One particular targeted attack related to the World Cup was socially engineered with emails claiming to originate from a famous sportswear manufacturer while the potential victims were executives and managers of other established companies. What makes this attack more sophisticated is that with the email message included both a malicious PDF attachment and a hyperlink to a website hosting malware.

The hosted malware was discovered to be a version of SpyEye, a new sophisticated bot on the market. Capabilities of SpyEye include harvesting of bank accounts, credit cards information and ftp accounts. Including two different modes of attack greatly increases the chance of success in infecting the victim.

A typical email filtering system would strip the infected PDF attachment and allow the now ‘clean’ version of the email, containing the URL, to be delivered to the recipient. At this point, there is real danger to all the organization; if the malicious link still is visited, the hosted malware can very easily infect the recipient and propagate, stealing sensitive data during the process.

The upcoming release of GFI MailSecurity 2010 is scheduled for the first public beta release in the coming weeks. One of the new features to debut in this release is ‘LinkScanner’. The job of the LinkScanner is to scan the email messages for links (URLs) and perform an action on those emails which link to malware. The LinkScanner is also capable of crawling the linked-to website using the link included in the email as an entry point. This is a novel feature for an email filtering system and should defend organizations from attacks similar to the one discussed above. The proposal of this feature started after an idea was submitted to the GFI Idea Factory (feel free to participate in the GFI Idea Factory and Beta programmes). The idea quickly gained votes and was included for this release.

With the introduction of ‘LinkScanner’ even elaborate scams such as this one can be fought in an effort to decrease viruses from infecting computers and networks.

Surely, not the solution I was looking for. However, the post is strange and did catch my attention. Apart from the broken English, the forum post advertises “bp servers” and “mailing servers” from China to be used and abused by any person willing to pay a fee. Also notice that this is a recent post which might indicate that there seem to be new players in the spam market.

Interesting question: is it so simple to send a mass spam campaign? I just needed to contact the promoter of this service to find out. Here’s how it went:

The simple Math behind a spam campaign

This scenario is even more disturbing than I thought because the manufacturers who wish to sell their wares using spam techniques can actually skip the middle man (the spammer) and operate the campaign by themselves. In this case, the manufacturers are those who produce or resell fake medicine, healthcare products and other items that are typically marketed using spam methods. Many times these manufacturers do hire a spammer for a couple of weeks; however, they have to pay the spammer a commission rate for every product sold.

In such a scenario the costs of a spam campaign are the server and the mailing list. The tools to generate the spam messages are freely available and most probably will be included when hiring the spam service.

At 100,000 emails an hour, one can potentially send a total of 72 million emails in one month at a cost of $1,200. Access to a mailing list will cost in the region of $3,000 to $4,000. Let’s consider that 0.005% of those who receive the spam do purchase a $10 product; that would result in an income of $36,000 with a very high margin of profit.
There is a very interesting read which describes the global situation of spam. There is also a list of interesting webcasts with the one from Spammer-X being the most influential. Spammer-X is the nickname of an ex-spammer who retired from his activity and his webcast  shows how spammers operate and how much money is involved in spam.

What does “bp servers” mean?

Again, I visit my beloved Google.com and enter “bp servers” as search criteria. I did learn that “bp servers” mean bullet-proof servers but more surprisingly is that many of the Google top results are from organizations promoting their spam services. The following screen shot shows part of first page results:

When analyzing such situations, there is always an Easter egg reserved for the conclusion: one of Google’s sponsored links was an organization promoting their spam solutions! By the way, MailingSolution.net is also registered in China. Some of these organizations are so entangled in the spam market that they are paying Google to have more client exposure.

It is fairly easy to send a spam campaign – it is cheap and the resulting incoming is high when compared to the costs and effort. In previous years, a spammer would have to own his network of servers, botnets and mailing lists. Currently, it seems that there is a shift in the spam market where the spam service is being sold directly to manufacturers and spammers alike.

Without any doubt, China is a key player in the spam problem and unless the authorities of this country start taking concrete measures in the fight against such illegal activity, problems will persist for all the millions of people who use email.

Run 1: Facebook.com wall posts

Several users have reported that ‘someone’ posted weightloss messages on their friends’ walls. There text of the message varies with the following three being the most common:

Wow, this woman’s story has inspired me to lose weight facebookhealth4.com

I stumbled across this woman’s weight loss blog today, really interesting facebookhealth5.com

These things must work well for losing weight, check out this woman’s blog and what she did facebookhealth4.com

There are three possibilities how this might have been achieved:

1. A number of Facebook accounts were compromised via a direct attack on Facebook.com (lowest possibility).
2. Malware writers discovered a way to directly post on Facebook users’ walls without their knowledge (might be a possibility).
3. A Trojan was installed on the Facebook user’s machine stealing account login details (highest possibility).

