MX Logic IT Security Blog

Google AdWords Phishing

2008-05-07T13:49:00-06:00

The folks over at Trend Micro have a good write up on a new type of phishing scam that has started floating around over the last week or so: Google AdWords Phishing.

It looks like the scammers are using the same general content in their phish with a couple of different variations on the subject line and the tagline that appears at the end of the message.

The phishing link mentioned in Trend's blog points to a Chinese registered domain that appears to have been taken down as of the time of this posting, but being the resilient type that cyber criminals are they have started to send out a new spam run with links pointing a new domain (also Chinese registered): adwords.google.com.s0leo9.cn, which is currently still active.

Below is a screen shot of one of the phish examples that we saw hit one of our spamtraps (note where it is different between here and the screen shot posted on Trend's blog):

From a volume standpoint these phishing attempts appear to be coming in waves. For example, on Tuesday, May 6th our Threat Operations Center was seeing approximately 2,200 of these hitting our systems in the early morning hours up to about 7:00am. After that it dropped off to about 2 per hour. In the early morning hours of May 7th we were again seeing up to 550 per hour.

This tactic won't resonate very well with most people as even though there are quite a few organizations out there who are using Google Adwords to promote their products on Google search result pages, the actual audience that this type of scam that this will make sense to is pretty limited.

Peter Gabriel's Web Server Stolen

2008-05-06T12:48:26-06:00

According to Peter Gabriel's web site sometime on Sunday Night or Monday Morning their web servers were stolen from their data center.

I wonder if they broke in with a Sledgehammer? Or if they were Quiet and Alone? I wonder if the RIAA will sue the thieves for stealing music?

Ok, enough jokes....

Kind of makes you wonder how they got in....or does it? I've been speaking to several colleagues lately who either currently perform social engineering engagements or did them in previous lives and it is amazing to me the areas of buildings that they have been able to access and the confidential information that they have uncovered just by every day, common techniques that we all do: tailgating, acting like you misplaced your access badge, or just looking like you belong somewhere.

Then once they were in the data center, how did they access the cabinet that the servers were in? Many cabinets go from the floor to the ceiling or have safeguards in place to prevent the cabinet from being compromised from on top. They should also have at minimum either a keylock or combination lock (or both), not to mention that the data center should also have security cameras covering every square inch of floor space.

We talk about proofs of concept very frequently where the occurrence of one crime is a finger pointing towards the potential occurrence of something much more damaging. This is definitely one of those types of crimes. If it can happen at this data center, what is to say that this same thing couldn't happen at any number of others as well? What security policies does your data center have? How well do they follow them?

We make a lot of assumptions with regards to the security of data centers, but all the technology controls in the world don't make a bit of difference if they can easily be bypassed.

Happy Birthday Spam!

2008-05-01T13:07:00-06:00

It would be inappropriate for me to let this day go by without wishing a happy birthday to one of the most important and controversial terms of the early 21st century.

Spam!

No, not SPAM!

Spam!

I try to shy away from actual definitions of spam because it's scope has gotten so much wider from when the first spam message was sent by Gary Thuerk to a large swath of ARPANET addresses 30 years ago this month.

So, was Thuerk an overly aggressive marketer? Or a pioneer setting the stage for modern day cybercrime? In my opinion the answer is both, but to that I would add the disclaimer that if he didn't do it surely someone else would have.

One could also make the claim that spam started even prior to that using the CTSS (Compatible Time-Sharing System) "mail" command back in 1971 where a developer wrote a long anti-war message that began with "THERE IS NO WAY TO PEACE. PEACE IS THE WAY." Despite being told that using the CTSS mail system in that way would likely be viewed as abusive he defended his position with the statement of "but this is important!"

Obviously spam has evolved quite a bit from its days of ARPANET and CTSS, but there are still a lot of parallels in why spam is sent. The primary end-goal was the use of network technology and over the wire communication for the purpose of making money. Whether that has to do with trying to sell a product (either legitimate or illegitimate) or trying to get a user to install adware or crimeware on their PC, money has been, still is, and will continue to be the primary reason for spam.

As we also know, "Spam Ain't Just for Email Anymore." but still carries the common theme of network abuse. Social and mobile networks have been common recent additional avenues that spammers have been exploiting as well through SMS spam, blog spam. Also, communication technologies like Instant Messenger and Voice over IP (VoIP) haven't been immune either whose abuse have borne acronyms like SPIM and SPIT.

Bill Gates was clearly way off base when he predicted in January, 2004 that spam would be gone in two years. Spam is more prevalent than ever not only in our inboxes, but in just about every way that we communicate and collaborate. As long as people continue to respond to spam it isn't going anywhere. In fact, it will only continue to become more pervasive and unavoidable.

Telecommuters Surf Twice as Much Porn

2008-04-23T15:46:26-06:00

According to this article posted at PC Pro, ScanSafe says that remote employees are more than twice as likely to be surfing porn than employees who work in the office.

This is not a surprising stat as telecommuting takes a level of discipline on the part of the teleworker that is far and away greater than office-bound employees. What is surprising to me is that companies are ALLOWING this type of web surfing to be taking place on their corporate computers!

Porn sites are one of the biggest security risks out there. Porn sites commonly install malware, adware, tracking cookies, and other security risks that could cause a security breach to your organization.

In most cases you want to use technology as an enabler for employees to be as efficient as possible, particularly your remote employees who are frequently less scrutinized because most of management's attention is focused on the employees that are in the office every day. This, however is one of those instances where technology needs to enforce the policies of the organization so that the company can protect itself and its intellectual property from compromise and disclosure. Data leakage as a result of inappropriate employee web surfing and irresponsible organizational content filtering policies is one of the easiest insider threats to mitigate. Companies should be doing everything that they can be to assure that this is not an avenue of information disclosure.

New Phishing Scam Targeting Economic Stimulus Payments

2008-04-22T13:43:00-06:00

Right on cue we are starting to see phishing scams with an economic stimulus payment flavor. As we discussed in one of the IRS phishing scam blog entries we predicted that as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd based on the last two digits of your Social Security Number) we would start to see more scams around these payments. We are starting to see some of the first iterations of those scams today.

