Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« November 2009 | Main | January 2010 »

December 17, 2009

Are AV Researchers Feeding the Spam/Malware Economy? Permalink

Before I stir this pot, let me say up front that I am not accusing any legitimate antivirus software company of intentionally doing anything bad. It's just something that has crossed my mind in the past and came spilling out today.

What prompts this post is a SophosLabs blog entry that describes how a pair of malware infections work. This is important information for security researchers and should be published.

To complete their investigation of how the infection worked and what the infection consisted of, they allowed their test machine to be infected. In particular, "the iframe payload was delivered."

My question is: What if the malware spreader is paid for each delivery (trackable at the server end) or each installation (trackable when the malware phones home or responds to control commands)? Take into account the dozens of antivirus firms and probably an order of magnitude more independent researchers (academics, governments, curious nerds), and you could have a sizable number of financial transactions taking place as a result of this research — even if not a single login credential is lifted or working bot put into operation.

As I impress on readers of Spam Wars, it doesn't take much to make an evil internet campaign work to the financial benefit of the originator or facilitator, whether it be spam for fake diplomas or secretly installing adware onto PCs (the latter has been well-documented in legal actions against adware purveyors). Costs are so low that just a handful of users acting on the messages may be sufficient to reach the break-even point.

I even cringe a bit when U.S. government agencies order spam-driven medz, not necessarily to track down and prosecute the networks, but just to test the efficacy of the pills and patches arriving from overseas in unmarked brown mailers. On the one hand, the public should be told that such medz are usually of little medicinal value (if not outright hazardous); on the other hand, the spammers and medz makers don't care if buyers flush the product down the toilet: The money has already changed hands and encourages more spamming because it succeeds in generating revenue.

Even if I had my way that every internet-surfing, email-reading internet user in the world knew to filter, ignore, and delete every spam message and malware lure intended for the inbox, I still wonder: Would researchers keep the underground economy going?

Posted on December 17, 2009 at 10:31 AM

December 08, 2009

More "Canadian Pharmacy" B.S. Permalink

The so-called Canadian Pharmacy spammers have a new campaign running. Here are some samples:

Subject: Please answer me

Hello, it`s your link or no? :-)
[URL removed]

Best regards,

Subject: Please

this is your url or no? ;-)
[URL removed]

Best regards,

Subject: Wrong

Hi, My name is Mary,
It`s about you or no? [URL removed]
See you later ;-)

All of the links in the messages point to pages on hijacked servers around the world that use JavaScript to redirect to a Chinese site bearing the Canadian Pharmacy name. That Chinese site uses additional JavaScript to capture the referring URL and add it as an argument to an image URL. This would allow the Chinese site owner to register where the user arrived from (although there are other ways to do this directly and discreetly on the server), and possibly pay the spam sender for each redirection to the medz web site.

(Because I examined the source code of the link destinations to find the Chinese site, I was able to view that site's page source code without conveying a referrer.)

One measure of an effective spammer is how successful he is at getting recipients to open a message and (more importantly) act on the message content by clicking a link. These three sample messages have provocative Subject: lines (I'm sure there are others in this campaign) and message bodies that will certainly draw in lots of recipients who will be curious if the link destination has something mentioning the recipient. Instead, they'll be offered their choice of fake medz. The misled victims will be pissed, but the spammer may benefit from that click, and be encouraged to do more of the same.

Posted on December 08, 2009 at 11:15 PM

December 07, 2009

Phony Walmart Survey Phishing Permalink

A very simple email message leads to an elaborate bogus web site that will lure many an unsuspecting recipient.

From: Walmart
Subject: Customer Satisfaction Survey

You have been selected to access the Walmart 2 Step Survey and win a $150.00 gift certificate.

Please click here and complete the form to receive your reward. Thank you.

This is an automated message. Please do not reply.
Message Id: 0019268154-wmrtsrv.

The link is to an unused server within the btopenworld (part of what once was British Telecom) broadband service. That destination is a redirector to the actual phishing site.

On the first page is an innocuous survey, which asks for nothing more personal than your name, telephone number, and (optional) email address. The page has a professional design, and may be a copy of an earlier Walmart template. The phishing site's design, however, does not match the current walmart.com web site design. That probably won't stop recipients from pursuing the supposed $150 "gift certificate."

If you fill out the survey form (I strongly doubt the phisher even bothers collecting the name/phone number/email address from the form), you proceed to a page that gets down to the nitty gritty of ripping off your information. This page begins (showing only the text here):

Thank you for taking the time to respond to this survey. In return, we will credit $150 to your account - just for your time.

