MX Messaging Resources


MX Watch

Messaging Security: April in Review

April 2007 was a busy month in the messaging security world. In just 30 days, we saw:
  • A record set for email viruses in one month
  • Growth of layered threats: spam, plus social engineering, plus malware
    • Storm Worm, Part II: image spam with a password-protected zip file and the password embedded in image text
    • Image spam combined with malware links
    • Pump and Dump spam with links to malware for stealing financial information
  • An increase in CBL blacklist listings

The second round of the so-called Storm Worm was the driving force behind each of these themes. The Storm Worm demonstrated a new level of sophistication in malware distribution. Also known as W32/Nuwar@MM and Peacomm, Storm Worm is the most prominent example of the recent shift in tactics to layering, where spammers/hackers (spackers) combine spam, social engineering and web-based malware to spread malware, grow their botnets and make money.

The campaign evaded early detection by most virus filters by using a password-protected zip file and embedding the password in an image-based text message. The message urged recipients to use the password to open the file for protection from a virus outbreak. Any recipient who opened the file was infected with a botnet trojan. Once infected, zombie machines are subject to commands issued by the trojan's creator via a custom peer-to-peer network, such as further trojan propagation, spamming, keystroke logging and data theft.
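A filter can catch this layering pattern without ever opening the archive: the ZIP local file header carries an encryption bit, so a message that pairs an image part with a password-protected zip attachment can be quarantined on structure alone. The following is an added example written for this post, not code from MxToolBox; the sample message and the minimal ZIP it contains are constructed for the demo.

```python
import email
import struct
from email.message import EmailMessage

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 of the local file header


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Scan ZIP local file headers and report whether any entry is encrypted.
    Only headers are read; nothing is extracted, so the payload is never opened."""
    pos = data.find(ZIP_LOCAL_SIG)
    while pos >= 0 and pos + 30 <= len(data):
        # from offset 6: flags(2) method/time/date(6) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        flags, csize, nlen, xlen = struct.unpack_from("<H6x4xI4xHH", data, pos + 6)
        if flags & ZIP_FLAG_ENCRYPTED:
            return True
        pos = data.find(ZIP_LOCAL_SIG, pos + 30 + nlen + xlen + csize)
    return False


def flag_layered_lure(raw: bytes) -> dict:
    """Look for the Storm Worm combination: an image part (carrying the lure
    and the password) together with a password-protected ZIP attachment."""
    msg = email.message_from_bytes(raw)
    found = {"image": False, "encrypted_zip": False}
    for part in msg.walk():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype.startswith("image/"):
            found["image"] = True
        elif ctype in ("application/zip", "application/x-zip-compressed") or name.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            found["encrypted_zip"] = found["encrypted_zip"] or zip_has_encrypted_entry(payload)
    found["quarantine"] = found["image"] and found["encrypted_zip"]
    return found


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed minimal ZIP (one local header, no central directory) for the demo."""
    name, body = b"virus_fix.exe", b"opaque bytes"
    header = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_SIG, 20, ZIP_FLAG_ENCRYPTED if encrypted else 0,
                         0, 0, 0, 0, len(body), len(body), len(name), 0)
    return header + name + body


def build_sample_message(encrypted_zip: bool) -> bytes:
    """Constructed lure mail: text, an image part, and a ZIP attachment."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Virus Alert", "a@example.invalid", "b@example.invalid"
    msg.set_content("Use the password shown in the attached image to open the patch.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(16), maintype="image", subtype="png", filename="warn.png")
    msg.add_attachment(build_sample_zip(encrypted_zip), maintype="application", subtype="zip", filename="patch.zip")
    return msg.as_bytes()
```

Run `flag_layered_lure(build_sample_message(True))` to see all three flags set; the same message with an unencrypted zip is not quarantined by this rule alone.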

Image spam with embedded malware links was a broad theme in April. Three major spam campaigns (Paris Hilton, Britney Spears and Internet Explorer 7 Update) employed this method to spread malware to unsuspecting recipients. Another twisted campaign promising camera phone footage of the Virginia Tech shooting had an image of the shooter, with an embedded link to a site that automatically downloaded a trojan designed to steal online bank account login information. This tactic highlights the growing emphasis on the use of social engineering spam emails as a vehicle to distribute web-based malware for financial data theft.

Spammers also put a new, ironic twist on the familiar "Pump and Dump" spam campaign. Pump and Dump spam in April combined the typical image of text touting a penny stock with links to malware-hosting websites. The ironic part? While the content of the message was designed to drive people to purchase a penny stock, thus driving the value up for spammers to profit, the linked malware was designed to steal login credentials for online banking and brokerage websites.

April set a new record for email viruses distributed in one month. Not surprisingly, MxToolBox, Inc. Blacklist Consultants saw a three-fold increase in CBL listings in the second half of April. The CBL, or Composite Blocking List, lists IP Addresses of mail servers known to be compromised with viruses or worms. The dramatic increase in CBL listings suggests an equally dramatic number of virus infections and illustrates a) the limitations of many anti-virus solutions employed in the market today, and, b) the continued susceptibility of email users to spam and malware campaigns.

While April saw many new tactics employed by the bad guys, the advice for defense remains the same: make sure you have an industrial-grade spam and virus filter and educate your users! Let's hope that these April showers bring us May flowers.

Published Wednesday, May 02, 2007 1:14 PM by Joel