Posts tagged ‘Spam’

ZBot outbreak in form of IRS Phishing

Our users located in the US are currently under attack from an IRS-themed malware spam campaign. In the last 3 days we have constantly detected and blocked a spam outbreak containing links pointing to websites that imitate the IRS site and ask the user to download a ZBot Trojan file.

Fig. 1: The spam mail pointing to the malware site.

All Avira products detect the Trojans as TR/Spy.ZBot (in several variants). Our users of Avira AntiVir Premium, Avira Premium Security Suite and WebGate are protected because the URLs are being blocked.

The emails carry the recipient’s address in the URL so that the senders can confirm that somebody actually clicked on it: http://www.irs.gov.<host>.com/fraud_application/directory/statement.php?email=ngthisleter@<email.com>&tid=ngthisleter-00000174073547US
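The two features of that URL, a trusted brand name planted in front of a hostname that belongs to someone else and the recipient’s address carried along in the query string, can both be checked mechanically. The following is an added example and not code from the Avira post; the hostname, address and tracking id it uses are constructed placeholders, and the registrable-domain helper is a deliberately crude approximation.

```python
# Added example (not code from the Avira post): check a URL for the two tell-tale
# features described above, a trusted brand name planted in front of a hostname
# that belongs to someone else, and the recipient's e-mail address carried in
# the query string so the sender can confirm who clicked.
# All hostnames, addresses and ids below are constructed sample values.
from urllib.parse import urlsplit, parse_qs

# Domains whose name a lure may borrow. The comparison is exact on the
# registrable domain, so www.irs.gov passes and www.irs.gov.some-host.com does not.
PROTECTED_DOMAINS = {"irs.gov"}


def registrable_domain(host: str) -> str:
    """Crude approximation: the last two labels of the hostname.

    Enough for the .com style hosts in this example; a production filter would
    consult the Public Suffix List so that e.g. co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_email(value: str) -> bool:
    """Minimal shape test: a non-empty local part, one '@', and a dotted domain."""
    local, sep, domain = value.partition("@")
    return bool(sep) and bool(local) and "." in domain


def analyse_url(url: str) -> dict:
    """Return the hostname, its registrable domain and the reasons the URL looks suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    reasons = []

    for brand in PROTECTED_DOMAINS:
        # Match on label boundaries so 'irs.gov' is not found inside e.g. 'airs.government'.
        if f".{brand}." in f".{host}." and reg != brand:
            reasons.append(f"brand domain '{brand}' used as a subdomain of '{reg}'")

    for key, values in parse_qs(parts.query).items():
        if any(looks_like_email(v) for v in values):
            reasons.append(f"recipient e-mail address passed in query parameter '{key}'")

    return {"host": host, "registrable_domain": reg,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    # Constructed lure in the shape shown above; the host is a placeholder.
    lure = ("http://www.irs.gov.example-host.com/fraud_application/directory/"
            "statement.php?email=victim@example.org&tid=victim-00000174073547US")
    for u in (lure, "https://www.irs.gov/"):
        print(analyse_url(u))
```

The per-recipient `tid` value is not checked here; in a mail filter it is better treated as a second signal only when it appears together with the address, since plenty of legitimate newsletters also carry per-recipient ids.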

Fig. 2: The fake IRS site with the malware.

The URLs are highly volatile; we see each of them active for only a couple of hours. However, the hosts that serve the malware file, called “tax-statement.exe”, are still active. So please don’t follow those links!

Update from 30 September 2009: This spam wave has now come to an end; from one day to the next there were no new malware mails!

Sorin Mustaca
Manager International Software Development

The longest Nigerian Scam ever?

I received today what I think is the longest Nigerian Scam I have ever seen. Nothing special in the text, except maybe that it is written with only a few punctuation marks and in terrible English.

Fig. 1: The longest Nigerian scam I've seen yet.

What is special about it is that it has 1253 words on 50 lines. As you can imagine, even on a computer with a decent resolution you have to scroll quite a lot in order to see the entire email. That’s also because Outlook wraps the words and the message gets even longer.

Did you ever receive a Nigerian Scam so long? If you did, then please send it to us at antispam@avira.com.

Sorin Mustaca
Manager International Software Development

A fresh breeze in the Casino spam

I usually sort the spam I receive in my personal email by the date I receive it. I do this once a week and then I move it to the spam archive. This time, two emails drew my attention because they were very old: 23.05.2009. Well, considering the above mentioned rule, this is simply not possible. This is a very old method to draw the reader’s attention by being listed either first or last. So, I decided to take a closer look at them.

Fig. 1: Roulette spam mail

The email seems to be someone’s reply to a friend’s request to share some tricks for playing roulette. The idea is simple… play the same color and raise the bet by a factor of 2.5 until you win. I wondered why exactly 2.5 and what happens if you change the ratio. Let’s have a look at the mathematics of this rule to see if it is indeed correct all the time.

I wrote a small Perl script to simulate the roulette play. Let’s see how it goes:

Betting    Possible loss    Possible win
  3 $           4 $              2 $
  8 $          11 $              5 $
 20 $          28 $             12 $
 50 $          70 $             30 $
125 $         175 $             75 $

So, the algorithm is clear and is correct. Where is the catch? Why 2.5?

Let’s simulate with a ratio of 2:

Betting    Possible loss    Possible win
  2 $           3 $              1 $
  4 $           6 $              2 $
  8 $          12 $              4 $
 16 $          24 $              8 $
 32 $          48 $             16 $

The winnings are no longer so interesting when the ratio is too small. One has to play a lot in order to win something substantial in this case. The catch is that you have to keep playing with a decent ratio of at least 2.5 until you win. If you stop, you lose everything you have invested so far.
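The same progression can be worked through in a few lines. The script below is an added example and not the Perl script from the post; unlike the tables above, which compare each bet only with the bet before it, it counts the whole stake the player has at risk after each losing spin, and it shows what the “until you win” clause costs once a table maximum or a finite bankroll enters the picture. All stakes, limits and the single-zero wheel odds are constructed assumptions for the illustration.

```python
# Added example, not the Perl script from the post: work through the "same colour,
# multiply the bet by a ratio until you win" rule on an even-money bet. Unlike the
# tables above, which compare each bet only with the previous one, this counts the
# whole stake a player has at risk, and it shows why the rule breaks down at a
# table limit or an exhausted bankroll. All stakes and limits are constructed.
from math import ceil


def bet_sequence(ratio: float, start: int = 1, rounds: int = 6) -> list:
    """Bet sizes when each bet is the previous one times `ratio`, rounded up to whole units."""
    bets = [start]
    for _ in range(rounds - 1):
        bets.append(ceil(bets[-1] * ratio))
    return bets


def exposure_table(ratio: float, start: int = 1, rounds: int = 6) -> list:
    """Per round: the bet, the total lost if this spin loses as well, and the net
    profit if this spin wins (an even-money bet returns twice the stake)."""
    rows, total = [], 0
    for bet in bet_sequence(ratio, start, rounds):
        total += bet
        rows.append({"bet": bet, "loss_if_lose": total, "net_if_win": 2 * bet - total})
    return rows


def rounds_affordable(ratio: float, bankroll: int, max_bet: int, start: int = 1) -> int:
    """How many consecutive losses the player can chase before the next bet would
    exceed the table maximum or what is left of the bankroll."""
    n, total, bet = 0, 0, start
    while bet <= max_bet and total + bet <= bankroll:
        total += bet
        n += 1
        bet = ceil(bet * ratio)
    return n


def bust_probability(ratio: float, bankroll: int, max_bet: int,
                     start: int = 1, p_lose: float = 19 / 37) -> float:
    """Chance that one losing streak runs past what the player can afford.
    p_lose defaults to a single-zero wheel: 19 of 37 pockets lose a colour bet."""
    return p_lose ** rounds_affordable(ratio, bankroll, max_bet, start)


if __name__ == "__main__":
    for ratio in (2.5, 2.0):
        print(f"ratio {ratio}:")
        for row in exposure_table(ratio, rounds=5):
            print("  bet {bet:>4}  loss if lose {loss_if_lose:>4}  net if win {net_if_win:>4}".format(**row))
    # Constructed limits: a 100-unit bankroll and a 50-unit table maximum.
    print("rounds affordable (ratio 2):", rounds_affordable(2.0, bankroll=100, max_bet=50))
    print("bust probability per streak: %.4f" % bust_probability(2.0, 100, 50))
```

With a ratio of 2 the net profit after a win is always exactly one starting unit, whatever the length of the losing streak, while the total at risk doubles every spin; a ratio of 2.5 makes the eventual profit grow, but the stake at risk grows even faster, which is exactly the “keep playing or lose everything” catch the post describes.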

Behind this clever way of advertising is an online casino website which works only if you install its software on your PC. I downloaded the software and Avira promptly detected it as GAME/Casino.Gen. Avira Antispam detects the email as Spam with probability Very High. Unfortunately, Google loses again at protecting the world from its users: the spam email was sent through a Gmail account.

As usual, we advise everybody to never fall for such scams. Even if you win online, it is possible that the software you install brings some other “surprises” with it. And I am not referring to money.

Sorin Mustaca
Manager International Software Development

Spam through Yahoo Groups

At the beginning of this year we wrote that Google hosts spam on its “Google Docs” portal. Spam hosted on Google Groups is nothing new either.

Fig. 1: Spam email pointing to Yahoo Groups.

We have now received spam hosted on Yahoo Groups. The difference between Yahoo and Google is that Yahoo removed the spam website (for meds) within hours after the spam was spread in the wild.

So, one point for Yahoo.

The emails contain nothing but one single URL into the Yahoo Groups directory, pointing to a randomly generated group name. You need a Yahoo account, and there is also a CAPTCHA quiz when one tries to create a group.

Fig. 2: Registration of a Yahoo Group is secured by a CAPTCHA.

Either the spammers solved those CAPTCHAs themselves or they used tiny “games”. Those games are offered for download to unsuspecting users and usually show women getting undressed. Each time you solve a CAPTCHA in such a game, the woman removes another piece of clothing; the solved CAPTCHA is in fact the one the spammer needs for a registration form.

Please don’t play these games, you’re helping spammers to create fake accounts at popular services that way.

Sorin Mustaca
Manager International Software Development

Dirk Knop
Technical Editor

USA Visa Lottery scam

We don’t see USA Visa lottery scams every day, but when we do, there is a long text with many details in order to make the email very credible. This time the text is very simple because it refers to a 180KB attached JPG image. Interesting in this scam is the fact that the offer pretends to pay the flight ticket to the US as well.

From: USA Visa Program
Sent: Wednesday, August 26, 2009 4:22:28 PM
Subject: Congratulations From U.S Embassy!!
Dear,

Read the attached copy of the Visa winning notification,

Reply this winning notification massages to the claim agent assigned to handle your visa documentation. He will guide you through your visa and flight ticket documents processing.

Thanks,

Mrs. Christine Thompson
(Secretary General)
Asia-Pacific HQ.


Fig. 1: The attached image of the scam email.

And now, as usual, comes the funny part, as in any scam attempt we’ve seen.

  • Despite the fact that the picture names an “Asia-Pacific agent” for the visa processing, the contact email addresses are in … Europe. They belong to a free web mail system in the Czech Republic. Come on guys, be more creative…
  • The text is very hard to read because it is full of grammatical mistakes and sentences which don’t make too much sense.

This scam claims to offer about 1000 USD for a single visa and 1500 USD for a family visa. Considering that you also get a flight ticket and that accommodation in the USA is arranged as well, this can be considered “too good to be true”.
As all things which fit into the category “too good to be true”, this is a scam. We advise everybody not to fall for such things because you will be very disappointed.

Sorin Mustaca
Manager International Software Development

CentMail: Yahoo’s “new” idea to stop spam

First of all, the idea is not at all new. Bill Gates talked in 2004 about a method to pay a very small fee for each sent email, but the idea proved unrealistic. Yahoo’s CentMail does nothing but revive this idea in a new form: each sender pays 5$ for 500 virtual stamps and the money goes to a charity organization of the user’s choice (a preselected list of charity organizations will be made available). Each email sent uses a unique virtual stamp plus a signature to promote the service. CentMail guarantees that the stamps can be neither faked nor reused, practically trying to destroy the business model of the spammers by making the sending of emails too expensive for them.

So, one may ask : where is the catch? Will this idea really be the end of spam?
Of course not.

CentMail and Yahoo acknowledge this in their FAQ by providing answers to many legitimate questions. This is just a charitable twist on the old idea of email postage stamps which is simply not realistic because it hopes that everybody will pay. Of course, this is not going to happen, so this approach fails from the start.

CentMail says that the sender will only pay if the email is being received and read by the intended recipient.

What will happen to the massive mailings sent by commercial organizations? Will they agree to pay millions of dollars per year only because they send commercial email? Or will an email notification service or a mailing list agree to pay for every notification it sends you? Of course not. The solution to this problem is to whitelist this category of senders (as CentMail suggests in its FAQ).

This means that the same rules do not apply to all email senders. The argument for this is that people and organizations donate a lot of money per year to charity anyway, CentMail being just an intermediary for this money.

As a conclusion, I have to admit that from time to time it is nice to see an idea that wants to turn the world upside down in order to do good things. I like the idea, but I do not think that any user would ever pay for something that has been free from the beginning, namely sending emails!

Sorin Mustaca
Manager International Software Development

Holiday Season Spam

When I looked into one of our spam traps, one mail caught my eye: it was promising an expensive holiday trip to Turkey almost for free, and I could even take 3 more persons with me! The trip is allegedly worth 1256,- Euros, so that would be quite a bang for the buck.

Fig. 1: The spam mail is baiting with a cheap holiday trip.

An access code in the mail is supposed to make the “win” look more serious – win? Yes, the mail claims that my mail address was chosen in a drawing among several service platforms. The strange thing, though, is that the mail address was never used to take part in anything, to register anywhere or even to order something.

The web address given in the mail redirects to another web site. This is another sign that something isn’t quite right with this “win”. At least on that web site the asterisks behind some “inclusive” offers get resolved (they aren’t in the spam mail). For all those nice trips the entrance fees – which can add up to a few hundred Euros very fast – are not included. There is also an explanation that you have to pay a “booking fee” of 49 Euros per person. How much the kerosene surcharges and taxes are, which also aren’t included, is missing as well.

Fig. 2: Some details of the "deal" are available at the spammed web site.

Overall this isn’t a real offer. The spammers are trying to make the offer look cheap, but in the end you pay a few hundred Euros for some round trips with visits to carpet factories, jewelry outlets and so on – where you are supposed to buy stuff again.

One reason not to book such a journey is that it is advertised with spam. The other reason is that the costs aren’t clear. Please don’t fall for such offers and stop your friends and relatives who want to try it anyway.

Dirk Knop
Technical Editor

Be aware of the fraudsters

If you are a German user and receive an email coming from “Virenwarndienst” with the email address <Virenwarndienst@<Abzock-Webseite>.info>, do not register there to download the software. This site is a subscription trap: users who register there enter into a 2-year contract under which they have to pay 8 euro per month.

The text of the email is:

“Attention – Important virus warning:

According to reports from the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), a particularly dangerous virus/Trojan is currently in circulation.

Your PC is unprotected and therefore potentially at risk. In your own interest, please be sure to download an up-to-date virus scanner.

You can get the latest version directly here:

http://www.<Abzock-Webseite>.info/

Kind regards

Your Virenwarndienst”

It says that the German government authority for IT security (the BSI) has issued a warning because a dangerous virus/Trojan is in the wild. It then advises all users to download a security solution (note: Avira AntiVir isn’t mentioned there) so as not to endanger their computers. When they follow the link in the mail and try to download the software, unsuspecting users are forced to register:

Fig. 1: The fraudsters need the address data in order to send bills for downloading the free software.

Almost nobody reads the AGB (the German terms and conditions, comparable to a EULA), which specify somewhere that you are signing a contract for two years, at 8 euro per month.

The users who want to obtain the free version of Avira AntiVir, called Avira AntiVir Personal, can visit the website www.free-av.com and download the software for free.

Sorin Mustaca
Manager International Software Development

Avira Risk Level

The Risk Level describes the current phishing and malware threats that we receive in real time from our sources on the Internet. These threats are genuine and can be encountered by any user on the Internet.

The levels are computed by comparing the number of threats (malware and phishing separately) received in the last 24 h (called the 24h threat value) to the average value over the last 30 days (called the average threat value). These levels are recomputed every 15 minutes.

This is how the graph with the values per day for the last 30 days looks:

Fig. 1: Statistics per day, last 30 days

The graph with the values per hour for the last 24h:

Fig. 2: Statistics per hour, last 24h

Level 1 – Normal (Green)

Risk: Low – there is much less activity than the average we have seen in the last 30 days. This condition corresponds to no discernible malicious activity for the type of threat for which the risk level is issued. The Avira products should function and should be updated using the default settings.

Level 2 – Average (Yellow-Green)

Risk: Low to Moderate – there is somewhat less activity than the average we have seen in the last 30 days. This condition corresponds to some malicious activity for the type of threat for which the risk level is issued. The Avira products should function and should be updated using the default settings. This risk level is usually “the calm before the storm”, so we advise our customers to keep an eye on our website for information and updates.

Level 3 – Suspicious (Yellow)

Risk: Moderate – activity is at the same level as the average we have seen in the last 30 days. This condition corresponds to clear signs of malicious activity for the type of threat for which the risk level is issued. The Avira products should function with heuristics and generic detection enabled, because there might be a new variant of a known malware. This risk level means that some unknown malware might be starting to spread, so we advise our customers to keep an eye on our website for information and updates. Please keep the logfiles of the security products under careful observation.

Level 4 – Alert (Orange)

Risk: High – there is more activity than the average we have seen in the last 30 days. This condition corresponds to known malicious activity for the type of threat for which the risk level is issued. The Avira products must be updated more often than the default. Do not forget to update both the signatures and the engine. This risk level means that known malware is spreading, and we strongly advise keeping the logfiles of the security products under careful observation.

Level 5 – Outbreak (Red)

Risk: Very High – there is much more activity than the average we have seen in the last 30 days. This condition corresponds to known malicious activity for the type of threat for which the risk level is issued. The Avira products must be updated more often than the default. Do not forget to update the signatures, the engine and the products. This risk level means that known malware is currently active, creating a severe risk to infrastructure and normal operations. We strongly advise keeping the logfiles of the security products under careful observation.
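The comparison the post describes, the 24h threat value against the 30-day average, is straightforward to reproduce. The following is an added example and not Avira’s implementation; the ratio bands that separate the five levels are assumptions, because the post does not publish its thresholds, and the sample counts are constructed.

```python
# Added example (not Avira's implementation): compute a risk level from a 24h
# threat count and the previous 30 daily counts, following the comparison the
# post describes. The ratio thresholds that separate the five levels are an
# assumption, since the post does not publish them; the sample counts are constructed.
from statistics import mean

# Upper bound of the ratio (24h value / 30-day daily average) for each level.
# Assumed bands: "much less", "somewhat less", "about the same", "more"; above
# the last bound is "much more", i.e. Outbreak.
LEVEL_BANDS = [
    (0.5, 1, "Normal", "Green"),
    (0.9, 2, "Average", "Yellow-Green"),
    (1.1, 3, "Suspicious", "Yellow"),
    (2.0, 4, "Alert", "Orange"),
]
OUTBREAK = (5, "Outbreak", "Red")


def risk_level(last_24h: int, daily_counts_30d) -> dict:
    """Map the 24h threat value against the 30-day average to a level 1..5."""
    daily = list(daily_counts_30d)
    if len(daily) != 30:
        raise ValueError("expected exactly 30 daily values")
    average = mean(daily)
    if average == 0:
        # No history to compare against: silence stays Normal, any activity is an outbreak.
        ratio = 0.0 if last_24h == 0 else float("inf")
    else:
        ratio = last_24h / average
    for upper, level, name, colour in LEVEL_BANDS:
        if ratio < upper:
            break
    else:
        level, name, colour = OUTBREAK
    return {"level": level, "name": name, "colour": colour,
            "ratio": ratio, "average": average}


def level_from_series(hourly_counts, daily_counts_30d) -> dict:
    """Convenience wrapper: the 24h value is the sum of the most recent 24 hourly buckets,
    which is what a job rerun every 15 minutes would feed in."""
    return risk_level(sum(hourly_counts[-24:]), daily_counts_30d)


if __name__ == "__main__":
    history = [120] * 30          # constructed: a flat month of 120 threats per day
    for seen in (30, 100, 120, 200, 500):
        print(seen, risk_level(seen, history))
```

Malware and phishing are scored separately in the post, so in practice the function is simply called once per threat type with that type’s own history; a flat 30-day history, as in the sample, is also the case where the ratio is most readable, since every level boundary then maps directly to a count.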

Sorin Mustaca
Manager International Software Development

Nigerian scams are indeed getting smarter

A few days ago we posted about a Nigerian scam that is trying to get smarter. I was saying that they are trying, without success, to avoid the common mistakes made by other scam authors. Well, it happened sooner than I imagined: I’ve seen two emails today, both overcoming these problems in different ways.

1. Scam with text and image

Usually, the scam emails do not contain images because they are just too expensive to be sent. This is why most of the filters have a kind of whitelisting system in place which reduces the spam score if they encounter large pictures (for example >= 200KB) attached to a message.

In the plain text part they still make use of some known phrases, like “Dear sir”, “seek your assistance”, “business opportunity”, etc. So this text is easier to detect as a scam, but not trivially so. Even so, there is no “story” in it, which makes the text part useless on its own. The real story behind the scam is attached as a JPG picture with a size of exactly 200KB. Did the scammers know about this limit? Of course they knew, because there are a lot of antispam tools which can be downloaded and tested against.

Fig. 1: The scam mails try to circumvent email filters by using image attachments with the "whole story".

The text in the picture is a typical scam-text with references to real facts and so on. The email is sent via Gmail. Again, it is very unfortunate that Google doesn’t scan outgoing emails against spam, as they do for malware.

2. Bilingual Scam

This email is a 3K plain text message using the UTF-8 character set. Because of this, it comes base64-encoded. There are two text paragraphs in the body, the first one written in French and the second in English. They are formulated differently, but basically they express the same idea: a transfer of money to your account. There are some important differences between the two texts.

The English text is

  • making use of the word “millions”, while the French one writes the sum in numbers
  • not telling the story of the money, saying only that it has been “lying dormant for eight years”, while the French one specifies that the money belonged to a deceased relative of a customer of the bank
  • using the woman’s first name, while the French one uses the formal form of address with the full name.

The subject of the email is written only in French. I assume that the reason for this is the fact that the email has been sent from a free email provider from France (ifrance.com).

Fig. 2: Another twist is sending bilingual scam mails.

Both messages show a very clear trend in the Nigerian scam business: they are adapting to the fast changing rules of the game. They have to do this because we are in a deep economic crisis and now is the perfect moment for them to recruit new “customers”. In such hard economic times people are more susceptible to such methods of gaining easy money.

Never respond to such requests, no matter whether they are written in your language or not, or how credible and well documented they appear.
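Both tricks described in this post, the 200KB image that carries the story and the base64-encoded UTF-8 body, are visible to a filter that looks at the MIME structure rather than only at the plain text. The following is an added example and not Avira’s filter: it constructs a sample message resembling both mails with Python’s email library, then scores it twice, once with the naive rule the post describes (a large image lowers the score) and once with that rule reversed when scam wording is present. The phrase list, weights and threshold are assumptions for the illustration.

```python
# Added example (not from the Avira post): parse a mail like the two described above
# and score it so that a large image attachment cannot cancel out scam wording.
# The sample message is constructed here with Python's email library; the phrase
# list and all weights are assumptions for illustration.
from email import message_from_bytes, policy
from email.message import EmailMessage

SCAM_PHRASES = ("dear sir", "seek your assistance", "business opportunity",
                "lying dormant", "millions")
LARGE_IMAGE_BYTES = 200 * 1024      # the whitelisting cut-off mentioned in the post
SPAM_THRESHOLD = 5


def build_sample_message() -> bytes:
    """Constructed sample combining both tricks: bilingual UTF-8 text that goes out
    base64-encoded, plus a JPEG attachment of exactly 200 KB carrying the 'story'."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Transfert de fonds"
    body = ("Madame Dupont, nous souhaitons transférer 4 500 000 USD sur votre compte.\n\n"
            "Dear Marie, the sum of millions of dollars has been lying dormant for eight years. "
            "I seek your assistance in this business opportunity.\n")
    msg.set_content(body, charset="utf-8", cte="base64")
    fake_jpeg = b"\xff\xd8" + b"\x00" * (LARGE_IMAGE_BYTES - 2)   # only the JPEG magic bytes are real
    msg.add_attachment(fake_jpeg, maintype="image", subtype="jpeg", filename="story.jpg")
    return bytes(msg)


def score_message(raw: bytes) -> dict:
    """Walk the MIME parts, collect text and image sizes, and return both scorings."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, image_bytes, text_cte = "", 0, ""
    for part in msg.walk():
        kind = part.get_content_maintype()
        if kind == "text":
            text += part.get_content()          # base64 and charset decoded for us
            text_cte = str(part.get("Content-Transfer-Encoding", "")).lower()
        elif kind == "image":
            image_bytes += len(part.get_payload(decode=True))

    lowered = text.lower()
    phrases = [p for p in SCAM_PHRASES if p in lowered]
    base = 2 * len(phrases)
    large_image = image_bytes >= LARGE_IMAGE_BYTES

    # Naive rule from the post: a big image is assumed legitimate and lowers the score.
    naive = base - (4 if large_image else 0)
    # Hardened rule: a big image next to scam wording is itself a signal, not a discount.
    hardened = base + (3 if large_image and phrases else 0)

    return {"phrases": phrases, "image_bytes": image_bytes, "text_cte": text_cte,
            "non_ascii_chars": sum(1 for c in text if ord(c) > 127),
            "naive_score": naive, "naive_is_spam": naive >= SPAM_THRESHOLD,
            "hardened_score": hardened, "hardened_is_spam": hardened >= SPAM_THRESHOLD}


if __name__ == "__main__":
    print(score_message(build_sample_message()))
```

On the constructed sample the naive scoring lands just below the threshold because the 200KB image discount wipes out most of the phrase hits, while the hardened scoring treats the oversized image as one more reason to distrust the mail. The `text_cte` and `non_ascii_chars` fields show the second trick: the body arrives base64-encoded only because it contains accented characters, which is a property of the encoding and not of the sender, so it is reported rather than scored.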

Sorin Mustaca
Manager International Software Development