Some spams also contain URLs pointing to highly reputable websites like msn.com, Microsoft.com and others. This technique is used to confuse the spam filters by poisoning the spam content. Basically, we have some suspicious URLs (or should I call them malicious?) which can be blacklisted without any problem.

The spammers are, of course, aware of this functionality and have found long time ago different vectors of advertising their URLs: Through various groups (Yahoo, Google, etc.), Blogs, Social Networking sites like Twitter, Google Docs, search engine redirects, and so on.

Another method, which was not so much used until recently, is Google Notebook. Some days ago I stumbled upon a spam email which has nothing else inside than a single URL pointing to Google Notebook: http://google.com/notebook/public/<large-number>/<large-text>.

After clicking on the picture, the user gets redirected to an intermediary page for a couple of seconds. This intermediate site then redirects the user to a pharmacy site.

This looks like a “usual” meds advertisement for German customers. But before closing the website, the link “More by >>” caught my eye so I followed it:

Obviously, this “campaign” started out already in February this year and it is still ongoing. All of the notes were still active except the two from February.

As this spam method has a little new twist, we took a closer look on it: In the first image of this article we see that Google assumes no responsibility for the content in Notebook entries. This is expected – but how can I report this as spam? It is not possible, as we’re talking about a major service like Google here.

Out of interest I tried to reproduce how they added a picture into the Note. This seems to be not supported by Google Notebook.

The first link in my test note goes to www.avira.com, the second one goes to a picture from the TechBlog. As you can see, there is no image appearing, even though I activated the option to include miniature previews that Google Notebook offers.

How did they manage to show that picture automatically and with a link on it? Looking at the source code of the note, we see something exactly like the example at the beginning of the article: <a href=”http://spam-site.com”><img src=”http://picture-site.com/picture.jpg></a>

In this case, http://picture-site.com is pointing to http://www.google.com/base_media?hl=en&amp;fact=12e&amp;size=3&amp;q=<url> and the URL is pointing to the picture hosted somewhere.

Maybe it is just a delay from Google or a hick-up that in my tests no image or preview showed up in my note. I will continue to investigate this and post the results then. If you know how to add such a linked image to a note, please let me know!

Sorin Mustaca
Manager International Software Development

The mails have this text in their body:

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly.Microsoft has been advised by your Internetprovider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,

Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

The subject of the mails is “Conflicker.B Infection Alert”. Don’t open the malware attachment of this email and just delete the email altogether. Users of Avira solutions are protected: The attached file is detected generically as TR/Crypt.ZPACK.Gen – without an update.

Dirk Knop
Technical Editor

E-mail spam, also known as junk e-mail, is a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of spam usually include the aspects that email is unsolicited and sent in bulk.

The keywords here are: “identical messages”, “unsolicited bulk email”. What if you manage to simulate that the users have requested the spams by subscribing their email addresses to an email list and automatically approve their membership?

Usually, when someone subscribes to a list, an email is sent to the subscriber to ask him/her to validate the submission of the email address to the list. Make something to skip this step and you have the perfect form of spamming.

Send them an email as this one and you might be surprised to see how many are curious enough to check what does the membership mean. If the user clicks the link, he is prompted to login or register in order to see what this is all about.

But – why register? The address is already registered. The user only has to click on “Forgot password” to receive the password.

If the amount of users which recover the password is not big enough, then make them even more curious by sending them a message:

If still not enough curious people have recovered their password, send them a password reset notification. They are registered after all!

If this still doesn’t work, then just keep spamming them every day until they get their password and try to cancel the membership.

This method of creating a list on a reputable server for social networking like ning.com is not new. All renowned sites are getting abused to send spam: LinkedIn, Orkut, Twitter, live.com, and so on. This technique is very effective. The email is 100% valid and cannot be simply marked as spam because the server has a good reputation.

The From field is not a real person but an automated bot running on the server (mail@<list>.ning.com). In order to subscribe to a list hosted on ning.com one needs an account registered at ning.com. This means that our spam trap was automatically subscribed to ning.com without having to confirm the account. There is, of course, the possibility that the account was hacked and somebody was actually able to confirm the subscription in our account. But this is very unlikely.

In order to check this, I have actually retrieved the password from ning.com and set a new one.

Immediately after this, I tried to leave the group for which the account was automatically subscribed. It wasn’t possible though. Of course, I will try again in the next few days. If it still won’t work, I will contact ning.com to see what’s going on. So this article ends with “to be continued…”.

Sorin Mustaca
Manager International Software Development

Having a look in the first 3 days of November we have observed that the trend didn’t actually change. We did notice changes in the social engineering techniques used to advertise the various malware, though.

We have the good old trick with the

- notification “Attachment: no virus found” (detected as TR/Netsky.HB) ,

- “promised photos” from the last holidays (detected as TR/Crypt.ZPACK.Gen),

- boss sending a letter (detected as BDS/Small.ZO Backdoor server),

- undelivered DHL Package (detected as TR/Crypt.ZPACK.Gen),

- and of course the Facebook password change request (current versions detected as BDS/Small.ZO Backdoor server).

Except these malware emails which make up more than 60% of the spam we received so far, the trend is constant: Spam mails concerning online casinos, online pharmacies and various replicas clog up the inboxes.

If the trend from last year is going to be repeated this year, then we should start to see a lot more spam spreading malware and phishing soon. Last years November was pretty busy but we’ve recorded a very relaxed December.

All the above mails are being detected by our Antispam engine as Spam and by the Antivirus engine as already described. Avira users thus are well protected.

Sorin Mustaca
Manager International Software Development

Fig. 1: This fake email is trying to make the recipient execute the attached malware.

Such emails have been successful already a few years ago. I thought we wouldn’t see them again as the people should already know not to execute attachments from emails they didn’t request. Anyhow, the recent spam waves teach us something else.

