
    Author Archive - Michael Casayuran (Anti-spam Research Engineer)

    A new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, which ultimately downloads its final payload: a BANKER malware related to the DYREZA/DYRE banking malware.


    In early October we observed a surge of spammed messages sent by the CUTWAIL/PUSHDO botnet, totaling more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.

    We spotted spammed emails that disguise themselves as invoice message notifications or “new alert messages” from various companies and institutions.

    Figure 1. Screenshots of spammed messages related to CUTWAIL/PUSHDO


    Posted in Malware, Spam

    During the last week of August 2014, we observed a salad spam surge caused by the KELIHOS spambot. Salad spam contains gibberish words in the email body and is usually employed by cybercriminals to bypass spam filters. Here are some samples we spotted:



    Figures 1-2: Screenshots of spammed messages

    The majority of this outbreak’s victims are from the United States. Based on our data, the top sending countries for this spam run are Spain, Germany, Italy, Iran, and the United States.

    Figure 3: Top sending countries by KELIHOS spam attack

    The spammed emails sent out by KELIHOS used a spoofing technique similar to that of RUSTOCK, another spam botnet that acts as a proxy server, which allows it to control infected systems and send spam emails with pharmacy/medical content. Both KELIHOS and RUSTOCK send out spam by fetching templates from their C&C servers.

    In the past, KELIHOS has launched various spam runs. In one instance last April, it copied sentences from several Wikipedia articles to pass its spam off as legitimate and/or normal messages. The tragic explosion at the Boston Marathon last year was also leveraged by a KELIHOS variant.

    Security risks that improperly configured SPF Records pose

    During our investigation, we found that the KELIHOS spam surge inadvertently highlighted a security risk in SPF records. SPF functions as a checking system that verifies whether the host sending a message is included in the list of senders authorized for the sender’s domain. This is typically done to prevent email spoofing. However, if the SPF record is misconfigured, it lets spam pass ‘authentication’ as originating from that domain, when in theory only legitimate email is supposed to pass an email authentication check. As such, once spammers compromise even one IP from an authorized block, the SPF check has no way of knowing that the IP has been compromised.

    Our findings also show that the KELIHOS spam run used bogus From field and envelope information, which can also pass Sender Policy Framework (SPF) authentication. In this specific case, it was able to bypass SPF via a spoofing technique similar to RUSTOCK’s. For example:

    XXX  IN  TXT  “v=spf1 include:_spf.{HOST}.com ip4: ip4: ip4: ip4: -all”

    As seen here, the SPF record of {domain}.net lists three /32 entries (single IPs) and one /16 block, containing around 65,000 unique IPs that are allowed to send email on behalf of {domain}.net. As previously mentioned, spammers need to compromise only one of the IPs in that range to use it for sending spam emails. Such a large block also makes it arduous for IT administrators to monitor each of these IPs. Hence, we strongly advise that the SPF record contain only a few IPs, or be limited to a certain number, for easy monitoring.

    One indication of a bad SPF record is that it contains too large a range, considering that a small number of IP addresses (e.g., two to eight) are typically responsible for relaying a domain’s mail. Furthermore, if the SPF settings do not use smaller or more specific ranges, machines that fall under the too-large range can become compromised and be used to send spam that passes the check.
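    The over-broad record described above, as an added illustration (not code from the post): the script below parses a v=spf1 TXT record, totals the IPv4 addresses it authorizes, and flags any ip4 mechanism wider than the handful of relays a domain typically needs, along with a +all/?all terminator. The two records and the eight-host threshold are constructed for this example, since the IPs in the post were redacted.

```python
import ipaddress

# Constructed sample records; the real IPs in the post were redacted.
# WEAK mirrors the shape described in the post: three single IPs plus a whole /16.
WEAK_SPF = ("v=spf1 include:_spf.example.com ip4:203.0.113.10 ip4:203.0.113.11 "
            "ip4:203.0.113.12 ip4:198.51.0.0/16 -all")
# TIGHT keeps the same relays but narrows the block to the eight hosts that relay mail.
TIGHT_SPF = ("v=spf1 include:_spf.example.com ip4:203.0.113.10 ip4:203.0.113.11 "
             "ip4:203.0.113.12 ip4:198.51.100.0/29 -all")

MAX_HOSTS_PER_MECHANISM = 8  # the post notes two to eight relays is typical for a domain


def parse_spf(record):
    """Split a v=spf1 TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        sep = "=" if "=" in term else ":"  # modifiers (redirect=, exp=) use '='
        mech, _, value = term.partition(sep)
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def audit_spf(record, max_hosts=MAX_HOSTS_PER_MECHANISM):
    """Return (total_ip4_addresses, findings) for a record.

    An ip4 range wider than max_hosts is flagged because one compromised
    host anywhere inside it can send mail that passes SPF; +all or ?all
    is flagged because it lets any host on the internet pass.
    """
    findings, total = [], 0
    for qualifier, mech, value in parse_spf(record):
        if mech == "ip4" and qualifier == "+":
            net = ipaddress.ip_network(value, strict=False)
            total += net.num_addresses
            if net.num_addresses > max_hosts:
                findings.append(f"ip4:{value} authorizes {net.num_addresses} "
                                "addresses; narrow it to the actual relays")
        elif mech == "all" and qualifier in "+?":
            findings.append(f"'{qualifier}all' lets any host pass SPF")
    return total, findings


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_SPF), ("tight", TIGHT_SPF)):
        total, findings = audit_spf(rec)
        print(f"{name}: {total} authorized IPv4 addresses, {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

    Note that include: mechanisms are left unresolved here; in practice they must be fetched and audited recursively, since they can pull in further large ranges.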

    Best Practices

    Spam continues to be a security problem for enterprises and large organizations, given that it can be a malware carrier or an infection vector for targeted attacks, potentially leading to data theft. And while security measures like SPF provide another layer of protection, they can still be circumvented if not configured properly, as seen in the recent KELIHOS spam run.

    To protect your network from such security risks, we advise enterprises to configure their SPF policy to allow only authorized hosts to send email for their domains. This should go hand in hand with authenticated SMTP. It is also important to first check whether the email address exists, rather than checking only the sender. Once it is determined that the email address does not exist, the message should automatically fail the SPF check.

    With additional insights from Jon Oliver and Loseway Lu.

    Posted in Botnets, Malware, Spam

    “Get rich fast” scams have been circulating online for several years now. Some examples would be the classic Nigerian or 419 scams, lottery scams, and work-from-home scams. The stories may vary but the underlying premise is the same: get a large sum of money for doing something with little to no effort.

    Scammers have now added a new topic to their roster of lures: the cryptocurrency Bitcoin. The continued rise and fall (and rise and fall and…) of Bitcoins has captured the interest of the media and the public. Certain events in the cybercriminal underground have also played a significant part in boosting the profile of this digital currency.

    The fact that Bitcoin is being recognized as a legitimate form of currency with real-world value has not gone unnoticed by cybercriminals. We have seen different types of Bitcoin-related threats appear over the past years and now, we can add yet another incident to this roster.

    We came across several spammed phishing messages that use Bitcoin as bait. These messages promise recipients that they can earn a large amount of Bitcoins in a short span of time, with one email promising more than US$23,000 in a single day. The emails encourage users to click the embedded link for more information.

    Figure 1. Spammed message about Bitcoin

    The links lead to a site that asks for details like name, address, and credit card information. The registration page appears to have no means of verifying the information; it accepts any data provided in the form fields. This type of behavior is very much typical of phishing sites, which aim to get as many credit card credentials as possible.

    Figure 2. Phishing site

    Scammers often use “get rich quick” schemes because these hold a certain appeal to users. After all, who wouldn’t want to get a large amount of money easily? However, these things are often too good to be true. We encourage users to refrain from opening emails and clicking links from unknown or unverified senders. Users should also do research before sharing personal information—especially those financially related—online with any site or service.

    Trend Micro protects users from all related threats in this incident.


    Rockstar Games’ latest offering for the videogame industry, open-world crime simulator Grand Theft Auto V, came out several months ago for consoles to fanfare and anticipation. Unsurprisingly, people have been waiting for the PC version, despite Rockstar Games being very mum about its release date (or even its existence).

    This uncertainty did not stop cybercriminals from taking advantage of the pre-release publicity. We recently found a spam campaign making the rounds; this one claims that the user has been invited to the GTA V PC beta test.

    Figure 1. Spam message

    The second half of the message consists of links written in Slovak, leading to several sites, one of which is a phishing site. The biggest problem is the attached .ZIP file, which when opened reveals an application named “Your promo code in app”. The extension may lead people to believe that it is a link to Rockstar; in fact it is a backdoor detected as BKDR_ANDROM.ATG.

    Figure 2. Contents of malicious attachment

    Even though the existence of a PC version of GTA V is an unproven rumor, cybercriminals still managed to make convincing bait out of it.

    We recently covered a similar incident using the non-existent desktop version of the messaging app WhatsApp. Like GTA V, the desktop version of WhatsApp has yet to even be announced, and yet it managed to garner its own share of victims.

    As always, we remind users to always be vigilant and alert when it comes to spammed mails such as these. Make sure to check valid and reputable news organizations/websites first before clicking on anything that seems too good to be true. If possible, seek verification from first-party sources (in this case, Rockstar Games). It saves everyone a lot of wasted time, effort and hassle.

    Additional analysis by Christopher So and Mark Manahan.

    Posted in Malware, Spam

    The popular messaging application WhatsApp recently made headlines when it was acquired by Facebook for a staggering $16 billion. Cybercriminals didn’t waste much time capitalizing on this bit of news: barely a week after the official announcement, we saw a spam attack claiming that a desktop version of the popular mobile app is now being tested.

    Figure 1. Screenshot of spammed message

    Our engineers found a spam sample that mentions Facebook’s purchase of WhatsApp and also says that a version of WhatsApp is now available for users on Windows and Mac PCs. The message also provides a download link to this supposed version; the downloaded file is detected as TROJ_BANLOAD.YZV, a family commonly used to download banking malware. (This behavior is the same whether on PCs or mobile devices.)

    That is the case here: TSPY_BANKER.YZV is downloaded onto the system. This BANKER variant retrieves user names and passwords stored on the system, which poses a security risk for online accounts accessed from the affected system. The use of BANKER malware, coupled with a Portuguese message, indicates that the intended targets are users in Brazil. Feedback from the Smart Protection Network indicates that more than 80 percent of users who have accessed the malicious site come from Brazil.

    Although the volume of this spam run is relatively low, it is currently increasing. One of our spam sources reported that samples of this run accounted for up to 3% of all mail seen by that particular source, which indicates a potential spam outbreak.

    We strongly advise users to be wary of this or similar messages; WhatsApp does not currently have a Windows or Mac client, so any message claiming one exists can be considered a scam. Trend Micro protects users from this spam attack by detecting the malicious file and the spam, as well as blocking the related web site.

    With additional analysis from Sabrina Sioting.

    Posted in Malware, Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved.