What We Saw in February

What We Saw in February
It was more of the same during the month of February with spam promoting Viagra, Valentine’s
Day and Beads and King Cake for Mardi Gras celebrations. The ZeuS phishing kit remained the
biggest threat on the Internet and is now being utilized by all sorts of criminals employing all
types of different botnets. Here are few other highlights from the month of February:
Facebook users were once again targeted by malware campaigns pretending to be
account update notifications. There were far less Facebook themes this month, but they
were just as dangerous.
An interesting tactic that we saw months ago, resurfaced in February pretending to be
from Microsoft. These e-mails falsely warned users of that noisy worm that came
through a while back with the subject line “Conficker.B Infection Alert”.
There were many popular events in February that led to SEO poisoning, which then led
to Scareware campaigns. These events included, but were not limited to: The Olympics;
Nodar Kumaritashvili’s terrible luge accident; Mardi Gras Celebrations; and the
disgruntled Austin Texas man who crashed his plane into his local IRS office building.
There was a new botnet on the scene utilizing the ZeuS Trojan and it made people
nervous. Kneber was targeting corporations and government infrastructures, and was
said to be around 75,000 machines strong.
Apple’s iPad release spurred plenty of spam campaigns at the beginning of February.
Hackers migrated from stealing account log-ins and credit card numbers towards
something more 21st century. February shed light on attackers that stole hundreds of
thousands of carbon credits from industries with the plan to resell them within the
system for large sums of money.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of February. Spammers were
busy during the month of February. Throughout the month we blocked over 4 Billion spam messages as
spam volumes saw an increase over January.
Tests Failed
This chart represents the number of times messages failed various tests over the past month. Keep in
mind that many messages failed multiple tests; hence the total from these charts will far surpass the
total individual pieces of spam seen during the month of February.
Regions of Origin
This graph represents all email traffic by region. For the second straight month we have witnessed a
sharp increase in spam originating from Europe.
Top Ten Countries of Origin
This chart represents the top countries from which spam originated during February. The United States
was again the leading country in spam origin during February. Again Brazil managed to send less spam
and at the same time spam from Russia nearly doubled.
Top Email-Delivered Viral Threats
These are the top 20 malware threats we saw last month in order of frequency, with the most frequent
appearing in the top position. The virus names that begin with “X.” signify rules that were written by
AppRiver Analysts. (This doesn’t mean that other anti-virus vendors didn’t eventually have definitions in
place for these viruses; it simply means that AppRiver often had protection in place before many of
them). Of the 20 viruses seen with the highest traffic in February, AppRiver was able to identify and
block 70% of them before the majority of major AV providers were able to do so.
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
X.W32\Kryptik.ASA_trojan
W32\Bredolab.C!generic
X.W32.Bredo.pak2.10
X.Trojan.W32.Bredolab
X.W32\Oficla.Dbf3
X.W32.bredo.open.pak
X.Troj\In-Zip.dl2
X.Troj\Invo-Zip.2e
X.W32.Bredo.FacebookJRc
DHLtrackerJR1-26a
X.W32.Bredolab.Gen.2
W32\Kryptik.CGR_trojan
W32\Kryptik.CIW_trojan
X.W32\Oficla.Dbf5
W32\Kryptik.CJT_trojan
X.W32.bredo.216
X.W32.bredo.con.2.21b
W32\Kryptik.CFO_trojan
X.W32\Trojan3.BQE2
W32\Kryptik.CCK_trojan
30 Day Virus Activity
This chart represents email-borne virus and malware activity during the month of February as seen by
AppRiver filters. Email-borne virus activity was strong this month boasting a 217% increase over January.
In all we blocked over 52 million messages (in February) containing a virus.
Image Spam
The chart below represents total Image spam seen by AppRiver filters. While the total number of image
spam messages we saw this month did increase slightly, the percentage does remain very insignificant.
Currently image spam only accounts for less than 1 % of total spam volume. At its peak we were seeing
around 10 times the current volume and though we do not expect it to reach such popularity again we
do expect to see temporary shift to this technique again in the future.
Conficker’s Infamy Used in New Malware Campaign
As it’s been stated many times over, last year’s rapid Conficker propagation made many people stand up
and take notes. That makes the probability of this month’s malware campaign pretending to be
protection from the worm that much more likely to catch people off guard. The e-mail arrived in our
filters with the subject line “Conficker.B Infection Alert”, and it pretended to be from Microsoft.
Microsoft joined in the fight to quickly create a Conficker removal tool back when the threat was at its
pinnacle lending extra credibility to the guise of this e-mail. It went on to falsely explain “Starting
12/11/09 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly.” This of course
was untrue seeing as though Conficker remains mostly dormant, while spurting out the occasional spam
campaign once in a while. The attachment that accompanied these fake notices was supposed to be a
custom Conficker infection scanner; yet it was instead another variant from ZeuS. Several different
variants were used all utilizing the same basic e-mail as their social engineering attack.
Another New Botnet on the Block
This new botnet surfaced just a few weeks ago and it has been named Kneber,
which was named after the person given to register the domains used by the
botnet. The press is even saying that this botnet will put last year’s Conficker
threat to shame. The likely reason for all of this hype is because where Conficker
spreads really quickly but did essentially nothing; Kneber is spreading quickly and
is already getting into some serious mischief. The botnet is using the flavor du
jour in the ZeuS Trojan to spread itself and steal personal information from PCs, e.g., credit card
numbers and bank account log-in information. It is also being said that Kneber is specifically targeting
corporations and government computers as its favored targets. When the news broke about this new
botnet, it was said to be 75,000 machines strong and it had already compromised information from
2,500 different corporations and government networks from 196 different countries around the world.
Since Kneber is using the ZeuS Trojan that is so prevalent in today’s Cyberscape, the attacks looked very
similar to others using ZeuS. They arrive as an e-mail purporting to be from a delivery company or often
a security update of some kind, such as in the case of the “Conficker.B” warning campaigns. The e-mail
usually contains a zipped-up, generically named attachment and a downloader rootkit, which begins the
entire ordeal. Sometimes they do not use attachments and host their payload on the Web, while
utilizing links in the e-mails instead.
SEO Attacks Remain a Common Occurrence
Search Engine Optimization (SEO) attacks are nothing new, but the
frequency of this type of attack has increased rather rapidly. SEO
poisoning usually happens when an attacker inserts common search terms
in iframes along with scripts that send victims to malicious sites where
they become infected. When a large event occurs in the news, hackers
waste no time compromising related Web pages with these hidden iframes. It is not uncommon most
recently during peak times after a breaking story comes out for nine out of the top ten search results to
be malicious Web pages. The trick is to flood these malicious pages with terms that people will likely be
searching for in order to raise the popularity of the pages and have them appear higher up in search
results. This is a common marketing strategy whose technique has been degraded by the bad guys.
Some of the most recent real life events that have spurred these SEO Poisoning attacks have been:
Haitian earthquake, Olympics, Olympic luger accident, Mardi Gras, and the disgruntled software
engineer who flew his plane into the Austin Texas IRS building.
Hackers Are After More than Your Credit Cards
In one of the more interesting attack vectors that came to light this month, it was discovered that a
group of hackers breached computers and stole their carbon credits, which belonged to numerous
companies in Europe, New Zealand and Japan. Under the cap and trade program that most countries are
participating in, industries are only allowed a certain amount of CO 2 emissions. These are represented
by what’s called a “Carbon Credit”. When a company runs out of these credits, they are able to buy
more from an existing pool of credits. Due to reduced emissions, this happens to many companies that
have an abundance of carbon credits.
The hackers began their attack with spear phishing campaigns aimed at over 2,000 different companies.
The e-mails pretended to be from the German Emissions Trading Authority, which is responsible for
handling the implementation of emissions trading as per the Kyoto Protocol. The recipients were told
that they needed to re-register their accounts with the Agency and when they did, the attackers had
their accounts. Once these accounts were compromised, the attackers transferred their carbon credits
out into dummy accounts they had set up, and sold them to other interested corporations who were
none the wiser of their lack of legitimacy.
The BBC reported that the attackers got away with 250,000 carbon credits, which they then translated
into more than $4 million dollars.