What We Saw in February
It was more of the same during the month of February, with spam promoting Viagra, Valentine's Day, and beads and king cake for Mardi Gras celebrations. The ZeuS crimeware kit remained the biggest threat on the Internet and is now being used by all sorts of criminals operating all types of botnets. Here are a few other highlights from the month of February:

- Facebook users were once again targeted by malware campaigns posing as account update notifications. There were far fewer Facebook themes this month, but they were just as dangerous.
- A tactic we saw months ago resurfaced in February, this time pretending to be from Microsoft. These e-mails falsely warned users about last year's noisy worm, under the subject line "Conficker.B Infection Alert".
- Many popular news events in February led to SEO poisoning, which in turn led to scareware campaigns. These events included, but were not limited to: the Olympics; Nodar Kumaritashvili's fatal luge accident; Mardi Gras celebrations; and the disgruntled Austin, Texas man who crashed his plane into his local IRS office building.
- A new botnet built on the ZeuS Trojan appeared on the scene and made people nervous. Kneber was targeting corporations and government infrastructures and was said to be around 75,000 machines strong.
- Apple's iPad release spurred plenty of spam campaigns at the beginning of February.
- Hackers moved beyond stealing account log-ins and credit card numbers toward something more 21st century: February shed light on attackers who stole hundreds of thousands of carbon credits from industrial companies, planning to resell them within the trading system for large sums of money.

Total Email Traffic Volume

This chart represents both total and spam traffic throughout the month of February. Spammers were busy during the month of February: throughout the month we blocked over 4 billion spam messages, as spam volumes increased over January.

Tests Failed

This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will far surpass the number of individual pieces of spam seen during the month of February.

Regions of Origin

This graph represents all email traffic by region. For the second straight month we have witnessed a sharp increase in spam originating from Europe.

Top Ten Countries of Origin

This chart represents the top countries from which spam originated during February. The United States was again the leading country of spam origin during February. Brazil again managed to send less spam, while spam from Russia nearly doubled.

Top Email-Delivered Viral Threats

These are the top 20 malware threats we saw last month in order of frequency, with the most frequent in the top position. The virus names that begin with "X." signify rules that were written by AppRiver analysts. (This doesn't mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them did.) Of the 20 viruses seen with the highest traffic in February, AppRiver was able to identify and block 70% of them before the majority of major AV providers were able to do so.

- X.W32\Kryptik.ASA_trojan
- W32\Bredolab.C!generic
- X.W32.Bredo.pak2.10
- X.Trojan.W32.Bredolab
- X.W32\Oficla.Dbf3
- X.W32.bredo.open.pak
- X.Troj\In-Zip.dl2
- X.Troj\Invo-Zip.2e
- X.W32.Bredo.FacebookJRc
- DHLtrackerJR1-26a
- X.W32.Bredolab.Gen.2
- W32\Kryptik.CGR_trojan
- W32\Kryptik.CIW_trojan
- X.W32\Oficla.Dbf5
- W32\Kryptik.CJT_trojan
- X.W32.bredo.216
- X.W32.bredo.con.2.21b
- W32\Kryptik.CFO_trojan
- X.W32\Trojan3.BQE2
- W32\Kryptik.CCK_trojan

30 Day Virus Activity

This chart represents email-borne virus and malware activity during the month of February as seen by AppRiver filters. Email-borne virus activity was strong this month, boasting a 217% increase over January. In all we blocked over 52 million messages containing a virus in February.

Image Spam

The chart below represents total image spam seen by AppRiver filters. While the total number of image spam messages we saw this month did increase slightly, the percentage remains insignificant: image spam currently accounts for less than 1% of total spam volume. At its peak we were seeing around 10 times the current volume, and though we do not expect it to reach such popularity again, we do expect to see temporary shifts back to this technique in the future.

Conficker's Infamy Used in New Malware Campaign

As has been stated many times over, last year's rapid Conficker propagation made many people stand up and take notice. That makes this month's malware campaign, which pretended to offer protection from the worm, that much more likely to catch people off guard. The e-mail arrived in our filters with the subject line "Conficker.B Infection Alert" and pretended to be from Microsoft. Microsoft joined the fight to quickly create a Conficker removal tool back when the threat was at its pinnacle, which lends extra credibility to the guise of this e-mail. It went on to falsely claim "Starting 12/11/09 the 'Conficker' worm began infecting Microsoft customers unusually rapidly." This of course was untrue, since Conficker remains mostly dormant, sending out the occasional spam campaign once in a while. The attachment that accompanied these fake notices was supposed to be a custom Conficker infection scanner; instead it was another ZeuS variant. Several different variants were used, all relying on the same basic e-mail as their social engineering lure.

Another New Botnet on the Block

This new botnet surfaced just a few weeks ago and has been named Kneber, after the username under which the domains used by the botnet were registered. The press is even saying that this botnet will put last year's Conficker threat to shame. The likely reason for all of this hype is that where Conficker spread really quickly but did essentially nothing, Kneber is spreading quickly and is already getting into some serious mischief. The botnet is using the flavor du jour, the ZeuS Trojan, to spread itself and steal personal information from PCs, e.g., credit card numbers and bank account log-in information. It is also being said that Kneber specifically favors corporate and government computers as targets. When the news broke about this new botnet, it was said to be 75,000 machines strong and to have already compromised information from 2,500 different corporations and government networks in 196 countries around the world. Since Kneber uses the ZeuS Trojan that is so prevalent in today's cyberscape, the attacks looked very similar to others using ZeuS. They arrive as an e-mail purporting to be from a delivery company or, often, a security update of some kind, as in the case of the "Conficker.B" warning campaigns. The e-mail usually contains a zipped-up, generically named attachment holding a downloader that installs the rootkit, and that begins the entire ordeal. Sometimes they do not use attachments at all and instead host their payload on the Web, using links in the e-mails.

SEO Attacks Remain a Common Occurrence

Search Engine Optimization (SEO) attacks are nothing new, but the frequency of this type of attack has increased rather rapidly. SEO poisoning usually happens when an attacker injects hidden iframes and blocks of popular search terms into compromised Web pages, along with scripts that send visitors on to malicious sites where they become infected. When a large event occurs in the news, hackers waste no time compromising related Web pages with these hidden iframes. Most recently, during peak times after a breaking story comes out, it is not uncommon for nine out of the top ten search results to be malicious Web pages.
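The two tell-tales just described, a hidden iframe pointing off-site and a block of trending search terms the visitor never sees, can be checked for mechanically in a fetched page. The following is an added example and not AppRiver's filter code or anything from the original report: a small Python auditor built on the standard library's HTMLParser that flags iframes hidden by size or CSS (including those inside a hidden ancestor) and hidden blocks stuffed with keywords. The sample page, the site host name example.com and the 203.0.113.7 address are constructed for the example.

```python
"""Audit a fetched page for SEO-poisoning tell-tales: hidden iframes and
keyword-stuffed hidden blocks.  Added example, not part of the original report."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to keep injected content out of sight
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}
STUFF_THRESHOLD = 15  # words inside one hidden block before we call it keyword stuffing


def _is_hidden(attrs):
    """True if an element is invisible by CSS or by a 0/1 pixel width or height."""
    if HIDDEN_CSS.search(attrs.get("style", "")):
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().lower().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    return False


class PoisonAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.stack = []           # open elements: (tag, text buffer if outermost hidden, else None)
        self.hidden_iframes = []  # {"src": ..., "third_party": bool}
        self.stuffed_blocks = []  # first 80 chars of each keyword-stuffed hidden block

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        a = {k.lower(): (v or "") for k, v in attrs}
        inherited = any(buf is not None for _, buf in self.stack)  # inside a hidden ancestor
        hidden = inherited or _is_hidden(a)
        if tag == "iframe" and hidden:
            host = urlparse(a.get("src", "")).hostname or ""
            self.hidden_iframes.append({"src": a.get("src", ""),
                                        "third_party": host != self.page_host})
        if tag not in VOID_TAGS:
            # only the outermost hidden element collects text; nested ones feed it
            self.stack.append((tag, [] if hidden and not inherited else None))

    def handle_data(self, data):
        for _, buf in reversed(self.stack):
            if buf is not None:
                buf.append(data)
                return

    def handle_endtag(self, tag):
        tag = tag.lower()
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed inner tags
            if self.stack[i][0] == tag:
                closed, self.stack = self.stack[i:], self.stack[:i]
                for _, buf in closed:
                    if buf is not None:
                        words = " ".join(buf).split()
                        if len(words) >= STUFF_THRESHOLD:
                            self.stuffed_blocks.append(" ".join(words)[:80])
                return


def audit_page(html, page_host):
    """Return the hidden iframes and stuffed blocks found in a page served from page_host."""
    p = PoisonAuditor(page_host)
    p.feed(html)
    p.close()
    return {"hidden_iframes": p.hidden_iframes, "stuffed_blocks": p.stuffed_blocks}


# Constructed sample: a legitimate embed, an injected 1x1 iframe pointing at an
# off-site host (203.0.113.7, a documentation address), and an off-screen keyword block.
SAMPLE_PAGE = """
<html><body>
<h1>Local news</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<p>Story text goes here.</p>
<iframe src="http://203.0.113.7/in.cgi?3" width="1" height="1" frameborder="0"></iframe>
<div style="position:absolute; left:-9999px">
  olympics luge crash video mardi gras beads king cake austin plane crash irs
  olympics luge crash video mardi gras beads king cake austin plane crash irs
  free antivirus scan
</div>
</body></html>
"""

if __name__ == "__main__":
    for kind, hits in audit_page(SAMPLE_PAGE, "example.com").items():
        print(kind, hits)
```

On the sample the visible YouTube embed passes, the 1x1 iframe is reported as hidden and third-party, and the off-screen div is reported as a stuffed block. Static checks like this miss content injected by script at load time, so on a real investigation pair it with the page as rendered by a browser.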
The trick is to flood these malicious pages with terms that people are likely to be searching for, in order to raise the popularity of the pages and have them appear higher in search results. This is a common marketing technique that the bad guys have turned to their own ends. Some of the most recent real-life events that have spurred these SEO poisoning attacks have been: the Haitian earthquake, the Olympics, the Olympic luge accident, Mardi Gras, and the disgruntled software engineer who flew his plane into the Austin, Texas IRS building.

Hackers Are After More than Your Credit Cards

In one of the more interesting attack vectors that came to light this month, it was discovered that a group of hackers breached computers and stole carbon credits belonging to numerous companies in Europe, New Zealand and Japan. Under the cap-and-trade programs that many countries participate in, industries are only allowed a certain amount of CO2 emissions, represented by what are called "carbon credits". When a company runs out of these credits, it can buy more from an existing pool; companies that have reduced their emissions end up with a surplus of credits they can sell. The hackers began their attack with spear phishing campaigns aimed at over 2,000 different companies. The e-mails pretended to be from the German Emissions Trading Authority, which is responsible for implementing emissions trading under the Kyoto Protocol. The recipients were told that they needed to re-register their accounts with the agency, and when they did, the attackers had their credentials. Once these accounts were compromised, the attackers transferred the carbon credits out into dummy accounts they had set up and sold them to other interested corporations, who were none the wiser about their illegitimate origin. The BBC reported that the attackers got away with 250,000 carbon credits, which they then turned into more than $4 million.
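The delivery pattern shared by the "Conficker.B Infection Alert" lure and the Kneber campaigns above, a generically named zip attachment hiding an executable, is the kind of thing a mail filter can reject before any signature exists. The following is an added example and not AppRiver's filter code or any rule from the report: a standard-library Python inspector that pulls zip attachments out of a raw message and flags members with executable or double extensions, an MZ (PE) header regardless of name, or encryption that blocks inspection. The message, the sender and recipient addresses, and the "Conficker_Scanner.pdf.exe" member (a dummy MZ stub, not real malware) are all constructed for the example.

```python
"""Inspect zipped e-mail attachments for disguised executables.
Added example, not AppRiver's filter code.  Everything here is constructed."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from pathlib import PurePosixPath

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".pdf", ".doc", ".jpg", ".txt", ".htm"}


def inspect_zip(blob):
    """Return (member name, [reasons]) for every suspicious member of a zip blob."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [("<archive>", ["attachment is not a valid zip"])]
    with zf:
        for info in zf.infolist():
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            reasons = []
            if suffixes and suffixes[-1] in EXEC_EXTS:
                reasons.append("executable extension " + suffixes[-1])
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS and suffixes[-1] in EXEC_EXTS:
                reasons.append("double extension disguises it as " + suffixes[-2])
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                reasons.append("encrypted member, content cannot be inspected")
            elif zf.open(info).read(2) == b"MZ":
                reasons.append("PE header (MZ) regardless of extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def inspect_message(raw):
    """Map each zip attachment of a raw RFC 822 message to its inspect_zip findings."""
    msg = message_from_bytes(raw, policy=default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # check the magic bytes too: a renamed .zip is still a zip
        if name.lower().endswith(".zip") or payload[:2] == b"PK":
            results[name] = inspect_zip(payload)
    return results


def build_sample_message():
    """Constructed lure modelled on the 'Conficker.B Infection Alert' mails (no real malware)."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode"  # dummy stub
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Conficker_Scanner.pdf.exe", fake_pe)
        zf.writestr("readme.txt", b"Run the scanner to clean your PC.")
    msg = EmailMessage()
    msg["From"] = "security-alert@example.com"   # constructed sender
    msg["To"] = "user@example.net"               # constructed recipient
    msg["Subject"] = "Conficker.B Infection Alert"
    msg.set_content("Starting 12/11/09 the Conficker worm began infecting customers. "
                    "Run the attached scanner.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, hits in inspect_message(build_sample_message()).items():
        print(attachment)
        for member, reasons in hits:
            print("  ", member, "->", "; ".join(reasons))
```

The sample yields one finding for document.zip: the scanner member is caught three times over (executable extension, decoy double extension, MZ header) while readme.txt passes. Treating an encrypted member as a finding rather than a pass matters in practice, because password-protected archives are a standard way to get a dropper past content scanners.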