MoMusings

As some of you may have noticed we are seeing a massive campaign by the ‘Bad Guys and Girls‘ who are now using social engineering techniques via fake Halloween e-card notification e-mails. The last ones used cats as the bait!

Here’s a screenshot of what just one of these look like now:

The body text can be one of a number of text strings and the link, at the moment, is one composed of numbers [IP Address].

Of course, when you click on the link you go to another site, not the one you expect to go to. Here are a couple of screenshots of one of the web pages you could end up on if you click on the link in one of these ‘fake e-card’ e-mails.

Here’s a screenshot taken last night:

Here’s a screenshot taken this morning:

Did you notice any difference?

What you don’t see happening in the background is that just by you visiting the site it is letting the Bad Guys and Girls run exploit code against your system, if your system isn’t fully patched, you’ll get infected. If that fails [because your system is fully patched, or otherwise protected] they can always use social engineering to get you to infect your own computer by clicking on the link or graphic and running the file.

The main problem with the recent waves of fake e-card e-mails we have been seeing is that the link to the ‘fake e-card‘ takes you to is often a website that contains the following payloads that can automatically infect your computer just by visiting it with a system that isn’t fully patched:

• Various Browser Exploits.
• Various Windows Exploits.
• A download [fake e-card] which is actually malware.

It also appears that the so-called Storm-Worm Gang are constantly looking for new angles and ways to get you to add your computer to their botnet. This doesn’t bode well for the upcoming festive season as that is when social engineering seems to work best. Why this is the case is not clear, it could be due to good will or a drop of the good-stuff? Maybe, it is just because people are more willing to spare a thought for others at this time of year, and in return expect them to spare a though for them?

As I’ve often mentioned here, the ‘Bad Guys and Girls‘ seem to be using social engineering as their primary tool to try and get you to infect your own computer, so be very careful and make sure your system is fully patched and protected if you must let curiosity get the better of you…don’t make their job even easier.

Just to make it crystal clear, the file offered on these sites will NOT show you a dancing skeleton; the only one dancing will be you, to the tune of the botmasters! Any sinister/mad laughter you imagine you hear is the same people laughing all the way to the bank.

Have a fun but safe Halloween…

This posting discusses the findings of an online survey carried out by Sophos.

“The research shows that 31 percent of companies believe remote or mobile users expose their networks to the greatest threat, compared to 25 percent that consider guests or external contractors the greater danger. In contrast, an additional 44 percent of companies believe standard employees are actually more likely to expose the network.“

The problem is somewhat more fundamental than this survey would have you believe; the problem isn’t just that employees [whichever group they fall into] are a risk, the real root of the problem is that people are the weakest link in security[1]…let me explain how I know this:

You only have to look around to see people that are taking risks either with their personal and/or computer security.

It’s even worse when they behave the same way on their employers computers or network. Whether it is ignoring security policy/rules; opening attachments they shouldn’t, visiting websites to retrieve e-cards or view questionable or illegal material, disable security tools to speed up the computer, giving away personal or proprietary information, or possibly hacking into systems for either fun or profit.

The worst of it all is when ‘good‘ people fall for the tricks used by the bad guys and girls, such as social engineering. [I've included links to a number of the risks mentioned, in the material below.]

The bad guys and girls have long known that social engineering is the most effective way to get their malware installed on a victims computer, just as the scammers know that social engineering makes them the most money; as more victims fall for this approach than any other. I have already blogged about the ‘human element‘ in security [or should that be insecurity?;-)] a number of times before; be it ‘click-a-holics‘, e-cards, lottery/grant notifications, 419 and Phishing scams, lost friends or relatives and hoaxes, in fact the whole enchilada.

This year has seen the bad guys and girls use social engineering as their number one infection vector; rarely do they now include a coded infection routine in their malware, they just get the recipient to infect their own computer, it works very well and means they have less work to do to create new malware.

Here’s a good and timely example:
Adobe Acrobat [PDF] vulnerability which was first disclosed on September 20th, 2007. Here’s some data from Symantec about what the bad guys and girls did with it:

“One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.

The Trojan will most likely arrive through email with a subject such as “invoice”, “statement” or “bill” of some description, and just containing the .pdf file. So far we have seen the following file names used:

- INVOICE.pdf
- YOUR_BILL.pdf
- BILL.pdf
- STATEMET.pdf

If the .pdf file is opened and the vulnerability exploited, it will run code that will download an executable named ldr.exe.“

In other words, once you have been socially engineered and you’ve opened the PDF, the exploit code will execute and your system will get infected unless you have other mitigating technologies/methodologies in place to stop it. From then on your computer is no longer yours, it belongs to the bad guys and girls.

So, what can you do to stop this particular threat [not social engineering in general]?

You can install the ‘official‘ patch for Acrobat Reader from here or the ‘official ‘Acrobat Reader update from here here. Trust me I’m a security specialist

Maybe humans need to learn from the mistakes of others; history is littered with such material, so that they are less likely to repeat them, ad nauseum. Although I wouldn’t bet on it happening anytime soon!

What do you think is the best way to stop people falling for social engineering?

Links to other stories/surveys on Social Engineering:

• Firms warned they are failing to block social engineering attacks
• Office workers give away passwords for a cheap pen
• What’s the greatest security risk?
• You are the Weakest Link, Goodbye! – Passwords, Malware and You
• You are the Weakest Link, Goodbye! – Malware Social Engineering Comes of Age

[1] In security, computer or otherwise, a system is only considered to be as strong as its weakest link; as that is the place where it is most likely to fail. Just like a real chain

September was a very busy month for me as I wrote and presented a paper at the Virus Bulletin conference in Vienna, Austria, as well as dealing with my usual workload.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We’ve also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

• Kaspersky
• SOPHOS
• WormCharmer
• Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 457 samples during September, which have been catalogued as 27 distinct families and variants. In comparison during August I captured 566 samples which were catalogued as just 20 distinct families/variants. As you can see the captures in September are slightly down from August’s total.

During September I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by September’s statistics the general trend is still downwards. It appears that social-engineering is very much the technique of choice this year.

The first pie chart below shows the Top 10 distinct malware by percentage. Let The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

During September I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 76 percent of the samples captured in September, down from almost 82 percent in August.

There are eight [up from seven] members of the Opaserv.worm family in September’s chart. These are variants: AI, AE, D, AJ, E, I, AD and AH in second, third, fourth, fifth, sixth, seventh, ninth and tenth places respectively.

The final slot left is taken by our old friend Dupator who is down one place from seventh to eighth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for September Mytob.c has once more started to slide back down the chart from fourth to sixth place.

Netsky.q [aka P] has consolidated its hold on pole position it managed to grab back in June. It is joined by three [same as in August] other family members, these being: Netsky.t, which has slipped down one place seventh to eighth spot. Netsky.aa continues its upward climb, up from third to the runner-up spot; second place. The final Netsky family member is Netsky.b which is static in tenth place.

Bagle.gt has reversed once more restarted its slow journey down the chart, falling from second to fourth place.

Like Bagle.gt, Worm.Win32.Feebs.gen is slipping down the chart once more, from fifth to seventh place.

The final free places in September’s chart are taken by one re-entry, this being Email-Worm.Win32.Nyxem.e [aka Mywife.D], a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l up from sixth to the final podium step; third.

Kaspersky had this to say about September’s chart:

“Our forecasts for September turned out not to be spot on. Trojan-Downloader.Win32.Agent.brk, which was spreading actively in August, didn’t extend the botnet that it builds, and as a result, there’s not a single Warezov variant in September’s Top Twenty.
However, the authors of another email worm, Zhelatin (aka the Storm worm) stepped up their activity. Throughout August security companies provided regular reports and estimates on the scale of the botnet created by the worm. Some estimates were as high as 2 million infected computers around the world – indicating that a new epidemic was on the horizon. However, September was remarkably calm from this point of view. Either the numbers were erroneous, or the authors of Zhelatin have decided to take a break until law enforcement agencies around the world direct their attention elsewhere.”

Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netksy has further consolidated its grip on pole position.

Mytob has consolidated its grip on third place. The runner-up spot has been taken by Troj/Pushdo which climbs up from the fourth place it held in August. Last month’s runner-up spot sitter, W32/Zafi has fallen down to fourth place.

Mydoom which was a re-entry in November’s chart has once more lost ground, falling back down to seventh from fifth.

Bagle also slipped down the chart during September, from eighth to ninth place.

