Thursday, July 31, 2008

Ah, See, It's got a Picture, It Must Be Safe

So, anyway, I just finished watching a video interview on YouTube. Sage Lewis from Web Marketing Watch is interviewing Cresta Pillsbury from ScanAlert, who is promoting the re-branding of their HackerSafe product. The product is designed to let website owners and operators feel protected against vulnerabilities: HackerSafe scans your site daily looking for holes, and when it finds one, it tells you about it and how to fix it. Along with the service you receive a shiny image to place on your website, telling everyone who may enter information on your site that it's completely safe.
I don't know about you, but I see a huge flaw in this, at least from a visitor's standpoint. It's good as a website operator or e-business owner to have a company that will continually watch out for your site's security, but as a visitor, how do you know that the little picture of a green shield truly means you're on a protected site? You don't. Look, I have one; I guess that means Blogspot is malware free. Yeah, maybe not, huh?!
I have seen it on sites that sell pharmaceuticals and other bogus products, and it has always made me wonder whether seeing it has ever baited people into believing that a site they would normally have steered clear of was indeed safe. I bet it has.
Anyway, I just wanted to rant, sorry about that. Just remember that just because someone on the interweb tells you something's safe doesn't make it true. Be vigilant, watch out for warning signs, and keep your info secure.

Tuesday, July 29, 2008

FBI Invades Your Social Network (Learns of your favorite music)


According to our buddy the Storm Worm, the FBI has taken the liberty of taking your "personal" information from the social networking site Facebook. Apparently they're going after a different demographic with this social engineering tactic. I can't say that I wouldn't do the same thing, especially since previous attacks against users of Facebook and MySpace proved so effective, even though those attacks were actually carried out on the sites themselves. These were instead sent out via the Storm botnet with the idea of simply flooding inboxes, on the likelihood that they would reach a concerned Facebook user or two. There were several different email subjects in this one, among them:
FBI busts alleged Facebook
FBI is watching us
The FBI's plan to "profile" Facebook
Get Facebook's FBI Files
FBI may strike Facebook
et al.

As usual, a link in the email led recipients to a webpage with the picture above and another link where you could download the story, and, also as usual, if you don't click the link, Storm will start the download for you.
Storm has been very active this month, along with the Pushdo botnet and many other campaigns. We at AppRiver have seen a 600% increase in virus activity over last month and roughly an 1100% increase from two months ago. We have been watching the patterns and have stayed ahead of the game when it comes to adding signatures for all of these new variants to our own proprietary AV engine. They are certainly keeping us busy, though.

Thursday, July 24, 2008

A King Receives His Judgement

Much like the true kings of lands ruled by monarchy, when one "Spam King" falls, there is always another to take his place. In the spam community, whenever the public learns a spammer's true name, the media immediately refers to him as the Spam King... inboxes drop to their digital knees and gladly rejoice in the junk mail offerings the king showers upon his fiefdoms.
One such Spam King, Robert Alan Soloway, who was arrested in May of 2007, finally received his sentence this past Tuesday. In addition to still owing more than $17 million in civil penalties from past judgments, including one from another kind of king, Microsoft, for $7.8 million in 2005, Soloway, who is now 29, received 47 months in federal prison. The prosecutors were pushing for nine years, but the presiding judge said that the sentencing guidelines for the nation's anti-spam statute weren't clear enough.
Still, four years will be a far cry from the life of unearned luxury he had been living in Seattle for many years. The judge has given Soloway 60 days to report to prison. Think he'll show? We'll see.

My apologies to Burger King and the Hormel Corporation for infringing on two trademarks at once. I feel their products are delicious, and I eat nothing but.

Wednesday, July 23, 2008

Remember That Package You Never Sent?


Over the past several days, the United Parcel Service has been the front for a group of malware authors. They have been sending out emails claiming to be from UPS with the message:

"Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.Please print out the invoice copy attached and collect the package at our office Your UPS"

And as you probably guessed, the attached "invoice" was in actuality a piece of malware, a keylogging trojan to be exact.
This campaign started last Sunday, July 13th. It was followed by a second version of the same campaign early the following Monday; however, this one was in German (translated here; the German original contained spelling errors of its own):

"Good day,
unfortunately we could not deliver your package sent on July 1st, because
the recipient's address does not exist. Please print out the delivery note attached to this mail and collect your package from us. Kind regards,
Your UPS"


At that point I thought that might have been the end of it, that is until the following Saturday, when we saw version #3, then version #4 on Tuesday, and a 5th version early this morning. I'm looking forward to tomorrow's version, or more likely tonight's.
Today's campaign has lasted for about 7 hours so far, and we're catching an average of around 40K per hour, for a total of just over 300,000 pieces captured at the time of writing, with a straggler from the past week's campaigns every now and then.
I'm curious how many people send so many packages via UPS that they would fall for this; not that I've ever given UPS my email address as a means of communication or anything, I was just curious. I'm also curious how many people opened this attachment knowing that they hadn't even used UPS, but it's to these people that the spammers and virus writers owe thanks for keeping these things going.
Here's a list of the file names attached to the emails, in the order they were received (avoid them):
Version 1: ups_invoice.zip
Version 2: UPS_Lieferschien_8102.zip
Version 3: ups_invoice.zip
Version 4: UPS_INVOICE_978172
Version 5: UPS_INVOICE_187271
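The checks a mail filter would run against a message like the ones above, as an added example that is not AppRiver's code or anything from the original post: does the sender claim to be a carrier while mailing from some other domain, does the attachment name match the file names listed above, and does the "invoice" zip contain an executable (the post only says the attachment was a keylogging trojan; the executable-inside-a-zip packaging, the brand-to-domain table, and the sample message and addresses are assumptions constructed for this example).

```python
import email
import email.policy
import email.utils
import io
import os
import re
import zipfile
from email.message import EmailMessage

# Brand names and the domains they legitimately mail from. Assumed for this example;
# a real deployment would maintain a much larger table.
BRAND_DOMAINS = {"ups": {"ups.com"}}
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Attachment names from the campaign described in the post (case-insensitive).
LURE_NAME = re.compile(r"(?i)^ups_(invoice|liefersch(ei|ie)n)(_\d+)?(\.zip)?$")


def sender_claims_brand(msg):
    """Finding if the display name or subject names a brand but the sending
    domain is not one of that brand's domains."""
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    text = f"{name} {msg.get('Subject', '')}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", text) and domain not in domains:
            return f"claims to be {brand} but sent from {domain}"
    return None


def inspect_zip(data):
    """List executables and double extensions inside a zip attachment."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return ["attachment has a .zip name but is not a valid zip"]
    for name in names:
        root, ext = os.path.splitext(name)
        if ext.lower() in EXECUTABLE_EXT:
            findings.append(f"archive contains executable: {name}")
            if "." in root:  # e.g. invoice.doc.exe, shown as "invoice.doc" with extensions hidden
                findings.append(f"double extension: {name}")
    return findings


def triage(raw):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    sender_finding = sender_claims_brand(msg)
    if sender_finding:
        findings.append(sender_finding)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if LURE_NAME.match(fname):
            findings.append(f"attachment name matches known lure pattern: {fname}")
        if fname.lower().endswith(".zip"):
            findings.extend(inspect_zip(part.get_content()))
    return findings


def build_sample_lure():
    """Constructed sample resembling the campaign; the 'executable' is a stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("ups_invoice.doc.exe", b"MZ" + b"\x00" * 62)  # placeholder bytes
    msg = EmailMessage()
    msg["From"] = "UPS <service@ups-delivery.example>"  # assumed lookalike sender
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Package delivery problem"
    msg.set_content("Unfortunately we were not able to deliver postal package you sent "
                    "on July the 1st in time because the recipient's address is not correct. "
                    "Please print out the invoice copy attached and collect the package at our office.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="ups_invoice.zip")
    return msg.as_bytes()


def build_sample_benign():
    """Constructed ordinary message that should produce no findings."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@corp.example>"
    msg["To"] = "bob@corp.example"
    msg["Subject"] = "Lunch?"
    msg.set_content("Noon at the usual place.")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample_lure()):
        print("LURE:", finding)
    print("BENIGN:", triage(build_sample_benign()))
```

The sender check deliberately keys on the display name and subject rather than the address, because that is what the recipient sees; the zip inspection reads only the member names, so it never extracts or executes anything.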

Tuesday, July 22, 2008

Storm Issues Special News


It has been a very busy and very varied month for our buddies the Storm Worm authors. They seem to have been going non-stop with ever-changing code to keep everyone on their toes, just like the beginning of last year, maybe even a little more so. Today they've made use of previously infected domains with a slightly updated approach. Earlier in the week these domains were linked to by an email offering up the old standby, celebrity porn videos. Recipients would receive a link that led them to http://xxxxx.xx/index1.php, and once at the site they would get the image of a video window attempting to load, and, as usual, if you didn't click the "download now" link, Storm would attempt to start the download for you as a message box appeared prompting you to save the file.
Today they began offering up these Subject lines:
Special issue of news from CNBC! Urgent Shocking News Usama Ben Laden!
Special issue of news from Bloomberg! Urgent Shocking News Usama Ben Laden!
Special issue of news from Reuters! Urgent Dangerous News Usama Ben Laden!
Special issue of news from Telerate! Urgent Shocking News Usama Ben Laden!
Special issue of news from CNN! Urgent Dangerous News Usama Ben Laden!
Special issue of news from Financial Times! Urgent Fresh News Usama Ben Laden!
The body of the email claims that "Usama bin Laden(Osama bin Laden) one of the largest organizers of terrorist activity, and similarly the largest leaders of the terrorist organization of Al Kaeda, detained American soldiery force in Iraq." That opening line is followed by a brief history of 'Ben Laden's' evil timeline. It also seems that all of the links from earlier in the week still work, along with the new ones, but the pages have been replaced with an edgier version of what is now a "shocking video".
These guys are certainly working hard to keep their botnets up and running, and I'm sure we'll be seeing a lot more from them.

Thursday, July 17, 2008

Digital Insight Clients Phished


A very large phishing campaign is rolling through AppRiver today, and not your run-of-the-mill Bank of America phish either. This one is targeting Digital Insight clients. Digital Insight, which was acquired by Intuit back in 2006 for $1.35 billion, builds internet banking solutions for mid-market banks and credit unions as well as large corporations. They offer customized portals based on the needs of your company, including functions such as internet banking, online lending, and electronic bill paying. So when you imagine someone giving up their Digital Insight company and log-in information, you should also be able to imagine that this could cause far more damage than giving up an individual account.
I have never signed into a Digital Insight account; however, I can imagine that through such an account you would be able to access a lot of very important information regarding the company that owns the account, as well as the banking info that this account in turn handles. I could also imagine being able to exploit the software once you have this kind of access, maybe during beta testing, by inserting code to transfer all transactional information. Once again, I've never seen all of the info contained within one of these log-ins, but considering the size of this campaign and the nature of the business DI handles, I'm assuming it's pretty juicy.
As normal, these arrive as emails claiming that your account is about to expire, and provide a link to a fake log-in page where you can give up your account information. The links are recurring and noticeable to the keen eye looking for fraud; however, one in particular looked pretty convincing to me. That one was... /accounts.digitallnsight.net/onl... The tricky part lies in the center of the main domain, where instead of the letters "l" and "i" they are using two lower-case "L"s: digita ll nsight. I can see where this one could fool even some of the most vigilant.
AppRiver is currently blocking all phishing attempts to Digital Insight, but always remember, your bank or financial institution will never require that you do business through an email.
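The "ll" for "li" trick above is a homoglyph substitution, and the usual way to catch it automatically is to collapse every visually confusable character to one canonical form before comparing a link's host against the domains you protect. The following is an added example, not AppRiver's filter or anything from the original post; the protected-domain list, the confusable table, and the sample email body are assumptions constructed for the example, and the registrable-domain helper assumes plain two-label TLDs rather than consulting the public suffix list.

```python
import re
from urllib.parse import urlparse

# Domains we want to protect. Hypothetical list for this example.
PROTECTED_DOMAINS = {"digitalinsight.net", "bankofamerica.com"}

# Visually confusable sequences, each collapsed to one canonical form. Chosen for this
# example; it is not the Unicode confusables table.
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
SINGLE_CONFUSABLES = {"i": "l", "1": "l", "|": "l", "!": "l", "0": "o", "5": "s"}


def skeleton(label):
    """Collapse confusables so 'digitallnsight' and 'digitalinsight' compare equal."""
    s = label.lower()
    for seq, rep in MULTI_CONFUSABLES:
        s = s.replace(seq, rep)
    return "".join(SINGLE_CONFUSABLES.get(c, c) for c in s)


def registrable_domain(host):
    """Last two labels of the host (assumption: no multi-label public suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Return (verdict, matched_brand) for a hostname found in a link."""
    host = host.lower()
    dom = registrable_domain(host)
    if dom in PROTECTED_DOMAINS:
        return "legitimate", dom
    # Whole registrable domain is a confusable twin of a protected one.
    for brand in PROTECTED_DOMAINS:
        if skeleton(dom) == skeleton(brand):
            return "lookalike", brand
    # Brand name used as a subdomain label of some unrelated domain.
    labels = host.strip(".").split(".")
    for brand in PROTECTED_DOMAINS:
        brand_label = skeleton(brand.split(".")[0])
        if any(skeleton(lab) == brand_label for lab in labels[:-2]):
            return "brand-in-subdomain", brand
    return "unrelated", None


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def triage_links(text):
    """Extract URLs from a message body and classify each host."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            results.append((host,) + classify_host(host))
    return results


# Constructed phishing body; the hosts are placeholders, not the campaign's real ones.
SAMPLE_BODY = """Your online banking access will expire in 24 hours.
Please confirm your details at https://accounts.digitallnsight.net/onlinebanking/login
or use our mirror at http://accounts.digitalinsight.net.update-center.example/login
Questions? Visit https://www.digitalinsight.net/support
"""

if __name__ == "__main__":
    for host, verdict, brand in triage_links(SAMPLE_BODY):
        print(f"{verdict:20} {host}  (brand: {brand})")
```

Because both sides go through the same skeleton, the check is symmetric and catches substitutions in either direction; the cost is a few extra false positives on unrelated domains whose skeletons happen to collide, which is the right trade for mail filtering.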

Hacker gets Slap on the Wrist, and a Job Offer.

After a year-long investigation, the FBI and authorities in the Netherlands were led to 18-year-old Owen Thor Walker, who later pleaded guilty. Walker operated under the moniker Akill, as part of the cybercriminal group A-Team, out of his bedroom in the small town of Whitianga, New Zealand.
Authorities described Walker as a bot herder responsible for large stock market pump-and-dump scams, as well as a large DDoS attack that brought down servers at the University of Pennsylvania in 2006, which spurred the investigation. He also wrote all of his own malware and software, which he sold to other cybercriminal groups, who in turn used it to harvest user names, passwords, and credit card credentials from other victims.
As Walker stood in court yesterday, instead of strict punishment, the judge released him, stating that Walker "was immature and unable to set proper boundaries for himself in relation to his 'undoubted expertise' in computers." He was also fined £5,500, which seems like a drop in the bucket considering his actions caused nearly $20 million worth of damage.
If that wasn't enough, during the proceedings both the prosecution and the defense stated that the police were interested in talking to him about a job on the right side of the law. The head of the police e-crime laboratory said that the self-taught Walker was 'at the top of his field'.
It would also appear that he is being 'head-hunted' by several other computer programming and security companies outside of the court.
Quite an interesting way to get your resume out there. Just make sure that when you're robbing people, you do it in a way that is smart enough to impress some people, and you can make a legal career out of it! Hey, I think I'm gonna start brainstorming now, not that I'm bitter.

Friday, July 11, 2008

3 in One Week?!

I just noticed a rush of links flying by here at AppRiver in emails promoting free anti-virus software, well, more like "Free Antivir\_/s". My personal AV software recognized it as a possible Nuwar variant. Nuwar, Peacomm, etc. etc., that would be the Storm Worm... again! If it's true, this will be the third variant in one week from these guys. The Storm authors have done it a little differently than their norm with this one. Instead of what was becoming the familiar fake news story video page, you're directed to a rather professional-looking page with a Microsoft feel pushing a product called Anti-Virus XP 2008. Shortly after visiting this page you are prompted to begin the download of your new free "anti"-virus software, as a hidden iframe tries to just go ahead and download the malware for you in case you choose not to select the manual install option. This particular page was hosted on a hijacked Italian domain, with a /index.php page appended where the malicious page resides. These guys are hitting it hard again, just like this time last year.

Sorry About Your New iPhone

Today was the long-anticipated iPhone upgrade to the 2.0 firmware! Did you get yours yet? I hope not, though I'm sure a lot of people ran out and bought the 3G, excited about the cheaper price and, with today's firmware release, the ability to use ActiveSync to hook up to their Exchange servers, as well as several other "fixes" and features the upgrade offered. Well, these new iPhone owners, as well as owners of the original iPhones who attempted to run the upgrade today, were first greeted by a message informing them that they had to upgrade iTunes to version 7.7 before proceeding with the 2.0 upgrade, which goes off well, but once you attempt to install version 2.0, you are left with an expensive unresponsive paperweight. The upgrade fails partway through the process with this error:

The iPhone is then unable to do anything except show the dial pad and an option to make an emergency call. It seems Apple didn't anticipate the number of upgrades they were going to need to pull off, and their systems weren't able to handle it. Well, I guess this is one day I can put my envy aside and be glad I don't (yet) own an iPhone, and I guess my Windows Mobile device can take a win for once!

Wednesday, July 9, 2008

Heavy Storms for the Month of July


It's only just barely into the second week of July, and the Storm Worm has offered up its third variant of the month. This time around it brings you the first look at the last days on Earth, proclaiming the start of World War III. Apparently the US and Iran aren't playing nice, and negotiations end in the start of the war. The emails arrive with subject lines and bodies such as:

US Army crossed Iran's borders
The Iran's Leader Mahmoud Ahmadinejad declared Jihad to USA
Negotiations between USA and Iran ended in War
The World War III has already begun
Third War in Iran
USA declares war on Iran
War with Iran is the reality now
Negotiations between USA and Iran ended in War
US army is about 20 kilometers from Tegeran


Each contains a link to a fake news site with Storm's newest trademark, the fake news video page. A link below the image of the video prompts you to retrieve the video, but instead delivers the worm itself. One of the newer techniques Storm began using last month is to include a malicious iframe on the webpage that serves up the malware, for an added opportunity for infection. Unlike the link, which requires you to click on it in order to download and install Storm, the iframe automatically attempts to run malicious JavaScript that downloads a second variant of the worm onto your computer. To avoid being a victim of these malicious iframe attacks, which seem to be the flavor of 2008, I recommend disabling JavaScript in your browser, or using a plug-in such as NoScript for Firefox, which lets you build a whitelist of sorts of pages you trust as you visit them and prompts you any time a script attempts to run on a site you're unfamiliar with. Keep in mind that disabling scripts only stops the script; the iframe itself still loads its source, so if that source is the executable you will still see a save prompt, and the right answer there is to cancel it.
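What the hidden iframe in this post and in the Anti-Virus XP 2008 page described in "3 in One Week?!" above looks like from the defender's side, as an added example that is not part of the original posts: a scanner over fetched HTML that collects every iframe and flags the ones with no visible area, a display:none or visibility:hidden style, or off-screen positioning, and notes whether each frame pulls from a host other than the page's own. The sample page and the .example hosts are constructed for this example; the real campaign's pages and domains are not reproduced.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append({k: (v if v is not None else "") for k, v in attrs})


def _pixels(value):
    """'0', '0px', '640' -> int; anything else -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True when the frame has no visible area or is styled out of view."""
    for key in ("width", "height"):
        px = _pixels(attrs.get(key))
        if px is not None and px <= 1:
            return True
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(width|height):0(px)?(;|$)", style):
        return True
    # Pushed far off-screen with absolute positioning (four or more digits, i.e. >= 1000px).
    if re.search(r"(left|top):-\d{4,}px", style):
        return True
    return False


def scan_html(html, page_host):
    """Report each iframe with hidden/offsite flags; hidden frames are marked suspicious."""
    parser = IframeCollector()
    parser.feed(html)
    report = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = (urlparse(src).hostname or page_host).lower()  # relative src -> same host
        hidden = is_hidden(attrs)
        offsite = src_host != page_host.lower()
        report.append({"src": src, "host": src_host, "hidden": hidden,
                       "offsite": offsite, "suspicious": hidden})
    return report


# Constructed page imitating the fake "video" landing page: a visible player frame plus
# two hidden frames that would load the payload without a click.
SAMPLE_PAGE = """<html><body>
<img src="video_loading.gif" alt="Loading video...">
<a href="/download.php">Download now</a>
<iframe src="/player.html" width="640" height="480"></iframe>
<iframe src="http://bad.example/index1.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://bad.example/load.php" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for entry in scan_html(SAMPLE_PAGE, "hijacked.example"):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} hidden={entry['hidden']} offsite={entry['offsite']} src={entry['src']}")
```

The verdict is driven by visibility rather than by the frame being off-site, since legitimate pages embed third-party frames all the time, whereas a zero-size or display:none frame has no honest reason to exist on a page that claims to be showing you a video.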
Also, as everyone predicted, Storm had a 4th of July run as well, which I believe officially began running the night before. Here are a couple of screenshots from Independence Day. AppRiver is currently blocking all Storm variants.

Thursday, July 3, 2008

Right on Schedule

Well, it's not Storm's 4th of July offering, but it does have a nice theme. It turns out to be a backdoor trojan, or remote access trojan (RAT). It was first spotted late last night and is beginning to trickle in here at AppRiver in its usual guise, an e-greeting card, this one with the subject "You just received an E-Greetings for the 4'th of July". The links in the email appear to go to a site called greetings(dot)com, where you can view your e-card, but closer inspection reveals that you are actually directed to a Romanian website that serves up the file "July.exe". On a side note, I kind of enjoyed that once I got my hands on a sample, the icon turned out to be a little American flag. How patriotic of them!

Tuesday, July 1, 2008

Storm's Pre-Independence Offering


Not a second after I finish up AppRiver's spam report for the month of June, where I had a slightly lengthy piece about the Storm Worm, do I start seeing its newest offering. This is a slightly different approach than we're used to with these guys. Normally this group will use current events to arouse public curiosity and then take you to a fake video screen or the like, where the infection begins. This time they use the ruse of 'Shocking' or 'Stunning' videos of your favorite stars and performers. Once the link is clicked, the site displays a couple of different images indicating that your computer is full of viruses and spyware. This even includes the ever-convincing little yellow dialog box that appears near your system tray when something official is happening. However, it's rather easy just to exit the page without clicking on any of the other boxes, any of which will begin the Storm Worm installation.
I titled this posting pre-independence due to my prediction that we should be seeing some Independence Day themed emails from Storm any second now. Most likely it will be tomorrow or the following morning.