With a newly discovered spam messages including a dangerous malware infection, identified as Mal/Dropper-PQ, came the following proposition:

Dear Sir
I am able to complete the funds transfer late night
$1,850 was sent via western union with MTCN VALUE 754 061 9934
Copies of the payment is being attached and sent to the attorney
I anticipate further correspondent as regards
Peter

Upon receiving such an e-mail, you will most likely first notice the poor grammar and spelling, but on closer inspection you may discover that this message has also come with an attachment named “WU Money Sent.exe.”

Now I’m certain we can all agree that typically we might delete such an e-mail message almost immediately and go about our lives, but for those of you that are perhaps too perplexed, scared or tired enough to actually execute the attached file, you will be greeted with this notification:

Bar. Mate
Here is the final transfer of $3,000
$1,850 was sent via western union with MTCN VALUE 035 461 7793
Copies of the payment is being attached and sent to the governor
I anticipate further correspondent as regards
Peter

While this is nothing more threatening than a text file, the real danger comes with the self-extracting .rar file, named Mal/Dropper-PQ, running malware designed to terminate specific antivirus programs and secretly install a keylogger that will record your keystrokes and then transmit this information to a remote server.
This will no doubt lead to identity theft and the loss of your well-earned money, which by this time will be transferred from your account and into the scheming hands of the hacker who infected your computer.

According to MessageLabs, a security research firm, spam levels have remained the same since the month of May which is said to be 90% of all email traffic for the month of June. The majority of the spam messages are a result of botnets which accounts for about 83% of the spam messages. The remainder portion of spam remains to be sourced from compromised mail servers or hacked webmail accounts.

Spam messages are basically a serious epidemic when you take into consideration the number of botnets that perform automated tasks in such a manor to account for 90% of all email traffic. Botnets from the Conficker worm to Mebroot, which was designed to steal personal data, have seriously plagued the internet through their ability to run uninterrupted automated tasks. Using such automated tools puts hackers in a position to spread malware via spam messages like never before.

The ultimate goal of a spammer is to gain some type of monetary gain for his or her efforts. Recent spam messages are known to take advantage of popular news stores, offer a computer user some type of bogus software or even exploit the death of Michael Jackson. Just recently the release of the new iPhone and Iran were used as subjects for spammers to cash-in on.

Image spam is now being blamed for a considerable rise in spam activities since the month of May. An image spam message is one that comes with an attached image instead of one hosted remotely. Many of these messages include background noise patters which are automatically generated. Computer users are usually totally unaware of such an attachment which could lead to the installation of malware or redirecting them to a malicious site.

Spammers and cyber attackers will always find new ways of spreading their malicious files and applications through bogus email messages. What ways have you found to combat the massive amounts of spam messages sent through email lately?

In recent activities discovered by security researchers, spammers are using the popular Iran election stores and news about Apple’s newest iPhone 3.0 software or iPhone 3GS release to flood Twitter with misleading tweets.

No doubt that Twitter and the iPhone are some of the most talked about “things” of this year. Many times cyber criminals will uses these “popular items” to their advantage and that is just what they are doing.

Spammers are sending out a slew of Twitter messages that say things like, “iPhone OS 3.0 Just Launched. Here are 20 Things To Do With It”. In addition, Twitter messages similar to this, are being posted by hacked Twitter accounts. The messages are apparently popping up when the popular search terms related to the iPhone is entered. Then they message may redirect you to a malicious site that may ultimately prompt the download of a .Zip file that contains malware.

Not only is the iPhone topic raiding Twitter messages by hackers, but the spammers are using the Iranian election as a popular topic to gain attention and increase the chances that unsuspecting computer users clicking on their tweet.

Is this anything new?

Nothing about these tactics is really new except for the new news topics used by the spammers lately. The use of social media sites such as Twitter and Facebook have risen to unprecedented levels even so to the point of abuse by hackers and spammers is common nature. Even so, some companies are restricting or banning the use of popular social networks such as Twitter and Facebook due to the fact that they are the culprit of spreading new viruses which could harm corporate networks.

To top it off, fake invitations to join Twitter are being sent out by spammers as well. The possibilities are almost endless for these hackers if something isn’t done very soon. Both Twitter and Facebook are aware of various threats that could spread malware and they have already advised users to use caution and have provided a page to report spam messages or senders on.

Have you been the victim of a spam message on Twitter of Facebook that used a popular new story to get your attention?

