Archive for the 'Spam and Phishing' Category

Gas Spam

In my role as an anti-spam researcher I get to see a lot of spam. Most of the spam I see can be categorized into a fairly small range of spam types. Common examples include pharmacy, stock and watch spam.

Over the last few weeks I have seen a new type of spam. This is spam which is trying to sell a product to save money on gas. Below is an example of a gas spam:

Gas Spam Example

Currently McAfee detects gas spam. Volume is low for this type of spam, which typically makes up 0.2% of all spam.

Given the high price of oil it is not surprising that a spammer has started selling a product which claims to reduce gas bills.

Spam in my Calendar?

Have you had any odd meetings in your Outlook or Google calendars lately? I’ve been monitoring an interesting spamming technique over the past few weeks in which spammers send meeting requests to your calendar, which are accepted automatically (if you allow that).

The spam originates from Gmail accounts, but the Google and Outlook calendar functions are compatible, so the meeting request goes straight into your calendar and you probably won’t notice it until you get a reminder at the spammer’s chosen time.

All the samples I’ve seen so far are Nigerian scams, which is interesting in itself, as the Nigerian scammers have traditionally been less advanced in terms of coming up with new tricks.

This tactic adds a further nuisance factor for recipients of this spam, as it marks your time as “Busy”. Sure, you can turn off automatic acceptance of meeting requests via the Calendar options in Outlook and in Google Calendar, but that feature is provided for a reason, so why should the spammers stop us using it? This spam campaign has been low volume and targeted, as is the nature of the Nigerian scam email, but there’s been a lot of talk in the last few months about Gmail’s CAPTCHA being broken, so it wouldn’t surprise me if the botnet spammers pick it up pretty soon!

30th Anniversary of spam

Happy Anniversary!

May 3, 2008, marks the 30th anniversary of spam mail. Yes, it’s been three decades since Gary Thuerk, a Digital Equipment Corporation (DEC) employee at that time, broadcast the very first unsolicited advertising message announcing a new product, the DEC-20, to everyone on the Internet’s predecessor, the Advanced Research Projects Agency Network (ARPANET). Developed by the Defense Advanced Research Projects Agency (DARPA) of the United States Department of Defense, the ARPANET was the world’s first operational packet switching network and paved the way for the information superhighway we now call the world wide web. Take a look at the innocuous message and a write up of the events surrounding this unsolicited commercial email by clicking here: http://www.templetons.com/brad/spamreact.html.

The term “spam”, which refers to SPAM®, a canned meat product sold by the Hormel Foods Corporation, was coined to describe unwanted and unsolicited commercial email. A description of why this term was used is here: http://en.wikipedia.org/wiki/Spam_%28electronic%29#History. The term wasn’t used much in the early days, and it wasn’t until 1994 that spamming started in earnest. Deliberate commercial spamming as a form of advertising is believed to have been started by a law firm, Canter & Siegel. In 1994, the firm sent a message advertising their immigration services to more than 6,000 Usenet newsgroups. They developed mass-mailer software to automate the distribution of the email, a practice still used by spammers today.

Over the past 30 years, the face of spam has changed dramatically—from simple text, to obfuscated text, phishing emails, and spammed malware. And it’s even gone beyond that to image spam, spear phishing, attachment spam, and recently even MP3 based spam. At first, spam was sent from single user accounts. Later, spammers pushed their messages through open mail servers. Today, these unwanted emails are typically sent via huge networks of zombie machines, which are designed by malware writers to send large volumes of spam very efficiently. Spamming has also seeped into new venues and morphed into new forms. Spam has evolved from newsgroup and email spamming to Instant Messaging, mobile phone spam, and blog and search result manipulation spam.

Despite Bill Gates’ prediction in 2004 that spam would cease to exist by 2006 (http://news.bbc.co.uk/1/hi/business/3426367.stm), there appears to be no end in sight, even in spite of recent laws, such as the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM) introduced to help curb spam. Why does the law lack legs? It’s mainly because today’s spammers, who are motivated by the prospect of financial gains, largely operate outside of countries with strict anti-spam laws.

In some ways, Bill Gates’ prediction was correct in that spam filtering solutions have been developed over this period of time to detect and filter almost all the spam that is sent, but this is cleaning up the problem, rather than eliminating it entirely. I don’t think anyone would favour an “email tax” to reduce spam, and Challenge/Response systems only contribute to more unwanted mail and slower communications. I personally believe it would take a concerted effort on the part of Internet Service Providers (ISPs) and Internet backbone providers to filter spam at its sources and block rogue “bullet proof” ISPs. Technology currently exists to identify and isolate hijacked spam sending zombie PCs, but ISPs appear reluctant to commit to the infrastructure and customer support needed to implement these systems in a highly competitive and price-sensitive market. A better alternative may be a transition to a newer, more secure, mail protocol that would make it easier to eliminate spam email at the source.

In addition to ever more creative ways to block received spam, is an upgrade to the SMTP protocol the answer? Or do we need more government legislation? Or is it something else altogether? Will it take another 30 years to put spammers out of business? I sure hope not!

Beware of Forgeries

A recent report by the OECD (Organisation for Economic Co-operation and Development) indicated that counterfeit and pirated goods in 2005 could have had a value of up to 200 billion U.S. dollars.

One path to fake goods is via spam, which frequently offers counterfeit medicines and replica watches. A recent post from the French CERT-LEXSI blog caught my attention regarding fake luxury mobile phones selling for absolutely unbeatable prices.

These phones are normally manufactured by Vertu, a British subsidiary of Nokia, and are sold in luxury shops in Monte Carlo, Cannes, or Beverly Hills. On their official top-quality site (www.vertu.com), prices are not mentioned, but by visiting some authorised retailer Web sites I found exorbitant figures. Some mobiles, bedecked in gold and diamonds, exceed $90,000. Really too expensive for me!

Using Google, it’s really easy to find fake sites offering these counterfeit marvels. In fact it is easier to find the fake sites than the authorized ones!

And the prices–assuming you need one of these–are attractive: less than $1,000 for a copy of an original that sells for $97,300.

Regular spam campaigns promote such Vertu “replica” sites. Be vigilant, however, because appearances can be deceiving. Sites are numerous and their common feature is their high-quality, professional look–with black backgrounds that imitate the official site.

These sites are hosted at various providers in various countries (USA, Germany, and Hong Kong). Some of them seem clean; others are known for bulletproof hosting services and their relationship with the Russian Business Network, an alleged cybercrime organization. The registrars are also diverse (Estonia, Russia, and Korea) but more questionable. It is surprising that these do not require any name verification before accepting registrations. But once you know that a lot of spam and malware-related Web sites come from them, their permissiveness is easier to understand. Registrant addresses and e-mails give us an inkling regarding the nationality of their owners: China and Russia.

For the potential buyer, the key issue concerns the risk. The Swiss Watch Industry clearly points out that the buyer is the first victim, because purchasing counterfeits is:

  • Agreeing that piracy is OK; the counterfeiter seeks to appropriate somebody else’s hard work and investment.
  • Supporting and financing organized crime; links between counterfeiting activities and criminal networks have been established in many cases.
  • Accepting underground and child labor.
  • Endangering your own health and safety; the risk is real with medicines, aircraft and auto spare parts, medical supplies, and cosmetics.
  • Reducing employment and stifling growth; this form of criminality contributes to the reduction of employment, which is estimated to cost more than 200,000 jobs worldwide per year.
  • Being liable to criminal sanctions; the buyer may face criminal and financial sanctions. The mere possession of counterfeits is illegal in many countries. Furthermore, penalties could be claimed by legitimate intellectual property rights’ owners. Customs also can seize and destroy illegal items and assess fines.

And if these considerations don’t stop you, remember you run the risk of not receiving the goods you pay for; instead you might have your banking details stolen and reused in future malevolent activities. None of the sites I visited yesterday offered a secure Internet payment system; one of them housed a hidden Iframe linked to a known password-stealing Trojan.

The IRS Phishing Tax Year

The Internal Revenue Service (IRS) is some phishers’ favourite target, especially during the tax season each year. We first saw IRS phishing emails in our spam traps in 2005 and have seen them every year since, particularly when the U.S. tax year comes to a close.

Does the early bird catch the worms?

Who would consider a tax issue as early as September? The phishers must think someone would. We started to see IRS phishing e-mails as early as September last year. The volume increased over the following months, with a sharp increase in January 2008, and is showing no signs of abating today.

Targeting both individuals and businesses

Most IRS phishing e-mails target individuals, but there were several campaigns which targeted business/corporate accountants and treasury managers this year. The phishing e-mails claimed that there were some recent changes to business and corporate tax laws and asked the recipient to download the relevant files by clicking the embedded links.

Using an IP address instead of a normal domain name is commonly seen in phishing e-mails, because the phishers want to hide the phishing domain name from the recipients’ eyes. In the sample below the phisher also claims that the encoded IP is a document reference and that the phishing URI is a personalized link.

Common characteristics of an IRS phishing e-mail

The IRS phishing e-mails normally have a faked “From:” header to make recipients think the message is from the IRS. The message body usually begins with one of several variations of the IRS logo, followed by how much money you are supposedly due as a refund for the year. The recipients are then asked to fill in a tax refund form by clicking a link which is normally hidden behind text such as “Please click here”. The link leads to an online form which requests personal information such as Social Security Number, name, address, date of birth, mother’s maiden name, bank account number, credit card number, expiration date, card verification number, ATM PIN and name of the issuing bank.

Recently some phishers have enclosed an HTML attachment with the e-mail rather than including a link to a phishing web site, and have asked the recipient to open the attachment and submit the details via the attached form.
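As an added example (not code from the original post), here is a small checker for the traits the last few paragraphs describe: a “From:” header that disagrees with the Return-Path, links whose host is an IP literal (it also decodes the dword, hex and octal spellings that browsers accept, which the post does not mention), click-here links that point off-brand, and an HTML form delivered as an attachment. The sample message, the irs.gov brand constant and the one-point-per-finding score are constructed assumptions.

```python
"""Score an e-mail for the IRS-phishing traits discussed in the post.

Added example, not the post's own tooling. The SAMPLE message below is
constructed; CLAIMED_DOMAIN and the scoring are this example's assumptions.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

CLAIMED_DOMAIN = "irs.gov"  # assumption: the brand the message pretends to be


def _parse_part(p: str) -> int:
    """One numeric component of a host, in the notations browsers accept."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
        return int(p, 16)
    if re.fullmatch(r"0[0-7]+", p):
        return int(p, 8)
    if re.fullmatch(r"[0-9]+", p):
        return int(p, 10)
    raise ValueError(p)


def decode_ip_host(host: str):
    """Return the dotted-quad form of an IPv4 host written as dotted, dword
    (3232235777), hex (0xC0A80101) or octal (0300.0250.01.01) notation,
    following inet_aton's rules. Returns None for a normal host name."""
    parts = host.strip("[]").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # All but the last component are single bytes; the last one fills the rest.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << (8 * (5 - len(nums)))) | nums[-1]
    return str(ipaddress.IPv4Address(value))


class _LinkCollector(HTMLParser):
    """Collect (visible text, target) pairs from <a href> and <form action>."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href", ""), []
        elif tag == "form":
            self.links.append(("<form action>", attrs.get("action", "")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze(raw: str) -> dict:
    """Return the list of phishing indicators found and a simple score."""
    msg = message_from_string(raw)
    findings, links, html_attachment = [], [], False
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_domain.endswith(CLAIMED_DOMAIN) and rp_domain and not rp_domain.endswith(CLAIMED_DOMAIN):
        findings.append(f"From: claims {from_domain} but Return-Path is {rp_domain}")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() == "attachment":
            html_attachment = True
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(body)
        links.extend(collector.links)
    for text, target in links:
        host = urlsplit(target).hostname or ""
        ip = decode_ip_host(host)
        if ip:
            findings.append(f"link to IP literal host {host!r} (= {ip})")
        elif not host.endswith(CLAIMED_DOMAIN):
            findings.append(f"link text {text!r} points off-brand to {host!r}")
    if html_attachment:
        findings.append("HTML form delivered as attachment")
    return {"findings": findings, "score": len(findings)}


# Constructed sample in the style described in the post: dword-encoded IP sold
# as a "document reference", click-here link, and an attached HTML form.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Internal Revenue Service" <refunds@irs.gov>
To: victim@example.com
Subject: Tax Refund Notification - Ref #3232235777
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>After the last annual calculation you are eligible for a
refund of $184.80. Your personalized document reference is 3232235777.</p>
<p><a href="http://3232235777/refund/form.php">Please click here</a> to
submit your tax refund request.</p></body></html>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="refund_form.html"

<html><body><form action="http://0xC0A80101/post.php" method="post">
SSN: <input name="ssn"> Card: <input name="cc"></form></body></html>
--b1--
"""

if __name__ == "__main__":
    for line in analyze(SAMPLE)["findings"]:
        print("-", line)
```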

We also spotted an IRS Vishing (short for “voice phishing”) campaign this year.

All in all it has been a busy tax season for the IRS phishers. The IRS gives some helpful tips on how to avoid being caught out by these types of phishing emails on its web site.

S.P.A.M. Experiment Update

Meeting the German participants of the McAfee SPAM Experiment for dinner yesterday turned out to be very interesting and provided some unexpected results. After 14 days living on a Spam-mail diet they are still in good shape. Some are so into it that they even installed SiteAdvisor to find out, in advance, if a site is likely to send you spam when you leave your email address there…

Getting in trouble with the girlfriend for browsing dating web sites while leaving his mail address for possible use by spammers was one of the less expected (and desired) results.

And then this: Collecting spam through surfing porn sites really does not work! All who tried told me they didn’t receive much spam when leaving their email on such sites. That really was a surprise for me. I would have expected a lot of spam, as there seems to be a fairly obvious link between porn and certain drugs and enhancement pills…

Constantly living in a world full of (empty) promises seems to have some effect as well: “It’s nice sitting here with you, but soon I’ll be hanging out with Tom Cruise and Jessica Alba and I will even get money for it” - it’s amazing what some shady people promise you, just to get your email address and other personal data.

There was some amazement when two participants figured out they had received nearly identical advance-fee scams: One in English, the other one in the Polish language.

Well, I’m sure all participants will have a lot of interesting experiences and stories to share at the end of the experiment and I sincerely hope they manage to stop clicking on all those ‘you are the 100,000,000,000 visitor of this webpage’-banners ;)

Oh, and a last note: if there is one movie you should watch this year, make sure it’s Futurama: Bender’s Big Score, in which spam and phishing are key elements of the story!!

‘Unsafe Hex’ About to Get More Costly?

A recent article in The Register seems to imply that if you’ve got out-of-date security software, any fraudulent charges to your accounts could suddenly be your liability. The advice given by the British Bankers’ Association includes much more than just the state of one’s security software; this could just as easily include misaddressing a check or falling victim to a phishing attack, among other things. On the other hand, it’s highly unlikely it would ever be worth the bank’s effort to invoke this clause.

From the Banking Code of the British Bankers’ Association

    12.11 If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow Section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)

These two sections offer quite a few bullet points about how not to be a victim of identity theft or financial fraud.

    12.5
    • Do not keep your checkbook and cards together.
    • Do not let anyone else use your card, and do not tell anyone else your PIN, password, or other security information.
    • Your bank or building society will never ask you for your PIN. If you are in any doubt about whether a caller is genuine or if you are suspicious, take the caller’s details and call us.
    • If you change your PIN, you should choose your new PIN carefully.
    • Try to remember your PIN, password, and other security information, and securely destroy the notice as soon as you receive it.
    • Never write down or record your PIN, password, or other security information.
    • Always take reasonable steps to keep your card safe and your PIN, password, and other security information secret at all times.
    • If your card issuer takes part in a secure online payment system (such as Verified by Visa or MasterCard SecureCode), consider signing up either at their Web site or whenever you are given the option while shopping online. This involves your registering a password with your card company; you will be asked for the password whenever you shop at an online retailer taking part in the scheme. You should keep this password secret.
    • Never give your account details or other security information to anyone unless you know who they are and why they need them.
    • Keep your card receipts and other information about your account containing personal details (for example, statements) safe and get rid of them carefully.
    • Take care when storing or getting rid of information about your accounts. People who commit fraud use many methods, such as “bin raiding” (a.k.a., dumpster diving) to get this type of information. You should take simple steps such as shredding printed material.
    • Be aware that your mail is valuable information in the wrong hands. If you don’t receive a bank statement, card statement, or any other expected financial information, contact us.
    • You will find the APACS Web site a helpful guide on what to do if you suspect card fraud.
    12.9
    • Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
    • Keep your passwords and PINs secret.
    • We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
    • Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
    • Always access Internet banking sites by typing the bank or building society’s address into your Web browser. Never go to an Internet banking site from a link in an e-mail and then enter personal details.
    • Follow our advice: Our Web sites are usually a good place to get help and guidance on how to stay safe online.
    • Visit www.banksafeonline.org.uk for useful information.

But wait, there’s a caveat: They won’t invoke this willy-nilly:

    12.12 Unless we can show that you have acted fraudulently or without reasonable care, your liability for your card being misused will be limited as follows.

This code would be far too difficult and costly to implement in most cases. It would have to be a particularly large sum of money involved in the fraud, enough that it might be deemed worth the cost of an investigation, alienating a customer, and courting a heap of bad PR.

Although this is all good advice from the BBA, it looks like the assertion that people will suddenly be financially liable for having out-of-date security software is just a case of spreading FUD.

I am not against virtual postcards, but…

As we see every year, the Christmas season is a great opportunity for a new virus to spread by email, using “Christmas” as a reason to read the message. We just had a post here on the Avert Labs blog about one a few days ago. If it were just the spammers, we could understand, since they live to do that, but today I got an email from my bank stating that I could start to send Christmas and New Year’s virtual cards through their website! I immediately thought that it was a phishing scam, so I decided to check the link. It was indeed a new URL created by the bank, something like www.christmascards[insert Bank Name here].com.br, where you could select up to 4 different Christmas / New Year’s cards and send them to your friends… This just happened hours ago… I bet that I will start to receive some Xmas virtual cards, and I also bet that those will not be from my friends :) .

So that you don’t get me wrong: I like virtual postcards, but this strange marketing campaign will make things real easy for the bad guys, since the real bank sent a mass mail to all customers telling them that they can send those cards from its website. Now, what do you think will happen when the bank’s customers start to receive fake virtual postcards on behalf of the bank, with attached malware??

SPAM : Death by a thousand cuts!!

In the “good old days” spammers aggressively scanned the Internet for open relay servers to send spam. Open relays are out of fashion these days. So much so that the Open Relay DataBase is shutting down due to changes in spammer tactics.

Today’s spammers, in collusion with malware authors, infect thousands of machines on the Internet, turning them into spam relay zombies. These zombie machines connect to a web server controlled by the spammer, which provides a constantly updated live feed of email addresses and content to spam. The content could be anything from pump-and-dump stock spam to online pharmaceutical drugs or the usual penis enlargement pitches. Each individual zombie machine is capable of sending hundreds of spam emails per minute, depending on the bandwidth available. Examples: Spam-Maxy, Spam-Loot

And with more machines having access to broadband and ADSL connections, it provides a fertile breeding ground for this unholy alliance of malware authors and spammers to take advantage of.

At McAfee Avert Labs Bangalore, we sampled emails that were captured by our honeypot this quarter. The following chart shows the content of the email messages captured during in-house live testing of malware:

Captured Email Content

Only 11% constituted executable attachments. 2% were mails containing infection notifications or captured cached passwords that were meant for the trojan author. The rest, some 87%, was spam. A high percentage of this spammed content was image spam and ASCII art; techniques that spammers have effectively used to subvert traditional detection by anti-spam vendors.

Although we have seen malware-controlled spam networks in the past, most notably the W32/Bagle and W32/Sober families, the complexity and sophistication seen in the W32/Stration and Spam-DComServ trojans of today demonstrate the alarming advancements made by these digital miscreants. McAfee Avert Labs continues to keep a close watch on these recent developments in the spam world.

Christmas “fun” with malware

As of late, a weekend is just not complete without a new W32/Stration variant spamming, and this weekend was no exception. Of course, this variant added a Christmas twist to the message body. To add to the Christmas “fun”, we also saw two other nasties taking advantage of people hoping for a little holiday cheer in their inbox.

Here’s hoping you all missed this excitement because you were having a wonderful holiday with friends and family instead. Or perhaps basking in the glow of a TV, enjoying a new video game console. (Speaking of which, the Wii just got an internet browser which is capable of playing Flash games. Hmmm… Very cool that they went with Opera, though!)

IMs, VoIP and Spam

Technologies advance with time, and so it is with instant messengers. Not long ago, people were happy sending text messages. Then VoIP came along and changed the scene, and soon after IM vendors embraced it; many IM clients are now VoIP enabled. As soon as VoIP started going deeper into the mainstream, security researchers warned of related issues. One issue was abuse for spam, usually referred to as SPIT (Spam over Internet Telephony). Wikipedia states SPIT is an “as-yet-nonexistent problem”. As VoIP gets more popular the scenario is changing fast, and this “as-yet-nonexistent problem” is slowly but surely emerging. The following image shows a real-world VoIP spam over Skype.

Real-Case Skype SPIT

The image shows a typical SPIT attempt. The spammer starts a conference call with some random users and starts playing the spam message. This process is most likely not manual but automated with bots.

Use and abuse are two sides of the same coin and this technology is no exception. All major IM providers are giving away SDKs to develop add-ons. However these SDKs also lower the bar for spammers to develop bots. We have witnessed the same with the ongoing development around Skype malware.

The image below shows the assembly code for the loop which is used by Skype malware to search for users. You will notice the “SEARCH USERS” Skype APIs:

Assembly loop showing the Skype SEARCH USERS API in use by Skype malware

The malware actually uses more of these. The image below highlights those:

More Skype APIs in use by Skype Malware

These APIs are part of the Skype SDK and are documented by Skype. It is just a matter of time before we start seeing bots in the wild built on top of the IM SDKs provided by the vendors. We advise users to be aware of this developing attack vector. McAfee Avert Labs is prepared for this battle!!

Social Engineering and the “Little Guy”

Here’s a concept that might inflate everyone’s ego a little, as well as (hopefully) making them a little more wary: It’s not just CxOs whose names and info are valuable. It’s yours and mine, too.

In Italy, trojan spammers are sending emails which appear to be from lawyers, threatening legal action if the recipient doesn’t clean up their allegedly-infected machine. Of course, this email includes a “helpful link” to a removal tool which is, in reality, a trojan. The most notable thing here is that the email includes actual lawyers’ names and contact information, which is causing significant problems for the lawyers whose names have been used.

We’ve also received reports from Italy indicating people are getting similar emails, but from people who appear to be angry business partners, rather than from lawyers.
Miscreants have also taken to heart the figures regarding the lack of security awareness in smaller businesses. Small companies may feel that they’re too insignificant to be targeted, but their machines may actually be just as valuable as someone’s in a Fortune 500 company. Small businesses’ bandwidth is often better than a home user’s, their employees’ names and contact info can be used in schemes like this, and they may be more vulnerable to denial-of-service attacks or extortion attempts, while being less likely to have trained or dedicated security staff.

Really, everyone’s data has a useful place in the internet criminal’s arsenal. Doesn’t that just warm the cockles of your heart? ;)

So what do we take away from all this? Regardless of how urgent an email appears to be, it pays to double-check links and attachments with the apparent sender if you’re not expecting it. And to keep yourself from being an “apparent sender”, consider very carefully what information you make available on the internet. Do you need to post your employees’ name and phone numbers publicly or would something more general be feasible?

Fake charity sites: It’s that time of year again.

I’ve seen a number of fake charity sites crop up over the last week or so, and the cynic in me knows it’s that time of year again. Christmas is a time of joy and happiness, good will to all men, peace on earth, and thank whoever you believe in you’re not a turkey! It’s not restricted to the Christmas period, but at this time of year we are more likely to think of those less fortunate, and those are exactly the feelings the fraudsters are trying to exploit with fraudulent sites purporting to help needy children who are abandoned, distressed, endangered, exploited, homeless, hungry, sick or suffering.

The websites I’ve seen so far are very professional, with a fairly high amount of graphical content (Flash and HTML versions, no less) and a good amount of verbiage designed to make the reader feel upset, guilty, sentimental, or otherwise relieved of a tear or two. Much of the layout and content on one of these fraudulent sites was copied directly from a legitimate charity’s website, with simply a name and a logo changed. These websites are as bad as some of the leaflets that drop through your door, but they cost less, at least in the short term.

Q: Can you tell the difference?

sample image

I’ll save the answer until later. So how many real charities use compromised machines to host their websites or botnets to send their email? Not one! Here is a sample of the spammed image from one of the recent campaigns. (Doesn’t it look a bit like the recent stock spams?) I expect the quality of the email content to improve in the future however.

sample image

Please be very wary of any donation opportunities appearing via email, just as you would if a stranger was knocking at your door, cap in hand. This FTC site has some good advice on responsible donating.

A: The red one was the fraud site.

“I Go Chop Your Dollar”

Many of you have heard about the Nigerian Email Scam (aka 419 Fraud) that proliferates through email traffic and usually sits waiting in your Inbox or Junk Mail folder for the next victim. Many do not know, however, that the scam has been running successfully for over a decade now, since the 1990s, and has its origins as far back as the 16th century.

The Nigerian Email scam is a derivative of the Spanish Prisoner con, where a victim is told about an extremely wealthy Spanish prisoner who needs someone’s help in getting free. This so-called prisoner is relying on the con artist to raise enough money to free him. The con artist approaches his victim with the story and allows him to help with a portion of the fundraising with the promise of high reward and financial gain. There was even a Hollywood movie called The Spanish Prisoner, made in 1997, based on this plot.

The first instances of the Nigerian Scam were seen in the early 1990s. Back then, it was delivered via postal service or fax. Over ten years later, its main method of delivery is email, and to this day there are still people falling victim to the scam. Losses are estimated in the billions of dollars. Brian Ross of ABC News has recently completed an interesting investigative report following the trail of these Nigerian con artists.

To add insult to injury, there is an immensely popular song and music video in Nigeria whose lyrics flaunt the success of the scam (“you be the mugu[2], I be the master”) and ridicule Caucasians’ greed (“Oyinbo[3] people greedy, I say them greedy”).

“I Go Chop Your Dollar” (video)
Osuofia - I Go Chop Your Dollar - A clip from the video.

I Go Chop Your Dollar (lyrics)
I don’t suffer no be small
Upon say I get sense
Poverty no good at all, no
Now I’m make I join this business
419[1] no be thief, it’s just a game
Everybody they play ‘em
If anybody fall mugu[2], ha! My brother I go chop ‘em

Chorus

National Airport now me get ‘em
National Stadium now me build ‘em
President now my sister brother
You be the mugu[2], I be the master
Oyinbo[3] I go chop your dollar, I go take your money disappear
419[1] is just a game, you are the loser I am the winner
The refinery now me get ‘em,
The contract, now you I go give ‘em
But you go pay me small money make I bring ‘em
You be the mugu[2], I be the master… now me be the master ooo!!!!

When Oyinbo[3] play wayo, them go say now new style
When country man do ‘em own, them go the shout bring ‘em, kill ‘em, die!
Oyinbo[3] people greedy, I say them greedy
I don’t see them tire that’s why when them fall enter my trap o!
All day show them fire

[1] Nigerian criminal code that the scam violates
[2] Nigerian Pidgin for “fool”
[3] Nigerian Pidgin for “Caucasians”

On defensive technologies turning offensive and vice-versa..

In the world of security, there are typically two kinds of arms races – symmetric and asymmetric. Asymmetric warfare is where it is orders of magnitude easier to defend than it is to attack (or vice-versa). In other words, given a conscious decision to be secure, it is inherently a lot easier to carefully engineer a fail-safe system than it is for a malicious attacker to figure out a way to break it. Good examples of asymmetric warfare are cryptography (most modern cryptographic algorithms are practically impossible to break), memory-corruption based exploitation (stack canaries, address-space layout randomization, non-executable memory pages / “PaX”, “no-execute” hardware support etc. are all relatively easy to implement and use), deception & uncertainty (e.g. ICMP traceback, honeynets), etc. On the other hand, symmetric warfare is where the attackers and defenders are on a level playing field in terms of available technologies. The best examples of this have been DRM (Digital Rights Management) and virus technologies (detection and evasion).

Every now and then, good defensive technologies from asymmetric warfare in one security domain are applied for offensive purposes in another security domain (or vice-versa depending upon which came first). The following are two recent examples.

Firstly, in the world of online form submission, “captchas” have become a de-facto standard to check whether an actual human is involved in the process. A captcha is essentially a visual challenge-response test. Typically, a distorted image is generated randomly for each form, and the user is supposed to visually recognize the content displayed and type it in. The assumption is that automated bots can’t identify the content quickly enough, only humans can. A pretty fail-safe technique actually, and it works to this day for most purposes. However, the same concept is now being used by spammers:

Spam captcha

The entire unsolicited message is one captcha image. For traditional anti-spam agents that have to quickly scan through emails, this is indistinguishable from legitimate-looking emails from unknown senders and with image-attachments.

So the asymmetric defense from the world of online-form submissions has now introduced an asymmetry in the world of anti-spam. The day wire-speed OCR (optical character recognition) becomes available, possibly invented for spam defense, the asymmetry in online-form submissions will also be lost.

Second, let’s look at TLB (Translation Look-aside Buffer) desynchronization. The PaX technology from Grsecurity introduced the idea of non-executable memory pages via split TLB. A brilliant defensive technology that games the paging-logic of IA32 based CPUs using desynchronization of the TLB to allow a kernel mode driver to know whether a memory access is a data-access or an execute access. So it became possible to detect exploits that tried to execute code copied into pages marked non-executable.

Following this, the split-TLB defense was applied for offensive purposes in Shadow Walker (hiding rootkits from AV/AS scanners) and for defensive purposes in Ollybone (reversing packed/encrypted malware). Packed malware typically starts off by unpacking the original code into a separate section (marked non-executable by the malware analyst). Then, when the malware attempts to execute the OEP (Original Entry Point) instruction, the Ollybone driver can intercept it and present an “unpacked” memory layout to the reverse engineer. Shadow Walker uses an “inverse-PaX” technique. When a scanner attempts to read from a rootkit-occupied page, a cloaking driver detects it as a non-execute access and presents a cloaked clean version of the page instead. The driver allows execution of the rootkit pages as usual. This makes traditional user-space scanning for kernel-mode rootkits completely ineffective.

The following is the latest addition to the utility of this split-TLB trick.

View Demo Here

Unlike Shadow Walker, which is designed to hide a rootkit’s kernel-space modifications, we apply the split-TLB trick to hide user-space code (or data) patches instead. This has a tremendous impact in the world of malware analysis and DRM. The proof of concept demo here shows a user-space executable that is designed to be tamper-resistant. It does this using a “checksum” thread that periodically monitors and posts the checksum of certain memory pages used by a critical “worker” thread. The worker thread periodically prints a status message. Once the anti-checksum driver is loaded, it first sets up a cloaked clean version of the worker-thread page. Using split-TLB, the checksum thread is shown the clean version only. Then the driver patches the worker-thread code and completely disables its status messages. As seen in the demo, the checksum thread generates checksum-match messages even as the worker thread has been visibly tampered with. Once the driver is unloaded, the cloaking is removed, and only then does the checksum thread detect that the process has been tampered with. This illustrates that user-space tamper resistance via self-checksums cannot be relied upon anymore on any platform that supports a split TLB, or any style of memory cloaking that distinguishes executes from reads.

So the originally defensive PaX technology turned offensive in Shadow Walker, then defensive in Ollybone, and again either defensive/offensive depending upon whether it’s used for hiding code-patches in malware during analysis or in DRM-enabled products to break their tamper resistance.

McAfee Avert Labs 2007 Threat Predictions PodCast

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

Stock spammers, methodical yet mysterious

It’s no big revelation to say that spammers and virus writers have been getting increasingly sophisticated about the mechanisms they use to get their ads in front of a set of real, human eyes. It seems, recently, that virus writers are concentrating on improving their background infrastructure to get better metrics and overall success rate.

For instance, it seems the miscreants are getting into the world of data mining. There’ve been a couple of examples recently of ways they’ve used different techniques for keeping track of how their botnets are doing. Keep your bots in handy groups for different purposes, and then track them with a nice graphical interface!

Personally, I still have a hard time thinking of these groups as “professional”, in the suit-and-tie sense of the word. But this is so organized it makes me wonder if the people behind these things don’t effectively have Accounting and Marketing departments.
But then, occasionally the spammers take a turn that kinda makes you wonder. Yes, the field of “Pump and Dump” stock spam is getting a bit crowded - maybe something new and different is what’s in order?

Starting last night, there was a new raft of spams using a “technique” which is decidedly odd. Just a single word, spelled out in ASCII art. Are they counting on users to google this strange word just to solve the mystery? Or is the “payload” yet to come?

McAfee and SMiShing on Fox

Recently one of our researchers, David Rayhawk, gave an interview to Fox news on mobile malware and smishing.

Interview

Fox News 35 has the video on their site. There is also a mirror on Google video. The interview covered topics such as data destroying malware and the advent of smishing and for-profit malware. We have covered these topics in earlier posts.

While the current threats are not very widespread, the samples we’re seeing indicate that the capability for greater trouble is approaching.

Hackers use Wikipedia as bait

Hackers are trying to use the good reputation of Wikipedia to lure unsuspecting users into executing malware. The very openness of Wiki that allows users to freely add or edit available content has made it an attractive target for virus authors to plant malicious code in articles. A POC worm targeting Wiki was discovered earlier in August of this year.

In a recent incident, an email was mass spammed to German computer users requesting them to download a security fix for a new variant of the infamous Blaster worm. The email was crafted to supposedly appear from Wikipedia, complete with an official Wikipedia logo. The email directed users to a fixed Wikipedia article which included a link to malware hosted on an external site.

Editors at Wikipedia were quick to fix the misleading content in the article. However since Wiki stores all previous revisions to an article, the attacker was able to direct users to the archived pages via the spammed email. Wikipedia administrators had to finally erase all old versions of the article to resolve the issue.

As malware authors continue to improve social engineering techniques, public community sites like MySpace, Orkut, Wikipedia et al will have to adapt and modify their policies with regards to posting and editing content. One can take a cue from webmail providers like Hotmail and Yahoo that have implemented mandatory virus scanning of attachments, to have all content scanned by an antivirus before being posted. This will help prevent mischief makers from creating toxic pages.

Update: A detailed analysis of this threat can be viewed at the McAfee Avert Labs Threat Library. Trojan Nordex: http://vil.nai.com/vil/content/v_140856.htm.

Can you trust McAfee?

McAfee Avert have received several samples of a spammed Word DOC file called “McAfee Inc. Reports.doc” (size 205,824 bytes). This trojan file carries a macro that, if allowed to run, will drop on the harddisk and execute a file called “LS060E5.eXE” (size 27,648 bytes).

Detection of both files was added to 4887 DATs (02 Nov 2006) under W97M/Kukudro.t and the PWS-LDPinch names, respectively.

What makes this incident worth mentioning is that the spammers appear to have used a mcafee@{domain}.com template for their spoofed emails (we have seen many domain names used - e.g. “europe”, “playful”). This was picked up by the media http://www.net-security.org/virus_news.php?id=710 which, unfortunately, was ambiguous enough to generate certain levels of confusion.

Some readers who did not follow the link to the description on the Kaspersky site clearly missed the statement “Kaspersky Lab believes that McAfee is in no way involved in the distribution of this Trojan”. As a result we started receiving questions like “Did you really..?”

For those interested to find the answer to this question please follow the link to one of our earlier posts on this subject - http://www.avertlabs.com/research/blog/?p=28 “Can I trust myself?”.

Watch a live spam bot in action.

Ever wondered how a trojan infected computer gets its orders to spam? Take a peek with me into one trojan’s junkmail activities. The following account is happening as I type, and shows that some image spam is not unique even though it appears to be random.

The smtp sending trojan first phones home for its task list, via http on the smtp port (25). Port 25 on the host machine is running Apache/1.3.37 — this is a very unusual place to find apache running.

The task list looks like this:

$GET "http://example.com:25/outtask/urlTask8_c_2.txt?id=MAGID-ID-STRING&flag=1"
10
12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|
http://get.example.com:8092/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|
http://get.example.com:8091/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|
http://get.example.com:8092/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

(line breaks and spaces added for readability)

The response it got is in the following format:
“tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|”

So in the example above, the bot got 3 tasks. We’ll take a look at the first one in more detail….
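An analyst's parser for the task-list format described above, added here as an example and not the tooling from the original post. The field layout is taken from the post's format line; the leading “10” line is kept as an opaque header because the post does not explain it, and treating the number at the end of each letter filename as a Unix timestamp is an assumption.

```python
"""Parse the spam bot task list format:
tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|
Added example; the sample below is constructed from the three tasks quoted
in the post, each put back on a single line (the post wrapped them)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

SAMPLE_TASK_LIST = """10
12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|http://get.example.com:8092/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||http://mail.example.com:8888/cgi-bin/put|
20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|http://get.example.com:8091/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||http://mail.example.com:8888/cgi-bin/put|
22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|http://get.example.com:8092/cgi-bin/cgi2.cgi|http://serv2.example.com/report2.cgi|1||http://mail.example.com:8888/cgi-bin/put|
"""


@dataclass
class SpamTask:
    task_id: int
    letter_url: str     # the spam text ("letter") the bot will send
    addrlist_url: str   # where the bot fetches its recipient addresses
    report_url: str     # first report-back address
    report2_url: str    # second report-back address
    flag: str           # the constant "1" field; its purpose is not given in the post


def parse_task_line(line):
    """One task record. Seven '|'-delimited fields plus the empty string
    that follows the trailing '|'; field 6 is always empty in the format."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 8 or fields[5] != "" or fields[7] != "":
        raise ValueError(f"unexpected field layout: {line!r}")
    return SpamTask(int(fields[0]), fields[1], fields[2], fields[3],
                    fields[6], fields[4])


def parse_task_list(text):
    """Returns (header line, list of SpamTask)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return lines[0], [parse_task_line(ln) for ln in lines[1:]]


def infrastructure(tasks):
    """host:port endpoints referenced by the tasks, the set a defender would
    block or watch for (the task-list server itself talks HTTP on port 25)."""
    hosts = set()
    for t in tasks:
        for url in (t.letter_url, t.addrlist_url, t.report_url, t.report2_url):
            u = urlparse(url)
            hosts.add(f"{u.hostname}:{u.port or 80}")
    return hosts


def letter_timestamp(task):
    """The trailing number in the letter filename looks like a Unix epoch;
    treating it as one is an assumption, the post does not say what it is."""
    stem = task.letter_url.rsplit("_", 1)[1].split(".", 1)[0]
    return datetime.fromtimestamp(int(stem), tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S")
```

Running `parse_task_list(SAMPLE_TASK_LIST)` yields the three tasks and `infrastructure()` reduces them to four endpoints across three hosts.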

Image Spam still increasing

During the last week image spam accounted for up to 40% of the total spam received, compared to about 1% a year ago. Image spam has been significantly increasing for the last few months and various kinds of spam, typically pump and dump stocks, pharmacy and degree spam, are now sent as images rather than text. Image spam is typically three times the size of text based spam, so this represents a significant increase in the bandwidth used by spam messages.

During this period our image spam detection remained well over 99% and image spam discard rates were almost as high, averaging about 95% of image spam discarded. Spammers moved to image based spam in an attempt to evade detection, but it’s not working!

“Spammers, they may as well hold up a sign!”

For a good few weeks we’ve been watching the pharmaceutical and wrist-watch spammers using name server host names in the style “ns1.ns1.some-domain.tld.” (normally they are ns1.domain.tld, a simple hostname without the extra subdomain). This is a pretty unusual thing to do and we can only presume the spammers have their own devious or misguided reasons for doing so. The domains registered against these name servers also exhibit another interesting feature: they are registered with the name servers in an invalid (or at least very unusual) way, and furthermore these domains fail a whole bunch of other simple test cases that clean sites pass. With streaming updates we are able to protect against these campaigns, often ahead of the spam campaigns starting.

“Unsolicited email with a slice of pineapple, mmm!”

Saw an interesting bit of news today, on a tactic I wish could be used to confuse the criminal elements out there into stopping their garbage-spewing.

“Wait. Am I sending unsolicited, usually commercial, e-mail to a large number of addressees, or am I engaging in services to avoid or suppress unsolicited e-mails?”

Plus, bonus amusement points for overuse of the phrase “spicy ham”.

Grassing up spammers still works

Whilst investigating how spammers are abusing free web site hosting providers, McAfee Avert Labs has discovered that very few spammers have the technology or resources to abuse the free web hosting providers in an automated or bulk manner. This leads to a vertical marketplace where a spammer (with the necessary skills) can sell this alternate form of web site hosting to other spammers. These “link providers” create and maintain thousands of free hosting accounts on behalf of the spammers, which are then used to redirect to spam web sites. The providers can update the redirects, so that when the final spam web pages are taken down by ISPs, web hosts, or domain resellers, the redirects can be updated to link to another live spam web site.

For this service, plus 50 accounts per day, one particular “link provider” charges $25 a week or $0.04 per link ($25 is roughly the cost of 3-4 real domain names). Some spammers like the free hosting providers - they know that the bigger hosts are unlikely to get blacklisted because they have many legitimate users.

Grassing them up: After some discussions we started sending data to one of the larger free hosting providers about accounts seen in our vast network of spam traps. Within about an hour, they had regularly confirmed our data and taken down the accounts. This relationship has cut the abuse observed by us on that provider by over 90% in just over a week. Let’s hope those spammers are buying their new watches from pound$hop, rather than Bolex, this summer!

Microsoft Word Document Spam

McAfee Avert Labs has recently seen spammers start to use Microsoft Word documents and HTML attachments to deliver their advertising payload. By moving the advertising content, most importantly the URL link, into an attached document rather than the body of the email message, spammers are able to evade some of the Anti-Spam vendors’ content filtering techniques. This is because most vendors don’t scan content inside attachments because this has previously not been necessary.

Microsoft Word is a convenient format because it supports clickable links and most recipients will have Word installed or would be able to open the document with another compatible word processor. This is the format chosen recently by a spammer, Leo Kuvayev / BadCow, who is plugging pharmaceuticals using web sites hosted in China. This spammer sends out what appears to be an invoice/bill:

Document Spam

When recipients click on the attachment, they get the spam payload, which advertises the spammer’s pharmaceutical site:

Document Spam

We saw the first samples of this in our traps around the 22nd August, and we are still seeing them today. As expected, the spammer is varying the attachment file name, email body text and subject in nearly every batch of the messages sent, for example:

Subject: Billing Update, Bill #90023
Forward original invoice with attached invoice transmittal sheet to the contracting officer.
DATED MATERIAL,INVOICE ATTACHED

Subject: Your receipt for Invoice #25826
Credit memo attached to deleted payment receipt cannot be applied to different invoice.
Software order has a Related invoice attached with prepayment information.

Subject: Confirm amount of charges for Claim #59703
“Invoice” hence shall mean the invoice attached to this Agreement.
You MUST show and review the UCAR Invoice Number.

Subject: Filed under your account via Statement #67345
This is to acknowledge receipt of your letter (with attached invoice) of August 2006.
Potential fraud alert, please review invoice to prevent further action on your account.

The attachments for these samples have filenames similar to: Bill90023.doc, Invoice25826.doc, Claim59703.doc and Statement67345.doc, but the attachments remain the same so simple checksums are effective for now.
We may see this technique adopted by other spammers, and it may also spread to other popular formats such as PDF. While there are plenty of other characteristics of this spam that can be used to block it, it is yet another incremental step by spammers to attempt to make detection harder. To keep up with this, Anti-Spam vendors may need to add attachment scanning to their solutions, which would require additional processing power on customers’ email servers. In addition, the attachments mean spam is getting bigger. The messages in the current campaign are only 35k in size, but Word documents are well known for growing very quickly in size. A rise in document spam would mean recipients’ mailboxes and servers clog up faster, worsening the burden that spam puts on us all.
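The point above that the attachment stays constant while the filename, subject and body vary suggests hashing the attachment body rather than the message. The following is an added example (not McAfee's code) that does that over constructed messages: subjects, bodies and filenames are the ones quoted in the post, and the attachment bytes are a constructed stand-in, not a real Word document.

```python
"""Flag document spam by the SHA-256 of the attached document.
Added example; the messages below are constructed from the post's samples."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed payload shared by every message in the campaign (not a real .doc).
SHARED_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"constructed invoice bait " * 16


def build_sample(subject, body, filename, doc=SHARED_DOC):
    """Build one multipart message with a .doc attachment (constructed)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(doc, maintype="application", subtype="msword",
                       filename=filename)
    return msg.as_bytes()


CAMPAIGN = [
    build_sample("Billing Update, Bill #90023",
                 "DATED MATERIAL,INVOICE ATTACHED", "Bill90023.doc"),
    build_sample("Your receipt for Invoice #25826",
                 "Software order has a Related invoice attached.", "Invoice25826.doc"),
    build_sample("Confirm amount of charges for Claim #59703",
                 "You MUST show and review the UCAR Invoice Number.", "Claim59703.doc"),
    build_sample("Filed under your account via Statement #67345",
                 "Potential fraud alert, please review invoice.", "Statement67345.doc"),
]
# A benign message with a different document, for contrast (constructed).
CLEAN = build_sample("Invoice #1001", "Please find the invoice attached.",
                     "Invoice1001.doc", doc=b"constructed benign document")


def attachment_digests(raw):
    """(filename, sha256) for each attachment; the digest ignores the name."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(),
             hashlib.sha256(part.get_payload(decode=True)).hexdigest())
            for part in msg.iter_attachments()]


def message_digest(raw):
    """Whole-message hash: defeated by the per-batch subject/body/name changes."""
    return hashlib.sha256(raw).hexdigest()


def flagged(raw, blocklist):
    """True when any attachment's digest is on the blocklist."""
    return any(digest in blocklist for _, digest in attachment_digests(raw))


# One confirmed sample is enough to seed the blocklist for the whole campaign.
BLOCKLIST = {digest for _, digest in attachment_digests(CAMPAIGN[0])}
```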

SMiShing - an emerging threat vector

Some cell phone users have started receiving SMS messages along these lines: “We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com”. (This is an example and was not a real URL at the time of writing)
This phenomenon, which we at McAfee Avert Labs are dubbing “SMiShing” (phishing via SMS), is yet another indicator that cell phones and mobile devices are increasingly being used by perpetrators of malware, viruses and scams.

While some might recognize this as a scam, many unsuspecting users would not. Fearful of incurring premium rates on their cell phone bill, they visit the Web site highlighted in the message. Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can then be used to launch denial of service attacks, install keylogging software, steal personal account information and perform other malicious activities. Because monitoring botnet activity is complex, it is challenging to know the current scope of the problem.

Imagine the threat to enterprise networks once hackers learn how to fully exploit SMiShing techniques. Most large enterprises have thousands of employees, using a variety of devices to access their networks. Despite their best efforts to issue safety guidelines, IT security staff cannot control human behaviour, especially in light of the fact that mobile users have not (yet) learned to treat their phones with the same level of concern that they apply to their laptops. Mobile devices present a serious challenge to data security, with the potential to infect both carrier and enterprise networks.

Enterprises would be wise to keep a close eye on this issue and think about policies for securing their mobile devices ahead of time, rather than playing catch up when it hits them, and begin to educate their employees about the potential risk now.

“You have signed in at another location”

I recently got a bunch of Yahoo instant messages from a few IM buddies. All of them about a geocities page: www.geocities.com/omg_thats_too_funny_3/ Unfortunately, that page was taken down by the time I could check what it was about. Also, my buddies couldn’t recall sending me that link.

IM Phish
It’s essentially a phishing attack delivered over the popular Yahoo instant-messenger network. You might see an offline buddy sign in, send you the above link with a couple of tempting smileys, and quickly log off. The scary part is that it’s sent without their knowledge, frequently when they are not online. They might even remember getting knocked off of the Yahoo IM because “they signed in somewhere else”. This likely meant that their Yahoo accounts had been compromised.

If you look around, you will find quite a few others have been scammed into losing their Yahoo passwords via phishing sites:

http://isc.sans.org/diary.php?storyid=1463
http://www.broadbandreports.com/forum/remark,14377670
http://zigzackly.blogspot.com/2005/10/yahoo-password-hack-warning.html

IMs from buddies are too easily trusted. Many sites that host pictures/videos allow only registered users to view them. So it’s not surprising that this type of attack is so successful.

What’s different about this attack is that it’s not a simple password-stealing attempt from a single targeted user. Once an unsuspecting user compromises her credentials by submitting them at the phishing site, a CGI script on that site uses the YMSG protocol with the stolen credentials, logs on to the Yahoo IM network and gathers the buddy list of that user to propagate the attack further! All buddies on this compromised user account get similar IMs posing as this user.

Theorizing further, it’s not hard to imagine a central attacker-controlled DB of stolen Yahoo IM ids (and, for the users who fell for the phishing, even their passwords). Such a DB could be really useful for spammers. It can be used to do some fancy data-mining as well (buddy relationships etc). At the very least, it shows which users are security savvy and which ones are not! :)

The attacker could keep creating newer sites when older ones are taken down/blocked. Yahoo IM’s default-allow policy makes all this even worse - non-buddies (anyone!) can send you an instant message without any previous contact. This is actually the whole point behind using them on social networking sites like Orkut, Myspace etc. So the phishing attacks can’t really be blocked on the network or URL level.

The only solution seems to be to use a “site-key” mechanism on the Yahoo login page(s). Something like a user-specified image/secret that gets displayed before the user even types the username (or password). This image can be selected based on the cookies/Macromedia Flash Objects downloaded through previous sessions. Since only Yahoo can read the content inside these local objects, only Yahoo can generate the right site-key image. The user enters her credentials only on recognizing the right site-key.
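A sketch of the site-key flow proposed above, added here as an example and not Yahoo's implementation. After a successful login the server enrols the browser with a device cookie that only the legitimate login origin receives back; on the next visit the login page resolves that cookie to the user's chosen image before any password field is offered, so a page on another origin has nothing to show. All names are hypothetical.

```python
"""Site-key login flow: device cookie -> user's chosen image, shown before
the password prompt. Added example; the secret and store are constructed."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed; never leaves the server
_enrolled = {}                            # device_id -> (username, chosen image)


def enroll_device(username, chosen_image):
    """Called after a successful login. Returns the cookie value to set,
    scoped (HttpOnly, host-only) to the real login site so that a phishing
    page on a different origin never receives it."""
    device_id = secrets.token_hex(16)
    _enrolled[device_id] = (username, chosen_image)
    tag = hmac.new(SERVER_SECRET, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def site_key_for(cookie):
    """The image to show on the login page, or None when the browser sent no
    valid device cookie (absent, forged, or tampered with)."""
    if not cookie or "." not in cookie:
        return None
    device_id, tag = cookie.split(".", 1)
    expected = hmac.new(SERVER_SECRET, device_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    entry = _enrolled.get(device_id)
    return entry[1] if entry else None


def login_page(cookie):
    """What the user sees before typing a username or password."""
    image = site_key_for(cookie)
    if image is None:
        return {"site_key": None,
                "prompt": "unrecognised browser: do not enter your password here"}
    return {"site_key": image,
            "prompt": "enter your password only if this is your chosen image"}
```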