As has been common with most of the government agency spoofs that we have seen over the past year, this one has an IRS logo at the top of the message that is being pulled directly from the IRS web site at irs.gov.

The samples that we are seeing allege to be from "service@irs.gov" and have a subject line of "2008 Economic Stimulus Refund."

The phish content is as follows:

Over 130 million Americans will receive refunds as
part of President Bush program to jumpstart the economy.

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.

Please click on the link and fill out the form and submit
before April 24th, 2008 to ensure that your refund will be
processed as soon as possible.

Submitting your form on April 24th, 2008 or later means that
your refund will be delayed due to the volume of requests we
anticipate for the Economic Stimulus Refund.

To access Economic Stimulus Refund, please click here.

The "click here" link takes the user to a prototypical phishing site where they are asked for their bank routing number and checking account number so that the rebate can be directly deposited into their checking account. The scammers are also trying to establish a sense of urgency to get you to click the link by saying that you have to fill out and submit the form before April 24th if you want to get your stimulus payment on time. Failure to do so will result in delays. This could be an effective tactic against those who may not be scheduled to receive their rebate until July or against the extremely impatient who think that this could be a shortcut to getting their rebate quicker.

This is about the time that we expected to start seeing these scams start coming out, and this certainly won't be the last of them, especially since the distribution of the stimulus payments is expected to last a couple of months.

As with all of the IRS scams that we have seen to date, there are a couple of things that you should remember:

-- The IRS does not communicate with the public over email.
-- To that point, the IRS does not even know what your email address is. If you use at home tax software the software vendor might ask you for your email address, but this is for the purpose of sending you status updates with respect to your tax filing. These emails are not from the IRS.

With respect to the economic stimulus payments, also remember:

-- The economic stimulus payments are being distributed based on your 2007 tax filing. The information for how to distribute your rebate to you will be done based off of your tax forms.
-- The payment schedule for the economic stimulus payments has already been established by the IRS. There is no way to accelerate this process.

Malicious Google Spam Alleging News Video from Bin Laden

2008-04-21T11:32:54-06:00

We're seeing a new Google Spam run with a malware component making the rounds where the subject line of the message alleges that some of the more popular news agencies have released a Special Report with respect to a new video having been released from Osama bin Laden. Volume is currently only less than 1% of total inbound virus traffic, so it is pretty low, but is yet another abuse of the Google PageRank system in an attempt to deliver malware.

Some of the subject lines that we have seen include:

Special issue of news from CNN! Urgent Fresh News Usama Ben Laden!
Special issue of news from CNBC! Urgent Fresh News Usama Ben Laden!
Special issue of news from Financial Times! Urgent Shocking News Usama Ben Laden!
Special issue of news from CNN! Urgent Apocalyptic News Usama Ben Laden!
Special issue of news from Bloomberg! Urgent Fresh News Usama Ben Laden!

You can see a fairly common theme here.

The email itself is somewhat lengthy and mostly discusses the tragedies that bin Laden has orchestrated against targets around the world. The most pertinent parts of the message appear at the top (as usual, many grammatical errors exist throughout the message):

Special issue of news from Reuters! Urgent Dangerous News!

hxxp://www.google.com/pagead/iclk?sa=l&ai=PBXCNHM&num=03311&adurl=http://cavalldemar.org/news_usa.php

Usama bin Laden(Osama bin Laden) one of the largest organizers of terrorist

activity, and similarly the largest leaders of terrorist organization of Al

Kaeda, detained American soldiery force in Iraq.

This particular sample was taken from a message where the subject says that the news update is from CNN so you can see that the news agency in the subject line is not necessarily consistent in the actual message itself. If the link from the message is followed, it directs the user to a page where they download a file named videousa.exe, which contains the malware.

Also, as of the time of this posting the link to hxxp://cavelldemar.org/news_usa.php (domain registered in Spain) is still active and AV identification is spotty:

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.4.22.0	2008.04.21	Win-Trojan/Agent.77824.DX
AntiVir	7.8.0.8	2008.04.21	TR/Crypt.XPACK.Gen
Authentium	4.93.8	2008.04.20	-
Avast	4.8.1169.0	2008.04.21	-
AVG	7.5.0.516	2008.04.21	Downloader.Zlob.12.AH
BitDefender	7.2	2008.04.21	-
CAT-QuickHeal	9.50	2008.04.19	(Suspicious) - DNAScan
ClamAV	0.92.1	2008.04.21	-
DrWeb	4.44.0.09170	2008.04.21	-
eSafe	7.0.15.0	2008.04.17	Suspicious File
eTrust-Vet	31.3.5720	2008.04.21	-
Ewido	4.0	2008.04.21	Backdoor.Agent.gxg
F-Prot	4.4.2.54	2008.04.20	-
F-Secure	6.70.13260.0	2008.04.21	Backdoor.Win32.Agent.gxg
FileAdvisor	1	2008.04.21	-
Fortinet	3.14.0.0	2008.04.21	-
Ikarus	T3.1.1.26	2008.04.21	Trojan.Win32.Revelation
Kaspersky	7.0.0.125	2008.04.21	Backdoor.Win32.Agent.gxg
McAfee	5277	2008.04.18	-
Microsoft	1.3408	2008.04.21	TrojanDropper:Win32/Nuwar.gen!lds
NOD32v2	3043	2008.04.21	-
Norman	5.80.02	2008.04.18	-
Panda	9.0.0.4	2008.04.20	-
Prevx1	V2	2008.04.21	-
Rising	20.41.02.00	2008.04.21	-
Sophos	4.28.0	2008.04.21	Mal/Generic-A
Sunbelt	3.0.1056.0	2008.04.17	-
Symantec	10	2008.04.21	-
TheHacker	6.2.92.285	2008.04.19	-
VBA32	3.12.6.4	2008.04.16	Trojan.Win32.Revelation
VirusBuster	4.3.26:9	2008.04.21	-
Webwasher-Gateway	6.6.2	2008.04.21	Trojan.Crypt.XPACK.Gen

Fake video downloads and updates have been a pretty common theme for the Storm Worm folks for quite some time now. This "news story" social engineering tactic is what Storm originally used to get most people infected back in January, 2007, so many people have already "been there, done that" which is likely why infection rates are staying pretty low.

Cyber Criminals Go To Great Lengths To Establish Trust

2008-04-18T13:37:53-06:00

Over the past 10 months or so we've often discussed different social engineering tactics as it relates to different types of spam and malware campaigns. These tactics range from using pinpoint precision to identify individual scam recipients (like CEOs and other C-Level Executives) to using tragic current events, naked celebrity videos, holiday e-cards, IRS tax refunds, or free/discounted sporting event tickets as a lure to get people to open malicious email attachments or click links that redirect them to web sites that are infested with malware.

So, the question is: How far will cyber criminals go in an attempt to get a foothold on your PC or steal your personally identifiable information?

The answer is simple: As far as they need to.

Cyber criminals will go to whatever lengths are necessary to trick you into doing what they need you to do in order to get infected with malware. This means that the success of their campaign is almost solely related to their ability to establish trust and to make their campaign appear as legitimate as possible. As an example, some of the IRS tax refund scams that we have been seeing this tax season even go so far as to link to or display the real IRS web site's logo, Privacy Policy and Online Help. The Federal Subpoena scam that we spoke about earlier this week included not only the name of the person that the scam was being sent to and their company name, but also their phone number!

As cyber criminals continue to hone their social engineering tactics, it is becoming more and more critical that people understand, are aware of, and keep a keen watch out for new potential threat vectors and the techniques that are being used in order to trick them into giving up information that could result in loss of identity, company secrets, or their life savings.

Losses being incurred as a result of cyber crime are increasing at an alarming rate and now we have reached the point where people are more fearful of being a victim of cyber crime than they are physical crime. According to Gartner, losses as a result of phishing alone could top the $4B mark in 2008! That increase is no accident and does not appear to be slowing anytime soon.

Hold out on Spammers, Get Better Discounts! Win the Spam Game!

2008-04-15T13:40:11-06:00

I just had to take a moment and share a couple of spam messages that came into our spamtraps over the past couple of days that I thought were somewhat humorous.

So, apparently if I had bought my Viagra on Sunday, I would have gotten a 73% discount:

However, if I held out until Monday, I would get an 81% discount:

At this rate, if I hold out a couple more days I should be due about a 115% discount and actually be able to make money off the spammers and beat them at their own game! :)

New Government Phish - This Time Targeting the US District Court

2008-04-14T13:29:00-06:00

It looks like the folks who were spoofing government agencies and targeting C-level executives are at it again; this time spoofing the U.S. District Court.

If you recall, starting around the end of May, 2007 we started to see a month and a half long wave of messages that were being targeted to C-level executives that carried a keylogger payload and used a lure of fake complaints against that executive's company in an attempt to get them to infect themselves. This tactic was, unfortunately, very successful which is why it hung around for as long as it did. These spoofs used an effective social engineering tactic that included both the name of the person receiving the scam as well as the name of their company. This fooled many into believing that the message was indeed legitimate because it didn't carry the earmark of most of your scams that are generically blasted en masse.

This new scam follows this same basic social engineering tactic except it takes it one step further in that it also includes the phone number of the company being targeted. This is just another way that the scammers are attempting to establish legitimacy with their intended target since it doesn't look like your everyday, run of the mill type of spam.

By targeting C-level executives, the technique used in this type of attack is called "whaling." It is called whaling because they are trying to get the largest fish that they can on the hook; people who are generally more affluent and stand more to lose, both personally and professionally.

Below is an example of one of these messages (Some personal information has been redacted):

AO 88(Rev.11/94) Subpoena in a Civil Case

________________________________

Issued by the

UNITED STATES DISTRICT COURT

________________________________

Issued to:      XXXXXXXXXXXXXXXXXXX

COMPANY NAME HERE

COMPANY PHONE NUMBER HERE

SUBPOENA IN A CIVIL CASE

Case number:    91-201-NKE

United States District Court

YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States 
District Court at the place, date, and time specifiied below.

________________________________

Place:   United States Courthouse

880 Front Street

San Diego, California 92101

Room:    Grand Jury Room

room 5217

Date and Time:   May 7,2008

9:00 a.m. PST

Issuing officers name and address: O'Mevely & Meyers LLP; 400 South Hope Street, Los 
Angeles, CA 90071

________________________________

Please download the entire document on this matter(follow this link) and print it for your 
record. <hxxp://cacd-uscourts.com/ViewCase.php?case=91-201-NKE>

This subpoena shall remain in effect until you are granted leave to depart by the court or 
by an officer on behalf of the court.

Any organisation not a party to this suit thas is subponaed for the taking of a deposition 
shall designate one or more offcers, directors, or managing agents, or other persons 
to testify on its behalf, and may set forth, for each person designated, the matters on 
wich the person will testify. Federal Rules of Civil Procedures,20(b)(6).

Failure to appear at the time and place indicated may result in a contempt of court 
citation. Bring this subpoena with you to the courtroom and oresent it to the bailiff. Direct 
any questions to the person requesting you to appear: City Prosecutor.

You'll notice a few spelling errors which is your typical dead giveaway that something isn't quite right here (of course, the US District Court trying to communicate with you via email, which it never does, should have been the first one). They also went to the trouble of registering a new domain, cacd-uscourts.com.

Here is where it gets funny:

-- cacd-uscourts.com is the domain used. If this were really a government domain, would it have a .gov TLD?
-- This domain was registered two days ago to someone named Michael Rice who lives in the U.K.
-- Registration for the domain was done by a company named WEB4AFRICA

It's been a while since we have seen this type of scam outside of the IRS spoofs that we have been seeing in accordance with tax season so I am sure it will get its share of victims. No solid information yet on whether these new phish are being sent to the same C-level execs who were targets of last year's scams. More information to come as it becomes available.

**** UPDATE 1 (4/15/2008 12:00pm MDT): We are still seeing these emails hitting our system at a rate of about 30 per hour. Obviously very low overall volume, but that speaks to the precision of the targeting being used. The highest hour that we have seen so far today was the 10am hour where we saw 50, and we basically saw none between midnight and 7am. It appears that the cacd-uscourts.com domain that was hosting the malware yesterday has had its registration suspended by WEB4AFRICA. The web site is no longer accessible.

Rock on with the Storm Worm

2008-04-11T13:29:36-06:00

Never to rest on their laurels, the Storm Worm gang brings us yet another new twist in how they are trying to get you to infect your PC.

This new Storm variant follows in the footsteps of the Google Spam with a purported video download that I blogged about on April 3rd except that Storm is trying to convince you that you want to view a new music video that has just been released.

Here is an example of one of the messages that came into our Threat Operations Center:

Eagles just made a new video. See it here before it releases. Cut and
paste the link in your browser to get the video:
hxxp://zbrkfdxd[deleted].blogspot.com

All of the examples that we have seen thus far have been random subdomains off of blogspot.com, a popular, free blog hosting site. When the link in the email is clicked you are immediately redirected to hxxp://giftapplys.cn (registered on April 8th) which serves up the below page:

Both the fake video player and the "Download it" link point to the malware download. Interestingly enough, the video player points to a file named StormCodec.exe and the Download It link points to a file named StormCodec8.exe. These files have the same md5 checksum (2f16017932e729b8a9f1f5c07eec9b99), however so despite their different names, they are actually the same file.

We've only seen about 50,000 of these messages over the last 24 hours (I say "only" because many Storm Worm variants are in the millions within their first day) so this tactic isn't too popular at the moment, but is new and different from previous tactics so is definitely something to keep on the lookout for.

First Google, now Hotmail

2008-04-10T13:58:36-06:00

According to a blog entry posted recently by Websense, it looks like spammers have found a way to break the Hotmail email account signup CAPTCHA.

Ever since the story broke in late February about Gmail's CAPTCHA technology being broken, we've been seeing large numbers of both spam and backscatter (at the rate of about 40-50% of all mail traffic) from Google's mail servers. This has also caused some of Google's servers to trigger our automated blocks on an occasional basis. It looks like other anti-spam vendors have followed suit in this approach as well.
It looks like Hotmail will soon be in that same boat unless they can figure out a new system and get the spam accounts shut down.

FBI Releases 2007 Internet Crime Report

2008-04-10T11:47:56-06:00

Last week the FBI released its Internet Crime Report for 2007, and there are some interesting trends when comparing this report to the past couple of years.

Total monetary loss as a result of internet crime continues to increase. Between 2005 and 2007 total loss from cases of fraud went from just over $185M to over $239M. That's an increase of 30% over two years!

So, what constituted these losses?
According to the report Financial Institutions Fraud has increased over 400% as a percentage of total complaints received) between 2005 and 2007 from 0.5% of complaints received to 2.7%. Computer fraud also substantially increased as a percentage of overall complaints during that same time frame (1.4% to 5.3%). Almost a 300% increase!

That's interesting in and of itself, but how does it translate to real dollars?

As one might expect (lack of education on the threat, perhaps?), the types of fraud that generated the greatest amount of loss per complaint were actually some of the least prevalent types. In 2005 and 2006, Nigerian Letter Fraud didn't even appear in the top 10 list of types of fraud, however it topped the list of loss per complaint at $5,000 and $5,100 respectively. Compare that to 2007, where it cracked the list at number 10, but accounted for the third highest loss per complaint at $1,922. Auction Fraud, which was the most common fraud complaint for all 3 years had consistently one of the lowest loss/complaint numbers ranging from $385 (2005) and $602 (2006). Thanks to the increase of stock pump and dump scams investment fraud topped the 2007 list at $3,547 per complaint! Interestingly though, despite the amount of attention and press that these scams have received over the past year and a half investment scams still didn't crack the top 10 complaint percentage list.

How people were contacted in order to be defrauded stayed pretty static between 2006 and 2007 with email leading the charge at just under 74% for both years. Where the report shows movement, however is in the increase of the web and phone (vishing) being used as a more frequent vector of communication with victims. In 2005, the internet and telephone accounted for 16.5% and 4.5% of communication vectors, respectively. In 2006 and 2007 those numbers were in the low to mid 30s for the internet and around 18% for telephone.

So, if you're still with me these obviously are a lot of stats, but what does it all boil down to?

What this outlines, among other things, is the constantly changing threat landscape and that the least seen threats are the most dangerous. As such, it is important to not only educate yourself, but educate your organizations as to the types of threats that are out there. Make sure they also know what is real and what is not. There are so many virus hoaxes, some several years old, that still make the rounds on a regular basis that it is easy to see how people either get confused as to what is viable and what isn't, and why others think that internet threats are just the industry crying wolf in an attempt to get people to continue to buy product. It is these types of threats that have also caused a serious drop in consumer confidence in some brands to the point where many users have developed an aversion technique to any email or correspondence from them because they have a hard time determining whether the message is a scam or not. This loss of confidence has caused a serious problem for when these brands actually do send out legitimate mail because their response rates have suffered.

Is there an answer?

Many solutions have been on the table for quite some time between email authentication technologies like SPF/Sender ID and DomainKeys Identified Mail (DKIM), botnet detection technologies, and brand protection companies who (among other services) monitor for look alike domains being registered that are intended to look like common brands to be used in phishing campaigns. Unfortunately, at this point so much social damage has been done to these brands because they are so frequently targetted for phishing and other fraud campaigns that restoring consumer confidence is an extremely difficult mountain to climb. I'm not saying that it can't be done, but I am saying that the cyber criminals act much quicker than some of these technologies can react and that doesn't appear to be changing anytime soon.

It's Google Spam! It's Video Spam! It's Malware!

2008-04-03T12:25:52-06:00

Yet another new twist in the never ending array of Google Spam that we have been seeing over the past 2 months. The sample that just hit our spamtraps within the last hour has a bit of a new twist to it.

When I first opened this message I thought "Neat! Google video spam!" It wasn't until I looked at the source code of the message that I realized that this was just another link to malware redirecting through Google with a fake video as the lure.

Here is a screenshot of the spam:

Clicking any of the links downloads a file named video_codec-v2.12.384.exe.

