    Author Archive - Florabel Baetiong (Anti-spam Research Engineer)

    Late last year, Trend Micro senior threat researcher Ben April discussed the security implications of internationalized domain names (IDNs), domain names that contain characters outside the ASCII range. As Ben discussed, cybercriminals can abuse IDNs in several ways. Today we saw one such abuse: spammers using IDNs as spam URLs.

    We recently got hold of a spam sample that contained a Russian IDN URL:

    Figure. Spam sample containing a Russian IDN URL.

    The availability of IDNs gives spammers a much larger namespace in which to register spam domains. Because domain names are no longer limited to English characters, non-English domains can be registered and used to host spam campaigns as well. Spammers can also write the same domain in its Punycode form, the ASCII-compatible encoding of an IDN (labels prefixed with "xn--"), so a signature or blocklist that matches only one spelling will miss the other. Signature blocking and blacklisting therefore need to canonicalize both forms, which takes more effort.
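The following is an added example, not code from the original post or from Trend Micro: it canonicalizes URL hostnames to their Punycode (A-label) form with Python's standard `idna` codec, so that a blocklist entry written in either spelling matches a spam URL written in the other. The blocklist entries and spam URLs are constructed for illustration.

```python
# Added example (not from the original post): canonicalize URL hostnames so a
# blocklist matches both the Unicode (U-label) and the Punycode (A-label,
# "xn--") spellings of the same internationalized domain name.
import unicodedata
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit


def canonical_host(url: str) -> Optional[str]:
    """Return the hostname of `url` as a lowercase A-label (Punycode) string.

    'http://пример.рф/x' and 'http://XN--E1AFMKFD.xn--p1ai/x' both map to
    'xn--e1afmkfd.xn--p1ai'. Returns None if the URL has no usable host.
    """
    # Assumption: bare 'host/path' strings have no scheme; give them one so
    # urlsplit() recognises the host part.
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # urlsplit lowercases the host for us
    if not host:
        return None
    host = unicodedata.normalize("NFC", host).rstrip(".")  # drop trailing dot
    try:
        # Python's 'idna' codec implements IDNA2003 (RFC 3490): each label is
        # nameprep'd and Punycode-encoded with the 'xn--' prefix; labels that
        # are already ASCII pass through unchanged.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # empty/over-long label or unencodable text: no usable host


def display_host(ascii_host: str) -> str:
    """Decode an A-label host back to Unicode for analyst display."""
    return ascii_host.encode("ascii").decode("idna")


def build_blocklist(entries: Iterable[str]) -> Set[str]:
    """Canonicalize every blocklist entry, whichever spelling it was written in."""
    return {h for h in (canonical_host(e) for e in entries) if h}


def is_blocked(url: str, blocklist: Set[str]) -> bool:
    """True if the URL's host, or any parent domain of it, is blocklisted."""
    host = canonical_host(url)
    if host is None:
        return False
    labels = host.split(".")
    # Check host, then each parent domain, but never the bare TLD.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


# Constructed sample data (hypothetical; .test and .example are reserved names).
SAMPLE_BLOCKLIST = build_blocklist(["пример.рф", "example.test"])
SAMPLE_URLS = [
    "http://пример.рф/pharma",                 # Unicode spelling
    "http://xn--e1afmkfd.xn--p1ai/pharma",     # same domain, Punycode spelling
    "http://www.Example.TEST/offer",           # subdomain of a blocklisted name
    "http://пример.рф.example.net/",           # blocklisted name used as a label only
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        h = canonical_host(u)
        print(f"{u!r:42} -> {h} ({display_host(h)}) blocked={is_blocked(u, SAMPLE_BLOCKLIST)}")
```

The last sample URL is deliberately not blocked: a blocklisted name appearing as a subdomain label of an unrelated domain is a different host, and matching it would block the wrong site.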

    Spammed messages such as the one above indicate that the use of IDN URLs in spam is likely to increase over time.

    The Trend Micro™ Smart Protection Network™, through its Web reputation technology, protects users from threats delivered using IDNs.

    Posted in Spam

    In the past few months, Russia has climbed up the list of top spam-sending countries. From seventh in August, it climbed to sixth place in September and to fourth place in October. We noted that many of the spam runs this month originated from Russia. Below are some of the spam samples we saw and detected this month.

    Figures. Spam samples originating from Russia seen this month.

    Russian spam played a key role in many of the spam runs seen this month. From pharmaceutical to replica, casino, dating, malware-related, and salad spam, Russian IPs were found to be consistent contributors. Here are the top 3 spam-sending countries for the quarter ending in September.

    Country          Percent of unique spam-sending IPs
    United States    11.65%
    India            10.13%
    Russia            8.69%

    Read more insights about today’s threat environment in the October 2010 Threat Roundup.


    Text scams are becoming common again ahead of the forthcoming Philippine national and local elections, as political campaigns turn to mass text messaging for faster political mobilization. Earlier, I received a text message with the following content:

    May GOD bountifuly bles u & ur family. Have a blissful day Fr Frends of UNI-MAD Party List, United Movement Against Drugs no.181’Luv ur famly, say NO 2 drugs.

    According to the Philippine National Statistical Coordination Board, the National Telecommunications Commission (NTC) reported an average of 250 million text messages sent daily in 2005. A more recent study reported that this figure had more than doubled by 2009, alongside growth in the number of mobile phone users to over 63 million.

    Numbers such as these, in a country known as the "text capital of the world", set the stage for the proliferation of text scams such as the one below:

    CONGRATULATIONS!!!Your # WON TOYOTA AVANZA car w/ 300thou via electronic last Dec.21,2009. For details,please call now Rene Samonte. of Phil. Info. Center on this #.

    Similar text scams have occurred in the past, so it is best to be wary: treat unsolicited messages like the one above with suspicion before you fall prey to them.

    Posted in Spam

    Political spats and issues are once again bleeding into cyberspace, with several notable politically themed attacks seen today.

    The Israeli legislative election of 2009, to be held on February 10, is being used by spammers as bait to get users to download malware onto their systems. The election was originally due in 2010; following the resignation of Prime Minister Ehud Olmert as leader of the Kadima party and the failure of his successor, Tzipi Livni, to form a coalition government, it was brought forward, according to the BBC.

    The spam lures recipients into downloading the malware by presenting it as an electronic game themed around the election, billed as the "Israeli Election Competition".

    Figure 1. Email inviting people to play the electronic game

    The malicious file is hosted on a popular web-hosting service. This gives the file a degree of "immunity": the hosting domain cannot be blocked wholesale without also blocking legitimate content on the same service, so the block has to target the specific URL or the file itself.

    Figure 2. The malicious file posing as a game

    The download is a .zip archive containing executables named game1.exe and game2.exe that carry a Flash icon. Trend Micro detects the file as TROJ_DROPPER.JCM; it drops an email address harvester detected as TROJ_MYDOOM.CV.

    Other, as yet unverified, reports describe Russian hacktivists believed to have staged an attack against Kyrgyzstan. Security researchers found that several Internet service providers in the country were suffering DDoS attacks, and the attackers were assumed to be using Russian servers.

    Hacktivism, put simply the combination of hacking techniques and activism, is a growing trend with implications not only for Web security but for global political relations as well.

    Trend Micro Advanced Threats Researcher Paul Ferguson discusses hacktivism and some notable examples in this blog post. Other cases include:

    Posted in Malware, Spam ("Political Issues Bleed Through the Web")

    Using holidays and popular annual events as social engineering lures in spam is a signature Storm technique. The following spammed email message further cements WALEDAC's association with that bot giant.

    Figure 1. Spammed Valentine’s greetings.

    These messages flood inboxes weeks before Valentine's Day, which is also typical of previous Storm spam runs. Clicking the link takes the user to a page showing heart images; clicking anywhere on that page prompts the user to download a file, malicious of course, which Trend Micro detects as WORM_WALEDAC.AR.

    Figures 2 & 3. The link in the email leads to malware.

    WORM_WALEDAC.AR propagates by spamming email messages containing links from which copies of the worm are downloaded. Like other WALEDAC variants, it compromises the infected system by opening random ports and listening on them for commands from a remote user.

    Earlier threats from this same malware family exhibit routines and characteristics very similar to Storm:

    Besides the social engineering techniques used in email, this worm family applies the following methods also seen with Storm:

    • Fast-flux networks, with several different name servers used per domain
    • File names ecard.exe and postcard.exe
    • In some instances, the installation of rogue antispyware
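The fast-flux indicator in the list above is the one a defender can check from DNS alone. The following is an added example, not code from the original post or from Trend Micro, and the DNS observations in it are constructed rather than real WALEDAC data: it scores a domain's passive-DNS answers against generic fast-flux characteristics (many distinct A records rotating within a short window, very low TTLs, addresses spread across unrelated networks, and an unusually large set of name servers). The thresholds are assumptions to be tuned against your own data.

```python
# Added example (not from the original post): flag fast-flux-like DNS behaviour
# from a set of constructed passive-DNS observations for one domain.
from collections import namedtuple
from ipaddress import ip_address

# One passive-DNS style observation: seen-at time (seconds), record type,
# answer value, and TTL in seconds.
Obs = namedtuple("Obs", "ts rtype value ttl")


def fast_flux_score(observations, window=3600):
    """Return (flagged, details) for a sequence of Obs about a single domain.

    Indicators (thresholds are assumptions, not measured values):
      many_ips  : >= 5 distinct A records seen within `window` seconds
      scattered : those addresses fall in >= 3 different /16 prefixes
                  (a crude proxy for unrelated networks when no ASN data is at hand)
      low_ttl   : minimum A-record TTL <= 300 seconds
      many_ns   : >= 4 distinct NS records
    The domain is flagged when at least three of the four indicators hold.
    """
    a_recs = [o for o in observations if o.rtype == "A"]
    ns_recs = {o.value.lower().rstrip(".") for o in observations if o.rtype == "NS"}
    if not a_recs:
        return False, {"reason": "no A records observed"}

    # Only count address churn inside the most recent `window` seconds.
    latest = max(o.ts for o in a_recs)
    recent = [o for o in a_recs if latest - o.ts <= window]
    ips = {ip_address(o.value) for o in recent}
    prefixes = {ip.packed[:2] for ip in ips}  # first 16 bits => /16 prefix
    min_ttl = min(o.ttl for o in a_recs)

    indicators = {
        "many_ips": len(ips) >= 5,
        "scattered": len(prefixes) >= 3,
        "low_ttl": min_ttl <= 300,
        "many_ns": len(ns_recs) >= 4,
    }
    details = {
        "distinct_ips": len(ips),
        "distinct_16s": len(prefixes),
        "min_ttl": min_ttl,
        "distinct_ns": len(ns_recs),
        "indicators": indicators,
    }
    return sum(indicators.values()) >= 3, details


# Constructed flux-like sample: six hosts rotating within 25 minutes at TTL 120,
# spread over five unrelated /16s, with five name servers (hypothetical names,
# addresses from documentation/benchmark ranges).
FLUX_SAMPLE = [
    Obs(0,    "A", "198.51.100.7",  120),
    Obs(300,  "A", "203.0.113.44",  120),
    Obs(600,  "A", "192.0.2.19",    120),
    Obs(900,  "A", "198.18.4.200",  120),
    Obs(1200, "A", "100.64.7.3",    120),
    Obs(1500, "A", "203.0.113.90",  120),
] + [Obs(0, "NS", "ns%d.flux.example" % i, 120) for i in range(1, 6)]

# Constructed benign sample: one stable address, long TTL, two name servers.
BENIGN_SAMPLE = [
    Obs(0,    "A",  "192.0.2.10", 3600),
    Obs(3600, "A",  "192.0.2.10", 3600),
    Obs(0,    "NS", "ns1.static.example", 86400),
    Obs(0,    "NS", "ns2.static.example", 86400),
]

if __name__ == "__main__":
    for name, sample in (("flux", FLUX_SAMPLE), ("benign", BENIGN_SAMPLE)):
        flagged, details = fast_flux_score(sample)
        print(name, "FLAGGED" if flagged else "clean", details["indicators"])
```

A content-distribution network can legitimately trip the many_ips and low_ttl indicators, which is why the function requires three of four and why the NS count, which CDNs rarely inflate, carries weight; treat a hit as a lead for further checks on the hosts' ownership, not as a verdict.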

    The Trend Micro Smart Protection Network blocks the email messages spammed by this worm and detects the worm itself so that it cannot run on protected systems. Users should be careful when clicking links in spammed messages and when downloading files from unknown websites.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice