The criminal gangs that distribute the password stealing Trojan.Zeus have altered their spam campaigns in a frightening new direction.  Already seen targeting their emails at credit point-of-sale users and wire transfer users, their latest spams are now crafted to appeal to tax preparation professionals by posing as an official IRS communication.  What’s even worse is that their payload isn’t an attachment or a link to a download. Rather, the payload is a link to a Web site hosting an exploit kit that probes your computer’s software and automatically installs the Zeus password stealer.

The messages don’t give you much to be suspicious about at first.  They come from a generic looking name and use the email-id of the recipient as the subject.

Tax Forum Spam

The text itself is very well written, as well it should be.  It is an almost exact cut and paste of an IRS announcement from 2004.  To be precise,  IR-2004-67.

The item to examine closely is the link embedded near the bottom of the message.  Although it says irs.gov, this link actually points to a set of malicious domains with vaguely official sounding names.  In this case it’s irsgovnews.com  (warning: do not visit that domain in your Web browser!)

The job of these domains is to send Javascript to your browser to accomplish two things.  First it displays a pop-up message saying that your browser cannot reach the site.

…which is not true.  The alert comes from the site itself!  This is to keep you from suspecting what comes next.

What comes next is that the Javascript directs the browser off to another domain that hosts the Blackhole exploit kit.  This kit sends specially crafted messages to the browser that try to take advantage of unpatched weaknesses in browser helpers such as Java or Windows Media Player.

If any weakness is found then Zeus is downloaded and installed automatically behind the scenes.

Exploit and Zeus network traffic

Previous spam efforts required you to click “Run” in order to install the malware payload.  The use of an exploit kit in this case means that Zeus is installed without user interaction.   Once you click the link in the email, it’s game over.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Our spam monitoring systems at Barracuda Labs are following a very large spam campaign carrying Trojan.Zeus.   The spam amounts are approaching many hundreds of thousands a day and although they are being delivered to a wide cross-section of Internet users, the content of the spams is aimed at users of online banking services.

When spam delivers malware, one of the most common strains it carries is the password-stealing Zeus Trojan.  Zeus specifically targets banking passwords, and the gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies.  Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers.   One thing small organizations don’t always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do.

The spams use graphics hosted by the Federal Reserve and pose as notices of a failed wire transfer:

Fake wire transfer spam

Much like last weeks Chase Paymentech spam campaign, these notices are of particular interest to financial professionals.  Unlike the more sophisticated Chase emails, these are a simple affair with poorly constructed text and no attempt at hiding the executable nature of the linked payload.

Still, there’s the possibility that a busy executive might just skim the spam and click on the attachment, resulting in a Windows security warning:

Windows security warning

While the spammers try to hide behind a double extension of .pdf.exe, this is no PDF.  This is an executable program, and the Federal Reserve is not going to send you any vital information coded into a program.   Don’t run it.

If you do, you’ve installed Zeus:

Zeus network traffic

It will run quietly in the background, intercepting browser traffic, watching for credentials and sending any it finds off to its command and control server.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

The spam monitoring systems at Barracuda Labs have uncovered an especially objectionable spam campaign that poses as a sign-up email from the Chase Bank credit card processing service Chase Paymentech.

We see lots and lots of spam at Barracuda Labs.  Even if the sender isn’t suspect, it is still generally easy to spot either because of the subject matter or flaws in the content.

What makes this spam dangerous is a combination of convincing content and deceptive payload.  Examining this spam highlights the risk that comes with assuming one can always judge spam by its appearance alone.

These spams are particularly well done.  The only suspicious element is that the From: address is not Chase bank, an unusual failure given how easy it is to fake the From: field in an email.

The email invites you to activate a credit card payment account and tells you that your first step is to find your merchant ID and user ID in the attached Microsoft Word document.   That Word document is what indirectly delivers the malware payload.

Vulnerabilities in Microsoft Word have mostly been patched or mitigated, and it’s been years since Word document attachments were something most users had to worry about. While users have become more suspicious of programs that must be downloaded and run, they’re more likely to open a document which is “just something you read.”

Unfortunately, malware distributors have recently discovered that common vulnerabilities in Adobe’s Flash player can be exploited by embedding the malicious Flash file into a Word document.  This takes users who aren’t likely to suspect a Word document of malicious intent and puts them at risk if they open it.

That’s what happens here.  If you open the attached merchant_info.doc, you can’t see the Flash control embedded in the document.  You really don’t see much of anything for the minute or two that it takes the Flash code to download and install malware on your Windows computer.

Once the infection is accomplished, this Word document closes and you’re back to staring at the email and wondering what went wrong.   Meanwhile your computer is running Trojan.Zeus in the background.

Zeus quietly monitors your Internet traffic looking for username and password data.  It saves them and periodically sends them off to control servers elsewhere on the Internet.

The content of this spam is of particular interest to financial professionals, making the installation of a password stealer that much worse.  Trojan.Zeus has been implicated in many instances of online theft from small business accounts, especially since small business banking involves higher dollar amounts and does not carry the same level of theft protection as consumer accounts do.

The Adobe vulnerabilities that allow this to succeed have been used in a number of recent email attacks.  We strongly recommend you upgrade all of your Flash installations by visiting http://get.adobe.com/flashplayer.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

The iPhone 5 isn’t due to be released until fall, or even Christmas, but the spam honeypots at Barracuda Labs are already detecting malicious messages targeting anxious Apple acolytes.

Fake Phone

The image of a beautiful see-through phone is actually a concept photo that is over two years old.

All of the links in the email lead to a copy of Trojan.Zapchast, an IRC-controlled backdoor.

Fake iPhone spam

Naturally the apple.com from: address is spoofed.

If you do click on one of the links and run the offered executable, another old iPhone concept photo is displayed in order to distract you from the installation of the backdoor.

Photo distracts you from backdoor installation

In this case, if you’re curious about iPhone products, visit the Apple iPhone pages at http://www.apple.com/iphone. And never click on links in emails, especially from unknown sources.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

Barracuda Labs researchers have recently seen a particularly nasty variant of Trojan.FakeAV  spreading in the wild.  We have seen this fake antivirus malware delivered both by way of  drive-by exploits and by way of direct links embedded in enticing spam emails.  The first sign of infection is the display of a very convincing copy of a Microsoft Security Essentials alert.   The malware then prevents the victim from running most programs on their desktop.

When the real Microsoft Security Essentials antivirus program  encounters malware on a computer it displays an alert such as this one:

Valid Microsoft Security Essentials alert

A computer that has been attacked by this strain of Trojan.FakAV immediately displays the following very similar alert:

Fake alert

The difference is that the second alert will continue to reappear even if the user closes it.   Any attempt to run Outlook or Internet Explorer, open a command window or even run the Task Manager will be intercepted and the alert will re-display. The inability to run most common programs on the computer leaves the uninformed user with no alternative but to explore the alert.   Choosing “Clean Computer” or “Apply Actions” brings up an interesting scan dialog:

"Online Scan" results

A large list of  antivirus product trademarks is displayed.  Unfortunately, none of the well-known products seem to be able to find any problems. Cleverly interspersed with the reputable programs are images for five bogus antivirus ‘products’ including:

AntiSpy Safeguard
Major Defense Kit
Peak Protection
Pest Detector
Red Cross

Of course, no scanning ever happened, and the programs listed above are all built directly into the malware. They all appear identical except for a name change.   If the user installs the first one, this is displayed:

Fake AV "Install" dialog

We were particularly amused by the wholesale theft of the GNU “free software” license agreement.  Behind the scenes, the installation of any of these bogus ‘products’ sends messages across the Internet to IPs  85.234.191.174 and 85.234.191.180, both of which are located in Latvia.  The first is the home of a malicious fake porn site and the second hosts a site whose main page simply reads “There is nothing here”.

Once ‘installed’ the program goes right to work fixing ‘problems’.   Unfortunately some of those problems require a missing “heuristic module”.

Fake AV "scan"

Ignoring this requirement results in an error message. Outlook, Internet Explorer, Task Manager – the most basic Windows programs still will not run. Eventually the user might be tempted to click the purchase button for that module:

FakeAV "money screen"

Fixing the Problem

While it is not possible to open many programs, it is possible to open the  file explorer.  The malware file is found in the users Application Data folder, which is hidden by default.  Once the file is renamed it will no longer be loaded on reboot, and the machine can be cleaned using a reputable antivirus program.

Barracuda Web Filters and the Barracuda Web Filtering Service stop the download of this threat.

Barracuda Labs has seen an enormous increase – in fact, well over one million instances a day – of spam containing malicious HTML attachments. The attackers are trying every trick in the book, from using trending news topics to sending deliberately vague messages, with the hope that users will be curious enough to open the HTML. After all, what harm can an HTML file do?

The answer is - plenty.

For years computer professionals have been telling email users to be particularly careful with emails from sources they do not recognize, and to even be careful with unusual looking email from sources that they do trust.  Users have been warned of the potential dangers associated with clicking on a file or link that arrives in an email. But many people assume that an HTML file is just a webpage and that webpages are safe. This assumption is misleading, and the examples below show why HTML attachments are just as serious of a threat as other attachment types.

On September 16, this particular campaign started with spams tied to current Google trending topics:

Attracting attention by latching on to the latest breaking news is a technique that attackers have been using for quite some time. In fact, several examples of SEO poisoning and search malware are explored throughout barracudalabs.com and this blog. Google hot topic search results frequently are littered with links to hacked sites that serve up malicious JavaScript.  Now, the attackers are taking that a step further and not requiring the user to come to their hacked sites but rather simply emailing the same malicious JavaScript sites straight to an inbox.

These campaigns evolved slightly over the following days, with the subject lines changing from trend topics to more nonspecific email subjects that one might receive from a business associate:

With messages to match:

These emails are presented as something just innocent enough that a user might allow curiosity to overrule caution and click “open”.  However, once that happens, the HTMLs suddenly don’t seem so harmless.

The attachments include 100% obfuscated JavaScript – JavaScript deliberately made confusing to read or scan in order to make it harder for anti-virus products to identify it.

When opened in a browser window, this JavaScript sends the browser to a variety of destinations depending on the spam flavor of the moment. In some instances, that is fake pharmacy sites which are harmless:

In others, it may be fake codec sites which are harmless as long as the fake codec is not downloaded (note: a codec should never be downloaded in this manner):

And finally, some instances lead to fake anti-virus sites which can carry a variety of problems:

Consider the HTML behind the fake anti-virus site redirect:

The HTML that serves this redirect also contains an IFRAME element that attacks the browser and installs a backdoor, as seen below:

What makes this a real problem is that although the fake anti-virus site can be defeated by simply terminating the browser, the backdoor has already quietly been installed.

After several days, the spammers then shifted gears and started embedding the malicious JavaScript directly in otherwise innocent looking HTML files:

This is what the email attachment looks like when viewed with JavaScript disabled.   This inclusion strategy helps disguise the JavaScript from email scanners and reassure users whose email clients preview HTML content without evaluating JavaScript.

But there is malicious JavaScript inside, just waiting for the attachment to be opened in a browser:

In a browser, this displays the seemingly legitimate attachment very briefly and then blanks out the screen.  Once the screen is blank, the malicious code is busy exploiting the browser and downloading malware culminating in the installation of a Trojan from the Zeus family.

The absence of any significant visual feedback means the user typically has no idea what has just happened or that they have contracted one of the most dangerous pieces of malware on the Internet.  Zeus Trojans are a stealthy family of malware that steal online credentials, particularly those used for online banking.

So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless.

Barracuda Spam & Virus Firewalls block these emails, and Barracuda Web Filters and the Barracuda Web Filtering Service stop the malicious traffic.

Just yesterday, Barracuda Labs intercepted thousands of copies of a spammed phishing attack aimed at customers of the popular online video rental service Netflix. While phishing attacks are nothing new, especially against financial institutions, this attack is particularly well done.

Below we present the details of the attack, showing how the unsuspecting Netflix member might fall victim, as well as what to look for to avoid it.

The email is simple enough and looks convincing:

Taking a deeper look, the recipient will noitice that the email was not sent to anyone by name.  Also, mousing over the link shows that it does not go to Netflix.com. Instead, it goes to a deceptively similar domain, netflixus.com. This could be easily confused by the recipient since it is so similar, and also could be perceived as a geographical notation (US).

Netflixus.com was registered on the same day that the phishing attack began, September 13:

Clicking on the “update” link sends the user to a login page that looks like what one would expect from Netflix:

One exception is the domain in the address bar: still netflixus.com.  Additionally, the protocol used is not HTTPS, which reputable sites always use when asking for login names and passwords or for credit card information. All of the other links on this page and on the following pages point to netflix.com, so if the user mouses over this form it is extremely deceptive. The ‘Continue’ button takes the user to another part of the phishing site.

As part of this experiment, we signed in with a fake username and password:

Once signed in, there is a landslide of warnings. The first is that the user is immediately asked for credit card information:

This page is very well designed, right down to an image of the back of a credit card to help identify the security code.    Netflixus.com still displays in the address bar, and although credit card information is being requested, the HTTPS protocol is not being used.

We responded with a dummy credit card number as indicated below:

Once that happens the site obligingly sends the user’s browser to the real netflix.com home page:

This final step is one last step to make the user feel comfortable with the just completed transaction.

This attack serves as a great reminder to always pay attention online. Regardless of how “real” an email or site looks, users should be especially wary of those requesting the user to click on links to enter credit card information, passwords and so forth. There are several tell-all signs to check legitimacy, many of which we have outlined above.

Customers using the Barracuda Spam & Virus Firewall, Barracuda Web Filter, and/or the Barracuda Web Filtering Service are protected from this attack.

Email worms are nothing new, but in the past they sent their executable program as an attachment to the outgoing email. Computer users have mostly absorbed the lesson that you should be very careful with any file that comes to you via email, especially any .exe and .zip files.

This “Here You Have” email worm was just different enough to persuade many users to download and run the payload. The emails offered up a type of file that people trust – an Adobe PDF – and then delivered a file type that most people are unfamiliar with – a .scr file. The .scr file type is commonly used for Windows screen savers, which are executable programs themselves. What’s more, the payload file was not directly attached to the email. A small HTML file containing a link to the payload is included instead, making it more difficult to see what was actually being offered. And making it more enticing to click.

The campaign included several different messages, with the most common one titled “Here You Have” that presented a vague “document I told you about” theme.

Careful examination of the email shows that what is being offered is not what is being delivered. Saving the file offers further evidence.

What the malware authors are hoping will happen is that the user will simply click on the link.  Doing so does display a Windows Security Warning dialog, and this dialog does indicate that the file is not a PDF – it is a Screen Saver.

The mere presence of this dialog is a dead giveaway that something is wrong. The action for a PDF file is ‘Open’ and not ‘Run’.

If ‘Run’ is clicked, the malware – named VBMania – proceeds to spam itself to everyone in that user’s address book. This can be a particular problem in large enterprises because as a rule, emails passing between users in the same organization are trusted. One infected user spams everyone in the corporate address book, and once only a few more coworkers click on those emails the spam attack snowballs exponentially.

So while email worms are nothing new and most users understand not to click on an attachment that is an .exe or .zip, the payload included here is an .html leaving unsuspecting users vulnerable.

“This outbreak was actually kind of simple,” says Chapetti. “All it did was spam itself out. They could have just as easily added a password stealer to the download list, and with more sophisticated code, dynamically changed the download site and keep the worm alive for a long time.”

Bottom line? The attack itself is simple and could have been much more severe than it was. It is yet another example of spam containing potentially malicious content and a significant reminder to all users to not run anything received via email if the source is not trusted and the content known.

Barracuda Spam & Virus Firewalls blocked these messages throughout the attack.

By Dave Michmerhuizen, Research Scientist

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down.  The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal.  In particular it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.

"Wedding Contract" email

Upon first glance and a quick scan, it could appear as your legitimate contract (of course, hopefully the users will notice if the venue is not one they have been reviewing!). If the attachment is opened, it does not appear to do anything at all.  Nothing displays.  However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords.  The traffic here shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.

This week, we have seen a surge in the number of spams like the one below, promising a new Social Security Number (SSN) to victims of Identity Theft.

Most people would take one look at this spam and hit the delete button, but it is worth taking a moment to understand what’s being offered.

The scam behind the spam

If you are a citizen of the United States, your SSN is a de facto personal identification number.  With your name, your SSN and a few other bits of personal information, an identity thief can ruin your credit and turn your life into a nightmare.

Since a stolen SSN is at the center of the nightmare, this scam attempts to convince identity fraud victims that a new SSN will take care of their problems and that for a fee, the company – Get New SSN – will help.  Calling the number in the spam connects you to a slick sounding recording and then a human operator who takes your personal information.

What really happens is that the victim of these scams is given a Federal Employer Identification Number (FEIN), which looks just like a SSN but serves a completely different purpose.  The victim uses this FEIN as if it were a SSN without realizing that they are committing fraud.  What’s more, by using the FEIN in place of their real SSN, they are doing permanent harm to their Social Security record since income earned when using an FEIN is not eligible for Social Security reporting.

The Social Security Administration issues new numbers only in the event of severe identity theft, and even then only rarely, and all Social Security services are offered at no cost.

As you would expect of a scam, these spams contain no valid reply information.  Not only do the scammers send out email spam, they post spam to unprotected online forums as well.  This is done automatically by ‘bots’ which are indiscriminate in their targets.  Below is an example of the “New SSN” posted to a Japanese blog:

The email mentioned in these forum spams, getnewssn@gmx.com, is hosted at a free German email service. Not quite what one would expect from a company offering to help with an American government agency.

Barracuda Spam & Virus Firewalls block these spam messages.