MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Wednesday, 31 October 2007

Trick, But NO Treat!

As some of you may have noticed we are seeing a massive campaign by the 'Bad Guys and Girls' who are now using social engineering techniques via fake Halloween e-card notification e-mails. The last ones used cats as the bait!

Here's a screenshot of what just one of these looks like now:



The body text is one of a number of different strings, and the link, at the moment, is a bare IP address [a string of numbers] rather than a domain name.
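A small filter for the lure described above, added here as an example and not code from the original post: it pulls every URL out of a message and flags the e-card notifications whose link host is a bare IP address instead of a hostname. The sample e-mail is constructed, and its address is an RFC 5737 documentation placeholder, not an indicator from the campaign.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of a fake e-card notification, modelled on the wording
# described above. 192.0.2.45 is a documentation-range placeholder (RFC 5737).
SAMPLE_ECARD = """\
Subject: You've received a Halloween e-card!

Hello! A friend has sent you a Halloween greeting card.
To see your card, click: http://192.0.2.45/?halloween
Your card will be available for 30 days.
"""

# Matches http(s):// or www. links up to the first whitespace or closing bracket/quote.
URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"')\]]+""")

# Words that mark the social-engineering hook used by these spam runs.
ECARD_WORDS = ("e-card", "ecard", "greeting card", "postcard")


def extract_urls(text):
    """Return every http(s)/www URL found in the text, exactly as written."""
    return URL_RE.findall(text)


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address rather than a hostname."""
    if url.lower().startswith("www."):
        url = "http://" + url  # urlparse needs a scheme to split out the host
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_ecard_mail(text):
    """
    Simple mail-filter rule: an e-card lure combined with at least one link whose
    host is an IP literal. Returns (is_suspicious, list_of_ip_literal_urls).
    """
    lowered = text.lower()
    lure = any(word in lowered for word in ECARD_WORDS)
    ip_urls = [u for u in extract_urls(text) if host_is_ip_literal(u)]
    return (lure and bool(ip_urls)), ip_urls


if __name__ == "__main__":
    suspicious, urls = flag_ecard_mail(SAMPLE_ECARD)
    print("suspicious:", suspicious, "ip-literal links:", urls)
```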

Of course, when you click on the link you go to another site, not the one you expect to go to. Here are a couple of screenshots of one of the web pages you could end up on if you click on the link in one of these 'fake e-card' e-mails.

Here's a screenshot taken last night:


Here's a screenshot taken this morning:


Did you notice any difference? ;-)

What you don't see happening in the background is that merely visiting the site lets the Bad Guys and Girls run exploit code against your system; if your system isn't fully patched, you'll get infected. If that fails [because your system is fully patched, or otherwise protected], they can always fall back on social engineering to get you to infect your own computer by clicking on the link or graphic and running the file.

The main problem with the recent waves of fake e-card e-mails we have been seeing is that the link to the 'fake e-card' often takes you to a website that contains the following payloads, which can automatically infect a computer that isn't fully patched just by visiting it:
  • Various Browser Exploits.

  • Various Windows Exploits.

  • A download [fake e-card] which is actually malware.

It also appears that the so-called Storm-Worm Gang are constantly looking for new angles and ways to get you to add your computer to their botnet. This doesn't bode well for the upcoming festive season, as that is when social engineering seems to work best. Why this is the case is not clear; it could be due to good will, or a drop of the good stuff? ;-) Maybe it is just because people are more willing to spare a thought for others at this time of year, and in return expect them to spare a thought for them?

As I've often mentioned here, the 'Bad Guys and Girls' seem to be using social engineering as their primary tool to try and get you to infect your own computer, so be very careful and make sure your system is fully patched and protected if you must let curiosity get the better of you...don't make their job even easier.

Just to make it crystal clear, the file offered on these sites will NOT show you a dancing skeleton; the only one dancing will be you, to the tune of the botmasters! Any sinister/mad laughter you imagine you hear is the same people laughing all the way to the bank.

Have a fun but safe Halloween...



Wednesday, 24 October 2007

Who's the Weakest Link?

This posting discusses the findings of an online survey carried out by Sophos.

"The research shows that 31 percent of companies believe remote or mobile users expose their networks to the greatest threat, compared to 25 percent that consider guests or external contractors the greater danger. In contrast, an additional 44 percent of companies believe standard employees are actually more likely to expose the network."

The problem is somewhat more fundamental than this survey would have you believe; the problem isn't just that employees [whichever group they fall into] are a risk, the real root of the problem is that people are the weakest link in security[1]...let me explain how I know this:

You only have to look around to see people taking risks with their personal and/or computer security.

It's even worse when they behave the same way on their employer's computers or network, whether it is ignoring security policy/rules; opening attachments they shouldn't; visiting websites to retrieve e-cards or view questionable or illegal material; disabling security tools to speed up the computer; giving away personal or proprietary information; or possibly hacking into systems for either fun or profit.

The worst of it all is when 'good' people fall for the tricks used by the bad guys and girls, such as social engineering. [I've included links to a number of the risks mentioned, in the material below.]

The bad guys and girls have long known that social engineering is the most effective way to get their malware installed on a victim's computer, just as the scammers know that social engineering makes them the most money, as more victims fall for this approach than any other. I have already blogged about the 'human element' in security [or should that be insecurity? ;-)] a number of times before; be it 'click-a-holics', e-cards, lottery/grant notifications, 419 and Phishing scams, lost friends or relatives and hoaxes, in fact the whole enchilada.

This year has seen the bad guys and girls use social engineering as their number one infection vector. Rarely do they now include a coded infection routine in their malware; they just get the recipient to infect their own computer. It works very well and means they have less work to do to create new malware.

Here's a good and timely example: the Adobe Acrobat [PDF] vulnerability which was first disclosed on September 20th, 2007. Here's some data from Symantec about what the bad guys and girls did with it:

"One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.

The Trojan will most likely arrive through email with a subject such as "invoice", "statement" or "bill" of some description, and just containing the .pdf file. So far we have seen the following file names used:

- INVOICE.pdf
- YOUR_BILL.pdf
- BILL.pdf
- STATEMET.pdf

If the .pdf file is opened and the vulnerability exploited, it will run code that will download an executable named ldr.exe."

In other words, once you have been socially engineered and you've opened the PDF, the exploit code will execute and your system will get infected unless you have other mitigating technologies/methodologies in place to stop it. From then on your computer is no longer yours, it belongs to the bad guys and girls.

So, what can you do to stop this particular threat [not social engineering in general]?

You can install the 'official' patch for Acrobat Reader from here, or the 'official' Acrobat Reader update from here. Trust me, I'm a security specialist ;-)

Maybe humans need to learn from the mistakes of others; history is littered with such material, so that they are less likely to repeat them, ad nauseam. Although I wouldn't bet on it happening anytime soon!

What do you think is the best way to stop people falling for social engineering?

Links to other stories/surveys on Social Engineering:

[1] In security, computer or otherwise, a system is only considered to be as strong as its weakest link, as that is the place where it is most likely to fail. Just like a real chain.



Monday, 22 October 2007

September 2007 Malware Review

September was a very busy month for me as I wrote and presented a paper at the Virus Bulletin conference in Vienna, Austria, as well as dealing with my usual workload.

As usual on the malware-related security threats front, it has been an interesting month, with yet more malware using social engineering to get the victim to infect their own computer, without the malware author having to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again; more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 457 samples during September, which have been catalogued as 27 distinct families and variants. In comparison during August I captured 566 samples which were catalogued as just 20 distinct families/variants. As you can see the captures in September are slightly down from August's total.

During September I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by September's statistics the general trend is still downwards. It appears that social-engineering is very much the technique of choice this year.


During September I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 76 percent of the samples captured in September, down from almost 82 percent in August.

There are eight [up from seven] members of the Opaserv.worm family in September's chart. These are variants: AI, AE, D, AJ, E, I, AD and AH in second, third, fourth, fifth, sixth, seventh, ninth and tenth places respectively.

The final slot left is taken by our old friend Dupator who is down one place from seventh to eighth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 for September [below], Mytob.c has once more started to slide back down the chart, from fourth to sixth place.

Netsky.q [aka P] has consolidated its hold on the pole position it managed to grab back in June. It is joined by three [same as in August] other family members, these being: Netsky.t, which has slipped down one place from seventh to eighth spot; Netsky.aa, which continues its upward climb, up from third to the runner-up spot, second place; and the final Netsky family member, Netsky.b, which is static in tenth place.

Bagle.gt has once more restarted its slow journey down the chart, falling from second to fourth place.

Like Bagle.gt, Worm.Win32.Feebs.gen is slipping down the chart once more, from fifth to seventh place.

The final free places in September's chart are taken by one re-entry, this being Email-Worm.Win32.Nyxem.e [aka Mywife.D], a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l up from sixth to the final podium step; third.

Kaspersky had this to say about September's chart:
"Our forecasts for September turned out not to be spot on. Trojan-Downloader.Win32.Agent.brk, which was spreading actively in August, didn't extend the botnet that it builds, and as a result, there's not a single Warezov variant in September's Top Twenty.
However, the authors of another email worm, Zhelatin (aka the Storm worm) stepped up their activity. Throughout August security companies provided regular reports and estimates on the scale of the botnet created by the worm. Some estimates were as high as 2 million infected computers around the world - indicating that a new epidemic was on the horizon. However, September was remarkably calm from this point of view. Either the numbers were erroneous, or the authors of Zhelatin have decided to take a break until law enforcement agencies around the world direct their attention elsewhere."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has further consolidated its grip on pole position.

Mytob has consolidated its grip on third place. The runner-up spot has been taken by Troj/Pushdo, which climbs up from the fourth place it held in August. Last month's runner-up, W32/Zafi, has fallen down to fourth place.

Mydoom which was a re-entry in November's chart has once more lost ground, falling back down to seventh from fifth.

Bagle also slipped down the chart during September, from eighth to ninth place.

There are two re-entries in September's chart, these being Mal/IFrame and Mal/Behav in fifth and sixth place respectively.

To complete the chart we have one new entry, this being Mal/Basine and the final place is occupied by TraxG static in tenth.

Here is some commentary on September from Sophos:
"The figures, compiled by Sophos's global network of monitoring stations, have shown a rise in the percentage of infected email. Overall in September, 0.12 percent of emails were carrying malicious email attachments, or 1 in every 833, compared to 1 in every 1000 during August. This is primarily due to a coordinated campaign by hackers to spam out the Pushdo Trojan horse en masse during the second half of September. The emails, which pose as naked pictures of Hollywood actresses such as Angelina Jolie and "Holly Berry" [sic], carry a malicious payload designed to give criminal hackers control over infected PCs. During a single 24-hour period in the last week of September, Sophos reports that the Pushdo Trojan accounted for almost 4 in every 5 infected emails."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to settle for the runner-up spot, second, yet again, and the final step of the podium, third place, is occupied by Dupator, which is where it was in August's chart.

We have five re-entries in the chart in September; these are Win32.Zhelatin, Win32.Agent, Trojan.BAT.Runner, IRC.Zapchast and Win32.Tibs, back in the chart in fourth, sixth, seventh, eighth and ninth place respectively. Sixth place is occupied once more by W32.Funlove.

The final place in September's chart is occupied by Lorez down from seventh to tenth.

The more astute of you may have noticed that the top ten for September, once more contains ten entries rather than the seven we had in August.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of September] here. This clearly shows that September was quieter than the previous two months. As shown in the figures for September, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 329,196 at the end of September. That's a growth of 106,723 new malware strains and/or variants so far in 2007; in September the number once more jumped by over 12,000. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be almost 142,300. Things have certainly speeded up during the second and third quarters of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - August has continued during September, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam seen are almost back to their usual levels after the slight drop in the level of spam during August. The spammers haven't been idle during September as they are still trying out other file formats which they hope will bypass anti-spam defences.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during September. This is clearly shown in the massive jump in the percentage of phishing scams we've seen during both August and September.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer. It works just as well, and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last quarter of the year! Typically the last quarter of the year and specifically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Links:



Thursday, 18 October 2007

Watch Out, Watch Out...

There's MP3 spam about!

Yes, you read that right, I started to receive spam e-mails that only have an MP3 [Audio] file attached, no body text.

At first I thought it was a new ploy by the malware authors, but after a quick check, the attachments were real MP3 files [LAME encoded].

So, I bit the bullet and played it, and lo and behold it was an audio version of the 'Pump-n-Dump' scams that we have been used to seeing. The one I listened to was of poor audio quality; in fact the woman sounded a bit like a Dalek! ;-)

Although as far as I can remember there were no lady Daleks, well not in the one-eyed motorised dustbin version, that came complete with kitchen utensils [egg whisk], plumbing tools [sink plunger] and a built-in CO2 fire extinguisher anyway [see picture].

More on this later when I'm back in the office.

UPDATE:
I didn't have any time yesterday to follow up on this posting, as I was out all day giving a couple of guest lectures at a UK University. However, it now seems that I was the first one to report this new move by the spammers, as the other reports and news items about it didn't start to appear until around mid-day [UK time] on the 18th.

The gangs behind these 'pump-n-dump' scam spam runs have been very inventive so far, as they have already used graphical spam, animated graphical spam, subliminal animated graphical spam, Word document spam, Excel spreadsheet spam and finally PDF/FDF [Adobe Acrobat] spam. This list doesn't include the basic ASCII [Text] and HTML spam they still use, as well as the ZIP and RAR files used as containers for many of the file formats they have used.

I wonder what they'll try next? Video spam?

Here are some links to some of the other coverage of this move to using Audio spam:


There are also lots of news items appearing based on information supplied from the above, especially from my friend Graham Cluley who works for Sophos.

Addendum: Here's a link to one of the MP3 spam audio files I received, so that you can hear it yourself. However, please don't fall for the scam, you won't buy the stock offered will you?

For the techies out there, the file is encoded at 16Kbps. Most MP3 music files are encoded between 128-256Kbps.
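For the techies, a way to turn that observation into an attachment-triage check. This is an added example, not code from the original post or from any spam-filtering product: it decodes the first MPEG audio frame header of an MP3 attachment [after skipping any ID3v2 tag] and flags mono files at speech-grade bitrates such as the 16 kbps used here. The two sample byte strings are constructed headers only, with no audio payload.

```python
import struct

# Bitrate tables in kbit/s, indexed by the 4-bit bitrate index (0 = free format, 15 = invalid).
# MPEG-2.5 shares the MPEG-2 tables, so only two version keys are needed.
BITRATES = {
    ("MPEG-1", 1): [0, 32, 64, 96, 128, 160, 192, 224, 256, 288, 320, 352, 384, 416, 448],
    ("MPEG-1", 2): [0, 32, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384],
    ("MPEG-1", 3): [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320],
    ("MPEG-2", 1): [0, 32, 48, 56, 64, 80, 96, 112, 128, 144, 160, 176, 192, 224, 256],
    ("MPEG-2", 2): [0, 8, 16, 24, 32, 40, 48, 56, 64, 80, 96, 112, 128, 144, 160],
    ("MPEG-2", 3): [0, 8, 16, 24, 32, 40, 48, 56, 64, 80, 96, 112, 128, 144, 160],
}
SAMPLE_RATES = {
    "MPEG-1": [44100, 48000, 32000],
    "MPEG-2": [22050, 24000, 16000],
    "MPEG-2.5": [11025, 12000, 8000],
}
VERSIONS = {0b00: "MPEG-2.5", 0b10: "MPEG-2", 0b11: "MPEG-1"}  # 0b01 is reserved
LAYERS = {0b01: 3, 0b10: 2, 0b11: 1}                           # 0b00 is reserved


def skip_id3v2(data):
    """Return the offset of the first audio byte, skipping a leading ID3v2 tag if present."""
    if data[:3] == b"ID3" and len(data) >= 10:
        size = 0
        for b in data[6:10]:          # tag size is 'syncsafe': 4 bytes of 7 bits each
            size = (size << 7) | (b & 0x7F)
        return 10 + size
    return 0


def parse_frame_header(data, offset=0):
    """Decode the 32-bit MPEG audio frame header at offset; None if it is not a valid header."""
    if len(data) < offset + 4:
        return None
    hdr = struct.unpack(">I", data[offset:offset + 4])[0]
    if (hdr >> 21) & 0x7FF != 0x7FF:
        return None                   # the 11 frame-sync bits must all be set
    version = VERSIONS.get((hdr >> 19) & 0b11)
    layer = LAYERS.get((hdr >> 17) & 0b11)
    bitrate_index = (hdr >> 12) & 0xF
    sample_index = (hdr >> 10) & 0b11
    if version is None or layer is None or bitrate_index in (0, 15) or sample_index == 3:
        return None
    table_version = "MPEG-1" if version == "MPEG-1" else "MPEG-2"
    return {
        "version": version,
        "layer": layer,
        "bitrate_kbps": BITRATES[(table_version, layer)][bitrate_index],
        "sample_rate_hz": SAMPLE_RATES[version][sample_index],
        "mono": ((hdr >> 6) & 0b11) == 0b11,   # channel mode 0b11 = single channel
    }


def first_frame(data):
    """Find and decode the first valid frame header after any ID3v2 tag."""
    offset = skip_id3v2(data)
    # Scan a little way forward in case of padding between the tag and the audio.
    for pos in range(offset, min(len(data) - 3, offset + 4096)):
        if data[pos] == 0xFF:
            info = parse_frame_header(data, pos)
            if info:
                return info
    return None


def looks_like_speech_spam(data, max_kbps=32):
    """Triage rule: mono at a very low bitrate is speech-grade, as in the 16 kbps spam audio."""
    info = first_frame(data)
    return bool(info) and info["mono"] and info["bitrate_kbps"] <= max_kbps


# Constructed samples: an ID3v2 tag with a 5-byte body followed by an MPEG-2 Layer III
# 16 kbps / 22.05 kHz mono header, and a bare MPEG-1 Layer III 128 kbps / 44.1 kHz stereo header.
SPAM_LIKE = b"ID3\x03\x00\x00\x00\x00\x00\x05" + b"\x00" * 5 + b"\xff\xf3\x20\xc0"
MUSIC_LIKE = b"\xff\xfb\x90\x00"

if __name__ == "__main__":
    for name, blob in (("spam-like", SPAM_LIKE), ("music-like", MUSIC_LIKE)):
        print(name, first_frame(blob), "flag:", looks_like_speech_spam(blob))
```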

As a final thought, I suppose you could call this a genuine product of a spam robot? ;-)



Wednesday, 17 October 2007

Stealthed Spam

Here's an interesting trick that the spammers are increasingly using to defeat not only software and hardware anti-spam defences but also "wetware" anti-spam defences; wetware is the geek/nerd term for you, dear reader, the interface between the chair and the keyboard. ;-)

Stealth is not a new idea; computer viruses and other malware have been using techniques to hide since the very beginning of the problem on IBM and compatible PCs. In fact the very first virus on this platform, 'Brain', used stealth. Also, most of you are aware that stealth is widely used by the military, not only to make warplanes invisible [or almost] to radar and other tracking technologies, but also warships.

So, what do these 'Stealthed' spam e-mails look like?

Well, to answer that question take a look at the screenshot of just three of the many I've so far received:

The first one claims to be from 'Parents.com':



The second one claims to be from 'Television Food Network':



The third and final one claims to be from 'Charles Schwab & Co.':



With all of the above examples, all the URLs [web-links] used in the e-mail point to the real site, not a spammy one. All the text is real, taken from real newsletters/e-mails from the targeted company. These e-mails pass the tests that most of us use to decide if something is spam or not; in other words they pass the 'Eyeball' test fairly easily, as they look like genuine e-mails from real companies. The only missing pieces are any remote graphics, which most e-mail programs will not show, at least not by default.

So, what do they look like when I enable 'allow remote images' in the e-mail program?

They look like this:







Now they all fail the 'Eyeball' test with ease.

Why do I call these 'Stealthed Spam'? Well, simply because the spam component is hidden and not in plain view.
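One way to catch this trick mechanically, added here as an example and not code from the original post: since every link in a stealthed spam points at the real company, compare the hosts serving the remote images against the hosts the links point to and the claimed sender domain, and flag any image that comes from somewhere else. The sample HTML body, the company domain and the image host are all constructed; the registrable-domain helper is a crude last-two-labels approximation, an assumption that does without a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkAndImageCollector(HTMLParser):
    """Collect the hosts referenced by <a href> and <img src> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.link_hosts = set()
        self.image_hosts = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            host = urlparse(attrs["href"]).hostname
            if host:
                self.link_hosts.add(host.lower())
        elif tag == "img" and attrs.get("src"):
            host = urlparse(attrs["src"]).hostname
            if host:  # inline data: URIs and relative paths have no host, so are not remote
                self.image_hosts.add(host.lower())


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list); IP literals unchanged."""
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_stealthed_images(html_body, claimed_sender_domain):
    """
    Return remote image hosts whose domain matches neither the claimed sender domain
    nor any domain that the e-mail's links point to. In a stealthed spam every link
    goes to the real company and only such off-domain images carry the pitch.
    """
    parser = LinkAndImageCollector()
    parser.feed(html_body)
    trusted = {registrable_domain(h) for h in parser.link_hosts}
    trusted.add(registrable_domain(claimed_sender_domain.lower()))
    return sorted(h for h in parser.image_hosts if registrable_domain(h) not in trusted)


# Constructed sample: a newsletter-style body whose links and logo all belong to the
# (fictional) real company, plus one image fetched from an unrelated address.
SAMPLE_HTML = """
<html><body>
<p>Read this week's recipes at <a href="http://www.example-network.com/recipes">our site</a>.</p>
<img src="http://images.example-network.com/logo.gif" alt="logo">
<img src="http://203.0.113.7/promo.gif" alt="">
<p><a href="http://www.example-network.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

CLEAN_HTML = """
<html><body>
<p><a href="https://www.example-network.com/recipes">This week's recipes</a></p>
<img src="https://images.example-network.com/banner.gif" alt="banner">
</body></html>
"""

if __name__ == "__main__":
    print("stealthed:", find_stealthed_images(SAMPLE_HTML, "example-network.com"))
    print("clean:", find_stealthed_images(CLEAN_HTML, "example-network.com"))
```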

As they say, "Keep 'em peeled!", which means keep your eyes open and stay alert. Or, as others might say, "don't believe everything you see or read"; it may be a clever fake.

If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!



Friday, 12 October 2007

Catastrophic Infector

Have you been receiving e-mails stating that you have received an e-card, more precisely a Crazy Cat or Laughing Kitty or other Cat related word-play cards?

If so then there is something you should know: there is no e-card, this is another new 'Storm Worm' run in progress. This one is using a new topic, cats, as the bait, which is not one we've seen them use before.

This is what one of the new e-mails looks like:



And here is what you'll see if you click on the link:



What you won't see is that, as usual with most Storm Worm sites, a vulnerable system is being compromised and infected in the background without any need for you to click on the link in the webpage. You are fully patched, aren't you? Even if you are fully patched, do not download and run the file offered, as it is malware. Every link on the page is to the malware file, currently named 'SuperLaugh.exe'.

However, if you have a decent, up-to-date anti-malware product you will be protected, as you can see from the screenshot below:



To save you falling for this, and letting curiosity kill the cat, I have included a first for this blog. I recorded a video of the page, complete with the infectious laughter that accompanies the fake e-card.

So, if you must see what the full page looks like while not getting infected, then be a cool cat and use the video link I've provided.

UPDATE: I've now created a YouTube account and posted it there.



All anti-malware tools should detect this new 'Storm Worm' variant before the end of the day.

If you like the use of video to show a new threat, then please let me know and I'll try and include them in future, where feasible.



Monday, 8 October 2007

Cyber-Laundry?

No, this isn't about the place you take your 'virtual clothes' to be cleaned in 'cyber-space' or 'virtual worlds' such as 'Second-Life'. It is about something quite different.

I have recently been seeing e-mails claiming to be from a firm called 'Draper Investment Company LLC'. A screenshot of one of the many e-mails I have so far received from them appears below:



Clicking on the link in the e-mail takes you to the following very professional looking site, complete with a 'Flash' [SWF] banner:



If you click on the second link in the e-mail, the one that claims to take you to the 'application form', then this is what you'll see:



If you were in need of a part-time job, to fit around your family, or if you were a starving student, you may well be tempted to apply. I mean, the rates look 'very' good for very little of your time, in fact they seem almost 'too good to be true', and that should be setting off little alarm-bells in your head. But, just in case it hasn't done so, what does the 'Site Advisor' from 'McAfee' make of the site, let's see:



Well, are you still tempted now? Can you hear the alarm-bells now? No? Well, let's see what 'Netcraft' has to say about the site, shall we?



Still interested? Nope, I thought not. But, just in case you were, you should be aware of the following, as you are not only aiding and abetting cyber-criminals in laundering money stolen from accounts acquired via Phishing, you may also be helping to fund 'International Terrorists' too! Yes, that's right, you could be unwittingly helping 'Terrorist' groups, like 'Al Qaeda' and others of their ilk.

Both the Netcraft Anti-Phishing-Toolbar and the McAfee SiteAdvisor are FREE browser plugins which work with not only IE [Internet Explorer] but also Firefox. Neither are a 'Silver Bullet' for the Phishing and related Cyber-crime problem, but they are useful in the fight against the scumbags that try to either steal your identity or try and get you to work for them. In other words, these tools just might help to stop you being taken to the cleaners, or being one of the cleaners.

So, in summary, you would be working as a 'Mule' and 'Laundering' stolen funds, you do know what a 'Mule' is don't you?

The answer is this:
We are not talking about four legged creatures that are half horse and half donkey....think more of drug couriers who are more usually referred to as Mules!

Now, in most cases Mules are those that either carry things for others [hence the use of the term] or act as laundering points, such as in organized crime syndicates; they do the dirty work of moving material from A to B and usually have little or no idea that what they are doing is illegal. They may even be acting as a Mule under duress, such as blackmail, etc.

There have been a number of people who have recently been recruited as Mules by the Phishers to help process the funds stolen during the latest Phishing Trawl, but the Mule doesn't know that they are helping criminals... They believe that they have a 'real' job helping financial companies with 'excess' workload or helping to test the companies security by logging in using the stolen credentials and moving money to other accounts...scary huh?

In fact, because the cyber-criminals behind the Phishing and other Identity-Theft crimes have been so successful, they have more data than they can easily deal with. This is why they are now trying so hard to recruit 'you' as a money-mule or cyber-launderer.

Of course, when the authorities catch up with the Mules and they are arrested and charged, they are often shocked that they had been so naive and feel rather 'used'.

So next time you see a job ad on the web, in the local paper or receive a job offer via e-mail, stop and think is this really legit, or am I about to be turned into a mule...



Friday, 5 October 2007

Warnen, Bin Ich Ansteckend

For those of you that don't speak or read/write German, the title of this post roughly translates as: 'Warning, I am infectious'.

Hmmm...seems to be a rather busy day for me today!

This posting is mainly a warning for those of you out there that speak German, although if you don't you could still give in to your curiosity with potentially disastrous results.

Here's a screenshot of an e-mail I started to see this morning:



This is a screenshot of the website that the link in the e-mail takes you to:



If you are curious enough to click on the hyperlink at the foot of the web page a file gets downloaded; at this time the file is called, 'behnert.exe'.

More data on the file can be found here: http://momusings.com/vsub/2007/10/vs0710002-possible-new-malware-bzub.html

I've submitted the file to the anti-virus vendors, so detection should be near complete within 24 hours.

The core of the e-mail claims that 'Anne Behnert' went to the same school in Germany that I attended. This might have been more believable if I had gone to school in that country, but I didn't. However, ironically I was born there!

Here are 'Google' translations of text from both the e-mail and the webpage, as you'd expect the translations are not very good:

E-Mail text:
Did you recognize me? I bin's Anne Behnert.
I imagine in such a way, we would have with you in a school gelernt.
It is stop much time past and so can you you to me probably not more erinnern.
And I cannot forget it yet, we was best friends.
Do you remember those walks after the school? This was genuinly cool, gell?
It was however everything after the removal of my parents to end.
We pulled into another city.
I had to leave you all of the school and I felt so lonely at that time, remained completely alone and the feeling of the isolation deprimierte me riesig.
Then I have new contacts constructed and now give it again friends, am long already however completely different history!
And I remember nevertheless nearly nobody from the school, thus only you.
I would like that we further constantly communicate ourselves könnten.
Do you want to times actually see, how I look now?

Web page text:
There are you here probably because of my invitation or perhaps only that you can know me.
However I am pleased much to see you here!
I learned in several schools, because my parents from place had pulled to place. First it was very unpleasant for me, then I had resigned myself to it. I became acquainted with a great many people only volatilely. Some of it, these were not bad I directly forgot, some were o.k., with which I would maintain still gladly relations, could however because of some circumstances. And now, if I arose want I mean friendship volumes again to strengthen! Well that I must now nirgendswo him and one can make oneself after the search!
After tormenting school I began with the study and then was successfully finished I with it. Momentarily I work as a child psychologist. Whether it to be strange should:)? I feel very destined as it. From my childhood I am very much accustomed to the children. And now I help them.
That was actually everything! I am pleased to your answer!
So I am it now.

So, hopefully you can see why I entitled this blog post as I have, as she is indeed infectious?

Interestingly a similar e-mail, this time in English, is mentioned on the Sophos Blog, here: http://www.sophos.com/security/blog/2007/10/623.html


Hentai Malware E-Mail

Heads-up, there is a new 'Storm Worm' run in progress.

This is what one of the new e-mails looks like:



Yes, I've modified a certain 'area' of the screenshot as it may be considered 'explicit' and/or unsuitable for publishing in its original form, by many people.

The unusual thing about this version, apart from the change in subject matter to try and get you to infect your computer, is that the e-mail doesn't link to a remote site; instead, there is a file attached to the e-mail.

The attachment in this example is currently called 'hent.zip' and it contains a file called 'hent.exe'.

More data on the file can be found here: http://momusings.com/vsub/2007/10/vs0710001-possible-new-malware-agent.html

Some other data suggests that the body may be quite variable, and in some cases also padded out with text from data stolen from other websites.
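One way a mail gateway could flag this change in delivery method, as an added example that is not the blog's own code: it parses a constructed message carrying a zip attachment and reports any executable members inside the archive. The attachment and member names follow the sample above; the sender, subject and payload bytes are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that have no business arriving inside an e-mailed archive
# (the run described above hid hent.exe inside hent.zip).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample_message() -> bytes:
    """Construct a sample message mimicking the run: a zip attachment wrapping an .exe.
    Sender, subject and payload bytes are constructed, not taken from a real sample."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        # Constructed, inert stand-in for a PE file: just the 'MZ' magic plus padding.
        zf.writestr("hent.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"  # constructed sender
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "new pictures"  # constructed lure subject
    msg.set_content("see attached")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="hent.zip")
    return msg.as_bytes()


def archived_executables(raw: bytes) -> list:
    """Return (attachment name, member name) pairs for executables found inside
    zip attachments of a raw RFC 822 message. Non-zip and corrupt attachments are skipped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_SUFFIXES):
                        hits.append((name, member))
        except zipfile.BadZipFile:
            # Damaged archive: cannot be inspected here, so it is not reported as a hit.
            continue
    return hits


if __name__ == "__main__":
    for attachment, member in archived_executables(build_sample_message()):
        print(f"quarantine candidate: {attachment} contains {member}")
```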

I've submitted the file to the anti-virus vendors, so detection should be near complete within 24 hours.


Yahoo Mail Lottery Win!

Wow, look at this e-mail I've just been sent. According to it I've won FIVE HUNDRED AND TWENTY THOUSAND DOLLARS!




So, it claims to have come from 'Yahoo', but on closer inspection it has actually come from a 'Freemail.de' account. Obviously things are getting tough at 'Yahoo' if they can't afford to run their own mail servers and domains anymore, but they can afford to give me FIVE HUNDRED AND TWENTY THOUSAND DOLLARS as a prize? Doesn't add up, does it?

OK, I'll let you in on a secret: there is no such lottery, and there is no 'FIVE HUNDRED AND TWENTY THOUSAND DOLLARS' waiting for me (more's the pity ;-)). Yes, the e-mail is nothing more than another variant of the 419 Lottery scam, which I've covered many times before on this blog.

This one isn't as ingenious as the ones I blogged about before, but it is a good try and people will get sucked in and believe that they have won a large pile of money, so you have been warned. As I often state "If something seems too good to be true, it probably is [too good to be true]". In other words "There ain't no such thing as a free lunch!"

This seemed a rather timely post as a major 419 gang has been arrested in Nigeria. Here's a snippet from the BBC news item:

"Thousands of fake cheques worth some £8m ($16.2m) have been seized in an attack on international e-mail scams.

The cheques, offered as prizes in exchange for a fee and destined for the UK, were recovered in Nigeria by the Serious Organised Crime Agency (Soca).

The month-long investigation into the fraud uncovered more than 4,500 forged and fraudulent documents.
UK officials are working with agencies in the US, the Netherlands, Canada and Spain to tackle "mass marketing fraud".
A handful of people have been arrested in the UK with almost 70 more held overseas.
"

The really interesting thing about this story is that Internet Dating sites were also being used to 'hook' victims. Those who were behind the scheme were pretending to be Nigerian women, when in fact they were all men. It only goes to show just how careful you have to be when chatting/e-mailing people you haven't met in real-life. As the saying goes, "On the internet, nobody knows you're a dog."

On the dating theme, it appears that the picture used [of the bogus Dr. Moore] has been 'borrowed' from CupidBay.com, very spooky!

Right, time for my walkies, now where's my collar and lead ;-)


Tuesday, 2 October 2007

Virus Bulletin 2007 Conference Review

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2007 conference, which was held at the Hilton Hotel in Vienna, Austria, between the 19th and 21st of September.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


"A warm and friendly welcome to Vienna, unless you're a Kangaroo!" ;-)

Day 1 - Wednesday 19th September 2007
The first day of the conference started at 10:30 with Helen Martin's opening address; this was followed at 11:00 by "A road to big money: evolution of automation methods in malware development", presented by Maksym Schipka from MessageLabs on the Technical Stream. As always, Maksym's talk was both interesting and contained lots of useful information.

The final session on the Corporate Stream before lunch was also interesting, a presentation by Abhilash Sonwane of Cyberoam entitled "Changing battleground: security against targeted, low-profile attacks". This talk touched on cyber-crime and targeted attacks, which would be mentioned throughout most of the rest of the conference presentations, from different perspectives.

Then it was time for lunch.

After lunch, the conference continued in its normal two stream mode: Corporate Stream and Technical Stream. Normally I spend most of the conference in the technical stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream. The first two presentations after lunch were:

  • DSD Tracer - implementation and experimentation - Boris Lau, Sophos

  • Pimp my PE: taming malicious and malformed executables - Casey Sheehan, Sunbelt Software

Then we had a short break for tea and coffee before attending the final pair of presentations on the Technical Stream. These were:

  • Anti-rootkit safeguards: welcome Vista - Aleksander Czarnowski, Avet

  • Patching. Is it always with the best intentions? - Alex Hinchliffe, McAfee

I decided to sit in on one of the two vendor presentations after the day's main proceedings, and I chose my good friend Larry Bridwell from Grisoft [AVG]. It was a great presentation: instead of the dry marketing material he was given, he gave a very entertaining one. This rounded off the day wonderfully!

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

Day 2 - Thursday 20th September 2007
Day two started early for me as I was the first speaker to present on the Corporate Stream, so I had to get there early to check that my laptop worked fine with the projector, it did.

So, promptly at 09:00 I gave my own presentation based on my paper entitled "The journey so far: trends, graphs and statistics". Instead of trying to cover everything in the paper, all 30,000 words of it, I decided to just cover the key statistics, trends and a few examples, such as Brain, Casino and Ambulance.A, as well as some e-mail worms, such as Sircam, Loveletter and MyParty. When I was researching the paper I noticed that quite a few myths existed about the early days of malware, so I covered a number of these too.

I even finished on time and got asked several questions.

Next up, straight after me was the following presentation:

  • What a waste - the AV community DoS-ing itself - Joe Telafici, Dmitry Gryaznov, McAfee

This was an interesting look at sample sharing between security companies and researchers; the end result is often lots of duplicated samples and sets, which can easily be in excess of 500GB. In fact, the guys from McAfee are seriously looking at drives that have a larger capacity than 1TB.

Then it was time for a quick tea/coffee break. During this I received quite a lot of very positive feedback on my presentation, as well as discussing several issues that I had mentioned with some of the original researchers who were there when the events I covered happened. The results from these discussions have enabled me to update my paper to be more accurate and to offer yet another set of first-hand witnesses to those events.

After the break I decided to stay on the Corporate Stream for the rest of the morning. These were the next batch of presentations:

  • The WildList is dead, long live the WildList! - Andreas Marx, Frank Dessmann, AV-Test.org

  • Have you got anything without spam in it? - Tim Ebringer, CA

  • A testing methodology for rootkit removal effectiveness - Josh Harriman, Symantec

Although all of these were interesting, I found the presentation by Josh Harriman particularly engaging. He covered the results of tests with rootkits against cleaning/removal tools and showed that fairly often they don't remove all the components of the rootkit and/or the other system changes made by them.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

After lunch, once more I decided to sit in on the Corporate Stream until the tea/coffee break, at least. The next two presentations were:

  • Transforming victims into cyber-border guards: education as a defence strategy - Jeannette Jarvis, Microsoft

  • Phish phodder: is user education helping or hindering? - Andrew Lee, Eset; David Harley, Small Blue-Green World

Both of these were interesting, and in the case of the latter one also quite amusing as David and Andy's presentation included a 'Game Show'.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Technical Stream as I was chairing the next two 'Last-minute' presentations, these were:

  • Andrew Walenstein, University of Louisiana at Lafayette

  • Erik Wu and Feike Hacquebord, Trend Micro

This is a new section of the conference, and it seemed to work reasonably well, although in some cases the presenters appeared to have submitted presentations that were originally meant for the normal 40 minute slots, rather than the 20 minute slots they tried to shoe-horn their longer presentation into. I think this area still needs a little tweaking. In fact, although this was only being tried out on the Technical Stream it may well be better suited to the Corporate Stream instead.

After these, I made a quick dash back to the final presentation on the Corporate Stream. This was:

  • Pump-n-dump for fun & profit: an in-depth look into stock spam and brokerage account compromise operations - Dmitri Alperovitch, Secure Computing

This was a very interesting presentation as it suggested that the so-called Pump-n-Dump scams didn't work the way many of us had imagined. It was less Pump-n-Dump and more just dump the stock they had acquired by creating an artificial market for it.

As on the first day of the conference, I decided to sit in on a vendor presentation after the day's main proceedings. This time it was Vinny Gullotto from Microsoft; as with Larry's, it was an entertaining one with very little marketing. Vinny also let slip that he had a waiting list of malware/anti-malware researchers who wanted to join him at Microsoft. This immediately put me in mind of the song "As some day it may happen" from Gilbert and Sullivan's "The Mikado", where the song is sung by Ko-Ko (The Lord High Executioner) as he goes through an imaginary list. So much so, that I found it hard not to whistle the tune! ;-)

Later we had the "pre-dinner drinks and the Gala dinner and cabaret". As always the food was excellent and the entertainment was typically Viennese: two couples performing various types of waltzes. This was followed up, after dessert, by our own private casino.

Day 3 - Friday 21st September 2007
The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Menace 2 the wires: advances in the business models of cybercriminals - Guillaume Lovet, Fortinet

This presentation expanded on the one that Guillaume had given last year, which included a quote that claimed that "Cyber-crime was now more profitable than running drugs". Once more he had some very interesting material to share, including a fax from the CEO of e-Gold.

So, another quick tea and coffee break and then more from the Corporate Stream:

  • The trojan money spinner - Mika Ståhlberg, F-Secure

  • Once upon a time a trojan... - Luis Corrons, Panda

  • New approaches to categorising economically-motivated digital threats - Anthony Arrott, David Perry, Trend Micro

All of these were very good and interesting talks and all covered cyber-crime in one form or another.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all, especially by those who were trying to trick Jeannette Jarvis of Microsoft.

After lunch I spent the first part of the afternoon on the Technical Stream. These were the presentations I sat in on:

  • A deeper look at malware - the whole story - Bryan Lu, Fortinet

  • Malware removal - beyond content and context scanning - Tom Brosch, Maik Morgenstern, AV-Test.org

Both of these were interesting if a little obscure in parts. Both talks prompted a number of questions from the audience. Then it was time for the final refreshments break. Yes, it was the very last VB2007 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference were straight after the break and I decided that I'd sit in on the last one on the Corporate Stream. This was:

  • Future threats - John Aycock, Department of Computer Science, University of Calgary; Alana Maurushat, Faculty of Law, University of New South Wales

Although all the conference papers presentations had finished there was a very interesting and lively panel discussion:

  • The fight against international cyber crime - enforcing the law - David Thomas, FBI, Stacy Arruda, FBI, Kevin Zuccato, Australian Federal Police, Mark Oram, CPNI

Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin. It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be a case of "I'm Spartacus", as a lot of people seemed to be wearing Dr. Vesselin Bontchev's name badge, and no, it wasn't him in varying disguises either!

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2007/slides/index.xml

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2007/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Vienna, here: http://www.flickr.com/photos/14178057@N07/sets/72157602179472057/detail/

Yes, the pictures include the "welcoming statue", along with details on where in Vienna the picture was taken.

Oh yes, before I sign off, I really ought to own up that I, rather ironically, caught a virus whilst attending the Virus Bulletin conference! No, not a computer virus, a cold/flu variant. At least it waited for me to get back home before it knocked me off my feet and left me sounding like Barry White (after gargling bricks and broken glass). Back in Chicago [VB2004] I wasn't so lucky, I went down with almost the same thing whilst travelling to Chicago and tortured everyone that came to my presentation with my 'interesting' vocal range; from deep-bass, to Kermit-the-frog-a-like, to loss-of-signal. I don't know who suffered more, the audience or me ;-)

Well, that's another VB conference covered. I'm already looking forward to the possibility of attending next year, when it will be in Ottawa, Canada at the start of October 2008. Right, now I need to find some ideas for a few abstracts to submit... any suggestions?