Just in the past few days, security researchers have noticed a high volume of Casino related spam emails that are designed to trick computer users into subscribing or joining Casino websites. After the user joins the Casino site they are asked to download an executable program that is identified as RoyalClubCasino.exe, which is recognized as a malicious file by many antivirus and antispyware detection tools.

The emails identified as spam messages related to Casinos, use attractive subjects promising money to the computer user if they play an online Casino game. Included in the spam email messages are links to various websites that may be associated with the creators of this scam. Below is a list of the malicious links noted on the novirusthanks.org website.

• wonderfuloasiscasino.com
• wonderfuloasiscasino.com/it
• planetparadisecasino.com/it
• planetparadisecasino.com
• cazingmonster.com
• cavinomonster.com

At least two of the websites above will redirect you to another site, colocationcasino.com, to initiate the download of RoyalClubCasino.exe. Further research of the RoyalClubCasino.exe malicious file will reveal that it is a downloader application that has the ability to download and install other unknown software from the Casino website that could be harmful to your system.

Have you ever received spam email related to a Casino website? Did you click on any links within the Casino email and it later downloaded an application onto your computer?

Spam Tips:

You must remember that spam messages use aggressive techniques to pursued computer users to download a malicious file, disclose personal information or unjustifiably spend their money on something. The Casino spam messages are just one example of a catchy subject used to get computer users to download a malicious program that may later ask for your hard earned money after it promises a service to you. Usually you never get your money’s worth just like in the case of many rogue anti-spyware programs. It is suggested that you use an up-to-date spam filter and keep a running antivirus or antispyware application at all times.

According to Dave Marcus, director of security research at McAfee Inc., the number of spam messages related to Swine Flu has been spreading rapidly accounting for about 2% of all spam messages today. Spam message with the subject lines, “Madonna caught swine flu!” and “First US swine flu victims!”, have increased just recently. Security researchers believe that spammers are using related spam messages to lead users to online drug sites or to harvest credit card numbers from gullible consumers.

The swine flu, or the newest influenza strain, has been making headlines since last week. Sophos Labs has also witnessed an influx of spam campaigns that includes messages containing a link that redirects users to a Canadian Pharmacy site.

McAfee researcher, Chris Barton, said to expect the pharmaceutical web sites to start pushing Oseltamivir, which is the prescription antiviral drug marketed under the trade name Tamiflu.

Are Malware makers taking advantage of the swine flu pandemic also?

Currently there is no evidence supporting that malware makers have started to capitalize on the swine flu bandwagon, but we should not be surprised if it happens soon. It is very possible that we may see viral videos related to swine flu, that ask users to “click here” and then it prompts the download of a fake Adobe Flash Player, leading to the installation of malware.

Why exploit something as serious as swine flu?

Whenever there is a popular story or even happening around the world, we see a major spike in the amount of spam messages directly or indirectly related to the same subject matter. Hackers know how to exploit these situations, mainly for monitory gain. We should not be surprised to see even more spam messages related to swine flu as the cases increase. Unfortunately the swine flu pandemic has already caused panic and death around the world. The last thing we need is to add fuel to the fire with bogus messages or spam emails exploiting the swine flu scare. Computer users are urged to be cautions when opening messages related to swine flu.

Have you received any swine flu email messages yet? Did they contain a link that redirected you to a suspicious website?

This message comes as if it was sent from a random generated user email address, not the typical CNN.com address. The spam or malspam email comes from the email address Harjinder-lkpn@321facets.com. By the email address alone, it should raise a red flag but with a catchy title like “CNN.com Daily Top 10″, many computer users may over-look the domain that it comes from. CNN would never use some unprofessional email address such as the one listed above. Obviously they would use a CNN.com domain or variation of CNN.com.

The website that you may be redirected to from this malicious email looks like it attempts to load a flash video. It stops you dead in your tracks only to display a notification that you have an incorrect version of the Flash player through a message that says “Video ActiveX Object Error. Your browser cannot play this video file.” The error prompts you to download and install a new version of Flash if it is clicked on. This is where it gets exciting. The so-called “flash download” is a malicious Trojan downloader called Trojan-Downloader.Agent.EL. This file first comes as a harmless get_flash_update.exe executable file until it is accessed.

Trojan-Downloader.Agent.EL Details

The Trojan-Downloader.Agent.EL infection has the ability to install other malware onto an infected machine such as the rogue anti-spyware program Antivirus XP 2008. It may go onto create executable files found in the directory %System%\cbevtsvc.exe while creating a new service CbEvtSvc file. The registry of the infected system is also modified in addition to a direct IP address connection is made to a report host via TCP/IP for port number 443. The MD5 is defined as “dabb5a9b431c88c77281bcf1158a9879″ for this specific infection.

