Wednesday, April 29, 2009

Waledac Moving on to . . . Canadian Pharmacy?

After monitoring the Waledac "infection domains" for more than a month, our last "interesting" event was the change in Look & Feel to the SMS Spy Program which we wrote about back on April 15th. In that blog article we mentioned that basically ALL of the domains used by Waledac, through the Valentine's Day campaign, the Couponizer campaign, the Terror Alert campaign, and the SMS Spy campaign, were all still alive!

Here's the newest change. ALL of the Waledac infection domains have now morphed into pill sites, and MANY of the older Waledac domains have finally been terminated.

Here's where we stand with live FORMER Waledac domains. Many domains from the "Terror Alert" and "SMS Spy" campaigns are now forwarding on a random basis to domains which are either hosting Canadian Pharmacy or Canadian Health & Care Mall.

Of the Waledac domains that we were tracking, the following are now live forwarding domains:

antiterroralliance.com
blogginhell.com
blogsitedirect.com
boarddiary.com
discountfreesms.com
downloadfreesms.com
eccellentesms
fearalert.com
freecolorsms.com
freesmsorange.com
ipersmstext.com
nuovosmsclub.com
primosmsfree.com
smsclubnet.com
smsinlinea.com
smsluogo.com
superioresms.com
terroralertstatus.com
virtualesms.com


"Canadian Health & Care mall" at arzuhuxupi.com
"Canadian Health & Care Mall" at rahtydryo.com
"Canadian Health & Care mall" at vennocvajgo.com

"Canadian Pharmacy" at earpassionate.com
"Canadian Pharmacy" at transformationforgiving.com
"Canadian Pharmacy" at giftedaglow.com
"Canadian Pharmacy" at strivingalive.com


The following Waledac domains now appear to be terminated:

adorepoem.com
adoresong.com
adoresongs.com
againstfear.com
bestadore.com
bestbreakingfree.com
bestcouponfree.com
bestgoodnews.com
bestlovehelp.com
bestlovelong.com
bluevalentineonline.com
breakingfreemichigan.com
breakinggoodnews.com
breakingkingnews.com
breakingnewsfm.com
breakingnewsltd.com
chatloveonline.com
cherishletter.com
cherishpoems.com
codecouponsite.com
funloveonline.com
funnyvalentinessite.com
goodnewsdigital.com
goodnewsreview.com
greatcouponclub.com
greatsalesgroup.com
greatsalestax.com
greatsvalentine.com
greatvalentinepoems.com
linkworldnews.com
lovecentralonline.com
lovelifeportal.com
reportradio.com
romanticsloving.com
smartsalesgroup.com
spacemynews.com
supersalesonline.com
thecoupondiscount.com
thevalentinelovers.com
tntbreakingnews.com
wapcitynews.com
whocherish.com
wirelessvalentineday.com
worldlovelife.com
worldnewsdot.com
worshiplove.com
worldtracknews.com
youradore.com
yourbreakingnews.com
yourcountycoupon.com
yourgreatlove.com
yourvalentinepoems.com

Tuesday, April 21, 2009

President Obama's CTO: Aneesh Chopra

Photo From Virginia.gov
Like so many others who were playing the guessing game regarding President Obama's new CTO, I was wrong. I take comfort in failing along with BusinessWeek, ZDNet, Forbes, TheStreet, The Wall Street Journal and others to guess who would fill the office.

We might have taken a hint from one of President Obama's recent speeches to Congress, where he said:

"Our recovery plan will invest in electronic health records and new technology that will reduce errors, bring down costs, ensure privacy, and save lives."
-- (Transcript 24FEB09)

Aneesh Chopra's bio on his Virginia website points out that he chairs the "Solutions Committee of the IT Investment Board, the Effectiveness and Efficiency Committee on the Council on Virginia's Future, and co-chairs the Healthcare IT Council". He was awarded the Healthcare Information and Management Systems Society's 2007 State Leadership Advocacy Award, and was named one of the top 25 by Government Technology magazine's Doers, Dreamers, and Drivers magazine.

In 2006, ExecutiveBiz.com interviewed Mr. Chopra on his new position as Secretary of Technology for the Commonwealth of Virginia. His answer to the question "What is your background?" lines up well with President Obama's vision for secure electronic healthcare records:

ExecutiveBiz: What is your background?

Aneesh Chopra: Professionally, I am a managing director at a think tank with a focus for the health care industry, but a big portion of my professional background has been studying ways that technology can fundamentally transform the healthcare industry in particular. Also, I internally helped launch the Advisory Board's first software-based membership business. So not only have I been researching technology and how I can benefit the healthcare industry, I have been business development wise active in the use of technology to grow our own business.


It was clear from his work in the job though that Health Care was not his only focus. Here were some answers regarding educational technology, another area on which the Secretary turned his attention while in office in Virginia, from one of the 46 podcasts his office put out during his time there (03/25/09 - Secretary Chopra discusses technology in the classroom):


We have an innovation imperative in the Commonwealth, and frankly for the country, and it requires us to think anew about how we produce students who are globally competitive. There are three basic questions we have to ask:
What are we actually teaching our kids?
How are we teaching our kids?
What are the tools with which we can allow the sharing of ideas and the process of learning how to teach our kids?
In each of these areas there is a place for technology to play a role, in some cases a direct role, and in other cases more of an indirect role.


In his 2007 Accomplishments podcast (January 9, 2008) he stressed three Public/Private Partnerships, including:

a Google partnership to produce Google SiteMaps of 55 government websites, mapping more than 200,000 state webpages to increase their ability

Microsoft Virtual Earth helped create Campus Safety maps to help identify resources and plans for various emergencies on campus as a reaction to school shootings.

Cox and Comcast Cable began offering "GED On Demand" for free to more than 1 million broadband subscribers in Virginia.

1 of 3 new jobs created in Virginia came from high-tech jobs, and 30% of all wage-earners in Virginia received their pay from a technology related job.

5 innovators in HealthCare IT, 3 of which provided an 8-fold return on the investment. The Virginia HealthCare Exchange Network was created as part of the initiative.

Many other initiatives were described, making this podcast well worth listening to in order to learn more about how our nation's new CTO thinks about Technology. Many of these initiatives were grant-generated, by placing challenges into the community and asking for innovators who have solutions to step forward to address government productivity, broadband, and government IT.

To summarize what I see about Aneesh Chopra - he's proven that he knows how to solicit ideas from innovators, shape them into actual solutions, and roll them out as successful products. He did it in the business world, he did it in his HealthCare IT think tank, and he did it for the State of Virginia. I look forward to seeing what he can do for our nation.

I'm especially interested to see what types of reforms a technology thinker can bring to our Criminal Justice systems! At UAB Computer Forensics our partnership between Computer Science and Justice Science is based on the concept that when Computer Scientists are presented with Criminal Justice problems, good technology things can happen. Hopefully this will be one of our new CTO's priority areas as well.

Wednesday, April 15, 2009

Waledac shifts to SMS Spy program

We've known that Waledac spreads itself via Social Engineering - convincing users that they WANT to download a program. Recently we've seen Waledac acting as a Valentine's Day E-Card, a Couponizer program, and a Fake News Story about a Dirty Bomb.

Today the UAB Spam Data Mine began to get spam messages for a new Social Engineering trick. Here are some of the email subjects we're seeing:

Subjects
-----------
Read his SMS
The world's most advanced sms reading program
Now, It's possible to read other people's SMS
Read other people's SMS online
You can read anyone's SMS

The email bodies point to the websites with lines like these:

Do you trust her? http://smsclubnet.com/
You can read anyone's SMS http://virtualesms.com
Do you really trust her? http://www.freecolorsms.com
Do you really trust him? http://downloadfreesms.com/
Are you ready to know the truth? http://smsclubnet.com
Are you sure you want to know? http://smsclubnet.com

The webpage you visit looks like this:



The malware which you can download from the page is recognized by 13 of the 39 Anti-Virus products tested according to this VirusTotal Report.


File size: 419840 bytes
MD5...: 8623f18666be9d480710b29eab3b796a

The root problem with Waledac's long-lived domains is that they are using a Chinese domain name registrar who won't cooperate with anyone on shutdowns. We have sent shutdown requests to their abuse contact, in both English and Chinese, and have received no cooperation whatsoever. If you have good contact information for "Ename.com", we really could use an introduction, thank you! No one answers their "1000@ename.com" email address, but perhaps a Chinese speaker might call them at +86.5922669769?

The complete list of NEW domain names created for this round of Waledac are:

smspianeta.com
miosmsclub.com
downloadfreesms.com
virtualesms.com
chinamobilesms.com
freeservesms.com
freecolorsms.com
smsclubnet.com

But a great number of the previous domains are also still live, and still serving Waledac, including:

adoresongs.com
antiterroris.com
bestadore.com
bestcouponfree.com
bestjournalguide.com
bestlifeblog.com
bestlovehelp.com
bestlovelong.com
bestusablog.com
bluevalentineonline.com
breakingnewsltd.com
chatloveonline.com
cherishletter.com
codecouponsite.com
easyworldnews.com
funloveonline.com
funnyvalentinessite.com
goodnewsdigital.com
goodnewsreview.com
greatcouponclub.com
greatsalesgroup.com
greatsvalentine.com
lovecentralonline.com
lovelifeportal.com
mobilephotoblog.com
photoblogsite.com
romanticsloving.com
spacemynews.com
thecoupondiscount.com
thevalentinelovers.com
tntbreakingnews.com
urbanfear.com
usabreakingnews.com
wirelessvalentineday.com
worldlovelife.com
worshiplove.com
youradore.com
yourgreatlove.com
yourvalentineday.com
yourvalnetinepoems.com

If you have a contact at Ename.com, these ALL need to be killed, thank you! They are all now distributing the new "SMS Spy" version of Waledac.

Monday, April 13, 2009

New Drug sites avoid Visa and MasterCard, Sell Hydrocodone

Those who research Pharmaceutical spam have learned that there are basically two major classes of drugs: those which the Feds care about stopping (Controlled Substances monitored by the DEA) and those the Feds are happy to ignore, which they dismissively call "Lifestyle Drugs".

It's quite frustrating in light of the fact that, as Microsoft pointed out recently in their semi-annual report on Internet safety, 97% of the email on the Internet is spam, and HALF of that spam is pharmaceutical spam. The decision that it's not worth investigating lifestyle drugs (by which they mean Viagra, Cialis, and other sexual-experience related drugs) as vigorously as we investigate "Controlled Substances" has led to our current status on the Internet: a world flooded with absolutely uncontrolled drug spam.

Nevertheless, knowing that there is a two-tiered system of investigation related to pharmaceutical spam, we've all learned that the way to get action is to point out sites that are selling things that are on the Class I, Class II, Class III, or Class IV Controlled Substance List.

Side Note - if you are looking for a Computer Forensics Research program interested in making an impact on pharmaceutical spam, that has as partners in its "Computer Science/Justice Science Working Group" forensic criminologists with their own Gas Chromatography Mass Spectrometer (GC/MS), and faculty and grad students trained in its use, please look no further than the University of Alabama at Birmingham.

That's one of the two reasons why this new spam cluster is especially interesting to me. We have more than 1450 spam emails in the UAB Spam Data Mine during March and another 1,069 so far during April that contain the word "Hydrocodone" in either the body or the subject. The subject line in today's case actually says "Hydrocodone For You", and points to a pharmacy site here:

http://show-advanced-individual.com/



which leads with Hydrocodone, Vicodin, Phentermine, Ambien, Valium, and Levitra. They have quite a few alternate payment methods, but most notably they do NOT accept Visa or Mastercard:






By accepting electronic checks, direct bank transfers, and Western Union payments, these dealers in fake drugs can move their money even faster than they move their drugs. The world of money laundering possibilities opens wide once you get Visa and MasterCard off the option list. That should also make it pretty clear to the potential buyers: this vendor wants to move your money Quickly, Untraceably, and most importantly Irreversibly. They want to make sure they get your money NOW, even though you may (or may not) get your drugs later, and even if you do NOT get your drugs, there is no way you're going to get your money back, or even figure out where your money went.


This particular domain was registered on March 20th via XIN NET Technology.

The IP is at 116.125.56.218 - Hanaro telecom, Korea

This is not a new IP address to us at the UAB Spam Data Mine.

March 23 - 116.125.56.218 (1 spammed domain)
March 24 - 116.125.56.218 (13 spammed domains)
March 25 - 116.125.56.218 (16 spammed domains)
March 26 - 116.125.56.218 (50 spammed domains)
March 27 - 116.125.56.218 (42 spammed domains)
March 28 - 116.125.56.218 (42 spammed domains)
March 29 - 116.125.56.218 (42 spammed domains)
March 30 - 116.125.56.218 (64 spammed domains)
March 31 - 116.125.56.218 (75 spammed domains)

(I'll update those stats with April data once it's been caught up...)

The Hotmail address in the whois data is = na506@hotmail.com

Two hundred other hyphenated domain names are on the same Hanaro IP address, according to DomainTools:

Approach-amazing-day.com
Approach-amazing-year.com
Approach-coming-human.com
Approach-delightful-2009.com
Approach-delightful-memory.com
Approach-delightful-species.com
Approach-emotive-creature.com
Approach-emotive-kind.com
Approach-fresh-month.com
Approach-hopeful-second.com
Approach-hot-blooded-2009.com
Approach-hot-blooded-year.com
Approach-new-2009.com
Approach-nice-2009.com
Approach-pretty-hour.com
Approach-touched-second.com
Approachamazinghour.com
Approachdelightfulhour.com
Approachhopeful2009.com
Approachmysteriousspecies.com
Approachprettyyear.com
Approachsucessfulcreature.com
Cherish-coming-creature.com
Cherish-eminent-species.com
Cherish-emotive-species.com
Cherish-fresh-day.com
Cherish-hot-blooded-minute.com
Cherish-hot-blooded-year.com
Cherish-mysterious-month.com
Cherish-nice-creature.com
Cherish-pretty-second.com
Cherish-sucessful-kind.com
Cherishamazingminute.com
Cherishcomingmemory.com
Cherisheminenthuman.com
Cherishemotive2009.com
Cherishemotivebeing.com
Cherishfreshbeing.com
Cherishhopefulhuman.com
Cherishmysteriouskind.com
Cherishprettysecond.com
Cherishsurprisingkind.com
Enjoy-beautiful-second.com
Enjoy-coming-month.com
Enjoy-delightful-species.com
Enjoy-eminent-human.com
Enjoy-exciting-month.com
Enjoy-hot-blooded-human.com
Enjoy-pretty-memory.com
Enjoyaffectingsecond.com
Enjoybeautifulsecond.com
Enjoydelightfulsecond.com
Enjoyfreshyear.com
Enjoyhot-bloodedmonth.com
Enjoyniceyear.com
Enjoysucessful2009.com
Feel-sucessful-day.com
Feel-sucessful-hour.com
Feel-surprising-second.com
Feelhopefulmemory.com
Feelhopefulminute.com
Feelsucessfulsecond.com
Feelsurprisingmemory.com
Greet-amazing-human.com
Greet-amazing-kind.com
Greet-delightful-species.com
Greet-delightful-year.com
Greet-fresh-creature.com
Greet-nice-creature.com
Greet-nice-memory.com
Greet-sucessful-being.com
Greetamazingmemory.com
Greeteminentsecond.com
Greethot-bloodedcreature.com
Greethot-bloodedkind.com
Greethot-bloodedmemory.com
Greetnewspecies.com
Guide-developping-block.com
Guide-developping-corporation.com
Guide-developping-urban-area.com
Guide-incorruptible-institution.com
Guide-upright-individual.com
Guide-well-behaved-street.com
Guidedeveloppingblock.com
Guidedeveloppingcompany.com
Guidedeveloppinglane.com
Guideincorruptiblesquare.com
Guideopenstreet.com
Guidereliableinstitution.com
Guidewell-behavedcountry.com
Guidewell-behavedurban-area.com
Meet-amazing-minute.com
Meet-exciting-kind.com
Meet-fresh-being.com
Meet-hot-blooded-minute.com
Meet-pretty-being.com
Meetamazingmonth.com
Meetamazingsecond.com
Meetcomingbeing.com
Meetcomingcreature.com
Meetdelightfulhour.com
Meetemotivecreature.com
Meetexciting2009.com
Meethot-bloodedbeing.com
Meetsucessfulcreature.com
Meetsucessfulday.com
Meetsurprisingcreature.com
Meetsurprisingsecond.com
Reveal-advanced-corporation.com
Reveal-advanced-lane.com
Reveal-advanced-street.com
Reveal-civilized-country.com
Reveal-civilized-urban-area.com
Reveal-clean-institution.com
Reveal-developping-lane.com
Reveal-educational-unit.com
Reveal-frugal-alley.com
Reveal-neat-entreprise.com
Reveal-neat-institution.com
Reveal-peaceful-country.com
Reveal-spiritual-lane.com
Reveal-spiritual-street.com
Reveal-upright-organization.com
Reveal-upright-street.com
Reveal-well-behaved-corporation.com
Reveal-well-behaved-urban-area.com
Revealadvancedcompany.com
Revealadvancedindividual.com
Revealadvancedunit.com
Revealcivilizedentreprise.com
Revealcivilizedindividual.com
Revealculturalcity.com
Revealculturalstreet.com
Revealculturalunit.com
Revealdeveloppingcity.com
Revealincorruptibleindividual.com
Revealpeacefulunit.com
Revealreliableinstitution.com
Revealspiritualblock.com
Revealspiritualdistrict.com
Revealspiritualentreprise.com
Revealspiritualurban-area.com
Share-affecting-year.com
Share-amazing-species.com
Share-amazing-year.com
Share-beautiful-species.com
Share-beautiful-year.com
Share-coming-year.com
Share-delightful-kind.com
Share-eminent-being.com
Share-eminent-hour.com
Share-emotive-being.com
Share-emotive-minute.com
Share-fresh-2009.com
Share-pretty-creature.com
Share-sucessful-human.com
Share-surprising-2009.com
Share-surprising-year.com
Share-touched-year.com
Shareaffectingcreature.com
Shareaffectingmemory.com
Sharehopefulmonth.com
Sharemysterious2009.com
Shareprettycreature.com
Sharesucessfulday.com
Sharesurprisingminute.com
Show-advanced-individual.com
Show-civilized-entreprise.com
Show-civilized-organization.com
Show-civilized-square.com
Show-clean-block.com
Show-educational-citizen.com
Show-educational-corporation.com
Show-harmonious-mechanism.com
Show-harmonious-organization.com
Show-neat-urban-area.com
Show-spiritual-block.com
Show-tidy-lane.com
Show-upright-urban-area.com
Showadvancedurban-area.com
Showcleanentreprise.com
Showincorruptiblecountry.com
Showpeacefulorganization.com
Showtidyorganization.com
Showwell-behavedsquare.com
Treat-affecting-being.com
Treat-amazing-2009.com
Treat-beautiful-creature.com
Treat-exciting-year.com
Treat-fresh-memory.com
Treat-hot-blooded-second.com
Treat-mysterious-minute.com
Treat-surprising-memory.com
Treat-touched-kind.com
Treat-touched-month.com
Treathopefulday.com
Treathot-bloodedhour.com
Treatsucessful2009.com
Uideharmoniousalley.com
Welove-supersale.com
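The two hundred names above are not random: nearly every one is a verb, an adjective and a noun from a small vocabulary, glued together with or without hyphens (and the misspellings "sucessful" and "developping" recur, which makes them part of the fingerprint). The following is an added example, not a tool from the blog, that tiles a domain label against that vocabulary so a defender can tag new registrations that come from the same generator. The word lists are transcribed from the list on the page; the sample domains are a hand-picked subset of it, and the two that do not fit ("Uideharmoniousalley.com", "Welove-supersale.com") are kept to show the miss case.

```python
"""Tag domains built from a verb+adjective+noun template (added example)."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Vocabulary transcribed from the hyphenated-domain list on the page.
VERBS = ["approach", "cherish", "enjoy", "feel", "greet", "guide",
         "meet", "reveal", "share", "show", "treat"]
ADJECTIVES = ["amazing", "coming", "delightful", "emotive", "fresh", "hopeful",
              "hot-blooded", "new", "nice", "pretty", "touched", "mysterious",
              "sucessful", "eminent", "surprising", "beautiful", "exciting",
              "affecting", "developping", "incorruptible", "upright",
              "well-behaved", "open", "reliable", "advanced", "civilized",
              "clean", "educational", "frugal", "neat", "peaceful", "spiritual",
              "cultural", "harmonious", "tidy"]
NOUNS = ["day", "year", "human", "2009", "memory", "species", "creature",
         "kind", "month", "second", "hour", "minute", "being", "block",
         "corporation", "urban-area", "institution", "individual", "street",
         "company", "lane", "square", "country", "alley", "entreprise", "unit",
         "organization", "city", "district", "citizen", "mechanism"]


def _strip_one_hyphen(s: str) -> str:
    """The generator uses at most one '-' between words; never strip more."""
    return s[1:] if s.startswith("-") else s


def split_template(domain: str) -> Optional[Tuple[str, str, str]]:
    """Return (verb, adjective, noun) if the label tiles exactly, else None.

    Words such as 'hot-blooded' contain their own hyphen, so matching is done
    by whole-word prefixes rather than by splitting on '-'.
    """
    label = domain.lower().rstrip(".")
    if label.endswith(".com"):
        label = label[:-4]
    for verb in VERBS:
        if not label.startswith(verb):
            continue
        rest = _strip_one_hyphen(label[len(verb):])
        for adj in ADJECTIVES:
            if not rest.startswith(adj):
                continue
            tail = _strip_one_hyphen(rest[len(adj):])
            if tail in NOUNS:
                return verb, adj, tail
    return None


def summarize(domains: Iterable[str]) -> Dict[str, object]:
    """Count template hits per verb and collect the names that do not fit."""
    by_verb: Counter = Counter()
    misses: List[str] = []
    for d in domains:
        parts = split_template(d)
        if parts is None:
            misses.append(d)
        else:
            by_verb[parts[0]] += 1
    return {"matched": sum(by_verb.values()), "by_verb": dict(by_verb), "misses": misses}


# Constructed sample: a subset of the page's list plus its two odd entries.
SAMPLE = [
    "Approach-amazing-day.com", "Approachhopeful2009.com",
    "Cherish-hot-blooded-year.com", "Enjoyhot-bloodedmonth.com",
    "Guidewell-behavedurban-area.com", "Reveal-neat-entreprise.com",
    "Show-advanced-individual.com", "Treatsucessful2009.com",
    "Uideharmoniousalley.com", "Welove-supersale.com",
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d:36} -> {split_template(d)}")
    print(summarize(SAMPLE))
```

The point of keeping the misspelled vocabulary is that a corrected spelling would be a different generator; when the template stops matching new registrations on the same IP, that is itself a signal that the operator has changed kit.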

Over the weekend, a new Hydrocodone cluster emerged, distinct from the one above.

The new cluster used the following domain names in more than 1500 emails just over the last weekend:

aoisiis.com
aposoos.com
apsppew.com
blotbump.com
blotcare.com
blotcool.com
bumpflow.com
bumpfold.com
candark.com
canword.com
celitrre.com
dealrise.com
debaiteo.com
domefast.com
domerests.com
dometake.com
esperros.com
fecioos.com
felippie.com
fullmage.com
fullmeed.com
fullmend.com
fullruse.com
kaiffelt.com
lungsse.com
macrsoku.com
maghiarr.com
mailldeo.com
maingive.com
maltfame.com
maltfire.com
maltflip.com
maltlike.com
maltmain.com
maltmalts.com
maltplay.com
malttall.com
malttilts.com
marnarq.com
masciake.com
naryneat.com
nowdark.com
nowwall.com
pionname.com
pionnary.com
pionpick.com
pionrise.com
pollsies.com
ppoleiw.com
qalsibbe.com
qaselict.com
realpin.com
riennsi.com
ropeww.com
rpeusw.com
spoeii.com
tehsui.com
wallmay.com
wallrise.com
wallsdeals.com
wesleos.com
wposlles.com
yehsuue.com

The new cluster looks like another Viagra site at first:



but scrolling down, we see it really is selling Hydrocodone and other Class II and Class III Controlled Substances:



As with the first cluster we mention, Visa and MasterCard are conspicuously missing from this site. It now accepts ONLY American Express:



Fortunately, they are concerned about the High Incidence of Fraud. 8-) Haha!

Thursday, April 09, 2009

Is There a Conficker E? Waledac makes a move...

At UAB Computer Forensics, we have been tracking the spam bot, Waledac, since March 19th, by checking every so often (like 4 times a minute) all of the domain names that we know are being used to distribute Waledac. We've been making a list of the infected nodes, with the timestamp that we see them distributing Waledac, and offering that list to various network providers. (If you are a network provider/ISP, send me an email to get a pointer to the list; there are around 4,000 US-based IPs on it so far.)
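The monitoring described above (resolve every known distribution domain repeatedly, record each answering IP with the time it was seen, and hand network owners the slice that belongs to them) can be sketched as follows. This is an added example, not UAB's tooling: the resolver is injected so the script runs offline against constructed answers using RFC 5737 documentation addresses, and a real deployment would pass a wrapper around a DNS lookup such as `socket.gethostbyname_ex` instead.

```python
"""Track IPs that serve a fast-flux malware domain over repeated polls (added example)."""
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Resolver = Callable[[str], List[str]]  # domain -> list of A records


class NodeTracker:
    """First-seen / last-seen bookkeeping for every IP that answers for a domain."""

    def __init__(self) -> None:
        self.first_seen: Dict[str, datetime] = {}
        self.last_seen: Dict[str, datetime] = {}
        self.domains: Dict[str, Set[str]] = {}

    def poll(self, domains: Iterable[str], resolve: Resolver, now: datetime) -> int:
        """Resolve each domain once; return how many never-before-seen IPs appeared."""
        new = 0
        for d in domains:
            try:
                answers = resolve(d)
            except OSError:
                continue  # NXDOMAIN / terminated domain / resolver failure: skip this round
            for ip in answers:
                ipaddress.ip_address(ip)  # reject garbage answers early
                if ip not in self.first_seen:
                    self.first_seen[ip] = now
                    new += 1
                self.last_seen[ip] = now
                self.domains.setdefault(ip, set()).add(d)
        return new

    def report(self) -> List[Tuple[str, str, str, int]]:
        """(ip, first_seen, last_seen, number of domains it served), sorted by address."""
        return [(ip, self.first_seen[ip].isoformat(), self.last_seen[ip].isoformat(),
                 len(self.domains[ip]))
                for ip in sorted(self.first_seen, key=ipaddress.ip_address)]

    def nodes_in(self, prefix: str) -> List[str]:
        """The infected nodes inside one network, e.g. to hand to that provider."""
        net = ipaddress.ip_network(prefix)
        return [ip for ip in self.first_seen if ipaddress.ip_address(ip) in net]


def make_resolver(table: Dict[str, Optional[List[str]]]) -> Resolver:
    """Build an offline resolver from a constructed answer table (None = lookup fails)."""
    def resolve(domain: str) -> List[str]:
        answers = table.get(domain)
        if answers is None:
            raise OSError(f"constructed NXDOMAIN for {domain}")
        return answers
    return resolve


# Constructed answers for two successive polls (documentation IPs, not real nodes).
POLLS: List[Dict[str, Optional[List[str]]]] = [
    {"goodnewsdigital.com": ["198.51.100.7", "198.51.100.23"],
     "bestadore.com": ["198.51.100.23", "203.0.113.5"]},
    {"goodnewsdigital.com": ["198.51.100.7", "203.0.113.9"],
     "bestadore.com": None},  # domain terminated between polls
]
DOMAINS = ["goodnewsdigital.com", "bestadore.com"]


def run_demo() -> Tuple[List[int], NodeTracker]:
    """Run the constructed polls 15 seconds apart; return per-poll new-IP counts and the tracker."""
    tracker = NodeTracker()
    t0 = datetime(2009, 4, 9, 9, 0, tzinfo=timezone.utc)
    new_counts = [tracker.poll(DOMAINS, make_resolver(answers), t0 + timedelta(seconds=15 * i))
                  for i, answers in enumerate(POLLS)]
    return new_counts, tracker


if __name__ == "__main__":
    counts, tr = run_demo()
    print("new IPs per poll:", counts)
    for row in tr.report():
        print(row)
    print("nodes in 198.51.100.0/24:", tr.nodes_in("198.51.100.0/24"))
```

Skipping a domain that fails to resolve, rather than aborting the poll, matters here: the blog's lists show domains being terminated piecemeal while others stay live, and the tracker should keep accumulating from whatever still answers.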

This morning, Packet Ninja Dan Clemens gave me a call asking if I had seen Trend Micro's claim that Conficker was updating. I hadn't seen that, but I had seen emails on one of my secret squirrel mailing lists that Conficker was updating from "goodnewsdigital.com". That didn't make any sense at all to me! We've seen 2,821 IP addresses serving up "plain ole' Waledac" from GND, so far. (See http://www.cis.uab.edu/forensics/blog/gnd.list.txt)

Just to make sure, I went ahead and fetched the current Waledac binary from one of the GoodNewsDigital.com websites, and sure enough, it was Plain Ole Waledac.

MD5: 20ac8daf84c022ef10bc042128ccace6

Currently detected by only 9 of 40 products at VirusTotal

Here's the VirusTotal Link, but the details are here:

AntiVir - TR/Crypt.ZPACK.Gen
CAT-QuickHeal - DNAScan
F-Secure - Packed:W32/Waledac.gen!I
Fortinet - W32/PackWaledac.C
McAfee-GW-Edition - Trojan.Crypt.ZPACK.Gen
Microsoft - Trojan:Win32/Waledac.gen!A
NOD32 - Variant of Win32/Kryptic.LP
Panda - Suspicious file
Sophos - Mal/WaledPak-A

A sad statement of the current state of anti-virus, that a KNOWN MALWARE DISTRIBUTION POINT that has been serving up viruses since mid-March for a large spam botnet is still entirely undetected by 3/4ths of the AV products!

But it gets worse.

I went and read Trend Micro's assertions on their blog . . .

According to Trend Micro they saw new malware arrive on one of their conficker boxes, being dropped not via a website update, as we've all been expecting, but via a Peer 2 Peer connection from other Conficker machines. The new malware arrived via P2P on their box and began attempting to propagate in worm-like fashion looking for MS08-067 vulnerabilities (the same as previous versions of Conficker), as well as opening a webserver on port 5114, and making connections to Myspace, MSN, eBay, CNN, and AOL. After this, the machine downloaded a file from GoodNewsDigital.com, which is, as I mentioned above, a Waledac distribution point.

The file that it downloads though IS NOT THE PRIMARY WALEDAC MALWARE. We retrieved the same file in our labs at UAB (forgive me, but the file is named "fuck4.exe"), and scanned it with VirusTotal as well. This is NOT the file you receive if you visit the Waledac host, as we described above, via a normal spam-referred website visit.

Here's what we got from "fuck4.exe" at VirusTotal:

ZERO products detect this as malware. NONE of the 40 sites thought the 418kb executable file was a virus.

VirusTotal Report

Trend is calling the new variant WORM_DOWNAD.E (DownAdUp is an alias for Conficker).

The Trend article certainly has caused some deep thinking here this morning! Thanks to Ivan Macalintal at Trend, and because he thanks Joseph Cepe and Paul Ferguson, we thank them as well!

Wait, why are we thanking Paul Ferguson? I had to go find out. It's because of his excellent documentation on the Peer2Peer nature of Conficker in the Trend Blog on April 4th. While the entire world began watching on April 1st for Conficker to be updated via new malware placed on one of the 50,500 domain names that began to be searched on April 1, the bad guys snuck in the back door and updated Conficker via P2P instead.

Paul got a head start on his Peer to Peer research from the excellent malware researchers at CERT-LEXSI in their Blog at CERT-LEXSI.


We'll be contacting more Conficker researchers as the day goes on and trying to determine if ALL the Conficker nodes have just merged with Waledac, or if something else is occurring here.

Wednesday, April 08, 2009

Microsoft Security Intelligence Report 2H08

The Microsoft Security Intelligence Report for the second half of 2008 has been released (the 184-page PDF version, available from http://microsoft.com/sir/, is timestamped the evening of April 6th). We reported on the last SIR report back on November 11, 2008 - please see Microsoft Reveals Malware and Spam Trends for our coverage of that report.

Number of Security Vulnerabilities



52% of the Security Vulnerabilities announced throughout the industry, as scored via the Common Vulnerability Scoring System, were of "High" criticality, while 56% of them were "Easy to exploit". 90% of the industry vulnerability announcements related to applications or browsers. Only 10% dealt with Operating Systems.

Microsoft released 42 Security patches during the 2H08 period.

Spam



More than 97% of the email sent across the Internet during 2H08 was unwanted! It has malicious attachments, it is phishing email, or it is just plain spam. As all of us already suspected, 48.6% of all the spam observed during 2H08 was for pharmaceutical products. Another 23% was for non-pharmacy product advertisements.



Notice that the Stock Pump & Dump spam almost disappeared. What would they sell if we could do the same thing to pharmacy spam?

The report also calls attention to the demise of McColo as being the big enforcement action of the year. This section of their report is called "Spam Volume Drops 46 Percent When Hosting Provider Goes Offline". The spam level at the end of December was still lower than the pre-McColo action on November 11th.

Browser Drive-By-Infections


About 1 in 1500 websites (more than 1 million) indexed by Live Search (Microsoft's answer to the Google search engine, available at live.com) contained a drive-by-download page. More than 1% of websites with a ".cn" country code hosted drive-by-download exploits. When they looked at the products that were being exploited in these drive-by exploits, #1 and #2 were Adobe Flash and RealPlayer.



(from p.48 of the Microsoft SIR report for 2H08)

On Windows XP machines, browser exploits targeted a Microsoft product 40.9% of the time. On Windows Vista machines, successful browser exploits targeted a Microsoft product only 5.5% of the time. This is one of many places throughout the document that Microsoft reminds us that Vista is a more secure operating system than XP.

In the first half of 2008, most compromised browsers were running a Chinese language set (zh-CN = 25.6%). In the second half of 2008, American English language browsers easily passed them (en-US = 32.4%).

Social Engineering



The SIR report makes a point that the criminals today are having great success with social engineering targeting Fear, Trust, and Desire. Rogue Security Software did so well, because people are afraid of viruses.

Of the Social Engineering attacks that were based on an infected Microsoft Office File program, 91.3% of the attacks used the more than two year old exploit, CVE-2006-2492 MS06-027 to infect users via a Microsoft Word document. Curiously only 32.5% of these infected Word documents targeted en-US machines. 15.7% targeted Taiwanese machines, 12% Russian, 11.1% other Chinese machines, and 2.6% Iraqi machines.

Two Adobe PDF reader exploits also became popular in 2H08, spreading strongly and increasingly from October until the end of the year. 57% of the Adobe attacks targeted en-US machines. China didn't make the top ten on that list.

One important note regarding corrupt Office documents. Microsoft's SIR report recommends that users *NOT* run "Windows Update", but rather run "Microsoft Update". Applying Windows Update will never prompt you to install Microsoft Office patches, which may be why so many machines are still vulnerable to two year old malware. The report recommends that users read the entry How Is Windows Update Different Than Microsoft Update? and make the appropriate changes on their machines.

Security Breaches



The report also makes clear that the trend has continued - most security breaches are accomplished not through "hacking" (though more than 15% are), but through stolen or lost equipment, usually laptops.

Geographic Trends



In 2H08, 13.2 million US computers were cleaned by Microsoft's anti-malware desktop products.


(source: SIR report p. 69)

For more details, please see the full SIR report.

Tuesday, April 07, 2009

Conficker Fears spread fake AV products

April 1st came with a big round of noise about the Conficker worm as media sources lit up to discuss what users should expect when Conficker "C" went live. Conficker came to international attention back in January, when F-Secure announced that 8.9 million computers were infected. We wrote about their announcement as well, Downadup / Conflicker Worm: 8? 9? 10 Million Infected?, discussing the interesting situation of "Collision domains". At the time, the infected Conficker nodes would each calculate possible places, based on the current date, where the bad guy may have left instructions to tell the infected machines what to do next. A "Collision domain" is a website which is randomly calculated by the Conficker machines, but actually already belongs to a real company.

Having 500 possible "mutation vectors" each day turned out to be a threat that was controlled by the security community as various White Hats stepped up to register the domains BEFORE the Conficker authors could use them for control.

The newsworthy event of April 1st was that Conficker had changed, and beginning on April 1st, there would be 50,000 domains in addition to the 500. So, each day there were 50,500 possible places that the criminals could place a message, and the infected computers would go find it. Each infected computer would still only look for updates on 500 of the possible domains, but it still meant that when the criminal placed an update on even one domain, a very large number of machines would become infected. How many machines would be infected can be solved using something akin to the classic Birthday problem, and that has already been addressed very nicely in another blog by Dan Nicolescu over at Microsoft's Malware Protection Center. The short answer though is that if the criminals successfully registered even 50 domains, they would successfully update 39.5% of all their infected machines. So, if even 50 of the 50,500 possible domains are put into effect by the criminals on any given day, more than 1/3rd of the Conficker bots have the ability to radically alter their behavior.
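The 39.5% figure above can be reproduced. A bot picks 500 of the day's 50,500 names and is updated if any one of them is among the R names the criminals actually registered; the probability of missing all R is a hypergeometric term, C(50500 - R, 500) / C(50500, 500), and the rounded 39.5% matches the simpler approximation 1 - (1 - 0.01)^50 in which each of the 50 registered names is hit independently with probability 1%. The block below is an added example, not from the post or from Microsoft's analysis; it computes both the exact and the approximate figure for any (total, per-bot, registered) triple, so it also answers the "how many domains must they register" question the post only sketches.

```python
"""Fraction of Conficker bots reached for a given number of registered domains (added example)."""
from math import comb
from typing import List, Tuple


def p_update_exact(total_domains: int, per_bot: int, registered: int) -> float:
    """P(bot hits >= 1 registered name) when it checks per_bot of total_domains
    and registered of them are live. Python's big-int comb() keeps this exact
    before the final division, so no overflow despite ~1500-digit intermediates."""
    if registered <= 0:
        return 0.0
    if registered > total_domains - per_bot:
        return 1.0  # not enough unregistered names left for a bot to miss them all
    miss = comb(total_domains - registered, per_bot) / comb(total_domains, per_bot)
    return 1.0 - miss


def p_update_approx(total_domains: int, per_bot: int, registered: int) -> float:
    """Independent-draw approximation: each registered name is checked by a
    given bot with probability per_bot/total_domains."""
    return 1.0 - (1.0 - per_bot / total_domains) ** registered


def bots_reached(bot_count: int, total_domains: int, per_bot: int, registered: int) -> int:
    """Expected number of bots that pick up an update placed on `registered` names."""
    return round(bot_count * p_update_exact(total_domains, per_bot, registered))


def registrations_needed(total_domains: int, per_bot: int, target: float) -> int:
    """Smallest number of registered names that reaches at least `target` of the bots."""
    r = 0
    while p_update_exact(total_domains, per_bot, r) < target:
        r += 1
    return r


def table(total_domains: int = 50500, per_bot: int = 500,
          counts: Tuple[int, ...] = (1, 10, 50, 100, 500)) -> List[Tuple[int, float, float]]:
    """(registered, exact, approximate) rows for the Conficker C parameters."""
    return [(r, p_update_exact(total_domains, per_bot, r),
             p_update_approx(total_domains, per_bot, r)) for r in counts]


if __name__ == "__main__":
    for r, exact, approx in table():
        print(f"registered={r:4d}  exact={exact:.4f}  approx={approx:.4f}")
    # Bot count below is a constructed figure for illustration, not a measured one.
    print("bots reached of 1,000,000 with 50 names:", bots_reached(1_000_000, 50500, 500, 50))
    print("names needed to reach half the bots:", registrations_needed(50500, 500, 0.5))
```

With 50 registered names the exact answer is a little over 39%, and the post's point survives intact: a few dozen registrations out of 50,500 are enough to reach more than a third of the botnet, which is why sinkholing the bulk of the daily list, not just a few names, is what keeps the channel closed.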

At UAB we are monitoring the 50,500 domains and making a list of all of those that actually have been registered. Most days it's between 12,000 and 20,000, and the vast majority of those have been registered by "the good guys". That still leaves between 100 and 200 that are not registered by the good guys which need to be checked out to determine if the criminals are using them. In almost every case so far, it's been easy to prove that the domains are "real" domains that have a history and have been kept in proper control. I'm not aware of any "Conficker update" domains that have been seen so far, although one funny thing is that at least one domain belonging to a DIFFERENT criminal has come under scrutiny because Conficker named it as a possible update domain.

That doesn't mean the criminals aren't capitalizing on Conficker. One way they are doing so is by preying on the fear that has been spread about Conficker. Here's one example of what we are discussing:



In this email, which claims to be from Microsoft, the reader is told that "Microsoft was notified by your Internet company that your network is showing signs of being infected" and is then offered "a free computer checkup in order to clean any files infected by the virus."

The link, which claims to go to a "Microsoft System Safety Scan website" actually takes you to a fake AV download site that looks like this. Despite the look and feel, this really is just a website:



Another interesting thing about the copy that I reviewed from the UAB Spam Data Mine is that the email was received from a computer that was part of the "Amazon Web Services Elastic Compute Cloud". IP address 79.125.59.137 - ec2-79-125-59-137.eu-west-1.compute.amazonaws.com. I'll have to dig into that later to see if we are getting other "cloud computer" generated spam.

The domain names used in these spam messages are all sharing a nameserver called "ns1.mojavetech.com" and include:
secureserver1.cc
secureserver2.cc
secureserver3.cc
secureserver5.cc

The WHOIS data for these domains, which were registered at "ruler-domains.com" is:

domainadmin@offshorecdn.com
+1.6192988599
150 W Broadway, Mailbox #3
San Diego, 92123
UNITED STATES OF AMERICA

Mr. OffshoreCDN was unavailable for comment at the time this story was filed. The domains were created on March 22, 2009.

WHOIS for the nameserver domain lists:

Company: Mojave Tech Inc.
Address:
9701 Wilshire Boulevard
Beverly Hills, California 90210
United States
Phone: +13103623150
Email: contact@mojavetech.com

The nameserver boxes themselves, 208.85.178.154 and 218.93.205.141, have some interesting aliases as well:

darksideddl.com
do-stepscan.com
prioridns.com
e-securetechnology.com

and my favorite:
www.deloitteandtouche.net

The exact URL in the spam message shown above was:

http://MScustsupport.microsoft.com.custsupport.microsoft5.client5.secureserver3.cc

If you are running an insecure browser, it's pretty easy to cause that to download "setup.exe", which is the actual malware.
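The URL above is the usual trick of burying a trusted name in the left-hand labels of a hostname whose registrable domain is something else entirely (here secureserver3.cc). The following is an added example, not from the blog, of the check a mail filter or proxy can apply: pull the hostname out of the URL, take its registrable domain, and flag the URL when a watched brand appears anywhere in the subdomain labels but is not the registrable domain itself. It assumes the registrable domain is the last two labels, which is true for .cc and .com but not for suffixes like .co.uk, where a real deployment would consult the Public Suffix List; the brand watch-list is constructed for the example.

```python
"""Flag URLs that carry a watched brand in their subdomain labels (added example)."""
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed watch-list; a real filter would load the brands it cares about.
WATCHED_BRANDS: Set[str] = {"microsoft.com", "paypal.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no multi-label public suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_in_subdomain(url: str, brands: Set[str] = WATCHED_BRANDS) -> Optional[Dict[str, str]]:
    """Return details if a watched brand is impersonated in the hostname, else None.

    A URL whose registrable domain IS the brand is legitimate for this check;
    brand text in the path or query is deliberately ignored because only the
    host decides where the browser connects.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return None
    reg = registrable_domain(host)
    if reg in brands:
        return None
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    for brand in sorted(brands):
        brand_labels = brand.split(".")
        n = len(brand_labels)
        for i in range(len(sub_labels)):
            # either the full brand ("microsoft", "com") or its bare name ("microsoft")
            # appears as a label sequence somewhere left of the real domain
            if sub_labels[i:i + n] == brand_labels or sub_labels[i] == brand_labels[0]:
                return {"host": host, "registrable": reg, "impersonates": brand}
    return None


if __name__ == "__main__":
    for u in [
        "http://MScustsupport.microsoft.com.custsupport.microsoft5.client5.secureserver3.cc",
        "https://www.microsoft.com/security",
        "http://example.org/microsoft.com/setup.exe",
    ]:
        print(u, "->", brand_in_subdomain(u))
```

Note that the label "microsoft5" is not matched: labels are compared whole, not by substring, so the signal comes from the exact "microsoft" and "com" labels that the spammer had to include for the URL to look right to a human.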

The good news is that if you do have anti-virus software loaded, there are plenty of products that are detecting this one. The VirusTotal report shows that this malware has been known at VirusTotal since March 31st, and is currently detected by 30 of the 40 anti-virus products it uses to check.

Curiously, AVG, F-Prot, and TrendMicro are currently NOT detecting this malware.

Here's a link to the VirusTotal Report.