A decade after Melissa, infected email messages are still rampant.
Despite spam and malware filters, email-borne Trojans and exploits continue to thrive, propagated by file attachments and embedded URLs. According to the Sophos Mid-Year 2010 Security Threat Report, websites have eclipsed email as the biggest malware vector, and Kaspersky reports that malicious files were detected in less than one percent of all mail traffic scanned during 1Q10.
Indeed, the overall proportion of spam in mail traffic appears to have stabilized, fluctuating between 84 and 87 percent. But Sophos spotted a significant spike in Bredo-infected attachments in 2H09 that continues to this day. Between Bredo, FakeAV, and JS Redirector, we seem to be experiencing a resurgence of mail-borne malware.
So where are anti-spam and anti-malware falling short? How are infected mail messages bypassing traditional desktop, server, and gateway defenses? Let’s peruse Sophos’ mid-year list of mail-borne malware.
#10: Over 90 percent of malicious mail attachments fell into this top ten, starting with TibsPk (1.03%). TibsPk is a polymorphic Trojan that evades signature detection by using a custom packer and hiding inside randomly-named executables (e.g., rhc70^8Bredo9^7.exe). Upon execution, TibsPk plants itself in the Windows system folder, creates an auto-run registry key, and disables the Windows Task Manager. TibsPk then downloads other malware, letting attackers gather data from infected PCs or turn them into bots. Scrubbing away all TibsPk remnants can be tough – one more reason why it is important to detect polymorphic Trojans before implantation.
#9: In ninth place is the popular social networking worm Koobface (1.28%). An anagram of Facebook, Koobface preys upon Bebo, Facebook, Friendster, Hi5, LiveJournal, MySpace, and Twitter users. Infection starts when the user clicks a URL in an email invitation from a social network “friend.” Phished users are taken to a third-party site where a “funny video” is posted. Upon attempting to view the video, users are prompted to install malicious code masquerading as an Adobe Flash Player update. Koobface shows how contemporary malware exploits trust among social network members.
#8: Next is Trojan Agent (1.39%), a malware family that uses HTTP to reach a remote server, taking advantage of firewalls that permit any outbound Web traffic. Trojan Agents use packers to evade signature detection, install themselves under randomly-generated filenames, and add auto-run keys to the Windows registry. The mail attachments used to deliver Trojan Agents vary – for example, Troj/Agent-MJJ arrives as a fake anti-virus program, while Troj/Agent-OHV poses as résumés, pictures, or forms. Trojan Agents can be recognized by their HTTP back-channels to known-malicious server IP addresses. The catch? Those IPs can change frequently.
#7: Trojan ZipCard (3.07%) is a holiday favorite, but it has been surprisingly prevalent throughout 1H10. This malware arrives in a message claiming to be a “new greeting” from a family member or “someone who cares about you.” The attached zip file (e.g., Greeting_Card.zip) is not a greeting card, but a malicious Win32 program like Bredo. You might think this social engineering ruse would be well-recognized by now – but clearly it is not. ZipCard’s success also suggests that mail filters are not routinely stripping or flagging the compressed file attachments so often used to propagate malware.
#6: Coming in sixth is FakeVirPk (3.3%) – fake anti-virus software that is also propagated by search engine optimization and domain name typo-squatting. FakeVirPk implants itself in the user’s Application Data folder, creating a randomly-named folder and an auto-run executable. Like Trojan Agent, this program “phones home” by sending HTTP to a designated IP. One interesting characteristic of FakeVirPk is its use of MMX (multimedia extension) instructions to evade behavior-based anti-malware emulators that don’t implement MMX: an emulator that cannot execute the instruction never gets far enough to observe the malicious behavior. Behavior-based methods can overcome signature-based limitations, but must still keep pace with new instruction sets and the malware that exploits them.
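Both Trojan Agent (#8) and FakeVirPk (#6) “phone home” over plain HTTP to a designated IP, and the article’s caveat is that matching on known-bad IPs alone fails as soon as the IP changes. The following is an added example, not code from the article or from Sophos, of how a practitioner can run proxy logs through two checks that do not depend on the IP being known in advance: a destination given as a bare IP literal rather than a hostname, and near-constant request intervals (beaconing). The log format, the client and server addresses (RFC 5737 documentation ranges), and the blocklist are all constructed for illustration.

```python
"""Flag Trojan-style HTTP phone-home traffic in web proxy logs.

Added example for illustration only; log format and addresses are constructed.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed "known-malicious" server list (hypothetical; TEST-NET address).
KNOWN_BAD_IPS = {"203.0.113.45"}

# Constructed proxy log: "<ISO timestamp> <client> <method> <url> <status>".
# 10.0.0.5 beacons every 5 minutes to a blocklisted IP; 10.0.0.9 beacons every
# ~10 minutes to an IP that is NOT on the blocklist; 10.0.0.7 is normal browsing.
SAMPLE_LOG = """\
2010-06-01T09:00:00 10.0.0.5 GET http://www.example.com/index.html 200
2010-06-01T09:00:05 10.0.0.5 GET http://203.0.113.45/gate.php 200
2010-06-01T09:00:12 10.0.0.7 GET http://www.example.com/news 200
2010-06-01T09:05:05 10.0.0.5 GET http://203.0.113.45/gate.php 200
2010-06-01T09:10:05 10.0.0.5 GET http://203.0.113.45/gate.php 200
2010-06-01T09:15:05 10.0.0.5 GET http://203.0.113.45/gate.php 200
2010-06-01T09:00:30 10.0.0.9 POST http://198.51.100.22/in.php 200
2010-06-01T09:10:30 10.0.0.9 POST http://198.51.100.22/in.php 200
2010-06-01T09:20:31 10.0.0.9 POST http://198.51.100.22/in.php 200
2010-06-01T09:30:29 10.0.0.9 POST http://198.51.100.22/in.php 200
2010-06-01T09:01:00 10.0.0.7 GET http://www.example.com/a 200
2010-06-01T09:07:00 10.0.0.7 GET http://www.example.com/b 200
2010-06-01T09:25:00 10.0.0.7 GET http://www.example.com/c 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname
        if host:
            yield datetime.fromisoformat(ts), client, host


def is_ip_literal(host):
    """Browsers normally fetch by hostname; a raw IP in the URL is a tell."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_periodic(times, min_requests=4, max_cv=0.1):
    """True when the gaps between requests are nearly constant (beaconing).

    Coefficient of variation (stdev / mean) of the gaps at or below max_cv
    means the client is calling back on a timer rather than a human schedule.
    """
    if len(times) < min_requests:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_cv


def analyze(log_text, blocklist):
    """Return {(client, host): [reasons]} for every flagged client/server pair."""
    seen = defaultdict(list)
    for ts, client, host in parse_log(log_text):
        seen[(client, host)].append(ts)
    findings = {}
    for (client, host), times in seen.items():
        reasons = []
        if host in blocklist:
            reasons.append("known-bad-ip")
        if is_ip_literal(host):
            reasons.append("ip-literal-host")
        if is_periodic(times):
            reasons.append("periodic-beacon")
        if reasons:
            findings[(client, host)] = reasons
    return findings


if __name__ == "__main__":
    for (client, host), reasons in analyze(SAMPLE_LOG, KNOWN_BAD_IPS).items():
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

The second infected host (10.0.0.9) is caught only by the behavioral checks, which is the point: once the attacker rotates the server IP, the blocklist entry is stale, but the bare-IP destination and the timer-driven callback pattern survive the change. In production, feed the same logic with real proxy or firewall logs, tune the minimum request count and the tolerance to the environment, and treat a hit as a lead for investigation rather than an automatic block.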
#5: In the middle of the pack is Trojan Invo (5.26%), usually received with a failed UPS package delivery notice. The notice carries a zipped “invoice” that actually contains a new variant of Koobface (see #9). Another Invo variant warns that your Facebook password has been changed, inviting you to open a zipped password file that actually contains FakeAV (see #2). The common thread? Invo campaigns start with compromised social networking accounts, which are mined for the email addresses of their contacts.
#4: Taking fourth place is EncPk (7.02%), an old family of mail-borne downloaders currently enjoying a resurgence. Like Invo, EncPk often starts with a phony DHL package delivery notice or a Facebook password change notice. However, the body of an EncPk-infected message contains only a warning that the recipient’s anti-virus is outdated, along with a zipped attachment like dhl_viewer.zip or print_label_IDnnn.zip. When the enclosed executable is run, it contacts a remote server and infects the PC with downloaded malware such as Bredo, FakeAV, or Zbot. Recent variant EncPk-NS carries a curriculum vitae (CV) – a minor variation on this otherwise well-worn scheme.
#2: FakeAV (11.33%) nudged out JS Redirector as the second most prevalent mail-borne malware of 1H10. Numerous FakeAV variants have surfaced during the past year, using scareware to exploit end-user fears. For example, FakeAV-EI spam carries a Trojan posing as a 30-day free trial of McAfee VirusScan. Users who fall for this increasingly-common ruse are warned that their PC is infected – and prompted to purchase a clean-up program. Users should of course beware of security programs delivered by unsolicited mail. However, one reason that spam has been successful in spreading FakeAV is that users have grown accustomed to receiving virus warnings in mail messages, generated by legitimate desktop, server, and gateway AV programs. Perhaps silent AV is not only less intrusive but ultimately more effective?
#1: At 45.97% of all mail-borne malware in 1H10, first place by an overwhelming margin goes to BredoZp. Bredo spam is generated by bots to recruit additional bots. For example, BredoZp-L poses as a money order notice from Western Union. That notice carries a zipped executable containing Bredo-A, which is implanted in the PC’s temp folder as a randomly-named auto-run file. BredoZp-S poses as a UPS or DHL delivery problem notice, carrying a zipped executable containing several malware programs, such as Bredo-A, Bredo-E, EncPk, FakeAV, or FakeVirPk. Spotting a trend yet?
In fact, this top ten list shows how intertwined mail-borne malware has become: Invo carries Koobface and FakeAV, EncPk downloads Bredo, FakeAV, and Zbot, and Bredo in turn drops EncPk, FakeAV, and FakeVirPk. Virtually all of these payloads arrive in unsolicited spam, in the form of executable or .zip file attachments.
Users can be educated to recognize common phishes – but new mail-borne malware will just surface with different subject lines and phony payloads. Stripping executable and zip attachments outright, rather than relying on signatures that packers and polymorphism evade, could neutralize quite a few of these threats. But malware writers have already started hiding JS Redirector inside infected PDFs – blocking based on file type is always a game of cat and mouse.
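ZipCard (#7), EncPk (#4), and BredoZp (#1) all rely on a zip wrapped around an executable, and the suggestion above is to strip such attachments rather than wait for a signature. What follows is an added example, not code from the article or from Sophos, of a gateway-style attachment check that decides by content rather than by the file name or declared Content-Type: it looks for the PE “MZ” magic in every attachment, opens zip attachments and inspects each member (recursing into nested zips), and blocks what it cannot inspect, such as encrypted members. The sample message, its sender and recipient addresses, and the file names are constructed for illustration; the fake executable is just the two-byte DOS header magic, not a real program.

```python
"""Content-based mail attachment gate.

Added example for illustration only; the message and file names are constructed.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute on double-click; checked in addition to magic bytes.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MAX_ZIP_MEMBERS = 100                 # refuse to walk absurdly large archives
MAX_ZIP_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate huge (bomb-like) members


def looks_executable(data, name):
    """PE files start with 'MZ'; a script-like name is treated as executable too."""
    if data[:2] == b"MZ":
        return True
    lower = name.lower()
    return any(lower.endswith(ext) for ext in EXEC_EXTENSIONS)


def inspect_zip(data):
    """Return [(member_name, reason)] for everything objectionable inside a zip blob."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "corrupt or truncated zip")]
    findings = []
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ZIP_MEMBERS:
            return [("<archive>", "too many members")]
        for info in infos:
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 of the general purpose flag = encrypted
                findings.append((info.filename, "encrypted member cannot be inspected"))
                continue
            if info.file_size > MAX_ZIP_MEMBER_BYTES:
                findings.append((info.filename, "member too large to inspect"))
                continue
            member = zf.read(info)
            if member[:4] == b"PK\x03\x04":  # nested archive: inspect it too
                findings.extend((f"{info.filename}/{n}", r) for n, r in inspect_zip(member))
            elif looks_executable(member, info.filename):
                findings.append((info.filename, "executable inside archive"))
    return findings


def gate_message(raw_bytes):
    """Return {attachment_name: ("allow" | "block", [findings])} for one RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if data[:4] == b"PK\x03\x04":          # zip by magic, whatever the name says
            problems = inspect_zip(data)
            verdicts[name] = ("block", problems) if problems else ("allow", [])
        elif looks_executable(data, name):
            verdicts[name] = ("block", [(name, "executable attachment")])
        else:
            verdicts[name] = ("allow", [])
    return verdicts


def build_sample_message():
    """Constructed 'greeting card' lure plus a few control attachments."""
    fake_pe = b"MZ" + b"\x90" * 62          # DOS header magic only; not a real program
    lure = io.BytesIO()
    with zipfile.ZipFile(lure, "w") as zf:
        zf.writestr("Greeting_Card.exe", fake_pe)
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("notes.txt", b"plain text")
    msg = EmailMessage()
    msg["From"] = "cards@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "You have received a new greeting"
    msg.set_content("Someone who cares about you sent you a card.")
    msg.add_attachment(lure.getvalue(), maintype="application", subtype="zip",
                       filename="Greeting_Card.zip")
    msg.add_attachment(benign.getvalue(), maintype="application", subtype="zip",
                       filename="notes.zip")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    # A PE mislabelled as a JPEG: the name and Content-Type lie, the bytes do not.
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (verdict, findings) in gate_message(build_sample_message()).items():
        print(f"{verdict:5} {name} {findings}")
```

The greeting-card zip and the mislabelled “photo” are blocked, the harmless zip and the PDF pass. That last verdict is the cat-and-mouse caveat made concrete: a PDF carrying JS Redirector sails through a gate like this, so it belongs in front of, not instead of, content scanning and a mail client that does not run scripts. At a real gateway, hook this into the MTA (a milter or content filter) and quarantine rather than silently drop, so false positives can be released.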
Cloud-based mail defenses may hold the greatest promise. There are clear advantages to applying spam and malware filters at easily-updated, relatively-powerful central locations. Clouds are also a good place to apply reputation-based filters to efficiently deflect botnet-generated spam. Finally, cloud defenses should be complemented by robust mail client configurations that stop HTML redirection and script execution. In the end, some of these malware-laden messages are going to reach users – but paring these down to a precious few will help those users be more prudent.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.
Follow eSecurityPlanet on Twitter @eSecurityP.