Thursday, June 25, 2009

Mmm, Spam and Word Salad, Just Like Mom Used to Make

There has been an influx this past week of spam emails that contain nothing but random words. One to three of them appear in the subject line, and around three to six in the body. These words are various verbs such as “mugging” or “denote”, people’s first names, objects, proper nouns, regular nouns, you name it. This type of spam, a grouping of words that make sense individually but certainly not together, has come to be known as “word salad”.
This certainly isn’t the first time this has occurred; it has been going on since the invention of Bayesian spam filtering back in the late 1990s. People have stuck to the notion that this technique is used to break or poison this type of filtering. Bayesian filtering is a statistical approach to filtering spam from your inbox. Essentially it looks at the individual words in an email and assigns each word a probability value based on how likely that word is to appear in a spam message. After every word is assigned a value, in most cases the filter looks at the words scoring furthest from neutral, in either direction, and averages them together to produce the resulting score. These filters do need to be trained, however, and this is where word salad comes into play.
The theory is that the spammers are sending these emails in an attempt to render these filters useless by confusing their data. The spammers send random words, or sometimes specific words in anticipation of an event such as a new movie coming out or an election, in hopes that their obvious spam will cause common words to be scored as spam in future valid emails. Those valid mails then begin to be quarantined as spam, creating a slew of false positives. The resulting frustration causes the end user to turn off Bayesian filtering, clearing the way for the spammers’ real payload that follows. That’s the theory anyway.
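To make the poisoning theory concrete, here is an added example (not code from the original post or from AppRiver): a minimal per-word Bayesian filter of the kind described above, trained first on constructed office mail and pharmacy spam, then additionally on a batch of constructed word-salad messages that the user's filter has learned as spam. The combination step uses the classic product-of-probabilities rule from Paul Graham's "A Plan for Spam" rather than a plain average; all message text, the 0.01/0.99 clamp and the 15-token window are assumptions for illustration.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z']+")


def tokenize(text):
    """Lower-case word tokens as a set: the filter scores presence, not frequency."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Per-token spam probabilities learned from labelled training messages."""

    def __init__(self, extreme_tokens=15):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_counts = Counter()   # spam messages containing each token
        self.ham_counts = Counter()    # ham messages containing each token
        self.extreme_tokens = extreme_tokens

    def train(self, text, is_spam):
        tokens = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_counts.update(tokens)
        else:
            self.ham_docs += 1
            self.ham_counts.update(tokens)

    def token_probability(self, token):
        """P(spam | token): share of spam containing it versus share of ham,
        clamped to [0.01, 0.99]. Tokens never seen in training stay neutral."""
        if self.spam_counts[token] + self.ham_counts[token] == 0:
            return 0.5
        s = self.spam_counts[token] / max(self.spam_docs, 1)
        h = self.ham_counts[token] / max(self.ham_docs, 1)
        return min(0.99, max(0.01, s / (s + h)))

    def score(self, text):
        """Combine only the tokens furthest from neutral (the 'extreme' words)."""
        probs = [self.token_probability(t) for t in tokenize(text)]
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[: self.extreme_tokens]
        if not probs:
            return 0.5
        spam = math.prod(probs)
        ham = math.prod(1 - p for p in probs)
        return spam / (spam + ham)


# Constructed training data: ordinary office mail and ordinary pharmacy spam.
HAM = [
    "lunch meeting moved to thursday bring the quarterly report",
    "can you review the report before the board meeting",
    "the draft is attached comments welcome",
]
SPAM = [
    "cheap viagra cialis pharmacy discount",
    "discount pharmacy pills buy now cheap",
    "buy cheap pills online pharmacy",
]
# Constructed word salad: harmless words arriving in volume, labelled as spam.
WORD_SALAD = [
    "mugging denote thursday report harold",
    "meeting denote report lantern mugging",
    "report thursday quarterly denote elbow",
    "quarterly meeting thursday report mugging",
    "denote report thursday lantern harold",
    "report quarterly meeting elbow denote",
]
LEGIT = "reminder quarterly report due thursday"   # a constructed valid mail


def build_filters():
    """Return (clean, poisoned): the same filter with and without salad training."""
    clean, poisoned = BayesFilter(), BayesFilter()
    for f in (clean, poisoned):
        for m in HAM:
            f.train(m, False)
        for m in SPAM:
            f.train(m, True)
    for m in WORD_SALAD:
        poisoned.train(m, True)
    return clean, poisoned


def poisoning_effect():
    """Score the same legitimate reminder with both filters."""
    clean, poisoned = build_filters()
    return clean.score(LEGIT), poisoned.score(LEGIT)


if __name__ == "__main__":
    before, after = poisoning_effect()
    print(f"clean filter:    {before:.4f}")
    print(f"poisoned filter: {after:.4f}")
    clean, poisoned = build_filters()
    for tok in ("report", "thursday", "quarterly"):
        print(f"{tok}: {clean.token_probability(tok):.2f} -> "
              f"{poisoned.token_probability(tok):.2f}")
```

Run stand-alone, the script shows the mechanism the post describes: with clean training the reminder scores near zero, but once "report", "thursday" and "quarterly" have been seen in enough salad marked as spam their probabilities drift from 0.01 to 0.5 or above and the same valid mail crosses the 0.5 line. The defensive lesson is the one the post implies: salad should be caught upstream (sender reputation, recipient checks, rate limits) before it reaches the Bayesian stage, and automatic "learn as spam" feedback should be weighted so a flood of near-empty messages cannot swamp the counts for ordinary words.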
Another theory around this current campaign is based on reputation filtering. It says that these are being sent to bypass spam filters by appearing as benign emails; that way the sending IP or source gains a positive reputation because it has sent valid mail in the past, so future mail from that source is more likely to be judged good mail as well. This is supposed to increase the likelihood that a spammer’s future message will make it through. This theory has a lot of holes. The first is that anyone who relies solely on a reputation filter with no other layered filtering will have a lot more issues than this. Another flaw is that all of these are botnet delivered, most through home computers using their local ISP’s access. These botnets range in size, but this one is easily in the tens of thousands, high thousands at least, and the chance of one of these bots randomly hitting the same target twice is too small to be worth the effort.
Here’s my theory, are ya ready? Directory Harvest Attack, yep, I said it! Conspiracy theorists are aghast, I’m sure, but here’s my hypothesis, and the facts. First of all, I’ll have to agree with part of the reputation filter theory in that the messages are short, sweet and will easily bypass most filters initially. However, the real proof lies with who the intended recipients are. Each email is addressed to about 5 recipients, all at the same domain. Certainly a sign, and another sign is that in most cases only one of the intended recipients is actually a valid user at that particular domain. A Directory Harvest Attack is designed for the sole purpose of collecting valid email addresses. A spammer blasts out short or sometimes even blank emails to randomized but probable email addresses; when one sticks, they keep it as valid, and if it doesn’t, the invalid address is omitted from future attempts. The valid email addresses that are collected can be sold to “marketers” or used by the spammer in future campaigns.
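The recipient pattern described above (a handful of addresses per message, all at one domain, mostly non-existent) is something a mail gateway can measure. The following is an added example, not from the original post or AppRiver's filters: a per-sender heuristic run over constructed inbound records. The record layout, the list of real mailboxes, the sample IPs and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed directory of the mailboxes that actually exist at the domain.
VALID_USERS = {"alice@example.com", "bob@example.com", "helpdesk@example.com"}

# Constructed inbound records: (sending IP, subject, RCPT TO list).
# The first source sends word-salad subjects to guessed first names.
INBOUND = [
    ("203.0.113.7", "mugging denote",
     ["alice@example.com", "amanda@example.com", "anthony@example.com",
      "alyssa@example.com", "aaron@example.com"]),
    ("203.0.113.7", "harold",
     ["bob@example.com", "brian@example.com", "brenda@example.com",
      "bruce@example.com"]),
    ("198.51.100.22", "re: quarterly report", ["alice@example.com", "bob@example.com"]),
    ("198.51.100.22", "invoice attached", ["helpdesk@example.com"]),
]


def summarize_sources(records, valid_users):
    """Per sending IP: messages, recipients tried, recipients that exist,
    and how many subjects were one to three words long."""
    stats = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "valid": 0, "short_subject": 0})
    for ip, subject, rcpts in records:
        s = stats[ip]
        s["msgs"] += 1
        s["rcpts"] += len(rcpts)
        s["valid"] += sum(1 for r in rcpts if r.lower() in valid_users)
        if len(subject.split()) <= 3:
            s["short_subject"] += 1
    return dict(stats)


def harvest_suspects(records, valid_users, min_rcpts=3, max_valid_ratio=0.5):
    """IPs that try several recipients of which few exist: {ip: valid ratio}.
    min_rcpts keeps a single mistyped address from triggering the rule."""
    suspects = {}
    for ip, s in summarize_sources(records, valid_users).items():
        ratio = s["valid"] / s["rcpts"]
        if s["rcpts"] >= min_rcpts and ratio <= max_valid_ratio:
            suspects[ip] = round(ratio, 2)
    return suspects


if __name__ == "__main__":
    for ip, s in summarize_sources(INBOUND, VALID_USERS).items():
        print(ip, s)
    print("harvest suspects:", harvest_suspects(INBOUND, VALID_USERS))
```

In the constructed data the first source has tried nine recipients of which only two exist, so it is flagged with a valid ratio of 0.22, while the second source, whose recipients all exist, is not. A gateway that keeps this kind of per-source tally can defer or tarpit a sender once its unknown-recipient count passes a threshold, and it should answer valid and invalid recipients identically at SMTP time so the probe learns nothing from the response codes.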
There you have it, a long-winded explanation for a very short email. And to clarify, or fess up perhaps, my mom always fried Spam, and she never really served it with salad.

Outlook Trojan

Last week we saw a new malware campaign using a fake Microsoft Outlook update as the social engineering tactic du jour. This week has been much more of the same, but with a new and improved twist. The second version of these messages also poses as an Outlook update and appears to come from "Microsoft Customer Support". This version, which began surfacing late last week, is now running full throttle, and it is much more believable and presumably more effective. In this campaign spammers attempt to coerce you into following a link to an executable file they have provided, thus getting yourself infected. The link provided in the email even appears to point to Microsoft.com; however, if you look closely you will find that the actual base domain is ikl1l1.com. These messages also contain other links to Microsoft that, when clicked, actually direct you to the Microsoft website. This feature certainly makes the message appear more believable.

This is the link contained in the message:

http;//update.microsoft.com.ikl1l1.com/microsoftofficeupdate/isapdl/default.aspx/index2.ph

To the untrained eye this link may appear safe and legitimate.
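The trick in that link is that the registered ("base") domain is the last part of the hostname, not the familiar brand name at the front. As an added example (not code from the original post or from AppRiver), here is a small check that extracts the base domain of each link and flags links that embed a claimed brand domain as a subdomain of something else; it also handles two-label public suffixes like the .com.pl seen in a later post on this page. The short suffix set is an assumption for illustration, and a real deployment would load the full Public Suffix List instead.

```python
from urllib.parse import urlparse

# Assumed handful of multi-label public suffixes; production code should use
# the full Public Suffix List (publicsuffix.org) rather than this short set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.pl", "com.au", "co.jp"}


def registrable_domain(hostname):
    """The part of a hostname its owner actually registered (the 'base domain')."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_base_domain(url):
    """Base domain of the host a URL really points at ('' if it has none)."""
    return registrable_domain(urlparse(url).hostname or "")


def lookalike_verdict(url, claimed_domain):
    """(is_lookalike, base_domain): True when the host contains the claimed
    brand domain as a subdomain label but is registered under something else."""
    host = (urlparse(url).hostname or "").lower()
    base = registrable_domain(host)
    embeds_brand = claimed_domain.lower() in host
    return embeds_brand and base != registrable_domain(claimed_domain), base


def check_links(links, claimed_domain):
    """Return the (url, base_domain) pairs that do not belong to claimed_domain."""
    wanted = registrable_domain(claimed_domain)
    return [(u, link_base_domain(u)) for u in links if link_base_domain(u) != wanted]


# Links as they might appear in the message: the host from the post plus two
# genuine Microsoft hosts (the full paths are not reproduced here).
LINKS = [
    "http://update.microsoft.com.ikl1l1.com/",
    "https://www.microsoft.com/",
    "https://support.microsoft.com/",
]

if __name__ == "__main__":
    for url, base in check_links(LINKS, "microsoft.com"):
        flagged, _ = lookalike_verdict(url, "microsoft.com")
        print(f"{url} -> base domain {base}, brand lookalike: {flagged}")
```

Run as written, only the ikl1l1.com link is reported, with the lookalike flag set, while the two genuine microsoft.com hosts pass. The same `registrable_domain` function is what a mail filter or a browser status bar should be showing the user: the registered domain, not the leftmost label.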

Here is what this message looks like:


Following the link in the message takes you to an equally convincing web page that instructs you to download and install this file: officexp-KB910721-FullFile-ENU.exe. This file actually contains a backdoor banking Trojan, which gives an intruder remote access to the compromised system and allows them to steal sensitive data.

Here is an example of the page:

Beware of these fake updates, and if you ever find yourself about to install an update that was sent to you through email, stop. Instead of following the link in the email, go to the vendor's proper website yourself and look for updates there. We are currently blocking all known variants of this virus.

Wednesday, June 24, 2009

Adobe Shockwave Vulnerabilities Patched

Adobe announced and released a security update yesterday for its Shockwave Player, versions 11.5.0.596 and earlier. The vulnerability could allow an attacker who successfully exploits it to take control of the affected system.
Shockwave is a media player used to deliver Adobe content, much like Flash but with much more control. A user must open a corrupted Shockwave file in order to trigger the exploit.
As this vulnerability is rated "critical", Adobe recommends patching immediately, as do I. Go here to get the goods.

Monday, June 22, 2009

The Twisting of Twitter

I'm sure everyone that uses Twitter with any sort of frequency has had mysterious people (or things?!) attempt to follow their account. Or seen random posts with links to spam, like the awesome one I got last night for the first proven phonewatch of the future! Wow, I've got to have one of those!
Well, in addition to the spam links, Twitter worms and malware are now in full force. The miscreants are posting links in tweets that make use of the many URL shortening sites such as bit.ly or tinyurl.com in order to hide the true source of their links. These links, once clicked, begin an automatic download of malware, and in order to entice you into clicking them they're using the same tactics as in email based campaigns: utilizing current news topics such as Air France flight 447, the NBA Finals, etc. Stay away from these.
It was only a matter of time before Twitter was littered with this garbage as well, considering these crooks always follow popularity. Luckily for you AppRiver's own SecureSurf blocks these invites and domains for you.

Friday, June 19, 2009

This Just In - BBC News

Not incredibly interesting or new, yet still just as dangerous: this morning we're seeing a virus campaign flying through with the subject "BBC News". The body contains a single hyperlink with random fake news headlines, mostly containing something about Paris Hilton. Is she still really that interesting? Was she ever? I digress. The link attempts to start a download of evil intent. The file is named bestvideo.avi.exe, and as you might have guessed it isn't a video news snippet but a Trojan that's up to no good. It looks like it started late last night and was being proactively blocked by our filters, so AppRiver friends have no fear! Just remember not to fall victim to these scammers' ploys. If there's a big story in the news, you can rest assured that the spammers and malware authors are going to replicate it in your inbox and the rest of the interwebs. Stay informed, and not afraid.

Wednesday, June 17, 2009

Good Morning Malware

Just after 9am yesterday we began seeing messages purporting to be an “Outlook Setup Notification”. The messages contained a fake alert attempting to convince you to click on the link provided. The link is to an .exe that is not disguised very well and contains a malicious payload. Yesterday we blocked more than one million of these messages. All of them used the same domain (liventsov.ru) to deliver the malware. Below is an example of the message:


Fast forward to this morning: just after 8am today we began seeing a very similar campaign. These messages are clearly a new version of the same campaign. Today’s variant claims to have some crucial information about YOUR credit card account. The message states the need to inform you of suspicious activity on your account. Once again there is a URL at the bottom (which they would have you believe is a “Word-formatted copy of your transaction list”) that is actually a link to a malicious .exe. Just like the “Outlook Setup Notification” messages, these messages titled “Information of Your Transaction” are also using a single domain (scananida.com.pl) to deliver the malware. We have netted nearly 1 million messages so far today, putting it on par with yesterday’s campaign, which is still being sent out. Below is an example of the message:


Wednesday, June 10, 2009

Making Money in Underground Pharma Sales

While cruising around the somewhat shady Russian forums today looking for people who are still complaining about the 3FN (Pricewert) ISP shutdown last week, I began bouncing around from link to link between these users' posts. As usual, once you get in deep enough, "business" opportunities begin to surface, such as PPC (pay per click) services, money mule opportunities, or the average forum-sponsored buying and selling of malicious tools and information. Today I found another "in" to the less than reputable dark-economy style of business, specifically the online pharmaceutical industry.
You see these sites all the time; often they've been placed on the back end of legitimate mom-and-pop sites that were exploited in order to serve up the familiar Canadian Pharmacy versions, or the Indian Pharmacy, or even the generic ones.
Today I found a company that facilitates these webfronts. The ad says "We drive cash your way." and goes on to say "We are a pharmacy affiliate program developed for SEO professionals worldwide. We are a pay per sale type of program offering high commissions, high quality sites and convenient payment plans for our partners. If you are willing to join us, please ask your fellow webmasters for an invitation since we require a recommendation."
The site's "About Us" section informs prospective partners that they work directly with the manufacturers to offer the most popular medications, that includes rock-bottom prices on men's health medications.
So essentially, what you do is supply the webfronts and handle your particular orders, likely through referral numbers set up in the web pages themselves, and this company supplies the meds. It is something like a pyramid-type business where you make more money by referring more people. Seems much easier than achieving Ruby Level selling Amway. According to the site, you will then earn up to 50% revshare (revenue share) on every sale and another guaranteed 10% of the total commission on any referral sales that are made. Commission payments are made through these not-at-all sketchy business methods: bank wire, Stormpay, Moneybookers, EGold, Epassport, Fethard, or PayPal.
Another site offers 20% commission on sales up to $4000, 22% from $4-10k, and 25% on $10k+. What they lack in commission, they make up in service.
The internet has opened up a whole new way of doing business, both legitimate and illegal. Unfortunately, the dark side continues to expand, even as the authorities are having better luck shutting some of them down.