
Who Removed The Pictures?

Those of you who read my blog from time to time, or are in the computer-security sector, will know that since the last quarter of 2006 the spammers have been converting from ASCII/HTML based spam to image based spam [*.gif, *.png, *.jpg, etc.]. This move caused many who work on anti-spam products and solutions a lot of sleepless nights trying to work out how they could add detection for such spam, without too many false positives or negatives.

Well, it seems that their prayers [the vendors and service providers] have been answered as I’m increasingly seeing a switch back to ASCII/HTML based spam, although a number of botnets used to send spam are still using images.

Here are three examples of one of the latest tricks the spammers are using:



Did you notice the lack of images in the spam itself? What these spammers have done is to host the graphical spam images at an image hosting/storage service known as ‘ImageShack’. As you might have expected, this technique only worked for a while before the anti-spam tools caught up and ‘ImageShack’ started actively purging the hosted spam images.

This next one takes the minimalist approach to the highest level; take a look:

Couldn’t be much more compact, could it? As with the first three examples, the link takes you to a graphical spam message hosted on one of a number of sites, but not on ‘ImageShack’.

The final one in this series is not as minimalist; in fact it is almost at the other end of the scale, being rather wordy. That is because it uses social engineering techniques ‘borrowed’ from the malware authors. Have a look and see what I mean:

Doesn’t that look rather like a rip-off of a mass-mailing worm or dropper seeding e-mail, such as those we are seeing right now [Nuwar/Zhelatin/Storm Worm]?

Now why would they want you to think you’ve bought a copy of ‘Windows Vista’?

Well, guess what? You haven’t, and if you click on any of the hyperlinks all you are doing is confirming that the e-mail address the spam was sent to is ‘alive-and-well’ and that a ‘real-human-being’ is actually reading it [and clicking on links, too].

Now isn’t that sneaky?

I’ve said it before, and I’ll say it again: “Never click on anything in a spam e-mail, or you may just end up proving that your e-mail address is valid, and live. This makes that e-mail address more valuable and you’ll end up on more spammers’ lists, and get loads more spam.”

Also:

  • Use a good anti-spam solution, such as the one built into Thunderbird.
  • Don’t allow remote images to be loaded when the spam e-mail is rendered.
  • Don’t click on any links provided in the spam, especially any ‘unsubscribe’ links offered, as this will again prove your e-mail address is valuable, and, as expected, you’ll end up getting more, not less, spam.
  • Don’t EVER buy anything offered in a spam e-mail; you are only helping to prove that the business model the spammers use is still viable.

Yes, I know I repeated myself in point 3 of the above list, but that was intentional, just to drive the point home ;-)
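As an added example (not from the original post), here is a small Python heuristic a filter author could use to flag the two patterns described above: a body that is nothing but a remote image, and a body that is nothing but a single link to an image file. The sample bodies and their `.invalid` host names are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg")
class MailBodyParser(HTMLParser):
    """Collect remote <img> sources, <a> targets and visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.images, self.links, self.text = [], [], []
        self._hidden = 0  # depth inside <script>/<style>; that text is never displayed
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src", "").startswith(("http://", "https://")):
            self.images.append(a["src"])  # fetching a remote image confirms a live reader
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("script", "style"):
            self._hidden += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1
    def handle_data(self, data):
        if not self._hidden and data.strip():
            self.text.append(data.strip())

def analyse(html, min_words=20):
    """Return word/image/link counts and the heuristic flags one HTML body triggers."""
    p = MailBodyParser()
    p.feed(html)
    words = sum(len(t.split()) for t in p.text)
    flags = []
    if p.images and words < min_words:
        flags.append("remote-image-only")  # hosted-image trick: no real text, one remote picture
    if not p.images and len(p.links) == 1 and words < min_words:
        flags.append("bare-link")  # minimalist variant: nothing but a single link
    if any(urlparse(u).path.lower().endswith(IMAGE_EXT) for u in p.links):
        flags.append("link-to-image")  # the link itself leads straight to a graphic
    return {"words": words, "images": len(p.images), "links": len(p.links), "flags": flags}
# Constructed sample bodies; host names use the reserved .invalid TLD
SAMPLES = {
    "image_only": '<html><body><img src="http://img.host.invalid/ad1.gif"></body></html>',
    "bare_link": '<html><body><a href="http://pics.host.invalid/offer.gif">click</a></body></html>',
    "newsletter": ('<html><body><p>Hello team, here is the monthly engineering newsletter with '
                   'release notes, upcoming maintenance windows and a summary of the incidents '
                   'we handled this month.</p><img src="https://intranet.example.invalid/logo.png">'
                   '<a href="https://intranet.example.invalid/notes">notes</a></body></html>'),
}

for name, body in SAMPLES.items():
    print(name, analyse(body))
```

The word threshold is the tunable part: a genuine newsletter with a remote logo passes because it carries real text, while the two spam shapes carry almost none.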

Bogus IE7 Being Spammed Out

Here’s a screenshot of one of several odd e-mails I started to receive yesterday.

If you click on the graphic in the real e-mail, or hover over it, you will see a link to what appears to be a file called ‘IE7.0.exe’. Like I’m going to click on that and let it run, no way!

It appears, from the many IE7 e-mails I have received, that this executable is hosted on a number of sites around the world.

Here are the from and subject lines for the ones I have seen so far:

Subject: Explorer 7
From: admin@windows.com

Subject: Internet Explorer 7 Downloads
From: admin@microsoft.com

The first samples of this I saw, I downloaded the linked file and found that at that time it was not an executable, but an HTML file carrying out click fraud, with a click counter. However, this morning I found that one of the new ones, received at 07:45, was linked to a real executable file; details below:

FileName: IE7.0.exe
FileDateTime: 30/03/2007 08:09:09
Filesize: 33280
MD5: 8e12a8281a6c6ebdbd75c26a93e69437
CRC32: 95BCDAFB
File Type: PE Executable
It appears to be packed using PE Pack 1.0

The Norman Sandbox failed to run it, probably because it is using anti-sandbox or anti-emulation tricks.

I also sent it off to be scanned by over 30 anti-malware tools, here are the results:

Scan report of: IE7.0.exe.4

@Proventia-VPS -
AntiVir TR/Proxy.Agent.CL
Avast! -
AVG -
BitDefender -
ClamAV Trojan.Spy-3301
Command W32/Grum.A (exact)
Dr Web Win32.Grum
eSafe -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Virus.Win32.Grum.a
F-Secure (BETA) Virus.Win32.Grum.a
Fortinet W32/Grum.A
Fortinet (BETA) W32/Grum.A
Ikarus Virus.Win32.Grum.a
Kaspersky Virus.Win32.Grum.a
McAfee -
McAfee (BETA) -
Microsoft Trojan:Win32/Grum.A
Nod32 Win32/TrojanProxy.Skopa.B trojan
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Rising -
Sophos W32/Grum-A
Symantec -
Symantec (BETA) Trojan Horse
Trend Micro -
Trend Micro (BETA) TROJ_GRUM.I
UNA -
VBA32 -
VirusBuster -
WebWasher Trojan.Proxy.Agent.CL
YY_Spybot Smitfraud-C.,,Installer

As you can see, detection is still somewhat patchy as I write this entry. Even McAfee and Symantec are behind the likes of F-Secure and Kaspersky; even Microsoft detects it!

If you look at the raw ASCII of the e-mail itself, it is padded out with lots of text grabbed from numerous web pages, news stories, etc. This is added to try to let the e-mail, with its link to possibly malicious code, slip past anti-spam and anti-malware filters.

This case yet again shows that the Bad Guys and Girls are using social engineering to get you to infect your own computer [or your company’s]. I gave a presentation on the growing use of social engineering just yesterday morning. A very timely warning and wake-up call for those who attended.

So, don’t fall for it, and “Beware Microsoft Bearing Gifts” – Microsoft don’t send you software, and just because an e-mail says it comes from Microsoft doesn’t mean that it really does. It is very easy to forge the e-mail address – you have been warned.

Oh, by the way I will post the answer to my last challenge on Monday the 2nd of April, so for those of you that still want to take a crack at solving the case, you have until then.

Paper Selected For The EICAR 2007 Conference

EICAR have informed me that my abstract has been selected for the EICAR 2007 conference to be held in Budapest, Hungary between the 3rd and the 8th of May.

The abstract for the paper appears below:


The increasing speed with which new malware strains are being written and released means that security professionals are more likely than ever before to see new malware: malware which is not detected by the anti-malware solutions they have deployed in their infrastructure, be it workstation, server, PDA or gateway.

Imagine this scenario: An end-user calls the helpdesk and reports that their system is running very sluggishly when it wasn’t a week ago and that they can’t access the Windows ‘Task Manager’ or open a command prompt any more.

Is this caused by malware or is it a ‘user’ problem? The virus scanner is right up to date and active, and it says the system is clean, the personal firewall is active too. Where do you go from here? Investigate or rebuild the box?

How can you tell if the machine is clean or infected by a new malware, with a reasonable level of confidence for your conclusion?

This paper will look at what tricks, tools and techniques you can use to help establish the true state of the ‘suspect’ system. It will focus on a step-by-step approach to what tools to use, what to look for and what to do with any suspicious files. It will also discuss the use of forensic tools in such a scenario, as a last port of call.

The paper will draw on real scenarios where new [undetected] malware has been responsible for ‘odd’ system or network behaviour.

All I have to do now is carry out all the required research and write the paper; it should only take me about 3 months. However, as usual, they need the completed paper by the 17th of March!

I’ve several other ideas for abstracts already sketched out, ready to submit for this year’s Virus Bulletin conference. Any topics that you think should be covered are most welcome; just drop me a note or leave a comment.