MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Monday, 31 December 2007

More New Year Storm Waves...

It seems that four waves of New Year Ecard notification e-mails isn't enough for the Storm Worm Gang, with the weekend bringing two more nice new shiny versions. It looks like the Storm Worm Gang are stuck in a rut at the moment; you can see what I mean from the screenshots I captured and have included in this posting!

Here's a screenshot of what just one of the fifth wave of New Year based emails looks like:



The body text can be one of a number of text strings and the link, at the moment, is once more an actual domain name [yet another new one] rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the fifth wave of New Year themed e-mails.




Here's a screenshot of what just one of the sixth wave of New Year based emails looks like:



The body text can be one of a number of text strings and the link, at the moment, is once more an actual domain name [yes, yet another new one!] rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the sixth wave of New Year themed e-mails.



The website HTML code is the same as in the last three waves and still includes a JavaScript routine to obfuscate the URL to the malware file being offered as a fake New Year Ecard; in this case the real filename being offered is still 'happynewyear2008.exe' in both of the new waves seen over the weekend.

Just to make it crystal clear, the file offered on this site will NOT show you a seasonal 'New Year E-card!'; all that will happen is that your computer will be infected and turned into a zombie [bot infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.

At the time of publishing this entry, detection was still very patchy, with a number of the top anti-virus products not detecting the malware-laden file as infected; you have been warned.

I'm just wondering how many waves it is going to take to get the Storm Worm Gang to change their tactics once more, any offers? ;-)

UPDATE1:
More new waves have now appeared; these use the following domain names and filenames:

Domain: happy2008toyou . com hosting the Filename: happy_2008.exe [31st Dec 2008]

Domain: hellosanta2008 . com also hosting the Filename: happy_2008.exe [31st Dec 2008]

Domain: hohoho2008 . com also hosting the Filename: happy_2008.exe [31st Dec 2008]

Domain: happysantacards . com also hosting the Filename: happy_2008.exe [31st Dec 2008]

Please do not go to those sites and download the files offered, as they are real, live, malware.

I've now created and put up a video on my YouTube channel here: http://www.youtube.com/momusings. This shows all ten of the New Year fake e-card sites, from the start on the 26th of December 2007 until the tenth variant, which arrived mid-afternoon on the 31st December 2007.

UPDATE2:
More waves were released on the 1st and 2nd of January; these use the same e-mail notifications, and the website style is similar to that used in the previous waves. They are using more new domains, details below:

Domain: santapcards . com hosting the Filename: happy_2008.exe [1st Jan 2008]

Domain: parentscards . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]

Domain: postcards-2008 . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]

Domain: santawishes2008 . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]

Domain: merrychristmasdude . com also hosting the Filename: happy_2008.exe [3rd Jan 2008]

As mentioned before, please do not go to these sites and download the files offered, as they are real, live, malware.
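As an added example (my own code, not from the original post), here is a small Python indicator parser and link checker built on the two lists of defanged domains above: it refangs the 'Domain: ... hosting the Filename: ...' lines into a blocklist, then flags URLs in a constructed sample e-card notification that point at those hosts, going slightly beyond the post by also matching sub-domains such as www.<domain>. The sample e-mail is constructed; the indicator lines and their dates are copied exactly as written above.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import urlparse


class Indicator(NamedTuple):
    """One Storm e-card site: refanged hostname, payload filename, date as written in the post."""
    domain: str
    filename: str
    first_seen: str


# Indicator lines copied verbatim from the two updates above (defanged with " . ").
INDICATOR_LINES = """
Domain: happy2008toyou . com hosting the Filename: happy_2008.exe [31st Dec 2008]
Domain: hellosanta2008 . com also hosting the Filename: happy_2008.exe [31st Dec 2008]
Domain: hohoho2008 . com also hosting the Filename: happy_2008.exe [31st Dec 2008]
Domain: happysantacards . com also hosting the Filename: happy_2008.exe [31st Dec 2008]
Domain: santapcards . com hosting the Filename: happy_2008.exe [1st Jan 2008]
Domain: parentscards . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]
Domain: postcards-2008 . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]
Domain: santawishes2008 . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]
Domain: merrychristmasdude . com also hosting the Filename: happy_2008.exe [3rd Jan 2008]
"""

# Matches "Domain: <defanged host> [also] hosting the Filename: <file> [<date>]".
LINE_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+(?:\s*\.\s*\S+)+)\s+(?:also\s+)?hosting the Filename:\s*"
    r"(?P<filename>\S+)\s*\[(?P<seen>[^\]]+)\]"
)

# Loose URL matcher for e-mail bodies; stops at whitespace and HTML/quote delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(domain: str) -> str:
    """Collapse the ' . ' defanging used in the post back into a real, lower-cased hostname."""
    return re.sub(r"\s*\.\s*", ".", domain.strip()).lower()


def parse_indicator_line(line: str) -> Optional[Indicator]:
    """Parse one 'Domain: ... hosting the Filename: ...' line; None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Indicator(refang(m["domain"]), m["filename"].lower(), m["seen"].strip())


def build_blocklist(text: str) -> Dict[str, Indicator]:
    """Turn the update text into a hostname -> Indicator map, skipping blank/other lines."""
    blocklist: Dict[str, Indicator] = {}
    for line in text.splitlines():
        ind = parse_indicator_line(line)
        if ind is not None:
            blocklist[ind.domain] = ind
    return blocklist


def lookup_host(host: str, blocklist: Dict[str, Indicator]) -> Optional[Indicator]:
    """Exact hostname match first, then parent-domain match (e.g. www.<domain>)."""
    if host in blocklist:
        return blocklist[host]
    for domain, ind in blocklist.items():
        if host.endswith("." + domain):
            return ind
    return None


def classify_url(url: str, blocklist: Dict[str, Indicator]) -> Tuple[str, str]:
    """Return (verdict, reason): 'malware-link', 'suspicious' or 'clean'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    ind = lookup_host(host, blocklist)
    if ind is None:
        return "clean", ""
    if parsed.path.lower().endswith("/" + ind.filename):
        return "malware-link", (f"known Storm e-card payload {ind.filename} on "
                                f"{ind.domain} [first seen {ind.first_seen}]")
    return "suspicious", f"link to known Storm e-card domain {ind.domain}"


def scan_email(body: str, blocklist: Dict[str, Indicator]) -> List[Tuple[str, str, str]]:
    """Extract every URL in an e-mail body and classify it against the blocklist."""
    return [(url, *classify_url(url, blocklist)) for url in URL_RE.findall(body)]


# Constructed sample notification, modelled on the fake e-card e-mails described above.
SAMPLE_EMAIL = """Happy New Year! Your friend has sent you a New Year ecard.
Click here to view it: http://hohoho2008.com/happy_2008.exe
Or pick it up at http://www.santawishes2008.com/
Also in this digest: http://www.example.com/newsletter
"""

if __name__ == "__main__":
    bl = build_blocklist(INDICATOR_LINES)
    for url, verdict, reason in scan_email(SAMPLE_EMAIL, bl):
        print(f"{verdict:13} {url}  {reason}")
```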

Friday, 28 December 2007

November 2007 Malware Review

November was another very busy month for me as I was involved in several projects for customer accounts, as well as dealing with my usual workload. This meant that I didn't have as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against the figures from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts; these are:

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 476 samples during November, which have been catalogued as just 27 distinct families and variants. In comparison during October I captured 649 samples which were catalogued as 35 distinct families/variants. As you can see the captures in November are down once more and very close to September's total.

During November I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown, once more, by November's statistics the general trend is still downwards. It still appears that social-engineering is very much the technique of choice this year. I believe that 2007 should be known as the year of the social engineer.

During November I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 72 percent of the samples captured in November, down from the high points of 82 percent in August and 77 percent in October.

As in both September's and October's charts there are still eight members of the Opaserv.worm family in November's chart. These are variants: AE, AC, AJ, D, A, AH, AI and AD in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot left is once more occupied by our old friend Netsky.P who is static in the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply put, my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running around the Internet in the way of net nasties.

We have a new pole-sitter in November's Kaspersky chart, this being Scano.gen, which is a re-entry to the top ten.

In the runner-up spot we have another re-entry, this being Mytob.t, and as you can see in the top 10 from Kaspersky [above] for November, Mytob.c has reversed its slide down the chart in October, climbing back up from tenth to fifth place.

Netsky.q [aka P] has dropped out of the top 10; however, two [down from three] other family members remain: Netsky.t, which has continued its slide down the chart, slipping from seventh to tenth spot, and Netsky.x, a re-entry, back into the chart to snatch the final podium place; third.

One of last month's new entries, Trojan-Spy.HTML.Fraud.ay, has slipped down two places from second to fourth.

The next three places, sixth, seventh and eighth, are all taken by re-entries. These are IMG-WMF.y, Warezov.pk and Lovegate.W respectively.

The final free slot in November's chart is taken by a new entry, this being another member of the Warezov family, Warezov.um, in ninth place.

Kaspersky had this to say about November's chart:
"The volatility of the ratings is currently so marked that any malicious program which is in the ratings this month could either take first place next month, or disappear off the bottom end of the table.
There's only one program in this month's Top Twenty which barely changed its position, and that's Trojan-Spy.HTML.Fraud.ay, a phishing attack. In November this program took fourth place, whereas last month it was in second place. The Trojan program targets users of Yandex.Dengi (the Yandex e-payment system). It's not a particularly original piece of malicious code, and both antivirus programs and spam filters can detect it easily. Meanwhile, the fake sites which are part of the attack are detected by the anti-phishing modules in popular browsers."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has, rather surprisingly, lost the runner-up position from October's chart and has to make do with the final step of the podium; third. Last month's pole-sitter Troj/Pushdo has managed to consolidate its hold on pole position.

Mytob has lost more ground, sliding down the chart from fifth to sixth place. W32/Zafi has suffered a similar fate sliding down from fourth to fifth place.

Mydoom, which was a re-entry in November's chart, has once more consolidated its hold on eighth place.

There are three re-entries in November's chart: W32/Flcss, back into the chart in seventh place, W32/Strati back in ninth and W32/Bagle grabbing the final place in tenth.

To complete the chart, TraxG is up from ninth to the runner-up spot; second place. The final free place is occupied by Mal/Dropper in fourth place.

Here is some commentary on November from Sophos:
"Traxg hurtling into second position this month has come as a complete surprise, and the fact that unsophisticated worms are still slipping through the net at such a rate of knots is a clear indication that huge numbers of users, and potentially companies, are failing to install even basic anti-virus protection," said Graham Cluley, senior technology consultant at Sophos. "In first place, Pushdo continues to wreak havoc. A clear reason for its ongoing success is the guilty cybercriminal's ability to quickly create different variants, which are being spread voraciously in a range of spam messages. Each new piece of spam that harbours the trojan has been created to tempt users, and whether it's enticing them to watch videos of Britney or view naked pictures of Angelina, this fraudster's tactics are certainly working."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is still occupied by last month's re-entry, this being Netsky.

Win32.Zhelatin falls five places to tenth, Win32.Agent falls four places down to eighth and IRC.Zapchast is static in ninth place. Fifth place is occupied by W32.Funlove, which is up one place from sixth.

We have two new entries in November's chart: Win32.Protoride, straight into the chart in sixth, and W32.Heretic, which takes seventh place.

The final place in November's chart is occupied by our old friend Dupator up from seventh to fourth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of November] here. This clearly shows that November was about as active as October. As shown in the figures for November, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail attachments. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or e-mails targeting particular events, such as Christmas.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is because these e-mails contain links to malware files hosted on web servers, and the web pages they link to contain a number of exploits that try to automatically infect visitors who are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 349,851 at the end of November. That's a growth of 127,378 new malware strains and/or variants so far in 2007; in November alone the number jumped by 10,160. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be almost 139,000. Things have certainly sped up during the third and fourth quarters of 2007!

What's New?

Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during November 2007.


Conclusions:

The current trend of using social-engineering, which was widespread from January to September, has continued during October and November; if anything it has accelerated, as can be seen from the examples of the Storm Worm spam runs covered above. In fact I think it would be fair to say that 2007 has been the year of the Social Engineer.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during November as they are still trying out other file formats which they hope will bypass anti-spam defences.

The phishers have been busy, both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October, especially RBS, Nationwide and Barclays, and with new targets such as Equifax, as shown above.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer; it works just as well, and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer. It seems that the malware authors are taking lessons from the phishers, as we have seen several phishing-quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method being used in this report.

All in all, it looks like we could be in for a very interesting, and busy, final month of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:

Please note: December's report, which should be published in January 2008, may well be the last one I do for the foreseeable future due to changes in my role.

Late For Christmas, Early For New Year - TNG!

It seems that three waves of New Year Ecard notification e-mails isn't enough for the Storm Worm Gang; this morning brought me a nice new shiny version, ho hum!

Here's a screenshot of what just one of the fourth wave of New Year based emails looks like:



The body text can be one of a number of text strings and the link, at the moment, is once more an actual domain name [another new one] rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the fourth wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



As I said in my posting yesterday [27th December 2007]:
"Usually, the websites used by the Storm Worm Gang are loaded with exploit code so that any vulnerable systems get automatically infected, however, in these cases [so-far], they are just using social engineering to get you to infect your own computer by clicking on the link and running the file."

It seems that they were listening, as this new wave now includes a JavaScript routine to obfuscate the URL to the malware file being offered as a fake New Year Ecard; in this case the real filename being offered is 'happynewyear2008.exe'.

Just to make it crystal clear, the file offered on this site will NOT show you a seasonal 'New Year E-card!'; all that will happen is that your computer will be infected and turned into a zombie [bot infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.

At the time of publishing this entry, detection was still very patchy, with a number of the top anti-virus products not detecting the malware-laden file as infected; you have been warned.

Thursday, 27 December 2007

Late For Christmas, Early For New Year!

If the Storm Worm Gang left their Christmas present to all new computer users, and all existing computer users, to the last minute, they have certainly not let their New Year gifts suffer the same fate. In fact they couldn't even wait for Christmas Day to be over before they started their next campaign.

Yet again this shows the folly of publishing your end of year reports before the end of the year, as they won't include the Storm Worm runs we've so far seen during the last two weeks and anything that may happen in the last 4-5 days until the year really does end!

So, what have the Storm Worm Gang unleashed this time? They have decided to use the old favourite of 'fake e-card notifications'.

Here's a screenshot of what just one of the first wave of New Year based emails looks like:



The body text can be one of a number of text strings and the link, at the moment, is once more an actual domain name rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the first wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



However, it seems that the Storm Worm Gang weren't content with just one round of New Year wishes, and on Boxing Day [26th December] they unleashed a new version.

Wave 2:

Here's a screenshot of what just one of the second wave of New Year based emails looks like:



As with the first wave version, the body text can be one of a number of text strings and the link, at the moment, is once more an actual domain name rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the second wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



However, it seems that they still weren't happy with two rounds of New Year wishes, and today [27th December] they unleashed another new version.

Wave 3:

Here's a screenshot of what just one of the third wave of New Year based emails looks like:



As with the first and second wave versions, the body text can be one of a number of text strings and the link, at the moment, is once more an actual domain name rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the third wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



Usually, the websites used by the Storm Worm Gang are loaded with exploit code so that any vulnerable systems get automatically infected, however, in these cases [so-far], they are just using social engineering to get you to infect your own computer by clicking on the link and running the file.

Just to make it crystal clear, the files offered on these sites will NOT show you a seasonal 'New Year E-card!'; all that will happen is that your computer will be infected and turned into a zombie [bot infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.

I suspect we will see more waves of New Year attacks, but by then I suspect that the website used will contain graphics [as seen in the Christmas version], and possibly exploit code too. They may also shift to a new social-engineering attack, such as using news items once more, bringing their techniques full circle to where they began on the 19th of January 2007.

At the time of publishing this entry, detection was still very patchy, with many of the top anti-virus products not detecting the malware-laden files as infected; you have been warned.

I would like to wish you all a very happy but safe New Year...

Monday, 24 December 2007

Don't Let Mrs. Santa Get Her Claus...

...In To Your Computer This Christmas.

I knew that the so-called Storm-Worm Gang couldn't resist using Christmas as a way to get you to infect your own computers. They just left it to the last minute, knowing that most anti-virus companies have already published their 2007 end of year reports, and would have picked up on the lack of Storm Worm runs during December as part of their analysis. I suppose that will teach them to publish end of year reports before the actual year has ended?

Some odd e-mails started arriving very early this morning [UK Time]. Here's a screenshot of what just one of these looks like now:



The body text can be one of a number of text strings and the link is, at the moment and unusually for the Storm Worm Gang, an actual domain name rather than the more usual IP address based links.

Of course, when you click on the link you go to a very professional looking site, complete with falling snow! Here is a screenshot of the web page you could end up on if you click on the link in one of these Christmas themed e-mails.



Usually, the websites used by the Storm Worm Gang are loaded with exploit code so that any vulnerable systems get automatically infected, however, in this case [so-far], they are just using social engineering to get you to infect your own computer by clicking on the link or graphic and running the file.

As I've often mentioned here, the 'Bad Guys and Girls' seem to be using social engineering as their primary tool to try and get you to infect your own computer, so be very careful and make sure your system is fully patched and protected if you must let curiosity get the better of you...don't make their job even easier.

Just to make it crystal clear, the file offered on this site will NOT show you a seasonal 'Strip Show'; the only one getting stripped will be your computer! It may well be stripped of any useful personal and/or financial data, and be turned in to a zombie [bot infected computer that is part of a botnet].

At the time of publishing this entry, detection was still very patchy, with many of the top anti-virus products not detecting the malware-laden file ['stripshow.exe'] as infected; you have been warned.

I would like to wish you all a very happy but safe Christmas...

I will be posting the November Malware Review before the end of December, apologies that it is later than planned, but there have been other work and issues taking up my time.

A YouTube video showing the full effect of the website is now available here.

Friday, 14 December 2007

Amazon Adventures - Part Deux

Finally, here is the much promised second part of my recent Amazon Adventures. I warn you now, this is going to be a long post, you have been warned! ;-)

Part one can be found here.

This part is going to cover my recent adventures when trying to sell some things which were excess to requirements using the Amazon.co.uk Marketplace, which works a bit like eBay, but without scammers and con artists popping out of the woodwork every few seconds; or so I thought. How wrong I was to believe things would be any better on Amazon.co.uk's Marketplace than eBay.

The tale unfolds below:

So, as I mentioned above I had some electronic and other goods that were excess to requirements, these were in immaculate [almost new] condition as I had treated them with respect and care at all times. So, I created a Marketplace account on the Amazon.co.uk site so that I could offer these items for sale. This step was dead easy and I had a Marketplace shop open on Amazon.co.uk within five minutes. I confirmed this by searching for one of the items on Amazon.co.uk and it appeared [along with my Marketplace seller account name] in the new and used listings.

A few hours passed and I started to receive e-mails from prospective buyers of the most expensive of the electrical items I was trying to sell, here's a screenshot of one of the e-mails:



I replied promptly and gave the prospective buyer the benefit of the doubt, even though alarm bells were already starting to go off in my head. The next morning I received the following e-mail from 'Vanessa' [screenshot below]:



Hmmm.... I thought that was most interesting, especially as I had also received another e-mail which claimed to come from the Amazon.co.uk payments e-mail address, or did it? Here's a screenshot of the e-mail below; notice anything odd?





Looks real, doesn't it, but is it really from Amazon or not, yes or no? [Hint: look at the e-mail address shown between the '<' and '>' characters.]

Anyway, by now I knew it wasn't really from Amazon.co.uk, as the real e-mail address it came from was 'amazoncustoms@accountant.com', which is a FREE e-mail account from 'Mail.com' in the US. Even so, I decided to check my account on the Amazon.co.uk Marketplace, and as expected the item was still listed as being available, not sold. At this point I decided to do a little more detective work.

So, to start my digging, I did a lookup on the UK Post Code given by the 'buyer', this being 'BL2 1LW' which resolved as the following address:

13 ST AUBINS ROAD
BOLTON
LANCASHIRE

Now, if you noticed, the 'buyer' claimed her address was '13 st aubin road'; notice not only the lower case, but also the missing 's' off the end of 'aubin'. By now I was fully convinced that this was a scammer trying to defraud me of my electronic device. So, I replied to her, see the screenshot below:



And 'Vanessa' replied thus:



In between the various e-mails, I did a bit more digging and found out that the address was the registered office for a company which has now been 'dissolved'. So, to turn the screw a little tighter I sent a reply which you can see below:



And 'Vanessa' replied thus:



And then, about 15 minutes later:


By now I think that 'Vanessa' knew I had rumbled this as a scam, or she was getting desperate, so I tried to string her along a little longer to see if I could extract a telephone number from 'her'. Here's the e-mail I sent:



I never expected to hear anything more from 'Vanessa', so I was rather surprised when I got the following reply:



Those of you that live in or know the phone number system in the UK will have immediately noticed that the phone number I had been given was not in Bolton, or indeed anywhere near there. It was in fact a London telephone number, and a quick bit of digging unearthed the fact that it was a BT Pay Phone! Game, Set and Match to me, I think.

Further digging seemed to indicate that the phone was on the West side of Lambeth Bridge, in Horseferry Road, which ironically is less than 300m from New Scotland Yard!

My next move was to send all the data on to the fraud department of the London Metropolitan Police; as far as I was concerned, my job was now done, and it was now down to the Police to apprehend the fraudster(s).

Over the next week, I received four other similar fake Amazon payments notices; needless to say, I played them along the same way and then sent the data on to the authorities to act on[*]. However, I'm not holding my breath, as these frauds are small fry in a world of sharks.

Needless to say, I finally decided that using Amazon.co.uk's Marketplace was not a good way to sell expensive electronic items, in fact I'd go as far as to say that it is only marginally better than eBay in this respect. I must make it clear that my comments are only about my personal experience of using the Marketplace feature of Amazon.co.uk, I have found all my other dealings with Amazon.co.uk to be safe and reliable and I generally trust them far more than other online stores. In fact they are one of the stores I use the most when I'm thinking of buying things, be it CDs, Books, Electronic Items or whatever.

[*] I also e-mailed and spoke to Amazon.co.uk's fraud team a number of times while these adventures unfolded; they were polite and efficient, but I was left feeling that they were not at all surprised about this level of fraud on their site, and seemed to have no answer to the problem. The problem seems to be worse when selling high value electronic items, such as phones, PDAs or game consoles.

Thursday, 13 December 2007

More Seasonal Fare and a Carol Too!

Here's a follow-up to a blog post last week. This offers more Christmas fare from our friends the spammers, enjoy! Yes, these are screenshots of real spam e-mails I have received, they are not made up ones, cross my heart.



No, one of the women shown above isn't called Carol, and the other isn't Mrs Claus either! ;-) Yes, I have supplied a modesty filter, so not to offend anyone that may be upset by the nature of the picture.

Here's one with Santa [Mr Claus] as you have probably never seen him before, or want to see him again. It's enough to put you off your mince pies! ;-)



For those wondering where Carol is, then wait no longer:

As I'm in a 'festive' frame of mind, and just for a bit of fun, here's a modified version of the last verse of 'The Twelve Days of Christmas'. Please feel free to sing along, yes and that means you in the back - stop hiding, I can see you:
On the twelfth day of Christmas,
my true love sent to me
Twelve phishers phishing,
Eleven bot-nets,
Ten data stealers,
Nine storm worms,
Eight spyware a-spying,
Seven spammers a-spamming,
Six password stealers,
Five lottery stings,
Four new exploits,
Three BlueTooth worms,
Two Web 2.0 worms,
And a scam from e-Bay!

And if anyone can do better, and I'm sure you can, then please post them as comments. The same goes for any other Christmas carol you feel you can be creative with; the only rule is that you must use computer security and malware terms.


Wednesday, 12 December 2007

UPS Delivery of Over ONE MILLION US Dollars!

This posting is in the same vein as the last one [on this subject], as it seems to be a new tactic from the bad guys and girls from Lagos [aka the 419ers]. Take a look and let me know what you think:



Nice twist eh?

Instead of telling you that they want you to help them move trapped funds and you will get a percentage, or that you have won a lottery that you didn't enter, this one simply states that you will need to pay $100 US Dollars up front. At least that bit is honest!

The trick here is that the victim who received the e-mail is going to think "Wow, if I pay $100 now, then I get over $1 MILLION US Dollars back in the box!" and "All the sender wants is $100 up front and my contact details, what can possibly go wrong?"

  • Well, firstly, there is no money, so they will end up at least $100 out of pocket.

  • Next, the data they send will be placed on a so-called 'suckers' list.

  • Then, the victim will receive either more e-mails requesting more money to pay taxes, bribes, and so on, or phone calls from the bad guys and girls behind this, who will try to get other personal details from them, such as bank account details, credit/debit card information, and so on.

Before they realise it, the victim's bank account or credit/debit card details are being used/mis-used to pay for things, or to take out new loans or credit cards, or to open a new bank account using the stolen data.

It does seem that the 419 scammers are once more trying out new techniques. I wonder what they will try next? Any suggestions? ;-)


Friday, 7 December 2007

A Seasonal Selection...

No, not cheeses, nor sweets, nor hymns or other music, nor vegetables, fruits, nuts or meats. Give up yet? ;-)

Well, I suppose you could call some of the selection spam, and the rest fake e-card e-mails bearing malware gifts. So, let's have a look at a small selection of seasonal spam and related scummery.

The spammers started early this year, as far as seasonal themed spam goes. This first one is dated the 17th of November!:



I thought that this next one was rather clever, as on the Christmas tree we don't have the usual baubles or other hanging decorations; no, we have a Christmas tree with 'pills' instead:



This next one was also quite clever, although I have no idea what the text in the spam says*. The use of a figure dressed as Santa checking his stock is a nice touch:



This final spam email is more restrained, just a few references to Christmas, as well as urging you to buy their knock-off [fake] watches and other crud:



The text below the spamvertised goods/services seen in the first and fourth spam examples is what is sometimes called a 'Hashbuster'. The text is only there to try and fool anti-spam filters, especially those that use Bayesian or other similar techniques. However, this doesn't fool the Bayesian filters I use!
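As an added illustration (not code from this post), here is a toy naive Bayes filter trained on a small constructed corpus. It shows why a hashbuster made of random dictionary words the filter has never seen adds no evidence either way: the score is driven entirely by the tokens the filter does know, so the padded message scores the same as the unpadded one.

```python
import math
import re
from collections import Counter

# Constructed toy corpus (not from the blog post) used to train the filter.
SPAM = [
    "buy cheap replica watches christmas sale discount",
    "cheap pills online discount christmas offer",
    "replica watches rolex discount buy now",
    "online pharmacy pills cheap viagra",
]
HAM = [
    "meeting moved to thursday please confirm",
    "attached is the report from last week",
    "can you review the draft before thursday",
    "lunch on friday to discuss the project",
]

# A spamvertising line plus a constructed 'hashbuster' of random dictionary words.
SPAM_MSG = "cheap replica watches christmas discount"
HASHBUSTER = "garden ordinary transistor wonders yesterday parliament moth violin"


def tokens(text):
    return re.findall(r"[a-z]+", text.lower())


def train(spam, ham):
    """Count, per token, how many spam and how many ham messages contain it."""
    spam_counts = Counter(t for m in spam for t in set(tokens(m)))
    ham_counts = Counter(t for m in ham for t in set(tokens(m)))
    return spam_counts, ham_counts, len(spam), len(ham)


def spam_probability(model, text):
    """Naive Bayes spam score in [0, 1]; unseen tokens carry no evidence."""
    spam_counts, ham_counts, n_spam, n_ham = model
    logit = 0.0
    for t in set(tokens(text)):
        if t not in spam_counts and t not in ham_counts:
            continue  # hashbuster words are unknown to the filter, so ignored
        p_spam = (spam_counts[t] + 1) / (n_spam + 2)  # Laplace smoothing
        p_ham = (ham_counts[t] + 1) / (n_ham + 2)
        logit += math.log(p_spam / p_ham)
    return 1.0 / (1.0 + math.exp(-logit))


MODEL = train(SPAM, HAM)

if __name__ == "__main__":
    print("spam alone     :", round(spam_probability(MODEL, SPAM_MSG), 4))
    print("spam+hashbuster:", round(spam_probability(MODEL, SPAM_MSG + " " + HASHBUSTER), 4))
    print("hashbuster only:", round(spam_probability(MODEL, HASHBUSTER), 4))
```

A real filter would also learn the hashbuster words themselves as spammy once it has seen a few padded messages, which only makes the trick backfire.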

This final one, which is a fake e-card notification, arrived on the 1st of December. If you click on the link provided in it [which doesn't take you to www.123greetings.com], it will download an executable file called 'x-mas.exe', which is NOT an e-card at all; it is malware, in this case a self-extracting RAR file.



The end result of running this file [x-mas.exe] is that your system will be infected by a variant of Zapchast [also known as an IRC.Flood.dr variant]. As part of the installation routine this malware installs an IRC client, which then signs into a Command and Control channel and awaits new orders. At this point the computer no longer belongs to you; it is now a so-called 'Zombie' or 'Bot' in one of the many bad guys' and girls' 'Botnets'.

So, be careful out there; just because it is getting close to Christmas doesn't mean that it isn't a jungle out there. Don't give the bad guys and girls a present this year by falling for their scams or malware, or by buying anything they peddle in their spam. Remember, Santa only gives gifts to good boys and girls, not naughty ones!

On this note, I'd like to wish all the readers of this blog [which numbers at least 2 ;-)] a very Happy Christmas and a Prosperous New Year. Although, if you are a bad guy or girl who does any of the nasty things I blog about here, I hope that you finally see sense and get a real 'useful' job, before you finally get caught and prosecuted. Maybe next year you will then get a gift from Santa, who knows, and maybe hell will freeze over too? ;-)

* If anyone out there is willing to translate the remaining text on this spam, then please contact me, thanks.

PS I haven't forgotten about my promised 'Amazon Adventures - Part Deux' posting, it is coming, honest.


Thursday, 6 December 2007

The Six Million Dollar Relative

This is a rather interesting e-mail which arrived in my inbox early this morning. It is interesting for a number of reasons; take a look at the screenshot below and see if you can spot the reasons I found it rather entertaining:



OK, so what did you spot?

These are the points that caught my interest:

  • Used part of my name, in this case my Surname.

  • Used the name of someone who might be related to me.

  • Used a Microsoft Word document attachment rather than the usual ASCII text or HTML body.

Right, let's now have a look at what the Word document contains [opened in OpenOffice, not Word, for security reasons]:



Here's a close-up of the text in the word document:



As you can see this is a missing-relative 419 scam: they want me to pose as a relative of the alleged deceased person, so that 'we' can claim the 32 MILLION US Dollars for ourselves instead of, and I quote, "funds of this nature end up in the greedy pockets of some politicians due to our corrupt society". I get 20 percent, which they estimate is almost 6.5 MILLION US Dollars.

So, you heard it straight from the horse's mouth [or at least one of the horse's orifices] that these scams have nothing to do with corrupt and ethically bankrupt scammers like the one behind this version; it's all the politicians and government officials who are the 'bad guys'! Yeah, right! Although this quote from Alfred E. Neuman might swing your vote:

"Crime does not pay... as well as politics."

Sometimes these 419 scams contain links to real news stories or tragedies that have occurred; the scammers believe that you will be more willing to fall for their scam if some of the details can be verified.

There is no money. As usual, this is a scam which has been around in one format or another for many years; the names of the intended victim, the deceased and the scammer change frequently, but all that happens if you get caught up with these scammers is that you will lose money, not gain any.

Just because they use your name and link it with an allegedly deceased person with the same surname, doesn't mean that participating in this scheme [even if the money actually existed, which it doesn't] isn't fraud; it most definitely is!


Wednesday, 5 December 2007

Rent-a-Spammer

We are all used to seeing spam, usually lots of it. Even if you have good anti-spam defences in place, some still gets through, as it is a game of cat and mouse between the spammers and the anti-spam solutions: the spammers try a new technique which works for a while, the anti-spam brigade adapts and blocks it, and round-and-round we go, ad infinitum ;-)

Here's a spam e-mail that is actually offering "mass dispatch of electronic letters", also known to most of us as spam or UCE [Unsolicited Commercial E-mail].



The spammer(s) offering their services here are almost certainly using one or more botnets to send out the spam; this means that the chances of him/her/them getting caught and prosecuted are quite slim. As you can see, the pickings [as far as the spammer is concerned] are far from slim!

To a potential spammer customer the costs are minuscule*, as shown below. These are the prices per e-mail:

  • 1 Million = 0.012 cents each

  • 5 Million = 0.01 cents each

  • 10 Million = 0.008 cents each

No wonder that businesses who are desperate for new customers, or sales [or both] are tempted to use these types of services!

Although the fiscal [monetary] costs are small from the perspective of a customer of this type of spamming service, the potential cost in lost business, if you are a well-known and previously respected company or brand, can be immense.

Luckily these sorts of companies/brands don't tend to use these sorts of services. This means that the companies/brands that do use them are, shall we say, not as ethical or concerned about alienating/annoying their customers, as the wares they offer tend to be somewhat grey: fake, illegal, stolen, of dubious quality, or just an outright scam to get you to part with your credit/debit card details. This often results in your data being mis-used, or sold on to others to mis-use.

The really worrying thing about this, aside from the data theft/ID theft side of the coin, is that according to some sources around 10 percent of people who receive spam actually buy the goods offered, even if they have been conned/scammed before! Talk about failing to learn from your mistakes!

So, if the 10 percent of people that do buy from spam would kindly refrain from doing so, then the spammers' business model would quickly become unprofitable; the end result would be that spam would drop to levels that we can currently only dream about. It could get to the point where we see levels of less than 10 percent of all e-mail, compared to the 90+ percent we have today!

More details on the survey results can be found here.

I've also just found another survey, which claims, amongst other things that: "One in five Brits 'buy software from spam'"

Here's another that claims: "Spam Prompts 11 Percent of Computer Users to Buy"

My original posting on the survey mentioned above was back in July 2005; here's a link to it: 'Do You Like Spam?' It even contains details on how the name came about. Here's a link to the video mentioned... enjoy!

So, go on, own up: have you ever bought anything from a spam e-mail? Are you in the 10-25 percent of those that do? ;-)

* Assuming my maths are correct?

Footnote: Hormel [creators of the tinned meat product known as SPAM] have just lost a court case [another one] in which they tried to stop an anti-spam company using the word 'Spam' in its product name, as they claim that this is their trademark.


Tuesday, 4 December 2007

Birds of a Feather...

No, this isn't about either the feathered sort of 'Birds', or anything to do with the fairer sex [colloquially known as 'Birds' in some parts of the world], nor am I going to blog about the famous Alfred Hitchcock movie. This posting is about a recent book I reviewed for Virus Bulletin which was written by members of AVIEN* [do you get the 'Birds' reference now? ;-)]

Here's a snippet from the review I wrote:

"The AVIEN Malware Defense Guide has been written by members of the AVIEN/AVIEWS online communities with the aim of passing on knowledge that they believe will be both interesting and useful to those involved in the real-world battle against malware in organizations.

The cover of the book claims that it will 'stop the stalkers on your desktop' and also provide:
  • Complete coverage of the relationship between enterprise security professionals, customers, vendors and researchers.

  • In-depth consideration of key areas of the 21st century threat landscape.

  • System security and DIY defence using a range of specialist detection and forensic techniques and tools.
Meanwhile, the back cover states: 'AVIEN members represent the best-protected large organizations in the world, and millions of users. When they talk, security vendors listen: so should you.' So, after making such a bold statement, does the book deliver on the promises it makes?"

And here's another snippet:

"My overriding impression is that this book is very well written; the whole book comes together and flows very well – which can be a difficult feat when a book has several different contributors.

The book eases the reader in gently, starting with non-technical chapters and building to some very technical ones towards the end of the book.

The pedigree and diversity of the contributors involved in this book makes it a very readable, informative, and accurate reference guide for all interested parties, be they new to the fight or old hands.

The book delivers on many of the promises it made. In fact, I would say that this is the best general malware/anti-malware book currently available, and it should be a mandatory read for anyone new to computer security in general, and anti-malware specifically."

Here's a link to the complete book review I wrote: [PDF format]

So, if you are hunting for a perfect present for the security professional in your life, or just for yourself, then this book may be just what you/they always wanted...

If you want to buy the book or to see other reviews, then feel free to click on the relevant link below:



As usual all my other published articles and papers can be found here or here.

* Yes, I know that this isn't spelt the same way as AVIAN, but please allow me a little poetic licence ;-)


Monday, 3 December 2007

Barclays FIVE MILLION US Dollar Transfer

According to the e-mail I received today [3rd of December 2007], supposedly from Barclays Bank PLC, I have over 5 Million US Dollars waiting to be transferred into my bank account. Here's a screenshot of the e-mail, so that you can see it for yourself:



Wow!!! Five Million, Two Hundred Thousand Dollars are all mine!

All I need to do is obtain and complete a 'Non-Residential Clearance Form' and then contact 'Mrs.Nancy Webster', who heads up the 'International Banking Division' at 'Barclays Bank PLC in London', and she will send me the release forms to fill in and, Bingo, I will get the money, right?

Anyone smell a rat yet? Any alarm bells going off in your head? Do you actually believe a word written in the e-mail shown above?

Since when did Barclays outsource their e-mail servers to 'Google'?

If you do believe it, and you followed up with 'Nancy' at 'Barclays' using her business e-mail account at 'Googlemail', then you would be entering into a relationship in which you wouldn't end up with more money; you would actually lose money [at the very least], as this is nothing more than a 419 scam [also known as an Advance Fee Fraud].

I've written about these extensively over the years, and if you are interested in reading more on the subject then take a look at my published papers and articles, which can be found here.

Just because it is coming up to the season of goodwill, don't lower your guard, as that is only playing straight into the hands of these fraudsters...

I have a number of things to share this week, so check back each day.