Run 2: Facebookhealthx.com and wwwsecurityscan04.com

Just yesterday ten domains, Facebookhealth1.com to Facebookhealth10.com, were registered by a Chinese registrant carrying the name of TANGHUA. The contacts seem fake and both the Name Servers and IP are located in China. This simple public information already gives us the indication that these domains were created for the malicious activities.

These ten domains redirect immediately to another location hosted on wwwsecurityscan04.com. From the Whois record of wwwsecurityscan04.com, the registrant is an individual who makes use of dynamic DNS service but the contacts do not seem fake.

However, this domain was registered just yesterday, the same as the Facebookhealthx.com domains.

Run 3: Forum posts in various small websites

Fire up your favorite Internet browser and in Google enter “facebookhealth5”. You should receive a list of websites which host posts similar to those on the Facebook wall.

Any of these links will redirect you to a ‘free’ virus scan of your computer. What you would not expect is that malware will be installed.

Run 4: The rouge AntiVirus scan and malicious payload from wwwsecurityscan04.com

As soon as you are redirected to wwwsecurityscan04.com an animation of a rouge AntiVirus software is displayed. The animation is visually very well done and presented. It has the potential to easily fool uneducated users. The following screenshots show a complete run from the rogue AntiVirus software:

It is important to notice the long and complex URL being used to launch the fake AntiVirus scan (first screenshot under Run 4). If you visit wwwsecurityscan04.com (not recommended) nothing should happen and only some text will be displayed.

At the end of the AntiVirus scan by the animated screen, a dialog box requires you to download “Soft71.exe”; the malware. Do not expect that, if the Cancel button is pressed, you will be able to clear everything. The website together with the animation leaves no simple escape route.

I have uploaded the malware to VirusTotal.com for analysis. As at today, 07 October 2009, ONLY 3 AntiVirus Engines out of 41 managed to detect the malware. These engines power your desktop AntiVirus software and those of your place of work. This illustrates how prone we all are to malware and the risks that we all encounter when we do not think about our actions. Just imagine the consequences had you clicked on the malicious link whilst at work. This is the permalink for the VirusTotal analysis.

Run 5: Malware activity

Until now I do not know exactly which activities “Soft71.exe” (the malware) performs on a computer. To understand the actions of the malware, the executable must be disassembled and run under a controlled environment monitoring the changes being performed.

However, it seems that this malware would be writing a number of registry keys and also downloading other malware from the Internet.

The possible malware attacks and how they are orchestrated are next to infinite. We must always be a step ahead of malware writers and, apart from keeping all machines secure and safe, we must ensure that all users are educated. This is valid advice both at the workplace and at home. A weak link in the chain may cause irreparable damage.

As we have seen there are occasions where the machine and software will not defend our resources. Education will always be the key to success against such criminal activity.

Another day, another example exposing the fragile human security in an organization. Malware writers and spammers greatly depend on disguising their payload as innocent messages or software, which may even pretend to be offering a form of service to the innocent victim. The aim is to make the user perform an action: execute an infected e-mail attachment, click on a link to a compromised web site, or reply to fake unsubscribe notices and the list just goes on and on.

Just recently, I discovered an e-mail in my Inbox claiming to be originating from the DHL Support Services. DHL is a high profile legit international company which offers transport and logistics services. The e-mail also had attached a zip archive containing an executable file. The message of the e-mail states that there was a problem delivering my package due to an undisclosed problem. The message continues by trying to convince me to print the ‘invoice’ attached to the e-mail. The ‘invoice’ being referred to in the message is the executable found in the zip archive.

The e-mail body and attachment claiming to originate from DHL Support Services

As previously stated, the e-mail ended up in my Inbox and my personal antivirus did not detect the attachment as malware. However, I am still very susceptible that the attached file is malware for the following reasons:

• The MIME From domain is listed as dhl-support.com. This domain is registered on an individual from Germany but not on the actual DHL organization.
• I did not have any postal packages which were not delivered.
• The structure, grammar and tone used in the message do not seem to match those that would be used by a commercial company.
• DHL have the facility to track any packages using their website. Why would they send an ‘attachment’ with an email?

