Archive for 2009


MP3 Spam Returns

By Rodel Mendrez  •  December 16th, 2009  •   Spam

Two years ago we first encountered a spam campaign which delivered its message via an MP3 file attachment. Today, a huge influx of MP3 spam has reappeared. The spam aims to promote a Canadian pharmacy website selling cheap viagra.

The spam campaign is almost identical to what we saw a couple of years ago. It has similar headers: plain text, no subject line, no message body, and only one attachment, an MP3 file. The file, which promotes a cheap Viagra website in a 5-second audio clip (complete with sexy background noise), represents a clever attempt to bypass spam filters.

While a novel idea, we echo what we said two years ago: it is unlikely to be a long-lasting phenomenon. Not only is it hard to discern the message, but people are also leery of clicking on attachments in unsolicited email (or they should be). MP3 spam is altogether too gimmicky to work, even perhaps for diehard internet pill buyers.
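A filter-side heuristic for the message shape described above (no subject, no text body, a single MP3 attachment). This is an added example, not code from the original post; the sender, recipient and attachment bytes are constructed test data built with Python's standard email library.

```python
import email
from email import policy
from email.message import EmailMessage


def build_sample(attach_name="promo.mp3", maintype="audio", subtype="mpeg",
                 subject="", body="") -> bytes:
    """Construct a test message with the campaign's shape: by default no
    Subject header, no text body and exactly one MP3 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"      # constructed sender
    msg["To"] = "recipient@example.org"     # constructed recipient
    if subject:
        msg["Subject"] = subject
    if body:
        msg.set_content(body)
    # A few bytes starting with an MPEG frame sync word stand in for the audio.
    msg.add_attachment(b"\xff\xfb\x90\x00" + b"\x00" * 32,
                       maintype=maintype, subtype=subtype, filename=attach_name)
    return msg.as_bytes()


def looks_like_mp3_spam(raw: bytes) -> bool:
    """True when the message has an empty Subject, no text body, and a single
    attachment that is audio by MIME type or carries a .mp3 file name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    attachments = list(msg.iter_attachments())
    if subject or len(attachments) != 1:
        return False
    if msg.get_body(preferencelist=("plain", "html")) is not None:
        return False  # a real message body is present; not this pattern
    part = attachments[0]
    name = (part.get_filename() or "").lower()
    return part.get_content_maintype() == "audio" or name.endswith(".mp3")
```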


Pushdo Distributing Malicious VISA Statements

By Gavin Neale  •  December 15th, 2009  •   Spam

Pushdo has moved on to yet another blended-threat campaign designed to install the Zeus Trojan horse onto users' PCs. Over the past months Pushdo has conducted a number of different email campaigns, many of which we have previously written about on this blog. This time there is a VISA card theme where the recipient of the spam email is alerted to a possible fraudulent transaction. Users receive an email with one of the following or similar subjects:

  • possible fraudulent transaction and/or collusion
  • possible fraudulent transaction has been executed with your VISA card
  • VISA card 4XXX XXXX XXXX XXXX: possible fraudulent transaction # 29209782000
  • VISA card 4XXX-XXXX-XXXX-XXXX: possible fraudulent transaction ID 16891657070

The country where the email states your VISA card was used (Egypt in the above example) changes from email to email. The link in the email does not go to visa.com but to one of over 190 domains hosting the web page below.

The page asks that you download an electronic report for your VISA card. This 'report', named cardstatement.exe, is the Zeus (Zbot) Trojan horse. The page also contains an IFRAME to audiodrv7.com that, when we loaded the fake VISA page, caused the browser to pop up a download request for the file pdf.pdf.

This was a malicious PDF file that contained exploits for three Adobe Reader vulnerabilities.


Pushdo Now Delivering Flu Vaccinations

By Gavin Neale  •  December 2nd, 2009  •   Spam

Pushdo is at it yet again, this time spamming out emails claiming to be from the Center for Disease Control and Prevention. The email states that the State is launching an H1N1 (Swine flu) Vaccination program and asks that you create a "Vaccination Profile" on their website.

Some of the subject lines we have seen are:

Create your personal Vaccination Profile
Creation of personal Vaccination Profile
Creation of your personal Vaccination Profile
Governmental registration program on the H1N1 vaccination
Instructions on creation of your personal Vaccination Profile
State Vaccination H1N1 Program
State Vaccination Program
Your personal Vaccination Profile

As with many past Pushdo/Zeus campaigns, the link URL follows a familiar format. A legitimate domain, in this case online.cdc.gov, is used as a sub-domain of several random-looking domains. For example, in this case we have:

online.cdc.gov.yttt4l.co.im/h1n1flu/profile.php
online.cdc.gov.yhnbak.net.im/h1n1flu/profile.php
online.cdc.gov.yhnbad.co.im/h1n1flu/profile.php
online.cdc.gov.nyugewy.be/h1n1flu/profile.php

We have seen over 30 domains hosting the page below:

The page provides a link to your Vaccination Profile, which is supposedly in an archive. This is in fact a link to the executable file vacc_profile.exe, which turns out to be the Zeus/Zbot Trojan horse. It has a very low detection rate among antivirus software.


$15 million fine for spammer

By Phil Hay  •  December 1st, 2009  •   Spam

Today saw the announcement of a huge $15 million fine imposed upon a spammer by a US federal judge. The action marked the final stage of Operation Herbal King, an investigation by the US Federal Trade Commission, the New Zealand Department of Internal Affairs, and other agencies. We at M86 Security Labs were involved in supplying data to the various agencies during the investigation.

The spammer, Lance Atkinson, a New Zealand citizen who resides in Australia, was the ringleader of a group that organized and paid affiliates around the world to send spam emails marketing a range of branded pharmaceutical products. These were manufactured and shipped by Tulip Lab of India, through a business known as the Genbucks (aka SanCash) affiliate program. This business was operated by Genbucks Ltd, a company incorporated in the Republic of Mauritius.

Initial action against the group was back in October 2008, when the group's assets were seized. Our blog at the time noted that this gang was behind some of spam's most voluminous and notorious brands, such as "VPXL", "ManSter", "MegaDik", and "King Replica". At the time one particular spamming botnet, the now-familiar Mega-D, was almost exclusively promoting these brands and was responsible for a whopping 32% of the spam we were seeing. Other botnets, including Pushdo and Rustock, were also in on the act.

The interesting aspect of the latest action is that the FTC charged them with false and deceptive marketing of pharmaceutical products, not necessarily the actual spamming:

“…the defendants’ spam messages deceptively marketed a male-enhancement pill, prescription drugs, and a weight-loss pill in violation of federal law. They falsely claimed that the medications came from a U.S.-licensed pharmacy that dispenses FDA-approved generic versions of drugs such as Levitra, Avodart, Cialis, Propecia, Viagra, Lipitor, Celebrex, and Zoloft. In fact, the defendants do not operate a U.S.-licensed pharmacy, and the drugs they sold were shipped from India, had not been approved by the FDA, and were potentially unsafe.”

The legal action, and the corresponding hefty fines, is important. It sends a strong signal to these gangs about the possible consequences of their actions. Unfortunately, the spamming underworld has moved on since Genbucks. Affiliate programs constantly morph, or get replaced by new ones. Spam output remains high, and the major botnets just keep pumping out spam for alternative affiliate programs. Currently, one of the most notorious affiliate programs is the Canadian Pharmacy program, which we reported on here.

Further information:

US FTC Press release

New Zealand Department of Internal Affairs Press Release


IRS Scam Now Uses Drive-by Exploit

By Rodel Mendrez  •  November 26th, 2009  •   Spam

Since September this year, the Pushdo botnet has favored the IRS (Internal Revenue Service) scam campaign. This campaign is merely one of many that Pushdo has been using to distribute the Zbot executable. Today, we have observed an IRS scam campaign with a new twist: the links point to a webpage hosting a PDF drive-by exploit. But the payload is the same old stuff; the exploit downloads the password-stealing Zbot Trojan.

MailMarshal customers are already protected from this spam campaign with SpamCensor 387.


Zbot Targets Social Security Online Users

By Rodel Mendrez  •  November 24th, 2009  •   Spam

The latest Zbot spam campaign which we observed this morning targets Social Security Online users. The spam email arrives as a notification about a Social Security statement.

In an attempt to trick the user into opening the link, the bad guys use a well-crafted URL format that points to a fake Social Security Online website.

Right after a potential victim enters their Social Security number and clicks the "Continue" button, the page redirects to another page instructing the user to click a button to generate a "self-extracting Social Security statement".

So the keyword is "self-extracting". Remember our previous Zbot spam campaign blog? It uses the same social engineering trick in an attempt to make the executable look more legitimate.


Twitter, Facebook and Bebo used in spam campaign

By Rodel Mendrez  •  November 19th, 2009  •   Spam

Today, we observed a spam campaign promoting online jobs and pharmaceutical products. What's worth noticing is that the campaign utilizes social networking sites to promote and host spam images.

The sample email shown above comes as HTML with a clickable newsletter-like image. The images are hosted on Bebo, Facebook or Flickr. Here are other sample image links:

  • Flickr – http://farm3.static.flickr.com/2570/4113648137_ba72a9f27d_o.gif
  • Facebook - http://hphotos-snc3.fbcdn.net/hs043.snc3/13033_100945279932741_100000518086671_23486_5705714_n.jpg

The clickable image points to a tweet with a link pointing to an online job or an online pharmacy website.

Sadly, it's yet another case of social networking sites being misused by the bad guys.


Yet another Zbot campaign from Pushdo

By Phil Hay  •  November 13th, 2009  •   Spam

In what is seemingly a daily occurrence, yet another Zbot-flavoured campaign is being spammed out by the usual suspect, the Pushdo (aka Cutwail) botnet.

This time the template is NACHA, the Electronic Payments Association, a body that oversees the Automated Clearing House (ACH) Network payment system. The spammed emails look like this:

As you can see from the image, the domains being used are random-looking domains with nacha.org prepended. Clicking on one of these links will take you through to a fake NACHA landing page, complete with a link to a "transaction report" with an .exe extension, an extra clue just in case you were not already suspicious. But in an attempt to make the .exe file look legitimate, the authors have specified that it is a "self-extracting, pdf format".
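A defender-side check for the URL pattern used in both the CDC campaign (online.cdc.gov as a sub-domain of random-looking domains) and this NACHA campaign: the brand's domain appears as a label-aligned prefix of a hostname that actually belongs to an unrelated registrable domain. This is an added example, not code from the original posts; the trusted-domain list and the nacha.org sample URL in the test are constructed.

```python
from urllib.parse import urlsplit

# Brand domains impersonated in the campaigns described on this page.
TRUSTED_DOMAINS = ("cdc.gov", "nacha.org", "visa.com")


def hostname_of(url: str) -> str:
    """Lower-cased host of a URL; tolerates a missing scheme and a trailing dot."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_subdomain_of(host: str, domain: str) -> bool:
    """True when host is the brand domain itself or a genuine sub-domain of it."""
    return host == domain or host.endswith("." + domain)


def impersonated_brand(url: str, trusted=TRUSTED_DOMAINS):
    """Return the brand domain that is embedded in the host as whole DNS labels
    while the host is NOT really under that domain; None when nothing is wrong."""
    host = hostname_of(url)
    labels = host.split(".")
    for domain in trusted:
        if is_subdomain_of(host, domain):
            continue  # genuinely the brand's own domain: nothing to flag
        n = len(domain.split("."))
        # Compare whole labels only, so 'cdc.gov' does not match 'abcdc.gov'.
        for i in range(len(labels) - n + 1):
            if ".".join(labels[i:i + n]) == domain:
                return domain
    return None
```

The check deliberately ignores the path, since the campaigns copy a plausible path (h1n1flu/profile.php) to make the link look legitimate.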

The exe file, of course, is Zbot, and the campaign is just another in a long string of campaigns that we have reported on recently, including IRS, Facebook, MySpace, Microsoft Updates and others. The interesting thing about this campaign is its wide appeal. Anyone who has made an electronic payment of any sort might be curious or concerned about this email, as opposed to a typical phishing campaign, which targets a specific financial institution. So the campaign authors are looking for the biggest bang for their buck, or perhaps your bucks if they succeed in installing Zbot on your computer.


First Facebook, now MySpace part 2

By Rodel Mendrez  •  November 10th, 2009  •   Spam

Although hardly surprising, today we observed another phish/Zbot combo that targets MySpace users. The spam uses the very same tactic as the previous Facebook spam campaign sent by the same spambot, Pushdo (a.k.a. Cutwail).

Some of the subject lines related to this spam campaign are:

  • message id #<random number>
  • MySpace Account update
  • Please update your MySpace account
  • update your Myspace account
  • You are required to update your MySpace account
  • your MySpace account

The unsolicited email message informs the recipient about a required update to their MySpace account.

The link landing page is a fake MySpace login page designed to steal your account details.

After it steals your credentials, the page asks you to download and install the Zbot Trojan disguised as an "Update Tool".

Well, it seems that Pushdo's flavor of the month is social networking sites. So what's next? Twitter? Flickr?

Note: as we were writing this, we noticed Pushdo had switched back to its IRS "Notice of Underreported Income" campaign that we reported here.


Mega-D botnet takes a hit

By Phil Hay  •  November 9th, 2009  •   Spam

Late last week, the Mega-D botnet (aka Ozdok) suffered as its major control servers were taken out of action. The folks over at FireEye analyzed the botnet's control structure and fallback mechanisms. They then set about disabling Mega-D by contacting various ISPs to disable control servers, de-registering current control domains, and registering unused fallback domains.

As seen in the chart below, which shows the relative movements in the volume of spam from Mega-D received by our spam traps, the takedown had an immediate effect on the spam from the botnet.

Today the spam has stopped altogether, although there was a very small trickle over the weekend, directed at a couple of small UK-based domains that we monitor.

Mega-D is a well-established spamming botnet. We first drew attention to it in early 2008, when it was responsible for a third of the spam we were seeing at the time. The botnet has had its ups and downs. Its control servers have been disabled once before, and it was also affected by the McColo takedown a year ago. Lately it has been a second-tier spammer, as shown by our spam-by-botnet statistics.

According to FireEye, Mega-D's orphaned zombies are now pointing to sinkhole servers, where over 250,000 IP addresses have been counted, giving an indication of the size of the botnet. We have seen individual Mega-D bots spam at 15,000 messages per hour. Doing the math gives a theoretical maximum of 30 billion spam messages per day from the botnet, although the actual figure is probably at most half that, because not all zombie computers are on, all day, spamming.

The other interesting thing highlighted by FireEye's analysis of Mega-D is the advanced fallback mechanisms the bots use should a control server be disrupted. Mega-D bots:

  • Use a list of control domains; if one fails, they move on to the next one.
  • Have hard-coded DNS servers.
  • Use domain generation algorithms in case everything else fails.

These fallback mechanisms are more evidence that the botnet operators have learned from the McColo event of a year ago and made their systems that much more resilient. It remains to be seen whether Mega-D can recover from this one; it's too soon to say it's completely dead yet.

Anyway, kudos to FireEye for their analysis and action on this botnet. It is important to keep the pressure on these bot herders so their lives don't become too easy. Anyone want to tackle Rustock next?