Security Watch

Keeping Track of patches and hacks in the IT security world.

Maggoty Hamburgers, Spam Assassination and Mal/Iframe, Oh My

April saw the emergence of company character assassination spam, image spam variations and the dominance of Mal/Iframe—malware that crawls legitimate sites for holes into which it can inject malicious code—according to monthly wrap-up reports from Symantec and Sophos.

Doug Bowers, senior director of anti-abuse engineering at Symantec, said that newly detected spam that libels a well-known U.S. fast food company represents a new and evolving a spam trend.

The e-mail offers $500 worth of the food from "America's most disgusting hamburger restaurant," which the spammer claimed is full of dead insects such as maggots and flies.

"Do what tastes right," the spam urged. "Grab an Old Disgusting Hamburger at X's today." Symantec blocked the fast food restaurant's name so as to limit the spread of the libel.

"This goes into a category of attacks that actively attack the brand of a given company," Bowers said.

The danger is that companies may lose control of what people perceive as their brand, Bowers said, especially with the type of spam that Symantec is seeing, the type that mimics the look and feel of a given company's communications and branding.

The motive of such spam is unclear. A URL given in the spam led directly to the fast food restaurant's site; nor did the spam include instructions on obtaining the money. Blackmail is certainly a possible motive in such cases. Threats of DoS (denial of service) attacks have long been used against online companies in attempts to extract payoffs. Here's an example that Sophos reported back in October, with Russian authorities jailing a gang who blackmailed companies through DDoS (distributed denial-of-service) attacks. In that particular case, the gang is said to have extorted over $4 million from British online casinos and betting Web sites. Financial services firms are another favorite target for online blackmailers.

As far as Web malware goes, Sophos reports that Mal/Iframe accounted for almost half of the Web-based malware seen in April. Once the Iframe-based malware has found a vulnerable site and injected malicious code into it, unwary visitors without security—or lacking patched systems—can become infected when visiting innocent but exploited sites, Sophos says.

"The Iframe-based attacks are a perfect example of a prolific Web threat that targets vulnerable sites—it doesn't care whether the site is hosting pornography or gardening tips," said Carole Theriault, senior security consultant at Sophos, in the company's report.

"This problem is not just a niggle: Sophos research shows that a whopping 70 percent of Web-based malware is being hosted on innocent but exploited Web sites. With people being lured to these innocent but compromised Webpages via cleverly worded e-mail invitations, Web security has to go beyond blocking Web sites based upon category alone. A secure Web defense will also scan pages for malicious content, regardless of whether they are on a site you would normally consider 'safe'."

China, including Hong Kong, gets the dubious distinction of hosting the most malware-infected sites in April, at 56.4 percent. The United States claims second place, at 28.3 percent. Then comes Russia (5.4 percent), Germany (4 percent), France (1.2 percent), and a host of countries each representing less than 1 percent of malware-infected sites. That's a big jump for China and Hong Kong, which hosted only 36 percent of infected sites in March.

"China's rise in the chart is primarily due to the country hosting a large proportion of unpatched sites infected with this Iframe malware," Sophos said.

As far as e-mail-based threats go, Netsky topped the chart, representing 24.7 percent. Dref was second, representing 24 percent.

Symantec also saw a new twist on image spam wherein the scrambled URL of a legitimate photo-sharing site was used to evade some anti-spam URL technologies that require a precise URL path. I chatted with Secure Computing about that last week: Here's the blog posting. Symantec isn't sweating this one too much, since any anti-spam technology that uses pattern matching in URLs can "easily" account for the level of randomization it's seeing, the company said in its May 2007 Spam Monthly Report.

Symantec also picked up on a few interesting takes on 419 spam, named after an article of the Nigerian Criminal Code that deals with fraud. This spam is the well-known type that attempts fraud by talking about African dictators, the sale of natural African reserves such as oil or gas, and the request to help the scammer to move money out of the country.

One new twist on 419 spam is attempting the scam by using the tale of a U.S. soldier in Iraq who stumbled upon $750 million in cash, inside metal boxes in a cement shed.

A second 419 spam twist involves the so-called Zenith Bank Benin that promises to issue an ATM card that can be used to withdraw $1,500 per day, up to $950,000. To get the ATM card, the user has to send personal information such as name, age, current occupation and copy of identification.