Holidays are Over for Spammers

In this blog about spam volume, we discussed the virtual shutdown of three botnets including Rustock that caused the global spam volume to plummet around Christmas day. MessageLabs has indicated in their blog that those botnets have restarted, although they are sending less volume than pre-shutdown levels at the moment.

As seen in the chart below, we are indeed seeing a spike up in volume as of January 10. We will be keeping a close eye on this over the next few days to see if the increase holds up. For now, it looks like holidays are indeed over for spammers.

We saw a drop in the use of the ‘.ru’ domain URLs in spam messages around December 25. When the spam volume spiked up on January 10, we saw a corresponding jump in the use of ‘.ru’ domain URLs in spam. This data suggests that the new wave of spam mostly consisted of ‘.ru’ domain URL spam messages.
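One way a mail-security team can track the kind of shift described above is to extract the URLs from each spam message and compute, per day, what share of messages carry a link to a given top-level domain. The script below is an added example, not code from the original post; the message sample is constructed and the `example.*` hostnames are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Matches http(s) URLs and bare "www." hosts as they typically appear in message bodies.
URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"')]+""")


def extract_urls(text):
    """Return the URLs found in a message body, normalised so urlparse can read them."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip(".,;:")          # drop trailing punctuation from prose
        if not u.lower().startswith("http"):
            u = "http://" + u                   # bare www. host: add a scheme
        urls.append(u)
    return urls


def tld_of(url):
    """Top-level domain of a URL's hostname ('' if none)."""
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def ru_share_by_day(messages, tld="ru"):
    """messages: iterable of (day, body). Returns {day: (total, with_tld, share)}."""
    totals, hits = defaultdict(int), defaultdict(int)
    for day, body in messages:
        totals[day] += 1
        if any(tld_of(u) == tld for u in extract_urls(body)):
            hits[day] += 1
    return {d: (totals[d], hits[d], hits[d] / totals[d]) for d in sorted(totals)}


# Constructed sample spam corpus (not real messages), shaped like the pattern in the post:
# few .ru links around December 25, many once volume returns on January 10.
SAMPLE = [
    ("2010-12-25", "Cheap meds! visit http://pharma-deal.example.com/buy now"),
    ("2010-12-25", "Confirm your account at http://login.example.net/verify"),
    ("2011-01-10", "Best prices at http://bestpills.example.ru/offer, hurry."),
    ("2011-01-10", "Check www.superdeal.example.ru/sale today"),
    ("2011-01-10", "You won! claim at http://prize.example.org"),
]

if __name__ == "__main__":
    for day, (total, with_ru, share) in ru_share_by_day(SAMPLE).items():
        print(f"{day}: {with_ru}/{total} messages with a .ru URL ({share:.0%})")
```

A sudden rise in one TLD's share, as on January 10 here, is a useful trigger to re-check URL reputation rules for that TLD.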

Some of the best practices users should follow are:

· Do not open unknown email attachments. These attachments could infect your computer.

· Do not reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.

· Do not fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details through email. When in doubt, contact the company in question through an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message).

· Do not buy products or services from spam messages.


Please visit the State of Spam & Phishing homepage for the latest news on the spam threat landscape.

Microsoft Patch Tuesday – January 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is a quiet month: the vendor is releasing two bulletins covering a total of three vulnerabilities. One of the issues is rated ‘Critical’ and affects Microsoft Data Access Components (MDAC). The remaining two issues are rated ‘Important’; one affects MDAC and the other is a previously public issue in Windows Backup Manager.

Attackers can exploit all of these issues to execute arbitrary code. As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the January releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-jan.mspx

The following is a breakdown of the issues being addressed this month:

1. MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)

CVE-2011-0026 (BID 45695) Microsoft Data Access Components Data Source Name Buffer Overflow Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Microsoft Data Access Components due to how it validates third-party API usage. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Data Access Components 2.8 SP1, 2.8 SP2, and 6.0

CVE-2011-0027 (BID 45698) Microsoft Data Access Components ActiveX Data Objects Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Microsoft Data Access Components due to how it validates memory allocation when handling internal data structures. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Data Access Components 2.8 SP1, 2.8 SP2, and 6.0

2. MS11-001 Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)

CVE-2010-3145 (BID 42763) Microsoft Windows Backup 'fveapi.dll' DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A previously public (Aug 26, 2010) remote code-execution vulnerability affects Microsoft Backup Manager due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.wbcat’ file from a remote SMB or WebDAV share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows Vista SP1, SP2, x64 Edition SP1, and x64 Edition SP2

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

It’s Aishwarya Rai’s Turn to Be Popular with Phishers

Phishers have used several types of bait in social networking scams in the hopes of improving their chances of harvesting user credentials. Some of the bait has included offers of free mobile phone airtime, tickets to sports matches, pornography, hacking software downloads, and so on. In several instances, displaying an image of the fake offer gave the impression that the user could avail themselves of the benefits upon logging in to the phishing site. Such phishing Web sites typically use a template in which only the image and the text are changed. Celebrities’ photographs are often displayed in an attempt to attract end users.

In this particular phishing site, the displayed image was that of the popular Indian actress Aishwarya Rai. Symantec had earlier reported a similar phishing Web site that used another actress, Katrina Kaif, as the bait. As in the earlier example, the phishing Web site had its content altered to help it look like an adult version of a social networking site. Again, it is important to bear in mind that the legitimate social networking site being spoofed is not involved with any form of pornography or adult sex chat service. Though pornography is a common bait in social networking scams, it’s not common to see Indian actresses being used. Clearly, phishers are choosing celebrities who have a large fan following, as they perceive that a large audience will mean more duped users.

The phishing site was hosted on a free Web-hosting site. Upon entering the login credentials, the user is redirected back to the legitimate Web site. If users fall victim to the phishing site, phishers will have succeeded in stealing their credentials for identity theft. The phishing URL contained certain keywords that gave the impression that the content was linked to pornography. Below is the phishing URL:

hxxp://www.sexhotchat.******.com/Index.html [Domain name removed]

Internet users are advised to follow best practices to avoid phishing attacks, such as:

  • Do not click on suspicious links in email messages.
  • Avoid giving any personal information when answering an email.
  • Never enter personal information in a pop-up screen.
  • Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

Thanks to the co-author of the blog, Ashish Diwakar.