MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Thursday, 16 October 2008

Virus Bulletin 2008 Conference Review

As previously mentioned on this blog, I was going to attend the Virus Bulletin 2008 conference as just a delegate, for the very first time; I usually attend as a speaker. The conference was held at the Westin Ottawa, in Ottawa, Canada [surprisingly ;-)] between the 1st and 3rd of October.

However, I ended up being a speaker again, which I don't mind, although I had been looking forward to a more relaxed conference than I usually have; but that's life!



This posting is a quick review of the conference:

Day 1 - Wednesday 1st October 2008

The first day of the conference started at 10:30 with Helen Martin’s opening address. This was followed at 11:00 by the Keynote address "The AV industry: Quo Vadis?" presented by Alex Eckelberry of Sunbelt Software. This was a very interesting speech and contained lots of useful information, as well as a general overview of what the bad guys [and girls] are up to, and of what the good guys [and girls] are up to.

You can find a recording of it here, along with the slides: http://sunbeltblog.blogspot.com/2008/10/virus-bulletin-2008-keynote-address.html

The final session on the Technical Stream before lunch was also interesting, a presentation by Morton Swimmer [who used to work for IBM] entitled:

  • Towards integrated malware defence

It was a good presentation, however as Morton had moved to TREND just before the conference he no longer had access to all his data, which was a shame, as it seems to have been rather an effective solution.

Then it was time for lunch.

After lunch, the conference continued in its normal two stream mode: Corporate Stream and Technical Stream. Normally I spend most of the conference in the Technical Stream, and on this first day that was pretty much the case; I spent the whole afternoon in the Technical Stream.

The first two presentations after lunch were:

  • Your computer is now stoned (...again!). The rise of MBR rootkit - Kimmo Kasslin, F-Secure
  • When the hammer falls - effects of successful widespread disinfection on malware development and direction - Matt McCormack, Microsoft

The presentation given by Kimmo was especially interesting as it covered the rebirth of MBR infectors; something that had almost died out when Windows NT, 2000 and XP came along [yes, there have been some MBR infectors for those, but not many, and not with stealth capability].

Then we had a short break for tea and coffee before attending the final pair of presentations on the Technical Stream. These were:

  • Applying user-mode memory scanning on Windows NT - Eric Uday Kumar, Authentium
  • Packer visualisation: a fast entropy scanning algorithm that preserves local detail - Li Sun, RMIT University

I decided to sit in on the vendor presentation after the day's main proceedings; this was given by my good friend David Harley, from Eset.

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

This was staged with a couple of Ice Hockey players, for those that wanted pictures, as well as a bit of fun from Ken Bechtel, whose hat did the rounds; photos were taken of those that ended up wearing it, including me. If you've ever met Ken, you'll know which hat I mean, as he is rarely seen without it.

Day 2 - Thursday 2nd October 2008

Day two started early for me as I was informed when I arrived that I might be needed to present [I was the emergency reserve speaker; "in case of a missing speaker, break glass and grab Martin ;-)"], as one of the speakers for the morning session on the Technical Stream was unaccounted for; he never did turn up.

So, I had to go back to my hotel [I wasn't staying at the Westin], get changed, grab my laptop and get back to the conference by the morning tea break to check that my laptop worked fine with the projector, it did.

This meant that I effectively missed the first two presentations I had planned to attend, oh well.

To complicate matters, I was also supposed to be chairing the three sessions on the Corporate Stream between the morning tea break and lunch; which I couldn't now do, as I was presenting in the other stream at the same time. Luckily, my old friend from Nortel, John Morris, stepped into the void as the new session chair.

So after the morning tea-break I was back in the Technical Stream for the next three presentations, these were:

  • The robustness of new email identification standards - Reza Rajabiun, COMDOM Software and York University
  • Coordinated distributions method for tracking botnets sending out spam - Andrey Bakhmutov, Kaspersky Lab
  • Malware forensics: detecting the unknown - Martin Overton, IBM ISS

The presentation given by Andrey was extremely good: some excellent research which was well presented and explained. This led to a flurry of questions.

It seemed rather surreal when I gave my presentation, as it was designed for an audience on the Corporate Stream; so as an old English saying goes "it was like teaching my grandmother how to suck eggs". In other words the presentation was an overview of forensic techniques and tools for finding and analysing malware [known or new] on an infected system.

This was presented on the Technical Stream to about 70 or more of the world's best malware researchers, hence my use of the saying.

The presentation was actually based on my EICAR 2008 paper which I was unable to present at the EICAR conference, ironically due to the fact I was tied up in a malware forensics case.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

I received some nice feedback from a few of those that sat in, and no awkward questions. In fact, one of the guys who was running the audio-visual side of the conference said he thoroughly enjoyed my presentation and found it most useful and enlightening.

After lunch, once more I decided to sit in on the Technical Stream until the tea/coffee break, at least. The next four presentations, all last minute ones limited to 20 minutes each, were:

  • VB testing - present status, future plans, John Hawes, Virus Bulletin
  • Race to zero with online scanners, Boris Lau, Sophos
  • There is (some) honour among South American authors of infostealer trojans!, Pedro Bueno, McAfee
  • Apple iPhone programming with SDK, Marius van Oers, McAfee

This year these short technical presentations worked rather well, although it was hard for some of the presenters to keep to the 20 minute slot limit; yes, you know who you are.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Corporate Stream as I was chairing the last two presentations on that stream, these were:

  • The NorTel Mailer: effective open-source spam filtering for enterprises - Chris Lewis, Nortel
  • SCADA security - who is really in control of our control systems? - Peter Allor, IBM

Both of these were very interesting presentations and it was a shame that so few delegates had decided to sit in on them.

Before the day was over we also had our first panel session, this was:

  • The state of anti-malware testing

Later we had the "pre-dinner drinks and the Gala dinner and entertainment".

As always the food was excellent and the entertainment this year differed quite a bit, it was a quiz, which was fun but took longer than expected to complete. As one delegate was heard to say "we have travelled 3,500 miles for a pub quiz!". Personally, I enjoyed it, it just needed to be shorter.


Day 3 - Friday 3rd October 2008

The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Understanding and teaching bots and botnets - Randy Abrams, ESET

This presentation covered a topic that I had presented on back at VB2005 in Dublin, but from a high-level perspective and more focussed on how to educate staff about these threats by using robot vacuum cleaners known as Roombas.

As usual Randy was both informative and entertaining.

So, another quick tea and coffee break and then back to the Technical Stream until lunch, these were the next presentations I sat in on:

  • Automatic rules-based binary analysis with IDA Pro and CLIPS - Ryan Hicks, AVG
  • Rebuilding testing for the future - Igor Muttik
  • Samples.malware.org: sample sharing for the next decade? - Richard Ford, Florida Institute of Technology

All of these were very good and interesting talks and all generated lots of discussion and questions.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all. However, I think I can honestly say that this year's photo was the quickest ever, as it took less than 5 minutes to organise all the speakers and take a number of photos.

After lunch I spent the first part of the afternoon on the Corporate Stream. These were the presentations I sat in on:

  • Where do your users want to go today and can you stop them? - Bruce Hughes, AVG
  • The name of the dose: does malware naming still matter? - Pierre-Marc Bureau and David Harley, ESET

Both of these were interesting and prompted a number of questions from the audience.

Then it was time for the final refreshments break. Yes, it was the very last VB2008 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference, were straight after the break and I decided that I'd sit in on the last one on the Technical Stream again. This was:

  • Darwin inside the machines: malware evolution and the consequences for computer security - Peter Ször, Symantec, and Dimitris Iliopoulos, Keck Graduate Institute of Applied Life Science

This was a very interesting presentation, basically saying that malcode could in theory evolve following Darwinian principles. Not sure that we will see such malware any time soon, as there are a number of things that need to happen first.

Although all the conference paper presentations had finished, there was a very interesting and lively panel discussion on:

  • Security in banking forum

Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin.

It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be another case of "I'm Spartacus", as a lot of people seemed to be wearing Ken Bechtel's hat, including me, and no, it wasn't him in varying disguises either!

My final impressions of VB2008 are mixed; I enjoyed it, but I [and others who I chatted with] seem to think it may have lost its edge. Is this a case of becoming too commercialised or due to a lack of the usual swathe of quality research papers [which may be due to security companies cutting research budgets], or is it just a sign of the times as the marketplace has matured and that threats have now converged?

If you attended VB2008 and have an opinion, then please let me know your thoughts, thanks.

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2008/slides

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2008/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Ottawa, here: http://picasaweb.google.com/overtonm/OttawaCanada2008?authkey=SEeottY873o#

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Geneva, Switzerland at the end of September 2009. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?


Tuesday, 1 April 2008

Don't 'Fool' For It...

Normally I do my own April Fools blog posting, using some bogus malware, anti-malware or other computer related bit of nonsense for a bit of fun, and hopefully you find them funny, or at least interesting?

However, this year I didn't need to bother, as the Bad Guys and Girls have their own; trouble is, it isn't a joke, and it certainly isn't funny!

It seems that the so-called 'Storm Worm Gang' are back playing the fool again and couldn't resist the opportunity to try and get you to infect your computer under the guise of an April Fools e-card. This new wave started late last night/early this morning [depending where you are in the world]:

The subjects of the e-mails I've seen so far include:

  • Surprise!
  • Happy April Fools!
  • Happy All Fool's Day
  • Gotcha! April Fool!
  • Gotcha! All Fool!
  • I am a Fool for your Love
  • Today You Can Officially Act Foolish
  • Join the Laugh-A-Lot
  • Surprise! The joke's on you

The body of all the e-mails seen so far contain a single line of text and a URL [the usual dotted IP sort, e.g. http://100.123.12.1]

Here's a screenshot of one of the emails that I've received this morning:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like this:



After 5 seconds you'll see a download dialogue box, like this:



And here is the source of the web page currently in use:



However you spend the day, whatever jokes you play, or end up the victim of, don't 'Fool' for this one, as otherwise your computer will get infected and the Bad Guys and Girls will have the last laugh again, at your expense!

At the time of posting this blog entry the detection of the offered 'funny.exe' file was rather poor, with less than half of 32 tested scanners identifying that this is a malicious file. This is the default file and is automatically offered for download [within 5 seconds of the page rendering].

You may have noticed that two other filenames appear in the HTML source; these are:

  • kickme.exe
  • foolsday.exe

If you click on the image, you get kickme.exe, and if you click on "click here" you get foolsday.exe instead.
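As an added example (not code from the original post), here is a small Python filter that turns the indicators described above into checks a mail gateway or analyst could run: the observed lure subjects, a body consisting of little more than a bare dotted-IP URL, and a landing page that pushes an .exe. The sample e-mails and landing-page HTML are constructed, and the "download after 5 seconds" behaviour is modelled as a meta refresh, which is an assumption about the page rather than something the post confirms.

```python
import email
import re
from email import policy
from typing import Dict, List, Optional, Tuple

# Subject lines seen in the April Fools e-card run described in the post.
LURE_SUBJECTS = {
    "surprise!",
    "happy april fools!",
    "happy all fool's day",
    "gotcha! april fool!",
    "gotcha! all fool!",
    "i am a fool for your love",
    "today you can officially act foolish",
    "join the laugh-a-lot",
    "surprise! the joke's on you",
}

# A URL whose host is a bare dotted-quad IP address (http://100.123.12.1 style).
DOTTED_IP_URL = re.compile(
    r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/[^\s<>\"']*)?", re.IGNORECASE
)

# <meta http-equiv="refresh" content="5;url=..."> is the ASSUMED mechanism behind
# the "download dialogue after 5 seconds" behaviour; the post does not state it.
META_REFRESH = re.compile(
    r"""<meta[^>]*?http-equiv\s*=\s*["']?refresh["']?[^>]*?"""
    r"""content\s*=\s*["']?\s*(\d+)\s*;\s*url\s*=\s*([^"'>\s]+)""",
    re.IGNORECASE,
)

# Any hyperlink that hands out an .exe directly.
EXE_HREF = re.compile(r"""href\s*=\s*["']?([^"'>\s]+\.exe)\b""", re.IGNORECASE)


def score_message(raw: str) -> Dict[str, object]:
    """Return the indicators found in one raw e-mail plus an overall verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    ip_urls: List[str] = DOTTED_IP_URL.findall(text)
    lure = subject.lower() in LURE_SUBJECTS
    terse = len(lines) <= 2  # "a single line of text and a URL"
    return {
        "subject": subject,
        "lure_subject": lure,
        "dotted_ip_urls": ip_urls,
        "terse_body": terse,
        # A bare-IP link alone is weak evidence; combined with a known lure
        # subject or a near-empty body it matches the run described above.
        "suspicious": bool(ip_urls) and (lure or terse),
    }


def scan_landing_page(html: str) -> Dict[str, object]:
    """Report an automatic .exe download and any direct .exe links in a page."""
    m = META_REFRESH.search(html)
    auto: Optional[Tuple[str, int]] = (m.group(2), int(m.group(1))) if m else None
    return {"auto_download": auto, "exe_links": EXE_HREF.findall(html)}


# Constructed sample messages and landing page (not real captures).
SAMPLE_LURE = """\
From: someone@example.invalid
To: you@example.invalid
Subject: Gotcha! April Fool!

Laugh with us today. http://100.123.12.1
"""

SAMPLE_BENIGN = """\
From: colleague@example.invalid
To: you@example.invalid
Subject: Minutes from Tuesday

Hi, the minutes are on the intranet at https://intranet.example.invalid/minutes
Thanks
"""

SAMPLE_LANDING = """\
<html><head><meta http-equiv="refresh" content="5;url=funny.exe"></head>
<body><a href="kickme.exe"><img src="fool.jpg"></a>
<a href="foolsday.exe">click here</a></body></html>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(score_message(sample))
    print(scan_landing_page(SAMPLE_LANDING))
```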

If I get any further useful data or news then I'll try and update this entry later today or tomorrow.

Whilst I was browsing the web looking for a good basis for an April Fools blog posting, I found these:


Please let me know if you spot any more, thanks!


Saturday, 26 January 2008

A Shocking Mobile Call...

I often receive e-mails from people who are either just forwarding the latest chain mail, urban legend, hoax or scam e-mail, or who send them to me to ask my opinion, as I have seen many of these types of e-mails over the last 15 years and can usually spot the real ones from the fake ones very quickly.

So, yesterday I was sent the following in an e-mail by someone asking me whether it was a hoax or not:



What do you think, real or hoax?

Before I give you my answer, I would like to bring to your attention the following data:

  • Most phones use power adapters that step down the voltage from standard mains [usually in the range of 110-240 Volts] to something significantly lower [usually in the range of 3-12 Volts]; not only that, these power adapters usually have a very low current rating [a quick look at several of the ones I have on hand shows that 200 mA is fairly typical].

  • There have been a number of reports of exploding mobile phones [well, actually batteries] over the last few years.

  • Most phone manufacturers' instruction manuals contain information stating that it is perfectly safe to use a mobile phone while it is being recharged.


My conclusion is that if this did happen then the phone and/or the power adapter were faulty or damaged and that this caused the effect allegedly witnessed; or else the building that the person was in at the time suffered a lightning strike which fed into the mains circuit. However, no such data is supplied and therefore it is almost impossible to corroborate or give any credence to this report. I therefore conclude that it is a hoax.

If you still think it is real and not a hoax, then I'd suggest you read the full debunk which can be found here:
http://www.snopes.com/horrors/techno/cellcharge.asp


Monday, 21 January 2008

December 2007 Malware Review

December was another busy month for me as I was writing abstracts for conferences, doing presentations and trying to take some of my holiday entitlement as well as dealing with my usual workload. This meant that I didn't have quite as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals once more during the month.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 5 years, Malware Bayesian Filter for 4 years.

In total I captured 573 samples during December, which have been catalogued as just 27 distinct families and variants. In comparison during November I captured 476 samples which were also catalogued as 27 distinct families/variants. As you can see the captures in December are up once more, but this time of year is usually quite busy.

As shown, once more, by December's statistics the general trend is still downwards. It still appears that social-engineering has been the technique of choice and that 2007 should be now known as the year of the social engineer.

During December I reported 65 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 80 percent of the samples captured in December, just short of the high points of 82 percent it had in August.

As in the top tens for September, October, and November there are still eight members of the Opaserv.worm family in December's chart. These are variants: AE, D, AJ, K, AC, AD, AI and I in second, third, fourth, fifth, sixth, seventh, eighth and tenth places respectively.

The final slot left is occupied by a re-entry, this being our old friend Dupator who returns to the top ten in ninth place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

Netsky.q [aka P] is back into the top 10, straight back in at pole position, what a comeback! It is joined by another member of the family, AA which is also a re-entry back in at eighth place.

November's pole sitter, Scano.gen has had to settle for fifth place in December's chart after falling down the chart.

In the runner-up spot, we have a new entry, this being Diehard.dc, which is not the only member of this new family, as it is joined by Diehard.db and Diehard.dd which are also new entries, straight in to the chart in fourth and seventh place respectively.

Trojan-Spy.HTML.Fraud.ay has slipped further down the chart from fourth to ninth.

This month's chart is packed with new entries, the next one is Warezov.xd, straight in to the chart and stealing the final podium place; third.

And to complete the top ten, we have two more re-entries, these being, Bagle.gt and Nyxem.e [aka MyWife.D] in to the top ten in sixth and tenth places respectively.

Kaspersky had this to say about December's chart:
"At the end of the year, the mail traffic situation suddenly changed. In place of the traditional and somewhat dull domination of the rankings by old email worms, in December we encountered the explosive propagation of a new generation of programs. A new generation which are not worms.

It's true that first place this month is taken by the veteran NetSky.q worm. It returned with a leap and a bound from beyond the bottom of the rankings, having not figured in our November Top Twenty at all. It made up 20% of mail traffic - that's almost an epidemic, and it's unclear how a worm which has been in existence for almost 4 years, and which is known to all antivirus companies, has continued to survive and spread to the present day."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has once more regained the runner-up position it last held in October's chart. Last month's pole-sitter Troj/Pushdo has further managed to consolidate its hold on pole position.

Mytob has reversed its slide down the chart, once more climbing back up from sixth to third place. W32/Zafi has continued its progress sliding further down the chart from fifth to sixth place.

Mydoom which was a re-entry in October's chart has climbed up one place from eighth to seventh place.

There are two re-entries in December's chart, these are, Troj/Dloadr, back in to the chart in eighth place, and W32/Sality back in to the chart in tenth place.

W32/Bagle is up one place from tenth to ninth and to complete the chart we have W32/Strati up from ninth to the fourth and finally Mal/Dropper is down one place from fourth to fifth place.

Here is some commentary on December from Sophos:
"Overall, 0.09 percent of emails, or one in 1111, had malicious attachments in December 2007, with Pushdo retaining its position as the most prevalent email-based malware detected in December."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is once more occupied by our old friend Dupator.

Win32.Zhelatin has managed to consolidate its hold on the final place in the chart; tenth, Win32.Agent falls a single place down from eighth to ninth, and IRC.Zapchast has bucked the trend and climbs up from ninth to fourth place.

We have three re-entries in December's chart, these are: mIRC-Based back in to the chart in fifth, Hidrag grabs sixth place and W32.Tibs takes seventh place.

The final place in December's chart is occupied by our old friend Netsky, which has fallen from grace; down from third to eighth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of December] here. This clearly shows that December was busier than both October and November. As shown in the figures for December, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or e-mails targeting particular events, such as Christmas; which can be seen in the What's New section of this blog posting.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 358,873 at the end of December. That's a growth of 136,400 new malware strains and/or variants for the whole of 2007. Just in December, the number of new malware found was 9,022.

What's New?

Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during December 2007.


Conclusions:

The current trend of using social-engineering, which was widespread from January to November, has continued during December; if anything it has accelerated, as can be seen from the examples covered above of the Storm Worm spam runs. I think it would be fair to say that 2007 has been the year of the Social Engineer. After Christmas the Storm Worm gang were working flat out producing new malware, web-sites and spam runs, but more on that another time.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during December as they are still trying out other file formats which they hope will bypass anti-spam defences.

The phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during December, especially Natwest, Nationwide and Barclays, again.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer. It seems that the malware authors are taking lessons from the phishers as we have seen several phishing quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method being used, in this blog entry.

As expected December and the run up to Christmas and the New Year was a very busy time of the year for all the bad guys and girls as they took advantage of the season of goodwill to claim even more victims.

I would like to wish you all a very happy new year, stay safe!

Links:

Please note: December's report may well be the last one I do for the foreseeable future due to changes in my role.


Wednesday, 24 October 2007

Who's the Weakest Link?

This posting discusses the findings of an online survey carried out by Sophos.

"The research shows that 31 percent of companies believe remote or mobile users expose their networks to the greatest threat, compared to 25 percent that consider guests or external contractors the greater danger. In contrast, an additional 44 percent of companies believe standard employees are actually more likely to expose the network."

The problem is somewhat more fundamental than this survey would have you believe; the problem isn't just that employees [whichever group they fall into] are a risk, the real root of the problem is that people are the weakest link in security [1]. Let me explain how I know this:

You only have to look around to see people that are taking risks either with their personal and/or computer security.

It's even worse when they behave the same way on their employer's computers or network, whether it is ignoring security policy/rules, opening attachments they shouldn't, visiting websites to retrieve e-cards or view questionable or illegal material, disabling security tools to speed up the computer, giving away personal or proprietary information, or possibly hacking into systems for either fun or profit.

The worst of it all is when 'good' people fall for the tricks used by the bad guys and girls, such as social engineering. [I've included links to a number of the risks mentioned, in the material below.]

The bad guys and girls have long known that social engineering is the most effective way to get their malware installed on a victim's computer, just as the scammers know that social engineering makes them the most money, as more victims fall for this approach than any other. I have already blogged about the 'human element' in security [or should that be insecurity? ;-)] a number of times before; be it 'click-a-holics', e-cards, lottery/grant notifications, 419 and Phishing scams, lost friends or relatives and hoaxes, in fact the whole enchilada.

This year has seen the bad guys and girls use social engineering as their number one infection vector; rarely do they now include a coded infection routine in their malware, they just get the recipient to infect their own computer, it works very well and means they have less work to do to create new malware.

Here's a good and timely example: the Adobe Acrobat [PDF] vulnerability that was first disclosed on September 20th, 2007. Here's some data from Symantec about what the bad guys and girls did with it:

"One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.

The Trojan will most likely arrive through email with a subject such as "invoice", "statement" or "bill" of some description, and just containing the .pdf file. So far we have seen the following file names used:

- INVOICE.pdf
- YOUR_BILL.pdf
- BILL.pdf
- STATEMET.pdf

If the .pdf file is opened and the vulnerability exploited, it will run code that will download an executable named ldr.exe."

In other words, once you have been socially engineered and you've opened the PDF, the exploit code will execute and your system will get infected unless you have other mitigating technologies/methodologies in place to stop it. From then on your computer is no longer yours, it belongs to the bad guys and girls.

So, what can you do to stop this particular threat [not social engineering in general]?

You can install the 'official' patch for Acrobat Reader from here, or the 'official' Acrobat Reader update from here. Trust me, I'm a security specialist ;-)

Maybe humans need to learn from the mistakes of others [history is littered with such material] so that they are less likely to repeat them, ad nauseam. Although I wouldn't bet on it happening anytime soon!

What do you think is the best way to stop people falling for social engineering?

Links to other stories/surveys on Social Engineering:

[1] In security, computer or otherwise, a system is only considered to be as strong as its weakest link; as that is the place where it is most likely to fail. Just like a real chain


Tuesday, 2 October 2007

Virus Bulletin 2007 Conference Review

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2007 conference, which was held at the Hilton Hotel in Vienna, Austria, between the 19th and 21st of September.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


"A warm and friendly welcome to Vienna, unless you're a Kangaroo!" ;-)

Day 1 - Wednesday 19th September 2007
The first day of the conference started at 10:30 with Helen Martin's opening address. This was followed at 11:00 by "A road to big money: evolution of automation methods in malware development" presented by Maksym Schipka from MessageLabs on the Technical Stream. As always Maksym's talk was both interesting and contained lots of useful information.

The final session on the Corporate Stream before lunch was also interesting, a presentation by Abhilash Sonwane of Cyberoam entitled "Changing battleground: security against targeted, low-profile attacks". This talk touched on cyber-crime and targeted attacks which would be mentioned throughout most of the rest of the conference presentations; from different perspectives.

Then it was time for lunch.

After lunch, the conference continued in its normal two stream mode; Corporate stream and Technical stream. Normally I spend most of the conference in the technical stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream. The first two presentations after lunch were:

  • DSD Tracer - implementation and experimentation - Boris Lau, Sophos

  • Pimp my PE: taming malicious and malformed executables - Casey Sheehan, Sunbelt Software

Then we had a short break for tea and coffee before attending the final pair of presentations on the technical stream. These were:

  • Anti-rootkit safeguards: welcome Vista - Aleksander Czarnowski, Avet

  • Patching. Is it always with the best intentions? - Alex Hinchliffe, McAfee

I decided to sit in on one of the two vendor presentations after the day's main proceedings, and I chose the one by my good friend Larry Bridwell from Grisoft [AVG]. It was a great presentation; instead of the dry marketing material he was given, he gave a very entertaining one instead. This rounded off the day wonderfully!

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

Day 2 - Thursday 20th September 2007
Day two started early for me as I was the first speaker to present on the Corporate Stream, so I had to get there early to check that my laptop worked fine with the projector, it did.

So, promptly at 09:00 I gave my own presentation based on my paper entitled "The journey so far: trends, graphs and statistics". Instead of trying to cover everything in the paper, all 30,000 words of it, I decided to just cover the key statistics, trends and a few examples, such as Brain, Casino and Ambulance.A, as well as some e-mail worms, such as Sircam, Loveletter and MyParty. When I was researching the paper I noticed that quite a few myths existed about the early days of malware, so I covered a number of these too.

I even finished on time and got asked several questions.

Next up, straight after me was the following presentation:

  • What a waste - the AV community DoS-ing itself - Joe Telafici, Dmitry Gryaznov, McAfee

This was an interesting look at sample sharing between security companies and researchers, the end result is often lots of duplicated samples and sets; these can easily be in excess of 500GB. In fact the guys from McAfee are seriously looking at drives that have a larger capacity than 1TB.

Then it was time for a quick tea/coffee break. During this I received quite a lot of very positive feedback on my presentation, as well as discussing several issues that I had mentioned with some of the original researchers who were there when the events I covered happened. The results from these discussions have enabled me to update my paper to be more accurate and to offer yet another set of first-hand witnesses to those events.

After the break I decided to stay on the Corporate Stream for the rest of the morning. These were the next batch of presentations:

  • The WildList is dead, long live the WildList! - Andreas Marx, Frank Dessmann, AV-Test.org

  • Have you got anything without spam in it? - Tim Ebringer, CA

  • A testing methodology for rootkit removal effectiveness - Josh Harriman, Symantec

Although all of these were interesting I found the presentation by Josh Harriman very interesting and engaging. He covered the results of tests with rootkits against cleaning/removal tools and showed that fairly often they don't remove all the components of the rootkit and/or the other system changes made by them.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

After lunch, once more I decided to sit in on the Corporate Stream until the tea/coffee break, at least. The next two presentations were:

  • Transforming victims into cyber-border guards: education as a defence strategy - Jeannette Jarvis, Microsoft

  • Phish phodder: is user education helping or hindering? - Andrew Lee, Eset; David Harley, Small Blue-Green World

Both of these were interesting, and in the case of the latter one also quite amusing as David and Andy's presentation included a 'Game Show'.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Technical Stream as I was chairing the next two 'Last-minute' presentations, these were:

  • Andrew Walenstein, University of Louisiana at Lafayette

  • Erik Wu and Feike Hacquebord, Trend Micro

This is a new section of the conference, and it seemed to work reasonably well, although in some cases the presenters appeared to have submitted presentations that were originally meant for the normal 40 minute slots, rather than the 20 minute slots they tried to shoe-horn their longer presentation into. I think this area still needs a little tweaking. In fact, although this was only being tried out on the Technical Stream it may well be better suited to the Corporate Stream instead.

After these, I made a quick dash back to the final presentation on the Corporate Stream. This was:

  • Pump-n-dump for fun & profit: an in-depth look into stock spam and brokerage account compromise operations - Dmitri Alperovitch, Secure Computing

This was a very interesting presentation as it suggested that the so-called Pump-n-Dump scams didn't work the way many of us had imagined. It was less Pump-n-Dump and more just dump the stock they had acquired by creating an artificial market for it.

As on the first day of the conference, I decided to sit in on a vendor presentation after the day's main proceedings. This time it was Vinny Gulloto from Microsoft, and as with Larry's it was an entertaining one with very little marketing. Vinny also let slip that he had a waiting list of malware/anti-malware researchers who wanted to join him at Microsoft. This immediately put me in mind of the song "As some day it may happen" from Gilbert and Sullivan's "The Mikado", where the song is sung by Ko-Ko (The Lord High Executioner) as he goes through an imaginary list. So much so, that I found it hard not to whistle the tune! ;-)

Later we had the "pre-dinner drinks and the Gala dinner and cabaret". As always the food was excellent and the entertainment was typically Viennese; two couples performing various types of waltzes. This was followed up after dessert by our own private casino.



Day 3 - Friday 21st September 2007
The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Menace 2 the wires: advances in the business models of cybercriminals - Guillaume Lovet, Fortinet

This presentation expanded on the one that Guillaume had given last year, which included a quote that claimed that "Cyber-crime was now more profitable than running drugs". Once more he had some very interesting material to share, including a fax from the CEO of e-Gold.

So, another quick tea and coffee break and then more from the Corporate Stream:

  • The trojan money spinner - Mika Ståhlberg, F-Secure

  • Once upon a time a trojan... - Luis Corrons, Panda

  • New approaches to categorising economically-motivated digital threats - Anthony Arrott, David Perry, Trend Micro

All of these were very good and interesting talks and all covered cyber-crime in one form or another.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all, especially by those who were trying to trick Jeanette Jarvis of Microsoft.

After lunch I spent the first part of the afternoon on the Technical Stream. These were the presentations I sat in on:

  • A deeper look at malware - the whole story - Bryan Lu, Fortinet

  • Malware removal - beyond content and context scanning - Tom Brosch, Maik Morgenstern, AV-Test.org

Both of these were interesting if a little obscure in parts. Both talks prompted a number of questions from the audience. Then it was time for the final refreshments break. Yes, it was the very last VB2007 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference were straight after the break and I decided that I'd sit in on the last one on the Corporate Stream. This was:

  • Future threats - John Aycock, Department of Computer Science, University of Calgary; Alana Maurushat, Faculty of Law, University of New South Wales

Although all the conference papers presentations had finished there was a very interesting and lively panel discussion:

  • The fight against international cyber crime - enforcing the law - David Thomas, FBI, Stacy Arruda, FBI, Kevin Zuccato, Australian Federal Police, Mark Oram, CPNI

Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin. It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be a case of "I'm Spartacus", as a lot of people seemed to be wearing Dr. Vesselin Bontchev's name badge, and no, it wasn't him in varying disguises either!

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2007/slides/index.xml

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2007/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Vienna, here: http://www.flickr.com/photos/14178057@N07/sets/72157602179472057/detail/

Yes, the pictures include the "welcoming statue", along with details on where in Vienna the picture was taken.

Oh yes, before I sign off, I really ought to own up that I, rather ironically, caught a virus whilst attending the Virus Bulletin conference! No, not a computer virus, a cold/flu variant. At least it waited for me to get back home before it knocked me off my feet and left me sounding like Barry White (after gargling bricks and broken glass). Back in Chicago [VB2004] I wasn't so lucky, I went down with almost the same thing whilst travelling to Chicago and tortured everyone that came to my presentation with my 'interesting' vocal range; from deep-bass, to Kermit-the-frog-a-like, to loss-of-signal. I don't know who suffered more, the audience or me ;-)

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Ottawa, Canada at the start of October 2008. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?


Friday, 27 July 2007

Asked By A Reader...

The following question was asked by a reader of this blog, and I informed the reader that as it was a good question and that the answer is quite involved, that I'd cover it later as a separate blog entry, so here we go.

Here's the question:

"Since you are discussing Spam I will ask a question that I've had for some time. Why can't email vendors (google, AOL, MSN, etc.) set up on one of their gateways to return emails as undeliverable, if their customer puts the mail in a Spam folder. Won't that result in the Spammer removing the email from their distribution list after a few undeliverable messages?"

And here's the answer:

Nice idea, if the vast majority of spammers:

  • Didn't fake [spoof] the address that the e-mail appears to be from. Because they do, the real spammer rarely sees any bounces, as all bounced mail ends up going to the e-mail address that the spammers stole; this type of attack is known as a 'Joe Job'. In some cases this is intentional, to try and discredit a company or individual.

  • Didn't totally ignore unsubscribe requests. In fact, trying to unsubscribe only makes your e-mail address more valuable to the spammers, as it means it is active. You will get more, not less, spam if you insist on using them.

  • Weren't criminals using botnets to send 90 percent of their 'crud'. As these criminals are using computers that they have infected with malware to send their 'crud' through, they have little to fear from their own ISPs.

So, the bottom line is, nice idea, but it is completely unworkable using the current SMTP standards. SMTP2 anyone?

A quick update on my latest anti-spam experiment:

Since my last posting I've received just 12 spam/malware e-mails which managed to sidestep the new defences. To put this in context, before I put these new techniques in place I usually received around 1,000 e-mails a day, of which about 90 percent were spam, so instead of around 900 spam e-mails a day, I'm now getting about 6!

So, does anyone have any other questions they would like me to try and answer, or have anything to say about this one?

* I'll cover this in detail in another posting.


Wednesday, 25 July 2007

Experiments In Spam

No. This doesn't mean I've been dabbling in creating or sending spam...Quite the opposite, in fact.

Last night I took a step into the unknown: I made major changes to the way I deal with spam arriving at my personal mail server. Why?

Well, at the moment I use a mix of Bayesian filtering, custom filtering rules and a DNS Blacklist to tag known spam. This works well, as I still get to see the spam so that I can analyse it, generate statistics, etc. which I use for trend analysis, in reports [such as my Monthly Malware Reviews], presentations and so on.

However, I just don't have the spare capacity to manage this at the moment as I have other commitments that need to be given 90 percent or more of my time so that I can complete them.

To this end I thought I'd try a different approach to spam.

What I put in place last night are a number of techniques which I'm using to no longer just flag [tag with custom headers] spam [so they can be filtered out and analysed later]. Instead I'm actively rejecting it at my mail server using a mixture of custom Content Control/Compliance rules, DNS blacklists [such as Spamhaus and Spamcop], and Graylisting.

My Bayesian classifier will still be used to deal with anything that gets through. I estimate that using Graylisting and aggressive DNS blacklisting will drop the amount of spam I have to process down to around 10 percent, rather than the 90 percent it stands at now, as you can see from the following graph:



Early results seem to confirm my estimates, as overnight my usual haul of spam* has dropped from the typical 400-600 to just 12, quite an effect!

Furthermore it appears from these early results that several spammers, scammers and malware authors have already adapted their tools/techniques to handle Graylisting. This can be seen because, instead of the mail being sent once, rejected [temporarily] and never seen again [as happens with most spam/scams/malware distributed via e-mail], the 'Bad Guys and Girls' appear to have added a 'retry' feature to enable them to slip past Graylisting as if they were a real 'mail server' which fully supports the relevant RFCs [SMTP standards].

To check this, I have investigated the raw e-mail headers and I can confirm that not one of these 'spammy' e-mails that managed to get past the Graylisting tool used a third party MX, they ALL came directly from the infected [bot controlled] system or spammers own system, usually a DSL connected PC.

So, it looks like Graylisting may only be useful for a while; as usual, I suspect it will be my usual approach that copes best, this being Defence in Depth.
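Greylisting and the 'retry' trick, as an added example that is not part of the original post or the author's own mail server setup: a small Python greylist keyed on the (sender IP, envelope sender, recipient) triplet, a fire-and-forget bot, a bot that retries like the ones described above, and a constructed set of listed IPs standing in for a DNS blacklist placed in front of it. The IPs, addresses, delay and window values are all assumptions chosen for the simulation.

```python
"""Greylisting simulation (added example, not the blog's mail server config).

Shows why a temporary reject stops fire-and-forget spam bots, why a bot that
retries gets past greylisting on its own, and why a DNS blacklist check in
front of it (Defence in Depth) still catches the retrying bot.
"""
from dataclasses import dataclass, field

# Assumed policy values: a retry is only honoured after GREYLIST_DELAY seconds,
# and a triplet not retried within GREYLIST_WINDOW is forgotten again.
GREYLIST_DELAY = 300          # 5 minutes
GREYLIST_WINDOW = 4 * 3600    # 4 hours

GREY = "451 4.7.1 greylisted, try again later"   # temporary failure
ACCEPT = "250 accepted"
LISTED = "554 5.7.1 sender IP listed in blacklist"

# Constructed stand-in for a DNSBL lookup (Spamhaus, Spamcop, ...): the one
# bot address below is "listed", the legitimate server is not.
CONSTRUCTED_DNSBL = frozenset({"203.0.113.77"})


@dataclass
class Greylist:
    """Tracks when each (ip, mail_from, rcpt_to) triplet was first seen."""
    first_seen: dict = field(default_factory=dict)

    def check(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        triplet = (ip, mail_from.lower(), rcpt_to.lower())
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > GREYLIST_WINDOW:
            # Never seen (or stale): record it and ask the sender to retry.
            self.first_seen[triplet] = now
            return GREY
        if now - seen < GREYLIST_DELAY:
            # Retried too quickly: a real MTA queues and waits, so still defer.
            return GREY
        return ACCEPT


def defence_in_depth(greylist, dnsbl, ip, mail_from, rcpt_to, now):
    """Blacklist first, then greylist: a listed IP never reaches the greylist."""
    if ip in dnsbl:
        return LISTED
    return greylist.check(ip, mail_from, rcpt_to, now)


def run_scenario(attempts, dnsbl=frozenset()):
    """attempts: list of (seconds, ip, mail_from, rcpt_to). Returns the replies."""
    greylist = Greylist()
    return [defence_in_depth(greylist, dnsbl, ip, frm, to, ts)
            for ts, ip, frm, to in attempts]


def delivered(replies):
    """True if any attempt in the scenario was accepted for delivery."""
    return any(reply == ACCEPT for reply in replies)


# Constructed scenarios (TEST-NET addresses, made-up mailboxes).
LEGIT_MTA = [                      # a real mail server: retries from its queue
    (0,   "198.51.100.10", "alice@example.org", "me@example.net"),
    (60,  "198.51.100.10", "alice@example.org", "me@example.net"),  # too soon
    (600, "198.51.100.10", "alice@example.org", "me@example.net"),  # accepted
]
FIRE_AND_FORGET_BOT = [            # classic bot: one shot, never retries
    (0, "203.0.113.77", "spoofed@example.com", "me@example.net"),
]
RETRYING_BOT = [                   # the adapted bot the post describes
    (0,   "203.0.113.77", "spoofed@example.com", "me@example.net"),
    (900, "203.0.113.77", "spoofed@example.com", "me@example.net"),
]

if __name__ == "__main__":
    print("legit MTA          :", run_scenario(LEGIT_MTA))
    print("fire-and-forget bot:", run_scenario(FIRE_AND_FORGET_BOT))
    print("retrying bot       :", run_scenario(RETRYING_BOT))
    print("retrying bot + DNSBL:", run_scenario(RETRYING_BOT, CONSTRUCTED_DNSBL))
```

Greylisting alone delivers the retrying bot's mail on its second attempt; only the blacklist layer in front of it stops that sender, which is the Defence in Depth point above.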

No doubt I'll make some changes to the current configuration, tweaking it, maybe adding/removing things, either way, I'll keep you posted...In the meantime, a question for you:
"How do you deal with spam?"

On the spam front there have been a couple of new developments, but that's another posting ;-)

* In this case spam refers to not only UCE [Unsolicited Commercial E-mail], but also Malware and Scams [Phishing and 419s] too.


Monday, 23 July 2007

June 2007 Malware Review

'Flaming June' has come and gone, however in the UK it wasn't 'Flaming' as in hot, it was instead 'Flaming Wet' as large parts of the UK suffered from flash or prolonged flooding for parts of the month.
We are now past the halfway point of 2007 and I'll include some comments on trends, etc. that have occurred during the first half of the year.

Once more on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured only 209 samples during June, which have been catalogued as 31 distinct families and variants. In comparison during May I captured 800 samples which were catalogued as 35 distinct families/variants. As you can see the captures in June are significantly down from May's total.

During June I captured and submitted no brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention.

The June statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During June I reported just 26 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart.

There are just four [down from five] members of the Opaserv.worm family in June's chart. These are variants: AE, D, I and AC in second, seventh, eighth and tenth places respectively.

The Netsky family is back in the top ten again after dropping out of the chart completely in May. We have a trio of family members in June's chart, these are: Q [aka P] back in at fourth place, Y back in at fifth and finally X back in at sixth place. Looks a bit like the London Bus effect: wait for ages for one to appear, and then three appear at the same time!

As with Netsky, we have one final re-entry in June's top ten, this being Zapchast which has managed to steal the final podium position coming back in to the third spot.

The final slot left is taken by Dupator, which is up one place from tenth to ninth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for June once more has Mytob.c in seventh place, which it managed to climb to back in February; it seems to have set up home there and put down roots!

Netsky.q [aka P] has climbed up from the runner-up spot it held in March and lost in April to snatch pole position in June's chart. It is joined by three other family members. Netsky.t, February's pole sitter, which slipped down to fourth during March and was back in first place in May, has fallen two places to occupy the final step of the podium, third place. Mirroring that change, Netsky.aa has gained two places, up from sixth to fourth place.

Bagle.gt has further reversed its slow journey down the chart, climbing back up the chart one more place from third to take the runner-up spot; second.

Worm.Win32.Feebs.gen has fallen back down one place from fifth to sixth effectively reversing its progress from May.

We have three new entries in June's chart, all members of the same family, this being Warezov. We have variant OZ straight in to the chart in fifth place, variant OV occupying the eighth spot, and finally variant OP in ninth place.

To complete the top ten, we have a re-entry, this being an oldie; Mydoom-L which takes the final slot in tenth place.

Kaspersky had this to say about June's chart:

"After a long break, first place was again taken by the all-time leader of 2004 and 2005: the NetSky.q worm. Right on its heels is a worm from an equally old family, Bagle.gt. Meanwhile, NetSky.t, the leader in May, slipped very slightly down the table, ending up in third place.

Probably the most noteworthy event this month was the disappearance of May's rabble-rouser, Sober.aa. This virus appeared after a six-month stint in the shadows, suddenly taking fourth place before disappearing again. Will we be seeing this family in our reports again? I suspect not".



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has regained its grip on pole position, which it lost during May, and is back as the pole sitter. May's pole sitter, Sober, has once more dropped out of the top ten.

Mytob has managed to climb up the chart one place, to steal the runners-up place on the podium after being static in third place back in April and May.

The final step of the podium; third, is taken by a new entry which has only appeared in SOPHOS's web threat chart before. This new entry is Mal/Iframe.

Here is some commentary on it from Sophos:
"Interestingly, Mal/Iframe's appearance in the email-based chart demonstrates that it is not limited to only infecting via the web. Hackers can embed the malware into emails using HTML to exploit users".

Mydoom which was a re-entry in November's chart has recovered more ground during June after falling to seventh place in April and climbing to fifth in May, it is now up one more place to fourth.

November's new entry, Sality has reversed its slide down the chart, jumping up three places from effectively eighth place in May to fifth in June.

Zafi-D which dropped from February's fourth to sixth place in March and which reversed its slide down the chart, ending up in fifth place in April has now halted its slide, and is sitting in sixth place as it was in May.

Bagle is up a single place in June's chart from eighth to seventh place. Meanwhile Nyxem.D [aka MyWife] is likewise static in tenth place.

To complete the chart we have two re-entries, these are: Mal/DownLdr in eighth and W32/Stratio in ninth.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is not headed up by the September 2005 leader, Tenga. Its crown has been stolen once more, this time by Opaserv. Tenga has been forced to accept the runners-up spot; second in June.

The final step of the podium, third place, has been occupied by Netsky which is up from the fifth place it held in May.

Zapchast which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March then suffered a setback, slipping down to eighth place in April and to ninth in May, has experienced a major turn around, storming back up the chart and taking fourth place in June.

W32.Dupator has moved up one place in June from sixth to fifth place.

The rest of June's chart is made up by re-entries, these are: Tibs, Spaces, MyDoom, Small and finally Funlove, in sixth, seventh, eighth, ninth and tenth places respectively.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of June] here. This clearly shows that June was busier than May which was the quietest month since I started keeping these statistics. As shown in the figures for June, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 275,995 at the end of June. That's a growth of 53,522 new malware strains and/or variants in the first half of 2007, in June the number jumped by over 10,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 107,044. Things have certainly speeded up during the second quarter of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in May 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - May has continued in June, if anything it has accelerated.

We have seen another rise in the level of spam during June and this may have dented the figures for 419s, Phishes and Malware arriving via e-mail; only time will tell.

The Phishers have been busy both with new versions of their scams, and also trying to recruit new 'staff' to launder the proceeds of their criminal activity [as can be seen in the article I have included in this month's report]. It seems that they have more material [stolen accounts/credentials/credit card data] than they can handle, which is both gratifying [as they can't deal with more than a percentage of what they have acquired] and worrying [that they have managed to amass so much personal/financial data in the first place].

Another trend which has made itself very obvious during the first half of the year is that of the malware authors relying on social engineering to get victims to infect their computers, rather than having to use exploit code or include mass-mailing or other infection routines into their creations.

The final trend I wish to mention that has become prevalent this year, and ties up with the social engineering comments above, is that the malware authors and cyber-criminals are increasing their use of web sites to hold their malware and sending e-mails that contain nothing more than a link to it. In many cases this is not just a single web site, but can be as many as 10,000.

Looks like we could be in for a very interesting second half of the year!

Links:


Tuesday, 5 June 2007

Marks & Spencer Vouchers Hoax

Oh dear, someone obviously has a grudge against either Marks and Spencer or Persimmon Homes, or both, as some nice person has created a new 'forward e-mail for money/prizes' hoax.

Here's the version that is currently clogging up inboxes and mail systems all over the UK.

Fw: Free M&S vouchers
Marks & Spencer's, in conjunction with Persimmon Homes, are giving away free vouchers. Marks & Spencer's are trying word-of-mouth advertising to introduce its products and the reward you receive for advertising for them is free non-refundable vouchers to be used in any M&S store.

To receive your free vouchers by e-mail all you have to do is to send this email out to 8 people (for £100 of free vouchers) or 20 people(for £500 of free vouchers).

Within 2 weeks you will receive an e-mail with your vouchers attached. They will contact you through your e-mail address.

Please mark a copy to:[email address removed]

How do I know this is a hoax? Well, for one I have spoken to Persimmon Homes and they are aware of the hoax, their e-mail systems are in meltdown because of it, and they will be putting a warning about this hoax on their website later today.

Secondly, it seems that the person behind it has simply taken an existing hoax aimed at Sony Ericsson, which is based on an even older hoax which targeted Nokia.

Just to sum up; this e-mail is both a hoax and a chain e-mail. You will not get any vouchers but you will annoy lots of people if you insist on sending this to 8-20 people, so just say NO and don't forward it.

If you want to see more of these sorts of debunks of scams, hoaxes, urban legends, etc. then take a look at my site dedicated to these things: cluestick.info.

UPDATE:

Persimmon have now added a note to one of their webpages about this, screenshot below:



Quite why they tucked it away there instead of on one of the front pages of their sites I don't know; it seems they don't want to help themselves.

It appears that anyone now sending an e-mail to the address in the hoax will get an auto-response stating:
A hoax e-mail is being circulated offering a promotion of free Marks and Spencer vouchers for forwarding the e-mail to colleagues and friends.

Neither Marks and Spencer nor Persimmon Homes have made any such promotional offer.

Please delete the hoax e-mail and notify the people to whom you have sent it that it is a hoax.

'Nuff said!
