Fake Headlines of Celebrity Death Leads to Malware Infection

Thursday, August 26, 2010 by Troy Gill
This chart represents email-borne virus and malware activity blocked by AppRiver filters during the month of August.  In 2009, we saw a large spike of email-borne malware during the months of September, October and November.  It looks like they are off to an early start in 2010, as we have already quarantined more than 140 million viruses during the past month alone.  This is the highest level we have seen since 2009.


Early yesterday morning we began seeing a large malware campaign using fake headlines of celebrity deaths to pique interest. The message blast started at about 4am, and within the first few hours messages were coming in at rates of over 100,000 per hour. The messages claimed to be breaking news that a certain celebrity had died in a car crash.
Here is a look at one of the messages:
File name: CNN Hot News.zip (contains .exe by the same name)
Subject:  Utilizes different celebrity names that do not always match the one in the message body

Here is a look at the traffic pattern for this campaign:


In all we have blocked 658,337 of these messages since we started seeing them on 8/25. They seem to have slowed to only a trickle at this point, which is typical for a big virus push: typically they will blast out one campaign for 12-24 hours, and after that the attack vector becomes stale and they move on to the next one. Since we know that cybercriminals are always eager to take advantage of big news stories by sending out fake news alerts that often contain malware, it is not surprising to see them creating their own headlines.

The messages all contain CNN Hot News.zip (106 KB), which in turn contains the .exe file. The attached file is malicious and is a recent variant of a “downloader” that we have been seeing quite a bit lately. A downloader simply opens a backdoor on the target machine that can be used in the future to install one or more different types of malware.

What's What?

Tuesday, August 24, 2010 by phread Touchette
There is a lot of confusion in the AV world about what is what. This is due to the fact that there are no standards between researchers and anti-virus companies, or anyone else for that matter, over naming conventions for the various aspects of malware and its delivery systems. Viruses and malware are often named after their behavior, or after something pulled from their code, or sometimes even after the way they were received, such as the Storm Worm, which arrived attached to an email touting large storms in Europe. Sometimes a company will play nice and adopt someone else's name for a variant, but oftentimes these researchers are working on these things at the same time and aren't aware of its other labels, thus resulting in the same piece of malware having 7 different names across vendors.
There is also some confusion over what actually does what in these situations. Malware infection these days is often done in stages, with the actual payload not arriving until the very end. In the case of email, botnets are most often used to send messages that are designed to socially engineer the recipient into opening the attachment. These attachments are technically not the payload; instead they are in most cases what's referred to as a "downloader". These simply open a portal on the target machine through which the malware author can download and install whatever final malicious payload they care to, at any time. It's at this point that keyloggers, data stealers, and the like are placed on the victims' machines.
This adds to the naming confusion as well, because oftentimes the downloaders will be named after what they end up downloading as opposed to their own unique name.
Below is a graphic demonstrating the flow of a very active botnet, Pushdo (or Cutwail), currently pushing down the equally popular Zeus trojan, whose primary concern is stealing login information and banking credentials. The names labelled in the graphic, in the order shown, are:
  • Pushdo (also known as Cutwail)
  • Bredo, Bredolab, Kryptik, Delphi
  • Sasfis, Gemini
  • Oficla
  • Zeus, Zbot

The industry doesn't seem to be in a rush to standardize a naming convention for these, but I think it would certainly help other researchers, or even Network Admins who are trying to figure out an infection and how to properly remove it without having to memorize what's what.

False Resumes and CVs Lead to Malware

Thursday, August 19, 2010 by phread Touchette
For the past couple of days, one of the malware infection vectors of choice has been the fake resume or Curriculum Vitae. The people sending these obviously couldn't be bothered to spend much time on the email that is meant to socially engineer its recipients into falling for the ploy, because it appears to lack effort at best. Instead, it looks like they were more concerned with attempts to throw analysts off track.
I don't see how they expect anyone to fall for this, even if it did end up in the hands of some unsuspecting HR department. I would expect that any one of them would dismiss this as highly unprofessional and send it straight to the deleted folder. Let's also not overlook the interesting file format that this resume is supposedly in: an .HTML document. That makes sense.
Once we take a look at the source code, it reveals some fairly simple obfuscation utilizing hex-encoded strings and the JavaScript "unescape" function.



Once this is converted to an easier to read format, it reveals the first hop on our malware journey.



So, to quickly recap: the victim receives this email and opens the attached HTML document, which runs the underlying JavaScript, which in turn redirects the recipient to a real, albeit malicious, web page. At this point they would see a message at the top of the screen with the words "PLEASE WAITING 4 SECOND...". Likely not an English-speaking author, just a guess. Meanwhile, two separate things are happening: a 4-second refresh timer has been set, and within those four seconds a hidden iframe begins to download the actual malicious content from yet another website. This infection allows the malware's controller to further download and execute malware on the victim's machine, malware such as ZeuS, which has been running rampant this past year due to the ease of acquiring the ZeuS trojan creation kits on underground forums.



So, finally, after the infection has occurred and the brutal 4-second wait has passed, the refresh occurs and the victim is redirected one final time to yet another website. This one was taken down by the time I got to it, but every time in the recent past that this technique has been used, the final site has been that of an online pharmacy hawking ED medications. This was likely meant to give the visitor a false sense of "security", leading them to believe that they were only inconvenienced with the same old spam again; and who knows, maybe the bad guys might just make a sale along with their newly infected PC.
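As an added example (not part of the original post), here is a small Python triage script for this kind of HTML attachment: it peels the unescape() layer off the script, decodes the %XX, %uXXXX, \xXX and \uXXXX escapes the way a browser would (a little more general than the single hex layer seen in the sample), and reports the timed meta refresh and hidden iframe the post describes. The attachment it runs on is constructed for the example and points only at example.com placeholders.

```python
"""Triage helper for HTML attachments that hide their markup behind
JavaScript unescape() and hex escapes, as in the fake-resume campaign.
Added example, not AppRiver's code; the sample attachment is constructed
and only points at example.com placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample, built to mirror the post: the visible HTML is just a
# script that decodes a percent-encoded string and writes it into the page.
_DECODED = ('<p>PLEASE WAITING 4 SECOND...</p>'
            '<meta http-equiv="refresh" content="4;url=http://landing.example.com/">'
            '<iframe src="http://payload.example.com/x" width="0" height="0"'
            ' style="visibility:hidden"></iframe>')
SAMPLE_ATTACHMENT = ('<html><body><script>document.write(unescape("'
                     + quote(_DECODED, safe="") + '"));</script></body></html>')

# unescape("...") calls, whichever quote style the script uses.
UNESCAPE_CALL = re.compile(r'unescape\(\s*(["\'])(.*?)\1\s*\)', re.S)
# %XX and %uXXXX (what JavaScript unescape understands) plus \xXX and \uXXXX
# string escapes that often wrap the same payload one layer further out.
_ESCAPE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})'
                     r'|\\u([0-9A-Fa-f]{4})|\\x([0-9A-Fa-f]{2})')


def js_unescape(text):
    """Decode escapes the way JavaScript's unescape() does: one code unit
    per escape, no UTF-8 reassembly."""
    return _ESCAPE.sub(lambda m: chr(int(next(g for g in m.groups() if g), 16)), text)


class _Indicators(HTMLParser):
    """Collect the two tells described in the post: a timed meta refresh and
    an iframe sized or styled so the victim never sees it."""

    def __init__(self):
        super().__init__()
        self.refresh = None      # (seconds, url) if a meta refresh is present
        self.iframes = []        # (src, hidden) for every iframe

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m:
                self.refresh = (int(m.group(1)), m.group(2))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
                      or "visibility:hidden" in style or "display:none" in style)
            self.iframes.append((a.get("src", ""), hidden))


def triage(html, max_layers=5):
    """Peel unescape() layers off an HTML attachment, then report what the
    final decoded markup would do in a browser."""
    layers = [html]
    for _ in range(max_layers):
        decoded = [js_unescape(body) for _, body in UNESCAPE_CALL.findall(layers[-1])]
        if not decoded:
            break
        layers.append("\n".join(decoded))
    parser = _Indicators()
    parser.feed(layers[-1])
    hidden = [src for src, is_hidden in parser.iframes if is_hidden]
    return {
        "layers_peeled": len(layers) - 1,
        "refresh": parser.refresh,
        "hidden_iframes": hidden,
        "suspicious": parser.refresh is not None and bool(hidden),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENT))
```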


Beauty and the Geek Malware Attack

Thursday, August 12, 2010 by Troy Gill
The Beauty and the Geek reality television show that was often publicized as "The Ultimate Social Experiment" is being used today as the “Ultimate Social Engineering Tactic”. This morning we began seeing a massive influx of zero-day virus threats being sent via email. In all we saw at least seven different new variants of the same malware. The message that was coming in at the highest rate, and certainly the most interesting of the group, was a message claiming to be from the folks at the “Beauty and the Geek” show. The message claims that they are looking for contestants for the show and contains an attachment that you are instructed to open. The message attachment named [flyers.zip] contains malware identified as the Zbot Trojan.


Message Body:
Hey guys
Already mentioned this to some of you and sorry about the mass email but thought I could be missing out on a good opportunity if I didn’t…
So… I’m looking for geeks all over USA. They need to be highly intelligent and shy/nervous around girls etc
All the contestants genuinely had an amazing time last year and are actively recommending it to their mates this year. They get the chance to teach hot girls a thing or two, and get the chance to win $100,000! So far – I haven’t spoken to a single geek who’s been offended that I’ve called them one. But if you’d rather – please do pass on their details to me and I’ll get in touch with them anonymously.
I’ve attached flyers in case you want to forward on, or put up in your office… Thanks so much
Hope to see you soon

In the past three hours we have quarantined over a half a million of these messages. Remember, never click on a link or attachment in an unsolicited email.

Malware On The Rise

Friday, August 6, 2010 by Troy Gill

Over the past seven days we have been seeing a massive surge in virus activity. In the past week we have quarantined an average of 11.62 million email-borne viruses per day, an increase of 600% from the previous seven day period.

One of the most prevalent messages we have seen with this virus push is the following:

We have seen these messages coming from nodes all over the world, and they are obviously being distributed by a botnet. The attached .zip contains an executable file (.exe) carrying some variant of malware commonly known as Bredo. This bit of malware opens a backdoor to the internet and communicates with a remote web server via HTTP, and at this point your computer is their oyster. As usual, our Exchange Hosting and Spam Filtering customers are protected from all known variants of this threat.

Missing custom categories & colors when creating a new profile?

Thursday, August 5, 2010 by Chris Hendricks
Microsoft Exchange in a hosted or local environment can be a complicated animal. AppRiver has taken the complications out by simplifying the process for all types of businesses to use Exchange in a hosted environment.

Let's take one more kink out of the conversion to Hosted Exchange with AppRiver by showing you how to move your color-coded and customized categories from one Outlook profile to another. Most people don't know that these items do not show up automatically when changing profiles or importing (.pst) files from hosted or local Exchange to another.

Below is a recent knowledgebase article I created and wanted to share with the Exchange hosting community.

Outlook 2007 stores custom categories, labels and colors in the (.pst) file as opposed to previous versions of Outlook which stored them in the registry.

To build the new category list/colors in Outlook 2007 or to import the original category list/colors, you can right click on the top of the mailbox in the navigation menu (Mailbox - Your Name) and choose Properties. Here you’ll see a button called “Upgrade to Color Categories...”. When you press this button, Outlook will look through the entire mailbox for categories and when found, it will add them to the categories list. This also imports Follow Up Flags and Calendar Labels.

This data will be uploaded to the Hosted Exchange 07 server and will propagate down to other Outlook clients connected to the Hosted Exchange server for the user.

FAQ:

  • Custom Categories/Colors will show in OWA for Hosted Exchange 07 in the Contacts tab by clicking the "Single Line" view icon at the top of OWA.
    • NOTE: Only available via Internet Explorer.
    (Screenshot: Outlook Web Access 2007 Contact View)

  • Custom Categories/Colors will show in OWA for Hosted Exchange 07 in the Calendar tab for any of the following views: Today, Day, Work Week, Week, Month.
    • NOTE: Only available via Internet Explorer.
    (Screenshot: Outlook Web Access 2007 Calendar View)


Faux HMRC Emails Lead to Multi-bank Phish

Tuesday, July 27, 2010 by phread Touchette
As a new tax year begins down under, Australian taxpayers are likely eagerly awaiting their tax returns. Cue old faithful: the tax-themed phishing campaign. We began seeing this new wave of HMRC-flavored emails a week or so ago, and a slightly stronger push last night with new graphics.
Once the link in the above email is clicked, recipients are first taken to one of many initial landing pages where they are immediately redirected to the target page. This redirect is done so that when the first page is shut down they can simply replace it with another without having to move the actual site where they keep all of their work. I can see why too, it looks like they've put a lot of effort into a multi-bank phishing site via a false HMRC tax return notice.


The supposed HM Revenue & Customs page where the link ends up isn't as good looking as what's to come. It appears they just weren't creative enough to come up with something of their own in order to make this page slightly more believable. The page uses a banner from the HMRC website and instructs viewers to select their bank by clicking on its respective logo. There are 10 bank logos provided, as well as 10 individual phishing pages themed specifically for each bank. Here are a couple of shots from the pages given after clicking on the above logos.




These pages look much more convincing as the graphics have been lifted from the actual bank sites themselves. The only difference is that your log-in and password are given to the criminals before you are redirected to the bank's log-out page.



This is to help explain why you aren't actually logged in to your bank's site at any point during this process. Oftentimes these will take victims back to their banking sites, but usually to the home page where they would have to log-in again if they wanted to look into their account.
Phishing sites aren't rare, but one that tries to tackle so many different banks at one time is. It certainly explains why they want to avoid moving that much around by sacrificing redirect pages instead. You can tell by the URL that they have set aside plenty of room to hide all of their malicious phishing sites.



Data File Management For Outlook

Tuesday, July 20, 2010 by Chris Hendricks

The A-Team is back with another tip for you. We're talking about Data File Management, that option in the File menu that you skip over on the way to the Archive feature. What's great is that Data File Management is available to Microsoft Exchange users in both a local server environment and hosted solutions like AppRiver's Hosted Exchange. In fact, most of these features are Outlook features and are available regardless of the mail server you're connecting to.

Data File Management lets you do a couple of things, the most important - yep you guessed it, manage data. From Outlook 2007 forward, you have a direct connection to various types of data that is visible via this management interface. The Data File Management view allows you to add, modify and delete files under each of the following headings that are available:

  • Email - Allows a user to view all account connections. Including hosted and local exchange connections, POP, IMAP or HTTP server connections.
  • Data Files - Allows a user to view multiple offline .pst files that have been archived locally or on a network server. By adding the .pst files here, a user will have direct control of the data via the Outlook client navigation menu just like any other mailbox.
  • RSS Feeds - Allows a user to add multiple RSS Feeds they have subscribed to via their Outlook client.
  • SharePoint Lists - If your office has SharePoint available you can integrate Outlook into multiple directories of SharePoint. This allows visibility to new data and modifications that others have made in SharePoint to be visible in your Outlook client. This also provides you the ability to update SharePoint directly from Outlook.
  • Internet Calendars - An underutilized feature that is great for users sharing calendar and scheduling information across multiple domains. This is especially useful for Hosted Exchange users wanting to share free/busy information across domains that are not on the same hosted exchange server.
  • Published Calendars - The other side of Internet Calendars, this shows all the calendars that you have local within your mailbox that have been published to the Internet for others to subscribe to.
  • Address Books - Allows you to connect to a LDAP server and verify email addresses and other information about users.

Now let’s talk about how these features can be utilized within your business model. I’ll provide some examples of how each of these can be used. Remember one size does not fit all, so call AppRiver today to set up a Hosted Exchange Trial and the A-Team will customize a solution strategy to complement or enhance your business model.

Email – For business owners with more than one domain, combined with Outlook 2010, you can now connect 3 separate Exchange servers to one Outlook profile.

Data Files – This view will allow you to archive mail offline to unclog your mailbox and speed up your connection time, while still allowing you to view old email that was created before there was an Internet.

RSS Feeds – Instead of subscribing to an email list, subscribe to a website’s RSS feed. This will keep all your news and information from all your favorite sites in one location without giving away your email address, and lets you unsubscribe from a website's feed without worrying about being spammed.

SharePoint Lists – With an in-house or hosted SharePoint, you will be able to connect directly to company-wide events, tasks and updates without ever leaving your Outlook client. That’s because Outlook can connect directly to a SharePoint server and allow you to create and modify information.

Internet Calendars – Deal with a lot of appointments and scheduling conflicts? When your clients or vendors publish their free/busy data, you will be able to schedule with confidence because you know exactly when they will be available and can avoid conflicts easily.

Published Calendars – Just as your clients and vendors have published their calendars, you can do the same with AppRiver's Hosted Exchange service. Sharing and collaboration across domains on different servers has never been this easy.

Address Books – Own more than one company or domain, but can’t seem to synchronize data between them? Look no further: allow AppRiver to host Exchange mail services for your domains and you will be able to share data across them while letting them operate as separate entities.

WOW! That was a lot of information. Call AppRiver today to start a 30-day trial of our Hosted Exchange, Secure Email, Spam Filtering or many other services. Additionally, our Sales Engineering team will guide you through a migration to the AppRiver Hosted services and create a custom solution for your company to succeed. Visit our website for more details about these and other services! http://www.appriver.com

Chris Hendricks
Sales Engineer

AppRiver

850-932-5338
chendricks@appriver.com
www.appriver.com


Where Malware Meets Phishing

Monday, July 19, 2010 by Troy Gill

Since spammers have no “Rules of Engagement”, they are always free to utilize any social engineering tactic that tickles their fancy. Despite the fact that the 2009/2010 income tax year is fading away in the rearview mirror for most US citizens, cybercriminals are still [in mid-July] attempting to impersonate the IRS in order to infect your PC with malware.

Messages hitting our spam filters today may appear to be legitimate, as they pretend to be sent from “The Internal Revenue Service”. The body instructs the person that they are late in “updating your W-2”. There is also a glaring mistake in that the email contains a due date of 01/07/2010, which is likely an error on the sender’s part. The alleged “form” that is attached is a word document named W2form.doc. Within the .doc is a .pdf which if opened will run a .exe. The .exe would then infect your computer with a certain piece of malware contained within Trojan.Dropper.

At first glance this would appear to be a simple phishing message, which may lull some people into a false sense of security, perhaps thinking that if [they] don’t give their information then [they] will not be at risk. However, simply clicking and opening this attachment can cause infection. This is a good example of a growing trend that we have been seeing lately where spammers would have you think a message is one thing when in fact it is something different entirely. This technique has been seen most recently in malware posing as run-of-the-mill Canadian pharmacy spam. Remember, the IRS will never request personal information in an email. Here is a look at the message in its entirety.


Here is a look inside the document:

Appers Aboard the AppU Brain Train... Choo Choo!

Wednesday, July 14, 2010 by Gretchen Clarke
Well, after six successful months of the AppRiver BrainTrain Program, we are still going strong with more certified Appers, volunteer Appers, and winning Appers!
During the past two quarters, we have lived the AppU motto to educate, develop, and inspire each other!  A few of these feats came on June 25th when AppRiver hosted a Blood Drive where 31 Appers donated the ultimate gift (and saving 90 lives)! On June 12th, seven Appers volunteered their time to get certified in Child and Infant CPR! And... Throughout the quarter, Appers organized a charity fundraiser for local food banks.

Wait!  There's more... We've certified more Appers, notably in the areas of: Microsoft technology, ethical hacking, project management, software testing, executive coaching, and the list goes on...!!  Also, Appers with the most points this quarter have earned a real treat... (may I have a drum roll please)... An exclusive lunch with AppRiver's Co-Founders Michael, CEO and Joel, CTO!  WOW, what an opportunity! 

2010 has been an amazing year so far and we still have 6 months left... So, what's next for Brain Train in Q3?

The AppRiver Training Team has been busy designing the Q3 Program and BrainTrain Q3 will be more engaging than ever with delivering training classes that target professional and personal development initiatives ranging from technical competencies and Phenomenal Customer Care to establishing AppRiver's inaugural Toastmasters Club (officers and club name announcement coming soon).  Then, we'll end the quarter with an AppU cook-off in the first ever AppU Top Chef-Appers event!  "Whose cuisine will reign supreme?"  Logon to the next post to find out!

S.O.S - Save Our Smartphones

Monday, July 12, 2010 by ChukBerry

Hi Again,

ChukBerry here from AppRiver, and I work with our mobile Hosted Exchange clients.  Many clients have to switch out their mobile device due to water damage.  I am here today to give you another option - a tip from science class that will help you save your Smartphone from water damage.

Note: Salt water is a different case. Remove the battery, SIM and SD card and dip the phone into fresh water promptly, because when salt water dries it leaves behind mineral deposits that cause rapid corrosion.

After your Smartphone has taken a swan dive into a small or large body of water, you must act quickly to retrieve it. Once the Smartphone is back in your possession, do not turn the phone on and/or place it under heat, as that will corrode the motherboard and circuits. Instead, follow these simple steps.

Step 1. Remove the battery quickly from the device (leaving the battery in will not help it dry and cause corrosion throughout the motherboard).

Step 2. Hand dry the device with a clean cloth. Do not use paper towels.  And, don’t worry about the LCD screen during this time.   

Step 3. Pour some uncooked white rice into a bowl until it is about half full, and submerge the Smartphone (without the battery, SIM and SD card) in the rice. Leave the device in the bowl for about 12-24 hours. The rice will evaporate all the water from inside the device.

Step 4. Remove the device after 24 hours and with a small soft bristle paint brush sweep away any rice dust that may remain on the device.  Wipe down the outside of the device and place the battery back into the Smartphone.  It should power up and now you may feel free to clean the LCD screen with a microfiber cloth to remove streaks and finger smudges.  


I hope this helps.  Please be on the lookout for more mobility tips on my AppRiver blog.

Until next time ... try to keep dry.


-ChukBerry

Scammers Posing as ShopNBC

Monday, July 12, 2010 by phread Touchette
In an ongoing malware campaign, the authors are using many different themes in order to push their malicious code on their victims. The most recent attempts included fake emails from ICANN and fake NDR messages, as well as many others. This afternoon they deviated from the false payment invoice technique, where they were trying to make recipients believe that they were being charged for something they did not purchase, thereby causing them to want to investigate further. This time they used what appears to be an email flyer for ShopNBC.com. In fact, it looks like they simply took one of these flyers and replaced every link with a single link that led to their malicious JavaScript. It also looks as though they've forged a portion of the email headers so that the message appears to carry NBC.com's DomainKeys signature. Most people may just delete this as junk mail, but it may appeal to some, and others might want to attempt to "unsubscribe" from this unwanted circular; in these cases they will instantly transform from a simple recipient of junk mail into a victim with an infected computer. One way to have avoided this type of scam would be to hover over the links with your mouse to see where they actually led before clicking on them. You would be very quick to note that none of these led anywhere near an NBC website. Always avoid unsolicited emails.
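The "hover over the links" check can be automated for mail triage. Added example, not AppRiver's code: it collects every anchor in an HTML body, compares each link's domain with the domain in the From: address, and flags a flyer in which every link has been replaced by a single off-domain target. The flyers and addresses below are constructed for the example.

```python
"""Link-destination check for an HTML mail flyer. Added example, not
AppRiver's code; the sample flyers and addresses are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the From: header claims the retailer's domain, but every
# link has been swapped for one tracking URL on an unrelated host.
SAMPLE_FROM = "newsletter@shopnbc.com"
SAMPLE_FLYER = """
<html><body>
<a href="http://promo.example.net/in.php?id=1"><img src="cid:logo"></a>
<p><a href="http://promo.example.net/in.php?id=1">Today's Deals</a></p>
<p><a href="http://promo.example.net/in.php?id=1">Shop Jewelry</a></p>
<p><a href="http://promo.example.net/in.php?id=1">Unsubscribe</a></p>
</body></html>
"""

# Constructed benign counterpart: distinct links, all on the sender's domain.
BENIGN_FROM = "news@example.com"
BENIGN_FLYER = """
<html><body>
<p><a href="http://www.example.com/deals">Today's Deals</a></p>
<p><a href="http://www.example.com/jewelry">Shop Jewelry</a></p>
<p><a href="http://support.example.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Gather the href of every <a> tag in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href.strip())


def registered_domain(host):
    """Crude registrable domain: the last two labels. Good enough for .com
    and .net; real tooling would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html, from_addr, min_links=3):
    """Summarise where a message's links really go.

    from_addr is the address shown in the From: header. The message is
    flagged when at least min_links links all resolve to one target that is
    outside the sender's domain: the signature of a mass-replaced flyer."""
    parser = _LinkCollector()
    parser.feed(html)
    sender_dom = registered_domain(from_addr.rsplit("@", 1)[-1])
    hosts = [urlsplit(h).hostname or "" for h in parser.hrefs]
    off_domain = sorted({h for h in hosts if h and registered_domain(h) != sender_dom})
    targets = set(parser.hrefs)
    return {
        "link_count": len(parser.hrefs),
        "unique_targets": len(targets),
        "off_domain_hosts": off_domain,
        "flagged": len(parser.hrefs) >= min_links and len(targets) == 1 and bool(off_domain),
    }


if __name__ == "__main__":
    print(check_links(SAMPLE_FLYER, SAMPLE_FROM))
    print(check_links(BENIGN_FLYER, BENIGN_FROM))
```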

Save your BlackBerry battery power

Thursday, July 8, 2010 by ChukBerry

Hi, ChukBerry here... no, not the singer. I am the guy who solves BlackBerry (and other smartphone device) mobility issues at AppRiver, and then passes along the tips to the public. About a month ago, my BlackBerry 8530 (which is WiFi capable) started to drain my brand new battery down past the halfway mark even though I hadn’t talked on it all day. Well, I started to check things such as hardware pin connections and applications on the device and came up with nothing. That’s when I started to remove applications and change configurations. After a few more tests, presto!! I found the issue. The WiFi profile I had set up a few weeks prior was eating my battery like PacMan eating a ghost. Anyway, I created an AppRiver document titled “Turn WiFi Settings Off” to help you fix this issue. It is enclosed for your consideration. Enjoy and save the life of your lithium ion BlackBerry battery.



TURN WIFI SETTINGS OFF

Overview: During an activation, certain BlackBerry device models have WiFi capabilities that connect the device without the use of cellular provider towers. This can cause an activation issue, because the RIM data services for activations require OTA (over-the-air) key generation or BlackBerry Desktop Manager generation for an activation.

Where to find and turn off WiFi settings:

On the Home Screen of the BlackBerry, scroll down the full menu of icons until you see Manage Connections.



When you click the trackball you will see the screen below display.



Click the trackball on the box to the left of Wi-Fi, leaving the box empty and turning off the setting.


Your mission is complete : )


How Twitter helped me land this job

Saturday, July 3, 2010 by Shane Rice
Here's the story of how a social media nobody (I don't have 10,000 Twitter followers...yet) used Twitter to get the job he always wanted...

Flashback two years and I was listening to TWiT dreaming of what it would be like to work at a tech startup. I was checking out the Google cafeteria pictures on Flickr, wondering what other perks were available for this wonderland of opportunity.

Around this time everyone I followed in the tech community started buzzing about Twitter and how it was going to revolutionize communication, replace email and signal the ascendancy of 140-character communication. I created a Twitter account in March 2008. I wish I could tell you that I immediately recognized that the revolution was at hand and that I literally saw the communication landscape morph before my very eyes.

Instead, here's what really happened: I spent about 5 minutes following a few people and waiting for the magic to happen. When that aha moment failed to appear I logged out and went about my normal interweb business.  Over the next 6 months I would login every few weeks, take a look around and wonder what I was missing that caused so many people to marvel at the potential of the "twitterverse."

I slowly started to follow a collection of people who I thought were cool: hosts of my favorite podcasts, tech pundits, a few friends, and people with the coolest links. As the number of people I followed grew I started to see breaking news stories first on Twitter and slowly found that I was checking in on my Twitter stream more frequently. 

Then I got an iPhone. I downloaded a Twitter app and I was glued to my stream. I used the GPS enabled local user feature to see who was tweeting in my area. There was one person who published consistently good links so I started following him, @ChrisMBarr. I noticed that Chris worked at AppRiver. While cruising the AppRiver site I noticed that they were hiring a Hosted Exchange Technician. About a year or two earlier I applied for a similar position and, unfortunately, never secured an interview. Since this was an open door to my dream job at a tech startup I submitted my resume again and crossed my fingers.

In my Tweet stream I noticed Chris was having a conversation with @appbrian about a company bowling event. When I checked out Brian's profile I saw that he was the Director of Customer Care for AppRiver, so I sent him a message asking what training it would take to land the Hosted Exchange job. He sent me a DM (Direct Message) with his email address and asked that I send him my resume. 

Since you're reading this post, you know I got the job. It has been an exciting and fulfilling few years. This week, I started a new job at AppRiver as our Services Evangelist. You can count on me for updates on new and existing products (keep an eye out for news on our updated Web Filtering product, SecureSurf 2.0) and to expand our social media presence.

If you haven't already, we'd really like it if you followed us on Twitter (@appriver) and liked us on Facebook.


Tenacity 1 Grammar 0

Friday, July 2, 2010 by phread Touchette
Mr. David Ventre is really excited about "the clerk position", so excited in fact that he sent out well over 1 million fake resumes for it in the past 12 hours. These CVs were of course not resumes at all, but instead an attempt to infect recipient machines. I'm not so sure I'd hire this guy for writing malware either, because 99% of these files were malformed and wouldn't open anyway. Thank you, Mr. Ventre, for your interest in our company; we have your resume on file.

ICANN Haz Malicious Javascript?

Thursday, July 1, 2010 by phread Touchette
ICANN 38 just ended this past week in Brussels, Belgium, and several rather big announcements were made. Among those was the controversial decision to allow the .XXX TLD as a potential community site for the adult entertainment industry, as well as the addition of a new set of Chinese-language internationalized domain names. The countries approved were China, Taiwan and Hong Kong. IDNs allow these countries access to the internet using their own native Chinese script instead of having to use the Latin-based character set the Domain Name System was originally written in. This has brought about the newly associated organizations CNNIC (China Internet Network Information Center), HKIRC (Hong Kong Internet Registration Corporation Limited), and TWNIC (Taiwan Network Information Center).

Apparently the malware authors behind this week's campaigns found this event big enough, or interesting enough to want to pose as ICANN themselves in an attempt to infect computers with their malicious code. These people are the same ones who have been bringing the fake Amazon.com purchase order receipts, the Buy.com purchase order receipts, as well as several variations on personalized "You must change your password", or "Your account is locked out" campaigns that have been filling up our filters this week.
This campaign is actually pretty weak, not in size, but in appearance as you can see below.

It appears as though the senders attempted to add convincing logos and graphics to make the emails more believable but failed, as all of the links are broken once they arrive in our filters.
The links operate the same way as in their other campaigns: first leading you to a site where malicious, obfuscated JavaScript is pulled down from yet another site, before you're finally redirected to a Canadian Pharmacy site. The JavaScript is meant to open a backdoor on the victim machine through which more malicious code can be downloaded. AppRiver has seen more than 20 million pieces of mail from these campaigns. Here are a few of its former costumes.

iPhone 4.0 OS patch to fix Exchange ActiveSync problems

Monday, June 28, 2010 by James Dean

Since the release of the new Apple 4.0 OS we have received numerous calls from customers experiencing calendar sync issues; at the same time we noticed large spikes in RPC operations on our Exchange servers.  After some quick troubleshooting we were able to narrow the problem down to users who had updated to the new 4.0 OS and had excessive amounts of calendar items.  We have been working vigorously to isolate these devices and limit the impact to our Hosted Exchange 2007 servers.  Apple has now released a patch for Exchange ActiveSync on the new 4.0 OS.  I have tested this patch on mailboxes with ~25,000 calendar items and so far it seems to be working great.  If you are thinking of updating or already have, please use the Apple support link below to patch your new Apple OS.  The KB article applies to the following: iPod Touch, iPhone 3G, iPhone 3GS and iPhone 4.


http://support.apple.com/kb/TS3398


James Dean
Senior Exchange Engineer
AppRiver


Malware Uses Spam as a Disguise

Thursday, June 24, 2010 by phread Touchette
The past few days have brought us a couple of different campaigns using multiple tricks in order to infect their victims with malware. The two most recent have disguised themselves as emailed purchase receipts: yesterday it was Amazon.com, and today Buy.com. The emails used graphics and looked better than most attempts. The fact that they do indeed look more believable may be enough to snare the reader into investigating their mystery purchase further. This would lead the recipient to one of several links in the email, which all led to the same place, a domain hosted in Korea. After pausing at this page for a few seconds, the victim's browser would be redirected to another page where they would find themselves at the same old Canadian Pharmacy site. What they didn't see is that the miscreants were actually multi-tasking. While at the first domain, they were fed a malicious iframe that would attempt to download malware from yet a third site. The fact that the victim eventually ends up at the spam site could act as a clever cover, tricking them into thinking that that's all that had happened. The malicious payloads recently have been specially crafted documents that attempt to exploit vulnerabilities in Adobe Acrobat and Java. Today I was unable to pull down any files from the site. Either they weren't there at the time, or they are able to track what they deem to be excessive hits on their site from one source in order to prevent security professionals from seeing too much.
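Both the ICANN-themed campaign above and this purchase-receipt campaign follow the same landing-page pattern: a first site that hands the browser on to a pharmacy page while quietly loading an iframe or obfuscated script from a third host. The following static triage script is an added example (not AppRiver's filter code and not anything taken from the campaigns); it runs the stdlib HTML parser over a constructed sample page and reports hidden iframes, meta-refresh redirects, third-party script or frame sources, and common script-obfuscation markers. All hostnames in the sample are placeholders.

```python
"""Static triage of a landing page fetched from a suspicious email link.

Added example; not AppRiver's code or the campaign's.  The sample HTML is
constructed to mimic the pattern described in the post: an iframe pulling
content from a third host, a meta-refresh that hands the browser on to a
pharmacy site, and obfuscated inline script.  Hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; hosts are placeholders, not real campaign indicators.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="5; url=http://pharmacy.example.net/">
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>
</head><body>
<p>Loading your receipt...</p>
<iframe src="http://dropper.example.org/x.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

# Markers that commonly show up in obfuscated drive-by scripts.
OBFUSCATION_MARKERS = [
    r"\beval\s*\(",
    r"\bunescape\s*\(",
    r"String\.fromCharCode",
    r"(?:%[0-9a-fA-F]{2}){8,}",    # long runs of URL-encoded bytes
    r"(?:\\x[0-9a-fA-F]{2}){8,}",  # long runs of hex escapes
]


class LandingPageTriage(HTMLParser):
    """Collects iframe, meta-refresh and script findings from one page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []          # list of (kind, detail) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self._check_refresh(a.get("content", ""))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self._check_external(a["src"], "script")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as data; look for obfuscation markers.
        if self._in_script:
            for pat in OBFUSCATION_MARKERS:
                if re.search(pat, data):
                    self.findings.append(("obfuscated_script", pat))
                    break

    def _check_iframe(self, a):
        src = a.get("src", "")
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.findings.append(("hidden_iframe", src))
        self._check_external(src, "iframe")

    def _check_refresh(self, content):
        m = re.search(r"url\s*=\s*([^;\s]+)", content, re.I)
        if m:
            self.findings.append(("meta_refresh", m.group(1)))
            self._check_external(m.group(1), "meta_refresh")

    def _check_external(self, url, what):
        # Anything loaded from a host other than the landing page itself.
        host = urlparse(url).hostname
        if host and host != self.page_host:
            self.findings.append(("third_party_" + what, host))


def triage(html, page_url):
    """Return the list of (kind, detail) findings for one fetched page."""
    p = LandingPageTriage(urlparse(page_url).hostname)
    p.feed(html)
    return p.findings


def kinds(findings):
    """Distinct finding kinds, sorted, for a quick verdict line."""
    return sorted({k for k, _ in findings})


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_PAGE, "http://landing.example.com/receipt"):
        print(f"{kind:26} {detail}")
```

The parser deliberately does not execute anything; it only flags structure that is unusual for a legitimate receipt page, which is what an analyst wants from a first pass before deciding whether a sample is worth detonating in a sandbox.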

Phishing In The Oil Spill

Wednesday, June 23, 2010 by Troy Gill

Because nothing says opportunity like your fellow human beings in distress… I bring you just one example of millions of messages with less than admirable intentions that we have been seeing throughout the days following the Gulf of Mexico Oil spill.

Online scammers are ever lying in wait to take advantage of any and all headline events, even more so when they may be able to gain access to people who are in a state of vulnerability. Of course the Gulf Oil Spill is just such a situation. With millions of people having their livelihoods affected by this incident, most people feel compassion toward those affected but scammers see dollar signs.

Since the incident we have been seeing spam, phishing and virus messages all attempting to exploit national interest in the oil spill to gain entry to people’s inboxes. Among the worst of these are the messages that specifically target the victims of the spill (those who have suffered loss of income).  The message [below] is just one of the millions that we have been seeing daily. This particular message is suspected to be a phishing ploy. The links in these messages vary greatly, as they are using hundreds if not thousands of domains in the URLs in an attempt to bypass spam and virus filters. The link directs you to a web form that requests that you enter some personal information.
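Rotating the hostname across hundreds of domains defeats a filter that only matches on a blocklist, but the rest of the message usually stays constant: the same subject line and the same landing path on every host. The script below is an added example (not AppRiver's filter logic) of grouping messages by that template so a campaign surfaces once it has been seen on a handful of distinct hosts, before any single domain is known bad. The message records are constructed and the domains are placeholders.

```python
"""Spot a mail campaign that rotates domains to evade URL-based filtering.

Added example, not AppRiver's filter logic.  The records below are
constructed; the domains are placeholders.  Grouping by (subject, path)
across hosts exposes a campaign even when no single hostname is on a
blocklist yet.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of (subject, url) pairs as a mail filter might log them.
SAMPLE_MESSAGES = [
    ("Oil Spill Compensation Claim", "http://claim-aid1.example/claims/form.php"),
    ("Oil Spill Compensation Claim", "http://gulfhelp22.example/claims/form.php"),
    ("Oil Spill Compensation Claim", "http://bp-relief.example/claims/form.php"),
    ("Oil Spill Compensation Claim", "http://spillfund.example/claims/form.php"),
    ("Weekly newsletter", "http://news.example/issues/2010-06-23"),
    ("Weekly newsletter", "http://news.example/issues/2010-06-24"),
]


def template_key(subject, url):
    """Reduce a message to its campaign template: normalised subject plus
    URL path, with the (rotating) hostname stripped out."""
    path = urlparse(url).path or "/"
    return (subject.strip().lower(), path.lower())


def cluster_by_template(messages):
    """Map each template to the set of distinct hostnames that used it."""
    hosts = defaultdict(set)
    for subject, url in messages:
        host = urlparse(url).hostname
        if host:
            hosts[template_key(subject, url)].add(host)
    return hosts


def suspicious_templates(messages, min_hosts=3):
    """Templates spread across at least `min_hosts` distinct hosts, with
    the sorted list of hosts seen for each."""
    return {key: sorted(hosts)
            for key, hosts in cluster_by_template(messages).items()
            if len(hosts) >= min_hosts}


def is_campaign_member(subject, url, messages, min_hosts=3):
    """True if a new message matches a template already flagged as a
    domain-rotating campaign, regardless of its (possibly new) hostname."""
    return template_key(subject, url) in suspicious_templates(messages, min_hosts)


if __name__ == "__main__":
    for key, hosts in suspicious_templates(SAMPLE_MESSAGES).items():
        print(key, "->", len(hosts), "hosts:", ", ".join(hosts))
```

The threshold `min_hosts` is the knob that trades false positives against speed of detection; a legitimate newsletter links to one host with many paths, which is the opposite shape and never clusters.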

Steer clear of oil-related scams by getting your news updates from known publications and ignoring links in email. As usual, our customers are currently protected from all known variants of these messages.

Skype Used as Bait for Spammers

Tuesday, June 15, 2010 by phread Touchette
There's a spam campaign running into our filters this morning masquerading as Skype password reset notifications. This password reset ploy is obviously very effective, because it won't seem to go away. It seems the word isn't quite out yet, even though this technique has been used constantly for a couple of years now. These Skype links actually lead to the old standby, the fake pharma pages. I wonder how many times the Brooklyn Bridge was sold? That one was a scam too, but not the swamp land I have for sale in South Florida; it's going cheap, first come, first served.