Posts Tagged ‘Malicious Spam’


New Asprox Facebook Spam Campaign

By Rodel Mendrez  •  November 19th, 2010  •   Spam

Just after we posted our blog about the Asprox spam campaign yesterday, we noticed a new Asprox template purporting to be an email from Facebook support. This spam campaign claims the user’s Facebook password has been changed or access to their account has been blocked.

New Asprox Facebook Spam Campaign

As before, the attachment is the Sasfis trojan, the same breed of downloader Trojan we discussed yesterday. This sample, however, connects to a different domain, pupmypzed.ru.

Sasfis GET request

The spam may use the following message body, From and Subject lines.

Asprox spam template

Just this week, there was outrage when many Facebook users, many of whom were female, found their accounts disabled following an automated Facebook system ‘cleanup’ of dubious accounts. Spammers may have taken advantage of this publicity.

MailMarshal customers are protected from this spam campaign with SpamCensor 525.


Hi my love, please don’t click that “pic.exe” file

By Rodel Mendrez  •  November 3rd, 2010  •   Spam

Nowadays, spammers usually craft elaborate and enticing scams to lure a lot of people into taking action. However, a spam campaign we observed recently is one of the cruder forms of social engineering. Attached to the spam message is simply an executable file named “pic.exe” that claims to be naked pictures. This spam has been circulating with the subject line “hi my love”:

Spam sample 2

Thankfully, with this low level of social engineering, this spam campaign would probably not fool most people.  But, being curious, we gave in, opened the attachment and analyzed what it does.  The file “pic.exe” is a downloader Trojan that fetches and executes malicious files from the Web.

Trojan code that downloads additional malicious files

Trojan performing a HTTP request to download files

The first file downloaded is “ebulker_dlfjihgsleigh.exe”, an installer of the infamous “SecurityTool” fake antivirus, the same flavour of fake AV distributed by other downloaders such as Bredolab and Sasfis. The installer phones home to its affiliate server using an HTTP request of the form http://<remote IP>/cb_soft.php?q=<hexadecimal>.
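Both the check-in URL shape just described and the Sasfis domain named in the Asprox post above are things a proxy log review can pick up. The script below is an added example, not code from the original posts: it parses a small constructed proxy log (the client addresses, the 198.51.100.23 server address and the paths other than /cb_soft.php are placeholders), flags requests whose path is /cb_soft.php with a hex-only q= parameter, flags any request to pupmypzed.ru, and reports which clients to triage.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log, one request per line: "client method url status".
# 198.51.100.23 is a documentation-range placeholder for the "<remote IP>" in the post;
# the cb_soft.php?q=<hex> shape and the domain pupmypzed.ru are taken from the posts.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://www.example.com/index.html 200
10.0.0.12 GET http://198.51.100.23/cb_soft.php?q=3a1f5e9c0b7d 200
10.0.0.12 GET http://pupmypzed.ru/ 200
10.0.0.15 GET http://198.51.100.23/cb_soft.php?q=notahexvalue 404
10.0.0.15 GET http://cdn.example.net/cb_soft.php 200
10.0.0.15 GET http://cdn.example.net/assets/app.js 200
"""

LOG_LINE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s*$"
)

# SecurityTool affiliate check-in: path /cb_soft.php with a single, hex-only q= parameter.
FAKE_AV_PATH = "/cb_soft.php"
FAKE_AV_QUERY = re.compile(r"^q=[0-9a-fA-F]+$")

# Domain the Sasfis sample from the Asprox post connected to.
SASFIS_DOMAINS = {"pupmypzed.ru"}


def classify_url(url):
    """Return an indicator name for a URL, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in SASFIS_DOMAINS:
        return "sasfis-c2-domain"
    # Require both the exact path and a hex-only query so that unrelated
    # cb_soft.php pages or non-hex parameters do not trigger the rule.
    if parts.path == FAKE_AV_PATH and FAKE_AV_QUERY.match(parts.query):
        return "fakeav-affiliate-checkin"
    return None


def scan_proxy_log(text):
    """Return a list of (line number, client, indicator, url) for matching lines."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        indicator = classify_url(m.group("url"))
        if indicator:
            hits.append((lineno, m.group("client"), indicator, m.group("url")))
    return hits


def clients_to_triage(hits):
    """Collapse hits to the sorted set of client addresses that need a look."""
    return sorted({client for _, client, _, _ in hits})


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for lineno, client, indicator, url in hits:
        print(f"line {lineno}: {client} -> {indicator}: {url}")
    print("clients to triage:", clients_to_triage(hits))
```

On the constructed log this reports the check-in on line 2 and the pupmypzed.ru request on line 3, both from 10.0.0.12; the non-hex q= value on line 4 and the unrelated cb_soft.php page on line 5 are left alone, which is the precision you want before feeding such a rule into an alerting pipeline.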

SecurityTool - A fake AV

The second malicious file downloaded is “outlook.exe”, a sniffer Trojan that monitors FTP, SMTP and POP3 traffic in the infected machine and sends captured data back to its control server.  We did not observe any data being sent, but it is most likely targeting user credentials.

Trojan code that monitors the FTP (port 21), POP3 (port 110) and SMTP (port 25) protocols.

This sniffer Trojan drops the legitimate files wpcap.dll and packet.dll in the Windows system directory, as well as the packet filter driver npf.sys. These files are commonly used by legitimate network monitoring software such as Wireshark. In this case, the Trojan uses these DLLs for malicious purposes.

There are a couple of points to this story.  The first is that spammers probably don’t care if a spam campaign is unsophisticated. They can send millions of messages, and a few people will inevitably get sucked in anyway.  Secondly, these days getting infected usually means multiple pieces of malware doing different things on your computer.  Some malware may be obvious like Fake AV, but most will be hidden.


Malicious LinkedIn Campaigns Continue

By Phil Hay  •  September 30th, 2010  •   Spam

The malicious LinkedIn spam campaigns of the last few days are continuing in force.  The source is the Pushdo botnet, which is back in full force following disruption to its operations last month.  The campaigns mimic a LinkedIn update notification.   Here is a sample from today:


LinkedIn Update with URL pointing to malicious web page

The malicious web page displays code that includes an iframe that loads the Phoenix exploit kit, which attempts to exploit the victim’s browser.

Web code includes iframe incorporating Phoenix exploit kit

The Phoenix admin login page was at the same server location as the index.php file.

Phoenix exploit kit login page at the same location

And, just in case the auto-exploit doesn’t work, the user is prompted to manually download flash_player_07.78.exe, which is none other than the Zeus (Zbot) data stealing trojan.

User prompted to install a "Flash Player"

This campaign is slicker than normal.  The LinkedIn email and the Flash Player download image look convincing, signifying that these cybercriminals have taken it up a notch.  Going by the number of URL hits we intercepted with our TRACEnet system, some users are falling for it too.  Don’t be one of them.


Cutwail’s Spam Cocktail

By Rodel Mendrez  •  September 21st, 2010  •   Spam

Since June of this year when we first saw a FIFA World Cup 2010 spam campaign, we have regularly observed spam campaigns where an HTML attachment contains obfuscated JavaScript redirect code.

The Pushdo botnet’s spamming component, Cutwail, has been the culprit behind these types of malicious campaigns. Many different themes and subject lines have been used, such as the following:

America’s Got Talent
Apartment for rent
Shipping Notifications
Labels and such
Invoice for Floor Replacement
Delivery Status Notification (Failure)
Welcome Letter
NFL Picks Week 2

and other random subjects including this one that uses celebrity names:

Figure 1. Cutwail spam campaign sample

The attached HTML source code is an obfuscated JavaScript, and the snippet of code below is just one of the many variations:

Figure 2. Obfuscated JavaScript code


Malicious EFTPS Tax campaign

By Phil Hay  •  September 14th, 2010  •   Spam

Today we noticed some unusual looking messages claiming to be from the Electronic Federal Tax Payment System (EFTPS). Spam with a tax theme always piques our curiosity, so we took a closer look.


Pushdo Botnet Crippled – II

By Phil Hay  •  September 9th, 2010  •   Botnets

Two weeks ago we reported on the sudden drop in spam from the Pushdo botnet as a result of many of its control servers being taken down.  Since then, spam output from this botnet has remained subdued, as the following updated chart shows.

As Pushdo (otherwise known by its spamming component Cutwail) was only responsible for about 10% of spam prior to the takedown, overall spam volumes have not been hugely affected.  It is not uncommon to see 10% volume swings in a day.  Having said that, last week our spam volume index did show slightly reduced overall levels of spam for the week.

Things seem to be warming up, however. Other researchers have observed more Cutwail control servers being added. Also, yesterday we saw a resumption of malicious spam from Pushdo with the Sasfis downloader as the payload. This simply reaffirms our earlier suspicion that these guys will not be down for long.


Pushdo Botnet Crippled

By Phil Hay  •  August 27th, 2010  •   Botnets

This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble.  The chart below shows an index of Pushdo spam volume over the month of August.

Pushdo Stats

So what’s the reason for this sudden decline? It turns out that the folks at TLLOD have been busy analyzing Pushdo command and control servers and coordinating their takedown. According to their blog, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers. However, a few active control servers remain, still serving up spamming data.

As the chart above shows, this coordinated takedown has had an immediate impact on Pushdo’s spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months.  Still, we must sound a note of caution.  Previous experience has taught us that these botnet take downs are short lived.  Disabling control servers does not incapacitate the people behind the botnet.  It is highly likely they’ll be back before long with new control servers, and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about.


Malicious Spam on the Increase

By Phil Hay  •  August 17th, 2010  •   Spam

If you thought that malware propagation through email was a dying art, or that spam is fairly harmless, think again.  We are currently seeing increased levels of spam-borne malware.  Our figures over the last three months show an increasing trend in the proportion of malicious spam.  In the week ending 8 August, this figure spiked to over 6% of spam, or in other words, 6 out of every 100 spam messages.

So what are the underlying reasons for all this activity?


Pushdo uses World Cup Theme to Spread Malware

By Gavin Neale  •  June 15th, 2010  •   Malware

Over the last couple of days we have been seeing numerous malicious and Canadian Pharmacy spam campaigns sent from the Pushdo botnet. This campaign features an HTML file as an attachment and some subject lines, including one that mentions the FIFA World Cup, that may fool unwary recipients. Some of the email subjects we have seen are:

FIFA World Cup South Africa… bad news

[Recipient Domain] account Information

[Random Email Address] has sent you a birthday ecard.

Reset your Twitter password

The HTML file attachment contains the following JavaScript:

We have seen several different variations of this script but all have the same purpose which is concealed by some very basic obfuscation. If we remove the parts of this script that aren’t doing anything and clean up some of the text we get the script below:

If this attachment was opened in a browser with JavaScript enabled then the script will redirect the browser to the file z.htm (shown below) on one of several different web servers.

This page waits for three seconds and then redirects the browser to a Canadian Pharmacy website. While waiting, a hidden IFrame is loaded. We have removed some of the obfuscation to make the script in this IFrame more readable:

This script checks each of the browser’s plugins to see if any contain the words ‘Adobe Acrobat’ or ‘Adobe PDF’ in their name. This looks for an Adobe PDF reader and, if one is found, adds an IFrame to the page pointing to a malicious PDF file.

The script then checks if Java (that’s Sun Microsystems’ Java, not JavaScript) is enabled, and if so, adds an IFrame that exploits vulnerabilities in Java.

The exploits install an executable named game.exe, which we have not yet analyzed and which many anti-virus products do not detect.
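The behaviour described above (a plugin-enumeration and Java check that writes hidden IFrames, followed by a delayed redirect) and the obfuscated redirect attachments from the Cutwail post leave recognisable traces in the HTML even before it is rendered. The script below is an added example, not code from the original posts or the authors’ tools: a weighted static scan of an HTML attachment body for those traces, run over two constructed samples. The indicator weights and the threshold of 6 are assumptions chosen for this illustration, and the URLs in the samples use the reserved .invalid and example.com names.

```python
import re

# Heuristic indicators drawn from the behaviour described in the Cutwail and
# World Cup posts. Each entry is (name, regex, weight); weights are assumptions.
INDICATORS = [
    ("plugin-enumeration", r"navigator\.plugins", 2),
    ("pdf-reader-check", r"Adobe (Acrobat|PDF)", 2),
    ("java-check", r"navigator\.javaEnabled\s*\(", 2),
    ("iframe", r"<iframe|createElement\s*\(\s*['\"]iframe['\"]", 2),
    ("hidden-frame", r"(width|height)\s*=\s*['\"]?0\b|visibility\s*:\s*hidden|display\s*:\s*none", 1),
    ("string-decoding", r"\b(unescape|String\.fromCharCode|eval)\s*\(", 2),
    ("redirect", r"(window\.|document\.|top\.)?location(\.href)?\s*=[^=]|http-equiv\s*=\s*['\"]refresh", 2),
    ("delayed-action", r"setTimeout\s*\(", 1),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), weight) for name, pat, weight in INDICATORS]

# Assumed cut-off: a plain redirect alone scores 2, a timed hidden-frame redirect 4;
# plugin or Java fingerprinting on top of that pushes an attachment past 6.
SUSPICIOUS_THRESHOLD = 6


def score_attachment(html):
    """Return (total score, list of matched indicator names) for an HTML body."""
    matched = [name for name, rx, _ in COMPILED if rx.search(html)]
    score = sum(weight for name, _, weight in COMPILED if name in matched)
    return score, matched


def is_suspicious(html, threshold=SUSPICIOUS_THRESHOLD):
    """True when the attachment's indicator score reaches the threshold."""
    score, _ = score_attachment(html)
    return score >= threshold


# Constructed sample mirroring the hidden-IFrame page described in the World Cup
# post: plugin-name check, Java check, zero-size frames, delayed redirect.
PLUGIN_CHECK_SAMPLE = """<html><body><script>
var p = navigator.plugins;
for (var i = 0; i < p.length; i++) {
  if (p[i].name.indexOf("Adobe Acrobat") != -1 || p[i].name.indexOf("Adobe PDF") != -1) {
    document.write('<iframe src="http://placeholder.invalid/p" width="0" height="0"></iframe>');
  }
}
if (navigator.javaEnabled()) {
  document.write('<iframe src="http://placeholder.invalid/j" width="0" height="0"></iframe>');
}
setTimeout(function () { window.location = "http://placeholder.invalid/shop"; }, 3000);
</script></body></html>"""

# Constructed benign newsletter with a harmless timer, to show the scan's precision.
NEWSLETTER_SAMPLE = """<html><body><h1>Monthly newsletter</h1>
<p>Read the latest on <a href="http://www.example.com/news">our site</a>.</p>
<script>setTimeout(function () { document.title = "Newsletter"; }, 500);</script>
</body></html>"""


if __name__ == "__main__":
    for label, body in (("plugin-check page", PLUGIN_CHECK_SAMPLE), ("newsletter", NEWSLETTER_SAMPLE)):
        score, names = score_attachment(body)
        verdict = "SUSPICIOUS" if is_suspicious(body) else "ok"
        print(f"{label}: score={score} {verdict} indicators={names}")
```

The plugin-check sample trips seven of the eight indicators for a score of 12, while the newsletter only trips the timer indicator and scores 1. A scan like this is cheap enough to run on every HTML attachment at the mail gateway; the string-decoding indicator is what catches the obfuscated variants from the Cutwail post, where the plugin and redirect strings are assembled at run time rather than appearing in clear text.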


iTunes Gift Certificate Malware

By Rodel Mendrez  •  May 13th, 2010  •   Malware

The Pushdo (Cutwail) spambot is a notorious scam machine which has recently been using a variety of social engineering themes and targets to push fake anti-virus, Bredolab and Zbot executables. One of Pushdo's latest themes is the online iTunes store which attempts to lure users to open a rich text format (RTF) file attachment claiming to be a "$50 iTunes Gift Certificate".

It seems a bit odd for the iTunes store to use an RTF document format for sending out iTunes gift certificates, and this alone should make most users suspicious. When we extracted the RTF file, we discovered an embedded executable that was a fake anti-virus installer.

Figure 1. Sample iTunes scam spam campaign

Opening the RTF document does not automatically run the executable file. Instead, it relies on social engineering to convince a potential victim to click the file, using the unsophisticated filename "CLICK HERE.exe".

It pays not to get too excited with free stuff like this because opening a "$50 iTunes Gift Certificate" attachment could force you to pay $50 for bogus anti-virus software, not to mention placing your credit card information at risk.

MailMarshal Customers are protected from these campaigns with SpamCensor 443.
