Because of the prevalence of the campaign, we decided to share a copy of the T3 Report with anyone who wanted it, rather than reserving it for our paying customers. You can still get a copy by following this link:
Today, our analysts have uncovered the newest update to the threat ... more than 18,000 emails already received this morning with subjects related to the Texas Fertilizer Plant explosion.
 count | subject
-------+-----------------------------------------------------
  3263 | Fertilizer Plant Explosion Near Waco, Texas
  2110 | Raw: Texas Explosion Injures Dozens
  2074 | CAUGHT ON CAMERA: Fertilizer Plant Explosion
  2045 | Texas Plant Explosion
  2014 | Texas Explosion Injures Dozens
  1943 | CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
  1609 | Texas plant explosion
  1572 | Video footage of Texas explosion
  1542 | Plant Explosion Near Waco, Texas

The Boston Explosion spam subjects are still an active part of the campaign as well, with nearly 10,000 additional messages coming from that group!
 count | subject
-------+-----------------------------------------------------
  1315 | 2 Explosions at Boston Marathon
  1197 | Explosions at the Boston Marathon
  1104 | Boston Explosion Caught on Video
  1100 | Video of Explosion at the Boston Marathon 2013
  1034 | Explosions at Boston Marathon
  1032 | Aftermath to explosion at Boston Marathon
  1027 | BREAKING - Boston Marathon Explosion
   999 | Explosion at the Boston Marathon
   958 | Explosion at Boston Marathon

The "count" tells how many samples we have received in the UAB Spam Data Mine, which powers the Malcovery T3 offering. The UAB Spam Data Mine was created as part of UAB's initiatives to create new tools, techniques, and training to fight cyber crime! In December of 2012, UAB launched Malcovery Security to enable our Spam and Phishing efforts to protect more businesses.
To prove that yesterday's campaign and today's campaign are actually one and the same, we traced the URLs being advertised and found that many of the IP addresses linked from yesterday's emails with a URL ending in "/boston.html" or "/news.html" are now being advertised in today's spam with a "/texas.html" link.
Despite the fact that there are DOZENS of malicious URLs that can be seen in the emails above, we have so far only identified seven "exploit addresses" that are hidden in those malicious websites.
hxxp://auris.comlu.com/ozsr.html
hxxp://bestdoghouseplans.com/azsq.html
hxxp://emucoupons.com/amiq.html
hxxp://nlln.org/aeir.html
hxxp://sambocombat.us/hwsr.html
hxxp://your360solutions.com/emsr.html
hxxp://zendeux.com/wzsq.html

Today's Top Threat subscribers are notified of this type of information each day in their daily T3 reports. By knowing the danger points in top spam campaigns, they are able to use this information either PROACTIVELY, by putting rules into their network security devices and software to block these destination addresses, or REACTIVELY, by scanning their log files to determine if any computer on their network visited one of those sites.
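As an added example (not code from the Malcovery post), here is the REACTIVE check described above: a small scanner that reads squid-style proxy log lines and flags any client that fetched one of the seven exploit addresses, or any other page on one of those hosts. The log lines are constructed sample data, and the squid native field layout (client IP in field 3, URL in field 7) is an assumption about the reader's proxy.

```python
"""Scan proxy logs for visits to the exploit addresses from the T3 report."""
from urllib.parse import urlsplit

# The seven exploit addresses from the report, defanged as hxxp:// on the page.
EXPLOIT_URLS = [
    "hxxp://auris.comlu.com/ozsr.html",
    "hxxp://bestdoghouseplans.com/azsq.html",
    "hxxp://emucoupons.com/amiq.html",
    "hxxp://nlln.org/aeir.html",
    "hxxp://sambocombat.us/hwsr.html",
    "hxxp://your360solutions.com/emsr.html",
    "hxxp://zendeux.com/wzsq.html",
]

def normalize(url):
    """Return (host, path) for a URL; defanged hxxp:// is read as http://."""
    parts = urlsplit(url.replace("hxxp", "http", 1))
    return parts.hostname, (parts.path or "/")

EXPLOIT_SET = {normalize(u) for u in EXPLOIT_URLS}
EXPLOIT_HOSTS = {host for host, _ in EXPLOIT_SET}

def scan_proxy_log(lines):
    """Return (client_ip, url, exact) for every squid-format line that hits.
    exact=True: host and path match an exploit address.
    exact=False: only the host matches, i.e. another page on an exploit site,
    which is worth a look because landing pages were renamed across days."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or non-squid line
        client_ip, url = fields[2], fields[6]
        if not url.startswith(("http://", "https://")):
            continue  # CONNECT tunnels log host:port, not a URL
        host, path = normalize(url)
        if (host, path) in EXPLOIT_SET:
            hits.append((client_ip, url, True))
        elif host in EXPLOIT_HOSTS:
            hits.append((client_ip, url, False))
    return hits

# Constructed sample log: one clean request, one exact exploit hit, one
# host-only hit, and one /texas.html spam landing page on an unlisted host.
SAMPLE_LOG = """\
1366211001.123 210 10.1.2.3 TCP_MISS/200 5120 GET http://www.youtube.com/watch?v=abc - DIRECT/1.2.3.4 text/html
1366211002.456 180 10.1.2.3 TCP_MISS/200 3090 GET http://nlln.org/aeir.html - DIRECT/5.6.7.8 text/html
1366211003.789 150 10.1.2.9 TCP_MISS/200 2048 GET http://zendeux.com/other.html - DIRECT/9.9.9.9 text/html
1366211004.000 100 10.1.2.7 TCP_MISS/200 1024 GET http://example.com/texas.html - DIRECT/8.8.8.8 text/html
"""

if __name__ == "__main__":
    for client_ip, url, exact in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client_ip} -> {url} ({'exact' if exact else 'host only'})")
```

Note that the /texas.html landing page is not flagged: the report lists only the exploit addresses, not the dozens of spam-advertised URLs, so a host-only match on a listed exploit site is the signal to investigate.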
Just like yesterday, any Windows computer that visits one of the links in their email will be shown several YouTube videos, while one of the exploit sites listed above is used to interrogate their computer, infect it with appropriate malware, and add it to their spamming botnet.
Yesterday we clocked individual infected computers as sending approximately 400 emails per minute. 400 * 60 minutes per hour * 24 hours per day == 576,000 emails per day per infected computer! Each computer that clicks this link adds the ability for the spammer to grow their spamming rate by a half million emails per day!
We call this the "Growth Stage" of a botnet. When the objective of a spam message is to cause more computers to also send spam, the botmaster (the criminal who runs the botnet) is trying to enlarge his infrastructure. At some point, the botmaster can issue a command to cause any portion or all of his new collection of "bots" to perform new actions.
These actions could include:
- sending spam that earns money for the criminal, such as Pharmaceutical spam.
- infection with a new malware that steals personal financial information, such as the Zeus or Cridex malware.
- infection with a new malware that causes your computer to attack company websites as part of a "Distributed Denial of Service" (DDOS) Attack, such as the attacks that have been going on against large banks and other companies.
- infection with a new malware that can steal documents, or allow remote control of your company computer to use as a base of infiltration into your organization, such as what happened to the South Carolina Tax Office.
- infection with a new malware that can delete data or cause your machine to be unbootable, such as the Dark Seoul Attacks in South Korea last month.