Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar   May »
  • Email Subscription

  • About Us

    Archive for April 21st, 2014

    Spammers are constantly trying new ways to bypass filters to deliver spam. One of the more typical methods is the use of word salad spam, wherein spammed messages are filled with random words. We recently noticed a spike in salad spam that’s circulating in the wild. Aside from the sudden increase, what’s interesting about this particular spam run is that it uses exact sentences copied from Wikipedia articles.

    For example, in the spammed message below, the first sentence is “Knipe taught his Hawkeye team 75 new plays in one week.” That sentence comes from the Wikipedia article about the American football player and coach Alden Knipe. The second sentence, “As a result, wine consumption in Australia has greatly increased as of 2006.,” comes from the article about cleanskin wine. The last sentence, referring to the House of Blues and the Theatre of the Living Arts, comes from the article about the Verizon VIP Tour.

    Figure 1. Sample spammed message

    This seemingly normal content may ensure the delivery of the message alone.  However, the spammers took it one step further by forging the From form field, making it appear that the email was sent from the recipient’s email account. This adds a layer of legitimacy to the spammed messages.

    Further analysis of the email samples show that this spam run is distributed by computers infected by the Kelihos botnet. This botnet is known for spamming and Bitcoin theft.  Our research indicates that these messages were sent from a variety of countries, including Argentina (18%), Spain (17%), Germany (11%), Italy (11%), and the United States (10%).

    Even though the Wikipedia salad spam may not be malicious—it can be described as a “nuisance” at best—the technique shows that bad guys are still refining known spamming techniques. While there was no malicious payload for this particular spam attack, the same could not be said for future spam runs. Users are advised to be cautious when opening emails. A good rule of thumb would be immediately deleting emails from unknown senders.

    Trend Micro protects users from these threats.

    Posted in Spam | Comments Off on Wikipedia in Your Salad (Spam)

    News of a maritime disaster happening on South Korea waters hit full force on April 16, 2014. MV Sewol, a South Korean vessel, capsized off of the country’s southern coast.

    While the world was still reeling from the horrific turn of events, cybercriminals began getting to work. Just mere hours after this event was reported worldwide, we have seen some spammed messages using this piece of news. In the samples that we have observed, the actual news is not used as bait but made as part of the message itself.

    Figure 1. Spammed message

    Notice that everything else in the spammed message speaks of nothing about the ferry incident. However, looking at the entirety of the message, one finds the incident used at the bottom of the message. This technique, adding random clips of incidents or news that maybe relevant given the date and time, is used by spammers to avoid email filters.

    Once email of this kind gets through your filters, only your anti-malware solution and your ability to distinguish legitimate emails from spam are the only protections that you can rely on. Notice that in the image above, there is an attachment that points to a court appearance notification. Once you mistakenly open said attachment, a backdoor runs on your computer. Further analysis of this particular case lead us to the detection of the attachment as BKDR_KULUOZ.SMAL. This backdoor can allow a remote malicious user to perform commands like update the malware version, download and execute files, and set the computer to idle or sleep.

    KULUOZ is known to be distributed by the Asprox botnet. KULUOZ downloads other malware such as FAKEAV and ZACCESS, as well as install components of the Asprox botnet on your computer, possibly making your computer a spam distributor. Further analysis revealed that this particular KULUOZ variant is part of the Asprox botnet.

    Events like this, unfortunate as they are, are the items that spammers and cybercriminals use to further their activities. Cybercriminals often use just-occurred events as they know there is a demand for more information—any information—about said events. In that type of situation, people might be more inclined to open emails or click any links.

    While Trend Micro products readily filters email messages of this nature and prevents execution of malicious attachments, your best line of defense also is your knowledge. Identify spam from legitimate email by looking closely at the sender, the subject, and the message. Most spam use bogus email addresses, and subject lines and/or messages that are attention-catching. Identifying spam saves you a lot of time and headache associated with keeping your data and your computer safe.

    With additional analysis from Mark Aquino

    Posted in Malware, Spam | Comments Off on News of South Korea Ferry Used for Spam Evasion


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice