
SpamBully News Posts

2 years ago

Malware Writers Use Multiple Botnets to Spread Valentine's Day Heartache

Valentine's Day may be a time for love, but spammers and malware writers are having their fun too. While reports of the percentage of spam related to Valentine's Day versus overall spam have varied somewhat from vendor to vendor, what the security community seems to agree on is that a botnet called Waledac is at the center of the spam campaign. According to Web and e-mail security vendor Marshal8e6, however, at least two other botnets have joined the fray as well. Researchers at Marshal8e6 have seen three distinct campaigns from three different botnets, as well as spam attacks from botnets they have not yet identified. Most of the Valentine's Day-related spam is coming from Waledac, which appeared on the scene late in 2008. Security pros now believe the botnet is the work of the minds behind the infamous Storm botnet that made headlines in 2007. After being targeted by Microsoft's Malicious Software Removal Tool, Storm limped through most of 2008 before disappearing completely in September, said Patrick Murray, director of product management at Marshal8e6. In its place came Waledac, which emerged in December with a blended threat Christmas e-card campaign. Like Storm, Waledac uses a peer-to-peer connection model with fast-flux DNS (Domain Name System) hosting and encrypted communications.




2 years ago

Massive comment spam attack on Digg.com leads to malware

According to PandaSecurity, the social news site Digg.com is among the very latest Web 2.0 services to be targeted by cybercriminals on their way to acquire legitimate traffic to their malware-serving domains. The ongoing attack is far more widespread than originally stated, with +500,000 bogus comments leading to 15 currently active malware domains, where the end user is enticed to install a fake video codec in order to view the video. Once executed, the codec attempts to trick users into believing that they're infected with malware, and that in order to get rid of it, rogue security software has to be purchased. Despite the obvious similarities with last month's Google Video keywords poisoning attack, the comment-spam campaign at Digg.com is unique in the sense that it appears to have been active for over a year now. Let's dissect the campaign, and explain how it works. The cybercriminals are taking advantage of purposely registered bogus accounts, in combination with compromised legitimate accounts, to not only post Digg stories directly leading to malware, but also to heavily comment on legitimate and bogus stories by posting even more malware-serving links. So basically, you have a catchy title submitted through a bogus account, with a multitude of bogus accounts commenting on it, and linking to more malware-serving domains. Or exactly the opposite - bogus accounts commenting on legitimate stories since January, 2008. This practice of self-recommendation greatly reminds me of a similar eBay bot talk scheme back in 2006, where bogus accounts were automatically giving positive recommendations to fraudulent accounts, all operated by the same person/gang.




2 years ago

Spammers try to woo computer users with bogus Valentine messages

Cyber criminals have begun inundating the Internet with Valentine's Day-themed spam, bogus web deals and even blackmail. Controllers of the Walebec email worm are distributing spam with subject lines such as "a Valentine card from a friend" and "you have received a Valentine e-card." Two other rival spam botnets are using similar tactics: the Onbot botnet is spreading viral spam with the subject line suggesting "someone thinks you are very special and has sent you a kiss," while spam from the Pushdo botnet cajoles you to "prepare for Valentine's Day" and "be ready." Clicking on links in such spam can lead to your computer being turned into a bot, and your sensitive data being stolen by a keystroke logger. "Don't be fooled. Avoid clicking on Valentine's e-cards, especially prior to February 14," says Bradley Anstis, Marshal8e6's director of technology strategy. "The spammers are trying to squeeze the most out of this opportunity." Meanwhile, representatives at the Alliance Against Bait & Click caution smitten consumers shopping online for baubles to be wary of dishonest marketers spreading scam ads, called "scads." These bogus ads make unauthorized use of popular brand names -- such as Tiffany, Godiva, and Westin Hotel -- mixed with outrageous claims to lure online shoppers, especially around holidays. Check the AABC's webpage for tips on how to avoid getting scammed by a scad. The AABC also provides avenues for action, including a petition to the FTC calling for tighter controls and contacting the search engines directly to report scads and press for tighter filters.




2 years ago

BitDefender's Spam Omelette Spotlights "EMAIL" as Top Spam Word in Weekly Analysis of E-Threat Trends

BUCHAREST, ROMANIA - The word "EMAIL" has been identified as the top spam word in Spam Omelette 13, BitDefender's weekly review on spam and the latest industry trends. Spam Omelette is part of MalwareCity.com, which is supported by BitDefender®, an award-winning provider of antivirus software and data security solutions. In week 13 of Spam Omelette, the top spam words include:

1. EMAIL -- Ranking first in this week's Spam Omelette, the word "EMAIL" has been detected by BitDefender spam researchers in unsolicited messages promoting "the perfect Valentine's Day gift." The message contains a malicious link that when clicked attempts to infect the user's computer with the Waledoc bot. The word "EMAIL" has also been used in a classic advance-fee scam allegedly from the Australian Lottery. The scam message asks users to advance sums of money in return for large financial gains.

2. PLEASE -- Ranking second in Spam Omelette 13, the word PLEASE has been identified by BitDefender spam researchers in messages promoting a Russian dating website. The message lacks the standard unsubscribe link, although users willing to unsubscribe are advised to email the administrative staff, confirming the message arrived in their inboxes. Although the website has not been labelled as malicious at the time of posting, the advertisement method can be safely labelled as spam.

3. NEWS -- Ranking third in Spam Omelette is the word "NEWS," which has been detected in messages promoting money loans. The embedded link directs unwary users to a website that is notorious for hosting malware: www.applyadobeplayer.com. The mentioned URL has been suspended for abuse, as it has been associated with the fake Flash Player update malware scheme.

4. NEW -- The word NEW ranks fourth this week and is used in unsolicited messages advertising discounted new cars. The mail message includes an unsubscribe link that, once clicked, adds the email address to the spammer's database, then directs the user to the website's home page.

5. CLICK -- The word CLICK ranks last in Spam Omelette 13 and has been detected in messages advertising sexual enhancement pills. The message is extremely short and simple. Unlike previous medical spam campaigns, it does not contain images, just an embedded link to the online shop.




2 years ago

Spam Surges as Valentine's Day Nears

Valentine's Day has long been a gold mine for florists, candy makers, restaurateurs—and spammers. Every February, junk e-mailers send out millions of messages allegedly promoting holiday getaways or last-minute gifts for that special loved one. In the days leading up to the holiday this weekend, the amount of spam is spiking again, anti-spam experts agree. This year, however, many spammers looking for ways to score clicks are going back to basics. According to Symantec (SYMC), the anti-spam company that has been monitoring Valentine's-related spam traffic this month, the most popular type of spam this season tends to focus on one of the old favorites of the spam industries, appealing to men and their insecurities. "This year the top three types of spam tend very much to be related to what we call 'male capabilities,'" says Michael Chue, managing director for Hong Kong and Taiwan at Symantec. While he doesn't have data yet available on the amount of such spam, Chue says "in the last couple of weeks we can see this type of spam increasing." Are men, hurt by the worst global downturn since the Great Depression, more vulnerable to this sort of junk e-mail? Chue won't speculate, although he does point out spammers are typically very sensitive to the free market. "The statistics tell the spammers these are very popular," he says.




2 years ago

Fake Infection Warnings Can Be Real Trouble

Michael Vana knew something was up when he saw the pop-up from "Antivirus 2009" in the middle of his screen. The former Northwest Airlines avionics technician guessed that the dire warning of a system infection was fake, but when he clicked on the X to close the window, it expanded to fill his screen. To get rid of it, he had to shut down his PC. Sound familiar? Dirty tricks like these, designed to get you to install and buy fake antivirus products, are more common than ever. (For advice on how to proceed if you've installed a phony antivirus on your PC, see "Antivirus 2009: How to Remove Fake AV Software.") But while you might recognize such warnings as bogus, you might not know that the fake warning could be a red alert about an underlying bot malware infection. Knowing the difference is key. "It's not something you even blink at anymore," says Christopher Boyd, senior director of malware research for communications security company FaceTime Communications, of requests for help in dealing with these warning pop-ups. The increased incidence of these pop-ups is due to more crooks going after easy money from shady affiliate programs, which pay a huge cut of the profits--up to 90 percent--for every person who mistakenly forks over money for a fake program, regardless of what induced them to pay. Often, the inducement comes from a malicious Web site that uses JavaScript tricks to toss up a bunch of pop-ups, or even resize the viewer's browser window, to create something that looks like a real antivirus scan.




2 years ago

Microsoft Update Takes on Spam-spewing Botnet

Microsoft has beefed up the Malicious Software Removal Tool (MSRT) that ships with its Windows operating system so that it will detect and root out the notorious Srizbi botnet code. "This month's MSRT takes on one of the largest botnets currently active worldwide," wrote Microsoft spokesman Vincent Tiu in a blog posting Tuesday, the day the update to the software removal tool was released. "Win32/Srizbi has been accused of being responsible for a huge chunk of spam e-mail messages sent in the years after its discovery," he added. "We hope to make a positive impact with the addition of Win32/Srizbi into MSRT." Because Microsoft's detection software runs on hundreds of millions of computers worldwide, including many that are not running up-to-date antivirus software, a move like this can bring a botnet to its knees. That's what happened in September 2007, when Microsoft added detection for the Storm Worm botnet. Within 24 hours it had removed about 91,000 Storm infections, and soon the botnet was a shadow of its former self, experts say. However, the results may not be so dramatic this time around. Srizbi was effectively knocked out of action last November when operators of the McColo Internet service provider in San Jose, California, were kicked off the Internet. That takedown knocked the Srizbi command-and-control servers out of operation, and only about 1 percent of the botnet is still active. There are, however, several hundred thousand Srizbi-infected PCs out there, all of which are quietly waiting for new instructions, should criminals ever discover a way to reach them now that McColo is out of commission.




2 years ago

Social Networking's Security Pitfalls

Spending a little time on Facebook and other social networking sites is a ritual for many of us every morning. And afternoon. And evening. But, hey, it's nice, harmless fun - isn't it? It isn't as if you were putting your identity or your computer at risk. Are you? Well, ask anyone who was whacked by the recent Koobface worm. According to the folks at anti-malware vendor Kaspersky Lab, the social networking world is a veritable minefield of places where a misstep can mean dire consequences for the unfortunate user. The aforementioned Koobface, for example, invited recipients to click on a link in their Facebook in-box, apparently from someone they know, which supposedly plays a funny video (a real hazard at some times of year - how much eggnog did you have at that holiday bash?). Those who fell for that part of the scam were then told that they needed an update to their Flash player to view the video, and were provided with an executable of said update. With me so far? This alleged Flash update actually downloads a proxy server, which it loads when the computer is restarted. This lets it redirect traffic to sites of its choosing; it may, for example, hijack a search request and send it to a different engine where hits make money for the perpetrator. It also adds a sneaky little program that can be instructed to download other malware at some point. Like magic, your computer is now a zombie, under the control of unknown villains. Of such are botnets created. To add to the fun, there's a version of Koobface for MySpace as well, and the Facebook and MySpace versions cross-pollinate. Are you hearing the X-Files theme music yet? Trust no-one!




2 years ago

Valentine Trojan onslaught blights inboxes

Virus authors are attempting to hoodwink unwary and lovestruck internet users with malware that poses as Valentine's Day-related games and email greetings. The hacker tactic is a familiar companion to annual holidays, such as Christmas, New Year's Day and Valentine's Day. McAfee reports that the Valentine’s Day spam links to URLs pushing the Waledac Trojan, a strain of malware that has copied many of its techniques and features from the infamous Storm Trojan. Previous incidents of Waledac have included attempts to trick the credulous into running malware via 'Obama quits' spam. Surfers and sysadmins need to be wary of email with such gooey subject lines as "Deeply in love with you", "I Knew I Loved You" and "I Love Being In Love With You". The body text of the malicious emails varies, but generally includes a heart-shaped graphic followed by a link to a website offering up Windows malware in the guise of loved-up applications. McAfee reports that one in 40 spam emails contain the word "Valentine", way up on background levels and a possible sign that the annual shower of Valentine's Day-related malware could be much heavier this year. An advisory by net security firm, containing more details and screengrabs, can be found here. ®




2 years ago

Waledac worm sends no love to Valentine's Day spam victims

Cybercriminals behind the Waledac botnet are trying to capture more victims by using Valentine's Day-themed exploits, researchers from McAfee Avert Labs warned Monday. Users are being spammed with emails containing a link that, when followed, brings up a Valentine's Day-themed page with malicious executables. For example, one such page has a picture of two puppies holding a heart that says “Happy Valentine's Day.” The website reminds users that Valentine's Day is nearing and they should get their significant others a present. The site offers a “Valentine's Devkit” download to get started, but it actually is malware. Micha Pekrul, author of an Avert Labs blog post on the attack, warned users not to click on the link in the spammed email, and also not to click on the executable contained on the website.