Thursday, April 18, 2013

Boston Explosion Spammer shifts to Texas Fertilizer Plant Explosion

Yesterday recipients of the Malcovery Today's Top Threat report were among the first to get a detailed analysis of the new spam campaign offering videos of the Boston Explosion. Our normal practice is to report on any email campaign that sends us at least 1,000 malware attachments or at least 1,000 malicious links that would lead to a malware infection if the link was to be followed. By mid-afternoon, we had already seen 80,000 copies of this spam!

Because of the prevalence of the campaign, we decided to share a copy of the T3 Report with anyone who wanted it, rather than reserving it for our paying customers. You can still get a copy by following this link:

Free Malcovery T3 Report: Boston Marathon Explosion Spam.

Today, our analysts have uncovered the newest update to the threat ... more than 18,000 emails already received this morning with subjects related to the Texas Fertilizer Plant explosion.

 count | subject
-------+-----------------------------------------------------
  3263 | Fertilizer Plant Explosion Near Waco, Texas
  2110 | Raw: Texas Explosion Injures Dozens
  2074 | CAUGHT ON CAMERA: Fertilizer Plant Explosion
  2045 | Texas Plant Explosion
  2014 | Texas Explosion Injures Dozens
  1943 | CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
  1609 | Texas plant explosion
  1572 | Video footage of Texas explosion
  1542 | Plant Explosion Near Waco, Texas

The Boston Explosion spam subjects are still an active part of the campaign as well, with nearly 10,000 additional messages coming from that group!

 count | subject
-------+-----------------------------------------------------
  1315 | 2 Explosions at Boston Marathon
  1197 | Explosions at the Boston Marathon
  1104 | Boston Explosion Caught on Video
  1100 | Video of Explosion at the Boston Marathon 2013
  1034 | Explosions at Boston Marathon
  1032 | Aftermath to explosion at Boston Marathon
  1027 | BREAKING - Boston Marathon Explosion
   999 | Explosion at the Boston Marathon
   958 | Explosion at Boston Marathon

The "count" tells how many samples we have received in the UAB Spam Data Mine, which powers the Malcovery T3 offering. The UAB Spam Data Mine was created as part of UAB's initiatives to create new tools, techniques, and training to fight cyber crime! In December of 2012, UAB launched Malcovery Security to enable our Spam and Phishing efforts to protect more businesses.

To confirm that yesterday's campaign and today's campaign are one and the same, we traced the URLs being advertised: many of the IP addresses that yesterday hosted spam links ending in "/boston.html" or "/news.html" are now being advertised in today's messages with a "/texas.html" link.

Despite the DOZENS of malicious URLs that can be seen in the emails above, we have so far identified only seven "exploit addresses" hidden in those malicious websites:

hxxp://auris.comlu.com/ozsr.html
hxxp://bestdoghouseplans.com/azsq.html
hxxp://emucoupons.com/amiq.html
hxxp://nlln.org/aeir.html
hxxp://sambocombat.us/hwsr.html
hxxp://your360solutions.com/emsr.html
hxxp://zendeux.com/wzsq.html
Today's Top Threat subscribers are notified of this type of information each day in their daily T3 reports. By knowing the danger points in top spam campaigns, they are able to use this information either PROACTIVELY, by putting rules into their network security devices and software to block these destination addresses, or REACTIVELY, by scanning their log files to determine if any computer on their network visited one of those sites.
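As an added example (not code from the original post or from Malcovery), here is the REACTIVE check described above: a Python script that scans proxy log lines for visits to the seven exploit URLs, to their hosts, or to the "/boston.html", "/news.html" and "/texas.html" lure pages named in this report. The Squid-style log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# The seven exploit URLs named in this report (refanged from the page's hxxp form).
EXPLOIT_URLS = {
    "http://auris.comlu.com/ozsr.html",
    "http://bestdoghouseplans.com/azsq.html",
    "http://emucoupons.com/amiq.html",
    "http://nlln.org/aeir.html",
    "http://sambocombat.us/hwsr.html",
    "http://your360solutions.com/emsr.html",
    "http://zendeux.com/wzsq.html",
}
EXPLOIT_HOSTS = {urlsplit(u).hostname for u in EXPLOIT_URLS}
# File names the spam's lure links end in; lower confidence, since any host may serve them.
LANDING_PATHS = ("/boston.html", "/news.html", "/texas.html")
# Assumed Squid native access.log layout: ts elapsed client code/status bytes method url ...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")

def classify(url):
    """Return 'exploit' (exact URL), 'exploit_host' (same host), 'landing' (lure page) or None."""
    parts = urlsplit(url.replace("hxxp://", "http://", 1))
    if f"{parts.scheme}://{parts.hostname}{parts.path}" in EXPLOIT_URLS:
        return "exploit"
    if parts.hostname in EXPLOIT_HOSTS:
        return "exploit_host"
    if parts.path.lower().endswith(LANDING_PATHS):
        return "landing"
    return None

def scan_log(lines):
    """Return a list of (client, verdict, url) for every log line that touches an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and (verdict := classify(m.group("url"))):
            hits.append((m.group("client"), verdict, m.group("url")))
    return hits

# Constructed sample log (not real traffic): one client fetches YouTube, a lure page, then an exploit URL.
SAMPLE_LOG = """\
1366293601.101 245 10.0.0.17 TCP_MISS/200 5120 GET http://www.youtube.com/watch?v=abc - DIRECT/203.0.113.9 text/html
1366293602.330 120 10.0.0.17 TCP_MISS/200 2048 GET http://lure-host.invalid/texas.html - DIRECT/203.0.113.9 text/html
1366293603.912 98 10.0.0.17 TCP_MISS/200 4096 GET http://nlln.org/aeir.html - DIRECT/203.0.113.10 text/html
1366293700.001 50 10.0.0.42 TCP_HIT/200 1024 GET http://intranet.invalid/index.html - NONE/- text/html
""".splitlines()
if __name__ == "__main__":
    for client, verdict, url in scan_log(SAMPLE_LOG):
        print(f"{client} {verdict:13} {url}")
```

A "landing" hit followed by an "exploit" hit from the same client, as in the sample, is the sequence the report describes: the lure page plays videos while the hidden exploit address is loaded.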

Just like yesterday, any Windows computer that visits one of the links in their email will be shown several YouTube videos, while one of the exploit sites listed above is used to interrogate their computer, infect it with appropriate malware, and add it to their spamming botnet.

Yesterday we clocked individual infected computers as sending approximately 400 emails per minute. 400 * 60 minutes per hour * 24 hours per day == 576,000 emails per day per infected computer! Each computer that clicks this link adds the ability for the spammer to grow their spamming rate by a half million emails per day!

We call this the "Growth Stage" of a botnet. When the objective of a spam message is to cause more computers to also send spam, the botmaster (the criminal who runs the botnet) is trying to enlarge his infrastructure. At some point, the botmaster can issue a command to cause any portion or all of his new collection of "bots" to perform new actions.

These actions could include:

  • sending spam that earns money for the criminal, such as Pharmaceutical spam.
  • infection with a new malware that steals personal financial information, such as the Zeus or Cridex malware.
  • infection with a new malware that causes your computer to attack company websites as part of a "Distributed Denial of Service" (DDOS) Attack, such as the attacks that have been going on against large banks and other companies.
  • infection with a new malware that can steal documents, or allow remote control of your company computer to use as a base of infiltration into your organization, such as what happened to the South Carolina Tax Office.
  • infection with a new malware that can delete data or cause your machine to be unbootable such as the Dark Seoul Attacks in South Korea last month.