A Trick to Avoid “CNN.com Daily Top 10″ Message for Outlook Users

Some email messages in Outlook and other web-based mail clients messages initially show up as a series of broken images such as in the “CNN.com Daily Top 10″ message. Many times you will choose to load the images which will enable the website link for when you click on the image. In other words, it will redirect you to the designated site automatically once an image is clicked on. If you choose to bypass or disable image loading, then it will prevent the web links from being active. In this case the “CNN.com Daily Top 10″ message would not be very effective in spreading malware because the embedded image link is not followed.

Recommended Outlook Rule

We know that Outlook cannot block every spam message or send bogus messages to your junk mail folder every time so we suggest manually creating an Outlook rule to help catch messages like the “CNN.com Daily Top 10″. You can simply create an Outlook rule to look for the specific text in the senders name and move the message containing it to your junk email folder.

To create an Outlook Rule, you must access the “Rules and Alerts” option within Outlook and add the proper text needed so that it may send emails that meet your criteria to the junk email folder. The image below is an example of this rule being created.

Outlook 2007 recommended rule

Because the current “CNN.com Daily Top 10″ bogus message has been effective in creating havoc over the Internet, we look for other variations of this message to strike again. Creating an Outlook Rule may only go so far in protecting you but it is one step in the right direction to help keep you safe from malicious messages. There is no guarantee that an Outlook rule will block all future emails that are variations of “CNN.com Daily Top 10″ spam email. Also, you may end up blocking legitimate emails from CNN.com in some instances.

Please Note: CNN is not a part of or affiliated with this particular threat nor does CNN operate the website in question. The malicious messages are being sent from random email accounts from infected computers. It is advisable that you keep this infection in mind if you encounter CNN emails.

Trend Micro, a security company, has already identified the spam messages as having an April Fool’s image which was taken from a simple Google image search using the keyword “April Fool’s Day”. The image is not original in the since that the spammer did not created it.

Contained within the spam message image that was so cleverly stolen from a Google image search is an embedded hyperlink to a malicious website that downloads executable files so appropriately named foolsday.exe, funny.exe and Kickme.exe. The names of the executable files are known to change to other names so detection may be difficult. Trend Micro has already taken action to block the website or websites that download the harmful executable files for their customers.

The spam message image resembles below.

This threat may not be as intense as others that spring up during other popular holidays but it proves how sneaky spammers and hackers are with the use of a holiday for their malicious acts. Internet users should always educate themselves of the newest threats especially around a holiday when spam messages utilize the name of the holiday to infiltrate computers on the internet for self gain and malicious intent.

• “Current Australia’s Prime Minister survived a hear attack”
• “The life of the Prime Minister is in grave danger”
• “Prime Minister survived a heard attack”

Usually Spam emails spread Trojan infections onto user’s computers. The purpose of the emails with the above phrases in the subject line is a focused attack against the Australian computer community. This is just one example of many other spam email subject lines. Other spam messages have used similar subject lines to gain the attention of computer users throughout the world.

The email messages using the above subject lines contain links to malicious URL’s or websites. Once the source of the URL’s are identified they will be blocked by a URL Filtering Service as reported by Trend Micro. Upon further examination of the URL’s in these spam email messages it seems the links lead to a site that contains 2 iFrames. By using iFrames, a website can presents itself in a way where one legitimate site is visible while the malicious website in the second iFrame is not visible. The malicious iFrame portion of the page may access another site that downloads infected files.

The files that the malicious site downloads are identified as update.exe which was detected by Trend Micro as TROJ_Small.GHI, a Trojan infection. Once this update.exe file is executed it downloads 4 additional files, 1.exe, 2.exe, 3.exe and 4.exe. The first file, 1.exe is identified as TROJ_VB.BLV which is another harmful Trojan infection that is known to install an array of malicious files onto an infected computer.

Currently all of the related URL’s from this particular spam email are now blocked by the URL Filtering Service according to Trend Micro.

Below is a representation of the actual spam email message from the Australian Computer Emergency Response Team – AusCert. The message contains malicious links. Do not under any circumstances visit the URL’s listed on this email message.