Please enter your account to credit your $150 reward

Then comes a form that gathers everything a crook needs to take over your credit card and more:

*First name:
*Last name:
*Date of birth:
*Social Security Number:
*Street Address:
*Zip Code:
*Card Issuing Bank:
*Card Number:
*Card Expiration Date:
*Card Verification Value:

If, as reported in previous news articles, people will give up personal and corporate passwords for a real piece of chocolate, imagine what they'd give up for a promised $150 at Christmastime. Anyone who fills out this form with their information will eventually get a lump of coal the next time they open their credit card bill or check their credit report.

Posted on December 07, 2009 at 10:26 AM

December 03, 2009

Phony Microsoft Update du Jour Permalink

As someone whose career consists of converting ideas inside my head into material for consumption by others (in the form of words or software), I think I understand how one malware distributor went off the rails. Sometimes an idea sounds good in your head, but when you try to execute the idea, you discover flaws. The key to success is recognizing and fixing the flaws before exposing your work to the world. One Windows malware distributor ignored that last step.

Exhibit A is an unusually wordy email claiming to originate from Microsoft.com Update Center, titled Critical Security Update. I think the idea inside the miscreant's head was to make the message sound as though this email was a necessary diversion from the usual Windows Update process. But somewhere between his brain and his keyboard, a major snafu occurred:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista and Microsoft Windows 7.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message KB958644-ENU
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner,
Director of Security Assurance
Microsoft Corp.

Doesn't it seem as though the main thrust of this email is to explain why the update is being sent in the mail, rather than downloaded? And yet there is no attachment. Instead, the two links point to a file named Windows-KB958644-ENU.exe on a hijacked Italian web server. Perhaps he believes unsophisticated users will click on anything resembling a link, whether there is an attachment or not (and he's probably right).

I like the unintentionally humorous touch with the last paragraph apologizing for a back order. This line was copied/pasted from another (and old) malicious email that used a delayed shipment of Microsoft Office as the lure (an open-the-attachment-for-details kind of thing).

With a little bit of digging, I eventually got to the bottom of the confusion. You see, this message was used about 14 months ago for a previous malware distribution attempt. That attempt appears to have included an attachment, which followed the message's logic more closely. This year's criminal was too lazy to dream up his own email message — or fully understand the original, for that matter. He did update the list of OS versions to include the new Windows 7, but that's about it. At the start of this posting, I gave the sender way too much credit for having an idea.

Tell every unsophisticated user you know that Microsoft does not send email messages to users about software updates.

Posted on December 03, 2009 at 08:59 AM

December 02, 2009

Why I Never Unsubscribe Permalink

I was reminded today why I never unsubscribe from any list or newsletter to which I do not explicitly remember subscribing.

I'm not sure exactly what product the spam message was selling, although with a Subject: line of Wang up!, it doesn't take much imagination to figure out the category. The product pitch was presumably in a downloadable image that I chose not to download (the image file had a code-like name that could conceivably be linked to the recipient address — a risk I didn't want to take).

Under the image space were five small-type links labeled:

Subscribe  Unsubscribe  Send to a Friend  Preferences  Report Spam

Rolling over those links revealed that they all pointed to the top level of the same website linked from the image (also coded to act as a link). In other words, the separately-named links did not go to specific pages within a web site — just to the home page.

Then came the kicker. In gray type was the following:

You are receiving this communication because you subscribed [removed]@[removed].com at our site. If for any reason you wish to stop receiving this communication, click on this Unsubscribe link [not coded as a link]. This will create a new email that contains your unsubscribe request. Please send that email to us, and we will reply back confirming the completion of your unsubscription request.

This message was addressed to a role account at one of my domains, and that was the address from which this message tells me I had subscribed. The role account (things like "postmaster" and "abuse") was one that I have never used for any purpose from any domain in all 14 years I've been hosting my own sites. At some time in the past, the address was made up by a spammer, and it has been circulating here and there among spam runs ever since. The assertion in the unsubscribe advisory is an outright lie.

Spammers lying about you having subscribed to their mailing lists has been going on for years and years. If you get in a huff and go the email equivalent of "postal" on them for continuing to email to you, you are wasting your time, and simply assuring that your email address is added to more lists in perpetuity. Like it or not, the instant your email address gets on a spam list, that address is hosed. If you want to hang onto that address, the best you can do is slow further spread by not letting the spammer know that you or your address is alive.

Posted on December 02, 2009 at 02:51 PM