So far AV pickup is pretty spotty (stats courtesy of Virustotal):

Antivirus	Version	Last Update	Result
AhnLab-V3	-	-	-
AntiVir	-	-	TR/Dropper.Gen
Authentium	-	-	-
Avast	-	-	Win32:Agent-GPS
AVG	-	-	-
BitDefender	-	-	DeepScan:Generic.Malware.FBldld.D22058AD
CAT-QuickHeal	-	-	-
ClamAV	-	-	-
DrWeb	-	-	-
eSafe	-	-	suspicious Trojan/Worm
eTrust-Vet	-	-	-
Ewido	-	-	-
FileAdvisor	-	-	-
Fortinet	-	-	-
F-Prot	-	-	W32/Agent.Q.gen!Eldorado
F-Secure	-	-	Suspicious:W32/Malware!Gemini
Ikarus	-	-	Virus.Win32.Agent.GPS
Kaspersky	-	-	-
McAfee	-	-	Proxy-Agent.af.dr
Microsoft	-	-	Trojan:Win32/Danmec.gen!A
NOD32v2	-	-	a variant of Win32/Agent.NEQ
Norman	-	-	-
Panda	-	-	-
Prevx1	-	-	Heuristic: Suspicious File With Bad Child Associations
Rising	-	-	-
Sophos	-	-	Troj/Bdoor-AJR
Symantec	-	-	-
TheHacker	-	-	-
VBA32	-	-	suspected of Trojan-PSW.Pinch.12 (paranoid heuristics)
VirusBuster	-	-	-
Webwasher-Gateway	-	-	Trojan.Dropper.Gen

New IRS Refund Scam with a Vishing Twist

2008-03-27T20:51:45-06:00

About an hour ago we started to see yet another new variant of the IRS Refund Scams, this time using "Vishing" or Phish By Phone as a lure.

Here is a sample of the message that we received:

Internal Revenue Service Tax Refund

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $215.

Tax Refund Number:84730004332 - Will Expire on 29 March 2008

Attention!
Tax refunds can be sent only to VISA or Mastercard DEBIT CARDS.

To receive your tax refund please call the IRS Tax Refund Department at: 602-427-5984 .

Internal Revenue Service

Upon calling the number (602 is an Arizona area code) listed in the email you are greeted by a digital voice which introduces itself as being the Internal Revenue Service then asks you to enter your social security number, credit card number, expiration and PIN. The interesting thing here is that the recording appears to be a poorly repurposed scam. After asking for your PIN it tells you to please wait while it is "activating your account".

Wait a minute! I thought I was getting a refund!

'Tis certainly the season for tax scams and we've been seeing quite a few of them in the Threat Operations Center between the phishing scams that ask for your credit card number on a fake web site with promises of a refund to malware based scams that claim to "update the tax software installed on your computer". We'll likely only see more of them over the next 2-3 weeks as well as the tax deadline nears. I would also expect to see similar types of scams with promises of things like advances on your economic stimulus payments as we get closer to early May which is when the initial payments are scheduled to be distributed.

Surf Child Porn (or not?), Go To Jail

2008-03-20T12:45:11-06:00

I was forwarded this article this morning regarding an FBI sting operation using fake web links in an effort to catch people who surf to child porn sites. I am all for prosecuting people who are breaking the law, particularly in relation to offenses relating to child porn, but the method described in the article has an uncomfortably high potential for false positives.

For starters, web sites are in the public domain and are accessible by anyone, anywhere, and at anytime regardless of how they got there. How is the FBI to know that you found the web site as a result of one of their email lures and didn't stumble upon it some other way having no original intention to visit a child porn site? Have you ever found yourself on a porn site or some other site that you weren't expecting as a result of a mistyped URL, unintended mouse click, or deceptive web site? Sure you have!

The article mentions another real possibility of accessing the site via an unsecured wireless connection. Could you frame your neighbor with the dog that barks all day that you don't like by jumping on his open wireless network and surfing to this mousetrap site? What if a bot on your PC was emulating clickthroughs to the site in an attempt to throw authorities on a wild goose chase?

I agree with the author where he states that this potentially sets a dangerous precedent if this type of surveillance continues to be allowed to stand up as evidence. Granted, we've all heard the "someone must have been using my wireless network" and "I must have had malware on my PC" defenses before, but this situation could have some serious federal level consequences. Sounds dangerous to me!

Does it Cost Extra for the iPod Without Malware?

2008-03-19T14:48:57-06:00

Whether it is iPods being shipped with malware, digital picture frames, navigation systems, or hard drives, the number of incidents of electronic equipment being shipped from the manufacturer with malware is disturbing!

How does this happen? This is typically a by-product of PCs that are used for things that are outside their intended business purpose. For example, if a computer's primary business function is to load software onto a digital picture frame or to test the ability of a computer to connect to and transfer files to the frame, then those should be the only parameters by which that machine is used. It should not be used to plug in external USB drives, download videos and music off of the internet, or to surf porn sites. Any of these activities are vectors of unnecessary risk and could end up infecting the PC with malware which will subsequently get passed onto other devices.

As the line between what is known as a PC and what actually runs the same type of software as your PC continues to blur you can expect to see more of these types of incidents occurring. This is unfortunate because as we have become more dependent on technology in our every day lives and as the devices that we used have become more advanced, our level of confidence in those devices to function in a safe, secure, stable manner has declined significantly. These sorts of compromises represent one of the biggest new threats to corporate networks and will be another one of the avenues used more prevalently by cyber criminals to steal sensitive, confidential, and personal information as malware continues its evolutionary process.

Soloway Pleads Guilty, Faces Up to 26 Years in Prison

2008-03-18T10:01:55-06:00

Back in May, 2007 Robert Alan Soloway, a "Spam King" (as he was dubbed) was arrested on criminal charges by the Justice Department (read the original blog post with my thoughts on this event) and at the time there was a lot of discussion amongst the media as to whether or not this was a significant event. Would spam volumes fall? What effect would it have on the spammer community? Have we won a major battle in the fight against email and internet pollution?

