
Cutwail Spam Campaigns Lure Users to Blackhole Exploit Kit

By Rodel Mendrez  •  December 1st, 2011  •   Spam

Over the past few days the Cutwail botnet has been sending out malicious spam campaigns with a variety of themes, such as airline ticket orders, Automated Clearing House (ACH) notices, Facebook notifications and scanned documents. These campaigns carry no malware attachment; instead the payload is delivered via links to malicious code hosted on the web.

The subject lines used in the Facebook spam campaign are similar to those in the image below. Notice that they use varying letter case and random Facebook profile names.


The message body may look like a legitimate Facebook notification. However, further inspection reveals the underlying link redirecting to a malicious webpage.


Another campaign spammed out by Cutwail claims to be a flight ticket order. The spam can be easily spotted by its subject lines: it is dressed up as a “forwarded” or “reply” email and uses the subject format shown in the image below.


Here is an example of the message:

There are two things to notice about this particular spam campaign. Firstly, the visible URL has no top-level domain at all, so it is not even a valid hostname, a clumsy mistake by the spammers. Other similar messages use “” which is a parked domain. Secondly, “Airlines America” in the signature block is not a real airline company, unless the spammers meant to imply American Airlines.

Two other spam campaigns resurfaced this week, namely the “Automated Clearing House (ACH)” and the “scanned document”.

The URL link in these campaigns points to a compromised web server that serves a small HTML file. The HTML file then contains a malicious iframe that opens up a Blackhole exploit kit landing page. This is the same exploit kit used in previous spam campaigns such as the Steve Jobs is Alive and fake LinkedIn notifications.

If you are a system administrator, you may want to block the following exploit kit landing pages.

  • crredret[dot]ru/main.php
  • www[dot]btredret[dot]ru/main.php
  • bqredret[dot]ru/main.php

At the time of analysis, loading the exploit kit webpage downloaded SpyEye and the Bobax spambot onto our vulnerable hosts.
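The "small HTML file" on the compromised server is the piece a web proxy or a sandbox actually gets to see, so it is worth checking it for what the post describes: an iframe, usually hidden, that loads one of the Blackhole landing pages. The following scanner is an added example written for this page, not code from the original post or from M86; the blocklist is the three landing pages listed above (with [dot] normalised), and the two HTML samples are constructed for the demonstration.

```python
"""Added example: flag hidden iframes and iframes pointing at the Blackhole
landing pages named in the post. The sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Indicators as listed in the post (defanged with [dot]).
LANDING_PAGES = [
    "crredret[dot]ru/main.php",
    "www[dot]btredret[dot]ru/main.php",
    "bqredret[dot]ru/main.php",
]


def defang_to_host(indicator: str) -> str:
    """'www[dot]btredret[dot]ru/main.php' -> 'www.btredret.ru'"""
    return indicator.replace("[dot]", ".").split("/")[0].lower()


BLOCKED_HOSTS = {defang_to_host(i) for i in LANDING_PAGES}


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe>; nothing is fetched or rendered."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    # width/height of 0 or 1 (optionally 'px') is the classic exploit-kit iframe.
    return re.fullmatch(r"0*[01](px)?", value.strip().lower()) is not None


def _is_hidden(attrs: dict) -> bool:
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        "display:none" in style
        or "visibility:hidden" in style
        or _is_tiny(attrs.get("width", "x"))
        or _is_tiny(attrs.get("height", "x"))
    )


def scan_html(html: str) -> list:
    """One finding per iframe: src, whether it is hidden, whether its host is blocked."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        findings.append({"src": src, "hidden": _is_hidden(attrs), "blocked": host in BLOCKED_HOSTS})
    return findings


def is_malicious(html: str) -> bool:
    # A known landing page is a certain hit; a hidden iframe alone is enough to block.
    return any(f["blocked"] or f["hidden"] for f in scan_html(html))


# Constructed sample of the redirector page (the iframe target is an indicator from the post).
SAMPLE_HTML = """<html><body>
<h1>Your flight order</h1><p>Loading...</p>
<iframe src="http://crredret.ru/main.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""

# Constructed benign page: a normal, visible embed.
BENIGN_HTML = ('<html><body><iframe src="https://www.youtube.com/embed/x" '
               'width="560" height="315"></iframe></body></html>')

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

The hidden-iframe heuristic is deliberately independent of the blocklist: landing-page domains rotate every few days, while a 1x1 invisible iframe to a third-party host almost never appears on a legitimate page.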


TrueType but not Truly Safe: The New Zero-Day Event

By Ziv Mador  •  November 8th, 2011  •   Vulnerabilities

A new vulnerability in Windows, CVE-2011-3402, has recently been identified and is already being exploited in the wild. For now, only a handful of targeted attacks have been found. The vulnerability exists in the Windows TrueType font parsing engine and affects most Windows versions, including Windows 7. An attack involves a file with a maliciously crafted TrueType font (TTF) embedded in it. Several file formats can embed TrueType fonts, for example the file formats of Microsoft Office and Adobe Acrobat Reader; in the currently known targeted attacks, a Microsoft Word document was used. Once the document is rendered on a vulnerable system, parsing the embedded TTF may end in execution of malicious code. Microsoft has released an advisory for this issue and a FixIt tool as a workaround, which denies access to the system file T2embed.dll so that embedded TrueType fonts are not processed. A word of caution: applications that rely on embedded fonts may break after this workaround is deployed.

In the known attacks, the installed malware is known as Duqu. The Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics first reported these attacks, and they were thoroughly investigated by that team and by Symantec in the following article.

M86 Security Secure Web Gateway (SWG) can be deployed with any of three antivirus scanners, Kaspersky, McAfee and Sophos, and all three have already released detection for this threat. No additional Security Update from M86 Security is required. In addition, we are investigating adding more layers of protection in the future. Keep in mind that these attacks are currently delivered as documents rather than via the web browser, but that can obviously change in the future.

We will continue to monitor the situation and update this blog post as necessary.



“Steve Jobs Alive!” Spam Campaign Leads To Exploit Page

By Rodel Mendrez  •  October 7th, 2011  •   Spam Vulnerabilities

It was a sad day in the technology industry with the recent passing of Apple’s legendary leader, Steve Jobs. Unfortunately, the cyber-criminals see this as an opportunity. Today, we started seeing a Steve Jobs spam campaign, with the subject suggesting that he is still alive.

Steve Jobs Alive!

Steve Jobs Not Dead!

Steve Jobs: Not Dead Yet!

Is Steve Jobs Really Dead?

Sample of the Steve Jobs spam campaign

The URL links in the spam are many and varied. The websites that they point to all look to be hacked by the addition of obfuscated code that, after two layers of redirects, ultimately ends up at a BlackHole exploit kit landing page.

The HTML source code of the Blackhole Exploit kit landing page

The intermediary redirect URLs are random-looking host names under the .ms top-level domain (Montserrat, in case you didn’t know); here are some examples:

  • hxxp://xnyiinobfb[dot]ce[dot]ms/index.php
  • hxxp://derhvbq[dot]ce[dot]ms/index.php

The purpose of the exploit kit is to try and exploit vulnerabilities on the system and eventually download malicious executable files. At this stage, we are not sure what the ultimate payload is, as no files were actually downloaded on our test system.

Unfortunately, many people may find this spam campaign “click-worthy” given the icon that Steve Jobs was. The usual advice applies – avoid clicking links in unsolicited email. In this case, one simple click is all it takes to get compromised.


New Google AdWords Phish In-the-wild

By Rodel Mendrez  •  October 4th, 2011  •   Phishing

For those of you who have a Google AdWords account, be wary of a new Google AdWords spam campaign we have seen in-the-wild earlier this week. The spam email may use the following subject lines:

Google AdWords: You have a new alert.

Google Team: You have a new alert

Here is an example of the spam email posing as a notification email from Google AdWords.


In the sample email, the link that appears to lead to your AdWords account clearly points somewhere else. If that obvious sign didn’t stop you from clicking, you would have been redirected to a Google AdWords phishing webpage.

After entering a username and password, the webpage sends these credentials to the cyber-criminal’s webserver.

The HTTP POST request when the user enters their Google account credentials. It sends the username and password to the phisher's webpage.

Of course, once you enter your Google account credentials in the phishing page this will NOT just compromise your Google AdWords account but all your Google services like GMail or Google+ will be affected as well. When you receive these sorts of notification emails, always double check the URL before you click on them – if it looks suspicious, it probably is.
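The tell-tale sign in this message is a link whose visible text reads like a Google URL while its href goes to the phisher's server, and the advice above, "double check the URL", can be automated for notification mail. The scanner below is an added example written for this page, not code from the original post: it extracts every link from the HTML body, compares the host the link text claims against the host the href actually resolves to, and treats anything outside google.com as untrusted for a message claiming to come from AdWords. The sample email and the phishing host (an example.net name) are constructed; the trusted-suffix list is an assumption.

```python
"""Added example: spot display/target mismatches in the links of a
"Google AdWords" notification. The email body below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: for a message claiming to be from AdWords, only these hosts are legitimate.
TRUSTED_SUFFIXES = ("google.com",)


def host_of(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A host name (optionally with scheme) appearing inside the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def suspicious_links(html: str) -> list:
    """Return (href, text, reason) for each link that should not be clicked."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        actual = host_of(href)
        m = URL_IN_TEXT.search(text)
        shown = m.group(1).lower() if m else None
        if shown and is_trusted(shown) and not is_trusted(actual):
            out.append((href, text, "text claims %s but href goes to %s" % (shown, actual)))
        elif not is_trusted(actual):
            out.append((href, text, "link to untrusted host %s" % actual))
    return out


# Constructed phishing email in the style described in the post.
PHISH_EMAIL = """<html><body>
<p>Google AdWords: You have a new alert.</p>
<p>Please sign in to view it:
<a href="http://adwords-alerts.example.net/login.php">https://adwords.google.com/select/Login</a></p>
<p><a href="https://www.google.com/accounts/">Google accounts</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(PHISH_EMAIL):
        print(reason, "->", href)
```

The mismatch check is the higher-confidence signal: a legitimate notification has no reason to show one host and link to another, whereas "untrusted host" on its own needs the context that the message claims to be from Google.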


The Beauty and the BEAST

By Avri Schneider  •  September 28th, 2011  •   General

Transport Layer Security (TLS) is the protocol that secures HTTPS connections to web sites. It has been known for almost a decade that TLS 1.0 is vulnerable to a chosen-plaintext attack in Cipher Block Chaining (CBC) mode: the IV of each record is the last ciphertext block of the previous record, so an attacker who can see the traffic knows the IV before the next record is encrypted. TLS 1.1 and then TLS 1.2 were designed to cope with this (each record gets an explicit, unpredictable IV) and other weaknesses.

The theoretical attack published by Gregory V. Bard back in April 2006 has now been turned into a working proof-of-concept, although it has not been seen in the wild. Just over a week ago, researchers Thai Duong and Juliano Rizzo demonstrated their proof-of-concept called BEAST, an acronym for Browser Exploit Against SSL/TLS, and a few days ago published a blog post describing the attack in detail.

Even though Microsoft, Google, Mozilla and Opera have already released information or fixes for this issue, it is surprising that Internet Explorer, Chrome, Firefox and Opera, all current web browsers, left this vulnerability unpatched for so long, leaving many users exposed to exactly the type of attack SSL was designed to protect against.

OpenSSL has implemented a workaround for this vulnerability since version 0.9.6d which was released in May 2002, however some browsers use the Network Security Services (NSS) library, which remained vulnerable to this attack.

The beauty is that the M86 Secure Web Gateway appliance in its default configuration provides zero-day protection against  this (and other) types of attack.

The complexity, time and cost of keeping all browsers in an organization patched against all the latest security threats highlights the importance of not relying solely on client-side security solutions.

Regardless of whether browsers behind the Secure Web Gateway get patched and how quickly that happens, they are protected behind M86 Security Secure Web Gateway.


DigiNotar Certificates Revoked Following Theft

By Anat Davidi  •  September 13th, 2011  •   General

Last year, when we considered possible future threats for 2011, one of our predictions was that the use of stolen digital certificates would become increasingly common. We envisioned malicious websites and applications signed with stolen certificates and accepted by products that fail to keep up to date with such events. Our prediction appears to be becoming reality as we see more and more cases of stolen certificates.

Recently, the Dutch Certification Authority DigiNotar was compromised and its CA keys were used to issue hundreds of rogue certificates, amongst them a certificate for the domain * which was used to execute Man-in-the-Middle attacks against users of encrypted Google services.

Following this incident, companies such as Microsoft, Google and Mozilla have all taken action to protect their respective products.

M86 Security has issued a Security Update for our Secure Web Gateway product, moving the five affected DigiNotar CA certificates to the untrusted list:

  • DigiNotar Root CA
  • DigiNotar Root CA G2
  • DigiNotar PKIoverheid CA Overheid
  • DigiNotar PKIoverheid CA Organisatie – G2
  • DigiNotar PKIoverheid CA Overheid en Bedrijven

Given that some of these certificates are already being used in active attacks, customers are highly advised to install this update (M86 Security Update 120).


With the update installed, Secure Web Gateway clients will be protected against malicious files signed with certificates issued by this Certification Authority in an attempt to appear legitimate, as well as against Man-in-the-Middle attacks on users of various encrypted services. Both will be blocked as a digital certificate violation.


To verify that the update has been installed and to observe the changes to Secure Web Gateway’s digital certificates, customers may inspect the product’s web administration interface under Administration > System Settings > Digital Certificates.  Here customers will see the certificates removed from the “M86 Security Trusted Root CA”, which can now be found under “M86 Security Untrusted Publishers”.


Secure Web Gateway Digital Certificates - "M86 Security Untrusted Publishers" list contains the five DigiNotar certificates


M86 Security will continue to keep track of the situation and take actions as necessary to keep our customers safe.


Typosquatters exploit misspelled variations of domain name

By Rodel Mendrez  •  September 8th, 2011  •   Cybercrime

Here is a scenario that may sound familiar to you. You were in front of your computer one night and decided to watch some YouTube clips. So you opened your favourite browser and because you have clumsy fingers, instead of typing “” in the address bar you entered “”.  A second later, a Web page loads up, but instead of YouTube’s homepage, the page redirects you to an online survey. You got confused and didn’t expect this webpage, but since the website looks like the real YouTube site, and you get a chance to win an awesome Macbook Air, iPhone 4 or an iPad 2, you decided to take the plunge anyway.


Welcome to typosquatting. Typosquatting is a form of cybersquatting where someone registers an intentionally misspelled domain name which is nearly identical to the target’s brand name and takes advantage of users who mistakenly enter misspelled domain names. Typosquatting is not a new phenomenon but it is widespread. Only last week the folks at OpenDNS observed a typosquatting scam driven off Twitter’s domain.

In our YouTube example, traffic is redirected to the “online survey” website when the user enters According to, the domain was only created on August 24 and has had a rapid spike in traffic with a 29% increase in the percentage of global page views. We believe this spike was due to users being redirected by typosquatted domain names.

We have found the following misspelled variations of the “YouTube” domain redirecting either to a “survey” website or to an online dating website.
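The variations a typosquatter registers are not random: they are the one-keystroke errors a user makes, which means a brand owner can enumerate them and either register or monitor them. The generator below is an added example written for this page, not code from the original post: it produces the common mutation classes (dropped letter, doubled letter, swapped neighbours, adjacent key on a US QWERTY layout, inserted hyphen, truncated TLD) and checks a list of observed domains against them. Nothing is resolved or fetched; the observed list is constructed.

```python
"""Added example: enumerate likely typosquats of a brand domain and match
observed registrations against them. The observed domains are constructed."""

# Neighbouring keys on a US QWERTY layout (assumption), for "fat finger" typos.
QWERTY = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def typo_variants(domain: str) -> set:
    """Candidate typosquat domains for e.g. 'youtube.com'."""
    name, _, tld = domain.lower().partition(".")
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                       # omission      yotube
        names.add(name[:i] + ch + ch + name[i + 1:])             # doubling      youtubbe
        for k in QWERTY.get(ch, ""):
            names.add(name[:i] + k + name[i + 1:])               # adjacent key  youtuve
        if i + 1 < len(name):
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition yuotube
            names.add(name[:i + 1] + "-" + name[i + 1:])         # hyphenation   you-tube
    names.discard(name)                                          # never the brand itself
    variants = {n + "." + tld for n in names if n}
    if len(tld) > 2:
        variants.add(name + "." + tld[:-1])                      # wrong TLD     youtube.co
    return variants


def find_typosquats(brand: str, observed) -> list:
    """Subset of `observed` that is a typo variant of `brand`, sorted."""
    candidates = typo_variants(brand)
    return sorted(d.lower() for d in observed if d.lower() in candidates)


# Constructed list standing in for newly seen registrations or DNS logs.
OBSERVED = ["yotube.com", "yuotube.com", "youtube.co", "vimeo.com", "youtube.com"]

if __name__ == "__main__":
    print(len(typo_variants("youtube.com")), "candidates")
    print(find_typosquats("youtube.com", OBSERVED))
```

The candidate set is a few hundred names for a seven-letter brand, small enough to check daily against new registrations or against the destinations users actually hit in proxy logs.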

The survey website also caters for localized versions of itself. It utilizes the IP address geolocation to make it appear more convincing. In the screenshot below, a German webpage is shown if you are located in Germany.

At first glance, the survey website looks rather harmless. However, in order to participate and “win” prizes it requires entering your email and mobile number. At this point you may feel that this is starting to look somewhat dodgy.


However, the worst part comes after you enter your mobile number. The screenshot below shows that the main purpose of the “survey” is to convince people to subscribe to an auto-renewing SMS subscription service, which is charged to the user’s phone bill.


You can clearly see how the people behind this typosquatting scam take advantage of an organization’s strong visual brand to trick unsuspecting users into parting with their personal information. In this case, by imitating YouTube’s look and feel, the scammers piggyback on that brand’s trust to make the “rewards” seem genuine.

Be careful what you type in your browser’s address bar, and always read the fine print to avoid being scammed.



An analysis of the ACH spam campaign

By Rodel Mendrez  •  September 6th, 2011  •   Malware Spam

Recently, we have seen a resurgence of malicious spam campaigns using an “ACH” theme. The Automated Clearing House (ACH) is an electronic network for financial transactions in the United States overseen by NACHA. Last week, we came across a suspicious-looking spam campaign with the unusual subject line “UAE Central Bank Warning: Email scam alert”. After closer investigation, we determined that it was indeed a fake ACH notification. The message carried a malicious attachment with the filename “”. As suspected, the attachment was a downloader that we have seen a lot of lately: Chepvil.

ACH spam campaign from the Donbot botnet


The Chepvil downloader, unsurprisingly, proceeded to retrieve more than one piece of additional malware. First was the password-stealing malware Zbot, fetched from the domain rattsillis[dot]com with a plain HTTP request for the file “s.exe”:

GET /s.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Cache-Control: no-cache

The file “s.exe” is executed immediately after being downloaded and drops the following files on the infected system:

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Ahob\paygi.ujl.0 – encrypted configuration file

C:\Documents and Settings\{USER}\Application Data\Iqkohi\lady.exe – dropped copy of Zbot itself

C:\Documents and Settings\{USER}\Application Data\Microsoft\Address Book\Administrator.wab – an empty Windows address book.

Zbot then attempted to reach its command and control server through a randomly generated domain name.

The second piece of malware that Chepvil downloaded was a proxy-based spambot, an executable file “22.exe” from the same domain rattsillis[dot]com.

GET /22.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Cache-Control: no-cache 

The file “22.exe” was interesting because we had not encountered it before. It was detected by 22 out of 45 antivirus programs, mostly under generic names, although some identified it as Trojan.Scar.eaml. Upon execution, the proxy spambot drops a copy of itself in the Windows TEMP folder as svchost.exe, with a file size of around 10 KB.
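Both downloads above share traits that are easy to detect at a web proxy: a throwaway executable name straight off the web root, and a User-Agent string that belongs to an obsolete or never-shipped browser build rather than to the victim's real browser. The detector below is an added example written for this page, not code from the original post: it runs that logic over a handful of constructed proxy log lines. The two User-Agent strings and the host rattsillis.com are taken from the requests shown above; the log format, the other hosts and the timestamps are made up.

```python
"""Added example: flag downloader-style requests in proxy logs. The sample
log lines are constructed; the User-Agent strings come from the post."""
import re
from collections import namedtuple

Request = namedtuple("Request", "ts host path ua")

# UA of the Zbot fetch: ".NET CLR 1.0.2914" is a pre-release build string that
# no real browser sends, so it is a strong indicator on its own.
RARE_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
# UA of the 22.exe fetch: a genuine XP/IE6 string, still common in 2011, so it
# only counts when combined with a dropper-style download.
COMMON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Throwaway executable names at the web root, like /s.exe and /22.exe.
DROP_PATH = re.compile(r"^/[A-Za-z0-9_]{1,4}\.exe$", re.I)

# Constructed log format: timestamp<TAB>host<TAB>path<TAB>user-agent
LOG_RE = re.compile(r"^(\S+)\t([^\t]+)\t([^\t]+)\t(.*)$")


def parse(line: str):
    m = LOG_RE.match(line.rstrip("\n"))
    return Request(*m.groups()) if m else None


def classify(req: Request) -> str:
    """'high', 'medium' or 'none' for a single request."""
    dropper = DROP_PATH.match(req.path) is not None
    if dropper and req.ua in (RARE_UA, COMMON_UA):
        return "high"
    if dropper or req.ua == RARE_UA:
        return "medium"
    return "none"


def detect(lines) -> list:
    """(severity, host, path) for every request worth a second look."""
    hits = []
    for line in lines:
        req = parse(line)
        if req is None:
            continue
        severity = classify(req)
        if severity != "none":
            hits.append((severity, req.host, req.path))
    return hits


# Constructed sample: the two fetches from the post plus ordinary browsing.
SAMPLE_LOG = [
    "2011-09-01T10:02:11Z\trattsillis.com\t/s.exe\t" + RARE_UA,
    "2011-09-01T10:02:15Z\trattsillis.com\t/22.exe\t" + COMMON_UA,
    "2011-09-01T10:03:00Z\twww.example.org\t/news/index.html\tMozilla/5.0 (Windows NT 6.1) Firefox/6.0",
    "2011-09-01T10:03:30Z\tdownload.example.org\t/tools/setup-1.2.exe\tMozilla/5.0 (Windows NT 6.1) Firefox/6.0",
    "2011-09-01T10:04:02Z\tcdn.example.org\t/x.exe\tMozilla/5.0 (Windows NT 6.1) Firefox/6.0",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(*hit)
```

Splitting the two strings into "rare" and "common" matters in practice: alerting on every IE6/XP request in 2011 would have drowned the analyst, while the 1.0.2914 build string essentially never appears in legitimate traffic.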

C:\Documents and Settings\{user}\Local Settings\Temp\svchost.exe

It also drops another copy of itself in the Application Data folder using the filename format KB{6 random digits}.exe.

C:\Documents and Settings\{user}\Application Data\KB117188.exe

Then the malware adds an autorun registry value so that it is started again at every Windows start-up:

KB117188.exe = "C:\Documents and Settings\{user}\Application Data\KB117188.exe"

After installation, the parent spambot process executes the svchost.exe it dropped in the Windows TEMP folder and then exits.

Instead of listening to a specific port and waiting, the proxy spambot attempts to connect to a control server by performing a standard DNS A query to the domain name luis-vuitton-elite[dot]com. However if that fails, the bot attempts to connect to a randomly generated domain name.


The malware code that attempts to connect to the control server


Once connected, the proxy spambot exchanges control data with the server over port 1001.

Exchange of data between the control server and the spambot


Meanwhile, over port 1002, the spambot receives the actual spam messages from the control server and relays them to the final recipients. This simple proxy can relay spam at a rate of up to 1000 messages per hour.

Spam is received by the spambot from the control server and relayed to the recipients.


The command and control server’s IP address is based in Germany:

WHOIS information about the control server


This spambot’s recent spamming activity includes both pharmaceutical spam and further ACH campaigns that appear to be from; and are very similar to the one which led to this infection in the first place.

Sample spam email from the Proxy-based spambot

In conclusion, there is not much that is new in this sequence of events. A spammed-out trojan downloader which triggers the execution of multiple pieces of malware on the host, including the obligatory data stealer, and a spambot to further propagate the nastiness. As we always say, there is no patch for social engineering and the best way to protect yourself is to be cautious.


Want to be friends on Facebook? Don’t click the link!

By Phil Hay  •  August 29th, 2011  •   Malware

Hot on the heels of last week’s malicious attachment spam, we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet.

The message arrives as a fake Facebook friend invite notification. It looks convincing: the spammers appear to have copied the actual Facebook template and substituted their own links. However, there are clues that it is fake. The message doesn’t contain any profile photos, and the recipient’s email address has been omitted from the fine print at the bottom.


By contrast, here is a legitimate Facebook friend request.


Clicking the link fetches a web page that contains two ways you can infect yourself. First, there is a link pretending to be an Adobe Flash update, through which you can download and install the malware manually. Second, there is a hidden iframe that loads content from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably in Java.



The malware that is downloaded appears to be a data stealer Zbot variant (Virus Total report here).

Impersonation of the big social networks’ email notifications is an increasingly common tactic of the spammers. Be wary out there, not everything is as it seems.



Massive Rise in Malicious Spam

By Rodel Mendrez  •  August 16th, 2011  •   Spam

In April this year, we reported on a spike in malicious spam. Yes, that was a significant increase but not as massive as we have observed this week. From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October. The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors.


Last week malicious spam made up at least 13% of the total spam volume we received which is unusual. Yesterday that number spiked to 24%.

Spam by category as of last week

Four of the campaigns, which we identified as originating from the Cutwail botnet, are mostly recycled spam themes: Fedex, credit card, changelogs and invoices. The malware is attached within a compressed ZIP archive and is a Trojan that downloads additional malware, including Fake AV, SpyEye and the Cutwail spambot itself.


Fedex Spam Campaign

Credit Card Blocked

Credit Card Blocked spam campaign


Invoice spam campaign

Change Log

Change Log spam campaign


Meanwhile, Asprox is continuing to send out malicious hotel transaction spam. The attached malware in this spam campaign installs a password stealer and Fake AV.

Sample of malicious spam sent by Asprox


The Festi botnet has also joined the fray and is sending a malicious “UPS” campaign that distributes the Chepvil Trojan, a downloader that is also installing Fake AV.

UPS spam campaign sent by Festi

This is an epic amount of malicious spam. After multiple recent botnet takedowns, cyber criminal groups remain resilient, clearly looking to build their botnets and distribute more fake AV in the process. It seems spammers have returned from a holiday break and are enthusiastically back to work.