
    Author Archive - Michael Casayuran (Anti-spam Research Engineer)

    The malware UPATRE gained much prominence following the demise of the Blackhole Exploit Kit. It has since been known as one of the top malware families seen attached to spammed messages, and continued to be so throughout 2014, with particularly high numbers seen in the fourth quarter of the year. We have released our annual roundup, in which we discussed the different trends related to spam; this entry offers a closer look.

    Looking back at 2014: Notable Spam Trends

    Based on our backend honeypot data for 2014, UPATRE stood out as the most prevalent threat that arrives via spammed messages. UPATRE is commonly distributed by the Cutwail botnet, which has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.

    2014 also saw a significant rise in spammed emails with attached Microsoft Word documents that contain malicious macro code, which eventually leads to the download of various information-stealing malware such as VAWTRAK, DRIDEX, and ROVNIX. One example is the DRIDEX chain of infections seen in Q4 of 2014, in which we observed an uptick in spammed emails that led to malicious .DOC and .XLS files carrying the malware.

    Yearly Spam Volume

    Figure 1. Year on year growth trend of spam
    Source: Honeypot data

    Results from our honeypot data show around 1.9 billion spammed emails in 2014. The number rose slightly from that of 2013 (1.6 billion). While this in no way represents the entire spam landscape, it does give us an idea of the overall trends when it comes to spam. It also matches the trends from Trend Micro messaging products in our annual roundup. Note that the spam spike in 2011 can be attributed to a rise in .ZIP file attachments in spammed emails that led to the malware BREDOLAB.

    Spammed Messages Carrying UPATRE

    While there is bulk mail that sells pharmaceutical drugs or advertises replica watches, a certain percentage of spam carries malware. We will refer to these messages as “mal-spam” in the rest of this entry.

    Similar to our 1H blog post on spam trends, UPATRE takes the lead as the top malware distributed via spam, followed by TSPY_ZBOT and BKDR_KULUOZ. In our 1H 2014 post, we wrote that the number of spam campaigns related to UPATRE went down in June due to the Gameover takedown that same month. Come July we observed a gradual increase, which can be attributed to the use of the Cutwail botnet.

    Our honeypot data shows that UPATRE made up almost 30% of all mal-spam seen in 2014.

    Figure 2. Top 10 malware from spam mails seen in 2014
    Source: Honeypot data

    Figure 3. TROJ_UPATRE vs. total mal-spam seen in 2014
    Source: Honeypot data

    The overall mal-spam decline toward the end of the year (Figure 3) can be attributed to the continuous decline of UPATRE spam samples seen in Q4. UPATRE spreading via attachments drastically declined in Q4. Despite this decline, it still remains the most distributed malware via spam in 2014. Here’s a rundown of the blog entries we wrote in 2014 that talk about UPATRE attached to spam.

    Top Social Engineering Lures of 2014

    Social engineering plays a vital role in carrying out spam attacks. We found that the holidays and any type of breaking news are still effective ways to carry out social engineering attacks in spam. Here are some notable social engineering lures we wrote about in 2014, whose topics range from celebrity deaths to popular sporting events.

    Mixing Old and New Spam Techniques in 2014

    Spammers have blended, and will continue to blend, old techniques with new ones in order to avoid detection and successfully victimize users. Some new techniques we’ve noted in 2014 include spam attached to spam, which is similar to backscatter email.

    The blending of spam techniques is seen mostly in commercial spam. For instance, newborn domain spam often uses the word salad technique mixed with invisible ink, character padding and newly registered domains.

    With the prevalence of UPATRE and malicious macro downloaders on the rise, we can predict that spammed emails carrying these types of malware may soon bear more complex techniques. The social engineering aspect of spam, for one, is starting to veer away from social networking spam (Facebook and Twitter notifications) and instead uses templates that imitate known couriers and banks.

    More in-depth information about the spam that dominated the threat landscape in 2014 can be found in our upcoming report, TrendLabs 2014 Annual Security Roundup – Magnified Losses Amplified Need for Cyber-attack Preparedness.

    Posted in Spam | Comments Off on 2014 Spam Landscape: UPATRE Trojan Still Top Malware Attached to Spam

    A new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, which ultimately downloads its final payload: a BANKER malware related to the DYREZA/DYRE banking malware.


    In early October we observed a surge of spammed messages sent by the botnet CUTWAIL/PUSHDO, totaling more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.

    We spotted some spammed emails that disguise themselves as invoice message notifications or “new alert messages” from various companies and institutions.

    Figure 1. Screenshots of spammed messages related to CUTWAIL/PUSHDO


    Posted in Malware, Spam | Comments Off on CUTWAIL Spambot Leads to UPATRE-DYRE Infection

    During the last week of August 2014, we observed a salad spam surge caused by the KELIHOS spambot. Salad spam contains gibberish words in the email body, and is usually employed by cybercriminals to bypass spam filters. Here are some samples we spotted:



    Figures 1-2: Screenshots of spammed messages

    The majority of this outbreak’s victims are from the United States. Based on our data, the top sending countries for this spam run are Spain, Germany, Italy, Iran, and the United States.

    Figure 3: Top sending countries by KELIHOS spam attack

    The spammed emails sent out by KELIHOS used a spoofing technique similar to that of RUSTOCK, another spam botnet that acts as a proxy server, which allows it to control infected systems and send spam emails with pharmacy/medical content. Both KELIHOS and RUSTOCK send out spam by fetching templates from C&C servers.

    In the past, KELIHOS has launched various spam runs. In one instance, last April, it copied sentences from several Wikipedia articles to pass spam off as legitimate and/or normal. The tragic explosion at the Boston Marathon last year was also leveraged by a KELIHOS variant.

    Security risks that improperly configured SPF Records pose

    During our investigation, we found that the KELIHOS spam surge inadvertently highlighted a security risk in SPF records. SPF functions as a checking system that lets a receiving server verify whether a message claiming to come from a particular domain was sent from a source on that domain’s authorized list. This is typically done to prevent email spoofing. However, if the SPF record is misconfigured, it can let spoofed mail pass ‘authentication’, that is, appear to originate from that domain, when in theory only legitimate email is supposed to pass an email authentication check. As such, when spammers compromise even one IP in an authorized block, the SPF check has no way of knowing that the IP has already been compromised.

    Our findings also show that the KELIHOS spam run used a bogus From field and bogus envelope information, which can also pass the email authentication of Sender Policy Framework (SPF). In this specific case, it is able to bypass SPF via a spoofing technique similar to RUSTOCK. For example: XXX  IN  TXT  “v=spf1 include:_spf.{HOST}.com ip4: ip4: ip4: ip4: -all”

    As seen here, the SPF record of {domain}.net lists three /32 entries (single IPs) and an IP block of /16, containing around 65,000 unique IPs that are allowed to send email on behalf of {domain}.net. As previously mentioned, spammers can potentially leverage even one of the IPs in this list by compromising it and using it to send spam emails. The IP block also makes it arduous for IT administrators to monitor each one of these IPs. Hence, we highly advise that the SPF record contain only a few IPs, or be limited to a certain number, for easy monitoring.

    One indication of a bad SPF record setting is a too-large range, considering that a small number of IP addresses (e.g., two to eight) are typically responsible for relaying a domain’s mail. Furthermore, if the SPF settings do not use smaller or more specific ranges, it’s possible that machines which fall under the too-large range can become compromised and be used to send spam.
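    To turn the check described above into something an administrator can run, here is an added example (not code from Trend Micro or the original post) that parses an SPF TXT record, totals the addresses it authorizes and flags any ip4 block wider than a /24. The record, the /24 threshold and the `_spf.example.com` include target are constructed assumptions; include targets are listed but not resolved because the script runs offline.

```python
import ipaddress

# Constructed SPF record modelled on the redacted one in the post: three single
# hosts plus a /16 block. 192.0.2.x and 198.51.100.x are RFC 5737 test ranges.
WEAK_RECORD = ("v=spf1 include:_spf.example.com ip4:192.0.2.10 ip4:192.0.2.11 "
               "ip4:198.51.100.25 ip4:203.0.113.0/16 -all")
# The same record with the block narrowed to the hosts that actually relay mail.
TIGHT_RECORD = WEAK_RECORD.replace("203.0.113.0/16", "203.0.113.0/29")

MAX_PREFIX_WIDTH = 24  # assumption: any ip4 block wider than a /24 is suspicious


def parse_spf(record):
    """Split an SPF TXT record into ip4 networks, include targets and the all term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks, includes, catch_all = [], [], None
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "ip4":
            # strict=False mirrors SPF: host bits beyond the prefix are ignored
            networks.append((qualifier, ipaddress.ip_network(value, strict=False)))
        elif name == "include":
            includes.append(value)
        elif name == "all":
            catch_all = qualifier + "all"
    return networks, includes, catch_all


def audit_spf(record, max_prefix_width=MAX_PREFIX_WIDTH):
    """Count the addresses a record lets send and flag ranges wider than the threshold."""
    networks, includes, catch_all = parse_spf(record)
    total = sum(net.num_addresses for q, net in networks if q == "+")
    oversized = [str(net) for q, net in networks
                 if q == "+" and net.prefixlen < max_prefix_width]
    return {"total_addresses": total, "oversized": oversized,
            "unresolved_includes": includes, "catch_all": catch_all}


def sender_authorized(record, sender_ip):
    """Does an ip4 term of this record let sender_ip pass? (includes are not resolved offline)"""
    addr = ipaddress.ip_address(sender_ip)
    for qualifier, net in parse_spf(record)[0]:
        if addr in net:
            return qualifier == "+"
    return False
```

Running `audit_spf` on the weak record reports 65,539 authorized addresses and flags the /16, while the tightened record authorizes 11 and flags nothing.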

    Best Practices

    Spam continues to be a security problem for enterprises and large organizations, given that it can be a malware carrier or an infection vector for targeted attacks, potentially leading to data theft. And while security measures like SPF provide another layer of protection, they can still be circumvented if not configured properly, as seen in the recent KELIHOS spam run.

    To protect your network from this kind of security risk, we advise enterprises to configure their SPF policy to allow only authorized hosts to send email for their domain. This should go hand in hand with authenticated SMTP. It is also important to check first whether the email address exists, rather than checking only the sender. Once it is determined that the email address does not exist, the SPF result should automatically fail.

    With additional insights from Jon Oliver and Loseway Lu

    Posted in Botnets, Malware, Spam | Comments Off on KELIHOS Spambot Highlights Security Risk in SPF Records

    “Get rich fast” scams have been circulating online for several years now. Some examples would be the classic Nigerian or 419 scams, lottery scams, and work-from-home scams. The stories may vary but the underlying premise is the same: get a large sum of money for doing something with little to no effort.

    Scammers have now added a new topic to their roster of lures: the cryptocurrency Bitcoin. The continued rise and fall (and rise and fall and…) of Bitcoins has captured the interest of the media and the public. Certain events in the cybercriminal underground have also played a significant part in boosting the profile of this digital currency.

    The fact that Bitcoin is being recognized as a legitimate form of currency with real-world value has not gone unnoticed by cybercriminals. We have seen different types of Bitcoin-related threats appear over the past years and now, we can add yet another incident to this roster.

    We came across several spammed phishing messages that use Bitcoin as bait. These messages promise recipients that they can earn a large amount of Bitcoins in a short span of time, with one email promising up to more than US$23,000 in a single day. The emails encourage users to click the embedded link for more information.

    Figure 1. Spammed message about Bitcoin

    The links lead to a site that asks for details like name, address, and credit card information. The registration page appears to have no means of verifying the information; it accepts any data provided in the form fields. This type of behavior is very much typical of phishing sites, which aim to get as many credit card credentials as possible.

    Figure 2. Phishing site

    Scammers often use “get rich quick” schemes because these hold a certain appeal to users. After all, who wouldn’t want to get a large amount of money easily? However, these things are often too good to be true. We encourage users to refrain from opening emails and clicking links from unknown or unverified senders. Users should also do research before sharing personal information—especially those financially related—online with any site or service.

    Trend Micro protects users from all related threats in this incident.


    Rockstar Games’ latest offering for the videogame industry, open-world crime simulator Grand Theft Auto V, came out several months ago for consoles to fanfare and anticipation. Unsurprisingly, people have been waiting for the PC version, despite Rockstar Games being very mum about its release date (or even its existence).

    This uncertainty did not stop cybercriminals from taking advantage of the pre-release publicity. We recently found a spam campaign making the rounds; this one claims that the user has been invited to the GTA V PC beta test.

    Figure 1. Spam message

    The second half of the message consists of links written in Slovak, leading to several sites, one of which is a phishing site. The biggest problem is the attached .ZIP file, which when opened reveals an application named Your promo code in app. The extension may actually make people believe that it is a link to Rockstar; in fact it is a backdoor detected as BKDR_ANDROM.ATG.

    Figure 2. Contents of malicious attachment

    Even though the existence of a PC version of GTA V is an unproven rumor, cybercriminals still managed to make convincing bait out of it.

    We recently covered a similar incident using the non-existent desktop version of the messaging app WhatsApp. Like GTA V, the desktop version of WhatsApp has yet to even be announced, and yet it managed to garner its own share of victims.

    As always, we remind users to always be vigilant and alert when it comes to spammed mails such as these. Make sure to check valid and reputable news organizations/websites first before clicking on anything that seems too good to be true. If possible, seek verification from first-party sources (in this case, Rockstar Games). It saves everyone a lot of wasted time, effort and hassle.

    Additional analysis by Christopher So and Mark Manahan.

    Posted in Malware, Spam | Comments Off on Grand Theft Auto V PC Beta Test Lures Victims


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice