Sophos

Archive for July, 2008

E-ticket to Malware

Following the recent spate of UPS-themed spammed-out malware comes the E-Ticket one.

The idea is the same - “Thanks for using our service blah blah blah ….. here is the attached receipt/invoice”

The messages so far have a subject of “E-Ticket #XXXXXXXXXX” and follow this outline:

Greetings,
Thank you for using our new service “Buy flight ticket Online” on our website.
Your account has been created:

Your login: xxxx@yyyyy.zzz
Your password: somepassword

Your credit card has been charged for $474.46.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Jane Citizen
Some Prominent Airline Company

The attachment is unsurprisingly called eTicket#XXXX.zip, which contains the malware, detected as Troj/Zbot-AE.

If you happen to launch this binary you’ll turn your computer into a willing bot sending your internet bill skywards…

Seems like this flight is grounded.


Plus de spam de UPS

Today’s UPS spam is brought to you with a French theme (we’ve seen previous instances in English and German).

The messages so far all have a subject of “UPS colis postal” (that’s “UPS postal parcel” or thereabouts), and after a greeting the message says:

malheureusement, nous avons manque de livrer le pli (votre colis postal), que vous avez envoye le 1er juillet,
parce que l’adresse du Destinataire n’existe pas.
S’il vous plait, imprimez la facture envoyee en fichier joint a ce message, et venez chercher le pli
a notre office a l’adresse indiquee a la facture.

The gist of this is that they couldn’t deliver your package because the recipient doesn’t exist, so please see the attached invoice for details and come and pick it up from them. The attachment is called UPS_E9712.zip, which we detect proactively as Troj/Invo-Zip, and it contains an executable which we detect proactively as Mal/EncPk-EI, a malicious encryption layer that the last few waves of malware have used.

In other words they’ve changed the language, but that’s about it.


Dorf: Amero, postcards, FBI vs. Facebook

After the US vs. Iran Dorf (Storm) spam campaign, the malware authors took a short break and the botnet stopped sending its regular campaigns.

Starting a week ago, the authors have renewed their attacks and published 3 campaigns within the last 8 days. On the 21st, we saw a campaign for the new currency Amero (the North American version of the Euro). On the 24th, the often-seen “loveyou” postcards campaign was launched.

This morning (28th) at 0630 PST, the malware authors launched an FBI vs. Facebook spam campaign. A capture of the latest Dorf website is below, where the link points to the malware executable fbi_facebook.exe:

FBI vs. Facebook

The email subjects for the latest campaign include:

F.B.I. may strike Facebook
F.B.I. watching us
The FBI’s plan to “profile” Facebook
The FBI has a new way of tracking Facebook
F.B.I. are spying on your Facebook profiles
F.B.I. busts alleged Facebook
Get Facebook’s F.B.I. Files
Facebook’s F.B.I. ties
F.B.I. watching you

This latest Dorf campaign employs both domain names and IP addresses as links. We have seen 6 Dorf domains so far.

The malware and spam messages changed very little even though the topics and websites were updated regularly. The malware is proactively detected as Dorf-O, and the spam messages are proactively detected by published antispam rules.

Below are some statistics for the Dorf campaign with IP-based links for the month of July. The Dorf botnet was quiet until the start of the Fourth of July Fireworks campaign, which was active until July 5th. The botnet then switched to the domain-based “US vs. Iran” campaign until the 8th (not shown in the figure). The botnet then lay dormant until the 21st, when the spam campaigns started anew.

July 2008

One has to wonder what the Dorf authors were doing for two weeks. Perhaps they went off for a summer vacation?


DNS vulnerability - patch now!

A lot has already been said and written about a vulnerability affecting all major implementations of DNS resolvers, discovered by Dan Kaminsky.

This post is just a reminder that you should apply patches relevant to your DNS server implementation as soon as possible. There are already several publicly available exploits and some indications that attacks are already happening.

For more information about the vulnerability, and for news on attacks as it emerges, it is advisable to follow the SANS ISC handler’s diary.

If you are unsure whether your DNS server is vulnerable to this particular cache poisoning attack there are several sites, such as this one, that can be used to assess your systems.

Happy patching!


Almost what I expected…

During some time off this week I booked the flights for my summer vacation. Checking for my confirmation email (using a personal email account not protected by Sophos’s PureMessage) I found not one but two emails about my purchase. One was from the flight booking website, but for a moment I was confused about the other one. Recalling that the flight was actually operated by two airlines in partnership, I wondered if this second email was from one of the companies concerned. However, the sender was not an airline I recognised. Being a security researcher who sees spam and malware all day, I naturally entered sceptical mode and examined the message source. In this case it was easy to spot some giveaway signs that this was spam: the sender’s email addresses were inconsistent, the billing figure in this email was totally different to the one I had just paid, and the details of my purchase were supposedly in an attached zip file. A zip file for information that could easily have been included directly in the body of the email? No thank you!

Only one thing now bugged me. Why had I received this spam within a few minutes of making a legitimate flight booking? Was the computer I was using compromised with spyware that could target me with spam related to my online activities? In this case I judged coincidence as the more likely explanation, but my mind was only really set at rest when I caught up with a work colleague who happened to mention that the subject for UPS spam that day was… airline tickets!

Every now and again such coincidences will happen. That is why the authors behind the so-called UPS spam keep changing to new subjects. Each campaign will catch out a few people, even computer-literate people, because it just happens to resemble something they were expecting. Also remember that some spam campaigns are more professional than others. Some phishes are almost indistinguishable from legitimate emails. Sometimes one will slip through a spam filter, and sometimes the bank targeted will be your bank. Sometimes a random name will resemble someone you know, or the subject will coincide with something you were expecting.

Thus the ability of human beings to make contextual judgements is both a strength and a weakness. The more rule-based approach in typical anti-malware and anti-spam software is less easily caught off guard, but more easily circumvented. Current security software has only limited ability to make new judgements in previously unseen situations. Until artificial intelligence parallels that of human intelligence, the best security defence will be a multi-layer defence involving both comprehensive security products and users who are security conscious enough to know what they should and should not click on. The classic model would be one with three layers: the gateway, the desktop and the end user. No one layer can offer 100% protection, but even if each individual layer of protection were only 98% effective, the three layers would combine to be 99.999992% effective.

That is quite a reassuring figure. So we do not need to stress over our own part in the process, just maintain a healthy degree of paranoia. We can still sleep soundly, or fly off for a worry free vacation. I wonder if the spammers can guess which day I will be booking the car hire?


Unusual Customs

The people who brought you the recent malware in UPS spam, then in tax-themed spam, are now pumping out Customs-based messages.

The current run has subject lines including the following:

Customs - We have received a parcel for you
Customs, please read
Parcel requires declaration
Your parcel is at the customs office

The messages start with a greeting, and go on to say:

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

The attachment this time is called Bill_Tax.zip, and the Trojan inside is a variation of what we’ve seen previously, detected proactively as Mal/Spy-A.


Dorf, Tibs and UPS - the malware spamming spree continues

Although I spend less time than I used to processing the operational day-to-day malware and spam submissions, it did not take me long this week to start appreciating the work of the people who do this job every day of every week.

One has to juggle processing the incoming files queue and customer queries with a steady influx of new spam and malware campaigns and infected URLs. During the last few days there were several campaigns that combined spamming with malware planted on randomly compromised domains. Other campaigns simply sent new malware samples as attachments to email messages. It is a busy week.

I am pleased that most of the Dorf files are proactively detected as Mal/EncPk-DA, which means our customers are protected without updates to our products, but it also leaves a feeling of unease since we also want to block the messages using anti-spam rules. Dorf email messages are a bit difficult to block based on their content. Some of them include excerpts from legitimate documents, some simply link to an infected file hosted on a compromised site, and some combine the link with an MUA signature identical to the legitimate signature. The number of generated messages is high and it can take up to 30 minutes to get things fully under control and all messages detected as spam.

The mechanism used to construct Dorf emails is not known to me but I would love to be able to analyse it. It seems to me that it uses techniques similar to some random text generators. Here are some subjects and contents observed in today’s Dorf campaign:

Myanmar declares hate for Americans
Hurricane Dolly causes millions of damage
Politician caught in Asian massage parlor
Pitt sues paper over photos leak
Black widow found guilty of killing 5 ex husbands
Sex and the City star found brutally murdered
Cambodia declares hate for Americans
Free cars for every house purchased
Guam B52 crash - miracle survivor found
Cambodia declares hate for Europeans
Christian Bale re-arrested after resisting arrest
Fox Mulder no longer attractive
Red Sox fans run rampage in Times Square
Photos of your wife cheating you
North Korea launches missiles at South Korea
Male escort service hiring now Feel free to enroll
Daughter sets dogs on millionaire father
Court rules lesbians are different from lesbos
Lottery winner attacked by pit bulls
Cambodia declares war on Thailand
Wii console explodes causing death
Pet rabbit saves owners from fire
Monkeys taught to handle a gun
MSN messenger found to have spyware

From the subjects it would seem that Cambodia is quite an aggressive little country, but I have been there this year and I can assure you that Cambodians are a very peaceful bunch these days, and a visit to the Angkor temples is highly recommended.

Meanwhile, Tibs-related emails carry the following subject line:

Anjelina Jolie XXX Video Free

with a text body that links to an infected file hosted on a compromised site.

Anjelina Jolie seems to be a recurrent theme shared by the Dorf campaigns (which often include a nude photo of the film actress) and the Tibs malware campaigns. The style of both campaigns is very similar and once again indicates that the two malware families are related.

The UPS malware spamming uses a more classical way of spreading: as an attachment to an email message. It pretends to be an invoice and sends messages in English and German, with the attachment being a ZIP file. We have released detection for yesterday’s and today’s variants as Troj/Spy-AS and Troj/Spy-AT. We will also release a generic signature soon, which should be able to detect future variants without an update.
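The lures described across these posts share two mechanical traits a mail gateway can key on: a receipt or parcel themed subject (E-Ticket, UPS, Customs) with a ZIP attachment whose members are executables, or a Dorf/Tibs-style body link to an executable on a bare IP address. The heuristic below is an added example, not code from Sophos or these posts; the subject patterns and file names come from the posts, while the sample message, its address and the 192.0.2.10 IP are constructed.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Heuristics drawn from the campaigns above: a lure subject, a ZIP attachment
# holding executables, or a body link to an executable on a bare IP (Dorf style).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
IP_EXE_LINK = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/\S*\.exe\b", re.I)
LURE_SUBJECT = re.compile(r"E-Ticket #\d+|UPS colis postal|\bcustoms\b|\bparcel\b", re.I)

def zip_has_executable(data: bytes) -> list:
    """Names of executable members in an in-memory ZIP; empty if none or not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []

def assess_message(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 2822 message."""
    msg = email.message_from_bytes(raw)
    findings = []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        findings.append("subject matches a known lure pattern")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, nothing to inspect
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(".zip"):
            execs = zip_has_executable(payload)
            if execs:
                findings.append(f"zip attachment {filename} contains executable: {execs}")
        elif part.get_content_type() == "text/plain":
            for link in IP_EXE_LINK.findall(payload.decode(errors="replace")):
                findings.append(f"body links to executable on a bare IP: {link}")
    return findings

def build_sample() -> bytes:
    """Constructed sample mixing the E-Ticket lure with a Dorf-style link (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eTicket.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "E-Ticket #1234567890"
    msg.set_content("Your credit card has been charged. See the attached invoice.\nhttp://192.0.2.10/fbi_facebook.exe")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="eTicket.zip")
    return msg.as_bytes()
```

Running assess_message(build_sample()) yields three findings (lure subject, executable inside eTicket.zip, bare-IP link); a ZIP-wrapped executable in an unsolicited invoice is the signal worth quarantining regardless of the subject text.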


Looking for naked girls with guns?

This week our colleagues in the web team shared some of our blog stats with us. What an eye opener! If you’ve ever wondered what the most popular search keywords are for visitors to the SophosLabs blog, let me enlighten you with 5 of the top 10 from the last 4 weeks:

  • naked girls
  • pornographic pictures
  • nina moric
  • pornagrahic pictures
  • naked girls with guns

I don’t know what disappoints me more, the fact that so many people come here on the hunt for pornographic pictures, or the fact that so many of them don’t know how to spell pornographic.

If you’ve been directed to this entry looking for one of the above, while we’ve got you here we should take this opportunity to remind you of the vast amounts of spam and malware which disguise themselves as porn images and videos. If we take Nina Moric as just one of many, many examples - have a look here, and keep this type of attack in mind as you continue your search.


Latest Threats and Trends

Today we’ve released our latest Sophos Security Threat Report, a summary of what we have been seeing over the past six months.

Regular readers of this blog will not be surprised that web threats continue to grow. With a staggering 16,173 new malicious web pages being found every day, that’s one every five seconds! 90% of these are legitimate web sites that have been compromised, highlighting the risk not only to users but also to the reputation of an organisation’s brand.

The biggest growth over the past few months has been in SQL injection attacks, detected as Mal/Badsrc, which makes up 23.5% of the detections over the past six months; if we look at just June, it accounts for nearly 35% of all new malicious pages.

As we have reported on this blog previously, it can affect large organisations as well as small, and the frustrating thing for us is that we have often seen sites reinfected just a few hours after they have been cleaned up, so the underlying vulnerability is not being addressed.

The threat report covers the full range of the latest trends in malware, spam and web threats, and I’ll be talking about it more in a webcast tomorrow (Thursday July 24th) if you care to listen in.


Graham gets his own blog

Graham Cluley's blog

For the last few months I’ve been running my own blog internally here at Sophos, and now those terribly nice people in our web team have made it available for the world at large.

You can visit “Graham Cluley’s blog” at http://www.sophos.com/blogs/gc/

Of course, that doesn’t mean anything is going to change on the SophosLabs blog (which the latest stats show is going from strength-to-strength with more users regularly visiting every week).

And, if I am really nice to the SophosLabs guys they may even let me make the odd guest appearance back here from time to time.