July 2009 Report #31

Transcription

1 July 2009 Report #31 Spam volumes continue to fluctuate but averaged approximately 90 percent of all messages in June The recent death of Michael Jackson, and the subsequent public interest combined with the Fourth of July holiday show that spammers are willing to use any notable event as a cover to distribute their messages. Various image spam obfuscation techniques that have recently been observed demonstrate that spammers continue to invest in this particular spam threat. The following trends are highlighted in the July 2009 report: Different Faces of Michael Jackson Spam and Malware 4th of July Holiday Brings Fireworks and More Spam Campaigns Image Spam Update Mass-Mailing Worm in Fake Twitter Account Invite Spam Percentage: The model used to calculate spam percentage now factors in network layer blocking in addition to SMTP layer filtering, and as a result represents a more accurate view into the actual spam percentage on the Internet. Doug Bowers Executive Editor Antispam Engineering Dermot Harnett Editor Antispam Engineering Cory Edwards PR Contact cory_edwards@symantec.com

2 Different Faces of Michael Jackson Spam and Malware As the focus on Michael Jackson s life and death continues, it is not surprising that spammers and malicious code authors have turned their attention toward it. Since his death on June 25, 2009, several spam and malware campaigns have taken shape. The top spam subject lines containing a reference to Michael Jackson were: Who killed Michael Jackson? All M. Jackson's faces Jackson is still alive: proof Remembering Michael Jackson Michael Jackson, Farrah Fawcett and You... Tonight: Celine Dion Reflects on Michael Jackson! Remembering Michael Jackson - the King of Pop;Transformers; Jackson ordered too close Neverland The Many Fasces Of Michael Jackson. At its peak, spam related to President Obama during his first 100 days in office accounted for approximately two percent of all spam messages. At this time, less than one percent of all spam messages make reference to Michael Jackson s life and death. However, as the interest surrounding Michael Jackson s life and death continues, Internet users should expect to continue to see threats that try to play upon the emotions and curiosity of the public around this event. recipients should be extra cautious about messages that appear to be related to Jackson s death, especially any that comes from an unknown or unexpected source. The following are some notable examples of the Michael Jackson related spam and malware campaigns: Sample 1 Symantec has discovered a mass-mailing worm using Michael Jackson's death as bait. The worm sends out spam s with the subject Remembering Michael Jackson and an attachment named Michael songs and pictures.zip. The.zip file contains another file called MichaelJacksonsongsandpictures.doc.exe, which is a copy of the worm that is executed on the user s machine when the file is opened. Sample 2 A spammer, pretending to be a Michael Jackson concert ticket officer based in London, sends out a message that requests the recipient s information in order to receive reimbursement for the ticket.

3 Different Faces of Michael Jackson Spam and Malware Sample 3 Spammers hide behind a spoofed message, which appears as a rip-off of a familiar social network notification, in an attempt to entice recipients to open a malicious URL. Sample 4 Spammers disguised as a press organization attempted to lead recipients to a malicious URL.

4 Fourth of July Holiday Brings Fireworks and More Spam Campaigns For many years now, Symantec has observed that holidays and other days of remembrance such as Mother s Day and Father s Day have received particular attention from spammers as they realize these days can be used as vehicles to deliver some of their most malicious campaigns. This July 4th was no exception as spammers tried to use the spirit of Independence Day for their own benefit. Among the spam campaigns observed was a spam attack that contained a URL link. This URL claimed to contain a video of a fireworks show for the Fourth of July celebration. However, clicking on the "video" would lead to a W32.Waledac executable. The top ten spam subject lines relating to the Fourth of July holiday were: 1. America the Beautiful 2. Kick off the 4th with Free Shipping & amazing 3-day specials! 3. It's Almost Over! 4th of July Free Shipping 4. Find cheap alternative to expensive American medications. 5. American Independence Day 6. Well done 4th! 7. Bright and joyful Fourth of July 8. Fabulous Independence Day firework 9. Happy Birthday America! 10. Happy Fourth of July The Fourth of July fireworks may be over for another year, but expect to see more Independence Day spam campaigns in Spam campaigns focused on the holiday season are expected to start even earlier this year due to the current economic climate. Users will see spammers following suit and unleashing their end of year holiday campaigns during the next quarter.

5 Image Spam Update The trend of spammers using attachment images to get the attention of certain users continues to re-emerge as a top spam threat. The interesting highlight behind this spam trend is the manipulation of images by using geometric shapes and figures in the image background. In the past, Symantec has encountered background color blocks, wavy text and multi-colored blurred backgrounds. Spammers are using a combination of these tricks in the most recent wave of attachment spam attacks. The spammers have also recently mutated the image to include cartoon image comparisons of the male anatomy along with the advertised website. Below is an example of an image spam attack that emerged earlier this year. Spammers used a.gif formatted image attachment with different colored background and random lines.

6 Mass-Mailing Worm in Fake Twitter Account Invite Last month Symantec reported that spammers used Twitter as bait to lure innocent victims into a phishing trap. Currently we are observing a wave of fake Twitter invitations that come carrying a mass-mailing worm. The observed messages appear as if they have been sent from a Twitter account; however, unlike a legitimate Twitter message, there is no invitation URL present in the body. Instead, the user will see an attachment that appears as a.zip file that purportedly contains an invitation card. Invitation Card.zip is the name of the malicious attachment, and it is being identified as W32.Ackantta.B@mm, which was first discovered in an e-card virus attack in February. W32.Ackantta.B@mm is a mass-mailing worm that gathers addresses from the compromised computer and spreads by copying itself to removable drives and shared folders. As Twitter continues to gain popularity among social networkers, people are regularly receiving invitations and updates from fellow users. We expect that spammers will continue to use Twitter and other popular social networks as bait in their attacks.

7 Metrics Digest: Regions of Origin Defined: Region of origin represents the percentage of spam messages reported coming from certain regions and countries in the last 30 days.

8 Metrics Digest: URL TLD Distribution Metrics Digest: Average Spam Message Size Metrics Digest: Percent URL Spam

9 Metrics Digest: Global Spam Categories: Internet attacks specifically offering or advertising Internet or computer-related goods and services. Examples: web hosting, web design, spamware Health attacks offering or advertising health-related products and services. Examples: pharmaceuticals, medical treatments, herbal remedies Leisure attacks offering or advertising prizes, awards, or discounted leisure activities. Examples: vacation offers, online casinos Products attacks offering or advertising general goods and services. Examples: devices, investigation services, clothing, makeup Financial attacks that contain references or offers related to money, the stock market or other financial opportunities. Examples: investments, credit reports, real estate, loans Scams attacks recognized as fraudulent, intentionally misguiding, or known to result in fraudulent activity on the part of the sender. Examples: Pyramid schemes, chain letters Adult attacks containing or referring to products or services intended for persons above the age of 18, often offensive or inap- Fraud attacks that appear to be from a well-known company, but are not. Also known as brand spoofing or phishing, these messages are often used to trick users into revealing personal information such as address, financial information and passwords. Examples: account notification, credit card verification, billing updates 419 spam attacks is named after the section of the Nigerian penal code dealing with fraud, and refers to spam that typically alerts an end user that they are entitled to a sum of money, by way of lottery, a retired government official, lottery, new job or a wealthy person that has that has passed away. This is also sometimes referred to as advance fee fraud. Political attacks Messages advertising a political candidate s campaign, offers to donate money to a political party or political cause, offers for products related to a political figure/campaign, etc. Examples: political party, elections, donations