Symantec Messagelabs Intelligence
Spammers continue to take advantage of holidays and events
Thu, 01/26/2012 - 06:06
Beginning on New Year's Eve and continuing into the first days of January 2012, Symantec Intelligence identified spammers taking advantage of the New Year anniversary, seemingly to entice users into clicking on spam links contained in the email messages.
Further investigation revealed that spammers were compromising legitimate Web servers, leaving the main Web site content intact (to avoid or delay detection) and adding a single small PHP script, typically named "HappyNewYear.php", "new-year-link.php" or "new-year.link.php". These scripts do nothing but redirect the visitor to a spam pharmaceutical Web site.
Analysis of one of the messages we saw using these links makes the spammers' motives clearer, as can be seen in figure 1, below.
Figure 1: Example spam email containing New Year reference in spam URL
The message uses social engineering techniques to try to entice the recipient to open the link. The "friend_id" parameter in the URL could perhaps suggest that the destination is some kind of social networking Web site.
In addition, around New Year many Web sites and blogs publish "top ten" lists of the past year or predictions for the coming year, so a URL containing the phrase "new year" may seem relevant and topical, and may increase the likelihood of its being opened.
However, this is just the social engineering element, and the URL redirects (through a compromised machine) to a familiar spammer "My Canadian Pharmacy" Web site, as can be seen in figure 2, below.
Figure 2: Example spam Web site redirected from New Year spam URL
Symantec Intelligence has seen over 10,000 unique domain names compromised with this "new year link" redirect script. A file called "new-year-link.php" or similar on a Web server is a strong indicator that the server has been compromised; it also serves as a timely reminder to ensure that all servers are properly patched and updated.
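A quick way to sweep a web root for the redirect stubs described above is to flag PHP files by the reported filenames and, independently, any tiny PHP file whose only job is to redirect. The script below is an added example, not Symantec's tooling or code from the post; the filenames come from the post, while the 4 KB size threshold, the redirect patterns, and the sample web root it builds (a large legitimate front page plus three planted stubs, one under an innocuous name to show that content alone is enough to catch it) are assumptions and constructed fixtures.

```python
"""Sweep a web root for tiny PHP redirect stubs of the kind planted on compromised servers.

Added example. Filenames are the ones reported in the post; size threshold, patterns
and the sample web root are assumptions for illustration.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Filenames reported on compromised servers, plus obvious spelling variants.
SUSPECT_NAME = re.compile(
    r"^(happy[-_.]?new[-_.]?year|new[-_.]?year([-_.]?link)?)\.php$", re.I
)

# Redirect idioms a dropper stub typically uses; group(1) captures the target.
REDIRECT_PATTERNS = [
    re.compile(r"""header\s*\(\s*['"]\s*Location\s*:\s*([^'"]+)['"]""", re.I),
    re.compile(r"""<meta[^>]+http-equiv\s*=\s*['"]?refresh['"]?[^>]*url\s*=\s*['"]?([^'">]+)""", re.I),
    re.compile(r"""(?:window|document)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I),
]

MAX_STUB_BYTES = 4096  # assumption: a redirect stub is tiny, a real page is not


def classify(path: Path) -> Optional[Dict[str, object]]:
    """Return a finding for one PHP file, or None if nothing looks wrong."""
    reasons: List[str] = []
    if SUSPECT_NAME.match(path.name):
        reasons.append("suspicious filename")
    size = path.stat().st_size
    # Only small files are content-checked: large pages legitimately redirect
    # (login bounces etc.), and reading every file is not the point here.
    if size <= MAX_STUB_BYTES:
        text = path.read_text(errors="replace")
        for pat in REDIRECT_PATTERNS:
            m = pat.search(text)
            if m:
                reasons.append(f"redirect to {m.group(1).strip()}")
                break
    if not reasons:
        return None
    return {"path": str(path), "size": size, "reasons": reasons}


def scan_webroot(root: str) -> List[Dict[str, object]]:
    """Walk the web root and return findings for every PHP file, sorted by path."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                finding = classify(Path(dirpath) / name)
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_webroot() -> str:
    """Constructed fixture: a legitimate site plus three planted redirect stubs."""
    root = tempfile.mkdtemp(prefix="webroot-")
    legit = (
        "<?php\n// Real front page: large, and its one redirect is an ordinary login bounce.\n"
        "if (!isset($_SESSION['user'])) { header(\"Location: /login.php\"); exit; }\n"
        + "echo '<p>Welcome to the site</p>';\n" * 200
    )
    (Path(root) / "index.php").write_text(legit)
    (Path(root) / "new-year-link.php").write_text(
        '<?php header("Location: http://pharmacy.example/?friend_id=123"); exit; ?>'
    )
    sub = Path(root) / "images"
    sub.mkdir()
    (sub / "HappyNewYear.php").write_text(
        '<html><head><meta http-equiv="refresh" content="0;url=http://pills.example/"></head></html>'
    )
    # Innocuous name: caught by content alone.
    (sub / "stat.php").write_text("<script>window.location.href='http://pills.example/x';</script>")
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f["path"], f["size"], "; ".join(f["reasons"]))
```

On a live server, run `scan_webroot` against the document root and review anything it returns alongside file modification times; a hit by filename alone is worth checking even if the content regexes miss, since the stub may encode or obfuscate its target.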
This is just the latest example of spammers using holidays and current events to try to make their mails more appealing. In the run-up to Christmas in 2011, spammers spoofed a number of legitimate retailers, offering Christmas special offers and deals on a variety of products (typically counterfeit watches and drugs). As we've separately covered in the Symantec Intelligence Report and in some of our blogs, 419 or advance fee fraud scammers are also skilled at using notable holidays, anniversaries and current events to their advantage. For example, there was an increase in the number of scams relating to the devastating earthquake in Japan last year and to the "Arab spring" movement, among many others.
January 23 also sees the start of Chinese New Year (also referred to as “Spring Festival”) celebrations. With celebrations continuing for several days, it is the most important traditional Chinese holiday, and is also celebrated in many countries and territories with significant Chinese populations. The huge interest in this event (to celebrate the “Year of the Dragon”) means that spammers and malware authors are likely to try to exploit this annual festivity.
Symantec Intelligence also expects to see spammers taking advantage of the fast-approaching Valentine's Day. It is likely that pharmaceutical spammers will take advantage of the day's romantic connotations, typically to promote their erectile dysfunction drugs, while malware authors are likely to use the popular idea of having a secret admirer to lure victims into unwittingly installing malware.
Following Valentine's Day, we also expect to see plenty of spam and malware taking advantage of the upcoming UEFA Euro 2012 football tournament, jointly hosted by Ukraine and Poland. Once UEFA Euro 2012 is over, it's not long until the Summer Olympics in London. Indeed we have already seen many references to the games in 419 or advance fee fraud messages. These messages have included attachments such as "London 2012 Olympic Games.doc", "LONDON 2012 OLYMPIC GAMES RAFFLE PROGRAM.doc" and "LONDON OLYMPICS LOTTERY WINNER!.doc", to name but a few; one example is shown in figure 3, below.
Figure 3: Example 419 spam referencing a forthcoming major sporting event
By relating their mails to widely-celebrated holidays and current events with global interest, spammers and malware authors can (at first glance at least) make their messages more interesting, and increase the chance of recipients visiting spam Web sites or becoming infected.
Therefore, as major events draw closer, notably St. Valentine's Day and the London Olympic Games, the social engineering employed by spammers will almost certainly be adapted to take advantage of people's interest in these events. We expect an increase not only in spam activity relating to these events, but also in scams and 419 frauds. With legitimate Web servers being exploited in many of these latest attacks, it is especially important to remain vigilant and to ensure that businesses follow best practice for patching and maintaining Web servers and other potentially vulnerable servers.
Categories: Spam and Incident Response Blogs
A New Zero Day PDF Exploit used in a Targeted Attack
Thu, 12/08/2011 - 03:15
With contributions from Manoj Venugopalan, Senior Malware Analyst, Symantec
Introduction
A new day and a new zero day PDF exploit used in a targeted attack, which our Skeptic heuristic engine stopped. This one exploits a vulnerability in the 3D engine in Adobe Reader (CVE-2011-2462, http://www.adobe.com/support/security/advisories/a...), which is used to display a 3D wire mesh object that you can rotate and view from all angles in real time. An architect might use it to mock up a plan for a building that the customer can view from within the PDF, which is very cool. However, every function added to the software is more parsing code exposed to attacker-controlled input, and so more chance of an exploitable bug in the format handling.
Details
The targeted attack against Adobe Reader 9.4.6 on Windows was originally sent in 5 emails on 1 December, with another 16 sent on 5 December. Standard fare for a targeted attack: it came from a free webmail service with no spoofing involved.
There were three X-Originating-IP addresses for the computers that connected to the webmail service to send these attacks, all located in the United States and all apparently compromised machines: one appears to be a mail server, one a web server, and the last is simply labelled as a static IP according to its reverse DNS record.
Social engineering wise, they are pretending to be a government agency sending out a new contract guide for contractors of that agency.
It’s actually quite well written, which is rare in these kinds of attacks, although it’s lacking any personal or departmental email signature, with the exception of the “This email message is for the sole use of the intended recipients” disclaimer.
The attackers have also bypassed the free webmail service’s own signature, which normally states something to the effect of “Use [name of free webmail service].com for free email”, or the other advertisements that are sometimes appended to the bottom of messages sent from webmail.
News reports state that this exploit has been used in attacks against defence contractors; we’ve also seen other industry types being attacked, including the following:
Company     Industry Sector     Number Blocked
Company 1   Telecoms            2
Company 2   Wholesale           1
Company 3   Manufacturing       7
Company 4   Computer Hardware   2
Company 5   Chemical            9
This is a new zero day and they aren’t using it against one specific target: they are trying several, while still keeping the numbers low so that it is hard to spot.
Technical Analysis
Currently, the malicious PDF sample crashes after invoking A3DUtility.exe (Adobe Reader 3D Utility), because this specific PDF contains a corrupted compressed object; in other words, the malware as delivered does not currently work. The same error also makes it difficult to extract the executable that the malicious PDF should drop.
The PDF contains a U3D object, compressed with the standard deflate method (the PDF FlateDecode filter).
Like many other Adobe Reader exploits, this PDF contains JavaScript, heavily obfuscated using multiple variable references and loops. Since this is a U3D memory corruption vulnerability, the attacker sprays the heap by filling an array with huge strings; each string consists of hex-encoded padding followed by the shellcode, so that wherever the corrupted pointer lands it hits the sprayed region.
The exploit code worked against Adobe Reader 9.x, but not against Adobe Reader X versions above 10.0. Although versions below 10.1.1 may be vulnerable according to the advisory, the exploit code used in this attack fell into an infinite recursive loop on versions greater than 10.0.
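The three ingredients above (a FlateDecode stream carrying a U3D model, embedded JavaScript, and a compressed object that is corrupt and breaks decompression) can all be picked out statically without opening the file in Reader. The scanner below is an added example, not Symantec's analysis tooling and not the attack file: it constructs a small PDF fragment of its own with those three ingredients, walks the `obj ... endobj` blocks with regular expressions, inflates FlateDecode streams with zlib, and tags what it finds. It deliberately ignores cross-reference tables, object streams and every filter other than FlateDecode, so treat it as a triage aid rather than a PDF parser. The U3D check relies on the U3D file-header block type 0x00443355, which appears as the bytes "U3D\0" at the start of a model in little-endian order.

```python
"""Static triage of a PDF for FlateDecode streams, U3D models, JavaScript and corrupt
compressed objects.  Added example; the sample PDF it builds is constructed, not the
attack sample, and the parsing is deliberately naive (no xref, no object streams)."""
import re
import zlib
from typing import Dict, List

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
U3D_MAGIC = b"U3D\x00"  # U3D file-header block type 0x00443355, little-endian


def triage_pdf(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per object that carries something worth a closer look."""
    findings: List[Dict[str, object]] = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        # The object dictionary is everything before the stream keyword.
        dict_part = body.split(b"stream", 1)[0]
        tags: List[str] = []
        if re.search(rb"/(JS|JavaScript)\b", dict_part):
            tags.append("javascript")
        if re.search(rb"/Subtype\s*/U3D\b", dict_part):
            tags.append("u3d-subtype")
        sm = STREAM_RE.search(body)
        if sm:
            raw = sm.group(1)
            if b"/FlateDecode" in dict_part:
                try:
                    raw = zlib.decompress(raw)
                    tags.append("flate-ok")
                except zlib.error:
                    # This is the condition that crashes the 3D utility in the post.
                    tags.append("flate-corrupt")
                    raw = b""
            if raw.startswith(U3D_MAGIC):
                tags.append("u3d-magic")
        if tags:
            findings.append({"obj": num, "tags": tags})
    return findings


def _obj(num: int, dictionary: bytes, stream: bytes = b"") -> bytes:
    """Serialise one indirect object; adds /Length when a stream is attached."""
    if stream:
        dictionary = dictionary[:-2] + b" /Length %d >>" % len(stream)
        return b"%d 0 obj\n%s\nstream\n%s\nendstream\nendobj\n" % (num, dictionary, stream)
    return b"%d 0 obj\n%s\nendobj\n" % (num, dictionary)


def build_sample_pdf() -> bytes:
    """Constructed PDF fragment with the three ingredients (harmless stand-ins)."""
    spray = (
        b"<< /S /JavaScript /JS (var pad = unescape('%u4141%u4141'); var a = []; "
        b"for (var i = 0; i < 500; i++) { a[i] = pad + pad; }) >>"
    )
    u3d = zlib.compress(U3D_MAGIC + b"\x00" * 16)
    corrupt = b"\x78\x9c\xff\xff\xff\xff"  # valid zlib header, invalid deflate block
    return (
        b"%PDF-1.7\n"
        + _obj(1, spray)
        + _obj(2, b"<< /Type /3D /Subtype /U3D /Filter /FlateDecode >>", u3d)
        + _obj(3, b"<< /Filter /FlateDecode >>", corrupt)
        + b"%%EOF\n"
    )


if __name__ == "__main__":
    for f in triage_pdf(build_sample_pdf()):
        print(f"obj {f['obj']}: {', '.join(f['tags'])}")
```

A file that shows `u3d-subtype` and `javascript` together, let alone `flate-corrupt`, is unusual enough to quarantine for manual analysis; the flate-corrupt tag in particular is what you would expect from the broken sample described in the post.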
Adobe expects to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011.
For further information, please also read Adobe Reader Zero-day being exploited in the wild (Symantec Connect Blog).
The latest November 2011 Symantec Intelligence report (PDF) also includes additional information on targeted attacks and advanced persistent threats (APTs).
Categories: Spam and Incident Response Blogs
Symantec Intelligence: November sees a four-fold increase in the number of daily targeted attacks since January
Wed, 12/07/2011 - 01:13
Global spam is now at the lowest it has been since November 2008, when the rogue ISP McColo was closed down. The effect on spam volumes back then was very dramatic, and spam accounted for 68.0% of global emails. More recently the decline has been much slower, but spammers have also adapted, using more targeted approaches and exploiting social media as alternatives to email. Moreover, pharmaceutical spam is now at the lowest it has been since we started tracking it, accounting for 35.5% of spam, compared with 64.2% at the end of 2010.
With targeted attacks and advanced persistent threats being very much in the news this year, we thought it would be a good time as the end of the year draws closer to begin our review of targeted attacks and look more closely at what has been described as “advanced persistent threats” or APTs for short. Terms such as APT have been overused and sometimes misused by the media, but APTs are a real threat to some companies and industries.
In November, one in 255 emails was malicious, but approximately one in 8,300 of those were highly targeted. This means that highly targeted attacks, which may be the precursor to an APT, account for approximately one in every two million emails, still a rare incident rate. Targeted malware in general has grown in volume and complexity in recent years, but as it is designed to steal company secrets, it can be very difficult for recipients to recognize, especially when the attacker employs compelling social engineering techniques, as we highlight in this report.
A persistent threat residing inside your company’s network may be the by-product of a successful targeted attack. Rather than the targeted email itself containing an APT, it is likely to contain a downloader component that fetches the actual APT. Hence, targeted attacks of this nature can lead to an APT being deployed on your network if you don’t have the right defenses in place.
Targeted malware and advanced persistent threats (APTs) have been very prominent in the news during 2011, particularly in the wake of the Stuxnet attacks that took place in 2010, and more recently with the discovery of Duqu[1], which was created from the same source code as Stuxnet. Although the source code for Stuxnet is not available on the Internet, this does not mean that the original authors were also the authors of Duqu; the source code may have been shared or even stolen.
Defining what is meant by targeted attacks and APT is important in order to better understand the nature of this mounting threat and to make sure that you have invested in the right kinds of defenses for your organization.
Targeted attacks have been around for a number of years now, and when they first surfaced back in 2005, Symantec.cloud would identify and block approximately one such attack in a week. Over the course of the following year, this number rose to one or two per day and over the following years it rose still further to approximately 60 per day in 2010 and 80 per day by the end of the first quarter of 2011. By November 2011, the number of attacks blocked rose to approximately 94 per day, almost four times the number in January, as shown in figure 1, below.
Figure 1. Average number of targeted attacks blocked overall by Symantec.cloud per day worldwide in 2011
The types of organizations being targeted tended to be large, well-known multi-national organizations, and were often within particular industries, including the public sector, defense, energy and pharmaceutical. In more recent years the scope has widened to include almost any organization, including smaller and medium-sized businesses. But what do we really mean by targeted attacks and advanced persistent threats? To find out more, the full report can be downloaded here (PDF).
I hope you enjoy reading this month’s edition of the report, and please feel free to contact me directly with any comments or feedback.
[1]http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
Categories: Spam and Incident Response Blogs
To Foresee the Future, We Must Consult the Past
Thu, 12/01/2011 - 03:58
A wise man once said, “Whoever wishes to foresee the future must consult the past; for human events ever resemble those of preceding times.” (Machiavelli). Thus, looking back at the major cyber security trends of 2011 helps us gain perspective on what we can expect in the future. So, how would you describe the past year in cyber security, and what trends do you think will continue to grow in 2012? A few thoughts come to my mind.
First, perhaps 2011 will be remembered as the year we saw the foundation laid for the successor of the infamous Stuxnet. Another thought is that 2011 will go down in history as the year of the mobile threat; after all the mobile malware movement finally began in earnest. Finally, maybe we’ll look back on 2011 as the year of targeted attacks; with a concerning number of compromised legitimate digital certificates involved.
We think these key themes from 2011 will continue to grow throughout 2012. Here’s a bit deeper look at each of them:
Advanced persistent threats (APTs) continued to target industrial control-related organizations, while critical infrastructure protection program awareness and engagement waned. A recent Symantec Critical Infrastructure Protection (CIP) Survey found that companies are generally less engaged in their government’s CIP programs this year when compared to last. In fact, only 37 percent of companies are completely or significantly engaged in such programs this year, versus 56 percent in 2010. It should subsequently come as no surprise that overall CIP readiness on a global scale also fell by an average of eight points: in 2010, 68 to 70 percent said they were somewhat or extremely prepared, compared with 60 to 63 percent in 2011.
When combined with recent revelations around the Duqu threat, the findings of the CIP Survey are particularly troubling. Duqu’s purpose was to gather intelligence data and assets from organizations such as manufacturers of components commonly found in industrial control environments. The attackers behind Duqu were looking for information such as design documents that could help them mount a future attack on an industrial control facility. Thus, Duqu is essentially the precursor to a future Stuxnet.
At this point in time, there is no reason to assume the attackers behind Duqu were unable to gather the intelligence they were looking for. In addition, it is likely other similar reconnaissance-type threats exist and have simply not yet been discovered. Thus, it’s quite likely that 2011 saw the foundation for the next Stuxnet-like attack being laid.
As the use of smart mobile devices has exploded, the risks surrounding them – particularly mobile malware and data loss – have also experienced growth. According to Gartner, sales of smartphones will exceed 461 million by the end of the year, surpassing PC shipments in the process. In fact, combined sales of smartphones and tablets will be 44 percent greater than the PC market by the end of 2011.
This explosion has captured cybercriminals’ attention and as a result, 2011 saw significant real growth in the amount of mobile malware. From malware simply seeking to embarrass victims to malware exploiting premium rate number billing, to malware focused on information theft, it’s undeniable that 2011 was the first year mobile malware presented a true threat to enterprises and consumers.
In addition, despite 2011 being a year of external hacks, CISOs have already begun to shift their focus back to insiders. The reason is once again the proliferation of mobile devices, especially personal mobile devices. Tablets in particular have become a major concern, as employees are bringing them into corporate infrastructures at a rate that outpaces many an organization’s ability to secure and manage them and to protect the information that employees can access via the tablets.
Organizations are seeing an increase in employee productivity and happiness that tablets bring to the business culture. But, such rapid adoption of tablets can leave organizations vulnerable to data loss from insiders, both malicious and well-meaning. With tablets in hand, the concern has become insiders that fly under the radar of IT to access and send sensitive data, and in the case of the malicious insider, steal highly confidential intellectual property.
Cybercrime’s spread from the criminal underground to the business mainstream was highlighted by a surge in targeted attacks. Symantec’s November Intelligence Report shows that targeted attacks are becoming more prevalent in 2011. Large enterprises, with more than 2,500 employees, received the greatest number of attacks, with 36.7 targeted attacks being blocked each day during 2011.
By contrast, small-to-medium sized businesses, with less than 250 employees, had 11.6 targeted attacks blocked daily during the same period.
The increasing number of targeted attacks is being driven at least in part by competitive advantage as companies exploit digital espionage to acquire sensitive, proprietary data from competitors. For example, imagine an organization preparing to invest billions of dollars in a new chemical manufacturing facility that uses a targeted attack against its competitors to gather intelligence and ensure a competitive advantage. Just such a scenario may have recently unfolded.
Symantec recently discovered a series of attacks, codenamed “Nitro,” that primarily targeted private companies involved in the research, development and manufacture of chemicals and advanced materials. A total of 29 companies in the chemical sector and another 19 in various other sectors, primarily the defense sector, were confirmed to be targeted in this attack. The goal of these attacks appears to have been to collect intellectual property such as design documents, formulas and manufacturing processes.
High-profile hacks of Secure Sockets Layer (SSL) Certificate providers and malware threats that misuse SSL certificates became an issue in 2011, driving SSL Certificate Authorities (CAs) and website owners to take stricter security measures to protect themselves and their customers. Publicity and public ire about SSL-related breaches such as DigiNotar and Comodo reached an all-time high in 2011. Malware threats increasingly came from sources using SSL Certificates that cyber criminals either stole or fraudulently acquired.
All this has caused enterprise and consumer customers alike to begin demanding better SSL security, which started pushing CAs and website owners to further implement protections against social engineering, malware and malvertising. The popularity of mobile device use and the proliferation of cloud services within the enterprise further exacerbated potential vulnerabilities and showed the increased need for reliable, strong authentication. SSL-based authentication solutions for mobile and cloud deployments also began growing in popularity as customers’ awareness around the safety of their online transactions has increased. All this stoked discussion on whether too many organizations are issuing SSL certificates without sufficient security to back them up.
A persistent topic in 2011 was also whether high-profile SSL breaches signified the impending demise of SSL technologies, and even online trust itself. Data indicates that both claims are overblown. SSL technology wasn’t the weak link in DigiNotar and similar hacks; instead, these attacks highlight the need for organizations to harden security infrastructures and reinforces that CAs must implement standards for stronger security around business operations and authentication processes. Furthermore, if online trust were dead, no one would go online, which obviously isn’t the case.
There you have it, a look back at Symantec’s top cyber security trends from 2011. We expect to see continued growth in these areas in 2012.
Categories: Spam and Incident Response Blogs
ProofPoint Comparison
Tue, 11/22/2011 - 04:44
Recently ProofPoint posted a blog with a chart detailing some of the differences between Symantec.cloud (formerly MessageLabs) and ProofPoint technologies. Several of the side-by-side comparisons are inaccurate, so we are posting this blog to address the factual inaccuracies.
In the section entitled “Content filtering of email attachments” a more accurate representation would look like this:
In the section entitled “End User Functionality” a more accurate representation would look like this:
And finally, in the section entitled “Reporting and Log Search” a more accurate representation would look like this:
The section “Phishing detection” inaccurately represents differences in technology. This is a more accurate representation:
Thank you for taking the time to read this blog and allowing us to set the record straight. Feel free to use the comment section below to ask any questions or add to the discussion.
Categories: Spam and Incident Response Blogs