Posts filed under 'Spam'
May 6th, 2008 by Jake Soriano (Technical Communications)
We were alerted to a spam run that banked on the craze surrounding the highly anticipated worldwide release (except in Japan) of Grand Theft Auto IV (GTA IV) on 29 April 2008.
Below is a screenshot of the sample spammed email message:

It appears to be offering a free PlayStation 3 along with a copy of GTA IV. And the ironic (or appropriate?) come-on: “Enter the Criminal Underworld.” Clicking on the link leads the user to the following site:

Given the immense popularity of this online game, its reception by the online gaming community is no longer just hype. The days before the release provided great opportunities for spammers to trick online users into clicking the links in the spammed email messages. Users who did so were asked to provide their email addresses — instead of the supposed free version of GTA IV, affected users received more spam. This is a common technique used by spammers to check whether the email accounts they have gathered are indeed active. Users who click on links are therefore unwittingly signaling spammers that their email addresses are indeed working accounts.
Fans — in the millions no doubt — proved to be most vulnerable to this spamming operation. And who says “no” to the doubly irresistible promise of being able to play the game before everyone else — and for free, too!
Interestingly, last year’s release of another famous online game, Halo 3, was relatively quiet when it came to online security issues. Both games were heavily promoted and marketed, so marketing alone doesn’t explain why we see the spamming only now. Maybe last year’s media-documented campaign by a Florida lawyer against the game creators makes the game controversial enough to warrant spammers’ time and attention.
As usual, users are advised to refrain from clicking on links regardless of how attractive the offers are.
Thanks to Trina Baetiong of Content Security for details regarding this spam run.
May 6th, 2008 by Jasper Pimentel (Advanced Threats Researcher)

Last month started with an April Fool’s message being spammed around. The spammed email contained a link from where a variant of the Storm malware could be downloaded. Aside from that, we’ve had our usual fill of Trojans and malicious scripts that plagued compromised Web sites for April.
Notable Malware
TROJ_AGENT.AMAL
This Trojan poses as a browser plugin that must be installed first to view files that are supposed to come from a fake US federal judiciary Web site. Reported last April 15, the link to the fake site comes from spammed email messages claiming to be legitimate court subpoenas. To add credibility to the spammed email, the sender uses a uscourts.com email address, which may seem authentic to unsuspecting recipients of the message.
TROJ_SPAMBOT.AF
TROJ_SPAMBOT.AF is the Trend Micro detection for the malware behind Kraken, which is an emerging botnet rivaling the Storm botnet. Some researchers who have analyzed Kraken have stated that this may be a variant of the Bobax malware family.
TROJ_AGENT.AZZZ
Reported last April 5, this Trojan uses an old technique to trick users into compromising their systems. Users receive a spammed email, under the guise of a Microsoft security bulletin, urging the users to download a patch from a certain link present in the email. Of course, the patch is actually the malware itself, which Trend Micro detects as TROJ_AGENT.AZZZ.
WORM_NUWAR.JQ
TrendLabs researchers discovered a Web site that offers what looks like a YouTube-style streaming video service. The infection vector and messaging are actually still the same — that is, users are most likely to access this site via links on specially crafted blogs. What is interesting this time is that on the suspect site, users are required to download the so-called “Storm Codec” in order to view the video. Yes, you read that right: the codec is called Storm Codec. Of course, the “codec” is actually a NUWAR variant, which Trend Micro has detected as WORM_NUWAR.JQ since April 2.
Exploits and Vulnerabilities
BKDR_POISONIV.QI and EXPL_NEVAR.B
A backdoor exploiting a recent vulnerability in Microsoft’s GDI processing was discovered right after Patch Tuesday last April 8. A file named TOP.JPG has been found to do this: despite its name, it arrives on a system as an executable, now detected as EXPL_NEVAR.B. With just this opening available to malware authors, they can do pretty much anything once the vulnerability is exploited. The specific routine of this sample is to connect to a URL to download a file named WORD.GIF (also detected as BKDR_POISONIV.QI).
Web Incidents
JS_DLOADER.TVP and JS_IFRAME.US
Early this month, several Web sites were compromised through search engine optimization (SEO) poisoning. The compromised sites included those of Washington State University and several news sites such as the Sun Gazette and the Tribune-Chronicle. For the past few months, education Web sites (*.edu) were the ones targeted for such attacks, averaging about three per month. In this recent incident, JS_IFRAME.US is the iFrame component that is inserted into the HTML code of the Web page. When the browser is redirected by this malicious iFrame, it downloads the malicious script file JS_DLOADER.TVP.
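The injection described above is detectable on the server side by scanning a page’s HTML for iframes that are hidden, zero-sized, or load from a host the site does not own. The following scanner is an added example written for this post, not Trend Micro code; the sample page and the evil-example.invalid hosts are constructed stand-ins, not the real JS_IFRAME.US markup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a compromised page: the two injected frames are made-up stand-ins.
SAMPLE_PAGE = """<html><body><h1>Campus News</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://evil-example.invalid/in.cgi?3" width="0" height="0"></iframe>
<div style="display:none"><iframe src="http://evil-example.invalid/x.php"></iframe></div>
</body></html>"""

HIDE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    # True when a width/height attribute is 0 or 1 pixel, a classic way to hide an injected frame
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

class IframeCollector(HTMLParser):
    """Records each <iframe> with its attributes and whether an enclosing element hides it via CSS."""
    def __init__(self):
        super().__init__()
        self.open = []      # stack of (tag, hides_children) for the enclosing elements
        self.iframes = []   # list of (attrs, hidden_by_ancestor)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append((a, any(h for _, h in self.open)))
        else:
            self.open.append((tag, bool(HIDE_RE.search(a.get("style") or ""))))
    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self.open):   # ignore </iframe> and stray closers
            while self.open.pop()[0] != tag:      # unwind past unclosed void elements such as <br>
                pass

def find_suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return (src, reasons) for every iframe that is hidden, zero-sized, or loads from an unexpected host."""
    p = IframeCollector()
    p.feed(html)
    flagged = []
    for a, hidden_by_ancestor in p.iframes:
        src = a.get("src") or ""
        host = urlparse(src).hostname or site_host   # a relative src stays on the page's own host
        reasons = []
        if hidden_by_ancestor or HIDE_RE.search(a.get("style") or ""):
            reasons.append("hidden")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if host != site_host and host not in allowed_hosts:
            reasons.append("off-site:" + host)
        if reasons:
            flagged.append((src, reasons))
    return flagged
```

Run it over a site’s published pages on a schedule and diff the results against the previous crawl; a frame that appears without a matching content change is the signal to investigate.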
That’s it for today. As of this writing, it seems that another Italian Job is underway, with ~100 compromised Web sites. We shall take a look at more of this in next month’s malware roundup.
April 29th, 2008 by Jake Soriano (Technical Communications)
Senators Hillary Clinton and Barack Obama battle it out on all fronts, literally. The tight contest, in which no clear frontrunner has emerged so far, isn’t likely to be decided by the debates alone. So we see extra-political battles in different arenas. The Web would seem one likely arena where whichever hopeful dominates stands to gain a lot.
The most recent Internet-related clash between these two involved redirection: one candidate’s Web site leads users to the site of the other. Users viewing Obama’s site were redirected to Clinton’s through an attack called cross-site scripting (XSS). Researchers were successful in reversing the attack, too, exploiting vulnerabilities and revealing these glitches to the site owners.
Internet-related incidents are not new to the upcoming U.S. presidential election. TrendLabs, as early as November last year, reported on spamming activities that were seen as campaign materials for Ron Paul. Clinton herself was featured in a spam run that spewed malware into systems, turning them into bots to further spread spam.
This time, however, the cross-site scripting attacks are seen as benign, as no malware was involved. With the increasing attention on spamming and other malicious activities, this might be a move driven by caution. Those who do it may have realized that malicious activities, once exposed, will inevitably taint individuals and their image in the media, or with everyone in general.
Researchers are still investigating how this type of attack could be used in more malicious criminal activity.
April 21st, 2008 by Alice Decker (Advanced Threats Researcher)
Do you know the story where a human and a monkey lived in two rooms separated by a single door?
The first part of the story says that after a while in that room, the human started to get curious and decided to find out what was happening behind the door. As the human peeked through the keyhole, what he saw was another eye, which apparently was the monkey’s.
Cyber criminals can get maximum yield from the simplest of methods by simply exploiting human curiosity. How?
The first step is to send a spam email message. This message is supposedly sent through well-known botnet infrastructure.

The message above was sent in German, but it could be sent in any language. In English, it reads “With our completely free service, you can find out whoever blocked you in MSN or deleted you.”
The link opens a Web site that includes the invitation to use the free service to check the validity of the MSN account.

All the user has to do here is “peek through the keyhole” by typing his MSN account and the right password to figure out whether his account is “indeed blacklisted.” Of course, no answer comes back, but… what happens then?
If the data entered in these fields is valid, then the user could be considered an unwitting accomplice to the next criminal actions done by the users of the engellembul@gmail.com mailbox, the mailbox where the data is sent.
This gives cyber criminals a free choice to use their unlawfully acquired data in any of their illicit activities. The hacked MSN account can be used to send out spam and distribute malware, both through email and through the instant messaging application MSN Messenger. Apart from this, the unauthorized user will then have access to the mailbox and can gather personal data about the affected user.
April 17th, 2008 by Macky Cruz (Technical Communications)
In this recently reported targeted attack on CEOs of various companies (also known as “whale phishing,” due to the size and stature of the affluent targets), a bogus subpoena request attempts to trick recipients into clicking a link in the spammed email messages. The link purports to give users access to the related court documents in a bogus subpoena action.

If victims do click on the malicious link in the email, they arrive at the Web site pretending to house the information (shown above) and are then prompted to download and install a browser plug-in to proceed with viewing the files.
The malicious “browser plug-in” (named Acrobat.exe in this instance) is actually TROJ_AGENT.AMAL.
The attack seems to work due to various social engineering techniques, each of which is not necessarily new.
The United States District Court has posted an advisory regarding these bogus subpoena requests, and so has the Internet Crime Complaint Center (IC3).
Anyone receiving such a request is thus advised to treat this solicitation with extreme caution. If there is reason to believe that the email is valid, consult the matter with your lawyer. Do not click on links in unsolicited email. Period.
Additional input from Paul Ferguson, Advanced Threats Research