The Storm Worm is proving to be among the most resilient, persistent pieces of malware ever. If you don't remember, the Storm Worm first burst onto the IT security scene in January 2007. The worm got its name because the first wave of propagation spam that flooded inboxes had subject lines referencing a large storm that was pounding Europe at the time. Since then, the Storm Worm has morphed again and again, bringing an estimated 1.7 million PCs into its botnet in the process. Bot herders have generally pushed the worm via emails containing links to websites that host the worm. This of course means that IT must filter the worm at both the email level and the browser level. Herders have also used infected Zip file and Excel file attachments to push the worm. Campaigns have varied: the Virginia Tech massacre, greeting card spam and password-protected Zip files are just a few examples.
Currently, the Storm Worm herders are using emails with subject lines suggesting that the recipient appears in a YouTube video. Anyone unsuspecting enough to click the link is taken to a malicious web page where they are attacked (and most likely infected) by the worm. Herders have also seeded hundreds, possibly thousands, of Blogger blogs with links to the malware.
This Storm just keeps on raging. An organization needs three elements to fight it: robust email filtering; robust web filtering; and security-conscious employees who are trained to spot scams and not click on links or open attachments in suspect emails (the hardest part).
The PDF Spam Spike appears to be over…at least for now. But the Storm Worm Continues to rage across multiple vectors.
Email is the top choice for business communication. A Datamonitor poll found that 100% of workers in the US and Asia Pacific use email to perform their jobs, while only 80% use fixed-line telephones (76% also use mobile phones). 66% of those surveyed use IM.
The PDF spam spike marks an escalation in the spam war. Spam rates, which have seen triple-digit annual growth over the past two years, spiked dramatically last week. Spammers are sending larger and larger batches of spam and using ever-evolving cloaking techniques to evade email security filters. The latest spike is a good example of the layered threat that today's spam represents: a new attachment format, a huge sending botnet, and a payload that blends in with legitimate traffic.
A sustained flood of emails with PDF attachments, either no subject line or a vague but widely applicable business term in the subject line, and no text in the email body was unleashed last week and continues as of this writing. The difficulty with PDF spam is that it mimics a common business email practice: sending an email with no subject line or a vague subject line, no body text, and a PDF attachment. Filtering on the form of the message alone therefore catches legitimate mail too.
When fighting any spam tactic, one must always choose the right balance between stopping bad email and not stopping good email. In other words, you can stop nearly all of the spam and accept a high number of false positives (legitimate messages caught by the spam filter), or you can stop most of the spam with few or no false positives.
Security filters will adjust to PDF spam (just as they did with image spam earlier this year) and will then be challenged again by something new. The name of the game is to stop the known stuff and withstand heavy barrages of the new stuff, without losing legitimate email in the process.
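To make the false-positive trade-off concrete, here is an added example (not MxToolBox code and not the FlexBox filter) that scores raw messages on exactly the signals described above: empty or vague subject, empty body, and a PDF, Excel or Zip attachment, offset by a sender-domain allowlist. The vague-subject list, the weights, the threshold and the sample messages are all constructed for illustration; the only real API used is Python's standard-library email package. The "ham_blank" sample is the hard case from the text: a legitimate subject-less PDF that is indistinguishable in form from the spam, which the score flags unless its sender is trusted.

```python
"""Heuristic scorer for attachment spam (added example, not vendor code)."""
import email
from email import policy
from email.message import EmailMessage

# Constructed list of "vague but widely applicable business terms".
VAGUE_SUBJECTS = {"invoice", "statement", "report", "document", "info", "fyi"}

# Attachment types named on the page as carriers: PDF, Excel, Zip.
SUSPECT_TYPES = {
    "application/pdf",
    "application/zip",
    "application/x-zip-compressed",
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}
SUSPECT_EXTENSIONS = (".pdf", ".zip", ".xls", ".xlsx")

# Assumed weights and threshold; a real filter tunes these against its
# own false-positive budget. A trusted sender domain subtracts points.
WEIGHTS = {
    "empty_subject": 2,
    "vague_subject": 1,
    "empty_body": 2,
    "suspect_attachment": 2,
    "trusted_sender": -3,
}
THRESHOLD = 5


def extract_signals(msg, trusted_domains):
    """Return a dict of boolean signals for one parsed EmailMessage."""
    subject = (msg.get("Subject") or "").strip().lower()
    sender_domain = (msg.get("From") or "").rsplit("@", 1)[-1].strip("> ").lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    suspect_attachment = any(
        part.get_content_type() in SUSPECT_TYPES
        or (part.get_filename() or "").lower().endswith(SUSPECT_EXTENSIONS)
        for part in msg.iter_attachments()
    )
    return {
        "empty_subject": subject == "",
        "vague_subject": subject in VAGUE_SUBJECTS,
        "empty_body": body_text == "",
        "suspect_attachment": suspect_attachment,
        "trusted_sender": sender_domain in trusted_domains,
    }


def score(raw, trusted_domains=frozenset()):
    """Parse a raw RFC 822 message string and return (score, signals)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sig = extract_signals(msg, trusted_domains)
    return sum(WEIGHTS[name] for name, hit in sig.items() if hit), sig


def classify(raw, trusted_domains=frozenset()):
    """'spam' if the weighted score reaches THRESHOLD, else 'ham'."""
    return "spam" if score(raw, trusted_domains)[0] >= THRESHOLD else "ham"


def _message(sender, subject=None, body=None, attachment=None):
    """Build one constructed sample and return it as a raw message string."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "bob@corp.example"
    if subject is not None:
        msg["Subject"] = subject
    if body is not None:
        msg.set_content(body)
    if attachment is not None:
        name, maintype, subtype = attachment
        # Placeholder bytes stand in for a real file; the scorer never opens it.
        msg.add_attachment(b"\x00constructed\x00", maintype=maintype,
                           subtype=subtype, filename=name)
    return msg.as_string()


def build_samples():
    """Constructed sample messages (not real captures)."""
    return {
        # The pattern described above: no subject, no body, PDF attached.
        "pdf_blank": _message("x@bulk-sender.example",
                              attachment=("file.pdf", "application", "pdf")),
        # Vague one-word subject, empty body, Zip attached.
        "zip_vague": _message("y@bulk-sender.example", subject="Statement",
                              attachment=("doc.zip", "application", "zip")),
        # Legitimate: vague subject and a PDF, but a real body.
        "ham_with_body": _message("Alice <alice@corp.example>", subject="Invoice",
                                  body="Hi Bob, the Q2 invoice is attached.",
                                  attachment=("q2.pdf", "application", "pdf")),
        # Legitimate but identical in form to the spam: the false-positive case.
        "ham_blank": _message("alice@corp.example",
                              attachment=("q2.pdf", "application", "pdf")),
    }


if __name__ == "__main__":
    trusted = {"corp.example"}
    for name, raw in build_samples().items():
        print(name, classify(raw), "->", classify(raw, trusted), "(with allowlist)")
```

Run stand-alone it prints each sample's verdict with and without the allowlist. The point of the last sample is that no amount of weight tuning separates it from the spam on form alone; only out-of-band knowledge such as sender reputation or an allowlist keeps it out of quarantine, which is the balance the paragraph above describes.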
Last week's spam spike, marked by the single biggest one-day jump ever (445%), put a new twist on an ever-evolving combination of spam and scam campaigns. A massive flood of PDF spam was used to propagate a pump-and-dump stock scheme. The scam-paign lifted the share price of Prime Time Limited, a small Florida company, a whopping 57% (from $0.07 to $0.11) through last Wednesday. The stock tumbled below $0.07 in trading Thursday but fluttered up and down on Friday and this past Monday.
Prime Time denies involvement in the scam and is working to identify shareholders who held "naked short" positions in the company. A naked short is:
- A short-selling tactic where a seller sells stock they don't own and bets that the price will drop in the few days before the sold stock must be delivered, so that the stock delivered costs substantially less than the stock sold.
- An ironic way for spammer-scammers to monetize their spam.
Mobile Entertainment Inc and CYTV were two other penny stocks touted in the campaigns. CYTV is a regular feature on the pump-and-dump circuit.
As always, the most astonishing fact of the case is that several thousand people, at least, took the bait (but hey, we know that Pump and Dump works).
The campaign used a large botnet to unleash a flood of relatively new attachment spam that fooled some defenses and simply overwhelmed others. It is also the first pump-and-dump campaign to provoke a sustained elevation in trading volume.
A Consumer Reports study found that US consumers lost a total of $7 billion during 2005 and 2006. Roughly $2 billion is attributed to phishing scam losses and the remaining $5 billion was spent to replace virus- and spyware-infected computers.
Spammers and hackers have been busier than ever this summer. June set the all-time record for spam messages, and spam rates continue to hover at around 90% of all messages sent. The "spackers" (spammer/hackers) continue to hone their techniques in this constant game of cat and mouse. The latest trend is a shift to attachment spam, where the payload is delivered via an attached file. Attachment spam now represents a very significant portion of all spam sent. The bad guys have turned to PDF, Excel and Zip file attachments to deliver spam. This means that spam will continue to eat up bandwidth and will likely lead to an increase in false positives as anti-spam vendors adjust filters to account for the shift in spamming techniques. The good news? Image spam is on the decline.
July has seen the largest sustained virus attack in over two years, with a flood of Storm Worm-like malware delivered by botnet machines via fake greeting cards and spam messages with links to malware-carrying websites.
And, speaking of Botnets, despite a crackdown effort by the FBI early in the summer, it looks like the overall number of Botnet Zombie computers continues to grow.
If you've seen more spam getting through your filters this summer, it's probably not because the developers and technicians who build and maintain your anti-spam / anti-virus products decided to hang out at the pool until fall. It's likely because the overall volume of spam and viruses continues to push boundaries never before seen. Couple this with the myriad of new techniques and tactics and, well, the security community has to scramble to keep up.
As for MxToolBox, we've worked hard to make sure our FlexBox Email Security Service has provided the highest possible level of protection for our customers' mailboxes through this summer spam season.