Posted on behalf of Dan Bleaken, Malware Data Analyst and Nick Johnston, Senior Software Engineer, Symantec Hosted Services
This week MessageLabs Intelligence noticed some eye-catching artwork from spammers.
‘ASCII art’ is the use of the ASCII character set (just under 100 characters available on standard keyboards) to produce a picture.
Over the years ASCII art has been used sporadically in spam. Spammers use it as a way to obfuscate words, presenting messages written in ASCII art rather than simple text. This often frustrates attempts by some of the more basic anti-spam technology to recognise certain phrases. The same thinking is behind the use of images containing text.
This Wikipedia page (http://en.wikipedia.org/wiki/Ascii_art) has a detailed history of ASCII art. Previously, the ASCII art that we have seen in spam has been basic black and white ASCII art, referred to on the Wikipedia page above as “OldSkool” (as shown above) or “NewSkool” (a bit more complicated, but still just black characters). These images aren’t painstakingly composed by hand; there are lots of tools available to produce ASCII art, including this one: http://www.network-science.de/ascii/
These spammers (screenshot below) have taken something of a leap forward with their ASCII art, compared to the ASCII normally seen in spam. They have used some software to perform an image to text conversion (http://en.wikipedia.org/wiki/Ascii_art#Image_to_text_conversion), taking a picture of the blue pill and turning it into some HTML that renders the image in a browser or email, as colourful ASCII art.
If the recipient clicks on the link in the email, they are taken to a pharmaceutical website selling a large variety of sexual enhancement pills.
It can be seen in the image above that the ASCII art appears as a colourful blue pill comprised of the character ‘6’. Looking more closely we can see the source code which the email client uses to display it.
Just over one line is shown here (there are 23 lines in total), but it’s really very simple. Each ‘6’ is given a colour, and there are 50 ‘6’s in each line. The final image is actually a square of ‘6’s. Highlighting the image reveals this:
But many of the outer ‘6’s are coloured white. The inner ‘6’s are given a whole variety of different subtle shades to display:
Visiting this link displays the image and the HTML source code behind it (CTRL-U in most browsers, or View>Page Source): http://bit.ly/cS0idp
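A content filter can key on this structure instead of on words: hundreds of single characters, each wrapped in its own colour. The heuristic below is an added example, not MessageLabs code; it assumes each character is coloured through a `<font color>` attribute or an inline `style` colour, and the thresholds and the sample message are constructed for illustration.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Matches a CSS "color:" declaration but not "background-color:".
COLOUR_RE = re.compile(r"(?<![-\w])color\s*:\s*([^;\"']+)", re.I)

class ColouredGlyphCounter(HTMLParser):
    """Counts characters that sit alone inside an element that sets their colour."""
    def __init__(self):
        super().__init__()
        self.stack = []           # (tag, colour or None) for each open element
        self.glyphs = Counter()   # individually coloured single characters
        self.colours = set()
        self.visible = 0          # all non-whitespace characters in text nodes

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        m = COLOUR_RE.search(a.get("style") or "")
        colour = a.get("color") or (m.group(1) if m else None)
        self.stack.append((tag, colour.strip().lower() if colour else None))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):   # tolerate unclosed tags such as <br>
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = "".join(data.split())
        self.visible += len(text)
        if len(text) == 1 and self.stack and self.stack[-1][1]:
            self.glyphs[text] += 1
            self.colours.add(self.stack[-1][1])

def ascii_art_stats(html):
    p = ColouredGlyphCounter()
    p.feed(html)
    p.close()
    n = sum(p.glyphs.values())
    top = p.glyphs.most_common(1)[0] if n else (None, 0)
    return {"glyphs": n, "share": n / p.visible if p.visible else 0.0,
            "colours": len(p.colours), "top_glyph": top[0]}

def looks_like_coloured_ascii_art(html, min_glyphs=200, min_share=0.8, min_colours=8):
    """Thresholds are illustrative assumptions, not values from MessageLabs."""
    s = ascii_art_stats(html)
    return s["glyphs"] >= min_glyphs and s["share"] >= min_share and s["colours"] >= min_colours

def constructed_sample(rows=23, cols=50):
    """Constructed 23x50 grid of '6': white outside an ellipse, blue shades inside."""
    out = []
    for r in range(rows):
        for c in range(cols):
            d = ((r - rows / 2) / (rows / 2)) ** 2 + ((c - cols / 2) / (cols / 2)) ** 2
            colour = "#ffffff" if d > 1 else "#%02x%02xff" % (int(d * 200), int(d * 220))
            out.append('<font color="%s">6</font>' % colour)
        out.append("<br>")
    return "<tt>%s</tt><a href='http://example.invalid/'>Order</a>" % "".join(out)
```

Ordinary HTML mail that colours whole words or paragraphs produces no individually coloured glyphs, so it falls well below the thresholds.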
While MessageLabs Intelligence hasn’t seen a great number of these, and cannot yet be certain if one of the major botnets is behind it, this may well be a technique that will appear more in the coming months. In March, MessageLabs Intelligence found that 82% of all spam was related to pharma/pills, and it seems that the variety of different styles continues to grow all the time.