Thursday, June 25, 2009

Mmm, Spam and Word Salad, Just Like Mom Used to Make

There has been an influx this past week of spam emails that contain nothing but random words. One to three of them appear in the subject line and around three to six in the body. These words are various verbs such as “mugging” or “denote”, people’s first names, objects, proper nouns, regular nouns, you name it. This type of spam, a grouping of words that make sense individually but certainly not together, has come to be known as “word salad”. This certainly isn’t the first time this has occurred; it has been going on since the invention of Bayesian spam filtering back in the late 1990s. People have stuck to the notion that this technique is used to break or poison this type of filtering.
Bayesian filtering is a statistical approach to filtering spam from your inboxes. Essentially it looks at the individual words in an email and assigns each word a probability based on how likely that word is to appear in a spam message. After every word is assigned a value, in most cases the filter looks at the words furthest away from a neutral score, in either direction, and averages them together to produce the resulting score. These filters do need to be trained, however, and this is where word salad comes into play. The theory is that the spammers are sending these emails in an attempt to render these filters useless by polluting their training data. The spammers send random words, or sometimes specific words in anticipation of an event such as a new movie coming out or an election, in the hope that their obvious spam will cause common words to be scored as spam in future valid emails. Those valid mails then begin to be quarantined as spam, creating a slew of false positives. The resulting frustration causes the end user to turn off Bayesian filtering, clearing the way for the spammers’ real payload that follows. That’s the theory anyway.
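To make the poisoning mechanism concrete, here is a toy Bayesian filter of the kind the post describes (per-token spam probabilities, the most telling tokens averaged into a score) trained on a small constructed corpus, then fed a batch of word-salad messages labelled as spam that all happen to contain ordinary business words. This is an added illustration, not code from the post or from any real filter; the ham, spam and salad messages are all made up for the example, and the scoring formula is the simple average the post mentions rather than any particular product's algorithm.

```python
import re
from collections import Counter

NEUTRAL = 0.5
TOP_N = 5      # number of most-telling tokens combined into the message score
RARE_MIN = 2   # tokens seen fewer times than this are treated as neutral


def tokenize(text):
    return set(re.findall(r"[a-z']+", text.lower()))


class BayesFilter:
    """Per-token spam probabilities learned from labelled messages."""

    def __init__(self):
        self.spam_docs = Counter()   # token -> number of spam messages containing it
        self.ham_docs = Counter()    # token -> number of ham messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        for tok in tokenize(text):
            (self.spam_docs if is_spam else self.ham_docs)[tok] += 1
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def token_prob(self, tok):
        """Probability that a message containing tok is spam."""
        s, h = self.spam_docs[tok], self.ham_docs[tok]
        if s + h < RARE_MIN:
            return NEUTRAL
        p_spam = s / self.n_spam if self.n_spam else 0.0
        p_ham = h / self.n_ham if self.n_ham else 0.0
        return p_spam / (p_spam + p_ham)

    def score(self, text):
        """Average of the TOP_N token probabilities furthest from neutral."""
        probs = [self.token_prob(t) for t in tokenize(text)]
        probs.sort(key=lambda p: abs(p - NEUTRAL), reverse=True)
        top = probs[:TOP_N]
        return sum(top) / len(top) if top else NEUTRAL


# Constructed training corpus (not real mail).
HAM = [
    "meeting schedule for the quarterly review attached",
    "please send the invoice for last month",
    "lunch meeting tomorrow at noon",
    "the project schedule slipped by a week",
    "invoice approved, payment on friday",
    "notes from the meeting with the client",
]
SPAM = [
    "cheap viagra online pharmacy",
    "buy viagra cheap no prescription",
    "online pharmacy lowest prices",
    "win a free prize click now",
    "cheap pills online now",
    "claim your free prize today",
]
# Word-salad spam: random words mixed with words common in this site's legitimate mail.
SALAD = ["mugging", "denote", "harold", "kettle", "pipeline", "gloria",
         "anvil", "tremble", "porter", "lattice", "quentin", "mortar"]
POISON = [f"meeting invoice schedule {SALAD[i]} {SALAD[(i + 5) % len(SALAD)]}"
          for i in range(12)]
TARGETS = ("meeting", "invoice", "schedule")
LEGIT = "meeting invoice schedule"   # a perfectly normal internal message


def build_filter():
    f = BayesFilter()
    for m in HAM:
        f.train(m, False)
    for m in SPAM:
        f.train(m, True)
    return f


def poison_demo():
    """Token probabilities and the legit message's score before and after
    the salad batch is learned as spam."""
    f = build_filter()
    before = {t: f.token_prob(t) for t in TARGETS}
    before_score = f.score(LEGIT)
    for m in POISON:
        f.train(m, True)
    after = {t: f.token_prob(t) for t in TARGETS}
    return {"before": before, "after": after,
            "before_score": before_score, "after_score": f.score(LEGIT)}


if __name__ == "__main__":
    print(poison_demo())
```

Before the salad batch, "meeting", "invoice" and "schedule" score 0.0 (pure ham) and the internal message scores 0.0; after twelve salad messages are learned as spam, each of those words drifts above 0.5 and the same internal message scores about 0.63, which a filter with a 0.5 threshold would quarantine. That is exactly the false-positive effect the post describes, and it is why auto-training on every message that reaches a spam trap, without any review, is risky.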
Another theory around this current campaign is based on reputation filtering. It (the theory) says that these are being sent to bypass spam filters by appearing as benign emails: the sending IP or source gains a positive reputation because it has sent valid mail in the past, so future mail from that source is more likely to be treated as good mail as well. This is supposed to increase the likelihood that a spammer’s future message will make it through. This theory has a lot of holes. The first is that anyone who relies solely on a reputation filter with no other type of layered filtering will have a lot more issues than this. Another flaw is that all of these are botnet delivered, most of them through home computers using their local ISP’s access. These botnets range in size, but this one is easily in the tens of thousands, high thousands at least, and the chance of any one of these bots randomly hitting the same target twice is too small to be worth anything.
Here’s my theory, are ya ready? Directory Harvest Attack, yep, I said it! Conspiracy theorists are aghast, I’m sure, but here’s my hypothesis, and facts. First of all, I’ll have to agree with part of the reputation filter theory in that they’re short, sweet and will easily bypass most filters initially. However, the real proof lies with who the intended recipients are. Each email is addressed to about 5 recipients, and all of these recipients are at the same domain. Certainly a sign, and another sign is that in most cases only one of the intended recipients is actually a valid user at that particular domain. A Directory Harvest Attack is designed for the sole purpose of collecting valid email addresses. A spammer will blast out short or sometimes even blank emails to randomized but probable email addresses; when one sticks, they keep it as valid, and when it doesn’t, the invalid address is omitted from future attempts. The valid email addresses that are collected can be sold to “marketers” or used by the spammer in future campaigns.
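The recipient pattern described above (several recipients per message, all at one domain, nearly all of them nonexistent) is something a mail admin can look for in the MTA's own logs. The following is an added example, not code from the post or from AppRiver: it parses a constructed, simplified log format (one line per recipient with the message id, client IP, address and delivery status; the field names are assumptions, not any real MTA's format), flags messages that match the harvest pattern, and lists client IPs that have racked up enough unknown-user rejections to be worth throttling.

```python
import re
from collections import Counter, defaultdict

# Assumed log shape (constructed for this example, not a real MTA format).
LOG_RE = re.compile(
    r"msg=(?P<msg>\S+) client=(?P<client>\S+) rcpt=(?P<rcpt>\S+) status=(?P<status>\S+)"
)

# Constructed sample log: message A1 goes to five guessed addresses at one
# domain of which only one exists; B2 is ordinary mail; C3 has one typo.
SAMPLE_LOG = """\
2009-06-25T09:12:01 msg=A1 client=10.0.0.5 rcpt=alice@example.com status=ok
2009-06-25T09:12:01 msg=A1 client=10.0.0.5 rcpt=andrew@example.com status=unknown_user
2009-06-25T09:12:01 msg=A1 client=10.0.0.5 rcpt=anna@example.com status=unknown_user
2009-06-25T09:12:01 msg=A1 client=10.0.0.5 rcpt=arthur@example.com status=unknown_user
2009-06-25T09:12:01 msg=A1 client=10.0.0.5 rcpt=amy@example.com status=unknown_user
2009-06-25T09:15:40 msg=B2 client=192.0.2.9 rcpt=bob@example.com status=ok
2009-06-25T09:16:02 msg=C3 client=198.51.100.7 rcpt=carol@example.com status=ok
2009-06-25T09:16:02 msg=C3 client=198.51.100.7 rcpt=caro1@example.com status=unknown_user
"""


def parse_log(text):
    """Group recipient lines by message id: {msg: {"client": ip, "rcpts": [(addr, ok)]}}."""
    per_msg = defaultdict(lambda: {"client": None, "rcpts": []})
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = per_msg[m["msg"]]
        rec["client"] = m["client"]
        rec["rcpts"].append((m["rcpt"], m["status"] == "ok"))
    return per_msg


def find_harvest_candidates(text, min_rcpts=4, max_valid=1):
    """Messages with many recipients, all at one domain, almost none valid.
    Returns [(msg_id, client_ip, recipient_count, valid_count)]."""
    flagged = []
    for msg_id, rec in parse_log(text).items():
        rcpts = rec["rcpts"]
        domains = {addr.rsplit("@", 1)[-1].lower() for addr, _ in rcpts}
        valid = sum(1 for _, ok in rcpts if ok)
        if len(rcpts) >= min_rcpts and len(domains) == 1 and valid <= max_valid:
            flagged.append((msg_id, rec["client"], len(rcpts), valid))
    return flagged


def clients_to_throttle(text, unknown_threshold=3):
    """Client IPs that produced at least unknown_threshold unknown-user rejections."""
    rejects = Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m["status"] == "unknown_user":
            rejects[m["client"]] += 1
    return {ip for ip, n in rejects.items() if n >= unknown_threshold}


if __name__ == "__main__":
    print(find_harvest_candidates(SAMPLE_LOG))
    print(clients_to_throttle(SAMPLE_LOG))
```

On the sample log only A1 is flagged (five recipients at example.com, one valid) and only 10.0.0.5 crosses the rejection threshold; the typo in C3 does not trip either rule. The usual mitigation this feeds is rate-limiting or tarpitting the offending client rather than rejecting outright, so the attacker learns nothing extra from the response timing.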
There you have it, a long-winded explanation for a very short email. And to clarify, or fess up perhaps, my mom always fried Spam, and she never really served it with salad.

Outlook Trojan

Last week we saw a new malware campaign using a fake Microsoft Outlook update as the social engineering tactic du jour. This week has been much more of the same, but with a new and improved twist. The second version of these messages also poses as an Outlook update and appears to be from "Microsoft Customer Support". This new version, which began surfacing late last week, is now running full throttle, and it is much more believable and presumably more effective. In this campaign the spammers attempt to entice you into following a link to an executable file they have provided, thereby getting yourself infected. The link in the email even appears to point to Microsoft.com; however, if you look closely you will find that the actual base domain is ikl1l1.com. These messages also contain other links to Microsoft that, when clicked, actually direct you to the Microsoft website. This feature certainly makes the message appear more believable.

This is the link contained in the message:

http;//update.microsoft.com.ikl1l1.com/microsoftofficeupdate/isapdl/default.aspx/index2.ph

To the untrained eye this link may appear safe and legitimate.
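The trick in that link is that everything before ikl1l1.com is just subdomain labels the attacker controls. The check below, an added example and not code from the post, pulls the registrable ("base") domain out of a URL and flags a host that mentions a trusted domain without actually belonging to it. It uses the URL from the post (with an ordinary http:// scheme assumed) and a constructed legitimate URL for comparison; the tiny set of two-level suffixes stands in for the full Public Suffix List, which a real deployment should load instead.

```python
from urllib.parse import urlsplit

# Placeholder for the Public Suffix List: only the multi-label suffixes this
# example needs. Load the real list in production.
MULTI_LABEL_SUFFIXES = {"com.pl", "co.uk", "com.au"}


def registrable_domain(url):
    """The domain a registrar actually hands out: last two labels, or three
    when the last two are a known public suffix such as com.pl."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonates(url, trusted_domain):
    """True when the host name contains trusted_domain as a decoy but the
    registrable domain is something else."""
    host = (urlsplit(url).hostname or "").lower()
    trusted = trusted_domain.lower()
    return trusted in host and registrable_domain(url) != trusted


# The link from the post (scheme assumed) next to a constructed genuine URL.
PHISH_URL = ("http://update.microsoft.com.ikl1l1.com/"
             "microsoftofficeupdate/isapdl/default.aspx/index2.ph")
REAL_URL = "http://www.microsoft.com/downloads/"

if __name__ == "__main__":
    for u in (PHISH_URL, REAL_URL):
        print(registrable_domain(u), impersonates(u, "microsoft.com"), u)
```

Run on the two URLs, the post's link resolves to the base domain ikl1l1.com and is flagged as impersonating microsoft.com, while the genuine Microsoft URL is not. The same helper correctly keeps scananida.com.pl (the domain from the June 17 post) as a three-label domain because com.pl is a public suffix.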

Here is what this message looks like:


Following the link in the message takes you to an equally convincing web page that instructs you to download and install this file: officexp-KB910721-FullFile-ENU.exe. This file actually contains a backdoor banking Trojan which allows a remote user to access and steal sensitive data and provides an intruder with remote access to the compromised system.

Here is an example of the page:

Beware of these fake updates and if you ever find yourself about to install an update that was sent to you through email, stop. Instead of navigating through the link in the email, navigate yourself to the proper website and look for updates. We are currently blocking all known variants of this virus.

Wednesday, June 24, 2009

Adobe Shockwave Vulnerabilities Patched

Adobe announced and released a security update yesterday for its Shockwave Player, versions 11.5.0.596 and earlier. An attacker who successfully exploits the vulnerability could potentially take control of the affected system.
Shockwave is a media player used to deliver Adobe content, much like Flash but with much more control. A user must open a maliciously crafted Shockwave file in order to trigger the exploit.
As this vulnerability is rated "critical", Adobe recommends patching immediately, as do I. Go here to get the goods.

Monday, June 22, 2009

The Twisting of Twitter

I'm sure everyone that uses Twitter with any sort of frequency has had mysterious people (or things?!) attempt to follow their account. Or seen random posts with links to spam, like the awesome one I got last night for the first proven phonewatch of the future! Wow, I've got to have one of those!
Well, in addition to the spam links, Twitter worms and malware are now in full force. The miscreants are now posting links in tweets that make use of the many URL shortening sites, such as bit.ly or tinyurl.com, in order to hide the true source of their links. These links, once clicked, begin an automatic download of malware, and in order to entice you into clicking them they're using the same tactics as they would in email-based campaigns: utilizing current news topics such as Air France Flight 447, the NBA Finals, etc. Stay away from these.
It was only a matter of time before Twitter was littered with this garbage as well, considering these crooks always follow popularity. Luckily for you AppRiver's own SecureSurf blocks these invites and domains for you.

Friday, June 19, 2009

This Just In - BBC News

Not incredibly interesting or new, yet still just as dangerous: this morning we're seeing a virus campaign flying through with the subject "BBC News"; the body contains a single hyperlink with random fake news headlines, mostly containing something about Paris Hilton. Is she still really that interesting? Was she ever? I digress. The link attempts to start a download of evil intent. The file is named bestvideo.avi.exe, and as you might have guessed it isn't a video news snippet, but a trojan that's up to no good. It looks like it started late last night, and was being proactively blocked by our filters, so AppRiver friends have no fear! Just remember not to fall victim to these scammers' ploys. If there's a big story in the news, you can rest assured that the spammers and malware authors are going to replicate it in your inbox and the rest of the interwebs. Stay informed, and not afraid.

Wednesday, June 17, 2009

Good Morning Malware



Just after 9am yesterday we began seeing messages purporting to be an “Outlook Setup Notification”. The messages contained a fake alert attempting to convince you to click on the link provided. The link is to an .exe that is not disguised very well and contains a malicious payload. Yesterday we blocked more than one million of these messages. All of them used the same domain (liventsov.ru) to deliver the malware. Below is an example of the message:


Fast forward to this morning: just after 8am today we began seeing a very similar campaign. These messages are clearly a new version of the same campaign. Today’s variant claims to have some crucial information about YOUR credit card account. The message states the need to inform you of suspicious activity on your account. Once again there is a URL at the bottom (that they would have you believe is a “Word-formatted copy of your transaction list”) that is actually a link to a malicious .exe. Just like the “Outlook Setup Notification” messages, these messages titled “Information of Your Transaction” are also using just one domain (scananida.com.pl) to deliver the malware. We have netted nearly 1 million messages so far today, putting it on par with yesterday’s campaign, which is still being sent out. Below is an example of the message:


Wednesday, June 10, 2009

Making Money in Underground Pharma Sales

While cruising around the somewhat shady Russian forums today looking for people that are still complaining about the 3FN (Pricewert) ISP shutdown last week, I began bouncing around from link to link between these users' posts. As usual, once you get in deep enough, "business" opportunities begin to surface such as PPC (pay per click) services, money mule opportunities, or the average forum-sponsored buying and selling of malicious tools and information. Today I found another "in" into the less than reputable dark economy style business, specifically the online pharmaceutical industry.
You see these sites all the time, often they've been placed on the back end of legitimate mom and pop sites that were exploited in order to serve up the familiar Canadian Pharmacy versions or the Indian Pharmacy, or the generic ones even.
Today I found a company that facilitates these webfronts. The ad says "We drive cash your way." and goes on to say "We are a pharmacy affiliate program developed for SEO professionals worldwide. We are a pay per sale type of program offering high commissions, high quality sites and convenient payment plans for our partners. If you are willing to join us, please ask your fellow webmasters for an invitation since we require a recommendation."
The site's "About Us" section informs prospective partners that they work directly with the manufacturers to offer the most popular medications, that includes rock-bottom prices on men's health medications.
So essentially, what you do is supply the webfronts and handle your particular orders, likely through referral numbers set up in the web pages themselves, and this company supplies the meds. Something like a pyramid-type business where you make more money by referring more people. Seems much easier than achieving Ruby Level selling Amway. According to the site, you will then earn up to 50% revshare (revenue share) on every sale and another guaranteed 10% of the total commission on any referral sales that are made. Commission payments are made through these not-at-all sketchy business methods: bank wire, Stormpay, Moneybookers, EGold, Epassport, Fethard, or PayPal.
Another site offers 20% commission on sales up to $4000, 22% from 4-10k, and 25% on 10k+. What they lack in commission, they make up in service.
The internet has opened up a whole new way of doing business, both legitimate and illegal. Unfortunately, the dark side continues to expand, even as the authorities are having better luck shutting some of them down.

Thursday, June 4, 2009

.Rtf Documents Being Used in Spam Campaign

Not as interesting as it is unusual, the .rtf file (rich text format) is currently being used as a spam vehicle in a rather large blast. The emails themselves carry a news-headline-style subject line and are blank except for an attachment of the .rtf variety. The names of the files vary, and they are all around 363 bytes in size. The documents themselves don't contain any exploits, just a single-sentence advertisement once they are opened up. The ad reads "http://XXXX.org - Order the cheapest medications now!" where the "x's" are numbers that seem to be different in almost all of the samples I've peered into.
This is a campaign I'd usually not think twice about, but it is rather large. Since blocking them about 10 minutes ago, we have already caught over 400,000 pieces, and the numbers are still climbing.
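Because these attachments are tiny and contain nothing but a sentence, they are easy to catch on content rather than on the ever-changing file names or domains. The following is an added example, not code from the post: a minimal RTF-to-text converter (drops the font table and other header groups, decodes control words and hex escapes, keeps the body text) and a rule that flags small RTFs whose text is a pharmacy ad with a numeric-only domain label like the post's http://XXXX.org. The two RTF samples are constructed for the example, not the real attachments.

```python
import re

# Header destinations whose contents are never document text.
SKIP_GROUPS = {"fonttbl", "colortbl", "stylesheet", "info", "pict"}
CONTROL_RE = re.compile(
    r"\\(?:'(?P<hex>[0-9a-fA-F]{2})|(?P<word>[a-z]+)(?P<param>-?\d+)? ?|(?P<sym>.))", re.S)
GROUP_START_RE = re.compile(r"\\(?P<star>\*\\)?(?P<word>[a-z]+)")


def rtf_to_text(data: bytes) -> str:
    """Minimal RTF to plain text: skips header/ignorable groups, strips
    control words, decodes \\'hh escapes, turns \\par into newlines."""
    s = data.decode("latin-1")
    out, i, depth, skip_depth = [], 0, 0, None
    while i < len(s):
        c = s[i]
        if c == "{":
            depth += 1
            m = GROUP_START_RE.match(s, i + 1)
            if skip_depth is None and m and (m["star"] or m["word"] in SKIP_GROUPS):
                skip_depth = depth          # ignore everything until this group closes
            i += 1
        elif c == "}":
            if skip_depth == depth:
                skip_depth = None
            depth -= 1
            i += 1
        elif c == "\\":
            m = CONTROL_RE.match(s, i)
            if not m:
                i += 1
                continue
            i = m.end()
            if skip_depth is not None:
                continue
            if m["hex"]:
                out.append(chr(int(m["hex"], 16)))
            elif m["word"] in ("par", "line"):
                out.append("\n")
            elif m["word"] == "tab":
                out.append("\t")
            elif m["sym"]:
                out.append(m["sym"])        # escaped literal: \{ \} \\
        else:
            if skip_depth is None and c not in "\r\n":
                out.append(c)
            i += 1
    return "".join(out).strip()


# A URL whose first host label is all digits, like the post's http://XXXX.org
AD_URL_RE = re.compile(r"https?://\d+\.[a-z]{2,}\b", re.I)


def check_rtf_attachment(data: bytes, max_size: int = 1024):
    """Return (flagged, text): flagged when the file is tiny and its only
    content is a medication ad pointing at a numeric-label domain."""
    text = rtf_to_text(data)
    flagged = (len(data) <= max_size
               and AD_URL_RE.search(text) is not None
               and "medication" in text.lower())
    return flagged, text


# Constructed samples, not the real attachments.
SPAM_RTF = (b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}}{\\*\\generator Example;}"
            b"\\f0\\fs24 http://4821.org - Order the cheapest medications now!\\par }")
CLEAN_RTF = (b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}}"
             b"\\f0\\fs24 Minutes from the quarterly meeting.\\par See http://intranet.example.com\\par }")

if __name__ == "__main__":
    print(check_rtf_attachment(SPAM_RTF))
    print(check_rtf_attachment(CLEAN_RTF))
```

The converter is deliberately small and handles only what this campaign needs; a production scanner would use a full RTF parser, but the point stands that a 363-byte document with one sentence and one URL is a far more stable signature than the rotating file names.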

Will ATMs be a New Target?

Over the past year and a half according to The Register, a family of data-stealing trojans has been discovered running through ATMs in Eastern Europe. These trojans have been evolving over time and have been fitted with a great deal of control. The main function of the malware replaces old techniques such as external card readers that were fitted over the existing card slot, and had the job of pre-reading, if you will, ATM and credit cards and storing the information as the card was being inserted. These ran on several batteries that were usually taped underneath the reader in between the actual ATM card reader and the fraudulent one. Now instead, the malicious software runs internally to collect card information and PIN numbers, as well as any other banking information that can be accessed by the user.
It has also been found that this malware has the ability to include master card and single-use card functionality. The master card can be inserted into the ATM to access the malware and gives the user many other abilities such as access to printouts of log information, printouts of the card information it had collected, or even the ability to make the machine dispense all of its cash. The single-use cards would apparently be used by less trusted individuals such as mules, who would have a single purpose such as removing money and returning it to the bosses for a cut.
The real question in this situation is how did the malware get onto these systems? ATMs are on strictly security-controlled closed networks, and there is no access at the kiosk itself. This leads me to believe that these cases likely began as an inside job in order to get the malware onto the ATMs in the first place. Otherwise the hackers would have had to jump a lot of network hurdles to get their payload all the way to that point. Or, the security on these banking systems was sub-par, to say the least.

Wednesday, June 3, 2009

A Two-Pronged Attack

As I was reading a blog posting by Sophos's Graham Cluley this morning I saw something familiar, and that was a campaign that I had spent some time blocking last night from home. At least, that's what I thought that I was originally looking at. As it turns out the campaign that Graham was talking about was a phishing campaign, and the one I was dealing with was a malware distribution. The reason for the confusion was due to the fact that both of these were bound for inboxes riding in the exact same emails, and all of these, as Graham states were reminiscent of last week's Commonwealth bank phishing attempts.
The emails themselves arrived posing as email "Setup Notifications". The phishing campaign emails were limited to the subject line "Microsoft Outlook Notification". The emails with the virus attachments, however, had multiple subject lines such as "Outlook Express Setup Notification", "TheBat Setup Notification", as well as "Microsoft Setup Notification".

The Phishing emails all pointed towards one base domain that was also associated with the Commonwealth Bank phishing attack. Once recipients followed this link they would arrive at a webpage made to look like a Microsoft site of sorts. A message on the screen would read "Please re-configure your Microsoft Outlook again. Enter the following information:" It then asks for you to input your mail server address, your email address, and your email password. Neither the email nor the web form explain exactly why you need to do this, but I have an idea.
The same emails with the malware attachments, specifically a file named update_6556.zip, had kind of a rocky start, as the initial run contained a slew of empty .zip files. It wasn't until the second attempt, with a file named micr_outlook_update_6556.zip, that the payload became malicious. This piece of malware is designed to open a backdoor on the victim's PC through which more malware can be delivered at a later time. Early assessment suggests that this particular malware also has the ability to hitch a ride on removable media. The file is detected by AppRiver as X.W32/Branvine.A, and we've seen just over a million pieces from this campaign since it began just over 12 hours ago.
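The empty-zip first run and the executable-bearing second run are both cheap to catch at the gateway before any signature exists. Here is an added example, not code from the post or from AppRiver's filters, of a zip attachment triage step: it opens the archive in memory, reports an empty or corrupt archive, and flags any member that is an executable either by extension or by content (a PE file starts with the bytes MZ, so a renamed executable is still caught). The archives are built in memory for the example, and the inner file names are made up; the post names only the outer zip files.

```python
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def triage_zip(data: bytes):
    """Return (verdict, member_names); verdict is one of
    corrupt, empty, executable, clean."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "corrupt", []
    with zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        names = [i.filename for i in members]
        if not members:
            return "empty", names
        for info in members:
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            with zf.open(info) as fh:
                magic = fh.read(2)          # only the header, never the whole payload
            # Extension check covers double extensions (report.pdf.exe takes the
            # last one); the MZ check catches executables renamed to look harmless.
            if ext in EXEC_EXTENSIONS or magic == b"MZ":
                return "executable", names
    return "clean", names


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the empty archive from the first run, a zip carrying
# an .exe, a harmless text file, and an executable disguised as a PDF.
SAMPLES = {
    "empty_first_run.zip": make_zip({}),
    "update_with_exe.zip": make_zip({"update.exe": b"MZ\x90\x00placeholder"}),
    "notes.zip": make_zip({"notes.txt": b"meeting moved to 3pm"}),
    "renamed_pe.zip": make_zip({"report.pdf": b"MZ\x90\x00placeholder"}),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, triage_zip(blob))
```

An empty archive is worth flagging in its own right: a legitimate sender has no reason to mail one, and in this campaign it was the first sign of the wave that followed.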

We've always known that the same malware authors may try several different vectors to achieve their ultimate goal of looting the bank accounts of their victims, but it certainly is a rarity to see them use the exact same vehicle to deliver very different approaches. These also come at a time when zero-day virus totals have ramped back up similar in volume to the days before McColo fell.