The Return of MP3 Spam
Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services
MP3 Spam Returns to Attract Recipients to Canadian Pharmacy Website
I remember the excitement in the MessageLabs anti-spam team when the first spam with an MP3 file was intercepted, back on 18 October 2007. At that time we were watching particularly carefully for the appearance of new file types in spam. Image spam had been huge over the summer of 2007, especially images containing randomised pixels (an attempt to bypass traditional signature-based detection). Later in the same year, PDF files were also being used, as well as some other file types that hadn’t been seen in spam before. At that time it seemed as though spammers were keen to explore the use of new attachment types; anything to keep their spam runs varied and shifting.
Today of course, we still see various file formats being used in spam messages, but not nearly as much as in 2007 and 2008. The favored approach now is to include a hyperlink that leads to spammers' websites. Images are still seen frequently in spam, but they too are shifting from being physically attached to the mail, to being hosted on some website and presented in the content of HTML spam emails.
Back in 2007 it was particularly interesting to discover MP3s in spam messages, as it was the first time audio had been used to relay the spammers' message; it appeared in stock spam emails (an attempt to ‘pump and dump’ – something we have also recently seen the return of – see http://tinyurl.com/ybmaux8). These stock spammers used voice-synthesised MP3 files containing the (rather distorted and poor quality sounding) message:
“Hello. This is an investor alert… We are expecting amazing results in the USA. Go read the news and get on E X T O.....” (to listen to this MP3, please find a copy of the loveyou.mp3 attachment below).
Following this burst of MP3 attachment spam, expectations were that we would see a lot more, but in fact we saw very little. Until yesterday, more than 2 years later, when MP3 spam returned.
This time it wasn’t stock spam, it was related to “CHEAP VIAGRA”. Again, these spammers used voice-synthesised MP3 files, about 5 seconds long, containing the message:
"W W W dot 7 7 5 5 7 dot NET" (to listen to this MP3, please find a copy of the gadded.mp3 attachment below).
The MP3 filenames are seemingly changed for each message, including filenames like: disliker.mp3, millionary.mp3, bowes.mp3, roadsters.mp3, prewar.mp3, varna.mp3, displaces.mp3, realignments.mp3, shims.mp3, tonicity.mp3 ...
The properties of the files reveal that the title of each MP3 recording is the same, "WWW.77557.NET - CHEAP VIAGRA". In the background, the spammers have added a recording of what seems to be the sounds of a woman recreating "that scene" from the film, "When Harry Met Sally."
Something the spammers did not do back in 2007 was add extra information in the Lyrics3 tag (see www.id3.org/Lyrics3v2), normally used for storing metadata such as artist, album, track name and lyrics. Here they seem to have inserted random characters, we believe in an attempt to give each MP3 file a different MD5 hash even though the sound recording doesn’t change. This may be an attempt to bypass traditional signature-based spam detection, which would otherwise match every copy of an identical attachment.
The MP3 spam from 2007, and the latest spam that began yesterday, are similar in a lot of ways, but unfortunately it isn’t possible to determine whether they were both sent by the same spam gang. The spammers put in a little joke too. The "Genre" of the MP3 recording is set to "Blues," presumably in a reference to the famous blue pill the spammers were touting.
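To show why the Lyrics3 padding defeats whole-file hashing, and how a filter can sidestep it, here is an added Python example; it is not part of the original post and not MessageLabs tooling. It builds two constructed MP3-like files that share the same payload and the same ID3v1 title and genre but carry different Lyrics3v2 filler, then shows that their whole-file MD5s differ while an MD5 over the payload alone (with the trailing Lyrics3v2 and ID3v1 tags stripped) is identical. The byte layout follows the public ID3v1 and Lyrics3v2 specifications (ID3v1 is the last 128 bytes and begins with `TAG`; Lyrics3v2 sits immediately before it and ends with a six-digit size plus `LYRICS200`). The audio payload is a constructed placeholder rather than real MP3 frames, and the filler strings are made up.

```python
import hashlib

ID3V1_SIZE = 128
ID3V1_GENRE_BLUES = 0  # in the ID3v1 genre table, index 0 is "Blues"

# Constructed placeholder standing in for the audio frames of the MP3;
# not real MP3 data, but enough to demonstrate the hashing behaviour.
FAKE_AUDIO = bytes.fromhex("fffb9044") + b"constructed audio payload " * 8


def parse_id3v1(tag: bytes):
    """Decode a 128-byte ID3v1 tag: 'TAG' followed by fixed-width text fields."""
    if len(tag) != ID3V1_SIZE or tag[:3] != b"TAG":
        return None

    def text(start, length):
        raw = tag[start:start + length].split(b"\x00", 1)[0]
        return raw.decode("latin-1").strip()

    return {
        "title": text(3, 30),
        "artist": text(33, 30),
        "album": text(63, 30),
        "year": text(93, 4),
        "comment": text(97, 30),
        "genre": tag[127],
    }


def parse_lyrics3v2_fields(body: bytes) -> dict:
    """Split a Lyrics3v2 body into fields: 3-char ID, 5-digit size, data."""
    fields = {}
    pos = 0
    while pos + 8 <= len(body):
        field_id = body[pos:pos + 3].decode("latin-1")
        size = int(body[pos + 3:pos + 8])
        fields[field_id] = body[pos + 8:pos + 8 + size]
        pos += 8 + size
    return fields


def split_mp3(data: bytes):
    """Return (payload, id3v1 dict or None, lyrics3v2 fields).

    Trailing tags sit in the order [payload][Lyrics3v2][ID3v1]. A Lyrics3v2
    tag ends with a 6-digit ASCII size and the literal 'LYRICS200'; the size
    counts bytes from 'LYRICSBEGIN' up to (not including) the size digits.
    """
    id3 = None
    lyrics = {}
    end = len(data)
    if end >= ID3V1_SIZE and data[end - ID3V1_SIZE:end - ID3V1_SIZE + 3] == b"TAG":
        id3 = parse_id3v1(data[end - ID3V1_SIZE:end])
        end -= ID3V1_SIZE
    if end >= 15 and data[end - 9:end] == b"LYRICS200":
        size = int(data[end - 15:end - 9])
        start = end - 15 - size
        if start >= 0 and data[start:start + 11] == b"LYRICSBEGIN":
            lyrics = parse_lyrics3v2_fields(data[start + 11:end - 15])
            end = start
    return data[:end], id3, lyrics


def audio_hash(data: bytes) -> str:
    """MD5 of the payload only, so tag padding cannot change the value."""
    payload, _, _ = split_mp3(data)
    return hashlib.md5(payload).hexdigest()


def build_id3v1(title: str, genre: int = ID3V1_GENRE_BLUES) -> bytes:
    """Build a minimal ID3v1 tag with the given title and genre index."""
    def fixed(value: str, width: int) -> bytes:
        return value.encode("latin-1")[:width].ljust(width, b"\x00")
    return (b"TAG" + fixed(title, 30) + fixed("", 30) + fixed("", 30)
            + fixed("", 4) + fixed("", 30) + bytes([genre]))


def build_lyrics3v2(fields: dict) -> bytes:
    """Build a Lyrics3v2 tag from {field_id: bytes}."""
    body = b"".join(fid.encode("latin-1") + b"%05d" % len(val) + val
                    for fid, val in fields.items())
    tag = b"LYRICSBEGIN" + body
    return tag + b"%06d" % len(tag) + b"LYRICS200"


def make_sample(filler: bytes) -> bytes:
    """Assemble a file like those described: same payload and title, varying Lyrics3 filler."""
    return (FAKE_AUDIO
            + build_lyrics3v2({"IND": b"00", "LYR": filler})
            + build_id3v1("WWW.77557.NET - CHEAP VIAGRA"))


def demo() -> dict:
    """Two samples differing only in Lyrics3 filler (filler strings are made up)."""
    first = make_sample(b"x7Qp9zL")
    second = make_sample(b"rT2mK0vW8d")
    _, id3, _ = split_mp3(first)
    return {
        "full_md5_differs": hashlib.md5(first).digest() != hashlib.md5(second).digest(),
        "audio_md5_same": audio_hash(first) == audio_hash(second),
        "title": id3["title"],
        "genre": id3["genre"],
    }


if __name__ == "__main__":
    print(demo())
```

Hashing the payload rather than the whole file means a signature taken from one intercepted copy still matches every other copy of the run, and the parsed title and genre give a second, metadata-based match. Real files may also begin with an ID3v2 block, which this example does not strip; a complete normaliser would skip that leading header as well.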
On visiting the website referenced in the MP3 audio, the recipient of the spam is taken to the well known Canadian Pharmacy website (but hosted on a new domain), which at the moment is Christmas-themed, of course:
This latest spam run began at 15.30 GMT on 16 December 2009 and ended at 10.00 GMT on 17 December 2009. During the period 00.00-10.00 GMT on 17 December, it accounted for 1.2% of all spam, which in terms of actual volumes, based on Symantec’s 2009 average daily spam volume of 107 billion, could be more than 500 million messages sent globally during that period. Perhaps today, this could be the most frequently "downloaded" MP3 track in the world... whether its recipients want it or not.
The spam originates from the "Cimbot" botnet – estimated to be between 10,000 and 20,000 bots in size. MessageLabs has tracked Cimbot since September 2008. Cimbot is heavily based in Europe, with 75% of its bots located there: 29% in Spain, 22% in Italy, 12% in France and 10% in Germany. Outside Europe most of the bots are in the Republic of Korea (8%) and Brazil (5%). Apart from a relatively small burst of spam between 8 and 9 June, Cimbot has been very quiet in 2009 and didn't feature in the MessageLabs Intelligence 2009 Annual Security Report (available at www.messagelabs.com/intelligence).
Cimbot began spamming again on 8 December 2009 at 17:41 GMT, with image attachment spam displaying some pills and the distorted text of a URL for the Canadian Pharmacy website. It continued sending this until 16 December 2009 at 13:41 GMT. After a 2 hour break it launched into sending this latest MP3 spam campaign.
Perhaps we’ll see a lot more from Cimbot in 2010...