<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
		<title>Security Response Weblog</title>
		<link>http://www.symantec.com/enterprise/security_response/weblog/</link> 
		<description>Security Response</description>    
		<language>en-us</language>
        <lastBuildDate>Thu, 20 Nov 2008 00:17:03 &#43;0000</lastBuildDate>
		
		<item>
				<title>Increase in USB-Based Malware Attacks</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=220</link>
				<description>Symantec is currently observing an increase in malicious applications that use USB flash drive devices as a propagation method. Just as a clarification for any of our readers that are not familiar with the term “USB flash drive,” a USB flash drive is typically a removable portable storage device</description>
				<content:encoded><![CDATA[&lt;p&gt;Symantec is currently observing an increase in malicious applications that use USB flash drive devices as a propagation method. Just as a clarification for any of our readers that are not familiar with the term &amp;ldquo;USB flash drive,&amp;rdquo; a USB flash drive is typically a removable portable storage device that uses a USB (&lt;a href=&#034;http://computer.howstuffworks.com/usb.htm&#034; target=&#034;_blank&#034;&gt;universal serial bus&lt;/a&gt;) port to interface to a computer. USB ports are part of most modern computers and they are designed to allow many peripherals to be easily connected (plug-and-play) to a computer through a standardized interface. These USB flash drive storage devices are very useful and are becoming fairly ubiquitous in the workplace. &lt;br /&gt;&lt;br /&gt;The USB flash drive storage medium is designed to be portable, making it easy to connect to many computers in its lifetime. This, unfortunately, exposes the flash drive to the risk of infection. There are many malicious applications that propagate simply by making a copy of themselves on all drives that are attached to a computer. The portability of the USB device and its small form factor can also make it easy for attackers to plug it into computers that they have limited physical access to, potentially granting them remote access at a later time.&lt;br /&gt;&lt;br /&gt;At the moment, there are two popular methods that malicious applications use to infect USB flash drives:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Simple file copy method&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;With this method, a malicious application that is installed on an infected computer simply makes copies of itself to all storage devices that are attached to the infected computer. A copy of the malicious code will be placed on network shares, local drives, and removable media (such as USB flash drives) that are connected to the computer. 
The malicious application will usually also attempt to copy itself into the shared folders of peer-to-peer (P2P) file-sharing programs. With this method, the malicious file is often given a sensational filename to lure a victim into launching it. Quite often it also carries a familiar icon, such as the Microsoft Windows icon for a video or image file, to trick unsuspecting victims into thinking that an executable file is a harmless image or video. This infection method requires that the victim manually execute the malicious file; the copy on the drive does nothing on its own.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;AutoRun.inf modification method &lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;Microsoft Windows and some other operating systems have a feature called &amp;ldquo;AutoRun&amp;rdquo; (often conflated with AutoPlay, the related feature that offers the user a list of actions when new media is detected). AutoRun is designed to perform actions automatically when removable media is inserted into a computer.&lt;br /&gt;&lt;br /&gt;On Microsoft Windows platforms, &amp;ldquo;autorun.inf&amp;rdquo; is the file, placed in the root directory of the volume, that contains instructions for the AutoRun functionality. The autorun.inf file can instruct AutoRun to display a certain icon and label for the drive; add commands to the drive&amp;rsquo;s context menu; and, among other things, start an executable (through its open or shellexecute directive).&lt;br /&gt;&lt;br /&gt;With this infection method, the malicious application modifies or creates an autorun.inf file on all of the network shares, local drives, and removable media (including USB flash drives) that are connected to the computer, pointing it at the copy of itself that it has placed on the same volume. When an infected USB flash drive is inserted into another computer, the copy of the malicious application is automatically executed. 
Under a default configuration of Windows, this infection method requires little or no interaction from the victim beyond physically attaching the media to the computer: an autorun.inf on CD or DVD media is acted on without any prompt, and for a USB drive the AutoPlay dialog lists the autorun.inf action as the highlighted default, so it runs as soon as the user accepts the dialog.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Increasing trend of drive-infecting malicious code&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;Symantec has recently observed that both of the above methods are becoming increasingly popular propagation methods for malicious code. We have noticed the following percentage increase in several pieces of malicious code that Symantec antivirus currently blocks:&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;a href=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/siat_usb_4.jpg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/siat_usb_4sml.jpg&#034; border=&#034;0&#034; width=&#034;530&#034; height=&#034;349&#034; /&gt;&lt;/a&gt;&amp;nbsp;&lt;br /&gt;&lt;br /&gt;This trend is substantiated in vol. XIII of the Symantec &lt;em&gt;&lt;a href=&#034;http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf&#034; target=&#034;_blank&#034;&gt;Internet Security Threat Report&lt;/a&gt;&lt;/em&gt; (quoted from page 56, Propagation mechanisms subsection of the Malicious Code Trends section):&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;div align=&#034;left&#034;&gt;&amp;ldquo;In the second half of 2007, 40 percent of malicious code that propagated did so as shared executable files (table 9), a significant increase from 14 percent in the first half of 2007. Shared executable files are the propagation mechanism employed by viruses and some worms that copy themselves to removable media. 
As stated in the &amp;ldquo;Malicious code types&amp;rdquo; section above, the increasing use of USB drives and media players has resulted in a resurgence of malicious code that propagates through this vector.&lt;br /&gt;&lt;br /&gt;This vector lost popularity among malicious code authors when the use of floppy disks declined and attackers instead concentrated on other more widely used file transfer mechanisms such as email and shared network drives. However, as use of removable drives has become more widespread, attackers have again begun to employ this propagation technique. Although current removable drives differ from floppy disks, the principle remains the same, enabling attackers to make simple modifications to old propagation techniques.&amp;rdquo;&lt;br /&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;How to mitigate this threat&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;There are many policy- and configuration-based mitigations that can be used to adequately limit the propagation of these threats. Network administrators are advised to:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div align=&#034;left&#034;&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Ensure that antivirus software is up to date.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;a href=&#034;http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648&#034; target=&#034;_blank&#034;&gt;Disable AutoRun functionality&lt;/a&gt; for all drive types, not only removable media; on Windows this is the NoDriveTypeAutoRun policy value (0xFF disables it everywhere), which endpoint security systems or Group Policy can distribute. For personal computers, there are many detailed tutorials on &lt;a href=&#034;http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/&#034; target=&#034;_blank&#034;&gt;how to disable AutoRun&lt;/a&gt;. After applying the setting, verify it with a test drive that carries a harmless autorun.inf, since the policy value alone has not always been honored correctly. 
Also, holding down the SHIFT key while inserting a USB flash drive suppresses AutoRun for that insertion only; it is a habit, not a control.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; If removable drives are not required, endpoint security systems can distribute policies to prevent removable media from being recognized, which also removes the simple file copy vector.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Make user education a priority, so that network users recognize these threats and do not launch unexpected files from removable media.&lt;br /&gt;&lt;/div&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-20-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 04:03 PM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
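<![CDATA[
The following is an added example for the AutoRun description and the mitigation list above; it is not code from the Symantec post. It parses an autorun.inf copied off a suspect drive and flags the directives that launch a program or disguise the drive, and it decodes the Windows NoDriveTypeAutoRun policy bitmask so an administrator can see which drive types a given value still leaves AutoRun enabled for (the Windows XP default of 0x91 leaves USB drives and CDs enabled). The two autorun.inf samples are constructed and the file name RECYCLER\autoplay.exe in them is hypothetical; the drive-type bit values and the policy key path are the real Windows definitions.

```python
"""Added example (not from the Symantec post): triage an autorun.inf found on removable
media, and check whether a NoDriveTypeAutoRun policy value really covers USB drives.
Both autorun.inf samples are constructed for this example; their file names are hypothetical."""
import re
from typing import Dict, List

# Bits of the Explorer policy value NoDriveTypeAutoRun (REG_DWORD under
# SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer in HKLM or HKCU).
# A set bit disables AutoRun for that drive type; 0xFF disables it everywhere.
DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED = 0x01, 0x02, 0x04, 0x08
DRIVE_REMOTE, DRIVE_CDROM, DRIVE_RAMDISK, DRIVE_RESERVED = 0x10, 0x20, 0x40, 0x80
ALL_DRIVE_TYPES = 0xFF
WINDOWS_XP_DEFAULT = 0x91  # unknown + network + reserved only: USB drives and CDs still auto-run


def autorun_blocked(policy_value: int, drive_type_bit: int) -> bool:
    """True when the policy value disables AutoRun for the given drive type."""
    return bool(policy_value & drive_type_bit)


def drive_types_still_autorunning(policy_value: int) -> List[str]:
    """Drive types a policy value leaves AutoRun enabled for (the ones a USB worm cares about)."""
    named = [(DRIVE_REMOVABLE, "removable"), (DRIVE_FIXED, "fixed"),
             (DRIVE_REMOTE, "network"), (DRIVE_CDROM, "cdrom")]
    return [name for bit, name in named if not autorun_blocked(policy_value, bit)]


def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader: {section: {lowercased key: value}}. Comments start with ';',
    the last occurrence of a repeated key wins. configparser is avoided on purpose: real
    autorun.inf files mix key case, repeat keys and contain backslashes in key names."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


# shell\<verb>\command defines a context-menu verb for the drive; together with shell=<verb>
# it also becomes the action taken when the drive is double-clicked.
SHELL_VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def triage_autorun_inf(text: str) -> List[str]:
    """One finding per suspicious directive in [autorun]; an empty list means nothing is launched."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    findings = []
    for key, value in autorun.items():
        if key in ("open", "shellexecute") or SHELL_VERB_COMMAND.match(key):
            findings.append(f"{key}={value}: a program is launched on insertion or double-click")
        elif key == "shell":
            findings.append(f"shell={value}: default double-click verb replaced")
        elif key == "action" and "open folder" in value.lower():
            findings.append(f"action={value}: mimics the built-in AutoPlay folder entry (heuristic)")
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append(f"icon={value}: borrows a system icon so the drive looks ordinary (heuristic)")
    return findings


# Constructed samples. The malicious one combines the directives an infected drive typically
# carries: a launch directive, a default verb, a system icon and a spoofed AutoPlay caption.
SAMPLE_MALICIOUS = r"""[autorun]
open=RECYCLER\autoplay.exe
shell\open\Command=RECYCLER\autoplay.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

SAMPLE_BENIGN = r"""; a vendor CD that only sets a drive label and icon
[AutoRun]
icon=setup.ico
label=Vendor Tools
"""

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_autorun_inf(sample) or "clean")
    print("XP default 0x91 still auto-runs:", drive_types_still_autorunning(WINDOWS_XP_DEFAULT))
    print("0xFF still auto-runs:", drive_types_still_autorunning(ALL_DRIVE_TYPES))
```

On a host, read the effective value with reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun (and the same path under HKCU, which Explorer also consults) and feed it to drive_types_still_autorunning. Writing the value is not the whole story: Microsoft published KB 953252 in July 2008 because the value was not being honoured correctly on some systems, which is why the mitigation list asks for a test with a harmless autorun.inf after deployment.
]]>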
				<dc:creator>Security Intel Analysis Team</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=220</guid>
				<dc:date>2008-11-20T00:17:03+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>Spammers Continue Their “Acquaintance” With the IRS – in November!</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=124</link>
<description>January to March is traditionally the time when taxpayers in the U.S. become reacquainted with their tax advisers as the mid-April “tax day” deadline looms. Unfortunately, this period has also become a time when phishing that impersonates the IRS becomes more prevalent.</description>
<content:encoded><![CDATA[&lt;p&gt;January to March is traditionally the time when taxpayers in the U.S. become reacquainted with their tax advisers as the mid-April &amp;ldquo;tax day&amp;rdquo; deadline looms. Unfortunately, this period has also become a time when phishing that impersonates the IRS becomes more prevalent. As reported in the Symantec State of Spam report for April 2008, spammers continued to attempt to disguise themselves as the IRS, dangling an offer of a tax refund to unwitting recipients.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;Imagine our surprise when we observed a phishing attack using the IRS brand in November&amp;mdash;nearly five months before the next deadline for individual taxpayers. This phishing email indicated that the recipient was eligible to receive a tax refund and directed them to a website where the refund would be processed. The fraudulent site, branded with the IRS logo, is being used as a collection tool for credit card and other personal information.&lt;br /&gt;&lt;br /&gt;The spam attack could be trying to take advantage of individuals who filed for a tax extension with an October 15th deadline and who might be looking for their tax refund. In addition, the IRS recently reported that it is looking for taxpayers who have not yet received their economic stimulus checks (checks totaling about USD 163 million were returned by the U.S. Postal Service due to mailing address errors). By law, economic stimulus checks must be sent out by December 31st of this year.&lt;br /&gt;&lt;br /&gt;So, email users, beware of these attacks. 
&amp;quot;If it looks too good to be true, then it probably is!&amp;quot; And, as the IRS indicates on its website, it &amp;ldquo;&lt;strong&gt;does not&lt;/strong&gt; initiate communication with taxpayers through email.&amp;rdquo;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dh_irs.jpg&#034; border=&#034;0&#034; /&gt;&amp;nbsp;&lt;/p&gt;]]></content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=124</guid>
				<dc:date>2008-11-19T17:21:14+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Lost and Found</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=grab_bag&amp;thread.id=107</link>
				<description>A while back I came across an article about a website that tries to reunite lost photos with their owners. People who come across cameras, memory sticks, or photos are asked to upload a few of them onto the site with information such as location, date, or other specific details that may be recognizable by the owner.</description>
				<content:encoded><![CDATA[&lt;p&gt;A while back I came across &lt;a href=&#034;http://www.usatoday.com/tech/webguide/internetlife/2008-05-27-lost-camera-blog_N.htm?csp=34&#034; target=&#034;_blank&#034;&gt;an article&lt;/a&gt; about a website that tries to reunite lost photos with their owners. People who come across cameras, memory sticks, or photos are asked to upload a few of them onto the site with information such as location, date, or other specific details that may be recognizable by the owner. These photos are public to everyone on the Internet and the goal of the website is for people to browse through the pictures and to connect the photographer back to the photos.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;While I can appreciate the spirit of the site, as a security person, I&#039;m very skeptical about introducing a found memory stick or photo memory card into my computer. As noted in the &lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;ISTR XIII&lt;/a&gt;, memory sticks (or USB thumb flash drives) represent a serious security concern because they can be entry points for malicious code into a computer or network. As with the floppy disks of the past, these USB drives can be infected with malicious code, such as viruses, worms, or Trojans, which can propagate when inserted into a computer. A user who finds this type of removable drive may unwittingly copy the infected files onto his or her own computer and, if the computer is connected to an enterprise, may potentially infect the network. Also, since many USB drives have huge storage capacities, a small infected file among hundreds of MB-sized photographs would be difficult to detect.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;As part of any best practices, be suspicious of introducing any foreign media into your computer, especially if you don&#039;t know where it came from. 
Some lost things may need to stay on the &lt;a href=&#034;http://www.imdb.com/title/tt0411008/&#034; target=&#034;_blank&#034;&gt;island&lt;/a&gt;!&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-18-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 11:43 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>M.K. Low</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=grab_bag&amp;thread.id=107</guid>
				<dc:date>2008-11-17T15:16:26+00:00</dc:date>
				<category>Grab Bag</category>
			</item>
		<item>
				<title>A Smart Worm for a Smartphone – WinCE.PmCryptic.A</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=mobile_wireless&amp;thread.id=52</link>
				<description>We have already seen a file infector working on smartphones (see WinCE.Duts.A) and a worm that could spread by infecting storage cards (see WinCE.Infomeiti). Now, we have the first polymorphic worm (although some refer to it as a companion virus) that affects smartphones running Windows CE platform on ARM processors—it is known as WinCE.Pmcryptic.A.</description>
				<content:encoded><![CDATA[&lt;p&gt;We have already seen a file infector working on smartphones (see &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2004-071710-2120-99&#034; target=&#034;_blank&#034;&gt;WinCE.Duts.A&lt;/a&gt;) and a worm that could spread by infecting storage cards (see &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2008-022706-3957-99&#034; target=&#034;_blank&#034;&gt;WinCE.Infomeiti&lt;/a&gt;). Now, we have the first polymorphic worm (although some refer to it as a companion virus) that affects smartphones running Windows CE platform on ARM processors&amp;mdash;it is known as &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-111111-4000-99&#034; target=&#034;_blank&#034;&gt;WinCE.Pmcryptic.A&lt;/a&gt;. It spreads by generating new polymorphic copies of itself each time, and can cause a severe nuisance on a compromised phone (including unwanted phone calls to toll numbers).&lt;br /&gt;&lt;br /&gt;After analyzing the sample, we discovered it contained many interesting payloads. So, we executed it on a test smartphone to see the threat in action. 
It started with an error message box:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt1.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;460&#034; /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Image 1: &lt;/strong&gt;It begins with this message box.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;A few minutes later, the phone started feeling lonely and decided to call someone:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt2.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;461&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Image 2: &lt;/strong&gt;A phone call is started automatically.&lt;br /&gt;&lt;br /&gt;The call is to 1860 and lasts a few seconds. 1860 is a toll number that differs between telephony providers, but is often directory services. The compromised phone will dial this number approximately every 11 hours, so pay close attention. If your phone gets infected by this worm, you may receive a very high bill next month!&lt;br /&gt;&lt;br /&gt;Eventually PMCryptic got bored and decided to change its look:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt3.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;459&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;br /&gt;&lt;strong&gt;Image 3: &lt;/strong&gt;The phone starts cycling through different combinations of colors. This is just one of the many combinations!&lt;br /&gt;&lt;br /&gt;Woah! The system colors started changing randomly, making it more difficult to actually analyze the phone. Unfortunately, the color party was over pretty soon, and the phone set itself to a black theme. 
This is what the phone looked like in the end:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt4.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;463&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;br /&gt;&lt;strong&gt;Image 4:&lt;/strong&gt; &amp;ldquo;Fade to black&amp;rdquo; goes the smartphone.&lt;br /&gt;&lt;br /&gt;Dead. Well, the phone was actually working, but I could not see anything I was clicking. And a restart did not help; the color stayed black.&lt;br /&gt;&lt;br /&gt;Also, for each payload, the worm seems to create a thread and therefore saturates the smartphone&amp;rsquo;s capacity pretty quickly. I often experienced system delays and unresponsiveness, forcing me to restart the device:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt5.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;461&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;br /&gt;&lt;strong&gt;Image 5:&lt;/strong&gt; These files have been created by the worm. Notice how the files&amp;rsquo; dates and sizes seem to be random.&lt;br /&gt;&lt;br /&gt;The worm isn&amp;rsquo;t just a nuisance. It also copies itself in a polymorphic fashion to flash storage cards and the Windows directory. Each replication will have a different size and MD5, and will also carry a randomly generated date and time stamp. The worm will choose random existing folders on the device, enable the hidden attribute for them (so they will not be visible in the file explorer), and then create a copy of itself with the same name as each hidden folder. The icon of this worm is the icon of a folder, so it&amp;rsquo;s very easy to be tricked into thinking you are seeing the actual folder and not an executable file. 
When one of these files is clicked, it runs and then displays the content of the folder it mimics, so the user believes he or she opened a folder and not a file.&lt;br /&gt;&lt;br /&gt;Hiding the folders has an unintended side effect: the &amp;ldquo;Today&amp;rdquo; screen can no longer show some of them, so it shrinks in size:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt6.jpg&#034; border=&#034;0&#034; width=&#034;350&#034; height=&#034;461&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Image 6:&lt;/strong&gt; Where did the menu items go?&lt;br /&gt;&lt;br /&gt;You can see that the main menu behind the message box is smaller than it should be (compare Image 1 above to see how the menu normally looks). The same applies to the Start menu. This is already annoying, and the best part is yet to come.&lt;br /&gt;&lt;br /&gt;Time to go for deeper analysis! During the tests, several new generations of the worm were generated, so I compared them and it was pretty easy to spot the differences. First, the worm appends random data to itself at every generation, so that each copy has a slightly different file size. Second, the worm changes almost all of its code, leaving the data sections unchanged. As one would expect, the code has a common stub that decrypts the real viral part of the worm.&lt;br /&gt;&lt;br /&gt;In fact, the first 400 bytes of the code section contain a small loader, which decrypts the bytes that follow. It is also interesting to note that the loader&amp;rsquo;s instructions are interwoven with randomly generated junk instructions, which makes every copy look different and harder to read. The encryption scheme is a simple XOR operation with a repeating 8-byte key. 
So, every generated worm will have random appended data, a common loader padded with random junk instructions, and a block of encrypted code&amp;mdash;where the encryption key is random in every generation. This makes every generated worm differ from its siblings in both size and MD5, so a hash of the file is useless as a signature; detection has to key on the decrypted body or on the behavior. The encryption is also not a single layer: there are three layers of encrypted data that must be undone before all of the original code is visible.&lt;br /&gt;&lt;br /&gt;Once decrypted, the analysis is quite straightforward; all of the functionality described above was observed in the code:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/al_pmcrypt7.jpg&#034; border=&#034;0&#034; width=&#034;500&#034; height=&#034;523&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Image 7:&lt;/strong&gt; Here is the viral code responsible for the ghost phone call.&lt;br /&gt;&lt;br /&gt;For an ARM threat, this is very interesting! Once all of the worm executables have been deleted, one still has to unhide the folders on the file system and return the system colors to their default values. 
Unfortunately, WinCE does not provide, by default, tools for doing this, so an infected user will likely need to download and run third-party tools to bring order back to the compromised device.&lt;br /&gt;&lt;br /&gt;Always apply the following general precautions and you will avoid many painful problems: &lt;/p&gt;&lt;blockquote&gt;1)&amp;nbsp;&amp;nbsp;&amp;nbsp; Pay attention to what you are running.&lt;br /&gt;2)&amp;nbsp;&amp;nbsp;&amp;nbsp; Pay attention to the storage cards you are plugging into your phone.&lt;/blockquote&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;* Note&lt;/strong&gt;: Thanks to Eric Chien for his valuable help during the ARM analysis and to our friends at Kaspersky for providing a sample.&lt;/p&gt;]]></content:encoded>
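<![CDATA[
An added example for the polymorphism analysis above; it is not the worm's code. It models the scheme the post describes (random junk ahead of a loader, a random 8-byte XOR key for each of three layers, the encrypted body, random appended data) to show why every generation has a new size and MD5 while the decrypted body never changes, and why three XOR layers of equal period are no stronger than one. The container layout (the MAGIC marker, key table and length field) is this example's own invention, and BODY is a constructed stand-in for the decrypted code; the real stub is ARM code and is not reproduced here.

```python
"""Added example for the WinCE.PmCryptic.A write-up; not the worm's code. Models the described
polymorphism: [junk][loader with 3 random 8-byte keys][3x XOR-encrypted body][random trailer].
MAGIC, the key table and the length field are this example's invention; BODY is constructed."""
import hashlib
import random
import struct
from typing import List, Tuple

KEY_LEN = 8      # the post: "a repeating 8 bytes long key"
LAYERS = 3       # the post: "three different layers of encrypted data"
MAGIC = b"PMCX"  # hypothetical marker standing in for the loader's recognisable code pattern

# Constructed stand-in for the decrypted viral body (what the analyst actually wants to read).
BODY = (b"ARM body model: dial 1860 every 11 hours; hide folders; recolor theme; "
        b"copy self to storage cards and \\Windows. ") * 3


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def generate_variant(body: bytes, rng: random.Random) -> bytes:
    """One generation: [junk][MAGIC][key table][body length][3x XOR-encrypted body][trailer]."""
    junk = rand_bytes(rng, rng.randint(16, 96))        # junk instructions ahead of the loader
    keys = [rand_bytes(rng, KEY_LEN) for _ in range(LAYERS)]
    cipher = body
    for key in keys:                                    # layer 1 applied first, layer 3 last
        cipher = xor_repeating(cipher, key)
    trailer = rand_bytes(rng, rng.randint(0, 64))       # the random appended data
    header = MAGIC + b"".join(keys) + struct.pack("<I", len(body))
    return junk + header + cipher + trailer


def parse_loader(sample: bytes) -> Tuple[List[bytes], bytes]:
    """Locate the loader, read its key table and the encrypted block (what an unpacker does)."""
    off = sample.find(MAGIC)
    if off == -1:
        raise ValueError("loader marker not found")
    off += len(MAGIC)
    keys = [sample[off + i * KEY_LEN:off + (i + 1) * KEY_LEN] for i in range(LAYERS)]
    off += KEY_LEN * LAYERS
    (length,) = struct.unpack_from("<I", sample, off)
    off += 4
    return keys, sample[off:off + length]


def unpack_variant(sample: bytes) -> bytes:
    """Undo the layers in reverse order to recover the body."""
    keys, cipher = parse_loader(sample)
    for key in reversed(keys):
        cipher = xor_repeating(cipher, key)
    return cipher


def effective_key(keys: List[bytes]) -> bytes:
    """Repeating-key XOR layers with the same period collapse into one key (k1 ^ k2 ^ k3):
    the extra layers cost the analyst another stub to read but add no strength."""
    combined = bytes(KEY_LEN)
    for key in keys:
        combined = xor_repeating(combined, key)
    return combined


def raw_md5(sample: bytes) -> str:
    """What a file-hash blocklist sees: different for every generation."""
    return hashlib.md5(sample).hexdigest()


def body_signature(sample: bytes) -> str:
    """A hash over the decrypted body: identical for every generation."""
    return hashlib.sha256(unpack_variant(sample)).hexdigest()


def make_generations(count: int, seed: int = 2008) -> List[bytes]:
    """Deterministic set of generations for the demonstration and its test."""
    rng = random.Random(seed)
    return [generate_variant(BODY, rng) for _ in range(count)]


if __name__ == "__main__":
    for sample in make_generations(5):
        print(f"size={len(sample):4d} md5={raw_md5(sample)} body={body_signature(sample)[:16]}")
```

On a real sample the equivalent of parse_loader is reading the key out of the decryption stub in a disassembler: the stub is plain ARM code and must contain or compute the key, so no guessing is needed. effective_key shows why stacking XOR layers of the same period buys the author nothing beyond extra analyst time, and body_signature is the reason signatures for a family like this are taken on the decrypted body (or on behavior, such as the call to 1860) rather than on the file hash.
]]>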
				<dc:creator>Andrea Lelli</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=mobile_wireless&amp;thread.id=52</guid>
				<dc:date>2008-11-13T22:41:15+00:00</dc:date>
				<category>Mobile &amp; Wireless</category>
			</item>
		<item>
				<title>Hosting Company Shutdown Causes Spam Volumes to Fall - For Now!</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=123</link>
<description>The recent shutdown of a San Jose-based hosting company – McColo.com – appears to have resulted in a significant short-term drop in spam traffic worldwide. At approximately 21:30 GMT on November 11, 2008, multiple upstream network providers shut down access to McColo.com hosted systems based on abuse complaints. The result was a quick and dramatic decrease in spam sent worldwide.</description>
<content:encoded><![CDATA[&lt;p class=&#034;MsoNormal&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;span style=&#034;font-size: 10pt; font-family: &#039;Arial&#039;,&#039;sans-serif&#039;&#034;&gt;The recent shutdown of a San Jose-based Web hosting company named McColo.com appears to have resulted in a significant short-term drop in spam traffic worldwide. At approximately 21:30 GMT on November 11, 2008, multiple upstream network providers shut down access to McColo.com hosted systems, based on abuse complaints. One of the results of this action was a quick and dramatic decrease in spam sent worldwide. &lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;br /&gt;&lt;/font&gt;&lt;p class=&#034;MsoNormal&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;span style=&#034;font-size: 10pt; font-family: &#039;Arial&#039;,&#039;sans-serif&#039;&#034;&gt;The volume change could be measured directly in the Symantec probe network, which saw a 65% drop in spam traffic when comparing the 24 hours before the McColo.com shutdown with the 24 hours after. It is interesting that shutting down a single hosting company could have such a large impact on overall spam volume, but when you consider that McColo.com was allegedly hosting a significant number of botnet command-and-control systems, it is not totally surprising. Its IP range has, in the past, been linked with reports of serving Rustock downloaders and with controlling the spambot component. Simply performing a Web search for the addresses associated with this range returns write-ups from several security vendors, all of them related to Rustock. 
By cutting the link between these systems and the bot-infected machines they control, the ability to send spam from botnets such as &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&#034; target=&#034;_blank&#034; title=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&#034;&gt;Rustock&lt;/a&gt; and &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&#034; target=&#034;_blank&#034; title=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99&#034;&gt;Srizbi&lt;/a&gt; can be significantly impacted. The speed with which spam volumes decreased also demonstrates the fact that while botnets are becoming increasingly robust, there are many that can still be impacted by losing a critical command-and-control link.&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;br /&gt;&lt;/font&gt;&lt;p class=&#034;MsoNormal&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;span style=&#034;font-size: 10pt; font-family: &#039;Arial&#039;,&#039;sans-serif&#039;&#034;&gt;However, t&lt;/span&gt;&lt;span style=&#034;font-size: 10pt; font-family: &#039;Arial&#039;,&#039;sans-serif&#039;&#034;&gt;his decrease in spam volume will not be sustained and it is certain that while this battle may be won, the spam war is not over: &lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p class=&#034;MsoNormal&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Command-and-control systems will be re-established and more importantly, this event may drive spammers toward the continued use of peer-to-peer botnets, which are generally more 
resilient.&lt;/font&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; In this turbulent economic climate there may be other hosting companies around the world that are willing to facilitate this sort of spam activity. In October, Symantec reported that the distribution of active zombies around the world was shifting: Turkey, Brazil, and Russia are the top three countries hosting active zombie machines, and the U.S. comes in fourth, hosting six percent of active zombie machines.&lt;/font&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Historically, the end of the calendar year sees a large increase in spam volume, often driven by the holiday season.&lt;br /&gt;&lt;/font&gt;&lt;/blockquote&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034; size=&#034;1&#034;&gt;&lt;span style=&#034;font-size: 10pt; font-family: &#039;Arial&#039;,&#039;sans-serif&#039;&#034;&gt;While this event may present an obstacle for spammers looking to get their message out in the short term, the profit motive still exists and will undoubtedly drive new spam campaigns. Look for more from us on this as we monitor spam levels during the coming days.&lt;/span&gt;&lt;/font&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-13-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 03:54 PM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=123</guid>
				<dc:date>2008-11-13T19:59:49+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Image Spammers Show That There is Some Fight Left in the Old Dog</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=121</link>
<description>Mark Twain once said, “It&#039;s not the size of the dog in the fight, it&#039;s the size of the fight in the dog.” And this idea also seems apt when considering image spammers.</description>
<content:encoded><![CDATA[&lt;p&gt;Mark Twain once said, &amp;ldquo;It&amp;rsquo;s not the size of the dog in the fight, it&amp;rsquo;s the size of the fight in the dog.&amp;rdquo; And this idea also seems apt when considering image spammers. While image spam has not yet regained the dizzying heights of 2007&amp;mdash;when 52% of all spam was image spam&amp;mdash;in the last seven days, image spam has averaged seven percent of all spam messages. As image spam struggles to find its feet within the overall composition of spam messages, another image spam trend has emerged: larger messages. By analyzing image spam recorded in the last seven days, Symantec notes that over this period:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; 9.7% of image spam had a message size greater than 100kb&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; 48% of image spam had a message size between 10kb and 50kb&lt;br /&gt;&lt;/blockquote&gt;&lt;p&gt;In the last 24 hours alone, 28% of image spam had a message size greater than 100kb:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dh_imgspm_lrg.jpg&#034; border=&#034;0&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;When you consider spam messages in total for the last 30 days, only six percent fall into the 10kb&#43; range, with the majority (78%) of messages falling into the 2kb-5kb range. Large message sizes put disproportionate strain on mail infrastructures and could prevent end users from receiving legitimate email. If image spam continues to fight for its position within the &amp;ldquo;spamscape,&amp;rdquo; it could spell trouble for unprotected mail infrastructures. The good news is that Symantec antispam effectiveness is not being negatively impacted by this trend.&lt;/p&gt;]]></content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=121</guid>
				<dc:date>2008-11-13T15:19:06+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Microsoft Patch Tuesday - November 2008</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=177</link>
				<description>Hello and welcome to this month’s blog on the Microsoft patch releases. This is a light month, with two bulletins covering four vulnerabilities.</description>
				<content:encoded><![CDATA[&lt;p&gt;Hello and welcome to this month&amp;rsquo;s blog on the Microsoft patch releases. This is a light month, with two bulletins covering four vulnerabilities.&lt;br /&gt; &lt;br /&gt;The only &amp;ldquo;Critical&amp;rdquo; issue this month is a previously public remote-code execution vulnerability (BID 21872) in Microsoft XML Core Services. The remaining three issues are rated &amp;ldquo;Important&amp;rdquo; and include two information-disclosure issues affecting XML Core Services and a remote code-execution issue in Server Message Block (SMB).&lt;br /&gt; &lt;br /&gt;As always, customers are advised to follow these security best practices:&lt;br /&gt;&lt;br /&gt;-	Block external access at the network perimeter to specific sites and computers only.&lt;br /&gt;-	Avoid sites of questionable or unknown integrity.&lt;br /&gt;-	Never open files from unknown or questionable sources.&lt;br /&gt;-	Run all software with the least privileges required while still maintaining functionality.&lt;br /&gt;&lt;br /&gt;Microsoft&amp;rsquo;s summary of the November releases can be found here: &lt;br /&gt;&lt;a href=&#034;http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx&#034; target=&#034;_blank&#034;&gt;http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1. 
&lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-069.mspx&#034; target=&#034;_blank&#034;&gt;MS08-069&lt;/a&gt; Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;CVE-2007-0099 (&lt;a href=&#034;http://www.securityfocus.com/bid/21872&#034; target=&#034;_blank&#034;&gt;BID 21872&lt;/a&gt;) Microsoft XML Core Services Race Condition Memory Corruption Vulnerability (MS Rating: Critical /Symantec Urgency Rating 8.5/10)&lt;br /&gt;&lt;br /&gt;This is a previously public vulnerability in Microsoft XML Core Services disclosed on January 4, 2007, and documented in &lt;a href=&#034;http://www.securityfocus.com/bid/21872&#034; target=&#034;_blank&#034;&gt;BID 21872&lt;/a&gt;. The problem occurs when rendering &#039;XML&#039; documents that contain an excessive amount of nested tags and are displayed in an &#039;IFRAME&#039;. If the rendering process is repeatedly disrupted with a JavaScript timer, forcing the page to reload every 50-100 milliseconds, the application becomes corrupted and the vulnerability is triggered. Attackers can exploit this issue to execute arbitrary machine code in the context of the vulnerable application. Failed exploit attempts will cause denial of service conditions.&lt;br /&gt;&lt;br /&gt;Affects: Microsoft XML Core Services 3.0&lt;br /&gt;&lt;br /&gt;CVE-2008-4029 (&lt;a href=&#034;http://www.securityfocus.com/bid/32155&#034; target=&#034;_blank&#034;&gt;BID 32155&lt;/a&gt;) Microsoft XML Core Services DTD Cross Domain Information Disclosure Vulnerability (MS Rating: Important /Symantec Urgency Rating 6.7/10)&lt;br /&gt;&lt;br /&gt;A cross-domain information disclosure vulnerability affects Microsoft XML Core Services due to how it handles error checks for external document type definitions (DTDs). An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. 
A successful attack will result in the disclosure of potentially sensitive information from other domains. Information obtained may aid in further attacks.&lt;br /&gt;&lt;br /&gt;Affects: Microsoft XML Core Services 3.0, and 4.0&lt;br /&gt;&lt;br /&gt;CVE-2008-4033 (&lt;a href=&#034;http://www.securityfocus.com/bid/32204&#034; target=&#034;_blank&#034;&gt;BID 32204&lt;/a&gt;) Microsoft XML Core Services Transfer Encoding Cross Domain Information Disclosure Vulnerability (MS Rating: Important /Symantec Urgency Rating 6.7/10)&lt;br /&gt;&lt;br /&gt;A cross-domain information disclosure vulnerability affects Microsoft XML Core Services due to how it handles transfer-encoding headers. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. A successful attack will result in the disclosure of potentially sensitive information from other domains. Information obtained may aid in further attacks.&lt;br /&gt;&lt;br /&gt;Affects: Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2. &lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx&#034; target=&#034;_blank&#034;&gt;MS08-068&lt;/a&gt; Vulnerability in SMB Could Allow Remote Code Execution (957097)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;CVE-2008-4037 (&lt;a href=&#034;http://www.securityfocus.com/bid/7385&#034; target=&#034;_blank&#034;&gt;BID 7385&lt;/a&gt;) Microsoft Windows SMB Credential Reflection Vulnerability (MS Rating: Important /Symantec Urgency Rating 8.5/10)&lt;br /&gt;&lt;br /&gt;This is a previously documented  remote code-execution vulnerability affecting the Microsoft Server Message Block (SMB) protocol. The problem occurs because of how SMB handles NTLM credentials. 
Specifically, if an attacker can trick a victim into connecting to a malicious SMB server, the attacker can reflect the victim&amp;rsquo;s credentials back, and gain access to the victim&amp;rsquo;s computer in the context of the currently logged-in user.&lt;br /&gt;&lt;br /&gt;Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems, x64-based Systems, and Itanium-based Systems.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;hr /&gt;&lt;br /&gt;More information on the vulnerabilities being addressed this month is available at Symantec&amp;rsquo;s free &lt;a href=&#034;http://www.securityfocus.com/&#034; target=&#034;_blank&#034;&gt;SecurityFocus&lt;/a&gt; portal and to our customers through the DeepSight Threat Management System.&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-11-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 11:55 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Robert Keith</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=177</guid>
				<dc:date>2008-11-11T19:25:23+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>Acrobat util.printf() Exploit Detected with Existing IPS Signatures</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=176</link>
				<description>It appears that last night, an exploit for the Acrobat util.printf() vulnerability was added to a well known Web attack toolkit. The attack exists as a compressed PDF. Once decompressed, the exploit is encoded with a simple eval()&#43;concatenation block:</description>
				<content:encoded><![CDATA[&lt;p&gt;It appears that last night, an exploit for the &lt;a href=&#034;http://www.securityfocus.com/bid/30035&#034; target=&#034;_blank&#034;&gt;Acrobat util.printf() vulnerability&lt;/a&gt; was added to a well known Web attack toolkit. The attack exists as a compressed PDF. Once decompressed, the exploit is encoded with a simple eval()&#43; concatenation block:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;font face=&#034;times new roman,times&#034;&gt;--&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;function main() {&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;eval(unescape(&amp;quot;&amp;quot;&#43;&amp;quot;%&amp;quot;&#43;&amp;quot;76%61%&amp;quot;&#43;&amp;quot;72%20%7&amp;quot;&#43;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;..&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;this.closeDoc(true);&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;}&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;app.setTimeOut(&amp;quot;main()&amp;quot;, 5000);&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;--&lt;/font&gt;&lt;br /&gt;&lt;/blockquote&gt;&amp;nbsp;&lt;br /&gt;This decodes into an exploit for the util.printf() vulnerability:&lt;br /&gt;&amp;nbsp;&lt;br /&gt;&lt;blockquote&gt;&lt;font face=&#034;times new 
roman,times&#034;&gt;---&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;var sccs = unescape(&amp;quot;&amp;quot;&#43;&amp;quot;%&amp;quot;&#43;&amp;quot;u03eb%u&amp;quot;&#43;&amp;quot;eb59%ue805%uf&amp;quot;&#43;&amp;quot;ff8%uffff%u4949%u4949%u494&amp;quot;&#43; ...);&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;...&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;util.printf(unescape(&amp;quot;&amp;quot;&#43;&amp;quot;%&amp;quot;&#43;&amp;quot;25%34%35%30%30%30%66&amp;quot;), nm);&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;nbsp;&lt;/font&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;---&lt;/font&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;In spite of the two-layer encoding on the exploit, the attack is detected as &lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23153&#034; target=&#034;_blank&#034;&gt;HTTP Acrobat PDF Suspicious File Download&lt;/a&gt; on NAV/NIS/N360, using any IPS definition set after October 3. &lt;br /&gt;&amp;nbsp;&lt;br /&gt;There are some reports of detection problems on this attack, but they are not accurate. Symantec products rely on several defensive mechanisms to protect a host, including network and host intrusion prevention, as well as antivirus. 
Currently, our products do not have antivirus protection for this attack (although an update is being released for &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110718-5133-99&#034; target=&#034;_blank&#034;&gt;Trojan.Pidief.D&lt;/a&gt;), but the intrusion prevention systems resident in NAV/NIS/N360 will catch it with existing definitions. I believe this discrepancy is simply a testing issue in some of the public test harnesses. &lt;br /&gt;&lt;br /&gt;&lt;font color=&#034;#ff0000&#034;&gt;&lt;strong&gt;UPDATE:&lt;/strong&gt;&lt;/font&gt; &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110718-2219-99&#034; target=&#034;_blank&#034;&gt;Bloodhound.exploit.213&lt;/a&gt; has since been released to cover this vulnerability specifically.&lt;br /&gt;&lt;br /&gt;We recommend that customers update their Adobe Reader and Acrobat installations if they haven&amp;rsquo;t already. Please also review Adobe&#039;s bulletin here: &lt;a href=&#034;http://www.adobe.com/go/apsb08-19&#034; target=&#034;_blank&#034;&gt;http://www.adobe.com/go/apsb08-19&lt;/a&gt;.&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 11-08-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 04:37 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Sean Hittel</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=176</guid>
				<dc:date>2008-11-07T23:16:59+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>Spammers Continue to Wage Their Own U.S. Presidential Campaigns</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=120</link>
				<description>While the U.S. voters have now been heard and are welcoming their new president, it is important for us to remember that the spam campaign is certainly not over. Spam levels averaged in at 76.4 percent of all messages in October 2008. This spam level represents a year-on-year increase of nearly six percent since October 2007.</description>
				<content:encoded><![CDATA[&lt;p&gt;While the U.S. voters have now been heard and are welcoming their new president, it is important for us to remember that the spam campaign is certainly not over. Spam levels averaged in at 76.4 percent of all messages in October 2008. This spam level represents a year-on-year increase of nearly six percent since October 2007.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt; Over the last year, Symantec has been monitoring spam related to the U.S. presidential campaign. It all began 12 months ago when spammers cast their first votes for Republican nominee Ron Paul. With spam subject lines such as &amp;ldquo;IRS Fears Ron Paul?&amp;rdquo;, it was certainly an early indication that it was going to be an interesting year for spam related to the presidential campaigns. February 2008 saw a round of bogus links to Hillary Clinton videos that were cloaking a malicious Trojan. This tactic emulated a popular technique being used by spammers to link malicious code and spam. This trend continued in amongst other types of spam attacks during 2008.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt; March 2008 saw the U.S. presidential spam race heat up even further. URLs containing Hillary Clinton&amp;rsquo;s name were observed in pornography and male enhancement pill spam. After Hillary, spammers moved on to the remaining frontrunners. 
One spammer cast his vote for Mike Huckabee, with Barack Obama and John McCain having their names linked with &amp;quot;portable dewrinkle machine&amp;quot; spam, medical product spam and get-rich-quick spam messages.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt; When Obama took his trip to Europe in July, spammers followed up with a presidential spam campaign that contained spam subject lines such as &amp;ldquo;Kick-up &amp;ndash; Obama speaks in London &amp;ndash; video.&amp;rdquo; In August, as McCain was about to announce his VP nominee, a spam email was circulated from spammers with the subject line &amp;ldquo;McCain chooses Paris Hilton as running mate.&amp;rdquo; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;These Presidential spam attacks were certainly not harmless &amp;ndash; if the recipient opened one of these messages, they were often asked to click a URL link that hosted malware. This malicious spam is designed to infect other computers with viruses and Trojans rather than simply promoting a spam product. In October 2008, presidential gift card spam continued to be observed. Recipients were asked to complete a survey on the election with the promise of receiving a free gift card. This gift card spam attack was designed to harvest personal information. &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;As the race for the presidency entered its final hours, spammers were observed offering one of their last presidential spam products. Spammers offered a free DVD about Barack Obama, which they dubbed a &amp;quot;Barackumentary.&amp;quot; However, in order to receive this &amp;quot;free&amp;quot; video, recipients were asked to provide personal credit card details to the sender. When the race finally concluded on November 4th, spammers persisted and issued a new Obama malicious code/spam attack. 
One particular message that included the subject line &amp;ldquo;Obama Wouldn&amp;rsquo;t Be First Black President&amp;rdquo; actually noted that Barack Obama had been elected the 44th President of the United States. Recipients were encouraged to click on a link to &amp;ldquo;Watch His amazing speech at November 5!&amp;rdquo;, but beware, malicious code would be downloaded if the video player is clicked. As we reflect on the presidential spam campaign of 2008, which was notable for its use of news headlines and the continuing linkage between malware and spam, it serves as a good reminder that we must remain vigilant against spam attacks that are currently in the cooking pot. Especially considering that Thanksgiving and Christmas are just around the corner.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;This is what the message body looked like:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;blockquote&gt;&lt;em&gt;&lt;font face=&#034;times new roman,times&#034;&gt;&amp;quot;Barack Obama Elected 44th President of United States&lt;br /&gt;&lt;br /&gt;Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.&lt;br /&gt;Watch His amazing speech at November 5!&lt;br /&gt;&lt;br /&gt;Proceed to the election results news page &amp;gt;&amp;gt; [malicious URL removed]&lt;/font&gt;&lt;/em&gt;&lt;p align=&#034;left&#034;&gt;&lt;em&gt;&lt;font face=&#034;times new roman,times&#034;&gt;2008 American Government Official Website - This site delivers information about current U.S. Foreign policy and about American life and culture.&amp;quot;&lt;/font&gt;&lt;/em&gt;&lt;/p&gt;&lt;/blockquote&gt;]]></content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=120</guid>
				<dc:date>2008-11-05T21:24:21+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Spammers Ride the Economic Roller-Coaster in October 2008</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=119</link>
				<description>As the gut-wrenching roller coaster that world economies have experienced over the last 90 days continues, it is not surprising that spammers are still attempting to tap into the economic angle to try and deliver their spam messages. Spammers often use the “issue du jour” in their spam campaigns. To borrow a phrase coined by strategists for Bill Clinton in 1992 and apply it to today’s issue: &#034;It&#039;s the economy, stupid.&#034;</description>
				<content:encoded><![CDATA[&lt;p&gt;As the gut-wrenching roller coaster that world economies have experienced over the last 90 days continues, it is not surprising that spammers are still attempting to tap into the economic angle to try and deliver their spam messages. Spammers often use the &amp;ldquo;issue du jour&amp;rdquo; in their spam campaigns. To borrow a phrase coined by strategists for Bill Clinton in 1992 and apply it to today&amp;rsquo;s issue: &amp;quot;It&#039;s the economy, stupid.&amp;quot;&lt;/p&gt;&lt;p&gt; &lt;br /&gt;Just like Angelina Jolie, Brad Pitt, Paris Hilton, and Britney Spears, the U.S. Treasury Secretary (Henry Paulson) has joined the list of spammers&amp;rsquo; favorite &amp;ldquo;celebrities.&amp;rdquo; In October 2008, Symantec observed a spam attack that contained a message claiming to come from the U.S. Treasury Secretary. The message suggested that Paulson had been instructed by the United Nations to &amp;quot;wire a sum of $1m into your Bank Account in a Legal way.&amp;quot; [sic] In addition to this attack, Symantec also discovered that the FDIC was being used in a malware-related attack in October.&lt;/p&gt;&lt;p&gt; &lt;br /&gt;Although the U.S. presidential election may be winding down, it is clear that spam campaigns are not going to follow suit. Spam levels clocked in at an average 76.4 percent of all messages in October 2008. This spam level represents a year-on-year increase of nearly six percent since October 2007, but a decrease since the 80 percent level in August this year. Image spam has also reemerged. 
While image spam has not reached the dizzying heights of 2007, in October 2008 image spam averaged nine percent of all spam, which represents an increase of seven percent since September 2008.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;To read about these or other trends in the Symantec Monthly State of Spam Report, such as lottery scam messages targeting the London Olympics and South African World Cup, please visit the &lt;a href=&#034;http://www.symantec.com/spam&#034; target=&#034;_blank&#034;&gt;State of Spam website&lt;/a&gt;. &lt;/p&gt;]]></content:encoded>
				<dc:creator>Dermot Harnett</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=119</guid>
				<dc:date>2008-11-05T12:26:25+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>A Double Dose of Worms Exploiting MS08-067</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=219</link>
				<description>It&#039;s been nearly a couple of weeks since Microsoft released their patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). This problem was rated as such a serious risk that Microsoft took the extraordinary step of releasing an out-of-band patch for it.
</description>
				<content:encoded><![CDATA[&lt;p&gt;It&#039;s been nearly a couple of weeks since Microsoft released their patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (&lt;a href=&#034;http://www.securityfocus.com/bid/31874&#034; target=&#034;_blank&#034;&gt;BID 31874&lt;/a&gt;). This problem was rated as such a serious risk that Microsoft took the extraordinary step of releasing an out-of-band patch for it. &lt;br /&gt;&amp;nbsp;&lt;br /&gt;There was much speculation as to how and when it was going to be used in worms or other malicious code. Unfortunately, we didn&#039;t have to wait long for the first one to appear. First we saw &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-102320-3122-99&#034; target=&#034;_blank&#034;&gt;Trojan.Gimmiv.A&lt;/a&gt;, which appeared to be already in the wild when the patch was released. However, that Trojan never really got around very far due to its weak method of propagation&amp;mdash;manually controlled by the attackers through a channel that was quickly shut down.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;Then there was a lull. So we waited. And, we waited. Sometimes waiting for these new malicious code samples to appear is like waiting for the bus. You wait for an age and then out of nowhere come two or more of them. (Of course, the bus is always full.) Today our wait was over. First we received reports of new malware targeting users of Chinese versions of Windows 2000. 
The malware that we detect as &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110306-2212-99&amp;amp;tabid=1&#034; target=&#034;_blank&#034;&gt;W32.Wecorl&lt;/a&gt; was first picked up by our honeypots that are based in China.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;The second of the new arrivals is &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110315-4059-99&#034; target=&#034;_blank&#034;&gt;W32.Kernelbot.A&lt;/a&gt;. This is a worm with bot functionality. We managed to retrieve the configuration file for this botnet (cmd.txt) and it currently contains locations for downloading additional modules (including the propagation and exploit unit) and instructions to perform DDoS attacks against various websites.&lt;br /&gt;&amp;nbsp;&lt;br /&gt;Fortunately at this stage, these worms have implemented the exploit as an external module file that has to be downloaded first. Blocking the following addresses may help to prevent their propagation:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;10Wrj.com&lt;br /&gt;&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp; &amp;nbsp;zz.ushealthmart.com&lt;br /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;So, as you can see, we&#039;ve had a little bit of a window of calm since the original patches were released. However, that window has well and truly slammed shut and we are now seeing more successful and widespread use of this vulnerability by malware in the wild. If you haven&#039;t already patched yet, perhaps the appearance of these latest terrible twins will help you to seriously consider doing so.&lt;/p&gt;]]></content:encoded>
				<dc:creator>Symantec Security Response</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=219</guid>
				<dc:date>2008-11-03T18:21:25+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>Vulnerabilities in Malicious Code – Owning the Owners, Part 2</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=218</link>
				<description>My previous post was intended to demonstrate that malicious software could also be affected by security vulnerabilities. The example considered a remote code execution in a PHP page used in a phishing attack. However, the debate is still open concerning the possibility that the security issue had been intentionally introduced as a back door.</description>
				<content:encoded><![CDATA[&lt;p&gt;My &lt;a href=&#034;https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;amp;thread.id=217&#034; target=&#034;_blank&#034;&gt;previous post&lt;/a&gt; was intended to demonstrate that malicious software could also be affected by security vulnerabilities. The example considered a remote code execution in a PHP page used in a phishing attack. However, the debate is still open concerning the possibility that the security issue had been intentionally introduced as a back door.&lt;br /&gt;&lt;br /&gt;I now want to focus my attention on another piece of malicious code used to control and coordinate the systems belonging to a particular botnet. A botnet is a group of infected zombie machines under a common control infrastructure; usually, a Web application is employed to remotely instruct the systems in order to pursue a variety of illicit purposes.&lt;br /&gt;&lt;br /&gt;An authentication bypass vulnerability was found to be affecting the command and control Web interface used in this particular botnet, thereby allowing users to bypass the authentication mechanism and take control of the botnet and its zombies. The code responsible for authenticating the credentials supplied by the users is shown below:&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dv_vimc_1.jpg&#034; border=&#034;0&#034; width=&#034;480&#034; height=&#034;495&#034; /&gt;&lt;br /&gt;&lt;br /&gt;The application allows the user to enter the administrative interface only if the &amp;ldquo;logged&amp;rdquo; variable evaluates to true (line 29). Let&amp;rsquo;s have a deeper look at the &amp;ldquo;else&amp;rdquo; branch, starting on line 18. The &amp;ldquo;logged&amp;rdquo; variable is used to temporarily store the value of the authentication cookie, which is supposed to contain the password whose validity is going to be checked on line 20. 
But consider the situation of passing a cookie named &amp;ldquo;logged&amp;rdquo; that contains an arbitrary value to the page&amp;mdash;it will fail this check (so the variable will not be set to true), but the evaluation on line 29 will be true since the value of &amp;ldquo;logged&amp;rdquo; is still set to the arbitrary value passed along within the cookie. This would allow access to the Web application without the need to know the valid credentials.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;In some cases, a botnet is like any other software; for example, it is regularly developed and new versions are periodically released. Let&amp;rsquo;s have a look at the authentication routine implemented in a new version, which was released sometime after the vulnerable one I have just discussed:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dv_vimc_2.jpg&#034; border=&#034;0&#034; width=&#034;480&#034; height=&#034;110&#034; /&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Even if a more sophisticated method of managing user sessions is implemented, the application still suffers from an authentication bypass issue. The key is on line 4, which instructs the browser of an unauthenticated user to redirect to the &amp;ldquo;login.php&amp;rdquo; page; however, because of a missing &amp;ldquo;exit&amp;rdquo; instruction the script does not terminate its execution there, and so it goes on to serve the command and control administrative interface anyway.&lt;br /&gt;&lt;br /&gt;The fact that two different versions of the application are affected by the same vulnerability, even if the authentication routine has been completely rewritten, is really quite bizarre. 
It is again hard to say if we are facing poor coders who lack basic security development principles, or very smart people who are adding back doors to their programs in order to ensure they can regain possession of the software at any time.&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 10-29-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 09:02 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Davide Veneziano</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=218</guid>
				<dc:date>2008-10-29T15:59:40+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>ActiveX File Overwrite/Delete Vulnerabilities - Continued</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=175</link>
				<description>In a blog article from last year, I discussed the rise in popularity of exploits using ActiveX overwrite/delete vulnerabilities due to their ease of use. Since that time, we have seen over 100 such vulnerabilities.
</description>
				<content:encoded><![CDATA[In a &lt;a href=&#034;https://forums.symantec.com/syment/blog/article?message.uid=305544&#034; target=&#034;_blank&#034;&gt;blog article from last year&lt;/a&gt;, I discussed the rise in popularity of exploits using ActiveX overwrite/delete vulnerabilities due to their ease of use. Since that time, we have seen over 100 such vulnerabilities.&lt;br /&gt;&lt;br /&gt;Microsoft requires developers of ActiveX controls to mark their controls &amp;ldquo;not safe for scripting&amp;rdquo; if they can arbitrarily write or delete files. However, developers not realizing the security implications or the full capabilities of their ActiveX control often fail to do so, allowing unauthorized remote users to arbitrarily write files to disk. In some cases, the ActiveX control does not even need to be installed by the user&amp;mdash;as was the case with the &lt;a href=&#034;https://forums.symantec.com/syment/blog/article?message.uid=341705&#034; target=&#034;_blank&#034;&gt;Access Snapshot Viewer ActiveX Vulnerability&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Recently we&amp;rsquo;ve seen a sharp rise in these types of vulnerabilities and have discovered them being exploited in the wild as part of an exploit pack. Symantec&amp;rsquo;s DeepSight honeypots observed the exploit pack attack leverage a number of older ActiveX overwrite/delete vulnerabilities, which had not been previously seen in the wild. 
The attack contained exploits for ActiveX overwrite/delete vulnerabilities in Microsoft, Yahoo, C6, Macrovision, Zenturi, Clever Internet suite, JetAudio, and other ActiveX controls.&lt;br /&gt;&lt;br /&gt;Exploits for these vulnerabilities are detected by IPS (NIS, NAV, N360, SEP, and SCS) products as: &lt;br /&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23034&#034; target=&#034;_blank&#034;&gt;HTTP SnapShot Viewer ActiveX File Download &lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22661&#034; target=&#034;_blank&#034;&gt;HTTP EDraw Flowchart ActiveX Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22557&#034; target=&#034;_blank&#034;&gt;HTTP Yahoo! Messenger CYFT Ctrl GetFile&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22654&#034; target=&#034;_blank&#034;&gt;HTTP Clever Internet Suite Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22401&#034; target=&#034;_blank&#034;&gt;HTTP Zenturi PogramChecker DownloadUrl ActiveX File Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22604&#034; target=&#034;_blank&#034;&gt;HTTP Cowon jetAudio ActiveX Dir Trav.&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23089&#034; target=&#034;_blank&#034;&gt;HTTP C6 Messenger ActiveX File Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22645&#034; target=&#034;_blank&#034;&gt;HTTP MacroVision FlexNet USWA ActiveX BO&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Encoded 
versions of these exploits are detected by Symantec Browser Protection (NIS 2008, NAV 2008, N360 v2) as: &lt;br /&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50166&#034; target=&#034;_blank&#034;&gt;MSIE MS Snapshot ActiveX File Download&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22557&#034; target=&#034;_blank&#034;&gt;MSIE EDraw Flowchart File Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22557&#034; target=&#034;_blank&#034;&gt;MSIE Yahoo! Messenger GetFile Method File Upload&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50178&#034; target=&#034;_blank&#034;&gt;MSIE Clever Internet ActiveX File Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50078&#034; target=&#034;_blank&#034;&gt;MSIE Zenturi ProgramChecker ActiveX File Overwrite&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50078&#034; target=&#034;_blank&#034;&gt;MSIE jetAudio JetFlExt ActiveX Insecure Method&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50181&#034; target=&#034;_blank&#034;&gt;MSIE C6 Messenger Suspicious File Download&lt;/a&gt;&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50183&#034; target=&#034;_blank&#034;&gt;MSIE InstallShield Macrovision ActiveX BO&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Additionally, Symantec antivirus programs will detect this attack as &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99&#034; 
target=&#034;_blank&#034;&gt;Downloader&lt;/a&gt;. Various toolkits provide heavily obfuscated exploits to evade IDS. Symantec customers are protected against these attacks because Symantec products have a built-in Browser Protection feature that defends against obfuscated code attacks using ActiveX, JavaScript, VBScript, and drive-by downloads.&lt;br /&gt;&lt;br /&gt;While application security improves and technical difficulty in exploiting memory corruption flaws continues to increase, a number of easier to exploit and more reliable attack vectors still remain. ActiveX overwrite/delete vulnerabilities are very trivial to exploit and that&amp;rsquo;s why many malicious toolkits contain exploits for these vulnerabilities. Unfortunately we can expect continued discovery and exploitation of these vulnerabilities in the future.&lt;br /&gt;&lt;br /&gt;]]></content:encoded>
				<dc:creator>Parveen Vashishtha</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=175</guid>
				<dc:date>2008-10-28T18:38:25+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>Reactive Phishing Defenses - Part 2</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=98</link>
				<description>My previous blog article was intended to highlight two new features observed in a number of phishing kits that held the aim of making the lives of security analysts more difficult. I want to now focus my attention on another trick that has been used in phishing kits in order to protect the attack against a technique called &#034;dilution.&#034;</description>
				<content:encoded><![CDATA[&lt;p&gt;My previous &lt;a href=&#034;https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;amp;message.id=96&#034; target=&#034;_blank&#034;&gt;blog article&lt;/a&gt; was intended to highlight two new features observed in a number of phishing kits that held the aim of making the lives of security analysts more difficult. I want to now focus my attention on another trick that has been used in phishing kits in order to protect the attack against a technique called &amp;quot;dilution.&amp;quot; Dilution is a method of providing a certain amount of false credentials, names, account numbers, and other personal information to a phishing website. With this technique, real credentials are diluted in a sea of false data, making the fraudster&#039;s job harder.&lt;br /&gt;&lt;br /&gt;There are several different kinds of dilution strategies, classified by the type of data provided to the phishing site:&lt;/p&gt;&lt;blockquote&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;em&gt;Random Data&lt;/em&gt;: a large amount of random unformatted data is submitted. This strategy attempts to fill up the collection point, but has a drawback in that the fraudsters can easily identify fake data.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;em&gt;Properly Formatted Data&lt;/em&gt;: a large amount of properly formatted data is submitted. This process avoids the drawback of the first dilution type, but still fills up the collection point.&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;em&gt;Tag Data&lt;/em&gt;: this time, the fake data submitted is indeed valid and accepted by the institution&#039;s website. The injection of this data allows financial institutions to more easily track criminals and gain additional forensic information.&lt;br /&gt;&lt;/blockquote&gt;Fraudsters are aware of these techniques and are continuously trying to optimize their attacks and thus their profits. 
As a proof of concept, shown below is a piece of PHP code revealed from a phishing attack that is intended to check the validity of the credit card number provided by the user according to card number conventions:&lt;br /&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/af_rpd_1.jpg&#034; border=&#034;0&#034; width=&#034;470&#034; height=&#034;473&#034; /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure 1.&lt;/strong&gt; Fraudster checks for a valid card number&lt;br /&gt;&lt;br /&gt;After performing this check, the fraudster tries validating the card number by using the &lt;a href=&#034;http://en.wikipedia.org/wiki/Luhn_algorithm&#034; target=&#034;_blank&#034;&gt;Luhn algorithm&lt;/a&gt; (figure 2). If both conditions are met (the card number appears to be correct and the Luhn algorithm is verified) the information is delivered to the drop box. This approach makes the Random Data Dilution strategy described above useless, because invalid data won&#039;t be accepted.&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/af_rpd_2.jpg&#034; border=&#034;0&#034; width=&#034;470&#034; height=&#034;426&#034; /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure 2.&lt;/strong&gt; Fraudster using the Luhn algorithm&lt;br /&gt;&lt;br /&gt;Even if Random Data Dilution is useless against phishing sites implementing the tricks described above, the Properly Formatted Data Dilution continues to work because the provided data passes both tests described above and is correctly delivered to drop boxes. However, we have recently observed some phishing kits implementing a new feature that helps fraudsters fight against even the Properly Formatted Data Dilution strategy. 
The piece of code in figure 3 (below) shows one of these tricks, which checks to see if the credentials provided by the user are indeed valid. It has been implemented by submitting the credentials to the original website and then identifying specific patterns in the response page in order to verify their validity. Only after this validation step is other information requested (such as credit card numbers, cvv2/cvc2 codes, or sometimes even the entire battleship card) and, if provided, delivered to the fraudster&#039;s drop box.&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/af_rpd_3.jpg&#034; border=&#034;0&#034; width=&#034;470&#034; height=&#034;329&#034; /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure 3.&lt;/strong&gt; User credentials validation&lt;br /&gt;&lt;br /&gt;This technique actually makes the second type of dilution ineffective, because fake credentials, even if properly formatted, are no longer accepted. So far, the evidence collected demonstrates how some dilution techniques may be avoided through the validation of both the card number and the credentials provided. However, &amp;quot;tag data&amp;quot; is a very efficient strategy, allowing financial institutions to more efficiently monitor and identify fraudulent activities. By using this means of detection, and once the source of the attacker is known, organizations can correlate this information with login records in order to identify other compromised accounts and take reactive countermeasures in order to prevent the loss of money in a much more efficient way.&lt;br /&gt;&amp;nbsp;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 10-27-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 11:05 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Antonio Forzieri</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=98</guid>
				<dc:date>2008-10-27T18:01:57+00:00</dc:date>
				<category>Online Fraud</category>
			</item>
		<item>
				<title>MS08-067 Exploited in the Wild</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=174</link>
				<description>I am sure by now that many have read about Trojan.Gimmiv exploiting the new MSRPC vulnerability. While we have not seen any evidence of Gimmiv replicating by itself, we analyzed a second component, related to Gimmiv, which is able to exploit the vulnerability patched on Wednesday.</description>
				<content:encoded><![CDATA[&lt;p&gt;I am sure by now that many have read about Trojan.Gimmiv exploiting the new&amp;nbsp;&lt;a href=&#034;http://www.securityfocus.com/bid/31874&#034; target=&#034;_blank&#034;&gt;MSRPC vulnerability&lt;/a&gt;. While we have not seen any evidence of Gimmiv replicating by itself, we analyzed a second component, related to Gimmiv, which is able to exploit the vulnerability &lt;a href=&#034;https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;amp;thread.id=173&#034; target=&#034;_blank&#034;&gt;patched on Wednesday&lt;/a&gt;. Interestingly though, Gimmiv exploits a 2006 vulnerability described in&amp;nbsp;&lt;a href=&#034;http://www.securityfocus.com/bid/19409&#034; target=&#034;_blank&#034;&gt;MS06-040&lt;/a&gt; along with its MS08-067 exploit. Because of the way that Gimmiv does this, Symantec IPS definitions circa August 2006 will block this attack.&lt;br /&gt; &lt;br /&gt;Because the &lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx&#034; target=&#034;_blank&#034;&gt;MS08-067&lt;/a&gt; vulnerability can be exploited without triggering the 2006 IPS signature, we strongly recommend that all users run LiveUpdate to get the latest signatures. This will add specific coverage for MS08-067 for Symantec Endpoint Protection (SEP) and SCS customers as well as all NAV/NIS/N360 customers. 
It is quite likely that this vulnerability will be used by a widespread worm in the near future.&lt;br /&gt; &lt;br /&gt;The vulnerability defined by MS08-067 will be detected by the following IPS signatures:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179&#034; target=&#034;_blank&#034;&gt;MSRPC Server Service BO&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23180&#034; target=&#034;_blank&#034;&gt;MSRPC Server Service BO2&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&#034;http://www.symantec.com/en/uk/business/security_response/writeup.jsp?docid=2008-102323-4508-99&#034; target=&#034;_blank&#034;&gt;Bloodhound.Exploit.212&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;  &lt;br /&gt;The attack used by Gimmiv will be detected by the following 2006 signatures first, however:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21702&#034; target=&#034;_blank&#034;&gt;MSRPC SrvSvc NetApi Buffer Overflow (2)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21701&#034; target=&#034;_blank&#034;&gt;MSRPC SrvSvc NetApi Buffer Overflow (1)&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt; &lt;br /&gt;Symantec AntiVirus will also detect the files associated with this attack as &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-102320-3122-99&#034; target=&#034;_blank&#034;&gt;Trojan.Gimmiv.A&lt;/a&gt;.&lt;/p&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21701&#034; target=&#034;_blank&#034;&gt;&lt;/a&gt;]]></content:encoded>
				<dc:creator>Sean Hittel</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=174</guid>
				<dc:date>2008-10-24T22:32:08+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>Tracking MS08-067</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=173</link>
				<description>This morning Microsoft released an out-of-band security update - MS08-067 - for a vulnerability in the Server service. This issue is tracked as BugTraq ID 31874. This issue affects all supported versions of the Windows operating system.</description>
				<content:encoded><![CDATA[&lt;p&gt;This morning Microsoft released an out-of-band security update -
&lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx&#034; target=&#034;_blank&#034;&gt;MS08-067&lt;/a&gt; -
for a vulnerability in the Server service. This issue is tracked as
&lt;a href=&#034;http://www.securityfocus.com/bid/31874&#034; target=&#034;_blank&#034;&gt;BugTraq ID 31874&lt;/a&gt;. This
issue affects all supported versions of the Windows operating system.&lt;br /&gt;&lt;br /&gt;The
weakness allows an attacker to effectively take complete control of a
vulnerable system. It is imperative that end users apply the patch from
Microsoft as soon as possible.&lt;br /&gt;&lt;br /&gt;While we haven&#039;t seen widespread
exploitation of this issue, there have been reports of a certain file, &amp;quot;n2.exe,&amp;quot; being downloaded on compromised computers. This file copies
another piece of malicious code onto the compromised computer. Symantec
products already detect both of these files as &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2000-122016-0558-99&#034; target=&#034;_blank&#034;&gt;Infostealer&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Ever
since we were able to get our hands on the vulnerability details we
have been analyzing the exploit mechanism with the intent of providing
protection for our customers. We will be publishing signature updates
within the next few hours to detect attacks trying to exploit this
vulnerability.&lt;br /&gt;&lt;br /&gt;Updates will be made to this blog article when signature updates have been published. Stay tuned!&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;hr style=&#034;width: 100%; height: 2px&#034; /&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p style=&#034;text-decoration: underline; color: #ff0000&#034;&gt;&lt;font color=&#034;#ff6600&#034;&gt;&lt;span style=&#034;font-weight: bold&#034;&gt;Update&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Two IPS signatures, 23179 - &amp;quot;MSRPC Server Service BO&amp;quot; and 23180 - &amp;quot;MSRPC Server Service BO2,&amp;quot; as well as an AV signature for &lt;a href=&#034;http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-102323-4508-99&#034; target=&#034;_blank&#034;&gt;Bloodhound.Exploit.212&lt;/a&gt; went out in response to the Microsoft out-of-band patch release today.&lt;br /&gt;&lt;br /&gt;A second MDD certified daily build that contains Bloodhound.Exploit.212 will be released around midnight Pacific time. The version number for the second MDD is 20081023 rev.41 (sequence: 87199).&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 10-24-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 09:37 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Symantec Security Response</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=173</guid>
				<dc:date>2008-10-23T23:42:58+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>Web Attacks Using Microsoft Help and Support Center Viewer</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=172</link>
				<description>The Symantec DeepSight Threat Analysis team recently observed an interesting attack development related to a known vulnerability type. This seemingly new technique allows attackers to execute a malicious payload immediately on a victim&#039;s system, where in the past they weren&#039;t able to achieve instant code execution by exploiting such vulnerabilities. </description>
				<content:encoded><![CDATA[&lt;span class=&#034;content&#034;&gt;The Symantec DeepSight Threat
Analysis team recently observed an interesting attack development
related to a known vulnerability type. This seemingly new technique
allows attackers to execute a malicious payload immediately on a
victim&#039;s system, where in the past they weren&#039;t able to achieve instant
code execution by exploiting such vulnerabilities. &lt;br /&gt;&amp;nbsp;&lt;br /&gt;Public
examples of this new attack typically employ file-overwrite and
file-download vulnerabilities in ActiveX controls to download a
malicious file onto the target machine. In the past, attackers were
able to download files without much difficulty, but until recently the
options for attackers seeking to have malicious programs executed on a
victim&#039;s system were limited. In order to execute a malicious file on
an affected computer, attackers generally needed to place the file in
one of the load points such as the &amp;quot;Startup&amp;quot; directory in Microsoft
Windows, or use social-engineering or other attacks to have the file
executed. This presented a problem for attackers since they were forced
to wait for the victim to reboot their machine or execute the file,
which could take some time and therefore increase the chances of
discovery and failure of the attack.&lt;br /&gt;&lt;br /&gt;In some recent exploit
developments, we observed that it is possible to utilize the &amp;quot;Microsoft
Help and Support Center Viewer&amp;quot; application in conjunction with a
file-overwrite or file-download issue to immediately execute a
malicious file on a vulnerable computer. A typical attack scenario
using this technique takes place like this:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;1.&amp;nbsp;&amp;nbsp;&amp;nbsp; An
attacker creates a malicious Web page that uses an arbitrary
file-overwrite issue to place their malicious binary on the victim&#039;s
machine. The attacker then tricks their victim into visiting this page.&lt;br /&gt;&lt;br /&gt;2.&amp;nbsp;&amp;nbsp;&amp;nbsp;
When the victim visits the page, the attacker exploits the same
vulnerability to overwrite one of the Help and Support Center&#039;s HTML
files, such as
&amp;quot;C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\sysinfomain.htm.&amp;quot; The
attacker overwrites this file with script code that performs malicious
actions on their behalf. &lt;br /&gt;&lt;br /&gt;3.&amp;nbsp;&amp;nbsp;&amp;nbsp; Once the previous steps have
been carried out successfully the attacker redirects the victim&#039;s
browser using the &amp;quot;window.location&amp;quot; method such as &amp;quot;window.location =
hcp://system/sysinfo/sysinfomain.htm.&amp;quot; &lt;br /&gt;&lt;br /&gt;4.&amp;nbsp;&amp;nbsp;&amp;nbsp; The Microsoft
Help and Support Center viewer, which handles &amp;quot;hcp://&amp;quot; links, runs the
attacker&#039;s script, which in turn executes their malicious binary. &lt;br /&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;p&gt;What
makes this attack remarkable is that because the Help and Support
Center can run script commands in the context of the local user,
attackers can utilize inherent ActiveX controls not marked as &amp;quot;Safe for
Scripting&amp;quot; to execute a malicious binary that they have already placed
on the vulnerable user&#039;s computer. &lt;br /&gt;&lt;br /&gt;It&#039;s worth noting at this
point that in order for this attack to be successful the user must be
logged in with Administrator privileges. However, since the standard
Windows XP setup on stand-alone systems often has Administrator
privileges enabled, and most users don&#039;t follow best practices to set
up a limited user for general use, this attack may be possible on a
large number of machines.&lt;br /&gt;&lt;br /&gt;The DeepSight Threat Analysis team has also created the following video which demonstrates an attack of this type:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;a href=&#034;http://www.youtube.com/watch?v=L3bdWO8ryBg&#034; target=&#034;_blank&#034;&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ax_hcp.jpg&#034; border=&#034;0&#034; width=&#034;427&#034; height=&#034;346&#034; /&gt;&lt;/a&gt;&amp;nbsp;&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 10-23-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 07:38 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Security Intel Analysis Team</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=172</guid>
				<dc:date>2008-10-23T14:35:13+00:00</dc:date>
				<category>Vulnerabilities &amp; Exploits</category>
			</item>
		<item>
				<title>A Guide for Beating Phishing Attacks</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=97</link>
				<description>Phishing is a way for individuals who are known as &#034;phishers&#034; to obtain your private information such as bank account details and passwords. Phishing messages come in the form of an email message that is directed to you and appears to be from a reputable company or business, often one that you have an association with</description>
				<content:encoded><![CDATA[Phishing is a way for individuals who are known as &amp;quot;phishers&amp;quot; to obtain your private information such as bank account details and passwords. Phishing messages come in the form of an email message that is directed to you and &lt;em&gt;appears&lt;/em&gt; to be from a reputable company or business, often one that you have an association with and trust. But, it is not. The message will tell you to confirm your bank details, password, or login credentials or &amp;quot;your account may be closed.&amp;quot; You are then directed to click on a link in the email to take you to a website to enter the requested details. By employing scare tactics such as the threat of account closure, phishers are hoping to lure you into their trap.&lt;br /&gt;&lt;br /&gt;Once you click the link you are taken to a website that looks like the real website of the company the email is purporting to be from. But it is not. You enter your details and the phishers now have the information they need to steal your identity. What just happened? The phishers lured you in on false pretenses and stole your account information and passwords, which will allow them to buy things with your money and potentially damage your credit history.&lt;br /&gt;&lt;br /&gt;By utilizing the following steps it is possible to keep safe from phishing:&lt;br /&gt;&lt;blockquote&gt;&lt;ul&gt;&lt;li&gt; Know that your bank will never ask you to confirm your details via email. So if it looks like it&#039;s coming from your bank and asks you to confirm details, you should not click it. Remember that you can always call your bank directly and ask them about any email you receive. They will know if they&#039;ve requested that you update your account details. &lt;/li&gt;&lt;li&gt; Is it addressed to you? It is common for phish messages to begin with salutations such as &amp;quot;Dear Valued Customer&amp;quot; and &amp;quot;Please Confirm&amp;quot; instead of your actual name. 
If it&#039;s not addressed to you, don&#039;t click it.&lt;/li&gt;&lt;li&gt; Rest your mouse pointer on the URL in the body of the email. The real destination of the URL will be displayed. If the URL looks like a different name than the name of the company, don&#039;t click it.&lt;/li&gt;&lt;li&gt; Look for spelling mistakes. If there are spelling mistakes, or the email doesn&#039;t look professional, don&#039;t click it.&lt;/li&gt;&lt;li&gt; Get security software that includes anti-phishing and identity protection features. Symantec has products that do just this.&lt;/li&gt;&lt;li&gt; Don&#039;t use links in emails to get to websites. Instead, manually type in the URL destination into the address bar of your Web browser. It may take a little longer, but you will be more effective at protecting your identity.&lt;/li&gt;&lt;/ul&gt;&lt;/blockquote&gt;Please take a look at the video below that Symantec produced, which will provide some insight on the above points regarding phishing attacks:&lt;br /&gt;&lt;br /&gt;&lt;object classid=&#034;clsid:d27cdb6e-ae6d-11cf-96b8-444553540000&#034; codebase=&#034;http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0&#034; id=&#034;movie_player&#034; name=&#034;movie_player&#034; width=&#034;480&#034; height=&#034;385&#034;&gt;&lt;param name=&#034;width&#034; value=&#034;480&#034; /&gt;&lt;param name=&#034;height&#034; value=&#034;385&#034; /&gt;&lt;param name=&#034;flashvars&#034; value=&#034;usef=0&amp;amp;BASE_YT_URL=http://uk.youtube.com/&amp;amp;vq=2&amp;amp;video_id=Ao20tAS3x3I&amp;amp;l=152&amp;amp;sk=QG6AOV1E5JyguoRnbkyS46zzKH9jdJL8C&amp;amp;fmt_map=18/512000/9/0/115&amp;amp;t=OEgsToPDskIEs04GKwT0_VZrzNZZRx-6&amp;amp;hl=en&amp;amp;plid=AARZ1hhrpafy95_NAAACgAAiAAA&amp;amp;playnext=0&amp;amp;enablejsapi=1&#034; /&gt;&lt;param name=&#034;allowscriptaccess&#034; value=&#034;always&#034; /&gt;&lt;param name=&#034;allowfullscreen&#034; value=&#034;true&#034; /&gt;&lt;param name=&#034;quality&#034; 
value=&#034;high&#034; /&gt;&lt;param name=&#034;bgcolor&#034; value=&#034;#FFFFFF&#034; /&gt;&lt;param name=&#034;name&#034; value=&#034;movie_player&#034; /&gt;&lt;param name=&#034;id&#034; value=&#034;movie_player&#034; /&gt;&lt;param name=&#034;src&#034; value=&#034;http://s.ytimg.com/yt/swf/watch-vfl59676.swf&#034; /&gt;&lt;embed type=&#034;application/x-shockwave-flash&#034; width=&#034;480&#034; height=&#034;385&#034; flashvars=&#034;usef=0&amp;amp;BASE_YT_URL=http://uk.youtube.com/&amp;amp;vq=2&amp;amp;video_id=Ao20tAS3x3I&amp;amp;l=152&amp;amp;sk=QG6AOV1E5JyguoRnbkyS46zzKH9jdJL8C&amp;amp;fmt_map=18/512000/9/0/115&amp;amp;t=OEgsToPDskIEs04GKwT0_VZrzNZZRx-6&amp;amp;hl=en&amp;amp;plid=AARZ1hhrpafy95_NAAACgAAiAAA&amp;amp;playnext=0&amp;amp;enablejsapi=1&#034; allowscriptaccess=&#034;always&#034; allowfullscreen=&#034;true&#034; quality=&#034;high&#034; bgcolor=&#034;#FFFFFF&#034; name=&#034;movie_player&#034; id=&#034;movie_player&#034; src=&#034;http://s.ytimg.com/yt/swf/watch-vfl59676.swf&#034;&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 10-22-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 04:48 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Kelly Conley</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=online_fraud&amp;thread.id=97</guid>
				<dc:date>2008-10-21T23:37:52+00:00</dc:date>
				<category>Online Fraud</category>
			</item>
		<item>
				<title>The Security Response Blog Will be Changing its RSS Feed</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=grab_bag&amp;thread.id=106</link>
				<description>This Thursday morning (Pacific Daylight Time), October
23rd, we will switch over our RSS feed to a new URL. Please be sure to
update your RSS feeds to use the new URL:
http://www.symantec.com/xml/rss/srblogs.jsp</description>
				<content:encoded><![CDATA[&lt;p&gt;This is an informational blog for the readers of the Security Response&lt;br /&gt;Blogs, particularly those that prefer to use an RSS client to keep&lt;br /&gt;up-to-date with our articles.&lt;br /&gt;&lt;br /&gt;This Thursday morning (Pacific Daylight Time), October&lt;br /&gt;23rd, we will switch over our RSS feed to a new URL. Please be sure to&lt;br /&gt;update your RSS feeds to use the new URL:&lt;br /&gt;&lt;a href=&#034;http://www.symantec.com/xml/rss/srblogs.jsp&#034; target=&#034;_blank&#034;&gt;http://www.symantec.com/xml/rss/srblogs.jsp&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The URL for our main page remains unchanged, please add it to your bookmarks:&lt;/p&gt;&lt;p&gt;&lt;a href=&#034;http://www.symantec.com/business/security_response/weblog/&#034; target=&#034;_blank&#034;&gt;http://www.symantec.com/business/security_response/weblog/&lt;/a&gt; &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;We hope you can visit very soon!&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 10-21-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 04:02 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>SR Blog Moderator</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=grab_bag&amp;thread.id=106</guid>
				<dc:date>2008-10-20T23:30:53+00:00</dc:date>
				<category>Grab Bag</category>
			</item>
		<item>
				<title>Vulnerabilities in Malicious Code – Owning the Owners, Part I</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=217</link>
				<description>Volume XIII of the Symantec Internet Security Threat Report highlighted the fact that the number of vulnerabilities affecting web applications is growing. However, these security issues are not only affecting common legitimate applications, but also malicious code.</description>
				<content:encoded><![CDATA[&lt;p&gt;Volume XIII of the Symantec &lt;em&gt;&lt;a href=&#034;http://www.symantec.com/business/theme.jsp?themeid=threatreport&#034; target=&#034;_blank&#034;&gt;Internet Security Threat Report&lt;/a&gt;&lt;/em&gt; highlighted the fact that the number of vulnerabilities affecting web applications is growing. However, these security issues are not only affecting common legitimate applications, but also malicious code. In fact, a source code analysis of several samples revealed serious vulnerabilities that could, ironically, open security holes in programs designed to compromise other users&#039; security.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;The investigation originated while analyzing a phishing kit (that is, a package containing a clone website of a financial institution) including a PHP page that was neither called nor apparently used by the fraudster to accomplish his task. The phishing kit contained the following code:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dv_1.jpg&#034; border=&#034;0&#034; width=&#034;450&#034; height=&#034;77&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;br /&gt;The code does nothing special other than getting a parameter and using its value within an include() function to load another PHP file. However, it could also be used to force the application to load a piece of remote code and then execute it in the context of the server on which the caller application resides. By exploiting this scenario, it may be possible to trigger a vulnerability called &amp;quot;remote code execution&amp;quot; that could allow an attacker to gain access to the server.&lt;/p&gt;&lt;p&gt; &lt;br /&gt;But why has this vulnerable code been included and distributed within several phishing kits? 
Probably, the fraudster hopes that a system administrator will ignore the file because it has a familiar name, even after discovering that a server has been compromised. This would allow the fraudster to maintain access to the server and re-deploy the web pages used for the phishing attack.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;On the other hand, it is not uncommon for the person building the kit to be different from the one who uses it. So why not consider the hypothesis of a back door intentionally left behind in order to allow the writer access to all the servers compromised by the people using the kit? This could help the malware author save time and effort, since a huge number of systems could easily be taken over without the need to identify how to compromise them.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;The existence of back doors in malicious software is not unusual. Take, for example, the time malware started using IRC as a control channel, when a specimen called &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2001-100912-0421-99&#034; target=&#034;_blank&#034;&gt;SlackBot&lt;/a&gt; joined an undocumented channel under the control of the author. This allowed the virus writer to control infected systems at no additional cost.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Recently, a new version of the vulnerable file discussed above has been identified, with some changes in the code:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dv_2.jpg&#034; border=&#034;0&#034; width=&#034;462&#034; height=&#034;129&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;This time, the script includes a legitimate website when provided with the vulnerable parameter, not the PHP code the caller wants to execute. 
Indeed, a new parameter must now be used to emulate the original behavior: the new piece of code has probably been added to hide the vulnerability while still keeping the door open.&lt;/p&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 10-23-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 07:52 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Davide Veneziano</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=217</guid>
				<dc:date>2008-10-17T17:52:50+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>Keep It Simple Stupid</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=216</link>
				<description>When someone is asked to present an analysis of a modern threat, the explanation often becomes complicated very quickly. Here I will present a brief analysis of a Trojan that uses the KISS approach: &#034;keep it simple, stupid.&#034;</description>
				<content:encoded><![CDATA[&lt;p&gt;When someone is asked to present an analysis of a modern threat, the explanation often becomes complicated very quickly. Here I will present a brief analysis of a Trojan that uses the KISS approach: &amp;quot;keep it simple, stupid.&amp;quot;&lt;br /&gt;&lt;br /&gt;The reason for this article is that upon hearing what I do for a living, people often ask, &amp;quot;why do people write viruses?&amp;quot; After explaining the various dangers of using a computer online, people often follow up with the following question: &amp;quot;I don&#039;t bank online, I don&#039;t shop online, etc... so why would someone want to attack my computer?&amp;quot; This article is dedicated to anyone who has ever sat beside me on a plane/train/automobile and asked me these questions. ;-)&lt;br /&gt;&lt;br /&gt;The Trojan that is shown below will help to explain why a computer is still valuable to an attacker, even if that computer contains no sensitive data. The Trojan presented does not steal private data (such as banking credentials, etc.); however, it does contribute to one problem of online computer usage that everyone is familiar with: spam.&lt;br /&gt;&lt;br /&gt;What is presented here is nothing new or groundbreaking. Anyone up-to-date on security will be familiar with these Trojans. These Trojans have been around for some time now, but what caught my attention was the simplicity of this particular sample and how easy it is to understand it, perfect for a simple explanation of how these types of Trojans operate. (No encryption, no obfuscation, no time delays or crazy features.)&lt;br /&gt;&lt;br /&gt;The threat is called Trojan.Spamthru. It is a threat that simply runs silently in the background whenever an infected computer is online, and its goal is to continuously send spam. When Trojan.Spamthru is executed it immediately connects to a control server to receive configuration data. 
This configuration data is received as plain text and consists of the following variables:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A generic email template&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A list of first names&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A list of last names&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A list of subjects&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A list of domains&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; A list of URLs&lt;br /&gt;&amp;bull;&amp;nbsp;&amp;nbsp;&amp;nbsp; Other data that is not essential to this article&lt;br /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;This is the template that was received the first time the Trojan was executed:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div style=&#034;margin-left: 40px&#034;&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Date: &lt;strong&gt;{DATE}&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;From: &lt;strong&gt;{$FNAME$}&lt;/strong&gt; &amp;lt;&lt;strong&gt;{$FNAME$}&lt;/strong&gt;_&lt;strong&gt;{$LNAME$}&lt;/strong&gt;@&lt;strong&gt;{$DOMAIN$}&lt;/strong&gt;&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;To: &lt;strong&gt;{TO}&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Subject: &lt;strong&gt;{%SUBJECT%}&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;This message is intended for &lt;strong&gt;{TO}&lt;/strong&gt;:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;*SAVE!&amp;nbsp; SAVE!&amp;nbsp; SAVE!*&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;*TOP SELLING &lt;strong&gt;{SCRAMBLE:MEDICATIONS}&lt;/strong&gt;*&lt;/span&gt;&lt;br 
/&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;- Available without a prescription&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;- Our brands simply cost less&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;- Fastest processing times online&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a style=&#034;font-family: times new roman,times&#034; href=&#034;http://www.%7B/&#034; target=&#034;_blank&#034;&gt;http://www.&lt;strong&gt;{&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;$URL$}&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;{$WIKIARTICLE$}&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Use &lt;/span&gt;&lt;a style=&#034;font-family: times new roman,times&#034; href=&#034;http://www.%7B/&#034; target=&#034;_blank&#034;&gt;http://www. &lt;/a&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;&lt;strong&gt;{$URL$}&lt;/strong&gt;/a.php for removal&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;Anything within curly brackets (shown in bold) in the above template will be replaced with appropriate data before the spam email is sent. 
The Trojan knows what appropriate data to use by checking the lists that were previously received as part of the configuration data.&lt;br /&gt;&lt;br /&gt;For example, in the configuration data downloaded, the variable {$FNAMES$} refers to a list of 5,494 first names:&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div style=&#034;margin-left: 40px&#034;&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;mary&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;patricia&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;linda&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;barbara&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;elizabeth&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;jennifer&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;maria&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;susan&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;margaret&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;etc.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;Before the Trojan sends a spam email it will replace all occurrences of {$FNAMES$} in the template with a randomly chosen first name from the list above. 
The same procedure is followed for all of the other variables in the template:&lt;/p&gt;&lt;div style=&#034;margin-left: 40px&#034;&gt;&amp;nbsp;&lt;/div&gt;&lt;div style=&#034;margin-left: 40px&#034;&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034;&gt;{$LNAMES}&lt;/font&gt; = a list of 88,799 last names.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034;&gt;{$SUBJECTS}&lt;/font&gt; = a list of 189 different subjects:&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Leading Online Pharmacy For Generic Medication&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;You Are Invited To The Leading Online Pharmacy For Generic Medication&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Save money by buying generic brand medications&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Generic leading brand weight-loss products&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Generic Medication For Everyones Needs&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;No prescription is required for our medications&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Get your medications without a prescription&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Huge invetory of generic medications&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Substantial savings on your medications&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;etc.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new 
roman,times&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034;&gt;{$DOMAINS}&lt;/font&gt; = a list of popular webmail companies and ISPs to target for sending spam to.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;&lt;font face=&#034;arial,helvetica,sans-serif&#034;&gt;{$URLS}&lt;/font&gt; = a list of spam URLs that sell fake products:&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;rateyaec.com&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;jeailkic.com&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;cosatamm.com&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;kralpeal.com&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;chinmich.com&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;liatioslo.com&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;mistatok.com&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;slapoute.com&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;inmidels.com&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;etc.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/lom_kiss1.jpg&#034; border=&#034;0&#034; width=&#034;488&#034; height=&#034;295&#034; /&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;The Trojan chooses a random entry from each of these lists, inserts those entries into the template, and then sends a spam message. 
It then repeats the process while choosing new random entries from the lists.&lt;br /&gt;&lt;br /&gt;Here is a sample mail that the Trojan was attempting to send:&lt;/p&gt;&lt;div style=&#034;margin-left: 40px&#034;&gt;&amp;nbsp;&lt;/div&gt;&lt;div style=&#034;margin-left: 40px&#034;&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Date: Thu, 26 Jun 2008 07:06:14 GMT&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;From: booker &amp;lt;booker_yamauchi@rr.com&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;To: &amp;lt;skrmusic@bellsouth.net&amp;gt;, &amp;lt;skrob@bellsouth.net&amp;gt;, &amp;lt;skrobot@bellsouth.net&amp;gt;, &amp;lt;skrock@bellsouth.net&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Subject: Generic Medication For Everyones Needs&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;This message is intended for &amp;lt;skrmusic@bellsouth.net&amp;gt;, &amp;lt;skrob@bellsouth.net&amp;gt;, &amp;lt;skrobot@bellsouth.net&amp;gt;, &amp;lt;skrock@bellsouth.net&amp;gt;:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;*SAVE!&amp;nbsp; SAVE!&amp;nbsp; SAVE!*&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;*TOP SELLING M:ICEITLONBEMDAS*&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;- Available without a prescription&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;- Our brands simply cost less&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;- Fastest processing times online&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style=&#034;margin-left: 40px&#034;&gt;&amp;nbsp;&lt;/div&gt;&lt;div style=&#034;margin-left: 40px&#034;&gt;&lt;font 
face=&#034;times new roman,times&#034;&gt;hxxp://xxx.[removed].com&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;p&gt;The URL at the bottom of the email was a fake medical supplies site that looked something like this:&lt;br /&gt;&lt;br /&gt;&lt;img src=&#034;https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/lom_kiss2.jpg&#034; border=&#034;0&#034; width=&#034;488&#034; height=&#034;542&#034; /&gt;&amp;nbsp;&lt;br /&gt;&lt;br /&gt;The templates are continuously changing. Also, the Trojan reconnects to the control server at specified intervals and receives new templates. Here is an example of another spam email that was sent a few days later:&lt;/p&gt;&lt;div style=&#034;margin-left: 40px&#034;&gt;&amp;nbsp;&lt;/div&gt;&lt;div style=&#034;margin-left: 40px&#034;&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Date: Wed, 10 Sep 2008 07:16:20 GMT&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;From: justin &amp;lt;justin@branch3es.info&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;To: &amp;lt;realtor@blahblah.com&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Subject: Own your own Rolex&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;MIME-Version: 1.0&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Content-Type: text/plain; charset=ISO-8859-1&lt;/span&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Content-Transfer-Encoding: 7bit&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=&#034;font-family: times new roman,times&#034;&gt;Huge discounts on Gucci bags&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;font face=&#034;times new roman,times&#034;&gt;hxxp://xxx.[removed].com&lt;/font&gt;&lt;br /&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;This site was trying 
to sell fake watches and designer bags; the name of the site was Kings Replica, which is a name associated with a well-known spam campaign that has been running for a long time. (See &lt;a href=&#034;http://spamtrackers.eu/wiki/index.php?title=King_Replica&#034; target=&#034;_blank&#034;&gt;here&lt;/a&gt; for more details.)&lt;br /&gt;&lt;br /&gt;A colleague of mine, Dermot Hartnett, who works in our anti-spam team, was recently interviewed about the current trends within spam. Although the interview is from July, the information presented is still relevant and shows what you might expect to see in your inbox (or, rather, what was blocked before it ever got to your inbox):&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;object classid=&#034;clsid:d27cdb6e-ae6d-11cf-96b8-444553540000&#034; codebase=&#034;http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0&#034; id=&#034;playeridstateofspam08july&#034; name=&#034;playeridstateofspam08july&#034; width=&#034;500&#034; height=&#034;300&#034;&gt;&lt;param name=&#034;id&#034; value=&#034;playeridstateofspam08july&#034; /&gt;&lt;param name=&#034;name&#034; value=&#034;playeridstateofspam08july&#034; /&gt;&lt;param name=&#034;width&#034; value=&#034;500&#034; /&gt;&lt;param name=&#034;height&#034; value=&#034;300&#034; /&gt;&lt;param name=&#034;flashvars&#034; value=&#034;myID=playeridstateofspam08july&amp;amp;OmnitureServerName=symanteccom&amp;amp;config=http://www.symantec.com/xml/player/config/config.jsp%3Fcid%3Dstateofspam08july%26type%3Dvideos%26sg%3Denterprise%26fp%3Dy%26lg%3Den%26ct%3Dus%26width%3D500%26height%3D281&#034; /&gt;&lt;param name=&#034;wmode&#034; value=&#034;transparent&#034; /&gt;&lt;param name=&#034;allowfullscreen&#034; value=&#034;true&#034; /&gt;&lt;param name=&#034;allowscriptaccess&#034; value=&#034;always&#034; /&gt;&lt;param name=&#034;quality&#034; value=&#034;high&#034; /&gt;&lt;param name=&#034;src&#034; 
value=&#034;http://www.symantec.com/flash/mediaplayer/SMVPlayer.swf&#034; /&gt;&lt;embed type=&#034;application/x-shockwave-flash&#034; id=&#034;playeridstateofspam08july&#034; name=&#034;playeridstateofspam08july&#034; width=&#034;500&#034; height=&#034;300&#034; flashvars=&#034;myID=playeridstateofspam08july&amp;amp;OmnitureServerName=symanteccom&amp;amp;config=http://www.symantec.com/xml/player/config/config.jsp%3Fcid%3Dstateofspam08july%26type%3Dvideos%26sg%3Denterprise%26fp%3Dy%26lg%3Den%26ct%3Dus%26width%3D500%26height%3D281&#034; wmode=&#034;transparent&#034; allowfullscreen=&#034;true&#034; allowscriptaccess=&#034;always&#034; quality=&#034;high&#034; src=&#034;http://www.symantec.com/flash/mediaplayer/SMVPlayer.swf&#034;&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This Trojan is an example of a very simple threat that can use an infected machine for purposes other than stealing data. Malicious code authors will try to infect thousands of computers with similar Trojans and then use the infected computers in unison, allowing them to send millions of spam emails every minute. A network of 10,000 infected computers would not be considered large!&lt;br /&gt;&lt;br /&gt;Although this simple Trojan is capable of sending out a torrent of spam, due to its simplicity it is very easy to detect&amp;mdash;both the actual Trojan file and the spam that the Trojan sends. Symantec detects these types of threats as &lt;a href=&#034;http://www.symantec.com/security_response/writeup.jsp?docid=2006-111716-3107-99&#034; target=&#034;_blank&#034;&gt;Trojan.Spamthru&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;P.S.&amp;gt; The good news is that the end of this spam campaign may be in sight. 
The FTC is taking action against the supposed organizers of these spam campaigns, as reported here: &lt;a href=&#034;http://www.theregister.co.uk/2008/10/14/prolific_spammers_targeted/&#034; target=&#034;_blank&#034;&gt;http://www.theregister.co.uk/2008/10/14/prolific_spammers_targeted/&lt;/a&gt;&lt;div class=&#039;message-edit-history&#039;&gt;&lt;span class=&#039;edit-author&#039;&gt;Message Edited by SR Blog Moderator on &lt;/span&gt;&lt;span class=&#039;local-date&#039;&gt; 10-17-2008&lt;/span&gt;&lt;span class=&#039;local-time&#039;&gt; 04:49 AM&lt;/span&gt;&lt;/div&gt;]]></content:encoded>
				<dc:creator>Liam O Murchu</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=malicious_code&amp;thread.id=216</guid>
				<dc:date>2008-10-16T11:39:57+00:00</dc:date>
				<category>Malicious Code</category>
			</item>
		<item>
				<title>Image Spam Trying a Comeback - Without Success</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=118</link>
				<description>Symantec has observed an increase in the use of image spam attacks over the past few weeks. Symantec defines image spam as an unsolicited message containing an image in the body.</description>
				<content:encoded><![CDATA[&lt;p&gt;Symantec has observed an increase in the use of image spam attacks over the past few weeks. Symantec defines image spam as an unsolicited message containing an image in the body.&lt;br /&gt;&lt;br /&gt;In August, image spam attacks accounted for approximately 1.6% of total spam. In September we observed that image attacks almost doubled, representing approximately 2.6% of total spam. Over 50% of image attacks observed are English, and the second largest group of messages is Russian. In the first ten days of October, image spam messages have averaged approximately 8.6% of total spam. This is the highest mark to date over the last 90 days. From May of this year up to September, image spam was relatively quiet. As stated above, these numbers have been increasing since mid-September. We have not seen image spam of this volume since February of this year.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Commonly seen image spam messages have included Russian online dating offers, random product offerings with an image opt-out, and the all too familiar Viagra offers. Nothing is blatantly new here, but the recent volume increase is notable enough for us to ask if this old trend could be trying for a comeback.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Another observation with image spam is its connection to phishing attacks. Several phishing attacks have used images recently, which has in turn caused them to be classified as image attacks. We recently observed some large phishing attacks on banks with attached logo images. The good news is that anti-spam effectiveness is not being negatively impacted by this trend. Symantec is effectively protecting our customers from these attacks with our anti-spam products.&lt;/p&gt;]]></content:encoded>
				<dc:creator>Kelly Conley</dc:creator>
				<guid>https://forums.symantec.com/syment/blog/article?blog.id=spam&amp;thread.id=118</guid>
				<dc:date>2008-10-15T12:47:16+00:00</dc:date>
				<category>Spam</category>
			</item>
		<item>
				<title>Microsoft Patch Tuesday for October 2008</title>
				<link>https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&amp;thread.id=170</link>
				<description>Hello and welcome to this month’s blog on the Microsoft patch releases. This is another fairly heavy month, with 11 bulletins covering 20 vulnerabilities.</description>
				<content:encoded><![CDATA[Hello and welcome to this month&amp;rsquo;s blog on the Microsoft patch releases. This is another fairly heavy month, with 11 bulletins covering 20 vulnerabilities.&lt;br /&gt; &lt;br /&gt;There are 10 critical issues this month affecting Internet Explorer, Excel, Active Directory, and the RPC service of Host Integration Server. All of them are remote code-execution issues, but the issues affecting Host Integration Server and Active Directory do not require any user interaction, making them potentially the worst of the bunch. The remaining issues (rated Important and Moderate) affect Message Queuing Service, Internet Printing Protocol (IPP), Windows Kernel, Ancillary Function Driver, Virtual Address Descriptors (VADs), and Server Message Block (SMB).&lt;br /&gt; &lt;br /&gt;As always, customers are advised to follow these security best practices:&lt;br /&gt;&lt;br /&gt;-	Block external access at the network perimeter to specific sites and computers only.&lt;br /&gt;-	Avoid sites of questionable or unknown integrity.&lt;br /&gt;-	Never open files from unknown or questionable sources.&lt;br /&gt;-	Run all software with the least privileges required while still maintaining functionality.&lt;br /&gt;&lt;br /&gt;Microsoft&amp;rsquo;s summary of the October releases can be found here: &lt;br /&gt;&lt;a href=&#034;http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx&#034; target=&#034;_blank&#034;&gt;http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Some of the notable vulnerabilities this month are:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1. 
&lt;a href=&#034;http://www.microsoft.com/technet/security/Bulletin/MS08-058.mspx&#034; target=&#034;_blank&#034;&gt;MS08-058&lt;/a&gt; Cumulative Security Update for Internet Explorer (956390)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;CVE-2008-3472&lt;/strong&gt; (&lt;a href=&#034;http://www.securityfocus.com/bid/31615&#034; target=&#034;_blank&#034;&gt;BID 31615&lt;/a&gt;) HTML Element Cross-Domain Vulnerability (MS Rating: Critical /Symantec Urgency Rating 8.5/10)&lt;br /&gt;&lt;br /&gt;A cross-domain remote code-execution and information disclosure vulnerability affects Internet Explorer because it incorrectly interprets the origin of script code. An attacker can exploit this issue by enticing a victim into viewing a specially crafted web page. Code execution in the context of another domain or security zone is only possible when exploited through Internet Explorer 6 SP1 running on Windows 2000 SP4, otherwise a successful exploit will result in information disclosure only.&lt;br /&gt;&lt;br /&gt;Affects: Internet Explorer 5.01 SP4, Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 7.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;CVE-2008-3473&lt;/strong&gt; (&lt;a href=&#034;http://www.securityfocus.com/bid/31616&#034; target=&#034;_blank&#034;&gt;BID 31616&lt;/a&gt