Archive for 2007


Malware ‘Spread-by-Web’ continues

By Anonymous  •  December 7th, 2007  •   Spam

Back in May, we noted that malware was increasingly being distributed via the web. Recent findings suggest this is not only a trend, it is a stampede. The increasing popularity of web forums, blogs and social networking sites with their rich user interaction is changing the way cyber-criminals are distributing malware.

Traditionally email has been the weapon of choice in distributing malware. Simply spamming out email with malware attachments and a good social engineering hook was, and still is it seems, a useful means to spread your wares.

The next step in the evolution was email advertising, where email is spammed out with a URL link pointing to malware hosted on a web server. The link can be as unsophisticated as a link to an executable which needs user input to download and execute it. Or the website may host malicious code that seeks to exploit browser vulnerabilities. The Storm Trojan phenomenon in the latter half of this year was a good example of this ‘mal-advertising’ in action.

More recent research shows that the cyber-criminals have adopted even more sophisticated web methods. They have not only made their malware available via websites, they have adopted elaborate systems that help drive traffic to those websites. Analysts at Sunbelt have uncovered a network of bots that do little else but post dubious URL links and keywords to many online forums and blogs. This serves to increase the search engine rankings for the web pages that happen to be stuffed full of those same keywords. Landing on one of these web pages can automatically redirect the browser to other websites that host the malware. The end result is that a user searching for a seemingly innocuous term like “microsoft excel support” may end up at a website hosting malicious code. These websites host the usual array of exploits that could end up with computer users getting compromised without realizing it.

Simply browsing the web now has more risks than ever before. So what can we do? The usual advice holds. Keep your computer fully patched and up-to-date, and be wary of strange-looking search results, websites, or download prompts.


Celebrity gang quick to change malware signatures

By Anonymous  •  December 6th, 2007  •   Spam

Last night the Celebrity spam gang once again mass mailed its spam-bot malware in another attempt to grow their botnet. In typical Celebrity gang style they try to entice the recipient with a game featuring Angelina Jolie. This game is actually malware that will download the spam-sending bot. The malware has been modified enough since their last spam run on Sunday to avoid detection by 17 of the 32 antivirus vendors on VirusTotal at the time we checked. The version that was sent out just three days ago is now detected by 30 of the 32 antivirus engines.

This really demonstrates the spammers’ attempts to stay ahead of the antivirus companies by continuously modifying their malware in order to avoid detection.

MailMarshal customers should note that they are already protected from this latest spam outbreak with SpamCensor version 210 and Zero Day Threats version 17.


SMB Hosting

By Anonymous  •  December 4th, 2007  •   Cybercrime Malware

We have started seeing malware being hosted on more “legitimate” hosting sites that usually provide easy SMB hosting for a low monthly fee.

One of the sites hosting the malware is http://9[REMOVED]o(dot)org/, where a lot of executables are located as part of an infection vector:

As can be seen from the VirusTotal scan for one of the files we picked, these are all malicious executables (and pretty new as well – check out the detection rate…)

When looking at the site, it even outright states that it is being hosted in a prime hosting location – this is what I call a great reputation!!! It is clear that the attacker has placed the malicious code on a hosting solution (paid…) that would “legitimize” it so that it would appear to be benign.

This is just one example – keep your eye on upcoming MCRC publications in the coming month for a full analysis on Small Business Hosting, and reputation services used for security purposes…

To be continued…

Posted by Ayelet Heyman


Celebrity spam gang at it again

By Anonymous  •  December 3rd, 2007  •   Spam

The Celebrity spam gang has again spent the weekend sending out copies of their spam bot. Emails with subject lines such as ‘you have card’ and ‘Sexy card from hot girl’ try to entice the reader with an animated card with nude photos. The malicious attachment is now well recognized by antivirus software. As soon as it is run, the attached file will download the spam bot program and begin sending copies of itself.

This is the second weekend in a row where this gang has sent out mass emails in an attempt to increase the size of their botnet. Last week we commented on the use of Britney Spears’ name in similar emails. As we have noted before, this gang's botnet is responsible for over 20% of all spam.

MailMarshal customers should note that they are already protected from this latest spam outbreak with SpamCensor version 209 and Zero Day Threats version 17.


Christmas spam arrives in force

By Anonymous  •  November 28th, 2007  •   Spam

Almost as reliable as Christmas itself is the end-of-year surge in Christmas-related spam. This year is proving to be no exception, with the Christmas spam rush starting in earnest last week.
First off the mark were the Watch Spammers – touting replica Rolex watches, pens, lighters, handbags and all sorts of potential holiday gifts. This was followed closely by an altogether different type of Christmas present – the all too familiar enlargement spam.

By mid November, Christmas spam had still not arrived in any great numbers, accounting for no more than 0.3% of all spam. However, within one week the floodgates were opened, with Christmas-related junk making up over 12% of all spam received.

This sudden surge in spam has affected the overall spam landscape. Between them, Watch Spam and Enlargement Spam account for a massive 96% of all spam. Indeed, in the last week alone, the volume of watch-related junk has nearly trebled, from a baseline of little over 12% to a whopping 35% of all spam. Other types, such as scams, porn and diploma mill spam, have been pushed to the fringes in this surge. Overall spam volumes have risen considerably as a result, with our Spam Volume Index (SVI) jumping to a record 6098 points, an increase of nearly 20% in one week.


Celebrity gang switch to Britney

By Anonymous  •  November 26th, 2007  •   Spam

The Celebrity spam gang, which we have previously commented on as using celebrities to entice users into opening their mail, has switched from Angelina Jolie to Britney Spears. In two eight-and-a-half-hour bursts on Sunday and Monday, the Celebrity bot-net sent spam emails with the subject ‘New Britney naked video’ and containing a .zip attachment. The message content merely tells the reader to check the attachment. An executable file inside the zip file is a new downloader variant that is not as widely detected by antivirus programs as their previous one.

Once run, the downloader retrieves additional malware which has the same signature as spam bots previously used by the Celebrity gang. A few seconds later the victim computer will be part of the spam sending bot-net.
Below is the spam that was being sent soon after infection. Interestingly the first name of the recipient was also used in the subject line.

These spammers are responsible for a large volume of spam, accounting for around 20% of the total spam that we receive.


Combined spam and malware

By Anonymous  •  November 22nd, 2007  •   Spam

At TRACE we have been thinking for some time that the distinction between spam and other email-borne malware is increasingly blurred. Back in August we commented that today’s spam botnets are also responsible for most of the email malware. Well, this week we have seen a few examples of “two-in-one” malicious spam. Yes, that’s right: not only do you get spam, you also get a bonus piece of malware. In this example, the spam contains a rather typical randomized image touting the usual range of potent pills. But it also contains an attachment called setup.exe.

This nasty creation looks to be the work of the celebrity spam gang we commented on last week. Executing the attachment will turn your PC into a spam-spewing zombie. To date we have only seen a few examples of this dual-nature spam – no doubt it is a trial by the spammers to see if any fish will bite. As usual, be extremely wary of unsolicited messages from unknown sources – especially those with executable attachments!


Email Scams – Part 5 of 5: Survey Scams

By Anonymous  •  November 21st, 2007  •   Spam

In this series we examine the common types of email scams. In this part, we take a look at Survey Scams.

With promises of free gift cards, product samples or other rewards, the Survey Scam asks for nothing more than some of your time to complete a survey.

Purpose:

  • Typically just a lure to attract victims to a website. The site might simply try to flog Viagra or install malware on your machine.
  • If a real survey is made available online, there is a good chance the scammers are simply seeking your personal information.

Hallmarks:

Several of the following hallmarks are highlighted in the Survey Scam samples at the end of this article.

  1. You receive an email inviting you to participate in a survey of some kind.
  2. You may be asked to vote on whether you prefer Product A or Product B.
  3. You will be rewarded with a giftcard or product samples for your trouble.
  4. The giftcard offered is often for a household name like Walmart, Target or Starbucks, or perhaps for a commodity like fuel.
  5. The message usually comes from some dubious rewards program which is not affiliated with the products and companies listed in the survey.
  6. There may be a reminder that your participation is required in order to claim your free items.
  7. The message contains a link to a site which is supposedly hosting a survey.
  8. There is usually a token opt-out mechanism listed in the message. The likelihood of it having any effect is minimal.

Could it be legitimate?

Many legitimate companies do carry out surveys via email. Other companies run various reward programs (e.g. air miles, shopping points or credit card usage) and these might bear some of the hallmarks of a Survey Scam. Be mindful of the programs in which you are involved, and treat anything else with suspicion.

If you have any reason to be suspicious, or you have no known business relationship with the party listed in the email, just ignore the request.


The first example is the classic Product A vs. Product B survey (2). In return for simply letting the scammers know whether you prefer Mountain Dew or Sprite, you can receive 20 cases for free (3). If that sounds too good to be true it's because it is too good to be true.

As is usual with this type of scam, the group behind this dubious rewards program (5) offer an email opt-out mechanism (8), probably as a token effort to avoid breaching the CAN-SPAM laws.

SurFav


In another Product A vs. Product B example (2), you get a $100 gift card for sharing your opinions on tobacco products (1). Once again a dubious rewards group (5) is described in the email.

SurTob


Get $1000 worth of donuts (4) in return for taking a short survey (1). We see the common hallmarks of such scams – a link to the survey site (7), information about the rewards program (5) and an opt-out link (8).

SurDun


Similar to the Dunkin Donuts scam above, this example offers a $500 McDonald’s gift card (4).

SurMcD


Fake YouTube mail spreading spambot

By Anonymous  •  November 15th, 2007  •   Spam

Today we noticed several legitimate-looking spam messages pretending to be from YouTube.com and containing an invitation to share a video with a ‘friend’ on YouTube.

Clicking on links to watch the video or to respond to your friend will direct your browser to a webpage that contains youtube.com in the domain name and very closely resembles the real YouTube website, including images of currently popular videos. In this case the Firefox browser alerts the user of a suspected web forgery for this particular website; however it may not for other websites hosting this or other scams.

In the same way that YouTube does, this website tells the user that they have an old version of Adobe Flash player. The link to get the latest version of Flash player is actually a link to the file install_flash_player.exe hosted on the fake YouTube website.

In fact nearly every link on this website asks the user to download this file. This file is actually a spam-bot that sends a high volume of spam to others. So far we have only seen it send the spoofed YouTube emails shown above, suggesting it may be trying to spread itself and increase the number of infected machines. This spam-bot is not widely detected by the antivirus software on VirusTotal.

As always, avoid clicking on links in emails, even if they appear to be legitimate. Check the source of downloaded files that you intend to run on your computer, and frequently update your antivirus software to detect the latest threats.

MailMarshal customers should note that we released a zero day threat update on the 15th November that targets this scam.


Flash cross domain games

By Anonymous  •  November 15th, 2007  •   Cybercrime Malware Vulnerabilities

Lately a couple of research papers related to the Flash cross-domain ability have been published.
A) Cross-Domain Data Access via Flash [CDDAF] Reference by Cenarius (available in Russia only :)
B) Cross Domain Hole Caused By Google Docs by Billy (BK) Rios

Both researchers demonstrated relatively new attack vectors using Flash.
In a nutshell, this attack exploits the cross-domain functionality of Flash applications in order to conduct a CSRF attack. Exploiting this technique is done by uploading a “crossdomain.xml” file to a domain/sub-domain that the hacker wants to attack, and then accessing this file through the loadPolicyFile(policyFile:String) method in a Flash application run by the victim.

Looking at the examples provided in the above articles, we can see that an attacker can potentially steal emails from Gmail (it’s the downside of being big and successful). In order to do so, the attacker would need to upload a crossdomain.xml file to the Gmail (mail.google.com) domain.
The easiest way to upload a file to Gmail is by sending an email with an attachment, of course.
(Using Google Docs is not good enough, because it’s another sub-domain, docs.google.com, instead of mail.google.com.) Ok. We send a crossdomain.xml to the mail recipient and now try to construct an HTTP request in order to access it (look for an example in article A). And what do we get? Surprise… Google transfers the attachment to the googlemail.com domain. Oops. That means we can’t perform a “loadPolicyFile” from the mail.google.com sub-domain. Hmmm… Ok, let’s try other file types…
After some testing, we discovered that image files are not transferred to the googlemail.com domain, but rather are stored on mail.google.com. Excellent, it’s exactly what we need.

From here our attack vector is absolutely clear:
1) We send an email with a JPEG file as attachment to the victim. Actually the “image” is our old friend – crossdomain.xml.
2) The mail also includes a link to our crafted page with a Flash movie.
3) Flash expands the sandbox using our crafted attachment.
4) Now we can execute a CSRF attack on the mail.google.com sub-domain (e.g. steal emails).
Now, this was all true and working until a few weeks ago. If you are looking for googlemail.com you are in for a surprise. Google has been diligent in working out the problems in a lot of the authentication and access mechanisms on their services (look out for more on this from us…), and has fixed the issue from the ground up. Access to attachments is now much harder if not done in the “right” way of going through the email itself, as the paths in mail.google.com and the parameters needed to access them are much more random and have to go through the original message. 2 points for Google on the REAL fix instead of some half-baked patch. Keep up the good work!
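The whole attack above rests on Flash Player trusting a policy file that a user was able to upload to the target host. Google's fix was to move attachments off the sensitive origin; a second, complementary control available to any site serving Flash content is the master policy file at /crossdomain.xml, whose site-control element can tell the player to ignore every other policy file on the host. The checker below is an added example written for this post, not code from the researchers or from Google; it parses constructed sample policies, answers whether a given requesting domain would be granted access under a policy, and reports whether the master policy leaves room for an uploaded (non-master) policy to be honoured. It treats a missing site-control element as permissive, which matches the Flash Player default at the time of this post; later player versions defaulted to master-only.

```python
"""Audit Flash crossdomain.xml policies for the uploaded-policy-file risk.

Added example (not from the original post). Sample policies are constructed.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: a restrictive master policy served from /crossdomain.xml.
# permitted-cross-domain-policies="master-only" instructs Flash Player to ignore
# any other policy file on the host, so a policy smuggled in as an "image"
# attachment (the trick described above) is never consulted.
MASTER_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com" secure="true"/>
</cross-domain-policy>"""

# Constructed sample: same allow list, but no site-control element at all.
LAX_MASTER_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""

# Constructed sample: what an attacker-controlled policy would grant if honoured.
UPLOADED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Return (permitted-cross-domain-policies value or None, [domain patterns])."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    site_control = root.find("site-control")
    permitted = (site_control.get("permitted-cross-domain-policies")
                 if site_control is not None else None)
    domains = [e.get("domain", "").lower() for e in root.findall("allow-access-from")]
    return permitted, domains


def domain_allowed(policy_xml, requesting_domain):
    """True if a SWF served from requesting_domain is granted access by this policy.

    Flash domain patterns are either exact hosts, "*", or "*.suffix"; fnmatch
    covers all three (a "*.example.com" pattern does not match bare example.com).
    """
    _, domains = parse_policy(policy_xml)
    host = requesting_domain.lower()
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in domains)


def non_master_policies_honoured(master_xml):
    """Would the player consult a policy file other than /crossdomain.xml?

    "master-only" and "none" both rule that out; anything else (including an
    absent site-control element, the pre-9.0.124 default) leaves uploads in play.
    """
    permitted, _ = parse_policy(master_xml)
    return permitted not in ("master-only", "none")


def audit(master_xml, uploaded_xml, attacker_domain):
    """Return a list of findings for a host that accepts user uploads."""
    findings = []
    _, master_domains = parse_policy(master_xml)
    if "*" in master_domains:
        findings.append("master policy grants wildcard cross-domain access")
    if non_master_policies_honoured(master_xml):
        findings.append("master policy does not restrict non-master policy files")
        if domain_allowed(uploaded_xml, attacker_domain):
            findings.append("an uploaded policy would grant %s access" % attacker_domain)
    return findings


if __name__ == "__main__":
    for name, master in (("strict", MASTER_POLICY), ("lax", LAX_MASTER_POLICY)):
        print(name, audit(master, UPLOADED_POLICY, "attacker.example.net") or ["ok"])
```

The strict master policy yields no findings even though the uploaded file would grant everyone access, because the player never reads it; the lax one reports both the missing restriction and the resulting exposure. Serving user uploads from a separate domain, as Google did, removes the issue regardless of what the policy files say.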

Posted by Vadim Pogulievsky