Whois information for domain dhl-support.com. Clearly, this domain is not registered for DHL.

In order to confirm this, the zip archive was uploaded to VirusTotal.com for analysis. As at the 23rd September 2009, nearly half of the antivirus engines at VirusTotal did NOT manage to detect the attachment as malware.

Partial results after the analysis by VirusTotal.com

These engines form part of some of the most popular antivirus applications that protect desktops of home and business users and organizations’ servers. It takes time for the antivirus vendor to discover the malware, analyze it and distribute the necessary updates to detect it. This time lapse can prove to be the security hole for an organization or a disaster for the home user. This is why it is important to make use of a product which has multiple different antivirus engines such as GFI MailSecurity.

The antivirus engines that did manage to detect the malware, listed it as yet another variant of the infamous Bredolab Trojan. This Trojan firstly appeared around May and variants have been going around in the form of attachments in spam messages throughout all these months.

DHL and any other transport services organization will never send you an executable via e-mail to run on your desktop for any reason. This is simply an attack on users and organizations alike. The best defense is always education. Although software does protect, as we have seen, it is also prone to failure.

Such spam takes the form of a greeting e-card originating from greetingcard.org or 123greetings.com. These two domains are legitimate domains however the spammer is using these brand names to fake the origin of the email. The body content contains a typical greeting message urging the receiver to click the URL to view the e-card. 

The URL in this case does not directly lead to a store promoting the spamvertised products but to a post in a forum or group showing a screenshot of the store. It is this hyperlinked screenshot which redirects the potential victims to the store being operated by the spammer.

This technique offers a lot of advantages to the spammer:

1. Social Engineering – inexperienced users are very prone to accepting the message of an email. In this case a greeting e-card is used which targets this type of user. Content checking and statistical techniques for filtering are bypassed easily because basic English words are used.
2. The spammer is using a ‘middle man’ to lead the victim to the store. The ‘middle man’ is the website hosting the forum\group post. It is the task of the administrators of the forum\group to remove such a post. Obviously this may take a considerable amount of time until the post is reported and action taken.
3. These forum\group posts are very easily generated using scripts and hence there might exist thousands of different forum posts which lead to the same store. Checking only the URL against a blacklist provider such the surbl.org typically results in a negative result because the unlimited possibilities where the post is hosted and typically the forum\group are legit domains.

The URLs of the group of spam messages under test conditions, redirected to a post hosted on Google Groups ,which in turn contained a screenshot redirecting to buybegin.com. This domain hosts a ‘Canadian’ pharmacy store selling Viagra, Cialis and other medicine of dubious quality and origin.

Forum post hosted on Google Groups

The redirected website ‘buybegin.com’ from the post hosted on Google Groups

It is very clear that the domain buybegin.com has been very recently registered and it seems that the owners do not intend to remain in ‘business’ for a long period of time. In fact the domain is registered for only one year. The administrative and billing contacts of the domain are clearly fake and only the contact email address may be genuine. 

Whois record for ‘buybegin.com’ domain

Digging deeper into this information reveals that the registrant with the name “Du Qiaowen” has 24 other domains registered under his name such as MagnetAroma.com. The MagnetAroma.com domain has a very similar whois record as buybegin.com with both domains being registered on the same day. The MagnetAroma.com website hosts the same pharmacy store as buybegin.com. All of these indications are the trademark of a large scale scam operation.

Visiting capturedright.com (do not visit this website) one can notice that there is no Viagra, weight loss pills or berries for sale. Only a very simple and small ‘opt-out’ form with the words “Remove me:”

The innocent victims of spam would be tempted to insert their email addresses to ‘opt-out’ of the spamming list. In reality, this is very similar to a phishing attack. The spammer would be harvesting the email addresses. The benefit to the spammer is that there is a very high probability that the email addresses being harvested are valid.

Innocent looking opt-out form at capturedright.com

It is costly to send SPAM and according to recent studies, the profit spammers make is not as big as it was thought in the past. Hence, it is in the interest of the spammer that the mailing list being used is kept clean of invalid email addresses. As soon as a victim places an email address in the ‘opt-out’ form, the email address is confirmed as a valid address to target spam since there was a manual process of inserting the email address in the form.

Confirmation of ‘removal’ of email address. DO NOT TRY THIS!

The intent of this current trend of SPAM is not to sell or promote a product but more to create and harvest better mailing lists for spamming activities in the near future. In addition to anti-spam products, the best weapon in such cases is the education of end users.