My opinion then was that it wouldn't have an effect and the numbers over the past 10 months since his arrest have backed up that claim. Since May, 2007 email spam volumes have actually increased by about 150%!
So, did this have an effect on the spammer community? Clearly not from the standpoint of the cyber criminal's use of email as an effective delivery vehicle. If it had any effect at all, it was from the perspective of further emphasizing that spammers should remain as behind the scenes and as stealthy as possible. Soloway very much bucked the trend in this regard and even went so far as to mock a lawsuit filed against his company by Microsoft.

Based on Soloway's guilty plea he faces up to 26 years in prison. His sentencing is scheduled for June 20th. So, the question remains: "Have we won a major battle in the fight against email and internet pollution?" I believe the answer to the question is "Yes", but true success in this war is clearly not defined by victories in small, individual battles. For every spammer arrested, prosecuted, and fined there are many others ready and willing to carry the torch.

...Speaking of Malicious Attachments In Google Spam

2008-03-17T16:01:03-06:00

Just had this come across one of our honeypots a few minutes ago: Google spam linking to an infected executable file.

So far AV detection is pretty spotty, and of the ones that are identifying it, it is typically falling under the "generic detection" categories.

Antivirus	Version	Last Update	Result
AhnLab-V3	-	-	-
AntiVir	-	-	TR/Crypt.XPACK.Gen
Authentium	-	-	-
Avast	-	-	-
AVG	-	-	Generic10.BID
BitDefender	-	-	MemScan:Trojan.Downloader.Exchanger.C
CAT-QuickHeal	-	-	(Suspicious) - DNAScan
ClamAV	-	-	-
DrWeb	-	-	-
eSafe	-	-	Suspicious File
eTrust-Vet	-	-	-
Ewido	-	-	-
FileAdvisor	-	-	-
Fortinet	-	-	W32/Tibs.WA!tr.dldr
F-Prot	-	-	W32/Tibs.K.gen!Eldorado
F-Secure	-	-	Trojan-Downloader.Win32.Agent.ljx
Ikarus	-	-	Trojan-Downloader.Win32.Agent.ljx
Kaspersky	-	-	Trojan-Downloader.Win32.Agent.ljx
McAfee	-	-	-
Microsoft	-	-	-
NOD32v2	-	-	Win32/Agent.ETH
Norman	-	-	-
Panda	-	-	-
Prevx1	-	-	Trojan.Downloader
Rising	-	-	-
Sophos	-	-	Troj/Exchan-B
Sunbelt	-	-	-
Symantec	-	-	Downloader
TheHacker	-	-	-
VBA32	-	-	suspected of Downloader.Zlob.8
VirusBuster	-	-	Trojan.Zlob.GMQ
Webwasher-Gateway	-	-	Trojan.Crypt.XPACK.Gen

The spam itself has a porn twist to it (as opposed to the health and pill related spam that we usually see). The sample that landed in our honeypot has a subject of "Rihanna Exposed" and a short message body which reads "Download and Watch" which is a link to the malware (abusing Google) at http://www.google.com/pagead/iclk\?sa=l&ai=HvlJeh&num=33195&adurl=http://REDACTED.pl/video.exe (redacted since the site is still hosting live malware).

Malicious Attachments via Google Spam

2008-03-10T16:39:00-06:00

Over the last few weeks we have seen a significant increase in what is known as Google Spam in the Threat Operations Center; sometimes peaking at almost 5% of our overall spam volume.
Google spam is defined as spam that abuses the Google PageRank system by artificially inflating the ranking of a spam site. Once a spam site has been ranked on the top of the Google search engine based on certain keywords, spam blasts are sent out which craft URLs that query on these keywords and emulate the Google "I'm Feeling Lucky" button which automatically redirects users to the query's top ranking site.

Most of the Google spam that we have seen thus far redirects to different variations of pharmacy sites pushing pills and enhancement products, typical to most health related spam.

One element of Google spam that hasn't received much attention, however is the potential for attachment based malware distribution via this tactic. The potential for drive-by malware download as a result of malicious javascript or iframes is obvious and well documented, but another potential threat vector is the possibility of Google Spam directing a user to a malicious PDF.

Many users by default have their PCs setup to automatically open common attachment types like PDFs without so much as a confirmation box asking the user whether or not they are sure they want to open the file. This convenient feature is a wide open hole for malware injection, especially considering the PDF exploits that have been published over the last several months.

To better protect themselves users should not be allowing any attachment type to be opened by default, no matter how common. Although it might be an inconvenience to have to click a button on a confirmation dialog every time we open file types that we are used to using and that we may open 50 times per day, it at least puts one more step between ourselves and potentially malicious downloads. Allowing any file to be opened on your PC without your prior knowledge and consent enables a level of trust from an untrusted network that should never exist.

Another New IRS Malware Scam

2008-03-06T13:21:15-06:00

Tax Season is here and the IRS scams just keep on coming. We've already seen and talked about many different variants of the IRS phishing emails that say you are due a refund that they will gladly refund to your credit card, but now it appears that the scams have moved into malware downloads.

We've seen a new IRS scam over the past couple of days which is trying to trick users into thinking that they need to update the tax software on their system. Why would the IRS care what tax software you have on your system or if you have any at all? Of course, the real answer is, "They don't."

An example of the message that we are seeing:

Dear Tax Payer,

As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.

To begin the update, please visit hxxp://nzkaa . info and click "Open" when asked how to begin the download.

After doing so, no further action is required on your part.

Thank you for your cooperation,

IRS.GOV Agent #4[3

The URL above is obfuscated in the event that it is still hosting malware. At the time that I visited the site it appeared as if it had been taken down, however the registration of the domain is still active, so it is possible that it could move to another IP and be a malignant site again.

A couple of interesting/humorous things about this new spam:

-- Every spam message that has hit our systems relating to this scam has come from the same IP address: 92.48.88.145, an IP out of the UK (I wasn't aware that the IRS had offshored their email distribution :) )
-- The web site in the spam is currently (subject to change while the domain is still active) being hosted on an IP out of the Bahamas. Another thing the government has decided to offshore, apparently.
-- Every message has HELOd (the start of the SMTP conversation) as "Exploit". At least they're honest :)

As with the other government agency scams that we have seen to date, volume is low. The MX Logic Threat Operations Center processed around 2,000 of these messages on 2/4, 1,600 on 2/5, and about 550 so far today (as of 1pm MST).
As with the other IRS and other government agency scams that have preceded this one, the government does send personal email to alert you of software updates, refunds, or any other official matter. The IRS knows how to get a hold of you if they need to do so.

