George Bush and Microsoft Exploited By Spammers as Malicious Spam Surges to Record High

Published 28th July 2008

LONDON, 25 July 2008 – According to experts from Marshal’s TRACE team, emails with exploitive headlines mentioning George Bush, Microsoft and Al Qaeda in their subject lines are part of a co-ordinated malicious spam campaign from criminals controlling the Rustock botnet.

The recent, large-scale campaign is designed to infect computers with malware and convert them into part of the Rustock botnet - and it is succeeding, says Marshal. Over the last month, Rustock has grown to claim second place amongst the largest spam-producing botnets, behind the Srizbi botnet in first place. Rustock has increased its share of global spam volumes from 10 percent in mid June to 21.5 percent last week, according to Marshal’s TRACE statistics.

Malicious spam, which is designed to infect computers with malware rather than promoting a product, leapt to an all-time high of almost 19 percent of spam last week. In June 2008, malware spam surged to its previous highest level of 10 percent, up from 3 percent where it had been steady since February 2008.

“This newest malicious spam campaign from Rustock stands out for two reasons,” said Phil Hay, Lead Threat Analyst for Marshal’s TRACE Team. “Firstly, it is a particularly good example of an arrangement of social engineering methods designed to get you to lower your guard and infect yourself – it is easy to be taken in by it. Secondly, the scale of the campaign is significant. In terms of volume, this is one of the biggest malicious spam campaigns we have ever seen.”

Rustock’s latest campaign exhibits a broader trend where spammers hack into legitimate web sites to host their malware. Numerous small businesses and private web sites have been targeted in this campaign including a badminton club in China and a hypnotherapist’s site in the United States. Hijacking legitimate websites and using them to host malware makes the spammers harder to track and shut down with less evidence linking the spammers to the malware.

There is a range of messages being sent as part of the campaign, each with a different news headline. Examples include:

• “Bush Down to 8 Friends on Myspace”
• “Yahoo sold to Microsoft, record price”
• “Al Qaeda Reports Declining Revenues in Fiscal ‘08”
• “Martian Soil Fantastic for Growing Weed Says Nasa”
• “Obama Is Anorexic Over-Exerciser”

“Some of the headlines are hard to take seriously and some of them are believably enticing. The Rustock spammers appear to be experimenting to see which types of headlines solicit the most hits from recipients. A common theme seems to be sensationalising recent prominent events such as Microsoft’s bid to acquire Yahoo. Celebrities like Pamela Anderson and Paris Hilton also feature as subjects,” explained Hay.

The body of the messages contains more sensational headlines – usually on a topic unrelated to the subject line – and a URL link. The links typically end with ‘/viewmovie.html’, ‘/stream.html’ or ‘/r.html’. If a recipient clicks on one of these links a webpage opens showing a fake web video attempting to load and a popup window appears prompting the user to install a file called ‘codecinst.exe’. The file is malware. If it is downloaded and installed it fetches a fake Windows XP anti-virus program as well as the Rustock spambot itself.

In addition to this threat, the webpage opened by the link also contains JavaScript components designed to exploit vulnerabilities in Internet Explorer and download the malware automatically.
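The delivery chain described above (a lure headline in the body, a link ending in one of the listed paths, then a prompt to install ‘codecinst.exe’) lends itself to straightforward indicator matching at the mail gateway and the web proxy. The following is an added Python example written for this page; it is not Marshal’s or TRACE’s code. The path suffixes and the file name are taken from the release, while the sample messages, the hostname compromised-site.example.net, the query string and the proxy log format are constructed for the illustration.

```python
import re
from email import message_from_string

# Indicators named in the press release: the URL path endings used in the
# campaign's messages and the fake-codec installer the landing page prompts for.
SUSPICIOUS_PATH_SUFFIXES = ("/viewmovie.html", "/stream.html", "/r.html")
SUSPICIOUS_FILENAMES = ("codecinst.exe",)

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def url_path(url):
    """Return the path component of a URL without query string or fragment."""
    without_scheme = url.split("://", 1)[1]
    rest = without_scheme.split("/", 1)
    path = "/" + rest[1] if len(rest) == 2 else "/"
    return path.split("?", 1)[0].split("#", 1)[0]


def classify_url(url):
    """Return a reason string if the URL matches a campaign indicator, else None."""
    path = url_path(url).lower()
    if path.endswith(SUSPICIOUS_PATH_SUFFIXES):
        return "campaign landing-page path"
    if path.rsplit("/", 1)[-1] in SUSPICIOUS_FILENAMES:
        return "fake codec installer download"
    return None


def message_text(raw):
    """Extract the text/plain body of a raw RFC 822 message (multipart-aware)."""
    msg = message_from_string(raw)
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def scan_message(raw):
    """Return (url, reason) pairs for every suspicious link in a message body."""
    hits = []
    for url in URL_RE.findall(message_text(raw)):
        url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        reason = classify_url(url)
        if reason:
            hits.append((url, reason))
    return hits


def scan_proxy_log(log_text):
    """Return (client_ip, url, reason) for each suspicious request in a proxy log.

    Assumed line format (constructed for this example):
    "<timestamp> <client_ip> <status> <method> <url>".
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[4]
        reason = classify_url(url)
        if reason:
            hits.append((client, url, reason))
    return hits


# Constructed sample messages: a plain-text lure, a benign mail, and a
# multipart lure whose link carries a query string.
SAMPLE_MESSAGES = [
    "From: news@example.com\nTo: user@example.org\n"
    "Subject: Yahoo sold to Microsoft, record price\n\n"
    "Martian Soil Fantastic for Growing Weed Says Nasa\n"
    "http://compromised-site.example.net/viewmovie.html\n",
    "From: colleague@example.org\nTo: user@example.org\n"
    "Subject: Quarterly figures\n\n"
    "Hi, the slides are at https://intranet.example.org/reports/q2.html\n",
    "From: news@example.com\nTo: user@example.org\n"
    "Subject: Bush Down to 8 Friends on Myspace\nMIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="XYZ"\n\n'
    '--XYZ\nContent-Type: text/plain; charset="utf-8"\n\n'
    "Obama Is Anorexic Over-Exerciser\n"
    "http://compromised-site.example.net/r.html?id=42\n"
    '--XYZ\nContent-Type: text/html; charset="utf-8"\n\n'
    '<a href="http://compromised-site.example.net/r.html?id=42">watch</a>\n'
    "--XYZ--\n",
]

# Constructed proxy log: landing page fetch, installer download, benign request.
SAMPLE_PROXY_LOG = """\
1217000000.123 10.0.0.5 TCP_MISS/200 GET http://compromised-site.example.net/stream.html
1217000001.456 10.0.0.5 TCP_MISS/200 GET http://compromised-site.example.net/codecinst.exe
1217000002.789 10.0.0.7 TCP_HIT/200 GET http://www.example.com/index.html
"""

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_MESSAGES):
        print(f"message {i}: {scan_message(raw)}")
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
```

Matching on the path suffix rather than the host is deliberate: the release notes that the landing pages sit on hijacked legitimate sites, so hostnames change from message to message while the page names stay constant. A proxy hit on the landing page followed by a request for the installer from the same client is the sequence worth alerting on, since it indicates the user accepted the fake codec prompt.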

“The spammers appear to realise that recipients are wary of the dangers of executable files in spam messages. They are trying to disguise the installation of the executable under a believable pretext. It is quite common today for people to receive news forwarded to them as links in email. It is also quite common for those links to be related to hosted web videos and for video players to require codec updates before they will work. Even for security conscious users it is easy to fall for this one and it appears that many have,” said Hay.

“Rustock is not a name many people are familiar with but it is well known within the security industry. Today it is one of the most established spambots. Rustock has been operating in various forms for more than two years. Rustock is estimated to comprise over 150,000 infected PCs and distributes close to 30 billion spam messages daily. Based on the way the volume of spam from Rustock has grown over the past month it is reasonable to conclude that the criminals behind it have had great success infecting more PCs with this latest campaign,”

More information and examples of the offending message can be found on Marshal’s TRACE Centre website - http://www.marshal.com/trace/traceitem.asp?article=719.

About Marshal
Marshal is a global leader in content security across multiple protocols, enabling organisations to secure their IT environment, protect against threats and comply with corporate governance needs. Marshal provides customers with a complete portfolio of policy-driven email and Internet solutions that integrate content filtering, compliance, secure messaging and archiving. Forty percent of the Global Fortune 500 companies use Marshal security solutions to secure their corporate messaging networks and Web access against internal abuse and external threats such as viruses, spam and malicious code. More than 7 million users in over 18,000 companies worldwide use Marshal solutions to protect their networks, employees, business assets and corporate reputation and to comply with corporate governance legislation requirements.

Marshal is headquartered in London (UK) with offices in Atlanta (USA), Auckland (New Zealand), Houston (USA), Johannesburg (South Africa), Munich (Germany), Paris (France) and Sydney (Australia). More information is available at www.marshal.com.

About the Marshal TRACE Team
TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats through the TRACE website at www.marshal.com/trace. TRACE services are provided as part of standard product maintenance that includes updates to Marshal’s unique, proprietary anti-spam technology, SpamCensor. TRACE analyses spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. It also provides “Zero Day” security protection against new email and virus exploits the day they emerge.

Contacts:
Melanie Johnson - éclat Marketing
The Old Stables
Rectory Farm
Broadway Road
Lightwater
Surrey
GU18 5SH

Tel : 01276 486 000