Richi'Blog
Stuff 'n' nonsense about email, spam, travel, and life in the UK.

Tuesday, July 03, 2007

Srizbi Spam Bot is Nastier than we Thought

According to Symantec's Kaoru Hayashi, last month's Srizbi Trojan is nastier than it at first appeared. It could be a peek at things to come in the world of spam-sending bots.

Naturally, as a malware geek, Hayashi doesn't call it "nasty" -- he says "really interesting":
Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that it's probably the first full-kernel malware spotted in the wild.

Once the Trojan is installed, it works without any user mode payload and does everything from kernel-mode, including sending spam ... The most interesting code is contained in the spam routine. We know that using network functionalities directly from kernel-mode is much more complicated and we have seen many rootkit threats in the past - for example, Haxdoor, Rustock, and Peacomm - always carrying over a user-mode payload that gets injected into some Windows processes. Trojan.Srizbi seems to move a step forward by working totally in kernel-mode without the need to inject anything into user-mode.
...
We think this sample is still in a “beta” stage and it’s not finished yet.
The implication being that, if a future version of Srizbi fixes the problems that currently make it visible, detection gets a lot harder. Needless to say, that may well cause more spam to get sent before an infection could be detected and remediated.

I especially liked this bit:
[It] seems to include a special routine to uninstall competitor rootkits, such as “wincom32.sys” and “ntio256.sys”.
Classy.

Friday, June 08, 2007

Weird Story in Computerworld

Greetings from Vegas.

My chums at Computerworld have put up a very oddly-written story today. It seems that Kingfisher Bay, an Australian resort, was using an "aging" version of Symantec's spam filter. Surprise-surprise, old versions of spam filters don't work very well, letting through a lot of spam.

In fact, it turns out that the resort wasn't using the Symantec Brightmail technology at all. It was still using the old, pre-Brightmail engine. Oddly, Symantec still sells this -- can't see why that's a good idea.

Anyway, it sounds to me like the company decided it wanted to use a managed service, rather than an in-house solution. Many smaller organizations are making this choice. Their obvious targets are MessageLabs, Postini, Microsoft (née FrontBridge), or a bunch of smaller/regional providers.

In the end, they chose MessageLabs. Naturally, MessageLabs is crowing to the press about how it's gained a customer from Symantec.

But hang on, doesn't MessageLabs use Symantec Brightmail anti-spam for its service? How ironic...

Friday, June 01, 2007

Zulfikar Ramzan is Correct About Phishing

Zully is right on in his demolition of Mikko Hypponen's idea for a ".bank" TLD.

Writing on Symantec's Security Response weblog, he basically urinates all over Mikko's plan (although he's a lot more diplomatic than that). Some choice cuts:
Phishers don’t have to use the .bank extension and most users will fail to notice ... if you look at almost every phishing site these days, the URL itself is a blatant giveaway that you’re not at an authentic site
...
The proposal will also lull users into a false sense of security for a number of reasons ... The bad guys may still be able to get .bank domains ... won’t stop phishing attacks that exploit cross-site scripting vulnerabilities ... Browsers are sometimes susceptible to address-bar overlay vulnerabilities. [read more]
Or, to put it another way, the problem with this proposal is that roughly half the population have below-average intelligence (hat tip: APHC).

Sure, it's easy to be a critic, but such ideas just waste energy that could be ploughed into useful furrows, such as DKIM and domain-level reputation.

See also: BofA Sitekey, Yahoo! Signin Seal, etc., etc.

Tuesday, May 08, 2007

Flies, Maggots, and Russian Brides

Symantec has its latest monthly "State of the Spam Union" report out. A couple of things caught my eye:

  1. [REDACTED] is America's most disgusting hamburger restaurant ... food is full of dead insects, such as flies and maggots -- delightful little anti-brand spam this. Must be pretty low volume though, 'cos I've not seen one in my traps.
  2. A new use for tweaked images, where each spam message has a slightly different image -- oft-used in stock kiting spam, they're now being used to spamvertise Russian brides! Is nothing sacred?

Tuesday, March 20, 2007

Symantec's Internet Security Threat Report

Symantec has just released its twice-yearly Internet Security Threat Report. This contains plenty of interesting data from the perspective of Symantec's Security Response team. Well, "interesting" if you're interested in that sort of thing...

Here are some highlights (percentage changes are over a six month period):

  • About half of identity thefts are caused by loss or theft of laptops and other hardware containing personal data
  • Denial of Service attacks are down about 20%
  • Botnet activity is up by about 10% (in terms of number of active zombies)
    • China hosted about one quarter of these zombies -- more than any other single country
    • The U.S. hosted about 40% of the botnet command-and-control nodes
  • New vulnerabilities (e.g. in Windows or Web applications) were up about 10%
    • Operating system vendors are taking "longer" to patch vulnerabilities (no quantitative data disclosed)
  • The Stration family of worms was the most widely-reported
  • Email is still the most-used vector for propagating viruses and other malware -- at about 75%
  • Phishing is up 5% in terms of numbers of campaigns, and about 20% in terms of volume
    • Phishing attacks are more likely to be sent on a weekday than at the weekend
  • Stock kiting and other financial services spam represented about a third of all spam

Friday, March 02, 2007

Drop Everything and Patch Symantec Mail Security for SMTP

Running Symantec Mail Security for SMTP? Stop what you're doing and download the patch (patch 176 at the time of writing).

Seems like a craftily-crafted incoming message can cause a buffer overrun. This may lead to code execution. [Update: Symantec now confirms that they see no chance of arbitrary code execution, merely denial of service.]

Currently being exploited. The code in question tries to infiltrate a Microsoft SQL Server, presumably in order to steal passwords. Another good reason to segment your servers so that they each have a single role; perhaps using virtualization.

Of course, a patch for this bug has been available for eight months, but that doesn't seem to have stopped exploits causing some trouble over at Turner Broadcasting System.

So run: don't walk. More at US-CERT.

Friday, January 19, 2007

Symantec: Spammers Forge Phony Newsletters, Trying to Fool Filters

It seems that spammers have a new tactic in their war to get their unwanted... uhhh... content through our spam filters: forged newsletters.

What they're doing is sending messages that look like legitimate newsletters. Nasty. Examples seen so far appear to be from well-known brands such as 1-800-Flowers, Kohl, U.S. Airways, and "a fantasy football league" [Statto the spammer?].

There's no suggestion that the spammers have broken into the sending systems used by these brands. They just seem to be cloning legitimate content and modifying it. In the same way that phishers modify a bank's legitimate transactional messages to link to their own site, these spammers are taking copies of legitimate newsletters and tweaking them to include their spamvertisements.

But why go to all that trouble?

The idea is to take advantage of people's abhorrence of false positives. Spam filters will be carefully programmed, trained, or whitelisted to let legitimate newsletters through. If a spammer can make their spam look like one of these newsletters -- especially a widely-read newsletter -- they can get through the filter and in front of the user's eyes.
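One cheap defensive check against the cloned-newsletter trick described above, as an added example (not code from the original post or from Symantec): a whitelisted newsletter should only carry links to the brand's own hosts, so any href pointing elsewhere is the tell-tale "spamvertisement". The brand domains, the message and the allowed-host table are all constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed example: link hosts each newsletter brand legitimately uses
# (hypothetical .test names, not any real sender's infrastructure).
BRAND_LINK_HOSTS = {
    "example-flowers.test": {"example-flowers.test", "links.example-flowers.test"},
}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def _host_matches(host, allowed):
    """True if host equals an allowed host or is a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def off_brand_links(raw_message):
    """Return (sender_domain, [suspect URLs]) for an RFC 822 message.

    A cloned newsletter keeps the brand's From: address and layout but
    points some links at the spammer's own site; those are what we surface.
    """
    msg = message_from_string(raw_message, policy=default)
    from_addr = msg["from"].addresses[0].addr_spec if msg["from"] else ""
    sender = from_addr.rpartition("@")[2].lower()
    allowed = BRAND_LINK_HOSTS.get(sender, set())
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    suspects = []
    for url in HREF_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and not _host_matches(host, allowed):
            suspects.append(url)
    return sender, suspects


# Constructed sample: a newsletter clone with one link rewritten to a spam site.
CLONED_NEWSLETTER = """\
From: Example Flowers <news@example-flowers.test>
To: victim@example.test
Subject: Weekly specials
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://links.example-flowers.test/specials">This week's bouquets</a></p>
<p><a href="http://cheap-pills.example.invalid/buy">Special offer!</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(off_brand_links(CLONED_NEWSLETTER))
```

Run this before a content-based whitelist rule is allowed to fire: a message that looks like the newsletter but links off-brand should lose its whitelist pass rather than gain one.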

The spammers only seem to be testing the tactic right now -- it's at a very low level, but the theory is that if they find this is an effective trick, we'll see it a lot more.

I've not seen the test runs in my overflowing spam traps -- credit for discovering the phony newsletters goes to Symantec. I guess it takes a large organization, with 24x7, follow-the-sun labs to really keep on top of new developments in spam tactics. It's the speed of identifying these sorts of early indications that separates the men from the boys, as it were.

Update: Symantec sent a picture to illustrate. Wasn't that kind?