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

===========================================================================
A U S C E R T A L E R T

AL-2007.0026 — AUSCERT ALERT
[Win]
“Prime Minister heart attack” trojan
19 February 2007

===========================================================================

AusCERT Alert Summary
———————

Product: Microsoft Windows
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated

OVERVIEW:

AusCERT has received reports, and has observed malicious emails
currently in circulation with a variety of subject lines,
including:

“Current Australia’s Prime Minister survived a hear attack”
“The life of the Prime Minister is in grave danger”
“Prime Minister survived a heard attack”

with a link to malicious websites, including:

h**p://www,austr-news,com/
h**p://www,theaunews,com/
h**p://www,theau-news,org/

IMPACT:

AusCERT is in the process of analysing this trojan and no conclusive
information about payload is available at this time. However,
similar incidents have been known to install code designed to steal
online credentials and modify security settings.

MITIGATION:

Users should avoid clicking on any links in email, unless the email
was already expected. Unsolicited e-mail should always be treated
with suspicion. Additional countermeasures for protecting Windows
systems can be found on the AusCERT web site[1].

System administrators may wish to consider monitoring their proxy
logs for access to the following URLs, or blocking them completely:

h**p://www,austr-news,com/
h**p://www,theaunews,com/
h**p://www.theau-news.org/

(redirecting to)

h**p://apicesnn,net/

Please note that the above urls have been intentionally modified.

At the time of publication, the malware payload is not widely
detected by most popular Anti-virus software.

DETAILS:

The malicious email is HTML with content similar to:

— BEGIN EMAIL SAMPLE —

SYDNEY, February 18, 2007 08:56pm (AEDT) – The Prime Minister of
Australia, John Howard have survived a heart attack. Mr Howard, 67
years old, was at Kirribilli House in Sydney, his prime residence,
when he was suddenly stricken. Mr Howard was taken to the Royal
North Shore Hospital where the best surgeons of Australia are
struggling for his life.

Click on the link below to get the latest information on the health
of the Prime Minister:

The Australian – keeping the nation informed

John Howard was born on the 26th of July, 1939. Howard is Australia’s
second longest serving Prime Minister and leader of the Liberal Party
in Australia.

…

— END EMAIL SAMPLE —

REFERENCES:

[1] Protecting your computer from malicious code
http://www.auscert.org.au/3352

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation’s site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================

—–BEGIN PGP SIGNATURE—–
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRdlA8Sh9+71yA2DNAQIvpAQAmE4naKOlw6olkAyZh/H+dehy+tFBPv5j
OaqOkpdimkndJwJchZHJqOKmu4lOHQ4nu+HuuXSZjEfDyx3FS/aGrO4WadxA9wPL
zgdYZraf3z7meDmNdYgc2idfSEm4Y2OhbhyERAa1v3Fgw3u2tEehhpk6mmxeKBpb
z0hwKXaZv5M=
=w6Ri
—–END PGP SIGNATURE—–

According to Postini, an e-mail security company, their average 700,000 daily viral emails has increased to 35 million per day. Since July 2, Postini has seen about 275 million greeting card e-mails scam.

What does a greeting card e-mail scam do?

E-mail spammers send you an e-mail with the subject line saying you’ve received a greeting card from a “colleague,” “friend,” “family member,” “mate”, “neighbour,” or “whorshipper”. When you open the greeting card e-mail, there’s a link that points to a website that secretly installs drive-by downloads of Trojans or malware on your computer.

Recently it was found out that the downloaded malicious file is called ecard.exe and is a Trojan (known as Trojan.Tibs or Trojan.Small) that seeks to download other malware components from the web.

Notice that the exploit starts installing malware immediately when you open the link and after only a few seconds first threats may appear on your system. After an hour or two there might be hundreds of dangerous parasites and this is a serious risk to your personal and financial data, as well as to your PC performance and stability.

CAUTION: If you receive a greeting card via e-mail and you don’t recognize the sender, do not click on the link and it is advised you delete the e-mail immediately.

Subjects that appear on the greeting card e-mails:

You’ve received a greeting card from a admirer!
You’ve received a greeting card from a class mate!
You’ve received a greeting card from a colleague!
You’ve received a greeting card from a family member!
You’ve received a greeting card from a friend!
You’ve received a greeting card from a mate!
You’ve received a greeting card from a neighbor!
You’ve received a greeting card from a partner!
You’ve received a greeting card from a school friend!
You’ve received a postcard from a school mate!
You’ve received a postcard from a school-mate!
You’ve received a postcard from a worshipper!

A sample of the greeting card spam message: