Security Response
Showing posts tagged with Spam
Nicolas Falliere | 14 Sep 2007 07:00:00 GMT | 0 comments

Peacomm samples (the so-called Storm worm) started sending unusual spam yesterday. For once, the mail did not contain a hard-coded IP address linking to fake videos, pseudo Tor clients or NFL "tracker programs". The spam advertises a website,

Subject: Cold Hard Cash!

Seeking highly motivated individuals interested in a unique opportunity in financial services.

Building an exciting career where you determine your own hours and compensations.

Hmm. Already this looks very suspicious, but let's check that link anyway. The site hosts phpBB, a popular open-source PHP-based bulletin board, and opens directly to the following...

Kelly Conley | 05 Sep 2007 07:00:00 GMT | 0 comments

The September State of Spam Report is out and includes several interesting highlights and trends seen in August. Some highlights in this report include an update on the state of PDF spam, different variations that have been observed in e-card spam tactics, including fake YouTube sites, as well as insight into some new and novel tactics that were observed by Symantec during August.

Where did PDF spam go? Highlighted in a previous post as an emerging trend, PDF and other attachment spam reached a high in early August but closed out the month with record lows. First seen in June of 2007 with PDF files, attachment spam grew to encompass PDF, XLS and RAR files. By early August, this spam type was seen in 20 percent of all...

Vikram Thakur | 21 Aug 2007 07:00:00 GMT | 0 comments

We recently analyzed a sample of Infostealer.Monstres, and our colleague Amado posted an interesting entry with some details of its actions. As the analysis of this threat continued, new details emerged. We've been able to acquire some email templates that the Trojan may use to send targeted spam to individuals, using stolen personal information.

The templates acquired all point to the same position. The job is that of a 'Transfer Manager' at an investment company. The job description states that the position would entail facilitating financial transactions made by the clients of the investment company. The email looks very realistic and may convince many that it has been sent from or

Here are some of the email...

David McKinney | 14 Aug 2007 07:00:00 GMT | 0 comments

This month Microsoft has released nine security bulletins. All of these vulnerabilities could let an attacker execute arbitrary code on an affected computer. All of the issues are also classified as "client-side vulnerabilities", meaning that they require some interaction on the part of the user for exploitation to occur. This will usually entail visiting a malicious Web page or opening a malicious file that is sent through email or other means.

Microsoft’s summary of the bulletins can be found here.

  1. MS07-042 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)

    This bulletin consists of a code execution vulnerability (CVE-2007-2223/BID 25301) affecting Microsoft XML Core Services. Attackers could exploit this issue through a malicious Web page.

    Affects: Microsoft XML Core Services 3.0/4.0/6.0 on...

Kelly Conley | 07 Aug 2007 07:00:00 GMT | 0 comments

The August State of Spam Report highlights the continuing decline of image spam, which reached a low in July from its peak in January. In addition, we observed the emergence of new focuses: greeting card spam, PDF and other file attachment spam, and a rise in marketing spam whose URLs use Chinese top-level domains (TLDs). This month's spotlight includes regional spam trends in EMEA.

Though still steadily declining, what we've come to think of as 'image spam' has not gone away. The preferred delivery method for this spam type is now PDF, which emerged in June of 2007 and was discussed in a previous post. Symantec is seeing PDF spam ranging between two and eight percent of all spam. July also saw the emergence of yet more tactics focused on spamming images. These tactics include the use of XLS and ZIP files. At this time, the volume of these spam types is low but Symantec is closely...

Hon Lau | 06 Aug 2007 07:00:00 GMT | 0 comments

Ok, you can substitute whatever agency name you want, but the story is nearly always the same. A little while ago I blogged about AdvancedTDS, another Mpack-type clone, and mentioned how professional some of the malware creators are becoming.

At the other end of the spectrum, we still have a large number of amateurs in the game. The attempts that some of them make at social engineering trickery are abysmal, to say the least. Take this example of a spam email:

Dear Mr./Mrs. D####### P#######

This email was sent to inform you that your complaint case #278250765 filled with the FTC was successfully registered and posted in our Business Sentinel, a business complaint database maintained by the U. S. Federal Trade Commission. The complaint that you have filled is now accessible to certified government law enforcement and regulatory agencies in ICPEN-member countries. Government agencies may use this information to investigate suspect companies and individuals,...

Orlando Padilla | 17 Jul 2007 07:00:00 GMT | 0 comments

Earlier this year, I saw some screenshots of the Zunker bot and its controlling interface. I became curious about the existence of other similar interfaces and began paying a bit more attention to the spam coming into my inbox on a personal account. After a few weeks of wandering through IP blocks referenced by the spam, I ran across an open directory containing a few screen shots of what looked like another interface actively spamming multiple products.

The following screen shot shows a statistics screen for a botnet they are currently using. Similar to the Zunker interface, this interface also has the ability to group by country. It looks like the feature is broken though, as you can only see one bot, which is originating from Poland. Given that, it is tempting to presume the owner is Polish; however, the interface's text is entirely in English and the screen shot was found on a Russian server. It could, however, mean that the person leasing this interface is controlling it from...

Kelly Conley | 09 Jul 2007 07:00:00 GMT | 0 comments

As image spam continues its decline, the July State of Spam Report highlights more new techniques for delivering spam images, including PDF spam. This is spam that contains no real text in the body of the message (although it may contain word salad), but that has a PDF attachment. When opened, the PDF file is an ad or some other spam message.

The PDF attachments result in messages that are very large in size. We have been monitoring this throughout the past month, but it has really heated up this past week. So far, we have observed over 25 million messages that were categorized as PDF spam.

We have seen a few different variants of this type of spam thus far. The first one is the newsletter variant, in which a PDF attachment is made to resemble a legitimate newsletter. The second variant is one in which the PDF attachment resembles the more familiar images...
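The messages described in the PDF spam post above (and the XLS, RAR and ZIP variants the August and September reports mention) share one structural shape: a PDF or archive attachment carrying the pitch, and a body that is empty or filled with word salad. That shape can be picked out from the MIME structure. The following is an added example, not Symantec's code and not a filter the post describes: it parses a raw message, identifies attachments by their leading bytes rather than by filename or declared Content-Type (the sender controls both), and treats the body as real text only when it has enough words and a reasonable share of them are common English function words, so that random-dictionary word salad does not count. The thresholds, the function-word list and the sample messages are assumptions constructed for this example.

```python
"""Flag attachment spam: a PDF/XLS/RAR/ZIP attachment with no real body text.

Added example, not Symantec's code. Thresholds and sample messages are
assumptions constructed for illustration.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Leading bytes of the attachment types the State of Spam reports mention.
# Sniffed from content: the spammer controls the filename and Content-Type.
MAGIC = {
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "xls",   # OLE2 compound file (legacy Excel/Word)
    b"Rar!": "rar",
    b"PK\x03\x04": "zip",
}

# Assumptions: a real letter has at least MIN_WORDS words, and at least this
# share of them are common function words. Word salad drawn from a dictionary
# scores near zero on the second measure.
MIN_WORDS = 30
MIN_FUNCTION_WORD_RATIO = 0.10
FUNCTION_WORDS = {
    "the", "a", "an", "and", "or", "of", "to", "in", "is", "it", "you",
    "that", "for", "on", "with", "this", "your", "we", "are", "be",
}


def sniff_type(data):
    """Return 'pdf', 'xls', 'rar', 'zip' or None based on the first bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def looks_like_real_text(text):
    """Heuristic: enough words, and enough of them are function words."""
    words = re.findall(r"[a-z']+", text.lower())
    if len(words) < MIN_WORDS:
        return False
    ratio = sum(w in FUNCTION_WORDS for w in words) / len(words)
    return ratio >= MIN_FUNCTION_WORD_RATIO


def attachment_types(msg):
    """Sniffed types of every attachment part, mislabeled ones included."""
    kinds = []
    for part in msg.iter_attachments():
        kind = sniff_type(part.get_payload(decode=True) or b"")
        if kind:
            kinds.append(kind)
    return kinds


def is_attachment_spam(raw):
    """raw: the full message as bytes. Returns (verdict, reason)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    kinds = attachment_types(msg)
    if not kinds:
        return False, "no PDF/XLS/RAR/ZIP attachment"
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if looks_like_real_text(text):
        return False, "attachment accompanied by real body text"
    return True, "%s attachment with no real body text" % "/".join(kinds)


def build(body, attachment=None, filename="file.bin"):
    """Construct a sample message (for the example only) as bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Re: Your order"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples. FAKE_PDF only starts like a PDF; it is not a valid file.
FAKE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 26

WORD_SALAD = (
    "granite zenith parley corpuscle marble velvet ostrich tungsten quartz "
    "meadow lantern cobalt saffron pebble ember harbour falcon walnut tundra "
    "cinder orchid basalt tremor gauntlet spindle marrow lattice cumin ferret "
    "gable hazel icicle jasper kestrel linen maple"
)
REAL_LETTER = (
    "Hi Tom, attached is the PDF of the quarterly report that you asked for "
    "on Monday. Let me know if the numbers in the second table look right to "
    "you, and we can go over it on the call tomorrow."
)

# Salad body + PDF attachment disguised as an image: the PDF spam pattern.
SALAD_PDF = build(WORD_SALAD, FAKE_PDF, filename="photo.gif")
# Empty body + ZIP attachment: the image-in-archive variant.
EMPTY_ZIP = build("", FAKE_ZIP, filename="pictures.zip")
# A genuine message that happens to carry a PDF.
LETTER_PDF = build(REAL_LETTER, FAKE_PDF, filename="q2-report.pdf")
# No attachment at all: out of scope for this detector.
NO_ATTACHMENT = build(WORD_SALAD)

if __name__ == "__main__":
    for name, raw in [("SALAD_PDF", SALAD_PDF), ("EMPTY_ZIP", EMPTY_ZIP),
                      ("LETTER_PDF", LETTER_PDF), ("NO_ATTACHMENT", NO_ATTACHMENT)]:
        print(name, is_attachment_spam(raw))
```

The function-word ratio is deliberately crude; its job is only to separate a dictionary-drawn salad from a sentence someone wrote, not to score spam in general. Sniffing the attachment by content matters because the samples in the reports were delivered under whatever name and type the sender chose, and a `.gif` name on a `%PDF` payload is itself a useful signal.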

Kelly Conley | 05 Jul 2007 07:00:00 GMT | 0 comments

Who sends greeting cards for the Fourth of July? Apparently spammers. Beware of emails with Fourth of July subject lines such as:

Subject: Celebrate Your Independence
Subject: America the Beautiful
Subject: July 4th Fireworks Show
Subject: July 4th Family Day
Subject: 4th Of July Celebration
Subject: American Pride, On The 4th

Each message contains a link to the "greeting card". The link in these cases is an exposed IP address, which is a pretty good indicator that it isn't a greeting card from an established and reputable Ecard service. When clicked, the link delivers a downloader that accesses the Internet and downloads a Trojan onto the computer.

We've been seeing a lot of generic Ecard spam over the past month and have noted it in previous blogs. What makes this one different is that...
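The indicator in the Fourth of July post above, a link whose host is a bare IP address rather than a domain name, is easy to check mechanically. The following is an added example, not code from Symantec or from the original post: it pulls the URLs out of a message body, flags those whose host is an IPv4 or IPv6 literal, and also matches the subject against the six subject lines listed in that post, used here as a watchlist (an assumption; the post lists them as things to beware of, not as a filter that was run). The sample messages, the jobs.example.org URL and the 203.0.113.45 address (an RFC 5737 documentation address) are constructed for the example. Note that the Storm spam in the 14 Sep post above advertised a domain-hosted phpBB site rather than an IP address, so a message shaped like that passes this check unflagged: the IP-literal heuristic is one signal among several, not a verdict.

```python
"""Flag messages whose links point at a bare IP address instead of a hostname.

Added example, not Symantec's code. The messages and the 203.0.113.45
address (an RFC 5737 documentation address) are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Subject lines from the post, used as a watchlist (an assumption: the post
# lists them as things to beware of, not as a filter Symantec ran).
SUSPECT_SUBJECTS = {
    "Celebrate Your Independence",
    "America the Beautiful",
    "July 4th Fireworks Show",
    "July 4th Family Day",
    "4th Of July Celebration",
    "American Pride, On The 4th",
}

URL_RE = re.compile(r"""\bhttps?://[^\s<>"']+""", re.IGNORECASE)


def extract_urls(body):
    """URLs in a plain-text body, with trailing sentence punctuation trimmed."""
    return [u.rstrip(".,;:)!") for u in URL_RE.findall(body)]


def host_is_ip_literal(url):
    """True when the URL's host is a numeric IPv4 or IPv6 literal.

    urlsplit().hostname strips the port and the brackets around an IPv6
    address, so the remaining string can be handed straight to ipaddress.
    Obfuscated forms such as 0x7f.1 or a single 32-bit decimal are not
    recognised here; a production filter would normalise those first.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:      # e.g. unbalanced brackets in an IPv6 literal
        return False
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def classify_message(subject, body):
    """Reasons this message matches the e-card spam pattern; [] if none fire."""
    reasons = []
    if subject.strip() in SUSPECT_SUBJECTS:
        reasons.append("subject on watchlist")
    for url in extract_urls(body):
        if host_is_ip_literal(url):
            reasons.append("link host is a bare IP: " + url)
    return reasons


# Constructed samples (subject, body).
ECARD_SPAM = ("July 4th Fireworks Show",
              "You have received a greeting card.\n"
              "Click here to view it: http://203.0.113.45/ecard.exe\n")
LEGIT_CARD = ("A card from your aunt",
              "View your card at https://www.example.com/cards/view?id=12345 .\n")
# The Storm spam of 14 Sep 2007 pointed at a domain-hosted site; a message
# shaped like that passes this check, which is why it is only one signal.
# The hostname here is an assumption, not the site from that post.
DOMAIN_LURE = ("Cold Hard Cash!",
               "Seeking highly motivated individuals: http://jobs.example.org/\n")

if __name__ == "__main__":
    for subject, body in (ECARD_SPAM, LEGIT_CARD, DOMAIN_LURE):
        print(repr(subject), classify_message(subject, body))
```

A filter built on this would combine the IP-literal hit with the other observations in these posts (a link that serves an executable, a generic "you have received a card" body, and the volume pattern around a holiday) rather than blocking on the address form alone, since legitimate mail occasionally carries IP-literal links too.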

Hon Lau | 01 Jul 2007 07:00:00 GMT | 0 comments

Security Response has received reports of a fake email purporting to have come from the US Department of Justice. The email informs the recipient of a complaint received by the IRS against the recipient’s business. The email looks reasonably well crafted and most people would tend to treat emails from the US Department of Justice with at least a bit of urgency.

The details of the email are as follows:

Complaint Case Number: 895285164 (Note the case number may vary)

US Department of Justice []

Email Body:
The email may contain the following text. Please note that the name of the plaintiff, the date and case number may vary. Despite the message that states an attachment is included with the email, there may or may not be any attachments.

Dear citizen ,

A complaint has been filled against your company in regards to the business...