New Version of GlobalView Mail Reputation Available

Commtouch announced a new version of our GlobalView Mail Reputation Service, which incorporates enhanced reporting as well as enhanced logic capabilities.

From earlier posts you’ve seen that zombies (aka bots) are responsible for almost all of the unwanted mail traversing the Internet. With even a not-very-good reputation service, you should be able to cut those quantities by quite a bit. With a top-notch one (like, ahem, you-know-who’s) you should be able to eliminate the vast majority of those messages at the network perimeter - somewhere in the range of 90 percent.

Why use a reputation service, when a regular email filtering solution (anti-spam, anti-virus) provides even higher detection levels than that? Well, think of all the IT resources wasted on transmitting unnecessary messages - bandwidth, storage, mail servers. Even if your mail filter identifies most of the spam/malware/phishing, it still has to touch each one of those messages - receive it, identify it, decide whether to quarantine it, delete it, deliver it, and potentially archive it until the end of time even if it was never opened.

Cut out a huge chunk of the messages entering your organization or traveling through your ISP, and you can cut down your storage needs, even reduce the number of mail servers you are using. We are talking about real, quantifiable cost savings.

Also, from the threat perspective, wouldn’t you rather deflect inbound threats at the perimeter, before they’ve even touched anything in your network?

Since this is Commtouch’s third major release of the GlobalView service, we’re now at the stage where we’re adding lots of usability features, such as improved reporting and tailorable throttling logic. The press release about the launch goes into a bit more detail on these new functions.
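The perimeter decision the posts above describe (accept, slow down, or refuse a connecting IP before any message body is read) can be sketched in a few dozen lines. The following is an added illustration, not GlobalView code or its API: the reputation classes, the per-class connection budgets and the three sample IPs are all constructed, and a real deployment would fetch the class from a live lookup rather than a dictionary.

```python
"""Reputation-driven SMTP connection throttling (added illustration).

Assumptions (hypothetical, not the GlobalView API): a lookup maps the
connecting IP to a reputation class; the MTA maps that class to a per-IP
connection budget and decides accept / defer / reject at connect time,
so refused traffic never reaches the content filter or the mail store.
"""
from collections import defaultdict

# Constructed reputation data; in practice this comes from a live lookup.
REPUTATION = {
    "198.51.100.7": "known_zombie",
    "203.0.113.9": "suspect",
    "192.0.2.25": "good",
}

# Connections allowed per IP per window, by reputation class (tunable).
BUDGET = {"good": 100, "unknown": 20, "suspect": 3, "known_zombie": 0}


class Throttle:
    def __init__(self, budget=BUDGET, reputation=REPUTATION):
        self.budget = budget
        self.reputation = reputation
        self.seen = defaultdict(int)  # connections per IP in the current window

    def classify(self, ip):
        """IPs the reputation feed has never seen fall into a cautious middle class."""
        return self.reputation.get(ip, "unknown")

    def decide(self, ip):
        """Return (decision, smtp_reply_code) for one inbound connection."""
        cls = self.classify(ip)
        limit = self.budget[cls]
        if limit == 0:
            # Permanent refusal: a known bot is dropped at the connect banner.
            return ("reject", "554")
        self.seen[ip] += 1
        if self.seen[ip] > limit:
            # Temporary refusal: real MTAs queue and retry; bots mostly do not.
            return ("defer", "421")
        return ("accept", "220")

    def reset_window(self):
        """Call once per rate window (e.g. from a timer) to clear the counters."""
        self.seen.clear()


def simulate(events, throttle=None):
    """Run a list of connecting IPs through one Throttle; returns (ip, decision, code)."""
    t = throttle or Throttle()
    return [(ip, *t.decide(ip)) for ip in events]


if __name__ == "__main__":
    for row in simulate(["198.51.100.7", "203.0.113.9", "203.0.113.9",
                         "203.0.113.9", "203.0.113.9", "192.0.2.25"]):
        print(row)
```

The distinction between a 554 and a 421 is the "tailorable" part: a suspect IP is slowed down rather than blocked outright, so a mis-scored legitimate server still gets its mail through on retry, while a known zombie never costs bandwidth beyond the banner exchange.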

By the way, always one to try out a new communication method, I wrote up a Google Knol on the subject of reputation services. I encourage you to read it, comment on it, review it, even to revise it (although I will be moderating the revisions, just like we moderate comments on this blog - did you know spammers actually try to put spam links in the blog comments?!).


Malware Disguised as IE7 Update

August 6th, 2008 by Rebecca Herson | Category: Email Security, Web Security | 1 Comment »

How ironic - malware distributors are using the vulnerabilities inherent in IE (and other browsers) to distribute malware purporting to be an Internet Explorer update!

The spammers did a few things to make the message appear to be legitimately from Microsoft, spoofing a Microsoft from address, and copy-pasting the MSN text into the bottom. Of course, Microsoft or MSN would never send out such a badly designed email, especially if it’s HTML-based (this has to be an HTML email since they used big colored fonts for the hyperlink, and you can’t see the actual URLs; in a plain text email you’d see the URLs written out with “http://….”), but some people might not realize that, and inadvertently click on the link, only to find themselves downloading paris-nude-video.avi.exe. Jeez, couldn’t they at least change the name of the file to something more Microsoft IE-related? The nude-video stuff gives it away in a second.


“Video” Malware Adopts the CNN Daily Top 10 Brand

After distributing outlandish headlines for months, malware distributors have taken the next logical step and are starting to package them together in email newsletters, more specifically, pretending to be “CNN Daily Top 10” headline email newsletters. Here is a sample email:

Each enticing headline in the message links to a malware site, not to CNN, of course. However the messages are serving the actual CNN graphics directly from the CNN site, to add to its appearance of legitimacy.

Since the newsletter looks real, it’s most likely specifically designed to bypass both content-based anti-spam filters, and people’s natural suspicion of unsolicited mail. Accessing the web site hyperlinked from the message will automatically download the malware file “get_flash_update.exe”. On Internet Explorer the download happens automatically.

Special thanks to our lab for sending me this screenshot of the malware site (taken in Firefox…).


What Will Zombies/Bots Do Next?

August 3rd, 2008 by Jay | Category: Email Security, Zombies/Botnets | Leave a comment »

During the past several months, I have met with industry thought leaders in network security products and services to discuss the growing threats of botnets, zombies and other ways to describe the issue of compromised hosts.

One of the topics of conversation: what will the bots do next? And do these swiss-army knives of badware do multiple things?

ClickForensics, an innovative group based in Austin, has just published their quarterly review of click-fraud, and declared that bots are committing >25% of the fraudulent clicks.

In our analysis at Commtouch, we see spambots distributing malware, acting as webhosts for phishing sites, and engaging in massive distributed spam campaigns. We have worked with several partners to test how our GlobalView Zombie Intelligence Database correlates with clickfraud, DDOS, spyware, and phishing.

If you would like to test out how our data matches up with yours, please contact us at: info@commtouch.com.


Flash in the Spam

July 28th, 2008 by Rebecca Herson | Category: Spam Favorites | 1 Comment »

OK, the title is a lousy play on words, but the new spam tactic with hyperlinks to Flash files is actually pretty neat. You most likely know by now that spammers will look for any way to bypass content-based anti-spam filters. And they tried a new trick today: sending spam messages whose hyperlink call to action was actually to a hosted Macromedia Flash file. In case you are not familiar with Flash, it is the software program behind many animations on the Web (see, for example, the moving text & twirly rings on Commtouch’s home page). Flash is all over the Internet, but usually people do not link to the Flash files themselves (which have an ending of .swf) but rather to a regular web page which holds the Flash (which has an ending of .htm, .html, .asp, etc.). But if you link directly to a .swf file, most browsers will still play the Flash file. And if the Flash file is actually not an animation at all, and just contains a simple redirect to a pharmacy spam site, then, well, the spammer succeeded in getting the clicker to go to the spam site. Clever, huh?

Why would most web developers and legitimate email marketers not direct a visitor/email recipient directly to a hosted .swf (Flash) file? Because .swf files usually need some additional information to display properly; most notably, the browser needs to know what size to display the file at, and that information is provided by the page that it sits in. So, these spammers are exploiting non-normative behavior (would you expect anything less?), figuring that content-based anti-spam filters would not be smart enough to scan for .swf files.

Even more interesting is where the .swf files are being hosted: a free image hosting site. Any anti-spam engine that tries to solve this issue by blocking all links from that site runs the risk of blocking legitimate messages with links to pictures of the grandkids (nasty false positives). Commtouch Recurrent Pattern Detection technology blocks these and other types of spam messages based on recurrent data patterns in the massive outbreak.

So… the question remains, will “Flash in the spam” be just a “flash in the pan”? (forgive me…I couldn’t resist) Well, this type of spam was being distributed in fairly massive quantities throughout today, and if traditional content-filters cannot find a way to block it easily, it could become another typical tactic added to spammers’ arsenals.
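The three lures on this page that a content filter can actually see in the HTML (the IE7 "update" whose link hides a video.avi.exe download, the MSN-styled message with big colored link text and no visible URL, and the direct .swf link on a free image host) all come down to inspecting each anchor's href and visible text. The following link analyzer is an added example, not Commtouch code and not a description of Recurrent Pattern Detection; the heuristic names, the sample message, the hosts and the IP address in it are constructed. It flags the .swf case by path rather than by host, which is the point the post makes about not blocking the whole image-hosting site.

```python
"""Heuristic link checks for HTML email (added illustration, not Commtouch code).

Flags: a hyperlink whose target is a bare .swf file (a Flash file normally
sits inside an .html page, so a direct link is unusual), a download whose
filename hides an executable behind a media extension (video.avi.exe), and
link text that names one host while the href points at another.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import os
import re

EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat"}
MEDIA = {".avi", ".mp4", ".mpg", ".jpg", ".gif", ".pdf"}
# Visible link text that itself looks like a URL or host name.
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)  # text inside <font>, <b>, etc. still counts

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def path_extensions(url):
    """Last two extensions of the URL path, lowercased, e.g. ['.avi', '.exe']."""
    name = os.path.basename(urlparse(url).path)
    exts = []
    while True:
        name, ext = os.path.splitext(name)
        if not ext:
            break
        exts.insert(0, ext.lower())
    return exts[-2:]


def classify_link(href, text):
    """Return the list of heuristic names that fire for one hyperlink."""
    reasons = []
    target = urlparse(href)
    exts = path_extensions(href)
    if exts and exts[-1] == ".swf":
        reasons.append("direct_swf_link")
    if exts and exts[-1] in EXECUTABLE:
        reasons.append("executable_download")
        if len(exts) == 2 and exts[0] in MEDIA:
            reasons.append("double_extension")
    if URLISH.match(text):
        shown = urlparse(text if "://" in text else "http://" + text)
        if shown.hostname != target.hostname:
            reasons.append("display_host_mismatch")
    return reasons


def analyze(html_body):
    """Return [(href, [reasons...]), ...] for every anchor in the body."""
    p = LinkCollector()
    p.feed(html_body)
    return [(href, classify_link(href, text)) for href, text in p.links]


# Constructed sample message combining the lures discussed on the page.
SAMPLE = """
<html><body>
<p>Update your browser: <a href="http://198.51.100.7/paris-nude-video.avi.exe">www.microsoft.com/ie7</a></p>
<p><a href="http://img-host.example/u/12345/ad.swf"><font size="6" color="red">Buy now</font></a></p>
<p><a href="http://www.example.org/news/story.html">Read more</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reasons in analyze(SAMPLE):
        print(href, reasons or "clean")
```

None of these rules is a verdict on its own; a legitimate newsletter can carry a mismatched display host through a tracking redirector, and a game site can link a .swf directly. They are signals to feed a scoring or pattern engine, and the .swf rule deliberately keys on the file extension in the path so that ordinary image links on the same free host pass untouched.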


Spam and Malware Roundup

I may have disappeared for the last couple weeks, but the spam and malware did not, so this post is a roundup of various outbreaks that I wasn’t able to report on at the moment they happened. In parentheses is the date I would have (should’ve could’ve) reported on these items had I been truly on top of things:

“UPS” Malware (July 13)

We’ve gotten used to the “blended threat” malware that refers email recipients to an infected web site, however good old attachment malware is still around; the “UPS” malware was a traditional outbreak of emails with a malware attachment. It began and was detected by Commtouch on July 13, with an outbreak of text-based messages purporting not to be able to deliver a package. If the recipient would just open the attached invoice…everything will be OK. Several sites have already reported on this malware, and the fact that not all AVs will catch it, but what they didn’t show is how the outbreak has come in short, massive waves or bursts. Reporting slightly after the fact like this gives me the advantage of being able to show a trend over time, so below is the graph of samples per variant per day of ups_invoice.exe, the malware attached in those messages:

Seems to be slowing down, but it’s not over ’til it’s over…

More Naked Celebrities (July 18)

Will the world never tire of seeing popular film stars unclothed? Sorry, that was a rhetorical question. Here is a blended outbreak that was distributed via spam messages, and hyperlinked users to a fake movie site, to view an MP4 of their favorite movie star. In the example below, it was Demi Moore, but other stars were similarly promoted for the cause of malware.

Amero Spam (July 21)

I like this one, just because of how far-fetched it is. This outbreak is based on the long-running urban legend that North America is planning to roll out a unified currency similar to that of Europe, the Euro. This new money would, of course, be called the “Amero.” If you click on the link in the message (with subjects like “Dollar is dead”, “no dollars anymore”, and “Amero arrives”), the amero.exe malware (a form of Storm worm, aka Tibs, Nuwar, or Zhelatin) will automatically download. Bear in mind that even though “Storm” keeps re-appearing, each time it is in different forms. At the time our analysts ran the malware through Virus Total, only 11 out of the 30 AVs tested identified it.

Here is a sample message:

and the web site it leads to:

Watch Free Movie - massive blended threat outbreak (July 22)

More blended threats with the movie theme. However this outbreak’s malicious web pages were inserted into otherwise legitimate web sites, most likely through hacking. The subjects and contents played on people’s macabre sense of curiosity (what is it about losing a body part that always brings an audience?):

  • snake caught swallowing horse
  • boy pokes fork into sister’s eye
  • boy 4, pulls off sister’s ear
  • man breaks arm in horror fall
  • horses breaks riders skull in freak attack
  • raw footage of snake swallowing horse
  • kids rob elderly, police open fire
  • woman loses foot in shock attack
  • horse kicks harrison ford in stomach
  • woman loses nose after dog attack
  • police open fire on elderly in iowa
  • man loses eye in fight

The really amusing part of this outbreak is that the subject line of the email message didn’t necessarily have anything to do with the internal message. For example, in one sample I saw, the subject was “Woman loses foot in shock attack,” and the internal message says: “Boy gouges teacher’s eye out in class,” followed by a link to http://…..viewmovie.html. I guess this was a case of over-randomization on the part of the spammers. BTW do you think they meant “shark attack”? Hmmmmm…

Because the malware was placed on otherwise non-malicious web sites, it raises the issue for web security scanners of how deep into a web site do you go when looking for malware? If the site is legitimate, can you assume that all of the content on that site is legitimate? As this case has proven, you cannot. Let’s say your AV doesn’t block this malware file that automatically downloads, codecinst.exe (and at the time the outbreak peaked, more than half of them did not identify it). Wouldn’t you feel more comfortable having a web security solution that could tell you the likelihood of this site being hacked?

More Love Blended Threats/ Postcard (July 25)

Tried and true methods for infecting new computers with bots will probably never go away, and love is one of those methods. More love spam/malware outbreaks with links to web sites that automatically download “postcard.exe”. Yawn. We’ve seen this before, a few times, certainly more than once, and I’m sure we’ll see it again. More Tibs/Nuwar/Zhelatin (aka Storm Worm). As boring as it is, it’s still happening, and still infecting people’s computers! And in this case a whopping 16 out of 35 AVs could identify it.

That’s all for now

Thanks for indulging me this long catch-up post. I’ll try not to fall behind any more, but won’t promise, since I don’t like to promise something I’m not 100% sure I can keep.


Greetings from Phuket (it was work, really)

July 15th, 2008 by Yael | Category: Commtouch Lore, Security Conferences | 1 Comment »

Sawadika (that’s hello in Thai)…

What could be better than fresh pineapple juice? The answer is fresh pineapple juice in the morning on one of the beautiful Andaman ocean beaches in Phuket, Thailand. Well, I had to make do with the fresh pineapple juice and a walk down to the OPSEC pavilion, but still not that bad when you come to think of it…

Checkpoint was having its Asian CPX (“Check Point Experience”) this year on one of the Thai islands – Phuket. Indeed it was challenging to get oneself to go to the CPX rather than to the beach, but it was worth it.
Just to keep you all in the picture, Commtouch technology is behind 3 of the 6 dimensions of Messaging Security, which is the new (well, new as of a few months ago….) module within the Check Point UTM-1 line of products.

One of the nicest surprises for me was Gil Shwed’s (Check Point’s CEO) opening session, where he mentioned Messaging Security more than once, as one of the great benefits Checkpoint has now to offer. I was positively beaming with pride during this keynote.

CPX was a great opportunity to meet many of Checkpoint’s resellers and distributors of the region, some of whom have already started selling UTM-1 with Messaging Security, and some who are just starting to become aware of the new product line. There was a lot of interest in what and how Commtouch does (unbelievable, but we catch spam without any content filtering engine!), not only in the already published services, but also in the upcoming new service of Web Security. I also enjoyed meeting up with some of Checkpoint’s country managers.

All in all, there is no doubt that Check Point knows how to organize a great event, making sure everyone leaves with new technical knowledge as well as a big smile (good food and drink always help). And just to prove how security-oriented the whole atmosphere was at the Hilton Phuket, last Monday they held tsunami evacuation exercises for their teams while we were starting the conference. So we were treated to calls of “Tsunami Tsunami” over the loudspeakers (luckily we had been informed in advance that it was a drill).

Here are some pictures to share the good mood of the event:

Juggling the Commtouch stress balls with colleagues from Crossbeam and Secure Passage.

These are the stress balls, by the way, which were a big hit with the attendees (but how could you be stressed in Phuket?):

Congratulations to the winner of our lottery, Mr. Paul Dumindin of Globe Telecom, the Philippines (that’s me on the left):

And just to make you all jealous, a single picture of the gorgeous beach:

Luckily for both the organizers and the participants, the weather during the event was only so-so, but the few days before and afterward were fantastic, so we got a perfect combination of work and pleasure.

Looking forward to next year’s event.


Angelina Jolie Malware “Video”

July 15th, 2008 by Rebecca Herson | Category: Email Security | Leave a comment »

I know some people get excited about the prospect of a new video of Angelina Jolie (with or without her new twins), but it’s not recommended to download one that ends in “.exe” since it’s most likely malware :)

Building on the trend from the past few months of using standard MSN messages (links and all) to embed spam communication, now malware distributors are doing the same thing, only using the messages to distribute malware.

Below is a sample message, which looks almost exactly the same as previous “MSN-type” outbreaks.

However the image in this case is not for pharmaceutical spam, but a topless Angelina Jolie (or lookalike) which I’ll spare you. The message contains a hyperlink to download the malware file video-nude-anjelina.avi.exe. (Although if the .exe suffix wasn’t enough of a clue, perhaps the misspelling of the actress’s first name would tip you off…)


Zombies winning? I disagree.

Commtouch recently announced our Q2 email threat trend report, which indicated, among other things:

  • Spam levels throughout the second quarter averaged 77%, ranging from a low of 64% to a peak of 94% of all email towards the end of the quarter
  • 10 million zombie IP addresses were active each day, on average
  • Pharmaceutical spam was the most popular topic in Q2, comprising 46% of all spam

Are these bullets different than previous quarters? Well, yes, just like the weather changes from day to day, and season to season. Last quarter may have been a bit colder and more rainy than this quarter; similarly we had more “enhancer” spam in the previous quarter than this quarter. But for some reason this quarter’s trend report generated much more provocative headlines than earlier reports, for example “Botnets Winning Spam Wars” by John E. Dunn in Techworld (and syndicated to dozens of other publications). I’m trying to figure out why our fairly staid report — one that has appeared in similar format for a couple of years already — got such… dare I say… sensational coverage?

In this post I’d like to respond to a few of the comments that came up in articles and other blogs about the report. First of all, Commtouch does not think that the botnets are winning the spam wars. What the report does state, however, is that botnets are wily and dynamic, and can outsmart traditional filtering methods, like content filters or black lists. There are several solutions out there - Commtouch’s included - that are fighting botnets and winning, in our case, simply by blocking their activity, or providing datafeeds of botnet IP addresses to partners that incorporate that information into their anti-botnet undertakings.

Joel Hruska of Ars Technica, a blog which I really enjoy and respect, also goes for the zinger headline, “Botnets Continue to Defy Containment Attempts.” He says a few things I’d like to respond to:

Commtouch steps through the various types of attacks it saw in the second quarter, but virtually all of them would be familiar to anyone who regularly follows security topics.

Yup, I agree, and like I said, it’s like the weather. One day a “blizzard” of Chinese earthquake spam, another day a new type of blended threat. And who doesn’t like to read the weather report from time to time? On the other hand, we do provide certain statistics that are not necessarily familiar from simple observation of your spam quarantine (or inbox, depending on how successful your email filter is), unless one is tracking the Commtouch stats on an ongoing basis.

Next quote:

Commtouch has two postulates: that anti-malware companies are running up a mountain that’s collapsing beneath them when it comes to keeping up with malware variations, and that it’s easy for a malware company to switch from botnet to botnet as a means of delivering their product. These could form the basis of a discussion of whether or not current anti-malware “best practices” will ever be able to address the crisis at hand.

Well, I agree and thanks for writing it much better and more succinctly than we could have written it ourselves :) And we’d be happy to discuss this in more depth, which we have in other more malware-specific reports. Of course we believe that we have a solution for blocking multiple malware variations, but that leads us to his next statement:

Instead, Commtouch chooses to leverage its report as an advertisement for its own product line. Despite the company’s promising verbiage, it seems less and less likely that any single company will ever stumble on the magic combination of filters and heuristics to force malware authors to radically change their methods.

Ouch. It’s funny, I review every report we publish and always think to myself - should we be pushing more Commtouch product-specific messages in there? And I usually hold myself back, because the reports are well-read and (I’d like to think) respected in the industry precisely because they do not read like a product pitch. If we’re starting to get too commercial in these reports, then I guess that’s a warning sign that we need to tone it down a bit and go back to our more research-oriented report roots. On the other hand, Commtouch does not pretend to be anything but what we are - a company that profits by selling email filtering software and services. So if a product pitch somehow slipped into one of our reports, I can understand how it could conceivably happen.

As for the second part of that statement, I tend to agree that there is probably no one single magic combination to block all the bad stuff out there, however as our licensing partners have found, (watch out, here comes the product pitch) combining Commtouch technology as part of defense in depth does work, and our 100 licensing partners and their tens of thousands of end-customers will attest to it.


Storm Worm “Invades Iran”

Something about the “rockets red glare” of July 4th must have gotten the Storm Wormers in the mood for aggressive action, and the next outbreak has been a faux invasion of Iran, with the following malware web site:

Based on a quick scan of the iran_occupation.exe malware file by VirusTotal, the results show that only 14 out of the 33 engines tested identify and protect against the malware.