Hacktivism Meets Malware

2008-03-05T11:03:42-06:00

I came across an article this morning on the SC Magazine site talking about a new virus called "MonaRonaDona" which takes a bit of a different twist when put next to most strains of malware released over the past couple of years.

As we know malware made the move from a vehicle used to achieve fame or notoriety to a method used to make large amounts of money a few years ago. Similar to how MBR rootkits are a bit of a throwback to a time when attacking the MBR was a popular method of virus infection, the MonaRonaDona worm is a throwback to the time when worms were written mostly for recognition. Granted, there is a financial component to MonaRonaDona as well, it is not likely to be very successful.

MonaRonaDona appears to be spreading via malicious advertisements being posted on web sites. The user will not know they are infected until they reboot their machine when they will receive a popup that states: "Hi, My name is MonaRonaDona. I am a Virus and I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humanity." This malware will also prevent the user from opening common programs on their PC such as Microsoft Office and Adobe applications.

Very noble, but I fail to see how preventing me from opening Word does anything to remedy crimes against humanity in places like Darfur.

Part of the intention of the worm author as well is to socially engineer the user of the infected PC to perform a search in the Google search engine for the name of the worm. Among other fake sites engineered by the malware authors is a site to purchase a product named Unigray. For $40 Unigray alleges that it can clean your PC of MonaRonaDona. Of course, all it really cleans is your wallet out of $40 :)

Personally, this worm seems like a lot of work for what will likely be very little reward. It is different though, especially with the hacktivism angle, from most other malware which makes it interesting.

We've discussed before that we expect to see more political based spam as the presidential election year wears on, especially closer to Democratic and Republican convention times. Expect to see more political based hacktivism type malware lures as the year progresses and as the race for the White House intensifies. As we saw with the Ron Paul spam last November, the stage has been set to use spam as a method for propaganda distribution pertaining to the upcoming election!

Heads Up! New Government Spoof with Malware Payload

2008-02-27T22:26:41-06:00

Looks like the government agency spoofs from last summer have returned!

During May/June, 2007 we saw nearly weekly variants of emails being spammed that were spoofing different government agencies largely targetted towards C-level executives containing a keylogger payload. These emails started off with the malware attached to the email message itself, then migrated to a pull infection model where the user downloaded the malware off of a web site via a link embedded within the message.

Starting today we've started to see a resurgence of this tactic, but this new variant is spoofing the Department of Justice. This department had not been one of the spoof targets of the previous spam runs. Below is a redacted screen shot of the new scam (courtest of McAfee):

As you can see from the above screen shot, the message has an attachment named complaint.zip which contains the malware payload.

A couple of similarities in social engineering tactics between this scam and the previous scams from this summer are the inclusion of the name of the person and the name of the company that the message is being sent to. You'll notice from the screen shot that there are also grammatical errors and misspellings.

A few particular examples that I have seen were sent from IPs in Italy. Somehow I doubt the DoJ has contracted with anyone in Italy to start sending legitimate complaint notices :)

Volumes of this scam have been pretty low; on the order of a few hundred being seen by our Threat Operations Center per hour. No information yet as to specific targetting of this scam. This post will be updated as more information becomes available.

2008 Off to a Fast Start

2008-02-27T10:50:00-06:00

Nice to be back!

Between our webmaster working on a new blogging tool for me to use and the first of three Messaging Anti Abuse Working Group (MAAWG) meetings for the year in San Francisco last week (I am now Chairing the Botnet/Zombie Subcommittee), I've not had nearly the time that I normally have for blogging over the past couple of weeks. I've been queuing up topics in the meantime though so we should be back on our regular posting cadence now.

In comparison to most previous years, 2008 is off to a pretty fast start as it relates to spam and malware. Save for last year when the Storm Worm started January off with a bang, the months of January to April are typically a bit slow from the perspective of new worms, malware, and spam volume. The primary reason for this "slow season" is that a good number of your malware writers are of high school/college age. Those folks are in school or otherwise occupied during the early months of the year. Come May or thereabouts, schools start letting out for the summer, kids find themselves with more idle time, and the flood of malware and spam begins. Infections rise, spam levels rise, and things quickly start hopping around our TOC.

2008 has somewhat bucked the trend in that regard as we have seen a number of developments just in the first two months of the year alone: MBR Rootkits, Drive-By Pharming, and continually high spam volumes which normally drop off by as much as 30% after the first of the year. In fact, the spam volumes that we have been observing this week are UP about 20% from any other week so far this year!

We've also seen social engineering tactics like Fake Microsoft updates with links to malware and IRS phishing scams claiming that you are due a refund from the IRS that will be gladly credited to your credit card if you provide them with your card number (not new tactics, but worth noting nonetheless) as well as Google spam (email with links to Google search results which forward you to sites that have abused Google's PageRank system).

Google spam is currently accounting for around 100,000 messages per hour that we are seeing in our Threat Operations Center. Although this doesn't represent a significant percentage of volume, it is the most prevalent spam tactic that we are currently observing. Compare that to IRS phishing which we are currently seeing at a rate of less than 100 per hour.

If the first two months of 2008 are any indication of what the rest of the year will be like, perhaps it is appropriate that it is the year of the rat according to the Chinese calendar :)

Right on cue, Storm releases Valentine's Day Variant

2008-02-12T09:32:00-06:00

I'm sure nobody saw this coming (tongue firmly lodged in cheek), but the folks that have brought us Storm Worm variants like e-cards and Christmas Greetings have brought us a Valentine's Day variant just in time for the February 14th holiday.

Traffic that we have seen thus far in relation to this worm peaked during the 1am and 2am (mountain standard time) hours this morning and has been steadily dropping ever since, but I have a hard time believing that this trend will continue with Valentine's Day still two days away!

This new variant follows the same paradigm as the ones that we have seen previously: Subject line and message body related to the upcoming holiday and a random link which points the user to a web site where they download an executable (like valentine.exe) and get infected. Nothing new.

Some of the subject lines that we have seen in relation to this worm include:

Is Anything Beautiful As A Rose?

You're my Velentine! (note the misspelling)

You Stay In My Heart

Smiley Kiss

Sample message bodies potentially include the same text as the subject line. We've seen some variances here, but it looks like the subject line and message text are pulling from just about the same static list.

Playing on emotion and holiday themes continues to be a successful social engineering tactic for the Storm Worm gang, and will continue to be popular until such time as it ceases to be effective. As with all of the other variants, don't get hit by this Cupid's arrow. There is no love to be found here!

Article Commentary: Human Error the Leading Cause of Security Threats

2008-02-06T10:13:00-06:00

I ran across this article this morning which states that according to Deloitte that human error is the leading cause of security threats. I agree with this to a point.

I thought it was important to mention this concept as it is also a major point in the Security Awareness presentations that I do. Where my opinion differs is that I believe that human error is the leading cause of *insider* security threats, but not the leading cause of all security threats.

Perhaps I am being myopic because of the type of company that I work for, but I view intrusion as the result of public server vulnerability, virus infection, and social engineering to be a much larger issue.

That isn't however to take away from the importance of the insider threat. When I say "insider threat" am I referring to employees who are going out of their way to do something malicious or to try to access data that they know they shouldn't have access to? Yes, but I am also referring to employees to who stumble upon information due to lack of proper security controls or the maintenance thereof. For example, if you work in your Customer Support department and happened to stumble upon a spreadsheet named "Executive Salaries 2008.xls" somewhere out on a network share, that you had permission to view, would you open it? Perhaps you would report it, but I'll bet you a nickel that you would look at it first, maybe save a copy for yourself, or print it out on the closest printer to show your friends. These are examples of insider threats just as much as the over-eager security novice who is attempting cross site scripting attacks against your production systems in an attempt to learn.

According to the 2006 E-Crime Watch Survey insiders were responsible for 27% of all security incidents and 55% of respondents reported at least one incident that was the result of insider activity. That's more than 1 in 4 security incidents that happen as a result of an internal employee! That's a lot, especially in an age where most of what you read about in security publications talks about the latest worms, keyloggers, and other maladies looking to steal your financial data.

The article also states that "Another security worry is many line-of-business executives' tendency to see information security as solely IT's problem." If your company puts the responsibility of security solely with the IT department, they are missing the boat. Security should not rest with IT for the same reasons that it should not rest with Production Operations or Quality Assurance or any other department; they have their own agendas and their own core competencies to focus on. Adding "make sure we are secure" to that mix is a certain recipe for failure. Your security program implementation, maintenance, and enforcement should be handled by an independent (could be internal) source whose *main responsibility is the security program*.

The article concludes by making a statement in regards to the implementation of a corporate security program, "A prerequisite for effective information security is the implementation of a proactive information security strategy that is closely linked to the company's overall business strategy, business requirements, and key business drivers." This is completely true. One thing I would add onto it is "...and has the full support of the company's executive team." Without the support of the people who run the company, your program will barely get off the ground.

Storm Worm Authors Identified? To Be Arrested?

2008-01-31T16:28:00-06:00

According to this article at internetnews.com, American and Russian law enforcement agencies know who is behind the creation of the Storm Worm.

The article goes into detail on the difficulties of extradition to the United States if American officials request it so I won't belabor that point here.

What is important is whether or not this could mean the end of the Storm Worm? Unfortunately not. We already know from research done by Joe Stewart that recent variants of the Storm Worm are using a key to encrypt their P2P traffic basically segregating the network into chunks that use this same key to communicate. This means that these portions of the botnet could be sold off and used for whatever purposes the buyer wanted to use them for: more spam, different malware, etc. If the Storm Worm code is also made available, then there is nothing stopping Storm from living on.

Even scarier is the notion that we have seen the evolution of malware and it only gets nastier and nastier with one idea building off the previous. So, even if we don't see additional specific Storm Worm variants if/when the authors are arrested, the concepts and code will certainly live on and take on new shapes in the next popular malware strains.

Another Day....Another Data Breach

2008-01-31T10:59:00-06:00

Hardly a day goes by anymore where there isn't some sort of breach of confidential data. Whether it is the exposure of almost 40,000 Social Security Numbers of Georgetown University alumni, faculty, and staff or the theft of 35,000 records of current and former customers of T. Rowe Price, or even the well documented theft of over 45M credit and debit card numbers from TJX, data theft is rampant and we still haven't learned our lesson.

No matter how much education you do on security best practices and even if 99.99% of your company follows those practices, it only takes one person making one mistake to cause a potential breach. Although some data breaches are the result of large scale infrastructure weaknesses, a large number of them are also the result of the indiscretion of one person. One person who didn't properly secure an open PC or who didn't properly secure a hard drive with sensitive data can cause the loss of millions of records which can result in untold numbers of identity thefts!

We've said this before, but I absolutely believe it to be 100% true: protect your personal information and monitor your bank accounts and credit cards like the data has already been compromised (because it likely has. The real question is whether or not someone is going to use YOURS). As with many things in life, early detection gives you the best possibility of recovery. You may not be able to prevent damage to your credit or reputation from happening, but there is a lot we can do to mitigate it once it happens.

Storm Worm Gets Personal

2008-01-30T13:16:00-06:00

I have to admit that as much as I am tired of talking about the Storm Worm, it keeps giving such great fodder for discussion. Over the past year we have seen fake video clips for current events and e-cards. Now Storm has expanded its horizons and has started sending out one-liner spam with the prospect of a better life between the sheets.

Some of the sample subject lines that we have seen from this new Storm variant include:

-- why you're so unhappy with your bedroom life?

-- Ladies and Gents want to have perfect nights!

-- Become a super-lover-2008!

-- What you will learn from us will change your sensual life for better!

All of the samples that we have received have had one-liner spam where the message body is sometimes the same as the subject line (many times not) followed by a URL pointing to a random IP address like hxxp://61,79,172,152/rqokyj/ (modified so you can't actually click the link).

As if we don't see enough health related spam already, now Storm has jumped on the bandwagon as well. I guess if it works for the spammers...