
Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘Botnets’ Category

Spammers hacking web servers to host porn, send spam


Monday, April 22, 2013 by Andrew Conway

For a long time we’ve been seeing spammers systematically compromising other people’s web sites so they can use URLs on them to redirect to the spammer’s landing page. This gives them a far greater range of call-to-action URLs for email spam. A recent attacker is not only using hacked web sites as redirectors, he is also putting the entire landing page on a different hacked domain. The landing page with the banner shown below, for example, was hosted in a hidden page on the web site of a school, a maker of costumes for children, a law enforcement officer, a therapist, several lawyers, several churches, and many others. The banner is the start of many screens full of hard core pornographic images, all hosted on the victims’ web sites.

Porn landing page banner

In the past we have seen spammers exploiting vulnerabilities in WordPress and Joomla to compromise web sites. At the moment there are reports of a large scale attack against WordPress sites using brute force: trying different passwords in an attempt to find one that works. However, the compromised web sites in this attack are running various different kinds of software, or none at all. It is not WordPress accounts that are being compromised, but the hosting accounts themselves.

I found one account which was used for file sharing only and had its directory listing exposed, so we can see the various files placed there by spammers.

Files in compromised account

Only the file names that are blurred out were placed there by the owner of the domain. All the ones you can read were placed there by one or more spammers. From October 2012 through January 2013 a number of .php files were created or modified. Some of these redirect to landing pages elsewhere, some were intended for sending spam, and none of them worked because PHP was not active on this server. In November 2012 and again in April this year, the same approach was tried with .html files. These do indeed redirect to spam landing pages. (n2.html and r1.html redirect to pages selling fake pharmaceuticals, and the others redirect to porn.) Finally, on April 9th, 2013, the directory cookiezgm3 was created. This contains a copy of the pornographic landing page discussed above, along with all the thumbnails, images, CSS files, and scripts.

In fact these attacks date back further than that. A snapshot from the Wayback Machine taken in June of last year shows the site had already been compromised by then. Note that the atf86.html and btf86.html files were present back then, but they have since been updated, as the file size and date differ.

Snapshot from last June

I talked to the owner of this domain to see if I could find out how it was compromised. Since PHP was not available, the intruders clearly did not get in via a server-side bug. My next thought was that the personal computer used to update the web page had been compromised, but it is running an up-to-date copy of Norton Anti-Virus. Then the owner of the domain admitted to choosing a weak password… so it looks as if the brute force attack is not limited to WordPress, but is being directed against hosting accounts as well.

So far we have seen this spammer use over 30,000 different compromised domains for call-to-action URLs, and 528 of those to also host his pornographic landing pages. It’s likely many of those compromised hosting accounts are also being used to send spam. Over 20% of the emails from this spammer contain an X-PHP-Originating-Script: header, indicating that the email was created by a PHP script. This header is generated by PHP 5.3 and above if you have the correct configuration variables set in your php.ini file. I recommend

mail.add_x_header = On
mail.log = /var/log/phpmail.log

This will log outgoing emails sent from PHP on your server and the Originating-Script header will tell you where they are coming from.
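As an added illustration of what to do with that log (this is example code, not part of the Cloudmark post), the script below parses a PHP mail.log, counts calls per originating script, and flags any script that sends more than a handful of messages inside a short window, which is the kind of sudden volume increase a dropped spam mailer produces. It assumes the line format PHP writes when mail.log is set (a bracketed timestamp followed by `mail() on [script:line]: To: address -- Headers: ...`) and that the X-PHP-Originating-Script header carries `uid:scriptname`; the log lines, paths and addresses are constructed for the demonstration.

```python
"""Summarise a PHP mail.log and spot scripts that suddenly start sending.

Added example, not code from the Cloudmark post. Assumed log format: a
bracketed timestamp, then "mail() on [script:line]: To: addr -- Headers: ...".
All sample lines, paths and addresses below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of /var/log/phpmail.log: a contact form that sends
# twice an hour, and a PHP file dropped into an images directory that fires
# off eight messages in under two minutes. One malformed line is included to
# show that it is skipped rather than crashing the parser.
SAMPLE_LOG = """\
[22-Apr-2013 09:00:01 UTC] mail() on [/home/site/public_html/contact.php:42]: To: owner@example.com -- Headers: From: web@example.com
[22-Apr-2013 09:31:17 UTC] mail() on [/home/site/public_html/contact.php:42]: To: owner@example.com -- Headers: From: web@example.com
[22-Apr-2013 10:00:00 UTC] mail() on [/home/site/public_html/images/x.php:3]: To: a1@example.net -- Headers: From: x@example.com
[22-Apr-2013 10:00:03 UTC] mail() on [/home/site/public_html/images/x.php:3]: To: a2@example.net -- Headers: From: x@example.com
[22-Apr-2013 10:00:09 UTC] mail() on [/home/site/public_html/images/x.php:3]: To: a3@example.net -- Headers: From: x@example.com
[22-Apr-2013 10:00:15 UTC] mail() on [/home/site/public_html/images/x.php:3]: To: a4@example.net -- Headers: From: x@example.com
[22-Apr-2013 10:00:31 UTC] mail() on [/home/site/public_html/images/x.php:3]: To: a5@example.net -- Headers: From: x@example.com
[22-Apr-2013 10:00:58 UTC] mail() on [/home/site/public_html/images/x.php:3]: To: a6@example.net -- Headers: From: x@example.com
[22-Apr-2013 10:01:20 UTC] mail() on [/home/site/public_html/images/x.php:3]: To: a7@example.net -- Headers: From: x@example.com
[22-Apr-2013 10:01:44 UTC] mail() on [/home/site/public_html/images/x.php:3]: To: a8@example.net -- Headers: From: x@example.com
this line is not a mail() record and is ignored
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)


def parse_mail_log(text):
    """Yield (timestamp, script path, recipient) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        # Drop the trailing timezone name before parsing the date.
        stamp = m.group("ts").rsplit(" ", 1)[0]
        ts = datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S")
        yield ts, m.group("script"), m.group("to")


def count_by_script(text):
    """Total mail() calls per originating script."""
    return Counter(script for _, script, _ in parse_mail_log(text))


def burst_scripts(text, window_seconds=600, threshold=5):
    """Scripts that sent more than `threshold` messages inside any sliding
    window of `window_seconds`; returns {script: peak count in a window}."""
    per_script = defaultdict(list)
    for ts, script, _ in parse_mail_log(text):
        per_script[script].append(ts)
    bursty = {}
    for script, times in per_script.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            bursty[script] = peak
    return bursty


def originating_script(raw_headers):
    """Script named in a message's X-PHP-Originating-Script header, which
    PHP writes as "<uid>:<script basename>"; None if the header is absent."""
    m = re.search(r"^X-PHP-Originating-Script:\s*(\d+):(\S+)", raw_headers, re.M | re.I)
    return m.group(2) if m else None


if __name__ == "__main__":
    print(count_by_script(SAMPLE_LOG))
    print(burst_scripts(SAMPLE_LOG))
```

Run this against the real log on a cron schedule and alert on anything `burst_scripts` returns; a legitimate contact form rarely exceeds a few messages per window, while a mailer dropped into an images directory shows up immediately.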

There is one more chapter to this story. We are seeing a disproportionate number of these hacked domains on two hosting services, one in the US, and one in Germany. Do these hosting services allow an unlimited number of login attempts? Or did a spammer get hold of their /etc/passwd file containing encrypted passwords and run a dictionary attack against that? Either way, simply using a strong password would have protected those accounts. Remember, folks, unless your spell checker underlines it, it’s not a password, and hackers sp33k 1337 as well.

If you are a hosting provider, here are a few things you can do to prevent account compromise:

  • Make sure your clients use strong passwords both on their hosting account and WordPress accounts – especially make sure they don’t use passwords in the dictionary or on this list.
  • Salt password hashes before you store them.
  • Prevent unlimited login attempts, and use extra authentication if the login is from an IP address not previously seen for that account.
  • Use the php.ini parameters listed above, and monitor the PHP mail log for sudden increases in volume.
  • Encourage your clients to run the latest release of WordPress and Joomla.
  • Hosting providers can request a free outbound spam analysis from Cloudmark. Contact Blair Bolden.
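The first three items in that list can be put together in one login guard. The code below is an added example, not Cloudmark's or any hosting panel's code: it rejects dictionary passwords (after undoing the usual l33t substitutions), stores salted and stretched hashes, caps failed attempts per account, and demands a step-up when a correct password arrives from an IP address the account has never used. The policy numbers (5 failures per 15 minutes, 12-character minimum), the tiny word list standing in for the dictionary, and the account and IP values are all assumptions.

```python
"""Login guard for a hosting control panel.

Added example, not Cloudmark's code. Policy numbers, the word list and
the sample accounts/IPs are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Stand-in for the dictionary / common-password list the post refers to.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou"}
# Undo common l33t substitutions before the dictionary lookup.
LEET = str.maketrans("4301$7@", "aeolsta")
SALT_BYTES = 16
PBKDF2_ROUNDS = 100_000  # stretching factor; raise as hardware allows


def password_is_weak(password, wordlist=COMMON_PASSWORDS, min_len=12):
    """True if the password is short or is a dictionary word, even when
    spelled in l33t (p4$$w0rd, w3lc0m3)."""
    if len(password) < min_len:
        return True
    normalised = password.lower().translate(LEET)
    return normalised in wordlist or password.lower() in wordlist


def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password, salt). A fresh random salt
    per account means two accounts with the same password never share a hash,
    so a stolen password file cannot be cracked one dictionary pass at a time."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class LoginGuard:
    MAX_FAILURES = 5        # failed attempts allowed per account ...
    WINDOW = 15 * 60        # ... within this many seconds

    def __init__(self):
        self.failures = defaultdict(list)  # account -> failure timestamps
        self.known_ips = defaultdict(set)  # account -> IPs that completed a login

    def attempt(self, account, stored_hash, password, ip, now=None):
        """Returns "locked", "denied", "step-up" or "ok"."""
        now = time.time() if now is None else now
        recent = [t for t in self.failures[account] if now - t < self.WINDOW]
        self.failures[account] = recent
        if len(recent) >= self.MAX_FAILURES:
            return "locked"            # too many recent failures: refuse outright
        if not verify_password(password, stored_hash):
            self.failures[account].append(now)
            return "denied"
        if self.known_ips[account] and ip not in self.known_ips[account]:
            return "step-up"           # right password, unseen IP: require a second factor
        self.known_ips[account].add(ip)
        return "ok"

    def confirm_ip(self, account, ip):
        """Call once the step-up check has passed so the IP is trusted next time."""
        self.known_ips[account].add(ip)
```

The lock is per account rather than per source IP on purpose: a distributed brute-force attack spreads its guesses across many addresses, so an IP-only throttle never trips.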

2013’s First Quarter at a Glance


Wednesday, April 17, 2013 by Cloudmark

With the close of 2013’s first quarter, we’ve released our Q1 2013 Global eMessaging Threat Report detailing a myriad of SMS and IP spam statistics, trends and observations from the past three months. Paramount among them is a set of allegations leveled by the Federal Trade Commission (FTC). These filings contended that the defendants were responsible for collectively sending more than 180 million gift card themed scam SMS messages.

Subscriber reports to the GSMA Spam Reporting Service, 7726, shed a clear light on the potency of this regulatory move, as daily volume rates for these scams plummeted. Below is a daily tracker illustrating the impact of the FTC regulations on the daily volume of SMS gift card scams. Earlier in the quarter, we were seeing gift card scam volumes peaking above 50% of all reports in a given day. Soon after the FTC announcement, the same scams plummeted below 10% of each day’s volume. A similar trend was seen more macroscopically. In 2012, these scams constituted 44% of all SMS spam reported during the year. This has fallen dramatically in 2013, with only 6% of March’s volume being gift card scams.

We saw growth in other attack categories over this quarter. The figure below shows that the Job Listing Scam’s monthly volume share rose by 400% over the quarter. Similarly, Adult Content Spam doubled its share from 8% to 16%.


Meanwhile, the SpamSoldier Android botnet and other older botnets were linked to several Panamanian services. These services provided registration mechanisms for rogue online pharmacies, domains for the SpamSoldier botnet, and anonymous hosting for botnet Command and Control servers. More details about these Panamanian services, along with further analysis of SMS and email spam trends in Q1 2013, can be found in our quarterly report.

Botnets: Does Size Matter?


Monday, March 18, 2013 by Andrew Conway

Every so often the command and control servers for a botnet get taken down, and we are told breathlessly by the more extravagant security experts that this botnet was responsible for a quarter (or a half or a third) of all the world’s spam, and that we can expect to see a big reduction in spam volumes. However, here at Cloudmark, where we’re actually filtering a big chunk of the world’s spam, we don’t see much long term difference in spam volumes before and after these botnet takedowns. After each botnet takedown occurs, spammers simply switch their spam campaign traffic to a different botnet. There are only a few hundred large scale spam operations and maybe a few dozen botnet herders around that cater to spammers. Many of them are in touch with one another on various underground forums. Spammers may already be operating on multiple botnets, and when one is out of service, they can simply increase the volume on the others.

That’s not to say that taking botnets down is unimportant. Anything we can do to make spamming more difficult and expensive is a win, as in the long term it will result in fewer spammers and less spam. However, there is another factor at work here. While the total number of machines under control of the bot herders has some impact on spam volumes, the rate of infection of new machines is more important. I believe we could take down the command and control servers for every botnet in the world at the same time, and within a few months spam levels would be back to where they were before the takedown. Let’s talk about why.

First of all, it’s very hard to estimate botnet size. Most estimates are based on the number of IP addresses accessing the Command and Control servers, or sending spam. However, the relationship between IP addresses and infected devices is not one to one. Networks with a limited IP address space may use NAT to support multiple infected machines with a single outbound IP address, and conversely, some networks may reassign dynamic IP addresses frequently, causing a single infected machine to be counted more than once as it shows up in botnet trackers as multiple IP address entries.

Nevertheless, once an infected machine has been sending spam for any length of time, all the IP addresses it appears on will get blacklisted on the various lists maintained by Cloudmark and other anti-spam organizations. An infected machine has a useful life to the spammer of anywhere from a few minutes to a few weeks, depending on the volume of spam that they are sending from it. The machines that have been infected for a while may still be active and trying to send spam, but in most cases they will be blocked as soon as they try to make an SMTP connection, and will rarely get to send messages successfully. While botnets can be useful for other purposes (setting up fake webmail accounts, data mining social networks, DDoS attacks, etc.), for spamming they have a limited useful life. The spammer needs a constant supply of fresh IP addresses to stay in business.

Most large scale malware infections happen due to exploits that already have a fix available. A device which is running the latest patches to the operating system and a current anti-virus package is less likely to get infected. We see most botnet spam originate from regions where there are many pirated and out of date copies of Windows, and far less from countries where users are more scrupulous about running security software and applying application and operating system updates. So long as operating systems and users fall short of perfection we are going to see machines on the Internet that are exploitable by spammers. While we applaud botnet takedowns, we feel that it is also necessary for ISPs to limit the amount of spam that can be sent by compromised devices and to have active prevention, detection and remediation programs in place to reduce the economic value of bots and thus make spam less profitable. Coordinated activities, such as the voluntary “U.S. Anti-Bot Code of Conduct” organized by the FCC’s Communications, Security, Reliability and Interoperability Council (CSRIC), are useful frameworks for ISPs to conform to, encouraging greater education of consumers who may not be well versed in computer security matters, as well as encouraging botnet remediation through data sharing amongst operators and the security community.

URL Redirection Abuse


Friday, February 22, 2013 by Chris Barton

It’s great to see Twitter taking the lead on URL shortener security. Twitter acquired Dasient earlier in the year, and it’s refreshing to see that acquisition being put into action securing t.co links; what’s more, t.co is now going to front more and more of the links seen in the service.

Further reading:
http://www.telegraph.co.uk/technology/twitter/9883076/Twitter-shortens-tweets-by-two-characters.html

Since miscreants often “wash” malicious links through URL shortening services, it’s going to be interesting to see how this situation plays out, as my usual stance on shorteners shortening shorteners is simple: DON’T!

I had the pleasure of meeting Neil Daswani yesterday and got a real sense that they’ve got the right guy for the job.

By breaking the norms of shortening and taking their duty of care much more seriously Twitter are really raising the bar for the other URL shorteners.


Android SMS Spambot Update


Tuesday, December 18, 2012 by Andrew Conway

Yesterday we told you about an Android trojan used to send SMS spam. Currently, the versions of this malware being distributed by the spammer are:

  • angrybirds.apk MD5 = a0e7a47c6b3582f9c9a4c5166eb0eace
  • gtavicecity.apk MD5 = a8de900d9ff269455f4344b8e8409699
  • needforspeed.apk MD5 = c18bc53d74e8a6926453a8c86355501a

The Command and Control server has moved to pinktrash.mobi, though imperialistic.mobi is still functional for the handsets infected with the older versions of the trojan.

Lookout Mobile Security have published an interesting blog post on this attack, which they call SpamSoldier. They discuss the techniques used to escape detection. Firstly the app attempts to remove its icon, so that you will not be aware that it is even there. It also attempts to block incoming messages unless they are from someone on your contacts list. This prevents the people your phone is spamming from complaining to you about the spam they received.

So, if you do get SMS spam, don’t bother replying STOP to the sender, just forward that message to 7726 (that’s S-P-A-M on your keypad). Replying STOP will only work for commercial contacts from legitimate companies.

We’re continuing to monitor this attack, so watch the blog, or add it to your RSS feed, if you want to keep up to date.


Android Trojan Used To Create Simple SMS Spam Botnet


Sunday, December 16, 2012 by Andrew Conway

A new crop of trojan mobile applications are demonstrating simple mobile botnet behavior, leveraging infected handsets to spread spam and invitations for other users to download the infected apps. This new evolution of malicious mobile applications is presently being monitored by the Cloudmark mobile security research team who had been investigating a strong uptick in mobile originated spam over the past week.

A random invitation received via SMS to download a free version of a popular Android game like Need for Speed Most Wanted or Angry Birds Star Wars may seem enticing, but as your intuition may hint, the offer is often too good to be true. If you do download this “spamvertised” application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware’s author. In the case of this latest batch of SMS-sending malware that the Cloudmark Research team has been monitoring, your phone will be used to silently send out thousands of spam SMS messages, without your permission, to lists of victim phone numbers that the malware automatically downloads from a command and control server. You had better have an unlimited message plan, or your phone bill may come as a bit of a shock.

The trojan apps were downloaded from sites on a server in Hong Kong offering free games. They claimed to be copies of popular games including the ones I mentioned.

Don’t do it!

Of course you have to jump through some hoops to install an Android app from a random web site rather than Google Play.

Don’t do this, either

Then you have to grant permission to the app to do all sorts of things that no Angry Bird should ever need to do, like surfing the web and sending SMS messages, but not many people read the fine print when installing Android applications.

Once installed, the trojan initiates a connection to a command and control server. The C&C server replies with both a list of spam target phone numbers and the message payload to deliver. After the payload is retrieved, the application duly starts SMS spamming, reporting back to the C&C server on each message sent.

The zombie communicates with the C&C server using HTTP. Typically a message and a list of fifty numbers are returned. The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers. The application reloads automatically after a reboot as it installs itself as a service on the handset.
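The timings just described (a C&C poll every 65 seconds, an SMS every 1.3 seconds) are a steady rhythm that no human-driven handset produces, which makes them detectable from the network or carrier side. The following is an added example, not code from the post or from Lookout: it takes a list of (device, timestamp, destination) events, constructed here to mimic one infected and one clean handset, and reports the device/destination pairs whose inter-event gaps all cluster within a small tolerance of one period. It generalises the two cadences in the text into one periodicity check; the device names, host name and timestamps are placeholders.

```python
"""Spot fixed-interval polling and sending in per-device event records.

Added example, not from the post or Lookout. Devices, hosts and times
below are constructed; the detection is a generic periodicity check.
"""
from collections import defaultdict
from statistics import median

BASE = 1_355_800_000  # constructed epoch origin for the sample events


def _build_sample():
    events = []
    jitter = [0, 1, 0, -1, 0, 1, 0, 0, -1, 0]
    # handset-A polls the C&C host roughly every 65 s (a second of jitter).
    for i, j in enumerate(jitter):
        events.append(("handset-A", BASE + 65 * i + j, "cc.invalid"))
    # handset-A also browses normally at irregular times.
    for t in (7, 300, 1000):
        events.append(("handset-A", BASE + t, "news.example"))
    # handset-A works through a batch of 50 numbers, one SMS every 1.3 s.
    for i in range(50):
        events.append(("handset-A", BASE + 1000 + 1.3 * i, "sms"))
    # handset-B only browses, at irregular times.
    for t in (10, 47, 200, 1300, 1302, 1900):
        events.append(("handset-B", BASE + t, "news.example"))
    return events


SAMPLE_EVENTS = _build_sample()


def periodic_flows(events, min_hits=6, tolerance=0.05):
    """Return {(device, destination): period} for flows with at least
    min_hits events whose every gap lies within tolerance of the median gap.
    Irregular, human-paced traffic never satisfies the all-gaps condition."""
    times = defaultdict(list)
    for device, t, dest in events:
        times[(device, dest)].append(t)
    found = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = median(gaps)
        if period > 0 and all(abs(g - period) <= tolerance * period for g in gaps):
            found[key] = round(period, 3)
    return found


if __name__ == "__main__":
    for (device, dest), period in periodic_flows(SAMPLE_EVENTS).items():
        print(f"{device} -> {dest}: every {period} s")
```

On a carrier's side the same check run over SMS submission timestamps per subscriber is what separates a handset sending one message every 1.3 seconds to fifty strangers from a person texting friends.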

We first saw this spammer on October 26th, when the trojan claimed to be anti-SMS-spam software!

Tired of SMS Spam? Download our free SMS Blocker today to finally rid yourself of unwanted messages! Download now at http://[redacted].com

That attack only lasted one day. Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell. The spammer came back on November 10th, with the free games scam which simply attempts to get the botnet to spread:

Download Grand Theft Auto 3 & Need for Speed Most Wanted for Android phones for free at http://[redacted].mobi for next 24hrs only!

On November 28 the spammer decided to start monetizing. The free game messages continued, but there were also free gift card scam messages mixed in. This is a fairly common sort of SMS spam:

You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at http://[redacted].com can claim it!

Of course, there are not really any free gift cards, this is just a trick to collect your personal information for affiliate programs and sometimes identity theft.

This stayed as a fairly low volume attack until the end of the week before last, when the spammer decided to ramp up his activities. For a couple of days we saw growth rates of 80% per day, with a peak rate of over half a million SMS messages per day.

To date, the following Trojan apps have been identified:

  • needforspeed.apk MD5 = 2e78f497c3b21eed5f303f3bc6740c17
  • needforspeed.apk MD5 = bb5cf7c1d7708611fa4a4c5d5b7de9ba
  • maxpayne.apk MD5 = 916ae10046bb3c2867ea8bf7da3277bc
  • angrybirdstarwarshd.apk MD5 = 86e3fb0e8ca9d562beb714246bf2a2a8
  • gta3game.apk MD5 = 86baa16d3e564874fce8546ed02adc67
  • grandtheftauto.apk MD5 = 220a24a3f48f5e4897fa4a089df7c284
  • angrybirdstarwarsl.apk MD5 = 86e3fb0e8ca9d562beb714246bf2a2a8
  • grandtheftauto3l.apk MD5 = 74a87681a0941764f178dc651ee58646
  • grandtheftautovicecityl.apk MD5 = 989c0a24f7a2a8153c6cef6061a975c9
  • needforspeedl.apk.zip MD5 = cb212a715b6887610bc08c2ff203cd84

These URLs have been used for malware distribution:

  • newestgames.mobi
  • gamerpalace.mobi
  • trendingoffers.com
  • holyoffers.com
  • gamehaven.mobi
  • game-haven.mobi
  • freshoffers.mobi

These URLs have been used by the C&C server:

  • l0rdzs0ldierz.com
  • imperialistic.mobi

Compared with PC botnets this was an unsophisticated attack. However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down. Please help prevent this from becoming a major problem:

  • Only install Android apps from Google Play
  • When you receive SMS spam, forward it to 7726

Share this with your friends and family, and together we can prevent Android botnets.

We’re continuing to monitor this attack and will update the blog with any breaking news.


Grum and the Five Hundred Pound Gorilla


Wednesday, August 08, 2012 by Andrew Conway

A couple of weeks ago the Grum botnet was taken down. There were some extravagant claims made about the impact this would have, but in practice there was nothing that would be noticed by end users. Although Grum had about a hundred thousand zombies sending spam, all of those zombies quickly found themselves on IP address blacklists like Cloudmark Sender Intelligence, or blocked by local policy thresholds for sending emails too frequently. This would block them at connection time, so in many cases their pernicious outpourings did not even make it through to a spam folder.

IP filtering is fast and cheap, and as such it makes a good first line of defense against spam. But if it is the only defense you have then you will soon be inundated by snowshoe spam, and spam from free webmail services whose IPs you cannot block without risking false positives (legitimate messages which are incorrectly identified as spam).

IP addresses are just one of the many identifying characteristics that Cloudmark targets in detecting and filtering spam. What’s more, IP filtering is going to get a lot harder in the next few years, as the five hundred pound gorilla that is IPv6 knuckle-walks onto the Internet landscape.

“The IPv6 address space is big. You just won’t believe how vastly, hugely, mind-bogglingly big it is. I mean, you may think it’s a long way down the road to the chemist’s, but that’s just peanuts to IPv6.”[1]

There are 4,294,967,296 IPv4 addresses (though some are reserved for special purposes), and 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses (ditto). An IPv6 address is split into two parts, 64 bits for the network and 64 bits for the individual computers, but since an individual computer can use as many different ephemeral addresses as it wants within the network, that still leaves potentially 18,446,744,073,709,551,616 addresses for each machine. If spam stays at its current daily volumes that’s enough addresses available to a single machine to give each piece of spam its own address… for the next half a million years. Multiply that by the number of different networks that Grum zombies were on at the height of the infection and you will see that the IP address filtering that was so effective against Grum will simply not be feasible in an IPv6 world.

My colleagues at Cloudmark have already written about the challenges of IPv6 and published a white paper of recommendations but the bottom line is that traditional IP address filtering will no longer be effective in the IPv6 world, and the broader based filtering and validation techniques used by Cloudmark will become even more important against spammers and rogue ISPs.
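The arithmetic behind the post's figures, worked through in code, together with the one consequence a filter designer can act on right away: the 2^64 host addresses in a network all share the same /64 prefix, so that prefix, rather than the full address, is the smallest unit at which reputation can sensibly be kept. This is an added example, not Cloudmark's code or the white paper's recommendation; the daily spam volume of 100 billion messages used to reproduce the "half a million years" figure is an assumption, not a number from the post, and keying reputation on the /64 is shown as an illustration of the address split, not as a complete answer to the problem.

```python
"""IPv6 address arithmetic from the post, plus the /64 collapse.

Added example, not Cloudmark's code. The 100 billion messages/day
figure passed in below is an assumption, not a number from the post.
"""
import ipaddress
from collections import Counter

IPV4_ADDRESSES = 2 ** 32
IPV6_ADDRESSES = 2 ** 128
HOST_BITS = 64                      # low 64 bits identify hosts within a network
HOST_ADDRESSES_PER_NETWORK = 2 ** HOST_BITS


def years_of_unique_addresses(spam_per_day):
    """Years for which one host in one /64 could give every spam message it
    sends its own never-reused source address, at the given daily volume."""
    return HOST_ADDRESSES_PER_NETWORK / (spam_per_day * 365)


def network_key(addr):
    """Reputation key for a sender: the full address for IPv4, but the /64
    network for IPv6, since a host can hop among 2**64 addresses inside it."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.IPv6Interface(f"{ip}/{HOST_BITS}").network)


def reputation_buckets(addresses):
    """Count observed senders per reputation key; many distinct IPv6
    addresses from one network fold into a single bucket."""
    return Counter(network_key(a) for a in addresses)


if __name__ == "__main__":
    print(f"IPv4 addresses: {IPV4_ADDRESSES:,}")
    print(f"IPv6 addresses: {IPV6_ADDRESSES:,}")
    print(f"years at 1e11 spam/day: {years_of_unique_addresses(100_000_000_000):,.0f}")
    print(reputation_buckets(["2001:db8:1:2::1", "2001:db8:1:2:ffff::9", "2001:db8:9::1"]))
```

Even at /64 granularity the key space is 2^64 networks, which is why the post concludes that per-sender address tracking on its own stops being a workable first line of defense.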

[1] From The Hitchhiker’s Guide to IPv6

Alleged Android botnet is nothing new


Friday, July 06, 2012 by Andrew Conway

More fun than the Wimbledon finals is the tit-for-tat finger pointing going on right now between Microsoft and Google. It started when a Microsoft researcher claimed he had found spam coming from an Android botnet. This was based on the Message-ID header, which was identical to that generated by the Yahoo! Android app, and on the IP addresses these messages were coming from. These were from mobile carriers in countries outside North America and Western Europe, where Android malware is more common. Advantage Microsoft…

Google replied that this was more likely from a Windows botnet pretending to be a Droid botnet by spoofing the protocol the Yahoo! Droid app uses to talk to the Yahoo! servers, or by forging headers. Advantage Google…

Microsoft replied, yes, that might be true, but they still think the Droid botnet is more likely. Advantage Microsoft…

At this point each company is challenging the other to come up with the hard evidence to back up their claims by exhibiting the malware (either Droid or Windows) that is sending the spam. For companies with the resources of Google and Microsoft, this probably won’t take long. We know the IP addresses originating the spam, and it should be possible to track at least one guilty device. Reputations are at stake. Like I said, this is more fun than Wimbledon.

It turns out that this Yahoo! Android mobile header is nothing new in the spam world. We’ve been filtering spam containing it for over five months now. We did see a significant increase in new attack volume starting on June 28th, which is why it’s getting all this attention now. Here’s the graph

So, is there Droid malware that has been sending out spam for five months or more without anybody noticing? Five months is a very long time in the Android world. If the spammer is clever enough to avoid detection on the Droid platform for that long, they are also clever enough to reverse engineer the communications from Yahoo! Droid app and spoof it from a PC botnet. Deuce…

So, is Google or Microsoft going to be left with egg (or spam) on their face? If you force me to choose a winner, I think I’ll go with Roger Federer.

UPDATE 7/7/2012: My colleague Mary Landesman has pointed out that there are in fact two spam attacks going on that contain the Yahoo! Android Mobile header. One has been going on for over a year and uses hacked Yahoo! accounts, and one that has started recently in higher volume, that uses fake Yahoo! accounts created for spamming. Could it be that both Microsoft and Google are right, but are talking about different attacks? Is this match going to go to a tie breaker? Stay tuned…

Stopping Email Abuse in IPv6 Networks


Tuesday, June 05, 2012 by Kevin San Diego

Many service providers, network providers, and corporations plan to launch additional IPv6 networks and on-line services during this year’s World IPv6 Day, which falls on June 6th, 2012.

IPv6 promises to enable deployment of a seemingly endless number of networks and devices. IPv6 provides 128 bits of address space, while IPv4 only provides 32 bits. This means that both home users and corporations will have control over publicly addressable IPv6 networks, each of which can be orders of magnitude larger than the entire IPv4 space.

There are potential pitfalls with the much greater address space in IPv6 as compared to the address space available with IPv4. In SMTP in particular, many presently deployed anti-abuse reputation tracking systems would be overwhelmed, as the reputation tracking methods that worked on IPv4 sending addresses are no longer feasible with IPv6 addresses. Long term reputation tracking, IP blacklisting, and traffic shaping have all relied on the ability to track the quality of traffic emanating from a tangible number of IPv4 addresses associated with message-sending MTA clients and spammer-controlled botnet clients alike. Due to the much larger address space in IPv6, brute force reputation tracking of individual IPv6 addresses associated with client behavior presents data storage and processing challenges.

Cloudmark has published a white paper on the best practices associated with handling protocol-level SMTP anti-abuse protection in an IPv6 network.

Rather than searching for individual bad actors, of which there will be too many to track at the single IP address level, Cloudmark is proposing a different approach: one where legitimate senders must first prove themselves eligible to be tracked based on several possible authentication methods.

The proposed methodology takes advantage of the fact that there will be far fewer legitimate senders versus bad senders. Presented below are general features of this approach:

  1. By default, all unknown senders are assigned to a default class of service (CoS) that permits access to a very narrow slice of a shared resource pool within a receiving MTA.
    1. This prevents bad actors from impacting the messaging system even if all messages were classified as spam.
  2. Senders with an established identity graduate to a per-identity CoS and the system will track the sender’s behavior.
    1. Initially, the per-identity CoS will have low limits on throughput.
    2. With continued good behavior, the limits are increased quickly.
    3. In the steady state, a good sender’s limits will be proportional to the expected sending volumes while bad senders’ limits will remain very low.
  3. The ability to establish sender identity is based on the ability to authenticate sender identity via one of the following methods: Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM).
    1. Both of these domain-based identity methods can be leveraged to develop knowledge of sending SMTP client IP ranges over time.
    2. In cases where a domain-based identity cannot be established, the use of “known sender lists” or lookups in WHOIS, or similar protocols, such as those being developed in the IETF’s WEIRDS working group can yield IP address ranges that can be attributed to specific legitimate messaging systems.

This approach evolves beyond the current IP address blacklisting model often used in IPv4 networks. Rather than attempting to continue tracking reputation of bad senders, of which there are potentially vast quantities, this method seeks to track reputation of the comparatively small number of legitimate senders.
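A toy model of the class-of-service scheme in the numbered list above, written as an added example rather than taken from the white paper: unknown senders share one small pool of slots per interval; a sender whose identity can be authenticated (SPF or DKIM pass, represented here as fields on a message dict, since the real authentication checks are out of scope) gets its own limit that starts low, doubles after each interval with a clean record, and halves after a spammy one. The pool size, starting limit, growth rule, spam-ratio threshold and the sample domains are all assumptions chosen to show the mechanism.

```python
"""Toy receiving-MTA admission control with per-identity classes of service.

Added example, not the white paper's code. Pool size, limits, growth rule,
threshold and the sample domains are constructed for the demonstration.
"""
from collections import Counter

SHARED = "<unknown senders>"


def identity_of(msg):
    """Identity a message can be tracked under: SPF-authenticated envelope
    domain, else DKIM signing domain, else None (stays in the shared pool)."""
    if msg.get("spf") == "pass":
        return msg["envelope_domain"]
    if msg.get("dkim") == "pass":
        return msg["dkim_domain"]
    return None


class ReceivingMTA:
    def __init__(self, shared_pool=10, initial_limit=5, max_limit=1000,
                 spam_ratio_threshold=0.1):
        self.shared_pool = shared_pool          # slots for all unknown senders together
        self.initial_limit = initial_limit      # first per-identity limit
        self.max_limit = max_limit
        self.threshold = spam_ratio_threshold
        self.limits = {}                        # identity -> messages allowed per interval
        self.used = Counter()                   # identity or SHARED -> accepted this interval
        self.seen = Counter()                   # identity -> messages judged this interval
        self.spam = Counter()                   # identity -> of those, judged spam

    def admit(self, msg):
        """Accept or reject at SMTP time against the sender's class of service."""
        ident = identity_of(msg)
        if ident is None:
            key, limit = SHARED, self.shared_pool
        else:
            key = ident
            limit = self.limits.setdefault(ident, self.initial_limit)
        if self.used[key] >= limit:
            return False
        self.used[key] += 1
        return True

    def record_verdict(self, msg, is_spam):
        """Feed the content filter's verdict back into the sender's track record."""
        ident = identity_of(msg)
        if ident is None:
            return                               # unknown senders are never tracked individually
        self.seen[ident] += 1
        if is_spam:
            self.spam[ident] += 1

    def end_interval(self):
        """Roll the interval: grow limits for clean identities, shrink for bad ones."""
        for ident, seen in self.seen.items():
            current = self.limits.get(ident, self.initial_limit)
            if self.spam[ident] / seen > self.threshold:
                self.limits[ident] = max(1, current // 2)
            else:
                self.limits[ident] = min(self.max_limit, current * 2)
        self.used.clear()
        self.seen.clear()
        self.spam.clear()
```

Note what the shared pool buys: a flood from a million unauthenticated IPv6 sources can never take more than `shared_pool` slots per interval between them, so the MTA's capacity for senders it knows is untouched even if every one of those messages is spam.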

Additionally, we’ve already received feedback from customers who have enabled IPv6 that some of their first messages were spam. Jason Livingood with Comcast noted the following, “We are proud to have been one of the first large email domains to enable IPv6 for inbound email, and to be on the leading edge of native IPv6 deployment more generally. While our first message after going live was spam, Cloudmark immediately blocked it.”

Additional information on this topic is included in a white paper, which can be found at: http://www.cloudmark.com/en/whitepapers/smtp-abuse-prevention-in-ipv6-networks.

Today’s attempt to take over your machine: Fake AIM updates


Thursday, January 21, 2010 by David Romerstein

Within the last few hours, Cloudmark has seen a marked increase in messages claiming that the recipient’s AIM account is about to be closed and that, to prevent that from happening, the recipient must download and install a new update to the AIM software.

Subject lines include:

  • AIM critical update
  • Your AOL Instant Messenger will be deleted
  • AOL Instant Messenger critical update

Kaspersky identifies the downloaded file as an installer for the Zeus bot, which has been used both for spamming and for stealing personal information and was most recently in the news for having made a home within the Amazon cloud.

As always, practicing safe computing will help you. Be wary of ‘security alerts’ that ask you to download files, pay attention to those URLs (www.aim.com/download is not the same as www.aim.com.download.botdomain.com), and keep your anti-virus and anti-malware programs up-to-date.
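The URL advice above is worth turning into a check, because the eye reads "www.aim.com" at the front of a hostname and stops. The following is an added example, not Cloudmark's code: it extracts the host a browser would actually connect to (discarding any `user@` prefix and port) and accepts a link only if that host is the trusted domain or a subdomain of it, then scans a message body for links that fail the test. The trusted domain and the sample message are constructed.

```python
"""Tell a link that really points at the expected domain from a look-alike.

Added example, not Cloudmark's code; the sample message body below is
constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')]+", re.I)


def hostname_of(url):
    """The host the browser would connect to, lower-cased, with any userinfo
    (user@) and port stripped; None if the URL has no host at all."""
    if "://" not in url:
        url = "http://" + url          # bare "www.example.com/path" forms
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def belongs_to(url, trusted_domain):
    """True only if the host is trusted_domain itself or a subdomain of it.
    "www.aim.com.download.botdomain.com" fails: its parent is botdomain.com,
    and "http://www.aim.com@botdomain.com/" fails: the part before @ is userinfo."""
    host = hostname_of(url)
    if host is None:
        return False
    d = trusted_domain.lower().lstrip(".")
    return host == d or host.endswith("." + d)


def suspicious_links(text, trusted_domain):
    """All links in text whose host is not under trusted_domain."""
    return [u for u in URL_RE.findall(text) if not belongs_to(u, trusted_domain)]


if __name__ == "__main__":
    body = ("Your AOL Instant Messenger will be deleted. Install the critical update at "
            "http://www.aim.com.download.botdomain.com/update.exe or see https://www.aim.com/support")
    print(suspicious_links(body, "aim.com"))
```

The check is deliberately strict about the suffix: `host.endswith(".aim.com")` accepts `www.aim.com` but not `notaim.com`, which a naive `"aim.com" in host` test would let through.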