There are two re-entries in September’s chart, these being Mal/IFrame and Mal/Behav in fifth and sixth place respectively.

To complete the chart we have one new entry, this being Mal/Basine and the final place is occupied by TraxG static in tenth.

Here is some commentary on September from Sophos:

“The figures, compiled by Sophos’s global network of monitoring stations, have shown a rise in the percentage of infected email. Overall in September, 0.12 percent of emails were carrying malicious email attachments, or 1 in every 833, compared to 1 in every 1000 during August. This is primarily due to a coordinated campaign by hackers to spam out the Pushdo Trojan horse en masse during the second half of September. The emails, which pose as naked pictures of Hollywood actresses such as Angelina Jolie and “Holly Berry” [sic], carry a malicious payload designed to give criminal hackers control over infected PCs. During a single 24-hour period in the last week of September, Sophos reports that the Pushdo Trojan accounted for almost 4 in every 5 infected emails.”

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Operserv has had to settle for the runner-up spot; second, yet again and the final step of the podium, third place, is occupied by Dupator which is where it was in August’s chart.

We have five re-entries in the chart in September; these are Win32.Zhelatin, Win32.Agent, Trojan.BAT.Runner, IRC.Zapchast and Win32.Tibs back in the chart in fourth, sixth, seventh, eight and ninth place respectively. Sixth place is occupied once more by W32.Funlove.

The final place in September’s chart is occupied by Lorez down from seventh to tenth.

The more astute of you may have noticed that the top ten for September, once more contains ten entries rather than the seven we had in August.

If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 – 2007 [up to the end of September] here. This clearly shows that September was quieter than the previous two months. As shown in the figures for September, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the ‘Storm Worm’ gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 329,196 at the end of September. That’s a growth of 106,723 new malware strains and/or variants so far in 2007, in September the number once more jumped by over 12,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just almost 142,300. Things have certainly speeded up during the second and third quarters of 2007!

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.

• New Storm Worm Run… [6th September]
• NFL = Nuwar File Link? [9th September]
• You SPIM Me Round… [11th September]
• Oh, Vienna…Update [25th September]

Conclusions:
The current trend of using social-engineering which has been widespread in January – August has continued during September, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam seen are almost back to their usual levels after the slight drop in the level of spam during August. The spammers haven’t been idle during September as they are still trying out other file formats which they hope will bypass anti-spam defences.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during September. This is clearly shown in the massive jump in the percentage of phishing scams we’ve seen during both August and September.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last quarter of the year! Typically the last quarter of the year and specifically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Links:

• Virus Top Twenty for September 2007 [Kaspersky]
• Top ten viruses and hoaxes for September 2007 [Sophos]

There’s MP3 spam about!

Yes, you read that right, I started to receive spam e-mails that only have an MP3 [Audio] file attached, no body text.

At first I thought it was a new ploy by the malware authors, but after a quick check, the attachments were real MP3 files [LAME encoded].

So, I bit the bullet and played it, and lo and behold it was an audio version of the ‘Pump-n-Dump‘ scams that we have been used to seeing. The one I listened too was of poor audio quality, in fact the woman sounded a bit like a Dalek!

Although as far as I can remember there were no lady Daleks, well not in the one-eyed motorised dustbin version, that came complete with kitchen utensils [egg whisk], plumbing tools [sink plunger] and a built-in CO2 fire extinguisher anyway [see picture].

More on this later when I’m back in the office.

UPDATE:
I didn’t have anytime yesterday to follow-up on this posting as I was out all day giving a couple of guest lectures at a UK University. However, it now seems that I was the first one to report this new move by the spammers, as the other reports and news items about it didn’t start to appear until around mid-day [UK time] on the 18th.

The gangs behind these ‘pump-n-dump‘ scam spam runs have been very inventive so far, as they have already used graphical spam, animated graphical spam, subliminal animated graphical spam, Word document spam, Excel spreadsheet spam and finally PDF/FDF [Adobe Acrobat] spam. This list doesn’t include the basic ASCII [Text] and HTML spam they still use, as well as the ZIP and RAR files used as containers for many of the file formats they have used.

I wonder what they’ll try next? Video spam?

