Spamming from malware authors
In the month of August we observed a huge spamming outbreak from malware authors. Could this be an early warning signal for a new deadly virus/Trojan attack? It appears that malware authors are trying to strengthen their botnet base by injecting and infecting as many machines as possible.
Cyber criminals are increasingly making use of different methods to spread their tentacles, and one of the most effective is to globally distribute huge spam campaigns carrying either a malicious attachment or a URL link in the spam email, which downloads some component of the malware code. This is usually in the form of either a rootkit or a Trojan.
The spam email containing the link for the malware download lures the recipient into willingly downloading software for testing so that they may receive a free license. Many users can easily get trapped by such emails (the lure is getting something for free, and when it's a free license for software, many users will proceed thinking they have found a great bargain).
The spam email could look like this:
From: [REMOVED]
To: [REMOVED]
Subject: Could you give us your opinion?
Date:

Would you consider helping us with your opinion of our new program Home Reno Planner

Your help will get us ready for our market release. For helping out, you will receive a free edition and five years of updates.

1: Download the software
2: Try it
3: Tell us what you think

Here is your chance. Follow the link to our secure download center:
http://X.X.X.X/setup.exe
Another observed example of this technique utilizes greeting card (eCard) spam emails, which often provide a link to download the video portion of the greeting card. The worst part of the links provided in these emails is that they start downloading the malicious files as soon as you open the URL in your web browser, without any acceptance pop-up (e.g. "Do you wish to continue the download?" or a prompt for the download location).
The spam email could look like this:
From: [REMOVED]
To: [REMOVED]
Subject: (awesome new video | dude, check out this video, is not out yet | your gonna love this | OMG, check out the new video lol)
Date:

Mr. X

See it here before it releases. Go to my server to get the video:
http://xx.xx.xx.xx/
When I first looked at these unsolicited emails, I had one question in my mind: why is the spammer giving the IP address rather than the DNS name? Is it to make the link look more authentic, or are there other reasons?
Simple logic says that when an antispam company blocks IPs such as these, the chances of effectively blocking future instances of the spam message, or of protecting users through website reputation, decrease. This is because in many cases they are the actual IPs of infected end-user machines, dynamically assigned by their ISPs. The spammers rotate through the IP addresses in their network of compromised end-user machines, and those IPs are additionally rotated through the ISP's pool of end users, providing a second layer of obfuscation. Website reputation systems that rely only on block lists of URLs/IP addresses will have limited effectiveness against zero-day outbreaks of these incidents because of this multi-layered obfuscation.
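To make the block-list point concrete, here is a small added example (not from the original post) of a message-triage heuristic that scores URLs on properties the lures above share, a bare IP literal as the host and a path ending in an executable name, independently of whether the IP happens to be on a block list yet. The sample messages, the IPs (taken from the RFC 5737 documentation ranges), and the deliberately stale block list are all constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample messages, modelled on the two lures quoted in the post.
# 192.0.2.x and 198.51.100.x are RFC 5737 documentation ranges, not real hosts.
SAMPLE_MESSAGES = {
    "license_lure": (
        "Subject: Could you give us your opinion?\n\n"
        "Follow the link to our secure download center:\n"
        "http://192.0.2.10/setup.exe\n"
    ),
    "ecard_lure": (
        "Subject: awesome new video\n\n"
        "See it here before it releases. Go to my server to get the video:\n"
        "http://198.51.100.77/\n"
    ),
    "benign_newsletter": (
        "Subject: Weekly digest\n\n"
        "Read this week's articles at https://www.example.com/digest/2007-08\n"
    ),
}

# Constructed, deliberately stale block list: the eCard sender's IP is
# missing, standing in for a rotated bot the list has not caught up with.
STALE_BLOCKLIST = {"192.0.2.10"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".msi")


def extract_urls(text):
    """Pull http/https URLs out of a message body."""
    return URL_RE.findall(text)


def host_is_ip_literal(host):
    """True when the host part is a numeric IPv4/IPv6 address, not a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def assess_url(url, blocklist=STALE_BLOCKLIST):
    """Return (score, reasons) for one URL; a score of 2 or more is suspicious."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    score, reasons = 0, []
    if host_is_ip_literal(host):
        # The post's key observation: the lure points at a bare IP, not a DNS name.
        score += 2
        reasons.append("host is a bare IP literal")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        # Direct link to an executable, as in the setup.exe lure.
        score += 2
        reasons.append("path ends in an executable extension")
    if host in blocklist:
        # Reputation hit; only fires once the list has learned the IP.
        score += 3
        reasons.append("host on block list")
    return score, reasons


def assess_message(text, threshold=2):
    """Return (url, score, reasons) for every URL scoring at or above threshold."""
    findings = []
    for url in extract_urls(text):
        score, reasons = assess_url(url)
        if score >= threshold:
            findings.append((url, score, reasons))
    return findings


def triage(messages=SAMPLE_MESSAGES):
    """Run the heuristic over a dict of named message bodies."""
    return {name: assess_message(body) for name, body in messages.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, findings)
```

The eCard lure is flagged on the bare-IP heuristic alone: its sender has rotated off the block list, which is exactly the gap the paragraph above describes, while the license lure scores on all three signals and the newsletter with an ordinary hostname scores nothing.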
The bottom line for end users is to avoid any kind of download unless you are sure of what you want to download and, if it was sent by someone you know, to confirm that they actually sent you the URL or file.