So please, remember the drill: In case that someone sends an email with an attachment, make sure that the sender is real and that he/she really wanted to send you that file. Else it is most likely malware. In any case keep your antivirus software up to date so it can detect new malware.

Avira products detect the attached malware from that spam wave as TR/Dldr.Bredolab.AX with the vdf update to version 7.01.06.155.

Dirk Knop
Technical Editor

Unfortunately I was too slow in checking what the account was distributing. I can only guess that an account which is called Br.it.neyF***.Vids (drdtbwcxgaho) (some characters replaced with asterisks) might distribute links to some known fake codecs which are actually malware. Also the avatar of the account was specially chosen to attract the attention to those interested in such matters (this is why I masked it out).

Immediately after I clicked on the account, I’ve seen that Twitter already blocked it, taking my pleasure to report it as spam:

Nice to see that Twitter is not completely unaware of such things. By the way, this account was falling into the spammer-category according to my proposed template in my earlier article about Twitter Spam: Zero followers, following many , only a few tweets. Definitely a spammer!

Sorin Mustaca
Manager International Software Development

Fig. 1: The email claims to carry a Conficker removal tool.

The mail claims that the network where the PC is located is infected with Conficker.B and that the ISP has informed Microsoft about that. The attached tool allegedly offers a free system scan.

The attachment is a FakeAV solution though; also Microsoft would never send out an executable attachment without former consent via email. Do not execute the malware in the zip file from the mail! Avira detects it as TR/Vilsel.ior with the VDF 7.01.06.127.

Dirk Knop
Technical Editor

Fig. 1: The spammed emails contain malware.

Different malware emails have been sent around: Some directly include the malware as attachment, others link to a web site where the malware can be downloaded (spear phishing). The Avira Risk Level indicates the phishing level 4 which acknowledges increased phishing activities.

Fig. 2: Another wave of emails is pointing to a fake web site.

While in the html email the malware link is shown as leading to the real domain, the link really points to an URL of the following form: http://EMAIL_DOMAIN.BADHOST.COM/owa/service_directory/settings.php?email=USER@EMAIL_DOMAIN&amp;amp;from=EMAIL_DOMAIN&amp;amp;fromname=USER . If the receiver of the mail is in a rush he might thus believe he is on the real OWA web site.

Fig. 3: The web site where the mail points too looks convincing, too.

While Avira Antispam detects the emails as spam and the URLs are being blacklisted, the virus lab released detections for the malware with a VDF update. The malware is detected as TR/Vilsel.iop and as TR/Spy.ZBot.9164.1, respectively, with the VDF file 7.01.06.111. The Vilsel trojan is yet another incarnation of the FakeAV plague while the ZBot is stealing information.

Anyway do not open these attachments or download the alleged setting files! They can lead to an infection of your system and put it under control of the malware authors!

Dirk Knop
Technical Editor

Sorin Mustaca
Manager International Software Development

This weekend, however, I decided to pay Twitter a visit. This wasn’t because I had nothing to do, but I noticed that I have a couple of new followers, which I suspected to be spammers. Usually, it is very easy to detect a spam account on Twitter. It follows a lot of users and  it has 1 post and is followed only by a few persons usually. So, I took the first in the list:

Observe that this account follows 830 users and is followed by 47! And it has only one tweet, the URL pointing to an online brokerage website. If we check its followers, we see that some of them are similar accounts, but most of them are real persons who posted recently. So, it doesn’t really fit our profile.

Let’s see the next follower: 778 following, 0 followers, a single post. Ok, it fits our template. The URL is redirected to a porn website.

The other follower is following 790 users and is being followed by 3 real users. It has only one tweet, but some users, so it doesn’t really fit our template. It points to the same porn site as the one before, using a different landing URL, in order to get a different short URL from burnurl.com.

Last, but not least, is the glamorous Jaime from Seattle, with 1103 following and… record… 337 followers. “Jamie” is breaking another record as well: 727 tweets. Having a quick look at the tweets, I can clearly see that this is an industry…

Visiting that URL, we see a classical pyramid game for making money. A lot of people behind it, a strong marketing campaign, a really well done website.

Having a look on the followers list, I see only real persons, writing real tweets (no API automated posts). All of them want to make money.

As a conclusion: Teaching people how to make money sells better than sex.

We strongly advise everybody to never fall for such scams because not only you don’t gain a thing, but you will probably lose a lot of money.

We all agree that Twitter should do something to stop these spams. But what?

There is no simple algorithm to detect these spam accounts. There are real people probably desperate enough to accept and follow such information. How can an automated system decide whether an account is spammy or not ?

The spam account has followers and posts, there are real people behind those followers. The Twitter’s Terms of Service don’t prohibit anyone to post things like these.

You are no longer forced to follow your followers (as it was happening at the beginning of Twitter), so theoretically, anybody may follow you without you having to follow them.

Or should we maybe reconsider the definition of a Twitter spam? I am afraid that, slowly, the coolness of Twitter will be buried behind a huge amount of spam and the same that happened to email may happen to Twitter as well.

Sorin Mustaca
Manager International Software Development

PS: I blocked the 4 spam accounts which were following my Twitter account.

Fig. 1: There are increased activities in the phishing- and malware scene.

This has most probably to do with the fact that a lot of accounts from Yahoo, Google, Hotmail and AOL have been “phished” and are now being used in malicious activities.

Also the amount of spams received in our spam traps is very high. We have received in the first 8 days of October 36% of the spams we received during the entire September. If the trend continues like this, we will have a 44% increase in the spam received, compared to September.

If you have any doubts that your email hosted at one of the above providers may have been compromised, please change your password as soon as possible.

Sorin Mustaca
Manager International Software Development