Here are some links to some of the other coverage of this move to using Audio spam:

• Kaspersky’s Blog
• McAfee Blog
• SOPHOS Blog

There are also lots of news items appearing based on information supplied from the above, especially from my friend Graham Cluley who works for Sophos.

Addendum: Here’s a link to one of the MP3 spam audio files I received, so that you can hear it yourself. However, please don’t fall for the scam, you won’t buy the stock offered will you?

For the techies out there, the file is encoded at 16Kbps. Most MP3 music files are encoded between 128-256Kbps.

As a final thought, I suppose you could call this a genuine product of a spam robot?

Here’s an interesting trick that the spammers are increasingly using to defeat not only software and hardware anti-spam defences but also “wetware” anti-spam defences; wetware is the geek/nerd term for you, dear reader, the interface between the chair and the keyboard.

Stealth is not a new idea, computer viruses and other malware have been using technique to hide since the very beginning of the problem on IBM and compatible PCs. In fact the very first virus on this platform ‘Brain‘ used stealth. Also, most of you are aware that stealth is widely used by the military, not only to make warplanes invisible [or almost] to radar and other tracking technologies, but also warships.

So, what do these ‘Stealthed‘ spam e-mails look like?

Well, to answer that question take a look at the screenshot of just three of the many I’ve so far received:

The first one claims to be from ‘Parents.com‘:

The second one claims to be from ‘Television Food Network‘:

The third and final one claims to be from ‘Charles Schwab & Co.‘:

With all of the above examples, all the URLS [web-links] used in the e-mail point to the real site, not a spammy one. All the text is real taken from real newletters/e-mails from the targeted company. These e-mails pass the tests that most of use to decide if something is spam or not, in other words they pass the ‘Eyeball‘ test fairly easily as they look like genuine e-mails from real companies. The only missing pieces are any remote graphics, which most e-mail programs will not show, at least not by default.

So, what do they look like when I enable ‘allow remote images‘ in the e-mail program?

They look like this:

Now they all fail the ‘Eyeball‘ test with ease.

Why do I call these ‘Stealthed Spam‘? Well, simply because the spam component is hidden and not in plain view.

As they say “Keep ‘em peeled!“, which means keep your eyes open and stay alert. Or, as other might say, “don’t believe everything you see or read“, it may be a clever fake.

If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!

Have you been receiving e-mails stating that you have received an e-card, more precisely a Crazy Cat or Laughing Kitty or other Cat related word-play cards?

If so then there is something you should know, there is no e-card, this is a another new ‘Storm Worm’ run in progress. This one is using a new topic; Cats as the bait. Which is not one we’ve seen them use before.

This is what one of the new e-mails look like:

And here is what you’ll see if you click on the link:

What you won’t see, is that as usual with most Storm Worm sites, in the background on a vulnerable system is that your system is being compromised and infected without any need for you to click on the link in the webpage. You are fully patched, aren’t you? Even if you are fully patched do not download and run the file offered, as it is malware. Every link on the page is to the malware file, currently named ‘SuperLaugh.exe‘.

However, if you have a decent up-to-date anti-malware you will be protected, as you can see from the screenshot below:

To save you falling for this, and letting curiosity kill the cat, I have included a first for this blog. I recorded a video of the page, complete with the infectious laughter that accompanies the fake e-card.

So, if you must see what the full page looks like while not getting infected, then be a cool cat and use the video link I’ve provided.

UPDATE: I’ve now created a YouTube account and posted it there.

All anti-malware tools should detect this new ‘Storm Worm’ variant before the end of the day.

If you like the use of video to show a new threat, then please let me know and I’ll try and include them in future, where feasible.

No, this isn’t about the place you take your ‘virtual clothes‘ to be cleaned in ‘cyber-space‘ or ‘virtual worlds‘ such as ‘Second-Life‘. It is about something quite different.

I have recently been seeing e-mails claiming to be from a firm called ‘Draper Investment Company LLC‘. A screenshot of one of the many e-mails I have so far received from them appears below:

Clicking on the link in the e-mail takes you to the following very professional looking site, complete with a ‘Flash‘ [SWF] banner:

If you click on the second link in the e-mail, the one that claims to take you to the ‘application form‘, then this is what you’ll see:

If you were in need of a part-time job, to fit around your family, or if you were a starving student, you may well be tempted to apply. I mean, the rates look ‘very‘ good for very little of your time, in fact they seem almost ‘too good to be true‘, and that should be setting off little alarm-bells in your head. But, just in case it hasn’t done so, what does the ‘Site Advisor‘ from ‘McAfee‘ make of the site, let’s see:

Well, are you still tempted now? can you hear the alarm-bells now? No? Well, let’s see what ‘Netcraft‘ has to say about the site, shall we?:

Still interested? Nope, I thought not. But, just in case you were, you should be aware of the following, as you are not only aiding and abetting cyber-criminals in laundering money stolen from accounts acquired via Phishing, you may also be helping to fund ‘International Terrorists‘ too! Yes, that’s right, you could be unwittingly helping ‘Terrorist‘ groups, like ‘Al Qaeda‘ and others of their ilk.

Both the Netcraft Anti-Phishing-Toolbar and the McAfee SiteAdvisor are FREE browser plugins which work with not only IE [Internet Explorer] but also Firefox. Neither are a ‘Silver Bullet‘ for the Phishing and related Cyber-crime problem, but they are useful in the fight against the scumbags that try to either steal your identity or try and get you to work for them. In other words, these tools just might help to stop you being taken to the cleaners, or being one of the cleaners.

So, in summary, you would be working as a ‘Mule‘ and ‘Laundering‘ stolen funds, you do know what a ‘Mule‘ is don’t you?

The answer is this:
We are not talking about four legged creatures that are half horse and half donkey….think more of drug couriers who are more usually referred to as Mules!

Now, in most cases Mules are those that either carry things for others [hence the use of the term] or act as laundering points, such as in organized crime syndicates, they do the dirty work of moving material from A to B and usually have little or no idea what what they are doing is illegal. They may even be acting as a Mule under duress, such as blackmail, etc.

There have been a number of people who have recently been recruited as Mules by the Phishers to help process the funds stolen during the latest Phishing Trawl, but the Mule doesn’t know that they are helping criminals… They believe that they have a ‘real‘ job helping financial companies with ‘excess‘ workload or helping to test the companies security by logging in using the stolen credentials and moving money to other accounts…scary huh?

In fact, because the cyber-criminals behind the Phishing and other Identity-Theft crimes have been so successful, they have more data than they can easily deal with. This is why they are now trying so hard to recruit ‘you‘ as a money-mule or cyber-launderer.

Of course, when the authorities catch up with the Mules and they are arrested and charged, they are often shocked that they had been so naive and feel rather ‘used‘.

So next time you see a job ad on the web, in the local paper or receive a job offer via e-mail, stop and think is this really legit, or am I about to be turned into a mule…

For those of you that don’t speak or read/write German, the title of this post roughly translates as: ‘Warning, I am infectious‘.

Hmmm…seems to be a rather busy day for me today!

This posting is mainly a warning for those of you out there that speak German, although if you don’t you could still give in to your curiosity with potentially disastrous results.

Here’s a screesnhot of an e-mail I started to see this morning:

This is a screenshot of the website that the link in the e-mail takes you to:

If you are curious enough to click on the hyperlink at the foot of the web page a file gets downloaded; at this time the file is called, ‘behnert.exe‘.

More data on the file can be found here: http://momusings.com/vsub/2007/10/vs0710002-possible-new-malware-bzub.html

I’ve submitted the file to the anti-virus vendors, so detection should be near complete within 24 hours.

The core of the e-mail claims that ‘Anne Behnert‘ went to the same school in Germany that I attended. This might have been more believable if I had gone to school in that country, but I didn’t. However, ironically I was born there!

Here are ‘Google‘ translations of text from both the e-mail and the webpage, as you’d expect the translations are not very good:

E-Mail text:

Did you recognize me? I bin’s Anne Behnert.
I imagine in such a way, we would have with you in a school gelernt.
It is stop much time past and so can you you to me probably not more erinnern.
And I cannot forget it yet, we was best friends.
Do you remember those walks after the school? This was genuinly cool, gell?
It was however everything after the removal of my parents to end.
We pulled into another city.
I had to leave you all of the school and I felt so lonely at that time, remained completely alone and the feeling of the isolation deprimierte me riesig.
Then I have new contacts constructed and now give it again friends, am long already however completely different history!
And I remember nevertheless nearly nobody from the school, thus only you.
I would like that we further constantly communicate ourselves könnten.
Do you want to times actually see, how I look now?

