Monthly Archives: April 2007

Virus Authors Use Google Ads to Spread Malware

Malware authors have employed Google’s paid advertisements to direct surfers to virus-infected websites. Hackers are buying paid advertisements for keywords such as Better Business Bureau and BBB. When surfers click on a hacker’s advertisement that shows for a given search, they are routed through an intermediary website, where malware is downloaded to vulnerable machines, before being redirected to the website they intended to visit. The tactic was first reported last week.

Google began removing known bad links as of late last week. However, experts are doubtful that there is a permanent solution to the problem given the size and automated nature of Google’s advertiser platform.

Web Based Malware Increases

There were 23,000 new cases of web-based malware in the first quarter of 2007, compared with 9,000 in the first quarter of 2006, an increase of approximately 150%. 70% of infected web pages were legitimate sites that had been hacked (recent, high-profile examples are the Circuit City and Dolphins Stadium web sites). The increase coincides with a shift in the tactics malware propagators use to infect unsuspecting surfers. In addition to hacking and infecting popular, heavily visited sites, bot herders are inserting links to malware-infected sites in spam email. Another tactic used by malware authors is the use of Google PPC ads to lure surfers to malware-infected web sites.



Malware Spam Offers Camera Phone Footage of VT Shootings

A twisted social engineering ploy offering camera phone footage of the Virginia Tech shootings is being used by malware spammers to get viewers to open spam messages containing a picture of the shooter and click on a link that installs a malicious screensaver file (TERROR_EM_VIRGINIA.SCR). The file is a banking spyware Trojan horse, known as Mal/Packer. The Trojan seeks to steal usernames and passwords for online banking sites, opening up the possibility of identity theft and financial loss for any user infected with the program.

Using spam with subject lines and pictures related to current or recent news events has become an ever more common tactic of spammers and malware distributors. This is how the Storm Worm, which resurfaced last week, got its name. As a matter of policy, IT managers and administrators should strongly emphasize to users that any inbound email referring to current news events should be treated with extreme skepticism. If it is a topic they are interested in, direct them to visit a reputable news source at an appropriate time.

Storm Worm

The Storm Worm Trojan spam outbreak that started last Thursday (which we reported on here) pushed global virus levels to 60 times the normal daily average. Users should continue to be on the lookout for “love” and “worm alert” related subject lines and emails with password-protected zip files.

Given that the Storm Worm senders have relied on subject lines citing real-world news events in the past, it would also be prudent to be on the lookout for emails with subject lines referring to the terrible tragedy at Virginia Tech University today.


Email Virus Outbreak

An email with the attached text picture is circulating heavily today. The message appears to be from a service provider and tells the recipient that they are infected with a virus and need to download and run the attached password-protected file to fix the problem (the password is embedded in the message image). The file contains a currently unknown virus. Users should not, under any circumstances, download the attachment.


The virus is W32/Nuwar@MM, aka the Storm Worm, a security application termination virus. We first saw this worm in January. It is called the Storm Worm because the original spam/malware campaign had email subject lines alluding to a major storm in Europe.

It first installs a rootkit to evade detection. It then connects to a custom peer-to-peer network where the worm’s creators issue commands, such as to download additional malware, send spam or transmit personal data stolen from the victim computer. To spread itself further, the worm also searches for email addresses on the victim machine and sends itself to any discovered addresses. The worm is self-mutating. If the virus goes undetected and is not removed, it opens the door to future spam and malware attacks.

Additional subject lines include:

  • Virus Activity Detected!
  • Worm Activity Detected!
  • Trojan Detected!
  • Virus Alert!
  • Worm Detected!
  • Spyware Detected!
  • Worm Alert!

As a side note, when the emails first started circulating on Thursday, the subject lines had romantic themes (“A kiss so gentle” or “I dream of you”).

Title variations of the zip file include the words “patch,” “hotfix,” “removal,” and “bugfix,” followed by a random four-digit number.


Email Worm Claims US Launches Missile Strike on Iran

An email worm is circulating with subject lines claiming the US has launched a missile strike on Iran. The most common subject line thus far is “USA Missle Strike: Iran War just have started”. Other known subject lines are:

“USA Just Have Started World War III”
“Missle Strike: The USA kills more then 20000 Iranian citizens”
“Israel Just Have Started World War III”

The emails contain an attachment with the title “Read More,” or “Video”.

This is an opportunity to remind your users that emails claiming sensational news events should never be opened, nor should any of their attachments. If readers wish to validate any sensational claims, they should instead visit a reputable news source and check the headlines there.


Britney Spears Spam Campaign Tied To .ANI Exploit Flaw

We have seen a rash of obvious spam touting vulgar pictures of Britney Spears this week. Users receive an email with the subject line “Hot Pictures of Britiney Speers” that is written in HTML and has anti-spam avoidance text within the HTML comments. Evidence that came to light this morning suggests that this particular spam campaign is directly related to the animated cursor exploit flaw that has been causing problems since last week. Links in the spam messages lead to sites either compromised, or built, to deliver Trojans and keystroke loggers to any Windows machine with animated cursors. Users should never, ever click on links in spammy messages…especially not these, no matter how badly they want to check out the hot pictures of Britney Spears.

Exchange and NDR Spam

Directory Harvest Attacks Can Turn You Into an NDR Spammer

If you don’t know what Exchange Recipient Filtering is, then your company may be sending out spam. Many of our customers and friends run Exchange servers, so we like to periodically discuss Exchange best practices. Fortunately, adding recipient filtering is a very simple and straightforward change to make.

First, a little background. Directory Harvest Attacks (DHAs) are an extremely common way for spammers to infiltrate your corporate users’ inboxes. The idea is simple: the spammer connects to your mail server and just starts guessing email addresses (e.g. john@, sally@, sales@, etc.). They might literally try thousands of combinations…and why not? They are not paying for it and have all the time in the world. This is of course very bad news for you. Two problems arise: 1) the spammer(s) will eventually have your entire corporate email directory, and 2) all of these lookups can bring your mail server to a grinding halt.

Microsoft decided to address this threat in an unfortunate way. By default, Exchange bounces bad recipients asynchronously. That means that instead of telling the sending mail server right away that a recipient does not exist, Exchange says all recipients are valid. The idea is that spammers are just wasting their time with directory harvest attacks: the server appears to accept ALL recipients for your domain, so the spammer cannot tell the good addresses from the bad. The theory was that since this would provide little value to spammers, they simply would not do it. It turns out differently in practice.

The problem with this approach is that Exchange must at some point notify the sender that the recipient was not found. So, Exchange generates a NEW email message (called an NDR or Non-Delivery Report) and sends it to the sender of the original message. But wait. What if the spammer did not use his REAL email address? In fact, what if he LIED and said the message was coming from  Your server just spammed the real victim. Not only have you inadvertently contributed to the spam epidemic, you have also put the reputation of your company, domain name, and IP address at risk.


Configuring Recipient Filtering


We highly recommend that anyone running a corporate email server invest in top-of-the-line anti-spam technology. It will pay off a thousandfold in the long run. Most good anti-spam solutions do a reasonable job of limiting the impact of directory harvest attacks. But almost all of them will still allow a sender to try quite a few bad recipients before shutting them down.


That means that EVERYONE running an Exchange server should consider the following configuration change to limit the impact of this problem. If you are running Exchange 2003, then you need to add a recipient filter rule.

To configure recipient filtering, follow these steps:

1. Start the Exchange System Manager tool.
2. Expand Global Settings, right-click Message Delivery, and then click Properties.
3. Click the Recipient Filtering tab, click to select the Filter recipients who are not in the Directory check box, and then click OK.
4. When you receive the following message, click OK:
Connection, Recipient, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information on how to enable any of the above filtering types, read their associated help sections.
5. Expand Servers, expand your computer, expand Protocols, expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
6. On the General tab, click Advanced.
7. Click Edit, click to select the Apply Recipient Filter check box, and then click OK three times.

Note If you are running Exchange in a front-end/back-end environment, recipient filtering must be enabled on the SMTP bridgehead server or servers.
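As an added example (not code from this post or from Exchange itself), the following Python models one directory harvest session under the two policies described above: Exchange’s default accept-everything-then-NDR behaviour versus synchronous recipient filtering. The directory, client IP, forged sender and probe addresses are all constructed, and the DHA threshold is an assumption.

```python
"""Model of how the RCPT TO policy decides whether a directory harvest
attack (DHA) turns into NDR backscatter. Constructed example, not Exchange code."""
from dataclasses import dataclass, field

# Constructed corporate directory standing in for Active Directory.
DIRECTORY = {"john@example.com", "sally@example.com", "sales@example.com"}


@dataclass
class Session:
    client_ip: str
    mail_from: str                                  # claimed in MAIL FROM; may be forged
    rcpt_to: list
    responses: list = field(default_factory=list)   # (recipient, SMTP reply code)
    ndrs: list = field(default_factory=list)        # (NDR destination, bad recipient)


def handle_session(session, directory, filter_recipients):
    """Answer each RCPT TO. Filtering off (the Exchange default): accept every
    recipient and queue an NDR to the claimed sender for each unknown one.
    Filtering on: refuse unknown recipients synchronously with a 550, so no NDR
    is ever generated and the failed probe is visible in the SMTP log."""
    for rcpt in session.rcpt_to:
        known = rcpt.lower() in directory
        if known or not filter_recipients:
            session.responses.append((rcpt, 250))
        else:
            session.responses.append((rcpt, 550))
        if not known and not filter_recipients:
            session.ndrs.append((session.mail_from, rcpt))
    return session


def looks_like_dha(session, directory, max_unknown=5):
    """Flag a session that probes more unknown recipients than a legitimate
    sender plausibly would. The threshold is an assumption; tune it locally."""
    unknown = sum(1 for r in session.rcpt_to if r.lower() not in directory)
    return unknown > max_unknown


def demo():
    """Replay one constructed DHA session (1 real address, 20 guesses) under both policies."""
    probes = ["john@example.com"] + [f"guess{i}@example.com" for i in range(20)]
    forged_from = "victim@other-company.example"    # constructed forged sender
    default = handle_session(Session("203.0.113.7", forged_from, probes),
                             DIRECTORY, filter_recipients=False)
    filtered = handle_session(Session("203.0.113.7", forged_from, probes),
                              DIRECTORY, filter_recipients=True)
    return len(default.ndrs), len(filtered.ndrs), looks_like_dha(filtered, DIRECTORY)


if __name__ == "__main__":
    print(demo())   # (20, 0, True): 20 backscatter NDRs by default, none with filtering
```

Every one of the 20 NDRs in the default case is addressed to the forged sender, which is exactly the backscatter the post warns about; with filtering on, the 550 replies give you something to count and block on instead.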

If you are on an older version of Exchange, then you are out of luck (sorry). You might want to consider migrating to a business-class hosted email solution and let all of this become someone else’s problem. Alternatively, you can use a gateway email solution, which rejects bad recipients synchronously via its own internal directory, or via LDAP against your Active Directory.

MxToolBox customers who need help with this issue should contact our support team.  We are happy to walk you through the options.



Spam Costs $712 In Productivity Per Employee, Per Year

Research results released by Nucleus Research suggest that spam costs $712 in worker productivity per employee, per year. The study found that business email users typically receive 21 spam messages in their inboxes per day. Workers spend 16 seconds identifying and deleting each spam message, which translates into an annual cost of $70 billion to US businesses.

Bear in mind that this number reflects only lost productivity and does not take into account the cost of the anti-spam solutions businesses employ. Then again, a “solution” that lets more than zero to five spam messages into a user’s inbox per day is really no solution at all.

How many spam messages do your users receive per day? How many spam messages do you block? 
