Since McColo Corp’s network was taken offline on 11th November we have seen a huge reduction in spam volumes. Three of the major botnets have been unable to contact their control servers, resulting in a 70 percent drop in spam. We have previously seen other botnets, such as Mega-D, temporarily stop sending spam after their control servers have been disabled, only to see them start back up again with a new control server.

The Srizbi botnet has been one of the biggest sources of spam over that last year. Today only a very few spam emails from Srizbi have made it into our spam traps. So when can we expect to see Srizbi up and running again?

Each Srizbi bot is hard coded with the IP address of one of several control servers that were previously being hosted by McColo. Now that none of these control servers is reachable the bots cannot download new templates and address lists in order to send spam. How then are the Srizbi bot-masters going regain control of their botnet?

We have observed that when a bot is unable to contact its hard coded control server, it will try to resolve the IP address of up to four domains. In our lab we have seen that a bot will then contact the server with this IP address and request a new template. Once a template is received it will begin spamming again. Bots with different original control servers seem to try different sets of domains in the given order. One bot tries to resolve the following four domains:

gyprtwqy.com
faruoeqa.com
dqdpdrqq.com
syudwtqy.com

While another bot tries these four:

tdqyioow.com
opqagwwe.com
duqquppr.com
wrqyfeet.com

And yet another bot tries these:

usqietrw.com
diqgtoue.com
rrquudpr.com
pgqfowdt.com

We are currently unsure of how many different domains there are. Presumably the bot-masters intend to use these domains to host new control servers. However, so far none of these domains have been registered. Perhaps sometime in the near future these domains will be registered by the spammers, or someone else looking to hijack the Srizbi botnet.

Yesterday, MCColo Corp, the company responsible for hosting the control servers for several of the biggest spam botnets was taken offline. Srizbi, Rustock, Mega-D and Pushdo botnets, as well as several others, all had control servers hosted on McColo’s network. Last week these four botnets accounted for over 80 percent of all spam. In addition to botnet control servers, McColo was also known to host malicious software, fake antivirus and child pornography websites.

The hosting company was taken offline after a reporter from the Washington Post contacted two of McColo’s Internet service providers and presented them with information about the malicious activity on McColo’s network. The information was gathered from the security industry over the last four months.

Today, spam has significantly decreased and three of the major botnets, Mega-D, Srizbi and Rustock have almost completely stopped sending spam. Our daily spam volume index showed a massive drop over the last two days as you can see below.

We do not expect this drop in spam to continue for long; often the people or groups responsible for the malicious activity simply move to a new host and continue as normal. Nevertheless, such a dramatic decline in spam, however short-lived, is good news indeed and represents another blow for the cyber criminals.

Over the past week, we have observed a large volume of phishing messages sent by the Srizbi botnet. The messages falsely appear to be from the U.S. Federal Reserve Bank. The pretext for the message is a notification of changing wire transfer restrictions in response to a phishing attack.

The language used in the message is poor making for a crude phishing attempt that security conscious recipients should pick up on. What is interesting with this particular scam is that the message does not ask for the recipient’s logon information which would normally be the goal of a phishing attempt. Instead the intention seems to be to draw you to a legitimate looking website for the purposes of presenting you with an advertising message.

What is most interesting about this particular piece of spam, is the way the ”legitimate” website is coded. The link in the message takes you to a website which looks like this:

Note that the site contains broken links and appears to be suffering from a delay in loading some graphic elements. What is actually happening is a 1000 millisecond delay has been intentionally coded into the site’s HTML. After the delay an alternative pornographic advertising site is displayed.

Here is a sample of the site’s HTML code showing the 1000 millisecond delay in the highlighted area:

This is the site which loads after the delay. Clearly the intention is to advertise this site to recipients.

So the goal behind this scam seems to be advertising. However, the motivation or intentions of burying this advertising under a false phishing message and then placing the advertising behind a page loading delay error are not clear. It would seem to be largely redundant?
What may be at work here is an attempt by the spammers to bypass spam filters with a supposedly legitimate looking message (the Federal Reserve Notification) which unintentially appears to be phishing to most recipients. The delay on the page loading maybe an attempt to obfuscate the site’s real purpose, perhaps from a security researcher who casually follow’s the link and doesn’t initially see anything wrong with it. Whatever the intention, the ruse would appear to be a failure.
This seems to be a case of the spammers shooting themselves in the foot. It is certainly not the most sophisticated threat we have ever seen.

MailMarshal Customers are protected from this scam with SpamCensor 281.

Over that last several months we have been seeing spam using the US presidential election to entice recipients into opening their spam. Now that the election is over we have begun to see spam purportedly coming from news websites reporting Barack Obama’s win and containing a link to an election results page.

The spam appears to come from addresses such as ‘news’ or ‘election’ at bbc.com, cnn.com, online.com, unitedstates.com or usatoday.com. These spam messages are in fact originating from the Srizbi botnet.

The link, which an unwary reader may think is to the official american government website, leads to a website which looks similar to the America.gov website. After visiting the site the browser will ask to download the file adobe_flash9.exe. Below the image of a video player is a notice that you will require an Adobe Flash plugin to play the video.

The adobe_flash9.exe file is actually an information stealing Trojan horse.

This malicious email campaign is only a small portion of the spam that is being sent by Srizbi, all of which is being blocked by SpamCensor version 280.

This morning we received a couple of phishing emails targeting HSBC clients in the United Kingdom.

Nothing new about this, but the intriguing thing is, the phishing site linked in this email was hosted by a Malaysian-based website called Mumcentre.com.my, an online parental-related retail and service provider.

As shown in the email, the “Log-on” link will take you to a webpage in www.mumcentre.com.my, which hosts the phishing webpage shown below:

In this case the phisher is using someone else’s website to host their landing page. It is not clear at this stage how this website was hacked, but we are currently trying to contact the administrator of MumCentre website to inform them about this threat.

A low volume phishing campaign targeting customers of the domain name registrar, Network Solutions, is being spread via spam from the Pushdo botnet. The emails appear to come from an address at networksolutions.com. Some of the subject lines are:

Your domain are expired at this time!

Your domain is expired today!

Your domain must be deleted today!

Your domain will be deleted soon

Your domains will be expired tomorrow!

Following the link will take you to a website, registered in the .asia domain that looks very similar to the real networksolutions.com website and presents the user with a login screen.

A possible objective of this campaign could be to hijack the domain name of anyone who fell for this scam. Using the stolen credentials from a victim, an attacker could transfer a domain name to another registrar and set up their own website using the victim's domain. An attacker could also modify the victim's website, if it is hosted by Network Solutions, to include malicious content.

Rustock is at it again. After sending malicious spam under the guise of fake news updates pretending to be from CNN and MSNBC in August, Rustock has now come up with another spamming template using CBS News. But, the odd thing is, the message is not news-like. Instead it comes with a clickable image, downloaded from the web, advertising an online pharmacy rather than fake news links.

This would seem to defeat the purpose entirely. The malicious spam sent during August provided links to malware infected websites and used a news headline theme to entice recipients into clicking on the links to infect themselves. In this latest fake CBS News campaign there is no convincing ruse, it is readily apparent that the nature of these messages is spam.

The only compelling feature of these messages is subject lines following the theme of the U.S. Presidential elections. Obviously the spammers are counting on the hype of the 2008 elections to lure recipients into opening the message.

We can only surmise that the intent of these messages is to use the fake news headlines to make the spam look legitimate at first glance and get their advertising in front of email users. Clicking on any of the links within the message will take you to an online pharmacy selling sex-enhancement drugs.

MailMarshal Customers are protected from this latest spam with SpamCensor 276.