Posts Tagged ‘Cutwail’


Want to be friends on Facebook? Don’t click the link!

By Phil Hay  •  August 29th, 2011  •   Malware

Hot on the heels of last week’s malicious attachment spam, we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet.

The message arrives as a fake Facebook friend invite notification. It looks convincing: the spammers appear to have copied the actual Facebook template and substituted their own links. However, there are clues that it is fake. The message doesn’t contain any profile photos, and the recipient’s email address has been omitted from the fine print at the bottom.

By contrast, here is a legitimate Facebook friend request.

Clicking the link fetches a web page that offers two ways to infect yourself. First, there is a link posing as an Adobe Flash update, through which you can download and install the malware manually. Second, there is a hidden iframe that loads content from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably in Java.

The malware that is downloaded appears to be a data-stealing Zbot variant (VirusTotal report here).

Impersonation of the big social networks’ email notifications is an increasingly common tactic of the spammers. Be wary out there, not everything is as it seems.

Massive Rise in Malicious Spam

By Rodel Mendrez  •  August 16th, 2011  •   Spam

In April this year, we reported on a spike in malicious spam. Yes, that was a significant increase but not as massive as we have observed this week. From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October. The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors.

Last week, malicious spam made up at least 13% of the total spam volume we received, which is unusual. Yesterday that number spiked to 24%.

Spam by category as of last week

Four of the campaigns, which we identified as originating from the Cutwail botnet, use mostly recycled spam themes: Fedex, credit card, changelogs and invoices. The malware is attached within a compressed ZIP archive and is a Trojan that downloads additional malware, including Fake AV, SpyEye and the Cutwail spambot itself.

Fedex

Fedex Spam Campaign

Credit Card Blocked

Credit Card Blocked spam campaign

Invoice

Invoice spam campaign

Change Log

Change Log spam campaign

Meanwhile, Asprox is continuing to send out malicious hotel transaction spam. The attached malware in this spam campaign installs a password stealer and Fake AV.

Sample of malicious spam sent by Asprox

The Festi botnet has also joined the fray and is sending a malicious “UPS” campaign that distributes the Chepvil Trojan, a downloader that also installs Fake AV.

UPS spam campaign sent by Festi

This is an epic amount of malicious spam. After multiple recent botnet takedowns, cyber criminal groups remain resilient, clearly looking to build their botnets and distribute more fake AV in the process. It seems spammers have returned from a holiday break and are enthusiastically back to work.


Malicious Spam on the increase again

By Rodel Mendrez  •  April 29th, 2011  •   Spam

Malware distribution via email is far from dead. While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again: the proportion of spam carrying malware attachments is rising, although it is still not as high as the peaks we saw in the middle of last year when the Bredolab and Cutwail botnets were in full swing.

Malicious spam on the increase again


Malicious Spam Campaign Preys on Japanese Disaster

By Phil Hay  •  March 17th, 2011  •   Spam

There is a large-scale malicious spam campaign going on currently. The spam comes in a few different types, one of which imitates a Twitter notification. The subjects of the spam vary, but sadly, many focus on the recent events in Japan.

The links, which you can see in the image above, or if you look at the raw HTML, are distinctive:

http://lowercase_gibberish.(com|org|net)/base64string

The links lead to a page hosting obfuscated malicious JavaScript, which seeks to exploit a Java vulnerability. Our host was immediately compromised, botted (added to a botnet), and some not-so-subtle fake anti-virus malware was installed, complete with a scary desktop warning:

The spam is originating from one of the Cutwail spambot variants. We managed to obtain this template from Cutwail command and control traffic; it clearly shows the Twitter template being used.

We are still investigating the nature of the malicious landing page and subsequent infection.

With the rise in social networking, we have been seeing increased use of fake ‘notifications’ being used by spammers.  As ever, remain on guard, especially when it comes to Twitter ‘notifications’.
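As an added example (not code from the original post), here is a defender-side check for the link shape quoted above: a host made of lowercase gibberish under .com/.org/.net and a path that is a single base64 token. The gibberish heuristic, the 16-character path minimum and the sample message body are assumptions.

```python
import base64
import re

# Link shape from the post: http://<lowercase gibberish>.(com|org|net)/<base64 string>.
# The 16-character minimum on the path is an assumption, to avoid flagging short ordinary paths.
CUTWAIL_LINK = re.compile(r"^http://([a-z]+)\.(com|org|net)/([A-Za-z0-9+/]{16,}={0,2})$")
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
VOWELS = set("aeiouy")

def looks_like_gibberish(label: str) -> bool:
    """Crude heuristic for a random host label: few vowels or a long consonant run."""
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiouy]+", label))
    return vowel_ratio < 0.25 or longest_consonant_run >= 4

def looks_like_base64(token: str) -> bool:
    """True if the path token decodes as standard base64 (missing padding tolerated)."""
    padded = token + "=" * (-len(token) % 4)
    try:
        base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def suspicious_links(html: str) -> list:
    """Return the hrefs in a message body that match the pattern described in the post."""
    hits = []
    for url in HREF.findall(html):
        m = CUTWAIL_LINK.match(url)
        if m and looks_like_gibberish(m.group(1)) and looks_like_base64(m.group(3)):
            hits.append(url)
    return hits

# Constructed body imitating a Twitter-style notification; the host names are made up.
SAMPLE_BODY = """<p>You have 2 unread direct messages.</p>
<a href="http://xkqvzptrw.com/aGVsbG8gd29ybGQgZnJvbSBhIHRlc3Q=">View messages</a>
<a href="http://twitter.com/settings/notifications">Notification settings</a>
<a href="http://news.example.org/stories/japan-relief-fund">Relief fund</a>"""
```

Ordinary words also decode as base64, so the gibberish test on the host label is what keeps a path such as settings/notifications from being flagged.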


UPS Spam.. Oh Wait, It’s an FDIC Spam Campaign

By Rodel Mendrez  •  February 15th, 2011  •   Spam

After more than a week of malicious UPS spam campaigns, the Cutwail botnet changed its spamming theme this week. The malicious spam pretends to be from the Federal Deposit Insurance Corporation (FDIC), claiming to notify users of important changes in FDIC regulations, hence a “document” is attached for further reading. However, the spammer did not manage to configure the spam template correctly and left the From field still using the domain ups.com.

Even worse, yesterday they left the Subject line as “United Parcel Service notification #<6 digits>”. Fail!

FDIC spam campaign with Subject line and From field pertaining to UPS.

The ZIP attachment contains malware which aims to steal online banking credentials, the same payload as the last week’s UPS spam campaign.

Decompressing the ZIP file exposes an executable Trojan file bearing an Adobe PDF icon.

This spam campaign contains enough odd errors for users to notice that the email is indeed suspicious. It may not last, however: we expect this spammer will fix the template or come up with new (and recycled) spam campaigns as they try to distribute their malware.
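An added example, not from the post, that turns the two template mistakes described above into a header consistency check: the From domain is compared against the brand the message claims, and a message that names two different brands is flagged. The brand/domain table and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand aliases and the sending domains they legitimately use. Assumed table for this
# example; a real allow-list would come from your own mail policy.
BRANDS = {
    "FDIC": (("fdic", "federal deposit insurance"), {"fdic.gov"}),
    "UPS": (("ups", "united parcel service"), {"ups.com"}),
}

def brands_claimed(text: str) -> set:
    """Canonical brand names whose alias appears as a whole word in the text."""
    lowered = text.lower()
    return {name for name, (aliases, _) in BRANDS.items()
            if any(re.search(r"\b%s\b" % re.escape(alias), lowered) for alias in aliases)}

def message_text(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return " ".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                    for p in parts if p.get_content_maintype() == "text")

def header_inconsistencies(raw: str) -> list:
    """Flag the mistakes the post describes: a From domain that does not belong to the
    brand the message claims, and a Subject/body that mix two different brands."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    claimed = brands_claimed(" ".join([display, msg.get("Subject", ""), message_text(msg)]))
    findings = [f"From domain {from_domain} is not a known {brand} domain"
                for brand in sorted(claimed) if from_domain not in BRANDS[brand][1]]
    if len(claimed) > 1:
        findings.append("message mixes brands: " + ", ".join(sorted(claimed)))
    return findings

# Constructed message reproducing the mistakes described in the post (not a real sample).
SAMPLE = """From: "FDIC" <notice@ups.com>
To: customer@example.com
Subject: United Parcel Service notification #123456
Content-Type: text/plain; charset="utf-8"

Dear client,
The Federal Deposit Insurance Corporation (FDIC) has introduced important changes
to its regulations. Please read the attached document for further information.
"""
```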


Cutwail’s Spam Cocktail

By Rodel Mendrez  •  September 21st, 2010  •   Spam

Since June of this year when we first saw a FIFA World Cup 2010 spam campaign, we have regularly observed spam campaigns where an HTML attachment contains obfuscated JavaScript redirect code.

The Pushdo botnet’s spamming component, Cutwail, has been the culprit behind these types of malicious campaigns. Many different themes and subject lines have been used, such as the following:

America’s Got Talent
Apartment for rent
Shipping Notifications
Labels and such
Invoice for Floor Replacement
Delivery Status Notification (Failure)
Welcome Letter
NFL Picks Week 2

and other random subjects including this one that uses celebrity names:

Figure 1. Cutwail spam campaign sample

The attached HTML file consists of obfuscated JavaScript, and the snippet of code below is just one of its many variations:

Figure 2. Obfuscated JavaScript code
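Added example, not the post’s own code: a scanner for the two page-side tricks described on this page, the hidden iframe that pulls in a remote exploit page (the Facebook post above) and an HTML attachment carrying an obfuscated redirect script (this post). The obfuscation markers and the sample HTML are assumptions.

```python
import re
from html.parser import HTMLParser

# Markers typical of obfuscated redirect scripts; an assumed, deliberately short list.
OBFUSCATION = re.compile(r"\b(unescape|eval|String\.fromCharCode|document\.write)\s*\(")
REDIRECT = re.compile(r"\blocation(\.href|\.replace)?\s*[=(]")
TINY = {"0", "0px", "1", "1px"}  # iframe dimensions that make it effectively invisible

class MailHtmlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        val = lambda k: (a.get(k) or "").strip().lower().replace(" ", "")
        if tag == "script":
            self._in_script = True
        elif tag == "iframe" and (val("width") in TINY and val("height") in TINY
                                  or "display:none" in val("style")
                                  or "visibility:hidden" in val("style")):
            # A 0x0 or display:none iframe is the usual way to load an exploit page unseen.
            self.findings.append("hidden iframe loading " + (a.get("src") or "?"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers a <script> body in one handle_data call
            markers = sorted({m.group(1) for m in OBFUSCATION.finditer(data)})
            if markers:
                kind = "obfuscated redirect" if REDIRECT.search(data) else "obfuscated"
                self.findings.append(f"{kind} script using " + ", ".join(markers))

def scan_html(document: str) -> list:
    scanner = MailHtmlScanner()
    scanner.feed(document)
    return scanner.findings

# Constructed HTML combining both tricks (made-up .invalid hosts), as a landing page or attachment.
SAMPLE_PAGE = """<p>Your Flash Player is out of date. <a href="http://updates.invalid/update.exe">Update</a></p>
<iframe src="http://kit.invalid/go.php" width="0" height="0" style="display:none"></iframe>
<script>
var s = unescape("%68%65%6C%6C%6F");
document.write(s);
window.location = "http://kit.invalid/landing";
</script>"""
```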


Pushdo Botnet Crippled – II

By Phil Hay  •  September 9th, 2010  •   Botnets

Two weeks ago we reported on the sudden drop in spam from the Pushdo botnet as a result of many of its control servers being taken down.  Since then, spam output from this botnet has remained subdued, as the following updated chart shows.

As Pushdo (otherwise known by its spamming component Cutwail) was only responsible for about 10% of spam prior to the takedown, overall spam volumes have not been hugely affected.  It is not uncommon to see 10% volume swings in a day.  Having said that, last week our spam volume index did show slightly reduced overall levels of spam for the week.

Things seem to be warming up, however. Other researchers have observed more Cutwail control servers being added. Also, yesterday we saw a resumption of malicious spam from Pushdo with the Sasfis downloader as the payload. This simply reaffirms our earlier suspicion that these guys will not be down for long.


Pushdo Botnet Crippled

By Phil Hay  •  August 27th, 2010  •   Botnets

This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble.  The chart below shows an index of Pushdo spam volume over the month of August.

Pushdo Stats

So what’s the reason for this sudden decline? It turns out that the folks at TLLOD have been busy analyzing Pushdo command and control servers and coordinating their takedown. According to their blog, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers. However, a few active control servers remain and are still serving up spamming data.

As the chart above shows, this coordinated takedown has had an immediate impact on Pushdo’s spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months. Still, we must sound a note of caution. Previous experience has taught us that these botnet takedowns are short lived. Disabling control servers does not incapacitate the people behind the botnet. It is highly likely they’ll be back before long with new control servers, and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about.


Malicious Spam on the Increase

By Phil Hay  •  August 17th, 2010  •   Spam

If you thought that malware propagation through email was a dying art, or that spam is fairly harmless, think again.  We are currently seeing increased levels of spam-borne malware.  Our figures over the last three months show an increasing trend in the proportion of malicious spam.  In the week ending 8 August, this figure spiked to over 6% of spam, or in other words, 6 out of every 100 spam messages.

So what are the underlying reasons for all this activity?
