Friday, May 02, 2008

Segmenting and Localizing Spam Campaigns

One-to-many or one-to-one communication channel? That's the question from a spammer's perspective. Given that spammers have long embraced basic segmentation in their harvested email databases, enforcing localization in each of their multinational campaigns, thereby increasing the probability of a higher response, was a logical trend to come, one that we're currently witnessing on a large scale. Outsourcing the localization process by using translation services on demand, for anything from phishing emails and spam to malware campaigns, is starting to accelerate, due to the fact that these parties now know more about the email address than they used to in the past.

A Chinese user will never receive a spam message in German, and exactly the opposite, as spammers are getting more ROI conscious in everything they do. Therefore, in the long term, the emphasis on the process of sending the spam may in fact shift to higher expectations from botnet masters, with spammers requiring hosts with clean IP reputations in the very same fashion spammers want email databases of addresses that still haven't been spammed - well, at least by them.

And just like in any other market out there, the managed spamming appliance providers would inevitably vertically integrate to start offering database filtering and verification of delivery services. With so many malware infected hosts, spamming is getting cheaper, given the increasing number of market participants, each of them consciously or subconsciously engaging in permanent penetration pricing and ending up undercutting those positioning spamming as an exclusive service. And when the process of sending, and providing huge lists of harvested emails, is already a commodity, the competition is shifting to the quality of the campaign.

The attached screenshot represents a spamming provider's "inventory" of emails per country, and price for a number of already harvested emails, clearly demonstrating that when competition increases even in the underground market, the serious sellers start differentiating their propositions, taking spam in general a step beyond.

Testing Signature-based Antivirus Products Contest

This is both interesting, yet irrelevant and outdated as well:

"The Race to Zero contest is being held during Defcon 16 at the Riviera Hotel in Las Vegas, 8-10 August 2008. The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first team or individual to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses."

What are the reactions of security vendors, AVs in particular? The best remark - "Security vendors began panning it immediately, saying it will simply help the bad guys learn some new tricks."

The bad guys will learn new tricks from the good guys modifying binaries to prove that anti virus signature scanning isn't working? There's no shortage of creativity and innovation on behalf of malware authors, and in reality, the good guys are supposed to learn from the bad guys in the sense of the techniques, tools and tactics they use to achieve such a high degree of now automated polymorphism. Moreover, the only thing the bad guys can learn from the good guys are the techniques the good guys use to make the bad guys' living a pain, in fact obtaining the tools and seeing their malware through the eyes of a good guy.

Moreover, as I've already pointed out in a previous post, undetected malware or malware with the lowest possible detection rate is no longer created, it's being generated thanks to:

"DIY nature of malware building, the managed undetected binaries as a service coming with the purchase of proprietary malware tools, the fact that malware is tested against all the anti virus vendors and the most popular personal firewalls before it starts participating in a campaign, and is also getting benchmarked and optimized against the objectives set for its lifecycle."

Nowadays, even a script kiddie's favorite Remote Administration Tool is empowered with advanced point'n'click DIY features such as anti-sandboxing and anti-reverse engineering, either through the use of such built-in features, or by outsourcing the process to someone who excels at it. Undetected malware isn't just coming as a product these days, it's also getting pitched as a managed service on a per obfuscated binary basis.

Thankfully, signature based malware scanning is slowly becoming just one of the many other alternative malware and behaviour detection approaches available within antivirus solutions these days, given the possibilities for artificially messing up the industry's count for malware variants.

Wednesday, April 30, 2008

Detection Rates for Malware in the Wild

Yet another Early Warning Security Event System has been made available to the public, earlier this month. The Malware Threat Center is currently generating automated tracking reports in the following sections:

- Most Aggressive Malware Attack Source and Filters
- Most Effective Malware-Related Snort Signatures
- Most Prolific BotNet Command and Control Servers and Filters
- Most Observed Malware-Related DNS Names
- Most Effective Antivirus Tools Against New Malware Binaries
- Most Aggressively Spreading Malware Binaries

I was particularly interested in the rankings in the "Most Effective Antivirus Tools Against New Malware Binaries" section, especially its emphasis on malware that's currently in the wild. Furthermore, to prove my point, compare the top 10 list of anti virus vendors as it was on the 20th with the top 10 list of anti virus vendors as it was yesterday. Can you find the differences? Grisoft, Avira, Secure Computing and Quick Heal remain in the same positions, whereas the rest of the vendors are ranked differently, although on the 20th they were exposed to only 1030 binaries, and on the 29th to 1759.

So what? In respect to signature based malware scanning, every vendor has its 15 minutes of fame; however, as I pointed out two years ago:

"Avoid the signatures hype and start rethinking the concept of malware on demand, open source malware, and the growing trend of malicious software to disable an anti virus scanner, or its ability to actually obtain the latest signatures available."

What has changed? The DIY nature of malware building, the managed undetected binaries as a service coming with the purchase of proprietary malware tools, the fact that malware is tested against all the anti virus vendors and the most popular personal firewalls before it starts participating in a campaign, and is also getting benchmarked and optimized against the objectives set for its lifecycle. Moreover, with malware authors waging tactical warfare on the vendors' infrastructure by supplying more malware variants than they can analyze in a timely manner, this tactical warfare on behalf of the malicious parties is only going to get more efficient.

Fake Directory Listings Acquiring Traffic to Serve Malware

Malicious parties are known to deliver what the unsuspecting and unaware end user is searching for, by persistently innovating at the infection vector level in order to serve malware or redirect to live exploit URLs in an internal ecosystem that not even a search engine's crawlers would bother crawling. What's the trick here? Using image files as bait for malware binaries, and acquiring traffic by generating fake directory indexes with hundreds of thousands of popular or segment specific keywords in the filenames, while attempting to trick the impulsive leecher by forcing a direct download of anything malicious? Creative, at least according to someone who has released such a fake directory listing, and who looks to be planning an automated approach for doing this.

Inside a non-malicious download.php file:

<?php
// Push sexy.gif to the visitor as an attachment instead of letting the browser render it
$file = "sexy.gif";
header("Content-type: application/force-download");
header("Content-Transfer-Encoding: Binary");
header("Content-Disposition: attachment; filename=\"" . basename($file) . "\"");
readfile($file);
?>

Spammers, phishers, malware authors, and of course, black hat search engine optimizers, are known to have been using this technique for enforcing downloads, loading live exploit URLs, or plain simple redirection to a place where the malicious magic happens.

A fake directory listing of images, where the images themselves load image files of the icon to make themselves look like images - try saying this again - and consider this attack tactic as SEO 1.0, where the 2.0 stage has long embraced GUIs and all-in-one anti-doorway detection techniques for blackhat SEO-ers to take advantage of.
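The defensive check that follows from the download.php above is whether the bytes a server pushes as an "image" attachment actually are an image. The script below is an added example written for this post, not code from the original or from the person who released the fake listing: it parses a raw HTTP response header block, reads the filename from Content-Disposition, sniffs the body's magic bytes, and flags the response when the filename claims an image type but the body starts like something else (here, a PE header). The header block and the two bodies are constructed samples; the magic-byte table is the usual well-known set for GIF, JPEG, PNG and PE files.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Well-known file signatures (magic bytes) for the image formats a forced
# "image" download claims to be, plus the PE header a Windows binary carries.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "exe": (b"MZ",),
}
# Extension spellings folded onto the MAGIC keys.
ALIASES = {"jpeg": "jpg", "jpe": "jpg", "dll": "exe", "scr": "exe"}
IMAGE_TYPES = {"gif", "jpg", "png"}


@dataclass
class Verdict:
    filename: str         # name the server pushed via Content-Disposition
    claimed: str          # type implied by the filename extension
    looks_like: str       # type implied by the first bytes of the body
    forced_download: bool # server asked the browser to save rather than render
    suspicious: bool      # claimed an image, but the body is something else


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP header block into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def filename_from_disposition(value: str) -> str:
    m = re.search(r'filename="?([^";]+)"?', value)
    return m.group(1).strip() if m else ""


def claimed_type(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ALIASES.get(ext, ext)


def sniff(body: bytes) -> str:
    for kind, signatures in MAGIC.items():
        if any(body.startswith(sig) for sig in signatures):
            return kind
    return "unknown"


def assess(raw_headers: str, body: bytes) -> Verdict:
    h = parse_headers(raw_headers)
    disposition = h.get("content-disposition", "")
    name = filename_from_disposition(disposition)
    claimed = claimed_type(name)
    looks = sniff(body)
    forced = (
        h.get("content-type", "").split(";")[0].strip().lower()
        in ("application/force-download", "application/octet-stream")
        or disposition.lower().startswith("attachment")
    )
    suspicious = claimed in IMAGE_TYPES and looks != claimed
    return Verdict(name, claimed, looks, forced, suspicious)


# Constructed sample responses (not captured traffic): the headers mirror the
# download.php above; the bodies are a GIF header and a PE header respectively.
FORCED_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-type: application/force-download\r\n"
    "Content-Transfer-Encoding: Binary\r\n"
    'Content-Disposition: attachment; filename="sexy.gif"\r\n'
)
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
FAKE_GIF = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"

if __name__ == "__main__":
    for body in (REAL_GIF, FAKE_GIF):
        print(assess(FORCED_HEADERS, body))
```

A forced download of a genuine image is merely odd, so forced_download is reported as a separate weak signal; the verdict only turns suspicious on the filename/body mismatch, which is the part of this trick a proxy or mail gateway can catch without any signature for the binary itself.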

Response Rate for an IM Malware Attack

Remember the MSN Spamming Bot in action? Consider this screenshot not just as a real example of IM spamming in action, but also pay attention to the response rate: the number of messages sent, and the response in the form of new malware infected hosts joining an IRC channel. Keeping it Simple Stupid by directly spamming the binary locations is still surprisingly working, judging by Stormy Wormy's last several campaigns, but with the recent spamming of live exploit URLs and malware using Google ads as a redirector, for instance:

- google.com/pagead/iclk?sa=l&ai=dhobOez&num=57486&adurl=http://mpharm.hr/video_233.php
- google.com/pagead/iclk?sa=l&ai=YQdWjxe&num=81899&adurl=http://www.1-pltnicka.sk/lib_vid.php
- google.com/pagead/iclk?sa=l&ai=MKRCVFW&adurl=//bestsslscripts.com/goog/online-casino-gambling.html
- google.com/pagead/iclk?sa=l&ai=Hydrocodone&num=001&adurl=http://hydrocodone.7-site.info

the response rate for the campaign can change in a minute. Go through the related post on "Statistics from a Malware Embedded Attack", which takes another perspective into consideration.

Tuesday, April 29, 2008

New DIY Malware in the Wild

Yet another do-it-yourself malware is getting pitched as one with a low detection rate due to its proprietary nature, following the logic that, since few people will have it, it would somehow remain undetected for a longer period of time. The applied logic, however, excludes the possibility of the recently purchased good being used as a bargaining chip to obtain, or improve the chances of obtaining, access to another good or service, in the form of access to a closed-to-the-public forum where exclusive tools and incidents are actively discussed.

How is a seller of yet another DIY malware going to differentiate her market proposition? Adding a service in the form of managing and verifying the buyer's undetected binaries is slowly maturing into what 24/7 customer support is for most market propositions - a commodity and something that's often taken for granted. In the case of this DIY malware, the author is aiming to differentiate the proposition by also offering the source code of the malware, thus embracing the open source mentality just like many other malware authors are, believing that innovation will come on behalf of those adding extra features and fixing bugs within the malware - and they are sadly right about the innovation belief. Some features of this malware:

- Stealing and Uploading to a specific FTP ( ICQ, FireFox, WinXP Keys, CD Keys )
- HTTP Get Flooding
- Syn Flooding and IP Spoofing
- Process Hiding without Register Service
- Hides from any kind of Taskmanager ( Windows Taskmanager, Security Taskmanager )
- Settings can be changed all the time ( in running bots as well )
- Melting
- Mutexes Checking
- Anti VMware, Anti VPC, Anti Sandboxing, Anti Norman Sandbox
- Settings encrypted with RC-4
- Doesn't need .ocx
- Killing Windows Firewall

It looks and sounds like a novice malware coder integrating publicly obtainable malware modules, hoping to cash in. Moreover, in regard to open source malware, asking "Which is the latest version of the MPack web exploitation kit?" is slowly becoming pointless mainly because of the kits' open source nature, and besides being localized to different languages, their effectiveness is also acting as the foundation for malware kits to come.

Related posts:
DIY Exploit Embedding Tool - A Proprietary Release
DIY Exploits Embedding Tools - a Retrospective
DIY German Malware Dropper
DIY Fake MSN Client Stealing Passwords
A Malware Loader for Sale
Yet Another Malware Cryptor In the Wild
DIY Malware Droppers in the Wild
More Malware Crypters for Sale
A Multi-Feature Malware Crypter