Highest Malware Spam Rate since April 2013

Since 2006, my lab at UAB, part of The Center for Information Assurance and Joint Forensics Research has been gathering spam and finding creative ways to analyze it to find new threats. Last December we licensed that technology to form Malcovery Security who have picked up the reins on the work of finding and reporting on new malicious threats in spam. Between the groups, we've evaluated nearly a billion spam messages, so when one of my analysts says they are seeing something "new" I pretty much listen to them.

This week they said "spam-delivered Malware is going through the roof!" I was traveling when I got that first report but was able to spend some time in the lab with the analysts yesterday, and they weren't kidding!

The new volume levels started on Wednesday, February 5th, with a campaign imitating Bank of America. On February 6th it changed to Visa/Mastercard, and on February 7th it was imitating FedEx. When we say it was extremely high volume, we mean it!

Date    Messages reviewed   Count     Email Subject
Feb 5   1,066,187           171,186   Bank of America Alert: Online Banking Security Measures
Feb 6   1,176,667           303,646   ATTN: Important notification for a Visa / MasterCard holder!
Feb 7   1,113,739           267,445   Some important information is missing
Those numbers indicate that for the last three days this single malware distributor was accounting for 16%, 25.8%, and 24% of all the spam we reviewed! How does that compare to normal? The previous day, February 4th, we considered the "Photos" malware campaign to be heavily spammed when it reached 5% of total spam volume for the day.

Microsoft's Security Intelligence Report (volume 15) showed spam message breakdown for the first half of 2013 like this:

Historically, we've only seen one day, either at UAB or at Malcovery, that had a higher percentage of malware-laden spam. April 17, 2013, the day following the Boston Marathon Bombing, broke all the records for the heaviest spam campaign distributing malware, as we wrote about in Boston Marathon Explosion Spam Leads to Malware. Cisco's 2014 Annual Security Report calls attention to that spam campaign as well, saying that it accounted for 40% of all the spam messages delivered worldwide that day. Their report included this caution about "Breaking News" emails:

Because breaking news spam is so immediate, email users are more likely to believe the spam messages are legitimate. Spammers prey on people’s desire for more information in the wake of a major event. When spammers give online users what they want, it’s much easier to trick them into a desired action, such as clicking an infected link. It’s also much easier to prevent them from suspecting that something is wrong with the message.

Here are some more details about the spam messages that were seen in the past three days:


Computers opening this attachment would try to contact the URLs listed here. The "404.php" is an exploit kit that results in the ".exe" files being dropped: (http is changed to hYYp and spaces added to URLs for your protection)


The IP addresses that would be most critical to block to protect your network would be these. Most of these addresses are on a Russian cloud hosting service, clodo.ru: some on AS48172 OVERSUN (St. Petersburg, Russia, clodo.ru) and others on AS56534 PIRIX-INET-AS (PIRIX, ltd.).


The .exe that gets dropped is ZeuS, though current detection would make that a bit hard to tell. The main file being dropped this morning has the MD5 hash = b32e5922c82208b5fdf6d60503d458f9. Here is the VirusTotal report for that URL as of this timestamp, which is showing greatly improved detection over my original run. ESET, Kaspersky, and Microsoft are all agreeing this is Zeus, while 9 other vendors list some form of "Generic" as the detection name.

Spamming Computers analysis

How often were the same computers used to send these campaigns? We first created three lists of IP addresses used to deliver the spam on each day. I called them ss5ip, ss6ip, and ss7ip for the three days. ss5ip was a list of the 47,380 IP addresses we saw deliver the Bank of America spam on February 5. ss6ip was a list of the 58,532 IP addresses we saw deliver the Visa/MasterCard spam on February 6. ss7ip was a list of the 51,883 IP addresses we saw deliver the FedEx spam on February 7.

ss5ip ∩ ss6ip = 22,500 shared IPs
ss6ip ∩ ss7ip = 25,405 shared IPs
ss5ip ∩ ss7ip = 18,261 shared IPs
16,255 IPs were seen in all three campaigns.

107,987 unique IPs were seen if we combine all three campaigns.

Those 107,987 IP addresses sent Malcovery's spam accounts an average of 6.8 emails each and a median of 4 emails each. The two top spamming IP addresses were 86.64.142.28 (France, 158 messages) and 200.123.8.123 (Peru, 142 messages).

I geo-coded the IP addresses that sent more than 10 emails to us, a total of 21,955 IP addresses from 141 countries. A very unusual number of those IP addresses, more than 45%, are from Spanish-speaking countries. At some point this botnet probably enlarged itself through Spanish-language spam- or website-based malware.

ES 3052 - Spain
AR 2148 - Argentina
US 1841 - United States
CO 1387 - Colombia
MX 1374 - Mexico
IT 1263 - Italy
DE 1025 - Germany
PE 915 - Peru
RO 876 - Romania
BR 833 - Brazil
GB 666 - Great Britain
CL 634 - Chile
FR 537 - France
IL 489 - Israel
CA 379 - Canada
PL 342 - Poland
TR 325 - Turkey
BG 267 - Bulgaria
PT 259 - Portugal
GR 238 - Greece
VE 238 - Venezuela
AT 183 - Austria
RS 180 - Republic of Serbia
EC 131 - Ecuador
CH 118 - Switzerland
IN 116 - India
CZ 104 - Czech Republic
PA 104 - Panama
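The three-day sender-overlap and geo-coding analysis described above, written out as an added example; this is not the post's or Malcovery's own tooling. The per-day sender lists, the message counts and the country lookup are constructed stand-ins (documentation-range IPs), so the numbers are illustrative, not the campaign's.

```python
from collections import Counter
from statistics import mean, median

# Constructed sample standing in for the per-day sender lists (ss5ip, ss6ip, ss7ip):
# campaign -> {sender IP: messages received}. IPs are documentation ranges, not real senders.
DAY_LOGS = {
    "ss5ip": {"198.51.100.1": 12, "198.51.100.2": 3, "203.0.113.7": 1, "192.0.2.9": 8},   # Feb 5, Bank of America
    "ss6ip": {"198.51.100.1": 20, "198.51.100.2": 4, "192.0.2.10": 2, "192.0.2.9": 6},   # Feb 6, Visa/MasterCard
    "ss7ip": {"198.51.100.1": 15, "203.0.113.7": 2, "192.0.2.10": 5, "192.0.2.9": 11},   # Feb 7, FedEx
}
# Constructed country lookup standing in for a GeoIP database (hypothetical values).
GEO = {"198.51.100.1": "ES", "198.51.100.2": "US", "203.0.113.7": "AR",
       "192.0.2.9": "PE", "192.0.2.10": "DE"}
SPANISH_SPEAKING = {"ES", "AR", "CO", "MX", "PE", "CL", "VE", "EC", "PA"}

def campaign_overlap(day_logs):
    """Size of each pairwise intersection, the three-way intersection and the union of sender sets."""
    names = list(day_logs)
    sets = [set(day_logs[n]) for n in names]
    result = {}
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            result[(names[i], names[j])] = len(sets[i] & sets[j])
    result["all"] = len(set.intersection(*sets))
    result["union"] = len(set.union(*sets))
    return result

def per_ip_stats(day_logs, min_messages=10):
    """Messages per unique sender across all campaigns: mean, median, busiest and heavy senders."""
    totals = Counter()
    for counts in day_logs.values():
        totals.update(counts)  # the same IP on several days is summed, not double-counted
    values = list(totals.values())
    return {
        "unique_ips": len(totals),
        "mean": mean(values),
        "median": median(values),
        "top": totals.most_common(2),
        "heavy_senders": sorted(ip for ip, n in totals.items() if n > min_messages),
    }

def country_share(ips, geo, group):
    """Per-country tally of the given senders and the fraction that fall inside `group`."""
    tally = Counter(geo.get(ip, "??") for ip in ips)
    in_group = sum(n for cc, n in tally.items() if cc in group)
    return tally, (in_group / len(ips) if ips else 0.0)
```

Feeding the real per-day sender lists into `campaign_overlap` reproduces the intersection and union counts quoted above; `per_ip_stats` gives the mean/median per sender and the "more than 10 emails" subset that was geo-coded.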