Web page text:

There are you here probably because of my invitation or perhaps only that you can know me.
However I am pleased much to see you here!
I learned in several schools, because my parents from place had pulled to place. First it was very unpleasant for me, then I had resigned myself to it. I became acquainted with a great many people only volatilely. Some of it, these were not bad I directly forgot, some were o.k., with which I would maintain still gladly relations, could however because of some circumstances. And now, if I arose want I mean friendship volumes again to strengthen! Well that I must now nirgendswo him and one can make oneself after the search!
After tormenting school I began with the study and then was successfully finished I with it. Momentarily I work as a child psychologist. Whether it to be strange should:)? I feel very destined as it. From my childhood I am very much accustomed to the children. And now I help them.
That was actually everything! I am pleased to your answer!
So I am it now.

So, hopefully you can see why I entitled this blog post as I have, as she is indeed infectious?

Interestingly a similar e-mail, this time in English, is mentioned on the Sophos Blog, here: http://www.sophos.com/security/blog/2007/10/623.html

Heads-up, there is a new ‘Storm Worm’ run in progress.

This is what one of the new e-mails look like:

Yes, I’ve modified a certain ‘area’ of the screenshot as it may be considered ‘explicit’ and/or unsuitable for publishing in its original form, by many people.

The unusual thing about this version, apart from the change in subject matter to try and get you to infect your computer, is that the e-mail doesn’t link to a remote site, there is a file attached to the e-mail.

The attachment in this example is currently called ‘hent.zip’ and it contains a file called ‘hent.exe’.

More data on the file can be found here: http://momusings.com/vsub/2007/10/vs0710001-possible-new-malware-agent.html

Some other data suggests that the body may be quite variable, and in some cases also padded out with text from data stolen from other websites.

I’ve submitted the file to the anti-virus vendors, so detection should be near complete within 24 hours.

Wow, look at this e-mail I’ve just been sent. According to it I’ve won FIVE HUNDRED AND TWENTY THOUSAND DOLLARS!

So, it claims to have come from ‘Yahoo‘, but on closer inspection it has actually come from a ‘Freemail.de‘ account. Obviously things are getting tough at ‘Yahoo‘ if they can’t afford to run their own mail servers and domains anymore, but they can afford to give me FIVE HUNDRED AND TWENTY THOUSAND DOLLARS as a prize? Doesn’t add up, does it?

OK, I’ll let you in to a secret, there is no such lottery, there is no ‘FIVE HUNDRED AND TWENTY THOUSAND DOLLARS‘ waiting for me (more’s the pity ) Yes, the e-mail is nothing more than another variant of the 419 Lottery scam which I’ve covered many times before on this blog.

This one isn’t as ingenious as the ones I blogged about before, but it is a good try and people will get sucked in and believe that they have won a large pile of money, so you have been warned. As I often state “If something seems too good to be true, it probably is [too good to be true]“. In other words “There ain’t no such thing as a free lunch!“

This seemed a rather timely post as a major 419 gang has been arrested in Nigeria. Here’s a snippet from the BBC news item:

“Thousands of fake cheques worth some £8m ($16.2m) have been seized in an attack on international e-mail scams.

The cheques, offered as prizes in exchange for a fee and destined for the UK, were recovered in Nigeria by the Serious Organised Crime Agency (Soca).

The month-long investigation into the fraud uncovered more than 4,500 forged and fraudulent documents.
UK officials are working with agencies in the US, the Netherlands, Canada and Spain to tackle “mass marketing fraud”.
A handful of people have been arrested in the UK with almost 70 more held overseas. “

The really interesting thing about this story is that Internet Dating sites were also being used to ‘hook’ victims. Those who were behind the scheme were pretending to be Nigerian women, when in fact they were all men. It only goes to show just how careful you have to be when chatting/e-mailing people you haven’t met in real-life. As the saying goes “On the internet, nobody knows you’re a dog.“.

On the dating theme, it appears that the picture used [of the bogus Dr. Moore] has been ‘borrowed‘ from CupidBay.com, very spooky!

Right, time for my walkies, now where’s my collar and lead