks on the link, they are taken to a page that informs them that they need to update their Adobe Flash player and provides a second link. This link downloads another copy of the ZBot trojan, this time disguised as flashinstaller.exe. This campaign is currently active, so be careful as they add more domains; currently we have all of these blocked.
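Both this post and the Thanksgiving IRS post above describe the same two tricks: a trusted name placed early in the link while the real registrable domain sits further in, and the recipient's own domain tokenised into the link. The check below flags both. It is an added example, not AppRiver's code; the TRUSTED list, the sample links and the "example-lander.net" host are constructed placeholders.

```python
# Added example (not AppRiver's own code). Flags links where a trusted name
# appears in the URL text but the registrable domain is something else, and
# links that carry the recipient's own domain in the path or query.
# All links below are constructed samples; "example-lander.net" is a placeholder.
from typing import Dict, List, Optional
from urllib.parse import urlparse

TRUSTED = ["irs.gov", "cdc.gov", "appriver.com"]  # names the lures imitate

SAMPLE_LINKS = [
    "http://www.irs.gov.tax-underpayment.example-lander.net/appriver.com/notice",
    "http://cdc.gov.vaccination-profile.example-lander.net/profile?id=TEMP-1234",
    "http://alerts.example-lander.net/update?domain=appriver.com",
    "https://www.irs.gov/individuals/",  # genuine: registrable domain matches
]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Simplification: a production check
    should use the Public Suffix List so suffixes such as 'co.uk' are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def imitated_name(url: str, trusted: List[str]) -> Optional[str]:
    """First trusted name that appears anywhere in the link text, if any."""
    text = url.lower()
    return next((name for name in trusted if name in text), None)


def classify_link(url: str, recipient_domain: str,
                  trusted: List[str] = TRUSTED) -> Dict[str, object]:
    parsed = urlparse(url)
    host = parsed.hostname or ""
    actual = registrable_domain(host)
    imitated = imitated_name(url, trusted)
    tail = (parsed.path + "?" + parsed.query).lower()
    return {
        "host": host,
        "actual_domain": actual,
        "imitated": imitated,
        # a trusted name is present, but the link really lands somewhere else
        "lookalike": imitated is not None and actual != imitated,
        # recipient's domain tokenised into the link, as the posts describe
        "recipient_token": recipient_domain.lower() in tail,
    }


def scan_links(recipient_domain: str = "appriver.com") -> List[Dict[str, object]]:
    return [classify_link(u, recipient_domain) for u in SAMPLE_LINKS]


if __name__ == "__main__":
    for r in scan_links():
        print("SUSPECT" if r["lookalike"] else "ok     ", r["host"], "->", r["actual_domain"])
```

Only the last sample passes, because its registrable domain is the name it shows; the other three display a trusted name but resolve to the placeholder lander.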

Friday, November 13, 2009

Fake Microsoft Updates Invoke Conficker

Exactly one year after the Conficker worm began spreading like wildfire, malware distributors are still trying to capitalize on public knowledge of this infection. Back in November of 2008, countless organizations took notice as news of the Conficker worm soared in popularity (including public school networks and US military systems as they, too, found Conficker on machines).
Today we are seeing a slew of fake “Microsoft update” emails that are pretending to be a warning that your “ISP has detected that your network has been infected” with the Conficker worm. The attached file (3YMH6JJY.zip) is supposed to be a courtesy of Microsoft that will clean the malware from your machine. In reality the file contains a Trojan that serves to do just the opposite. Here is a look at the message: