Analyst's Diary
| Maria | April 27, 2009 | 07:50 GMT |
It may sound strange, but the volume of spam is pretty much a constant; sharp fluctuations are usually linked to a major event – the closure of McColo meant a very noticeable drop in the amount of spam circulating. But this month the opposite seems to be true. Here’s a little graph of our spam stats for 15th – 23rd April. The fluctuations are pretty striking. 
For the last two days, though, we’ve been receiving about the average amount of spam. We couldn’t come up with a logical explanation for the sharp increase – the obvious suspect, Kido (and Iksmas, which it downloads to infected machines) hadn’t shown any unusual burst of activity. But then we remembered that over here in Russia, we celebrated Easter on 19 April. Spammers are people and have lives too – the statistics indicate that they took time off and then started sending a lot of spam to make up for missed time. Cases like this are rare, but if anything changes, and the amount of spam starts fluctuating wildly, we’ll keep you posted as to why.
| Maria | April 21, 2009 | 15:57 GMT |
If you’ve ever looked at our monthly spam reports, you’ll know that Russian spammers put quite a lot of resources into advertising their services – and the amount of e-advertising spam has increased sharply over the past few months. With technology evolving so rapidly, you might think it’s only the most old-fashioned spammers who send their messages themselves. Far easier – and more effective – to hire a botnet to send messages. But the economic situation is affecting spammers just as it’s affecting everyone else; we’ve seen a few mass mailings recently like the ones shown below:

The email seems to be the high-tech equivalent of a playground game, telling the recipient “Tag, you’re it! ☺ / Tag 10 friends so you’re not it!” And it gives ICQ and phone contact numbers just in case you want to order a mass mailing. It’s one way of trying to save money – if you don’t read the message carefully, you’re going to send it on to your friends, who may send it to their friends, etc.

Another similar message is the ‘Cat of Happiness’ below, which you’re told to send to five of your friends to gain prosperity. Those who aren’t into playground games, and who simply delete the message above, might be more tempted to forward this cute fluffball – all without realizing that they’re spreading spammers’ contact information. In contrast to some spam messages, the contact details aren’t hidden in any way. And although the amount of spam that can be spread like this doesn’t compare with the amount that a botnet can send, these days every little helps.
New Twitter XSS-Worm going around
| Roel | April 17, 2009 | 22:14 GMT |
Today we've seen a new variant of Net-Worm.JS.Twettir going around on Twitter. Kaspersky products detect it as Net-Worm.JS.Twettir.h. This worm appeared right after an announcement that a security firm has hired the author of the original worm. Not wanting to stray too much from the intended topic of this blog post, I'll only say that we feel very strongly that this is an extremely bad move.

This new variant selects a message to tweet from a pool of choices. Some of them reference big Twitter names, others simply talk about "Mikeyy", the original author. One of the messages also asserts that this XSS vulnerability only affects Internet Explorer users. At the time of writing, we can confirm only that the latest version of Firefox (3.0.8) is indeed not vulnerable to this exploit.

What's interesting is that the XSS script is hosted on the same domain as the original worm. That would imply that Mikeyy has been at it yet again. Rather odd for someone who just landed a security job, isn't it? On the other hand, there are rumors floating about that “Mikeyy’s” machine, along with his passwords, has been compromised. So it might be someone else after all.

For all of you tweeters out there who love to click on profiles and URLs: your best bet is to use the latest version of Firefox with the NoScript plugin available at noscript.net. This should provide reasonable protection from the new XSS worms which Twitter may be facing at this point in time. We'll keep monitoring the situation and keep you posted.
| Maria | April 17, 2009 | 12:33 GMT |
You see all sorts of things from all around the world if you’re a spam analyst. Today I found a German-language message with a standard text (“This link was sent to you by [name]”) and a link which looks like it leads to Bild.de, a popular German tabloid site. If the user clicks on this link s/he ends up on a site which looks very much like Bild.de in terms of design and content.

The text of the linked ‘news’ article is quite attention-grabbing: it starts by talking about the financial crisis (again!) but then moves on to something a bit more original – porn makes money! That might not sound like anything new, but the twist here is that you’re not being told where to download or watch porn for free. The links in the fake article (shown above) lead to genuine articles about the economy on Bild.de, a standard porn site, and the site shown below.

This site offers users the opportunity to “Earn money from home in the lucrative area of erotica!” It’s “easy!...and FREE!” Just register a domain, set up a partner program on your page, and then advertise it! This site also includes rapturous testimonials from people who were in despair about their lack of cash, but decided to try this as a last resort…and then they just sat back and watched the money roll in. They’re even kind enough to provide instructions on what to do and how to kick-start your business.

With the current state of the economy, and spammers ready to offer detailed help and support, the only question left is: why not move into porn and earn millions?
Watching the Kido/Conficker P2P Network
| Georg | April 15, 2009 | 22:10 GMT |
While analysing Kido network behaviour we’ve been able to develop an application that has given us an in-depth insight into the peer-to-peer network communications of the malware, which have been used to distribute updates over the last week. Over a 24-hour observation period we identified 200 652 unique IPs participating in the network, far fewer than the initial estimates of Kido infection counts. This is mostly because only the latest variants of Kido participate in the peer-to-peer network, and only a fraction of the nodes infected with earlier variants have been updated to the new variants.

In terms of global distribution, we’re seeing the picture expected from initial infection counts. Brazil and Chile clearly stand out in terms of peer counts:

However, no region of the world seems to have been spared. The density of points in a country isn’t representative of the infection count because of the varying resolution of the IP-to-geolocation database being used:

A closer look at the USA reveals that the eastern part of the US has more peer-to-peer nodes running than the western part:

An interesting observation is that the well-connected core of the network can be identified quickly, thanks to the big peer cache maintained by each node. In the first twenty minutes we had already found 10.4% of the total peer population, and the discovery curve didn’t show the exponential growth that smaller peer caches would have produced:

It can therefore be assumed that once a node finds any other infected node that is already connected to the network, it can maintain stable connectivity, and network partitions are unlikely. However, finding this first node seems to be quite difficult for some hosts – we’ve seen several nodes which weren’t connected to any other node.
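As an added illustration (example code written for this page, not the application described above), here is a small Python simulation of crawling a peer-to-peer network in which every node keeps a peer cache. The topology, cache sizes and random seed are made up; the point is to show why a large per-node cache lets a crawler pull in the well-connected core within a few rounds, and why a node that never learns of a connected peer stays out of reach of the crawl altogether.

```python
"""Added example, not the crawler described in the post: a toy simulation of
crawling a peer-to-peer botnet in which every node keeps a peer cache.  It
shows two things the post reports: (1) with a large per-node cache a crawler
reaches the well-connected core within a few rounds, and (2) nodes whose
bootstrap failed (empty cache, referenced by nobody) are never reached.
Network size, cache sizes and the random seed are arbitrary choices."""
import random


def build_network(n_core, n_isolated, cache_size, seed=1):
    """Constructed topology: n_core well-connected nodes, each holding a
    random peer cache of cache_size other core nodes, plus n_isolated nodes
    that know nobody and that nobody knows (bootstrap failed)."""
    rng = random.Random(seed)
    core = list(range(n_core))
    caches = {}
    for node in core:
        others = [p for p in core if p != node]
        caches[node] = set(rng.sample(others, min(cache_size, len(others))))
    for node in range(n_core, n_core + n_isolated):
        caches[node] = set()
    return caches


def crawl(caches, seed_node, max_rounds=20):
    """Breadth-first crawl: in each round, ask every peer learned in the
    previous round for its cache.  Returns the cumulative number of unique
    peers known after each round, i.e. the discovery curve."""
    known = {seed_node}
    frontier = [seed_node]
    curve = []
    for _ in range(max_rounds):
        if not frontier:
            break
        next_frontier = []
        for peer in frontier:
            for candidate in caches.get(peer, ()):
                if candidate not in known:
                    known.add(candidate)
                    next_frontier.append(candidate)
        frontier = next_frontier
        curve.append(len(known))
    return curve


def rounds_to_reach(curve, target):
    """Number of rounds until the crawl knows at least `target` peers
    (None if it never gets there)."""
    for i, count in enumerate(curve, start=1):
        if count >= target:
            return i
    return None


def unreachable_nodes(caches):
    """Nodes with an empty cache that appear in no other node's cache: a
    crawler (or another infected host) has no way to find them."""
    referenced = set().union(*caches.values())
    return sorted(n for n, cache in caches.items()
                  if not cache and n not in referenced)


if __name__ == "__main__":
    big = build_network(n_core=2000, n_isolated=5, cache_size=50)
    small = build_network(n_core=2000, n_isolated=5, cache_size=5)
    print("big cache  :", crawl(big, 0))
    print("small cache:", crawl(small, 0))
    print("unreachable:", unreachable_nodes(big))
```

Running the script prints the discovery curve for a 50-entry cache against a 5-entry cache: the first brings a crawler to the bulk of the core in two or three rounds, the second needs several more, and the five bootstrap-less nodes show up in neither curve. Real nodes also churn, rate-limit and hand out only part of their cache per query, which this toy ignores.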
Twitter worms aren’t the only threat
| Roel | April 14, 2009 | 15:30 GMT |
Now these worms come as little surprise. Twitter has had a number of security issues recently. The worm is not particularly complex in the vulnerability it is exploiting. The original author? A bored 17-year-old who had nothing better to do over the Easter weekend. A story like this is clearly reminiscent of the malware landscape ten years ago – the malware is noisy and annoying rather than a serious threat, as no user credentials are currently being stolen.

Yesterday, while watching what was going on on Twitter, I noticed a lot of tweets about twitzap. Suspecting this was a worm, I did some digging and found that it wasn't. It turned out this was a separate service with a nice "promote us" button that made a Twitter user post a status update promoting the service. What do you have to do to activate it? Click on the button – and it sends a promotional update to your Twitter account! A quick search on the net revealed that this service only started receiving attention this Monday. Given the XSS worm, I think the promotion of this service could have been a whole lot better.

Also in response to the new XSS worms, some web services have been created to supposedly protect the user. But again, these services ask users to just click on a link – while asking their friends to do the same. So your Twitter account gets updated, but if the service happens to be malicious, you could be sending off your account details to who knows where!

It's actually this part of the social networks that scares me much more than an XSS worm. Web sites left and right that integrate with Twitter – and other networks – are asking users to use their services. Many people seem to be making use of them without too many questions, and without any proper means of verifying the integrity of these services. What does this mean? Users are basically being trained to give up their credentials just like that. XSS worms are not the real problem here, folks.

We're basically growing a new set of (extra) vulnerable users, who will be more vulnerable to attack simply because they’re not asking any questions.
| Aleks | April 10, 2009 | 15:56 GMT |
We just described what happens on Kido-controlled machines when the spambot Iksmas is installed and launched. However, Kido is also downloading a fake antivirus named SpywareProtect2009. Owners of infected computers can see the effects of SpywareProtect2009’s activity. This is what happens: the fake antivirus starts to show messages every couple of minutes about purported infections as it supposedly ‘detects’ viruses, network attacks, browser issues and so forth:


This fake AV is so annoying that there is a significant probability that innocent users will click on the offer to pay for disinfection – and thus will be defrauded of almost 50 USD. What is worse, their credit card details might also be harvested – with all sorts of nightmarish results. In addition to launching numerous messages about infections, SpywareProtect2009 attempts to install Trojan-Downloader.Win32.FraudLoad.ecl onto the system. This downloader is programmed to download new versions of SpywareProtect2009. Variant .ecl downloads these versions from alsterstor.com. We have notified the registrar responsible for this domain and the site was closed down within 20 minutes.
| Aleks | April 10, 2009 | 15:31 GMT |
As we wrote yesterday, the Kido botnet has installed another well-known worm – Iksmas, aka Waledac – on infected computers. Iksmas was downloaded from the server goodnewsdigital.com, a resource that researchers have known about for some time and which is currently one of the main sources used to distribute Iksmas. The variant that was downloaded by Kido was detected proactively by Kaspersky Anti-Virus as HEUR:Worm.Win32.Generic using heuristic technology. The new version of Kido (Worm.Win32.Kido.js) was also detected by the same heuristics and with the same verdict.

We decided to keep tabs on the botnet to see what the spambot worm Iksmas would do once it was installed on infected computers. Over a 12-hour period, Iksmas connected to its control centers around the globe a number of times and received commands to send out spam mailings. All the spam messages sent by the botnet last night were advertising pharmaceuticals. Here are a few sample messages:

Subject: A unique opportunity to live healthier life!
Hot News for You
http://ie.hipraputt.com/

Subject: Add power to your man's hammer
We supply porno studios since 1972. Try blue-pills and stay up with your girls!
http://bv.relaxkind.com/

Subject: Hot life - our help here.
Ensure your potence today! Solution to low-sized perks
http://bj.jilfawris.com/

Subject: Perfect solutions to have it hard as stone!
Your one and only online Chemist.
http://zer.jilfawris.com/

Subject: She will dream of you days and nights!
Love her everywhere.
http://lrmt.jilfawris.com/

In just 12 hours, one bot alone sent out 42 298 spam messages. As you will have noticed, the messages contain domain links. Virtually every email contained a unique domain. This was obviously done to prevent anti-spam filters from detecting the mass mailings using methods that analyze the frequency with which a specific domain is used. We detected the use of 40 542 third-level domains and 33 second-level domains.
They all belonged to spammers and the companies that ordered these mailings. Here are a couple of screenshots from the sites: 

Here is a full list of the second-level domains used in the mailings:
- aromatangy.com
- calmchic.com
- crisppride.com
- cykduhdao.com
- deblanf.com
- eslihos.net
- fabjust.com
- fadvyil.com
- fadvyil.net
- faynetr.com
- goodcure.at
- gooddoctoronline.at
- gooddoctorscare.at
- gooddoctorsite.at
- gooddoctorworld.at
- gooddruginfo.at
- gooddrugonline.at
- gooddrugsite.at
- gooddrugworld.at
- goodearthlawncare.at
- gotbake.net
- hereftu.net
- hipraputt.com
- jilfawris.com
- kepiseu.com
- kepiseu.net
- multinew.com
- plumppeak.com
- relaxkind.com
- uljyelsel.com
- vapshei.net
- yuleaware.com
- zwefopcyn.com

Virtually all of these sites are located in China and are registered in the names of various people, most probably invented. A simple calculation shows that one Iksmas bot sends out around 80 000 emails in 24 hours. Assuming that there are 5 million infected machines out there, the botnet could send out about 400 000 000 000 (400 billion!) spam messages over a 24-hour period.
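To show what the “unique domain per message” trick looks like from the filtering side, here is an added Python example (written for this page, not Kaspersky’s anti-spam code). The sample messages are constructed from the five quoted above; the function names and the threshold are arbitrary. Counting full hostnames makes every message look unique, while collapsing each hostname to its second-level domain makes the campaign visible again.

```python
"""Added example, not Kaspersky's anti-spam code: extract the URLs from a batch
of spam messages, separate the per-message hostnames (third-level domains)
from the registrable second-level domains, and flag second-level domains
whose subdomains are rotated per message.  The sample messages are
constructed from the ones quoted in the post; the threshold is arbitrary."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample batch: the subjects and hostnames quoted in the post.
SAMPLE_MAILS = [
    "Subject: A unique opportunity to live healthier life!\n"
    "Hot News for You http://ie.hipraputt.com/",
    "Subject: Add power to your man's hammer\n"
    "We supply porno studios since 1972. http://bv.relaxkind.com/",
    "Subject: Hot life - our help here.\n"
    "Ensure your potence today! http://bj.jilfawris.com/",
    "Subject: Perfect solutions to have it hard as stone!\n"
    "Your one and only online Chemist. http://zer.jilfawris.com/",
    "Subject: She will dream of you days and nights!\n"
    "Love her everywhere. http://lrmt.jilfawris.com/",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text):
    """Hostnames of every http(s) URL in a message, lower-cased."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def registrable_domain(host):
    """Last two labels of a hostname (the second-level domain).
    Simplification: no public-suffix list, so 'example.co.uk' collapses
    to 'co.uk'; use a PSL-based library for real traffic."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_stats(mails):
    """Counter of full hostnames and Counter of second-level domains."""
    hosts = [h for m in mails for h in extract_hosts(m)]
    return Counter(hosts), Counter(registrable_domain(h) for h in hosts)


def rotated_subdomains(host_counts, min_hosts=3):
    """Second-level domains that appear under at least min_hosts distinct
    hostnames, each seen only once: a per-hostname frequency filter never
    fires, but aggregating on the second-level domain exposes the campaign."""
    by_sld = {}
    for host in host_counts:
        by_sld.setdefault(registrable_domain(host), []).append(host)
    return sorted(
        sld for sld, hosts in by_sld.items()
        if len(hosts) >= min_hosts and all(host_counts[h] == 1 for h in hosts)
    )


if __name__ == "__main__":
    host_counts, sld_counts = domain_stats(SAMPLE_MAILS)
    print(len(host_counts), "hostnames,", len(sld_counts), "second-level domains")
    print("rotated:", rotated_subdomains(host_counts))
```

The registrable_domain() helper just keeps the last two labels, which is wrong for suffixes such as co.uk; real deployments use a public-suffix list. Rotating subdomains costs the spammer nothing once a wildcard DNS record is in place (the post doesn’t say how these 40 542 hosts were provisioned, so that is an assumption), which is why the second-level domain, and the IPs it resolves to, is the robust thing to count.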
| Aleks | April 09, 2009 | 14:18 GMT |
Last night the Kido (aka Conficker/Downadup) botnet kicked into action – what everyone’s been on the lookout for since 1st April. The computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling infected machines to download new malicious files. This latest Kido variant – Net-Worm.Win32.Kido.js – is very different from previous ones, with two notable points: once again it’s a worm, and it’s only functional until 3rd May. We’re still digging into the files, and we’ll post updates.

Kido doesn’t only download updates for itself; it’s the other files it downloads which really make the story interesting. One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also tried to download fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com, spywrprotect-2009.com and spywareprotector-2009.com.
Once it’s run, you see the app interface, which naturally asks if you want to remove the threats it’s “detected”. Of course, this service comes at a price - $49.95. 

At the moment, the rogue antivirus comes from sites located in Ukraine (131-3.elaninet.com, 78.26.179.107), although Kido is downloading it from other sites. The latest version of Kido also downloads Email-Worm.Win32.Iksmas.atz to infected systems. This email worm is also known as Waledac, and is able to steal data and send spam. When it first appeared in January 2009, a lot of IT experts noted the similarity between Kido and Iksmas. The Kido epidemic was mirrored by an email epidemic caused by Iksmas which was on just as large a scale. But up until now, there wasn’t any firm evidence of a link between the two worms. The evidence appeared last night. Both Kido and Iksmas are now present on infected machines and part of the gigantic botnet designed to conduct spam mailings.

And, although there’s no confirmation of this yet, it may be that sites belonging to companies and organizations which are part of the Conficker Working Group will find themselves under attack.

UPDATE: Our colleagues over at ISC have just posted saying that the CWG site is down; they're looking into it.

UPDATE 2: Wired is reporting that the outage is due to cable sabotage.
Porn dialers for smartphones
Today we detected a new potentially unwanted program for smartphones running Symbian S60 2nd edition: not-a-virus:Porn-Dialer.SymbOS.Pornidal.a. When a file called iPornPlayer.sis is launched, the user is shown a standard EULA which mentions content of a pornographic nature, conditions of use etc. We detect this program as not-a-virus:Porn-Dialer and not as a Trojan-Dialer specifically because it’s got a EULA. Most importantly, the EULA states that the app will call international premium rate numbers (listed below) in order to access content.
- +43820911995
- +43810522237
- +239980254
- +3598815400096
- +22650500089
- +6744449333
- +423662690232
- +227171020
- +41773111701
- +2284260203
The files below then get installed:
- c:\system\apps\SexyVideo\SexyVideo.app
- c:\system\apps\SexyVideo\SexyVideo.rsc
- c:\system\programs\FullLengthViewer.exe
- c:\system\recogs\EZRECOG.MDL
The MDL file is used to autorun FullLengthViewer.exe, and it’s this exe file that makes the calls to premium numbers. This type of threat really highlights two points. First, most users read EULAs with one eye at best, which means they have no idea what the program might actually do (in this case, call premium numbers). Second, because it contains a EULA, what Pornidal does isn’t actually illegal. But this type of program can be modified by removing the EULA or changing it so it doesn’t mention premium rate calls – this would make the program malicious, and any profits it brings in would be clearly illegal.
Kido/Conficker: a sobering thought
| Roel | April 02, 2009 | 19:05 GMT |
It's the second of April all over the world and the Internet still works. So far so good. :-)

There's been a huge amount of attention around Kido/Conficker/Downadup this week. As the vast majority of experts anticipated, nothing happened on the first of April. All the hype actually reminded me of Sober, which strangely enough didn't get mentioned in the tons of stories I've been reading over the last few days. Just over three years ago we were dealing with a big epidemic – Email-Worm.Win32.Sober.y. Costin wrote about it here. When Sober.y was ready to update, the whole world was watching, just like now. And, just like now, nothing happened on the first day. It will be interesting to see where and when the parallels between this side of Sober and Kido/Conficker will end.

A lot of the mainstream media have asked if the anticipated Kido update could just be a seasonal joke. The answer is a definite no. However, if you've heard rumours of the arrest of the authors – unfortunately, that was an April fool.