Microsoft Security Intelligence Report

Microsoft has published their Security Intelligence Report for July – December 2007.

When reviewing the document some items caught my attention. Malware distribution has shifted from emails with an attached executable to emails, sometimes cleverly constructed, that carry a link to a web site from which the malware is downloaded.

At MX Lab we also see an increase in emails with links to web sites that offer potentially harmful files for download. See the recent article Malware distribution techniques on the MX Lab blog.

This is because many anti-virus vendors have improved their scanning engines and integrated heuristic scanning into their products, which brings attachment scanning closer and closer to zero-hour virus protection. A link in the message body carries no executable for the gateway to scan; the malware is only fetched when the recipient clicks.

75% to 80% of the phishing attempts are in the English language. Based on our experience we can add that the most popular phishing attempts are related to banks, Google AdWords and PayPal.

You can download the Microsoft Security Intelligence Report for July – December 2007 at the Microsoft Download Center.

Blog moved to blog.mxlab.be

The MX Lab Blog has been moved to http://blog.mxlab.be. For this I have purchased and configured the domain mapping. Please update your bookmarks.

Malware distribution techniques

At first I took this for a new phishing email, because it appears to come from a bank, includes a long URL in the body and concerns your banking account, for which you supposedly need to renew your certificate.

Connection-Colonial Bank Renewal

Certificate Renewal
Personal (Smartcard) e-Cert  Personal e-Cert
Certificate owner must renew the certificate before expiry date.
Your certificate expiration date – 1may 2008.
The system will send email (Certificate Renewal Notice) to the certificate owner ten days and 3 hours before the certificate is due to expire, if it has not been renewed. Upon receiving the renewal notice, certificate owner is required to connect to Colonial Bank Certificate Management System and present the client certificate. Secure Server e-Cert  Developer e-Cert
Certificate owner has the responsibility to renew the certificate before expiry date. Successful renewed application will receive an email notification from Colonial Bank. Applicant can just browse to the URL stated in the email and then download the certificate.

Download now

2003 Colonial Bank, N.A.

Further investigation shows that it is indeed a technique to distribute malware. The download URL does not present a login screen but takes you to a web site where you are asked to download the certificate, and that "certificate" is an .exe.

The download is a file named Colonial_CertificateUpdate04192008.exe, which is in fact Trojan-PSW.Win32.Papras. This trojan steals login credentials and other sensitive information from the compromised system. It also drops and uses a rootkit driver to hide itself; the rootkit driver is detected as Rootkit.Win32.Agent.SZ.

As always, take extra care when you receive emails formatted like this: a genuine certificate renewal never requires you to run an executable.
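The lure above works because the recipient trusts the word "certificate" while the file behind the link is a Windows executable. The following is an added example, written for this post and not code from MX Lab, showing how a gateway or analyst script can make that decision from the file content (magic bytes and the PE header) rather than from the name or the link text. The two sample blobs, the extension list and the wording check are constructed assumptions for the demonstration.

```python
import re
import struct

# Constructed sample: the smallest byte layout that still looks like a Win32 PE
# (MZ stub, e_lfanew at offset 0x3C pointing at the "PE\0\0" signature).
# This is not a real or runnable binary.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample of what a genuine certificate download would look like.
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"

EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd)$", re.I)


def sniff(data: bytes) -> str:
    """Classify a downloaded blob by its content, never by its name or extension."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # The DOS header stores the offset of the PE signature at 0x3C.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "dos-executable"
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem-certificate"
    if data[:1] == b"\x30":
        # DER-encoded X.509 starts with an ASN.1 SEQUENCE tag (0x30).
        return "der-sequence"
    return "unknown"


def check_lure(email_wording: str, filename: str, data: bytes) -> list[str]:
    """Return the reasons this download should be treated as a malware lure.

    email_wording: the text around the link (e.g. "Certificate Renewal ... Download now").
    filename:      the name the server handed out for the download.
    data:          the downloaded bytes.
    """
    reasons = []
    kind = sniff(data)
    is_exe_content = kind.endswith("executable")
    has_exe_name = bool(EXECUTABLE_EXT.search(filename))

    if re.search(r"certificate", email_wording, re.I) and is_exe_content:
        reasons.append(f"email promises a certificate but the content is a {kind}")
    if has_exe_name:
        reasons.append("download has an executable extension")
    if is_exe_content and not has_exe_name:
        reasons.append("executable content hidden behind a non-executable filename")
    return reasons


if __name__ == "__main__":
    wording = "Certificate Renewal Notice - Download now"
    print(check_lure(wording, "Colonial_CertificateUpdate04192008.exe", FAKE_PE))
    print(check_lure(wording, "cert.pem", FAKE_PEM))
```

The content check is the important one: renaming the file to `.cer` would defeat an extension filter but not the `MZ`/`PE\0\0` test, which is why the third reason exists.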

Google spam backscatter

If you have received a "Your mail could not be delivered" bounce notification, a "Your mail contained a virus" notice, or a request to confirm your signup for a mailing list you have never heard of, you have probably received backscatter. You also get spam backscatter when spammers forge your domain as the sender address in their campaigns: every receiving server that accepts the message and then bounces it sends the bounce to you, not to the spammer.

Some time ago, when virus outbreaks were very common, we received a lot of backscatter from mail servers that intercepted the virus. Mail administrators were so concerned, or may I say stupid, as to send these notifications to the sender, most often to spoofed email addresses.

Today, we have Google backscatter:

 Hello souillet1957@**********.com,

We’re writing to let you know that the group that you tried to contact (designateh) doesn’t exist. There are a few possible reasons why this happened:

* You might have spelled or formatted the group name incorrectly.
* The owner of the group removed this group, so there’s nobody there to contact.

If you have questions about this or any other group, please visit the Google Groups Help Center at http://groups.google.com/support.

Thanks, and we hope you’ll continue to enjoy Google Groups.

The Google Groups Team

Thank you Google.
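The Google notice above was sent to an address that never wrote to that group; the group name was forged by a spammer. The root fix is to reject unwanted mail during the SMTP transaction instead of accepting it and bouncing later. A receiving domain can additionally make its own bounces verifiable by tagging the envelope sender, so that a bounce (or a Google Groups notice) addressed to an untagged or expired return path can be discarded. The following is an added example in the style of BATV, written for this post and not part of the original article or any product; the tag layout (three-digit expiry day plus six hex characters of an HMAC), the seven-day validity window and the key are assumptions for the demonstration.

```python
import hashlib
import hmac

VALID_DAYS = 7          # assumed validity window for a tagged return path
TAG_LEN = 3 + 6         # DDD expiry day + 6 hex chars of signature


def tag_return_path(local: str, domain: str, key: bytes, today: int) -> str:
    """Sign the envelope sender used for outgoing mail.

    `today` is a day counter (e.g. days since epoch); only its value modulo 1000
    is stored in the tag, as in BATV's three-digit expiry day.
    """
    expiry = (today + VALID_DAYS) % 1000
    addr = f"{local}@{domain}"
    sig = hmac.new(key, f"{expiry:03d}{addr}".encode(), hashlib.sha256).hexdigest()[:6]
    return f"prvs={expiry:03d}{sig}={addr}"


def is_legitimate_bounce(rcpt: str, key: bytes, today: int) -> bool:
    """True only if `rcpt` is a return path we tagged and the tag has not expired.

    Anything else (a plain, untagged address, a tampered tag, an old tag) is
    backscatter for mail we never sent and can be rejected at RCPT TO time.
    """
    if not rcpt.startswith("prvs="):
        return False                      # we never send with an untagged return path
    try:
        _, tag, addr = rcpt.split("=", 2)
    except ValueError:
        return False
    if len(tag) != TAG_LEN or not tag[:3].isdigit():
        return False
    expiry, sig = int(tag[:3]), tag[3:]
    if (expiry - today) % 1000 > VALID_DAYS:
        return False                      # expired, or a day value we could not have issued
    expected = hmac.new(key, f"{expiry:03d}{addr}".encode(), hashlib.sha256).hexdigest()[:6]
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    key = b"constructed-demo-key"        # in practice: a per-domain secret, rotated with a key id
    tagged = tag_return_path("alice", "example.com", key, today=100)
    print(tagged)
    print(is_legitimate_bounce(tagged, key, today=105))            # True
    print(is_legitimate_bounce("alice@example.com", key, today=105))  # False: forged sender
```

Mail addressed to the tagged form is still delivered to the plain mailbox after the check; the signature only lives in the envelope, so users never see it. Bounces to the plain address, like the Google Groups notice quoted above, fail the first test immediately.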

Phishing levels peak

MX Lab detected an increase in phishing emails between 09/04/2008 and 13/04/2008, bringing the phishing level up to 0,28% of all blocked messages, where in the past this level was 0,03%.

These phishing emails mostly concern a "locked bank account" or a request to "verify your details", but we also see phishing attempts targeting Google AdWords customers, stating that their account is locked.

MessageLabs and some ISPs on blacklist

One of the biggest spam block lists on the internet suffered an embarrassing technical cock-up today which blocked emails from some servers at web security monitoring firm MessageLabs and at some ISPs for about five hours. Read the full story.

Mailings from FashionShopping.com

Last week I received mailings from FashionShopping.com at two email addresses on my other domain, pixeldesign.be. The first thing I noticed was that these email addresses weren't in use anymore. One of them was only used as a default system reply address for web forms on one of my servers: when a site visitor doesn't fill in his or her email address, this default address is used to avoid processing errors. The other one was a temporary email address that I created for a project. This indicates that their process of collecting email addresses isn't really a good one.

This mailing was sent 3 times in a row with an interval of approximately a day. Two days later I got a new mailing from FashionShopping.com. When browsing through the global logs at MX Lab, I see similar behaviour towards other domains. This is quite annoying behaviour if you ask me.

Intrigued by this case I examined the HTML source and the unsubscribe link. I decided to take action and see what would happen. The unsubscribe request is followed by a confirmation. So far so good.

To take it even a level higher, I submitted the campaign as an abuse case to the company Emailvision, which performs the mailing service for FashionShopping.com. They seem a genuine company to me based on the high quality web site they have.

The mailing was sent too often and, according to Belgian law, this company has no opt-in confirmation from me to use the email addresses they target. Not that Belgian law will be respected by foreign marketing campaigns, but okay.

Case closed I thought, I got an unsubscribe confirmation on my screen and stated my complaint.

Until yesterday, when I received a new mailing from FashionShopping.com. And today another one. I'm not the only one receiving the same thing over and over again: clients at MX Lab receive the same mailing again as well.

What is different? Their sending email address is now invitation@fashionshopping.onlineresponse.net. The domain onlineresponse.net has no web site, so this is a dummy domain they use to avoid filters based on the sender's details. Why else would you change your sending address? If you send out mailings you make sure that you keep one sending address, so that recipients can whitelist it to avoid interception by their spam filters. No?

You see this kind of trick a lot from so-called "email marketing" companies that keep sending the same mailing each time from a different domain. By doing this they can keep on mailing you, because your unsubscribe request was for a different campaign/domain. The unsubscribe in this case is still handled by the same company, so we give it the benefit of the doubt.

The Emailvision web site states "Emailvision only supports permission-based marketing practices. Since our inception in 1999 and before any anti-spam legislation had been introduced, Emailvision has always had a zero spam tolerance policy." and furthermore "If you believe you may have received an unsolicited commercial email from Emailvision on behalf of any of our clients, please click here to fill out the form including full details of the "from address" or sender of the email. Emailvision thoroughly investigates any complaint. If the email address of the complainant is known, it will be immediately unsubscribed from the relevant client mailing list."

Okay, I have made my conclusions.

Very good PayPal phishing email

A certain phishing email from 'PayPal' caught our attention. When investigating it we found that this is a very professional one. The email confirms a payment you supposedly made to a company, in this case Plimus, for an amount of $55,89 USD. The email provides a link to dispute the transaction, and this is where the phishing starts: the recipient clicks not out of greed but to undo a charge he never made.

Following the link to report a dispute results in being directed to http://**-***-**-***.fld-bsr1.chi-fld.il.******.cable.rcn.com:90/www.paypal.com/cgi-bin/ and it brings you to the “PayPal login screen”.

Typical of phishing sites: whatever you type as login or password, you are always taken to the next web form. The site does not verify credentials, it only collects them.

These guys have even included the animated 'Logging in' screen that you see when logging in to the real PayPal web site. After this screen you get a full web form that tries to harvest your complete details.
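The dispute link above gives the game away before any page is rendered: the real host is a residential cable-modem address on port 90, and "www.paypal.com" only appears in the URL path. The following is an added example, written for this post and not code from MX Lab or PayPal, that pulls those signals out of a URL. The sample URLs are constructed to mirror the masked one above, the brand watch-list is an assumption, and the "registrable domain" helper is a deliberate simplification (it takes the last two labels, which is wrong for suffixes such as co.uk; real code should consult the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

BRANDS = ("paypal", "ebay", "google")                   # assumed watch-list of impersonated brands
DYNAMIC_WORDS = re.compile(r"\b(cable|dsl|dyn|dhcp|pool|dial)\b", re.I)
DASHED_IP = re.compile(r"(\d{1,3}-){3}\d{1,3}")         # e.g. 10-0-0-1 as the first host label

# Constructed sample URLs (the real one in the post is partly masked).
PHISH_URL = "http://10-0-0-1.fld-bsr1.example.cable.net:90/www.paypal.com/cgi-bin/"
REAL_URL = "https://www.paypal.com/cgi-bin/webscr"


def registrable_domain(host: str) -> str:
    """Simplification: last two labels. Use the Public Suffix List in production."""
    return ".".join(host.lower().split(".")[-2:])


def triage_url(url: str) -> list[str]:
    """Return human-readable reasons why a login URL looks like a phishing site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    reasons = []

    for brand in BRANDS:
        # Brand name in the path ("/www.paypal.com/...") but not in the site's own domain.
        if brand in parts.path.lower() and brand not in domain:
            reasons.append(f"'{brand}' appears in the path but the site is {domain}")
        # Brand name as a subdomain ("www.paypal.com.evil.example") but not the real domain.
        if brand in host and brand not in domain:
            reasons.append(f"'{brand}' appears in the hostname but the domain is {domain}")

    if parts.port not in (None, 80, 443):
        reasons.append(f"non-standard port {parts.port}")

    first_label = host.split(".")[0]
    if DASHED_IP.fullmatch(first_label) or DYNAMIC_WORDS.search(host.replace(".", " ")):
        reasons.append("hostname looks like a residential or dynamic address")

    if parts.scheme != "https":
        reasons.append("login page served without TLS")
    return reasons


if __name__ == "__main__":
    for u in (PHISH_URL, REAL_URL, "https://www.paypal.com.evil.example/login"):
        print(u)
        for r in triage_url(u) or ["no findings"]:
            print("  -", r)
```

None of these signals alone is proof, but a site that trips three or four of them while showing a bank or PayPal login form should be treated as the real thing's opposite. The check on L105, that any username and password are accepted, is the confirmation step an analyst can run by hand.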
