Over the past several days we have been seeing several malicious email campaigns posing as legitimate communication from Amazon. The first campaign poses as messages from amazon.co.uk with the subject line reading: Your Amazon Order Has Dispatched (#3digits-7digits-7digits). These messages purport to be order shipment notifications. They began hitting our filters on 10/31/14 and have been coming in consistently ever since. Thus far we have quarantined just over 600,000 of these messages. Each message contains a Word document (MD5: a75e196e6c0cabc145f4cdc3177e66ec) that contains a malicious macro. In most instances users should be at a slightly lower risk with this infection vector, since macros are not enabled by default in more recent versions of Word. The macro (if allowed to execute) leads to the install of a Trojan dropper. The malware currently creates a process named SUVCKSGZTGK.exe on the victim’s machine. Eventually this leads to the install of key-logging malware designed to harvest banking, email and social media credentials. As we commonly see with these types of campaigns, the payload can be swapped out by the malware distributors, so this dropper could pull down some other form of malware in the future.

Here is a look at the message:

[image: amazon_sample_2]

In a separate email blast, another group is distributing malicious emails posing as Amazon order confirmation emails. These emails are coming in at a slightly slower clip than the former campaign, but we have quarantined nearly 160,000 of these messages over the past few days. They appear to come from amazon.com with the subject reading: Your order on Amazon.com. These emails have a bit more of a legitimate look, as they use actual graphics taken from Amazon. Instead of a malicious attachment, these messages use links to compromised WordPress sites. Clicking these links launches the download of a .scr file named invoice1104.pdf[dot]scr, which should be a huge red flag to most users, as the .scr file extension is used almost exclusively for malware infection these days. The .scr file (MD5: 09cb12d7cd0228360cd097baeaaa6552) is in fact a Trojan dropper that will lead to the install of more malware once it has infected the host. Once again, from here the sky is the limit for the malware distributors, since they can now download and install remote files of their choosing.

Here is a look at the message and prompt:

[image: amazon_sample_1]

This is a very popular time of the year for these types of scams, with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations with much more frequency, it increases the likelihood that people will fall for this scam. Be extra cautious this holiday shopping season, and if you are suspicious of unauthorized activity on your Amazon account, never follow the link in an email such as this; go directly to the website and check your account from there.

Ah, Halloween. A time when people dress up in creepy costumes and enjoy a marathon of classic horror flicks. And while some people may be spooked more easily than others, here are five things that will alarm even the most fearless IT security pro.

  • Protecting a network without sufficient funds. Whether it’s locating qualified staff or convincing upper management that system updates are necessary expenditures, a lack of funds can seriously impede the health of an organization’s security posture.
  • A future of unknowns. IT security pros spend a lot of time researching the world of cybercrime so that they can stay out of harm’s way. Happily, White Hats are good at disseminating information to their peers when a breach occurs. Vulnerabilities were recently found in SSL (Heartbleed) and Bash (Shellshock), for example, and the community responded by sharing information and patching networks before an incident. But what about those unknown exploits? It’s enough to keep IT pros up at night.
  • The next Zero Day attack. These large-scale attacks often leverage the aforementioned secret vulnerabilities and use them to spread online malaise quickly. Examples include Storm Worm, which targeted the internet-consuming public, and Stuxnet and Duqu, which were customized espionage attacks. Oftentimes these attacks are able to operate for quite a long time without anyone ever being the wiser.
  • Insider threats. Threats can come from careless, lazy or even well-intentioned employees who have intimate knowledge of the company’s network and accounts. In the case of a disgruntled former employee, access can be revoked immediately, but with the employee who accidentally falls for a social engineering scam, your network may never be the same.
  • Falling victim to a data breach. We seem to hear about data breaches on a daily basis as of late. Not only must IT pros take care of internal damage to systems, but they must also worry about stolen customer data. This is an expensive problem that can cost millions of dollars in direct losses and preventative assurances, like paying for victims’ credit monitoring. Then there’s the loss of consumer confidence and negative publicity that likely affects the bottom line.

No one wants to be the next victim of data theft or deal with unknown attacks, and because of that, sometimes it’s good to be a little afraid as an IT Security Pro.  A small dose of fear can be healthy and motivate us to go the extra mile in preventative care.  After all, those who remain complacent in their security practice often find themselves to be the next target we’ll read about in tomorrow’s newspaper.

Using current news events in spam and malware campaigns is nothing new. In fact, we see it with most major tragedies or events. This time around the topic is the Ebola virus. We’ve been seeing both spam and virus campaigns using Ebola as a topic to get the reader’s attention, with one malware campaign even claiming to be from the World Health Organization. That one claims to have information on how to stay safe from diseases “that you know nothing about”.

[image: ebola malware sample]

Most of the spam coming in seems to be using Ebola as click bait in the message rather than focusing the spam specifically on Ebola. Messages are coming in with subjects claiming to have breaking news on Ebola, others claiming to have cures, and some even trying to sell Ebola survival guides. Using a popular news topic in spam is a common tactic, since people are more likely to have heard about the message’s alleged content. Usually the message is formatted in such a way that it appears to provide you with information you may not know yet, sometimes even looking like a legitimate news agency email. From there it is easier to deliver a payload or to get a user to click on a link in the message that takes them elsewhere. In the recent campaigns, most of the spam with links takes you to websites that don’t even mention Ebola. They are just using its popularity in the email message to get users to click on links and get their attention for products they are trying to sell.

[image: ebola samples of spams]

Because of Ebola’s popularity at the moment, it can be harder for a user to determine whether a message is actually spam or something they are interested in, like legitimate news. This is when it’s best to remember some good practices of safe email use.

  • Check who the message is coming from – This can sometimes show whether a message is coming from an account you don’t recognize. It is not always a reliable tactic, since a From address can be spoofed, but it can make it easier to weed out the obvious fake emails.
  • Look where a link may take you – In almost every mail program you can hover your mouse over a link and see where it’s taking you. Often you can see right away whether a link looks legitimate or not. If you get an email from an American news agency about a miracle Ebola cure but it’s leading you to a foreign website or a website you’ve never heard of, it’s probably safe not to click the link.
  • Always be wary of attachments – This goes for pretty much any attachment. Some of the file types commonly abused for malware are .exe, .scr, .com and .pif. There are many other attack vectors in programs for malware to use as well, though. So if you get attachments from unknown senders at all, it’s best to take as much caution as you can, such as scanning the file with web tools or your local antivirus. A side note: also be aware of double extensions. By default in Windows, a known file extension is not shown. Sometimes malware authors will create and zip a virus such as “Invoice.pdf.exe”. When saved and extracted to a computer, most users will just see “Invoice.pdf”, making it look legitimate.
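As an added illustration (not code from the original posts), here is a small Python check that applies the attachment advice above, and the invoice1104.pdf[dot]scr name from the Amazon campaign, to attachment filenames, including names inside a zipped attachment. The extension sets are my own assumptions for the example, and the sample zip is constructed inline.

```python
import io
import zipfile

# Extensions the post lists as commonly abused to deliver malware.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif"}
# Document-style extensions used as the decoy in double-extension names.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Office formats that can carry VBA macros (the amazon.co.uk lure used a Word document).
MACRO_CAPABLE_EXTENSIONS = {"doc", "dot", "docm", "xls", "xlsm", "ppt", "pptm"}


def assess_filename(filename):
    """Return the reasons an attachment name looks risky; an empty list means no flag."""
    # Undo the "[dot]" defanging used when indicators are shared, then split on dots.
    parts = filename.lower().replace("[dot]", ".").split(".")
    if len(parts) < 2:
        return []
    final_ext, inner_exts = parts[-1], parts[1:-1]
    reasons = []
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final_ext}")
    decoys = [e for e in inner_exts if e in DECOY_EXTENSIONS]
    if decoys:
        # Windows hides known extensions by default, so the user sees only the decoy.
        reasons.append(f"double extension: displayed as .{decoys[-1]}, really .{final_ext}")
    if final_ext in MACRO_CAPABLE_EXTENSIONS:
        reasons.append(f"macro-capable document .{final_ext}")
    return reasons


def assess_zip(zip_bytes):
    """Apply assess_filename to every member of a zipped attachment."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return {name: assess_filename(name) for name in archive.namelist()}


def build_sample_zip():
    """Constructed sample: a zip holding the double-extension name from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice.pdf.exe", b"placeholder bytes, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ["invoice1104.pdf[dot]scr", "order.docx", "report.doc"]:
        print(name, assess_filename(name))
    print(assess_zip(build_sample_zip()))
```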


Keeping a close eye on the email content you look at can save you from falling into a phishing scam or installing a virus. But using email filtering and keeping antivirus up to date is equally important in protecting users and should shield most users from these types of spam and attacks.

This morning we had a particularly large virus campaign come in. The messages were claiming to be from payment@bill.com about an unprocessed payment. Attached to the message was a zipped piece of malware.

[image: sample message]

Over the past month we’ve been seeing around 1.5 to 2.5 million virus messages throughout the entire day. This morning, though, over the course of about 3 hours we saw 6.2 million from a single virus campaign. There were a few other campaigns numbering in the tens of thousands during that time, but the fake bill.com malware certainly dwarfed any others. Although this campaign was large in volume across all servers here, the attached malware matched a virus rule that had previously been in place on our system; that rule had the same 6.2 million matches this morning. Running a sample of the virus through virustotal.com shows only 16 of 54 antivirus companies blocking this particular executable.

It took less than one day after the news was publicly released about a major flaw in the bash command line interpreter before a botnet leveraging this flaw, referred to as ShellShock, was spotted in the wild. This vulnerability is being compared to Heartbleed, the OpenSSL flaw that made headlines earlier this year, in terms of severity. Unfortunately, researchers agree that this one actually has the potential to eclipse Heartbleed in that arena. The reason is that where Heartbleed was able to easily steal data from unsuspecting victims, this new bash vulnerability allows an attacker to actually gain access to and control of its victims’ machines. Another concerning factor of this new exploit is its potential targets. Bash runs in both Linux and Mac’s OS X operating systems, a rarely targeted group which may be caught with their guard down. Every Mac we have tested this on so far has been vulnerable to this exploit, whereas we achieved varying results in Linux environments due to the particular Linux flavors and bash versions that were installed. Bash is the most widely used shell on Linux based systems and is also the default shell in Mac OS X Panther (version 10.3) and later. This vulnerability is present in every bash version up to 4.3, which is potentially a large swath of users. It is being stated, however, that the likely prime target of these new attacks will be Apache web servers that use the standard CGI implementation.

The botnet, known as Wopbot, has already gone to work. It has been busy running distributed denial of service attacks against Akamai and other targets overnight. It has also been scanning the entire IP address space of the US Department of Defense, apparently searching for open Telnet ports, which commonly would be brute forced in order to gain access. This is quick work by cyber attackers, which is exactly what those at risk do not want with such a publicly available flaw. Currently the Linux community is rushing to create and push out patches for ShellShock, while others are arguing whether or not to simply remove the point of vulnerability altogether. It is unclear what Apple’s stance is on this or when they may have a fix available. Hopefully they will move quickly as well, or all of my friends who “never get viruses” just may be in trouble.

It is recommended that those who may be susceptible to this vulnerability watch closely for patches or hotfixes and apply them as soon as possible.
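As an added illustration (not from the original post), here is a Python check that an Apache operator could run over combined-format access logs to spot ShellShock probes against CGI scripts: CGI hands client-supplied headers to the script as environment variables, and Bash treats a variable whose value begins with "() {" as a function definition, so that prefix in any header field is the indicator. The log regex, field names and sample log lines are constructed for this example.

```python
import re

# Apache combined log format (constructed for the example): host, ident, user, time,
# request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Bash parses an exported variable whose value starts with "() {" as a function body;
# CGI exports headers such as User-Agent and Referer, so this prefix is the indicator.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line):
    """Return the log fields as a dict, or None when the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock_attempts(lines):
    """Return (host, time, path, field) for each request carrying the indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("agent", "referer", "request"):
            if SHELLSHOCK_RE.search(rec[field]):
                req = rec["request"]
                path = req.split(" ")[1] if " " in req else req
                hits.append((rec["host"], rec["time"], path, field))
                break  # one hit per request is enough for triage
    return hits


# Constructed sample lines: one ordinary request, then a probe against a CGI script with the
# indicator in the User-Agent header (the command part is omitted; detection needs only the prefix).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:03:15:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 73 "-" "() { :; }; [command omitted]"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print("possible ShellShock probe:", hit)
```

Requests flagged this way are a reason to confirm the bash patch level on the host and to review what the targeted CGI script does, not proof of compromise on their own.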