Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Spam
Showing posts in English
Vikram Thakur | 21 Aug 2007 07:00:00 GMT | 0 comments

We recently analyzed a sample of Infostealer.Monstres, and our colleague Amado posted an interesting entrywith some details of its actions. As the analysis of this threatcontinued, new details emerged. We've been able to acquire some emailtemplates that the Trojan may use to send targeted spam to individuals,using stolen personal information.

The templates acquired all point to the same position. The job isthat of a 'Transfer Manager' at an investment company. The jobdescription states that the position would entail facilitatingfinancial transactions made by the clients of the investment company.The email looks very realistic and may convince many that it has beensent from or

Here are some of the email...

David McKinney | 14 Aug 2007 07:00:00 GMT | 0 comments

This month Microsoft has released nine security bulletins. All ofthese vulnerabilities could let an attacker execute arbitrary code onan affected computer. All of the issues are also classified as“client-side vulnerabilities”, meaning that they require someinteraction on the part of the user for exploitation to occur. Thiswill usually entail visiting a malicious Web page or opening amalicious file that is sent through email or other means.

Microsoft’s summary of the bulletins can be found here.

  1. MS07-042 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)

    This bulletin consists of a code execution vulnerability(CVE-2007-2223/BID 25301) affecting Microsoft XML Core Services.Attackers could exploit this issue through a malicious Web page.

    Affects: Microsoft XML Core Services 3.0/4.0/6.0 on...

Kelly Conley | 07 Aug 2007 07:00:00 GMT | 0 comments

The August State of Spam Reporthighlights the continuing decline of image spam, which reached a low inJuly from its peak in January. In addition, we observed the emergenceof a new focus - greeting card spam, PDF and other file attachmentsspam, and the rise in URLs with Chinese top-level domains (TLDs)marketing spam. This month’s spotlight includes regional spam trends inEMEA.

Though still steadily declining, what we’ve come to think of as‘image spam’ has not gone away. The preferred delivery method of thisspam type is now PDF, which emerged in June of 2007 and was discussedin a previous post. Symantec is seeing PDF spam ranging between two toeight percent of all spam. July also saw the emergence of yet moretactics focused on spamming images. These tactics include the use ofXLS and ZIP files. At this time, the volume of these spam types is lowbut Symantec is closely...

Hon Lau | 06 Aug 2007 07:00:00 GMT | 0 comments

Ok, you can substitute whatever agency name you want, but the storyis nearly always the same. A little while ago I blogged about AdvancedTDS, another Mpack-type clone and mentioned how professional some ofthe malware creators are becoming.

At the other end of the spectrum, we still have a large number ofamateurs in the game. The attempts that some of them make in theirsocial engineering trickery is abysmal, to say the least. Take thisexample of a spam email:

Dear Mr./Mrs. D####### P#######

This email was sent to inform you that your complaint case#278250765 filled with the FTC was successfully registered and postedin our Business Sentinel, a business complaint database maintained bythe U. S. Federal Trade Commission. The complaint that you have filledis now accessible to certified government law enforcement andregulatory agencies in ICPEN-member countries. Government agencies mayuse this information to investigate suspect companies and individuals,...

Orlando Padilla | 17 Jul 2007 07:00:00 GMT | 0 comments

Earlier this year, I saw some screenshots of the Zunker bot and itscontrolling interface. I became curious about the existence of othersimilar interfaces and began paying a bit more attention to the spamcoming into my inbox on a personal account. After a few weeks ofwandering through IP blocks referenced by the spam, I ran across anopen directory containing a few screen shots of what looked likeanother interface actively spamming multiple products.

The following screen shot shows a statistics screen for a botnetthey are currently using. Similar to the Zunker interface, thisinterface also has the ability to group by country. It looks like thefeature is broken though, as you can only see one bot, which isoriginating from Poland. Given that, it is tempting to presume theowner is Polish; however, the interface's text is entirely in Englishand the screen shot was found on a Russian server. It could, however,mean that the person leasing this interface is controlling it from...

Kelly Conley | 09 Jul 2007 07:00:00 GMT | 0 comments

As image spam continues its decline, the July State of Spam Report highlights more new techniques for delivering spam images, including PDF spam. This is spam that contains no real text in the body of the message (although it may contain word salad), but that has a PDF attachment. When opened, the PDF file is an ad or some other spam message.

The PDF attachments result in messages that are very large in size. We have been monitoring this throughout the past month, but it has really heated up this past week. So far, we have observed over 25 million messages that were categorized as PDF spam.

We have seen a few different variants of this type of spam type thus far. The first one is the newsletter variant, in which a PDF attachment is made to resemble a legitimate newsletter. The second variant is one in which the PDF attachment resembles the more familiar images...

Kelly Conley | 05 Jul 2007 07:00:00 GMT | 0 comments

Who sends greeting cards for the Fourth of July? Apparently spammers. Beware of emails with Fourth of July subject lines such as:

Subject: Celebrate Your Independence
Subject: America the Beautiful
Subject: July 4th Fireworks Show
Subject: July 4th Family Day
Subject: 4th Of July Celebration
Subject: American Pride, On The 4th

Each message contains a link to the "greeting card". The link in these cases is an exposed IP address, which is a pretty good indicator that it isn’t a greeting card from an established and reputable Ecard service . When clicked, the link delivers a downloader that accesses the Internet and downloads a Trojan onto the computer.

We've been seeing a lot of generic Ecard spam over the past month and have noted it in previous blogs. What makes this one different is that...

Hon Lau | 01 Jul 2007 07:00:00 GMT | 0 comments

Security Response has received reports of a fake email purporting to have come from the US Department of Justice. The email informs the recipient of a complaint received by the IRS against the recipient’s business. The email looks reasonably well crafted and most people would tend to treat emails from the US Department of Justice with at least a bit of urgency.

The details of the email are as follows:

Complaint Case Number: 895285164 (Note the case number may vary)

US Department of Justice []

Email Body:
The email may contain the following text. Please note that the name of the plaintiff, the date and case number may vary. Despite the message that states an attachment is included with the email, there may or may not be any attachments.

Dear citizen ,

A complaint has been filled against your company in regards to the business...

Kelly Conley | 27 Jun 2007 07:00:00 GMT | 0 comments

Hey, you put your Trojan in my spam!

A Trojan in my spam? True. The most recent version of malicious code that we are seeing being delivered by spam is a Trojan in greeting card spam. Malicious code in spam has been around off and on for some time. We’ve even blogged about it in the past; here (from January 2007) and it appears that at least one more spammer thinks it is a novel tactic.

We’ve observed over 18 million of these spam messages in the past few days and have successfully blocked the ones we have seen. Each of the messages we’ve seen so far has a Hong Kong domain (.hk ) in the subject line. Messages containing this Trojan are easy to spot, carrying subject lines such as:

Subject: Mima sent you a .hk! Greeting
Subject: Martha sent you a! Greeting

The body of the message appears to be a greeting...

Ollie Whitehouse | 20 Jun 2007 07:00:00 GMT | 0 comments

In the words of the Ghost Busters, “We’ve got one…” We’ve got what?, I hear you ask. We now have an example of alleged SMS spam with some real statistics rather than the usual conjecture. We know SMS spam has been growing through the monitoring of such sites as Grumble Text [1] however we’ve never had true insight into the scale of a professional SMS spamming operation.

Well recently that changed - TelecomWeb broke the story [2] that,

“Verizon Wireless filed a lawsuit against Nev.-based I-VEST Global Corporation and various "John Does," alleging they sent unsolicited commercial electronic messages (wireless spam) to its customers.” and that “The lawsuit, filed in U.S. District Court in Trenton, N.J., alleges that, beginning in April, I-VEST attempted to send more than 12 million text messages to Verizon Wireless handsets, offering information about buying stocks or real estate. However, the carrier says spam filtering and network monitoring...