Posts tagged ‘Spam’

The spam trend continues: more and more malware

In October we saw a lot of spam carrying malware, and judging by the speed with which the emails and the malware were detected, we all thought it would stop soon.

Looking at the first 3 days of November, we have observed that the trend has not actually changed. We did notice changes in the social engineering techniques used to advertise the various malware, though.

We have the good old tricks with the

- notification “Attachment: no virus found” (detected as TR/Netsky.HB),
- “promised photos” from the last holidays (detected as TR/Crypt.ZPACK.Gen),
- boss sending a letter (detected as BDS/Small.ZO Backdoor server),
- undelivered DHL package (detected as TR/Crypt.ZPACK.Gen),
- and of course the Facebook password change request (current versions detected as BDS/Small.ZO Backdoor server).

Apart from these malware emails, which make up more than 60% of the spam we have received so far, the trend is constant: spam mails concerning online casinos, online pharmacies and various replicas clog up the inboxes.

If the trend from last year repeats itself this year, then we should soon start to see a lot more spam spreading malware and phishing. Last year's November was pretty busy, but we recorded a very relaxed December.

All the above mails are detected by our Antispam engine as spam and by the Antivirus engine as described above. Avira users are thus well protected.

Sorin Mustaca
Manager International Software Development

Facebook Password Reset turns out to be Malware

Email malware is really getting trendy again. Now the malware authors use another social engineering scam: the spam mails claim that the password for the Facebook account has been reset. To get the new password, the recipient of the spam is urged to open the attached ZIP file, which in turn contains the malicious .exe file.

Fig. 1: This fake email is trying to make the recipient execute the attached malware.

Such emails were already successful a few years ago. I thought we wouldn't see them again, as people should already know not to execute attachments from emails they didn't request. Anyhow, the recent spam waves teach us otherwise.

So please, remember the drill: if someone sends an email with an attachment, make sure that the sender is real and that he/she really wanted to send you that file. Otherwise it is most likely malware. In any case, keep your antivirus software up to date so it can detect new malware.

Avira products detect the attached malware from that spam wave as TR/Dldr.Bredolab.AX with the VDF update to version 7.01.06.155.

Dirk Knop
Technical Editor

Twitter removes Spammers

After posting an article about Twitter Spam recently, some people started to follow my Twitter feed. One of these users was an obvious spammer though, which probably tried to distribute malware.

Unfortunately I was too slow in checking what the account was distributing. I can only guess that an account called Br.it.neyF***.Vids (drdtbwcxgaho) (some characters replaced with asterisks) might distribute links to some known fake codecs which are actually malware. Also, the avatar of the account was specially chosen to attract the attention of those interested in such matters (this is why I masked it out).

Immediately after I clicked on the account, I saw that Twitter had already blocked it, taking away my pleasure of reporting it as spam:

Nice to see that Twitter is not completely unaware of such things. By the way, this account fell into the spammer category according to the template I proposed in my earlier article about Twitter Spam: zero followers, following many, only a few tweets. Definitely a spammer!

Sorin Mustaca
Manager International Software Development

Email malware returns

After last week's outbreak of spam mails carrying malware with alleged settings for mail software (which is still ongoing; we still receive a lot of those mails), our analysts see a new bunch of emails which contain a trojan as attachment. These mails come with subjects like “Conflicker.B Infection Alert” and seem to stem from someone called “Microsoft Windows Agent”.

Fig. 1: The email claims to carry a Conficker removal tool.

The mail claims that the network where the PC is located is infected with Conficker.B and that the ISP has informed Microsoft about that. The attached tool allegedly offers a free system scan.

The attachment is a FakeAV program, though; besides, Microsoft would never send out an executable attachment via email without prior consent. Do not execute the malware in the zip file from the mail! Avira detects it as TR/Vilsel.ior with the VDF 7.01.06.127.

Dirk Knop
Technical Editor

Malware-Spam with alleged OWA settings

Our spam traps received a lot of spam emails during the last night which claim to lead to or to include a new settings file for Outlook Web Access (OWA). The mails seem to be sent by the technical staff of the domain and are made up quite well. Thus they are targeted at the organisation they are sent to.

Fig. 1: The spammed emails contain malware or link to it.

Different malware emails have been sent around: some directly include the malware as attachment, others link to a web site where the malware can be downloaded (spear phishing). The Avira Risk Level indicates phishing level 4, which reflects increased phishing activity.

Fig. 2: Another variant of the email is pointing to a fake web site.

While in the HTML email the malware link is shown as leading to the real domain, the link really points to a URL of the following form: http://EMAIL_DOMAIN.BADHOST.COM/owa/service_directory/settings.php?email=USER@EMAIL_DOMAIN&from=EMAIL_DOMAIN&fromname=USER. The recipient's own domain is placed in front of the attacker's host name, so if the receiver of the mail is in a rush, he might believe he is on the real OWA web site.

Fig. 3: The web site the mail points to looks convincing, too.

While Avira Antispam detects the emails as spam and the URLs are being blacklisted, the virus lab released detections for the malware with a VDF update. The malware is detected as TR/Vilsel.iop and as TR/Spy.ZBot.9164.1, respectively, with the VDF file 7.01.06.111. The Vilsel trojan is yet another incarnation of the FakeAV plague, while ZBot steals information.

In any case, do not open these attachments or download the alleged settings files! They can lead to an infection of your system and put it under the control of the malware authors!

Dirk Knop
Technical Editor

Sorin Mustaca
Manager International Software Development

A brief look at some Twitter Spam

Like many other millions of people, I also have a Twitter account. I never use it through the twitter.com website because I don't really have time to tweet. But I have created an account on a website which automatically publishes any Avira Techblog post to my Twitter account. You may see them prefixed with “Avira Techblog:”. I sometimes write things through another service which publishes whatever I write to my Facebook, LinkedIn and Flickr accounts. So, everything happens with only one click. This means that I very seldom visit these websites in order to publish something using their dedicated interface.

This weekend, however, I decided to pay Twitter a visit. This wasn't because I had nothing to do, but because I noticed that I had a couple of new followers, whom I suspected to be spammers. Usually, it is very easy to detect a spam account on Twitter: it follows a lot of users, it has 1 post and it is usually followed only by a few persons. So, I took the first in the list:

Observe that this account follows 830 users and is followed by 47! And it has only one tweet, the URL pointing to an online brokerage website. If we check its followers, we see that some of them are similar accounts, but most of them are real persons who posted recently. So, it doesn’t really fit our profile.

Let’s see the next follower: 778 following, 0 followers, a single post. Ok, it fits our template. The URL is redirected to a porn website.

The other follower is following 790 users and is being followed by 3 real users. It has only one tweet, but some users, so it doesn’t really fit our template. It points to the same porn site as the one before, using a different landing URL, in order to get a different short URL from burnurl.com.

Last, but not least, is the glamorous Jaime from Seattle, with 1103 following and… record… 337 followers. “Jamie” is breaking another record as well: 727 tweets. Having a quick look at the tweets, I can clearly see that this is an industry…

Visiting that URL, we see a classical pyramid game for making money. A lot of people behind it, a strong marketing campaign, a really well done website.

Having a look on the followers list, I see only real persons, writing real tweets (no API automated posts). All of them want to make money.

As a conclusion: Teaching people how to make money sells better than sex.

We strongly advise everybody never to fall for such scams, because not only do you not gain a thing, but you will probably lose a lot of money.

We all agree that Twitter should do something to stop these spams. But what?

There is no simple algorithm to detect these spam accounts. There are real people, probably desperate enough, who accept and follow such information. How can an automated system decide whether an account is spammy or not?

The spam account has followers and posts, and there are real people behind those followers. Twitter's Terms of Service don't prohibit anyone from posting things like these.

You are no longer forced to follow your followers (as it was happening at the beginning of Twitter), so theoretically, anybody may follow you without you having to follow them.

Or should we maybe reconsider the definition of Twitter spam? I am afraid that, slowly, the coolness of Twitter will be buried under a huge amount of spam, and the same thing that happened to email may happen to Twitter as well.

Sorin Mustaca
Manager International Software Development

PS: I blocked the 4 spam accounts which were following my Twitter account.

High Risk Level Alert

In the last week, we have observed a high number of new URLs pointing to malware files and phishing websites. It is the first time this year that the Risk Level for both types of URLs has been 5 (Very High) for 4 days continuously.

Fig. 1: There are increased activities in the phishing and malware scene.

This most probably has to do with the fact that a lot of accounts from Yahoo, Google, Hotmail and AOL have been “phished” and are now being used in malicious activities.

The amount of spam received in our spam traps is also very high. In the first 8 days of October we have received 36% of the spam we received during the entire month of September. If the trend continues like this, we will see a 44% increase in the spam received, compared to September.

If you suspect that your email account hosted at one of the above providers may have been compromised, please change your password as soon as possible.

Sorin Mustaca
Manager International Software Development

ZBot outbreak in form of IRS Phishing

Our users located in the US are currently under attack from an IRS malware/spamming campaign. In the last 3 days we have constantly detected and blocked a spam outbreak containing links pointing to websites resembling the IRS's, which ask the users to download a ZBot Trojan file.

Fig. 1: The spam mail pointing to the malware site.

All Avira products detect the Trojans as TR/Spy.ZBot (in several variants). Our users of Avira AntiVir Premium, Avira Premium Security Suite and WebGate are protected because the URLs are being blocked.

The emails carry the address of the recipient in the URL in order to confirm that somebody actually clicked on it: http://www.irs.gov.<host>.com/fraud_application/directory/statement.php?email=ngthisleter@<email.com>&tid=ngthisleter-00000174073547US
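The pattern in this URL and in the OWA settings URL from the post above is the same: the trusted name (the recipient's mail domain, or irs.gov) is placed as the leading labels of an attacker-controlled host, and the recipient's address rides along in the query string as a click-tracking token. The following Python is an added example of checking links for exactly these two traits; it is not code from the posts or from Avira, and the hosts example-corp.com and badhost.example as well as all three sample links are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed samples: "badhost.example" stands in for the attacker's host.
OWA_LINK = ("http://example-corp.com.badhost.example/owa/service_directory/settings.php"
            "?email=USER@example-corp.com&from=example-corp.com&fromname=USER")
IRS_LINK = ("http://www.irs.gov.badhost.example/fraud_application/directory/statement.php"
            "?email=user@example.com&tid=TOKEN")
LEGIT_LINK = "https://mail.example-corp.com/owa/auth/logon.aspx"

def labels(name):
    return name.lower().rstrip(".").split(".")

def registrable_domain(host):
    # Assumption: the last two labels. Production code should consult the
    # Public Suffix List, where e.g. "example.co.uk" needs three labels.
    return ".".join(labels(host)[-2:])

def belongs_to(host, domain):
    """True only if host is the trusted domain itself or a genuine subdomain of it."""
    h, d = labels(host), labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d

def trusted_name_embedded(host, domain):
    """The trick from both posts: the trusted name appears as labels of a foreign host."""
    h, d = labels(host), labels(domain)
    if belongs_to(host, domain):
        return False
    return any(h[i:i + len(d)] == d for i in range(len(h) - len(d)))

def analyse_link(url, trusted_domain):
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    result = {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "trusted": belongs_to(host, trusted_domain),
        "trusted_name_embedded": trusted_name_embedded(host, trusted_domain),
        # a recipient address in the query string lets the sender confirm who clicked
        "tracks_recipient": "email" in query,
    }
    result["suspicious"] = not result["trusted"] and (
        result["trusted_name_embedded"] or result["tracks_recipient"])
    return result

if __name__ == "__main__":
    for link, domain in ((OWA_LINK, "example-corp.com"), (IRS_LINK, "irs.gov"),
                         (LEGIT_LINK, "example-corp.com")):
        print(analyse_link(link, domain))
```

Comparing whole labels rather than string suffixes is what keeps "notexample-corp.com" from passing as a subdomain of "example-corp.com".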

Fig. 2: The fake IRS site with the malware.

The URLs are highly volatile; we see them active only for a couple of hours. However, the hosts which host the malware file called “tax-statement.exe” are still active. So please don't follow those links!

Update from 30 September 2009: This spam wave has now come to an end; from one day to the next there were no new malware mails!

Sorin Mustaca
Manager International Software Development

The longest Nigerian Scam ever?

I received today what I think is the longest Nigerian Scam I have ever seen. Nothing special in the text, except maybe that it is written with only a few punctuation marks and in terrible English.

Fig. 1: The longest Nigerian scam I've seen yet.

The special thing about it is that it has 1253 words on 50 lines. As you can imagine, on a computer with a decent resolution you have to scroll quite a lot in order to see the entire email. That's also because Outlook wraps the lines, so the message gets even longer.

Did you ever receive a Nigerian Scam so long? If you did, then please send it to us at antispam@avira.com.

Sorin Mustaca
Manager International Software Development

A fresh breeze in the Casino spam

I usually sort the spam I receive in my personal email by the date I receive it. I do this once a week and then I move it to the spam archive. This time, two emails drew my attention because they were very old: 23.05.2009. Well, considering the above mentioned rule, this is simply not possible. This is a very old method of drawing the reader's attention: be either the first or the last post in the list. So, I decided to take a closer look at them.

Fig. 1: Roulette spam mail

The email seems to be someone's reply to a friend's request to share some tricks for playing roulette. The idea is simple… play the same colour and raise the bet by a factor of 2.5 until you win. I wondered why exactly 2.5 and what happens if you change the ratio. Let's have a look at the mathematics of this rule to see if it is indeed correct all the time.

I wrote a small Perl script to simulate the roulette play. Let’s see how it goes:

| Betting | Possible loss | Possible win |
|--------:|--------------:|-------------:|
| 3 $ | 4 $ | 2 $ |
| 8 $ | 11 $ | 5 $ |
| 20 $ | 28 $ | 12 $ |
| 50 $ | 70 $ | 30 $ |
| 125 $ | 175 $ | 75 $ |

So, the algorithm is clear and is correct. Where is the catch? Why 2.5?

Let’s simulate with a ratio of 2:

| Betting | Possible loss | Possible win |
|--------:|--------------:|-------------:|
| 2 $ | 3 $ | 1 $ |
| 4 $ | 6 $ | 2 $ |
| 8 $ | 12 $ | 4 $ |
| 16 $ | 24 $ | 8 $ |
| 32 $ | 48 $ | 16 $ |

The winnings are no longer so interesting when the ratio is too small. One has to play a lot in order to win something substantial in this case. The catch is that you have to keep playing with a decent ratio of at least 2.5 until you win. If you stop, you lose all you have invested so far.
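The "keep playing until you win" catch can be put into numbers. The following Python is an added example, not the author's Perl script: it follows the post's rule (same colour, multiply the stake by the ratio after each loss) and, beyond the two tables above, tracks everything staked so far, how many losses in a row a given bankroll survives, how likely such a losing streak is, and the expected return of a colour bet. Assumptions: a European wheel with 18 winning pockets out of 37, a starting bet of 1 $, stakes rounded up to whole dollars (which reproduces the post's 2.5 progression 3, 8, 20, 50, 125), and a constructed bankroll of 200 $.

```python
import math
from fractions import Fraction

# Assumed European wheel: 18 of 37 pockets pay out on a colour bet (even money).
WIN_POCKETS, POCKETS = 18, 37

def progression(start_bet, ratio, rounds):
    """One row per spin: (bet, total staked so far, net result if this spin wins)."""
    rows, bet, staked = [], start_bet, 0
    for _ in range(rounds):
        staked += bet
        net = 2 * bet - staked          # a win returns twice the stake, minus everything laid out
        rows.append((bet, staked, net))
        bet = math.ceil(bet * ratio)    # next stake, rounded up to whole dollars
    return rows

def rounds_affordable(start_bet, ratio, bankroll):
    """Consecutive losses the bankroll survives before the next stake cannot be placed."""
    return sum(1 for _, staked, _ in progression(start_bet, ratio, 64) if staked <= bankroll)

def p_consecutive_losses(n):
    """Probability that a colour loses n spins in a row on a European wheel."""
    return ((POCKETS - WIN_POCKETS) / POCKETS) ** n

def expected_value_per_dollar():
    """Expected return of one dollar on a colour bet; negative whatever the staking plan."""
    return Fraction(WIN_POCKETS, POCKETS) - Fraction(POCKETS - WIN_POCKETS, POCKETS)

if __name__ == "__main__":
    for ratio in (2, 2.5):
        print(f"ratio {ratio}: bet / staked so far / net if this spin wins")
        for row in progression(1, ratio, 6):
            print("  %5d $ %6d $ %5d $" % row)
    print("with 200 $ the 2.5 rule survives", rounds_affordable(1, 2.5, 200), "losses in a row")
    print("P(6 losses in a row) = %.3f" % p_consecutive_losses(6))
    print("expected value per dollar =", expected_value_per_dollar())
```

With ratio 2 the net gain on the winning spin is always 1 $, whatever the round; with ratio 2.5 it grows, but so does the stake needed to stay in the game, and a 200 $ bankroll is exhausted after five losses in a row, a streak that happens roughly once in 28 attempts.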

Behind this clever way of advertising is an online casino website which works only if you install their software on your PC. I downloaded the software and Avira promptly detected it as GAME/Casino.Gen. Avira Antispam detects the email as spam with a very high probability. Unfortunately, Google loses again on protecting the world from its users: the spam email was sent through a Gmail account.

As usual, we advise everybody to never fall for such scams. Even if you win online, it is possible that the software you install brings some other “surprises” with it. And I am not referring to money.

Sorin Mustaca
Manager International Software Development