The Deadly Duo: Spam and Viruses, May and June 2007

Through an Italian police investigation, the Guardia di Finanza uncovered and apprehended 18 Italian citizens and eight foreign nationals from Eastern Europe running phishing campaigns targeting Internet users of Poste Italiane’s home-banking services. The criminal investigation was called “Phish & Chip.” The legal action was tracked by Internet security firm Sophos, which also observed a surge of spam posing as greeting cards around the July 4th holiday. It appeared to be a “widespread e-mail spam campaign that poses as a 4th of July greeting card, but is really an attempt to lure innocent computer users to being infected by a Trojan horse and attacked by hackers,” a company report said. The greeting card tactic continued beyond the holiday.

In advance of the recently released “Harry Potter and the Deathly Hallows” novel, a worm called W32/Hairy-A was distributed with the intention of infecting users’ PCs via a USB drive. A file was distributed with the claim of being an advance copy of the seventh and final book in the series. Users who executed the file from a USB drive found a file containing the text, “Harry Potter is dead.” Sophos claims the activated virus created new user accounts on the computer named after the book’s characters, and delivered messages such as “read and repent” and “the end is near.” The malware appears not to have created any financial reward for its authors. Sophos claims it may have been written to show off the platform rather than to steal bank-account log-ins and obtain other financial information.

The FBI launched Operation: Bot Roast to go after spammers and other criminals who use distributed computing to control zombie computers on a botnet. The FBI made three arrests of U.S.-based bot-herders, and investigations to find additional perpetrators are ongoing.

An emerging tactic for growing botnets is discussed in the Q2 2007 report released by Finjan. One new strategy used by hackers and cyber-criminals is to use ad networks to serve ads containing malicious code.

Finjan and other security firms observed the recent shift from malicious attacks spread by e-mail to Web-based attack vectors. “Hackers find [users] no longer click on an executable in e-mail,” said Finjan CTO Yuval Ben-Itzhak. “The attack vector is on the Web, but the URL can come from ads, e-mail, and other sources.”

Exploit Prevention Labs gathered some of the most dangerous search terms known for serving sites laden with malware. Search for “go karts,” “texas tea slots online,” or “Insurance australia,” at your own risk.

Kaspersky reported trends from its online scanner statistics. E-mail worms were the most prevalent of all classes of malicious programs, with four different families and six variants in May’s Online Scanner top 20. The online security firm noted that virus writers creating Trojan downloaders are actively varying the types of files downloaded to include Trojans and adware.