If you thought that malware propagation through email was a dying art, or that spam is fairly harmless, think again. We are currently seeing increased levels of spam-borne malware. Our figures over the last three months show a rising trend in the proportion of spam that is malicious. In the week ending 8 August, this figure spiked to over 6% of spam; in other words, 6 out of every 100 spam messages carried malware.
So what are the underlying reasons for all this activity?
The vast majority of it can be traced back to one spam botnet family – Pushdo (or Cutwail). This botnet is a prolific and multi-faceted spammer, and has historically been very active in malicious spam campaigns. Every day we observe it spamming out emails with malicious attachments, or, less often, with links to malicious web pages. Here is a Pushdo spam message with a malicious attachment:
And here is a sample with a malicious link:
The malware distributed in this fashion is usually some form of downloader. The themes of the campaigns change almost daily. Recent subject lines include:
Burress Wedding Expenses
Copy of our business contract
DHL International. Error in delivery address
DHL Tracking NR 9634246907
Flight Attendant-0600003A at AirTran Airways
ID Intern Job Description
Official 2010 Expenses
Tracking # and Invoice
The actual malware also changes often. Depending on the anti-virus vendor, many different names are assigned to these downloaders, including Bredolab, Oficla and Sasfis, to name just a few. In a sense, the name is unimportant: the job of the downloader is to reach out to the web to fetch and install more malware. Most commonly, we see fake AV, spambots and data stealers such as Zbot being downloaded and installed in this second stage of infection.
So how do we know it’s Pushdo doing this spamming? In short, we regularly observe Pushdo spambots in our lab – it’s a foe we have come to know. Take this spam template from a recent Pushdo bot (which we have simplified to illustrate the point). In it you can clearly see the ‘look at my resume’ campaign, as well as the instructions to add one or more malicious attachments.
The gang behind Pushdo have this system down to a fine art. Our guess is that they are affiliated to one or more pay-per-install schemes, where they get rewarded for each successful install of the different types of malware they spread around.