Targeted Spam: An Unfair Blow to Security

by Axelle Apvrille
November 5, 2009 at 11:40 am

Today, I feel like telling you a true story that happened at Fortinet, the story of Jane Doe.

Jane Doe works for Human Resources at the reception desk, so she is used to receiving lots of mail and UPS or DHL parcels for the company. Some time ago, Jane received an e-mail from DHL notifying her that they had been unable to deliver a parcel (see figure below). She handles plenty of DHL parcels every day; consequently, she did not give this e-mail any particular attention and, quite absent-mindedly, tried to open the attachment. Fortunately, she did not manage to unzip anything, because the attachment had been removed by FortiMail. Only then did Jane realize there was something strange about the e-mail.


Figure 1. Bredolab spam example. Apart from the sender, it looks real.

Apart from covert advertisement for FortiMail ;) this example perfectly illustrates the efficiency of targeted spamming. Forge a plausible e-mail (as a matter of fact, UPS or DHL often include attachments in their e-mails to track this or that parcel) and send it to the right mailbox (a person expecting DHL parcels): this is close to guaranteed infection. Proof: it would have worked even at Fortinet, where employees are particularly well aware of the dangers of viruses. So, spammers, please don’t do this: it is an unfair blow.

Incidentally, we had a look at the stats of our scanning system. There was a large spike of DHL spam, peaking on October 13th (around 3,000 spam mails collected by our system that day), which has recently tapered off. The volume had risen from about 50-100 spam mails per day in mid-to-late September. This spam campaign infects victims with Bredolab.

Guillaume Lovet, Derek Manky, Doug McDonald, Alexandre Aumoine and Jane Doe are the main contributors to this blog entry. Many thanks!

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

‘Friendly’ spam: A trick for managing unwanted emails from family, friends

by Axelle Apvrille
June 25, 2009 at 8:00 am

I don’t know if you encounter the same problem as I do, but I keep on receiving spam from people I nonetheless do like (friends, family, etc). You know, the kind of awfully nice people who nonetheless strangely feel compelled to forward their own rubbish: hoaxes, chain letters, petitions, jokes and, of course, a full load of lengthy attachments.

This is a real nuisance, yet I cannot report them to online spam fighting websites, nor simply blacklist them: from time to time, among other mails, they do send interesting stuff (personal news, cool invitations), and also, they mean no harm; it’s just that most of the time they are so convinced their e-mail will actually save an endangered species that they feel they have to forward it… Of course, I *did* try to educate them, telling them all of this was fake, providing URLs to check whether a mail is a hoax or not, explaining that their Happy New Year message would be just as fine in plain text rather than in a flashy PowerPoint slideshow. Let’s face it: I failed. So, I have now decided to move on to another solution: the Friendly Automatic Filter and Answering Machine.

The idea is very simple: for all friends/family,
1. Filter out e-mails with banned extensions (in my case: pps, doc, exe, ppt)
2. Also filter e-mails which are too long (e.g. people sending images they forgot to scale down)
3. Automatically send an e-mail to the sender, telling them that part of their message has been blocked and that I will not be reading the attachment.

Actually, I spent a long time searching for such a tool on the Internet, but I could not find anything: mail clients such as Thunderbird or Alpine do not support customization of automatic answers (for example, a message body containing the sender’s name and the time and date of their e-mail), Gmail filters only detect whether there is an attachment or not, but not which kind, and anti-spam tools are designed to delete the filtered message, not to answer it (indeed, in most cases, you must not answer spam!) nor to filter out only the attachments. I finally started writing a very simple Perl script to handle the case. It’s really basic, but it already saves me time.
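The three steps above, as an added example in Python using only the standard library (this is not the author's Perl script): the banned-extension list is the one from the post, while the size threshold, the sender and the chain-letter message are constructed assumptions.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed policy values mirroring the post: banned extensions and a size cut-off
BANNED_EXTENSIONS = {"pps", "doc", "exe", "ppt"}
MAX_ATTACHMENT_BYTES = 100 * 1024  # assumed threshold for "too long" messages

def blocked_attachments(msg):
    """Return (filename, reason) for every attachment the filter would drop."""
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        size = len(part.get_payload(decode=True) or b"")
        if ext in BANNED_EXTENSIONS:
            blocked.append((name, f"banned extension .{ext}"))
        elif size > MAX_ATTACHMENT_BYTES:
            blocked.append((name, f"too large ({size} bytes)"))
    return blocked

def build_reply(msg, blocked):
    """Compose the automatic answer, naming the sender and quoting the original date."""
    name, addr = parseaddr(str(msg["From"]))
    reply = EmailMessage()
    reply["To"] = addr
    reply["Subject"] = "Re: " + str(msg["Subject"] or "")
    body = [f"Hi {name or addr},", "", f"Part of your e-mail of {msg['Date']} was blocked; I will not read it:"]
    body += [f"  - {fn}: {why}" for fn, why in blocked]
    reply.set_content("\n".join(body) + "\n")
    return reply

def process(raw):
    # Parse a raw RFC 822 message; return the reply to send, or None if nothing was blocked
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    blocked = blocked_attachments(msg)
    return build_reply(msg, blocked) if blocked else None

def sample_message():
    """Constructed sample: a chain letter with a .pps, a small photo and an oversized photo."""
    m = EmailMessage()
    m["From"] = "Aunt Martha <martha@example.org>"
    m["Subject"] = "Fwd: Fwd: you MUST see this"
    m["Date"] = "Thu, 25 Jun 2009 08:00:00 +0200"
    m.set_content("Forward to 10 friends or else!")
    m.add_attachment(b"\x00" * 10, maintype="application", subtype="octet-stream", filename="cute.pps")
    m.add_attachment(b"\xff" * 1024, maintype="image", subtype="jpeg", filename="small.jpg")
    m.add_attachment(b"\xff" * (200 * 1024), maintype="image", subtype="jpeg", filename="holiday.jpg")
    return m.as_bytes()
```

Feeding `sample_message()` to `process()` yields a reply listing `cute.pps` (banned extension) and `holiday.jpg` (too large) while `small.jpg` passes untouched.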

Interested in trying this yourself? Get the script here.

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

Spam 2.0 leads Facebook users to Canadian Pharmacy ring

by Guillaume Lovet
May 4, 2009 at 12:01 pm

Our sensors (i.e. our digital media person, a rabid fan of Facebook) caught some interesting Facebook private messages today. One of them, sent by a “Friend” to about 100 of her contacts, merely consisted of a domain name, as can be seen below:


Fortunately for Daniel, he did not know what to do with it (or he knew, but did not want to); yet other recipients may have recognized a domain name, and entered it in their browser’s address bar, out of curiosity. After all, that’s from Martha, and she usually sends rather funny links.

Of course, the link was not actually from Martha, but rather from a cyber criminal who had compromised her account. Fortunately, contrary to what Martha feared (but one is never too careful, and Martha is wise), the link did not lead to a virus-loaded page, but to a “pharmacy shop” belonging to the infamous “Canadian Pharmacy Ring”, registered at “Directi Internet Solutions” (the new name of the infamous EST Domains registrar). In a nutshell, a typical case of spam 2.0. But while spamvertisement has happened before on Facebook Walls, and worms such as Koobface did leverage Facebook Private Messages to propagate, to our knowledge this is the first instance of spam being distributed via Facebook Messages.

Another point worth mentioning is that while to Daniel’s eyes (if we assume his reply was ironic) junglemix.in was obviously a domain name, it was not at all the case for Facebook’s filters. We have shown in a previous post how Facebook wraps all URLs featured in messages, so as to retain control over the “clicks” performed by recipients, even if those recipients read the message from their regular e-mail account. This one obviously went under the radar, most likely because it did not feature ‘http://’ or ‘www’, and used a domain extension (.in) that is also a (very) common word.

The consequence is that although Facebook did react fast, deleting the messages from Facebook inboxes, those which had already reached the regular mailboxes of recipients (most people do have the “forward messages to my email” option enabled) are still there, unwrapped, so Facebook cannot deny access to the link. The downside for the criminals, of course, is that it is not clickable.
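To illustrate the filtering gap described above, here is an added example (not Facebook's code, whose actual rules are unknown) contrasting a hypothetical scheme-or-www-only link rule with one that also flags bare dotted tokens ending in a known TLD; the sample messages and the short TLD list are constructed assumptions.

```python
import re

# Constructed samples: the bare-domain message the post describes, plus benign text
SAMPLES = {
    "bare":   "junglemix.in",
    "scheme": "have a look at http://example.com/page and www.example.org",
    "benign": "see you in paris, back in 2 weeks",
}

# Hypothetical naive wrapper rule: a link needs a scheme or a 'www.' prefix
NAIVE_URL = re.compile(r"(?:https?://|www\.)[^\s<>\"]+", re.I)

# Assumed short TLD list; a real filter would use the full public suffix list
KNOWN_TLDS = {"com", "org", "net", "in", "ru", "cn"}
# A dotted token ending in a TLD: 'in' alone is a word, 'junglemix.in' is a domain
DOTTED = re.compile(r"\b((?:[a-z0-9-]+\.)+([a-z]{2,}))\b", re.I)

def naive_links(text):
    """Links the scheme/www-only rule would wrap."""
    return NAIVE_URL.findall(text)

def bare_domains(text):
    """Dotted tokens whose last label is a known TLD, with or without scheme/www."""
    return [m.group(1) for m in DOTTED.finditer(text) if m.group(2).lower() in KNOWN_TLDS]

def detection_gap(text):
    """Domains the naive rule would let through unwrapped."""
    seen = " ".join(naive_links(text))
    return [d for d in bare_domains(text) if d not in seen]
```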

Author bio: Guillaume Lovet is the head of Fortinet's FortiGuard security research team in EMEA and a regular speaker at international antivirus conferences.

February Threatscape – Exploits, Conficker, Waledac and Sexy View

by Derek Manky
February 27, 2009 at 10:18 am

With February’s Threatscape Report out, it’s time to highlight some of the most interesting movement happening from late January 2009 to now:

New vulnerabilities (NVC) were up nearly threefold, with 117 posted in comparison to 43 in January’s edition; 25.6% of these new vulnerabilities were seen being actively exploited. Two new high-profile zero-day exploits (CVE-2009-0238 and CVE-2009-0658), affecting MS Excel (XLS) and Adobe Reader (PDF) respectively, have since been disclosed. Given these facts, and Conficker’s success, there is no better time than now to underscore patch management and effective security to battle these threats.

Conficker is still running strong. Our systems showed that exploitation of the well-known MS08-067 vulnerability reached its highest recorded activity to date on February 14th, 2009. As of writing, volume levels are still quite high; a new variant has been discovered in the wild that allows malicious payload transfers through a backdoor port opened on an infected machine – without relying on the domain generation algorithm. Since the algorithm that generates the list of domains Conficker contacts to download code has been reverse-engineered and put in the spotlight, this latest functionality can be seen as a counter move by Conficker’s authors.

Waledac, a relatively new botnet in town, went on a long run using a Valentine’s Day campaign to dupe users into downloading a malicious executable which was, to no surprise, a copy of the Waledac trojan. The campaign used a variety of domain/sub-domain names, safe-haven registrars, and fast flux. As a result, the domains are still resolving to malicious servers hosting the sites and executables. Sadly, this proves how durable and effective such campaigns can still be using not-so-new methodologies such as fast flux. As of writing, the campaign is still alive but is using a different theme, dubbed the ‘Couponizer’. This social engineering hook offers online “coupons” to the victim. One thing we noticed with Waledac is that, aside from coming in the usual shifting variants (server-side polymorphic), the served malicious executable’s filename shifted frequently as well. Names such as ‘reader.exe’, ‘start.exe’, and ‘lovekit.exe’ were used.

Movement on the mobile front: After new variants of Flocker surfaced in January, targeting accounts with Indonesian operators, we reported on Yxes.A in February — the latest and greatest SymbianOS threat — aka “Sexy View”. While mobile threats are certainly low profile in terms of prevalence (compared to non-mobile threats), this is an area to keep a close eye on. The biggest threat posed by SymbOS/Yxes.A is its ground-breaking propagation function: with the capability to spread through SMS by providing malicious URLs, a bridge is created from mobile telecommunications to the Internet as we know it. In turn, this opens up a range of possibilities, effectively allowing the authors more control over their creation. With more control and functionality added, Yxes.A proved that we may not be far away from a mobile botnet.

Spam levels remained consistent after crawling back from a sharp decrease in late 2008, thanks largely to the McColo take-down in November 2008. Phishing and scam e-mails are as popular as ever, playing on the economic crisis: our spam traps harvested loan and job scams showing up in languages localized to various regions.

Author bio: Derek Manky contributes to security research and development while acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure efforts between Fortinet and other vendors.