Chris Mosby at myITforum.com

Posted on behalf of Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services

Happy New Year! The uncertainty of what 2010 will bring news-wise is exactly what makes the spam landscape, well, interesting and unpredictable. Although we can predict general threat trends as we have in our 2010 Security Predictions, we can never foresee spam’s entire future which makes everyday a virtual crap-shoot – to an extent – for our MessageLabs Intelligence Team.

Let’s take a look back at the events that shaped the 2009 spam landscape:

The global credit crisis and the election of US President Barack Obama provided two major themes to much of the spam blocked in early 2009. Other events, festivities and news stories also contributed to many spam themes in 2009, including:

•    St. Valentine’s Day on 14 February

•    St. Patrick’s Day and NCAA March Madness in the US in March

•    4 July Independence Day in the US

•    Global flu pandemic of H1N1

•    Fatal crash of Air France flight 447

•    Deaths of singer Michael Jackson and actor Patrick Swayze.

Interestingly, following the death of Michael Jackson on 25 June, the topic had been quickly adopted in several spam campaigns and at the time, approximately one percent of all spam referenced Michael Jackson.

Even before Jackson’s death, news of Farrah Fawcett’s passing precipitated a spate of spam purporting to relate to her death and later when the death of Patrick Swayze was announced on 15 September it was only a matter of time before the spammers and cyber criminals used the opportunity to tailor their output accordingly.

The financial gloom has served as a popular topic for spammers and fraudsters, especially during the first half of 2009. As credit became harder to secure through traditional means and the global economic woes provided consumers with uncertainty, spammers, fraudsters and phishers added the recession to their list of themes to leverage. 

In February, spam containing hyperlinks to a number of major well-known search engines delivered much of the early recession-based spam. The hyperlinks were not using automated redirection links as had been seen previously, but using an automated search for the spammers’ website domains.  Search engine spamming techniques enable the spammers to include a hyperlink constructed from a search engine query within the body of the email. When the link is followed it leads the browser to the spammers’ websites.

Rather than watching the news and reacting by manually tweaking the subjects and content of their spam runs, MessageLabs Intelligence has tracked numerous spam runs that very strongly indicate a high level of automation in producing news-related spam campaigns.  Spammers aim to do as much as possible to attract or lure the recipient into opening the email, and reading it.  Spammers have demonstrated repeatedly that using topical or newsworthy events in subjects and in the spam message body is a very fruitful way to push up response rates.  As 2010 dawns, spam campaigns featuring a breaking news story can filter through to inboxes faster than ever before, as automated scripts scrape headlines and the text of new stories from hundreds of news sites. 

This is not a new thing, but anecdotally MessageLabs Intelligence suspects that newsworthy events are being squirted into spam campaigns more and more.  Increasingly spam campaigns are lined up very much in the style of <insert subject here>, and these automated scripts ensure that whatever the hot topic is, that internet users are reading in their lunch break, or seeing flood in to twitter or RSS feeds, is also appearing in inboxes in spam subjects.  With interest in the news event at a maximum within the first 12 hours or so of the story breaking, spammers are right there riding on the interest that the story generates.

An example of this a recent spam campaign where a news headline about a cricketer scoring a century, came through within hours of the century being scored.  The spam subject was found on a news website which suggests that some automated script picked up the headline.

Stay tuned as MessageLabs Intelligence uncovers what 2010 will bring.

For real-time updates on the threat landscape, follow us on Twitter @MessageLabs

To download the MessageLabs Intelligence Annual Report in its entirety, please visit: http://www.messagelabs.com/resources/mlireports

The car accident involving Tiger Woods last night outside his home in Windemere, Florida has been generating a lot of heat as far as Web traffic and searches go. Since the news broke, the top web searches on Google has been related to the this story. Even hours after the break of the story, six out of the top ten search items are still related to this event.  Tiger Woods is obviously a huge celebrity from a sport that has a huge worldwide following. The circumstances surrounding this accident are still as yet unclear.  

From an IT security point of view this unfortunate incident is just another fruit ripe for the picking as far as malware writers are concerned. So it comes as no surprise that the creators of rogue antivirus or misleading application software have already jumped on the bandwagon and attempted to poison web search engine results to take advantage of this spike in web search activity.

We have observed some search engine results redirecting to a few malicious domains which are:

• vir-curemypc-now.com
• egafuki.cn
• online-scanner-free.net

The sites go through the usual fake scanning activity before pointing out a whole host of serious errors and threats that needs to be cleaned from your computer. For a video of how these misleading applications generally behave you can view this video made by my colleague Benjamin Nahorney.

The files on offer on this occasion may be one of the following:

• setup_build6_195.exe (Download.MisleadApp)
• install[RANDOM NUMBER].exe (Detected as Downloader or Trojan.FakeAV)

 

As you already know, taking advantage of celebrity mishaps, major news events or disasters is nothing new. We have seen this kind of activity before in relation to Serena Williams, Farah Fawcett, Michael Jackson, Tsunamis, the list is endless. So this is just another reminder that we always have to be on our guard. When searching for information on the Web, make sure your legitimate antivirus software is updated and if you are ever feel yourself being strong-armed into buying antivirus software from any dubious online sources-Don't do it! Instead go to a trusted source such as your local physical shop.
 

And if you are interested in the real news, try one of these sources:
• Reuters

• CNN

• BBC

It's only been a couple of short weeks since the iPhone background-changing incident that took the world by storm (well, parts of Australia at least), but already a Dutch ISP has reported what would be the first malicious iPhone worm to be seen in the wild.

Unfortunate news to be sure, but not exactly surprising. Our two recent blogs relating to iPhone threats warned (and I quote) that 'the publicly released code could easily be altered so that consequences were not so benign'. In case you missed them, the first blog was about the Ikee rickroller, which wasn't really considered malicious in that it only changed the iPhone background to a picture of 80's pop singer Rick Astley and was really more of a warning from the creator that jailbroken iPhones in a certain state could be compromised. That incident was followed closely by a hacktool that ran on computers but tried to scan for and log onto vulnerable devices. In both cases the so called vulnerable devices were restricted to jailbroken iPhones running SSH and using the default password of "alpine".

The new worm, which also targets jailbroken iPhones running SSH and still using the default password, can reportedly steal data contained on the iPhone as well as connect back to the attacker giving them control over the phone including the ability to download and install malware onto it. The root password may also be changed in order to prevent the owner from accessing the device. Unlike the first iPhone worm, this one appears to cover a much broader range of IP addresses, including UPC in the Netherlands, Optus in Australia, possibly a Hungarian and a Portuguese provider, T-Mobile and potentially many others. And although this particular incarnation seems to be very similar in functionality to the hacktool we blogged about , this one supposedly runs and spreads directly from an infected iPhone, not from a computer.

We are currently attempting to source a sample for analysis and will provide more information as it comes to light. If you have been infected and/or have a sample that you can share with us please post about it on the Norton Forum here.

After all the fuss caused by the previous incidents it's hard to believe anyone would have left their jailbroken iPhone in a vulnerable state, but if you think your iPhone (or iPod Touch) may have been compromised, or if you have jailbroken your device and are worried about it, we recommend that you backup your data then restore your device to its factory settings and where applicable apply the latest firmware update from Apple.

We also highly recommend you never leave a password blank, or as the factory default.

UPDATE: Scott McIntyre at XS4ALL kindly provided us with a sample. We have added detection for it as iPhoneOS.Ikee.B.