Posts Tagged ‘ malware ’


IT security and data protection firm Sophos has published its report on the latest trends in spam, revealing the top twelve spam-relaying countries for the second quarter of 2009. By scanning all spam messages caught in SophosLabs’ global network of spam traps, researchers have identified the top ‘Dirty Dozen’ spam-relaying nations between April and June this year.

During the second quarter of 2009, the USA continued to relay more spam than any other country: the nation’s 15.6% contribution to global spam traffic means that roughly one in six junk e-mails was sent through compromised computers in the country. In contrast, Russia, a former spam super-power, continues to fall down the ranks.

Russia currently sits in ninth position, relaying a mere 3.2% of spam messages. This is a significant reduction compared to the same period last year, when the country came second only to the United States and was responsible for relaying 7.5% of all spam e-mails.

Poland has seen the biggest single increase in spam output since the last quarter, moving up from tenth to sixth place in this global ‘hall of shame’, with the country now responsible for relaying 4.2% of all the world’s electronic junk messages.  Colombia is the only nation to have left the ‘Dirty Dozen’ since Q1 2009, with Vietnam a new entry this quarter.

The top twelve countries responsible for relaying spam across the globe between April and June 2009 are as follows:

1.  United States                15.6%
2.  Brazil                       11.1%
3.  Turkey                        5.2%
4.  India                         5.0%
5.  South Korea                   4.7%
6.  Poland                        4.2%
7.  China (including Hong Kong)   4.1%
8.  Spain                         3.4%
9.  Russia                        3.2%
10. Italy                         2.8%
11. Argentina                     2.5%
12. Vietnam                       2.3%
    Others                       35.9%

“Barack Obama’s recent speech on cybersecurity emphasised the threat posed by overseas criminals and enemy states, but these figures prove that there is a significant problem in his own back yard. If America could clean up its compromised PCs, it would be a considerable benefit to everyone around the world who uses the net,” said Graham Cluley, senior technology consultant for Sophos. “All Web users need to properly defend their computers from attack, and pledge to never act upon spam messages.”

Spammers exploiting new vectors of attack
Over the past year, the booming popularity of social networking, and in particular the micro-blogging service Twitter, has driven growth in services such as TinyURL, bit.ly and is.gd. These services create conveniently shortened links that redirect to Web pages with lengthier URLs. Hackers exploit them to obscure links to offensive material or malicious Web sites, then distribute the links in spam e-mails and post them on Twitter and other networks.

Earlier this year, link-shortening service Cligs was attacked by hackers, who redirected links created with the service to a single site of their choice – demonstrating how unsuspecting Web users can find themselves visiting unexpected Web sites when clicking on shortened links.  As social networking and related online services continue to grow in popularity, Sophos experts note that poorly protected computer users could become more vulnerable to a wider range of spam attacks.

“Clearly the problem isn’t going away, as is illustrated by the large number of sprawling spam campaigns we see on a daily basis,” continued Cluley. “Although it may seem encouraging to see reductions in the volume of spam that certain countries are contributing, authorities, ISPs and home users across the world need to be doing more to crack down on the spam problem.”

Spam relayed by continent, April-June 2009
Overall by continent, Asia continues to be the biggest offender. Almost a third of spam messages originated in the region during the second quarter of 2009, with South Korea and China named as the biggest contributors (although, by the country table above, India relayed more than either).

1.  Asia            31.7%
2.  Europe          27.1%
3.  South America   19.4%
4.  North America   18.8%
5.  Africa           2.0%
6.  Oceania          0.6%
    Others           0.4%

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at their e-mail and Web gateways to defend against viruses and spam.

By Jeremy Kirk

Twitter is suspending the accounts of some users whose computers have fallen victim to a well-known piece of malicious software that has targeted other sites such as Facebook and MySpace.

The malware, Koobface, is designed to spread itself by checking to see if a person is logged into a social network. It will then post fraudulent messages on the person’s Twitter account trying to entice friends to click the link, which then leads to a malicious Web site that tries to infect the PC.

The popular microblogging service has had a strong impact as a new communication platform, such as providing on-the-ground insight from participants in the recent protests over the presidential election in Iran. But it is also being targeted by fraudsters and hackers, who use it as a way to infect people’s PCs with malicious software.

Twitter is the latest site to be targeted by a Koobface variant, said Rik Ferguson, senior security advisor for Trend Micro. Other sites have included Bebo, Hi5, Friendster and LiveJournal, according to the US Computer Emergency Readiness Team.

“Koobface has a long, inglorious history and has been relatively successful at infecting machines,” Ferguson said.

At least a couple hundred accounts have been infected by Koobface’s latest efforts, according to Ryan Flores, an advanced threats researcher, writing on Trend’s blog. When it made its first appearance a couple of weeks ago on Twitter, Koobface was just sending out three shortened URLs (Uniform Resource Locators) leading to malware. Flores wrote that Koobface is sending out more bad links this time around.

The use of URL shortening services on Twitter has made it difficult for people to tell what Web site they’ll end up at, Ferguson said. However, Twitter tools such as TweetDeck will show the full URL, which can help people make a better security judgement, he said.

Some of Koobface’s bad links have advertised, for example, videos of Michael Jackson, where the malware writers are trying to pique people’s interest in current news events, said Graham Cluley, senior technology consultant for Sophos. If a person followed the link, it would lead to a Web site asking the user to download an upgrade for their Flash multimedia players but is actually Koobface, he said.

But Twitter has been fairly quick at shutting down accounts of people who are infected with Koobface and resetting their passwords, Cluley said.

Malware has also spread on Twitter via fake accounts that have been registered using automated tools. Ferguson said Twitter could somewhat guard against that by sending a verification link to an e-mail address during registration, making it more difficult to register dummy accounts en masse.

“That’s real low-hanging fruit for them to address,” Ferguson said.

Koobface gets instructions from a command-and-control server, which tells the malware which messages to send out. Koobface is dangerous on other levels, however, as it can also steal data from a PC or download other malware.

Security software suites should generally detect early versions of Koobface. However, its creators are crafting variants of the malware to try to escape detection, Ferguson said. They do that by obfuscating Koobface’s code and compressing it, which can make it more difficult for security software to spot.
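The paragraph above says the Koobface authors compress and obfuscate new builds to slip past signature scanners. One heuristic analysts use against exactly that is a sliding-window Shannon-entropy profile: compressed or encrypted code sits close to 8 bits per byte, plain code and strings sit well below. The following is an added example, not Trend Micro's or any vendor's detection logic; the sample file is constructed (a repeated text stub followed by a hash-chained pseudo-random blob standing in for a packed payload), and the 1024-byte window and 7.0 bits/byte threshold are choices for illustration.

```python
"""Locate high-entropy (compressed or encrypted) regions inside a file with a
sliding Shannon-entropy window. Example added to this article; it is not
Trend Micro's or any other vendor's detection code."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_profile(data: bytes, window: int = 1024):
    """Entropy of each consecutive window; the last window may be shorter."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Merge adjacent windows at or above the threshold into (start, end) byte ranges.
    Plain x86 code and text usually sit below 7.0 bits/byte; packed, compressed
    or encrypted payloads usually sit above it (threshold chosen for illustration)."""
    regions = []
    start = None
    for idx, h in enumerate(entropy_profile(data, window)):
        offset = idx * window
        if h >= threshold and start is None:
            start = offset
        elif h < threshold and start is not None:
            regions.append((start, offset))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def packed_fraction(data: bytes, window: int = 1024, threshold: float = 7.0) -> float:
    """Share of the file covered by high-entropy regions, 0.0 to 1.0."""
    if not data:
        return 0.0
    covered = sum(end - start for start, end in high_entropy_regions(data, window, threshold))
    return covered / len(data)


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed payload
    (constructed test data; hash chaining avoids depending on os.urandom)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample: a readable stub followed by an opaque blob, the shape a
# packed executable presents to a scanner. Not taken from any real sample.
STUB = (b"This program cannot be run in DOS mode.\r\n" * 40)[:1024]
BLOB = pseudo_random(4096)
SAMPLE = STUB + BLOB

if __name__ == "__main__":
    for start, end in high_entropy_regions(SAMPLE):
        print(f"high-entropy region at 0x{start:x}-0x{end:x}")
    print(f"packed fraction: {packed_fraction(SAMPLE):.2f}")
```

A high packed fraction is a reason to look closer, not a verdict: legitimate installers and media files are also high-entropy, so the heuristic is a triage signal to pair with the scanner's own verdict, not a replacement for it.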

Kaspersky Lab saw an explosion of Koobface modifications throughout June, which the company attributes to the summer vacation season across the northern hemisphere. In just one month, the number of variants detected jumped from 324 at the end of May 2009 to almost 1,000 by the end of June 2009.

Koobface, the infamous worm, was first detected by Kaspersky Lab as Net-Worm.Win32.Koobface and instantly became notorious when it appeared almost a year ago targeting Facebook and MySpace accounts. The worm spreads from a legitimate user’s account to their friends’ profiles. Comments and messages sent by the worm contain a link to a fake YouTube-style Web site that invites users to download a “new version of Flash Player”. What is downloaded to the victim’s machine is the worm, not a media player, and the newly infected user in turn starts sending the same messages to his or her friends. The worm’s functionality has since been extended: Koobface now targets more social networking Web sites, including Facebook, MySpace, Hi5, Bebo, Tagged, Netlog and, most recently, Twitter.

As social networks such as Facebook or Twitter are becoming increasingly popular, attacks targeting them are also gaining momentum.

“This sign of increased cybercriminal activity involving social networks in the past month proves that the strategies being used by the bad guys to infect users are much more efficient when adding the social context to their attacks,” says Stefan Tanase, malware researcher at Kaspersky Lab. “June 2009 marks an important milestone in the evolution of social networking malware — the activity we’ve seen this month exceeds by far any other month in the past.”

Kaspersky Lab offers a few tips for users:

  • Be cautious when opening links coming through suspicious messages, even if the sender is one of your trusted Facebook friends.
  • Use either Internet Explorer 7 running in protected mode or Firefox with NoScript installed.
  • Divulge as little personal information as possible. Do not give out your home address, phone number or other private details.
  • Keep your antivirus software updated to prevent new versions of malware from attacking your computer.

Kaspersky Lab users running any of the Company’s current anti-malware products are fully protected from all known variants of Net-Worm.Win32.Koobface. Kaspersky Lab’s global team of analysts are keeping a close eye on all threats coming from the social networking space, monitoring the malicious activity and constantly updating the protection customers receive.

IT security and control firm Sophos is today warning computer users to exercise extra caution when using email, following the discovery of a mass-mailing worm attack that is currently spreading via a malicious email campaign.

The email, which has the subject line ‘Remembering Michael Jackson’ and claims to come from ‘sarah@michaeljackson.com’, says that an attached ZIP file, titled ‘Michael songs and pictures.zip’, contains secret songs and photos of Michael Jackson.


(Image: a sample of the Michael Jackson-themed e-mail carrying the malware.)

However, opening the attachment exposes the computer to infection. Once infected, a computer begins automatically spreading the worm to other Internet users. Besides spreading via email, Sophos experts note that the malware can also spread as an Autorun component on USB memory sticks, an increasingly common trend for malware as these devices become more popular.
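The Autorun spread route described above works through an autorun.inf file on the root of the stick, which tells Windows what to launch or how to present the drive. As an added example (not Sophos' detection logic, and with both sample files constructed rather than taken from any real infection), the following triage script lists the directives in an autorun.inf that would run a program, hijack an Explorer verb, or dress the entry up to look like an ordinary drive, and grades the file accordingly. It assumes the standard autorun.inf keys (open, shellexecute, shell\verb\command, useautoplay, action, icon, label) and a hand-rolled INI walk, because infected files are frequently padded with junk lines that stricter parsers reject.

```python
"""Triage an autorun.inf from removable media: list the directives that would
make Windows launch a program or disguise the drive. Added example, not Sophos'
detection logic; the sample files below are constructed for illustration."""
import re

LAUNCH_KEYS = {"open", "shellexecute"}
EXECUTABLE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|wsf|dll)(\s|,|$)", re.IGNORECASE)


def parse_autorun(text: str):
    """Minimal INI walk that keeps duplicate keys and ignores junk lines.
    Malicious autorun.inf files often pad themselves with garbage to upset
    stricter parsers, so anything that is not key=value inside a section is skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def triage_autorun(text: str):
    """Return {'severity': 'none'|'medium'|'high', 'findings': [...], 'launches': [...]}."""
    findings = []
    launches = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in LAUNCH_KEYS:
            launches.append(value)
            findings.append(f"{key}={value}: runs a program on insert/AutoPlay")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            launches.append(value)
            findings.append(f"{key}={value}: hijacks an Explorer context-menu verb")
        elif key == "useautoplay" and value == "1":
            findings.append("useautoplay=1: requests AutoPlay handling as if the device were a CD")
        elif key == "action" and "open folder" in value.lower():
            findings.append(f"action={value}: mimics the default 'Open folder to view files' prompt")
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append(f"icon={value}: borrows a system icon so the entry looks like a plain drive")
    severity = "none"
    if launches:
        # Anything that launches is bad news; an executable target is the worst case.
        severity = "high" if any(EXECUTABLE.search(v) for v in launches) else "medium"
    elif findings:
        severity = "medium"
    return {"severity": severity, "findings": findings, "launches": launches}


# Constructed samples (not taken from any real infection).
SUSPICIOUS_INF = """[autorun]
open=setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=setup.exe
useautoplay=1
"""

BENIGN_INF = """[AutoRun]
icon=driveicon.ico
label=Backup Drive
"""

if __name__ == "__main__":
    for name, inf in (("suspicious", SUSPICIOUS_INF), ("benign", BENIGN_INF)):
        result = triage_autorun(inf)
        print(name, result["severity"])
        for finding in result["findings"]:
            print("  -", finding)
```

The script only reads the file; it does not touch AutoPlay settings. On a host you control, the durable fix is still to disable AutoRun for removable media and keep the scanner current, as the article recommends.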

“In light of the huge interest in Jackson since his sudden death, there are likely to be many computer users who are tempted into opening the attachment,” said Graham Cluley, senior technology consultant at Sophos. “But sensible computer users should by now be well aware that cybercriminals will be quick to exploit news events to spread malware and spam.  Anyone who receives this email should delete it immediately to save themselves the embarrassment of infecting their email contacts.”

Sophos detects the malware proactively as Mal/ZipMal-B and Mal/VB-AD, and recommends that users of other anti-virus products ensure that their defences are properly updated.

Jonathan Leopando
Technical Communications
Trend Lab

Earlier today Rik Ferguson at the Countermeasures blog posted about a new malware threat that came from Twitter. The details are at his post but the short version is as follows: Somehow, the Twitter account of noted venture capitalist, Guy Kawasaki, was compromised and a malicious tweet was posted. It came with a link that claimed to connect to a free download of the latest Hollywood sex tape, one belonging to the actress from the TV series Gossip Girl, Leighton Meester. While the tape may be real and quite timely, the link wasn’t, as after making the user jump through a few hoops, he/she ends up being asked to download… what else (?) but a malicious file.

If this all sounds a little familiar, it should be. It has been said that sex sells, and, in this case, it does so particularly well. In addition, because it was seen on the Twitter feed of a fairly reputable person, Guy Kawasaki, people would think it wasn’t necessarily malicious.

Somewhat uniquely, both Mac and Windows users are affected by this threat. Mac users automatically download OSX_JAHLAV.B while visiting the malicious sites. This arrives as cold-live7000.dmg, a disk image file that contains an INSTALL.PKG file, which in turn contains the preinstall and preupgrade files, both detected as UNIX_JAHLAV.A. Executing the INSTALL.PKG file displays a message prompting the user to click Continue to finish installing the software (or, rather, the malware), while connecting to the IP address {BLOCKED}.102.{BLOCKED}.106 to download and execute additional components in the background.

Windows users, on the other hand, download TROJ_JAHLAV.B. As with its OS X counterpart, this can be unknowingly downloaded by users while visiting malicious sites. And like the former, it displays a graphical user interface (GUI) to hide its execution, which can be triggered by clicking any button. It then connects to a site from which it downloads TROJ_ALLUREON.AME, which exhibits malicious routines on the affected system.

Fortunately, through the Trend Micro Smart Protection Network, all of the malicious sites are blocked and all related malware is detected. Thus, users need not worry about being infected.

Users should always be careful about the sites they visit, even if the link comes from a safe source, lest they suffer the same fate as the proverbial curious cat.

Spammers break into Twitter

June 24, 2009

It finally happened to Twitter.

Spammers ride the latest trend, and recently they have turned their attention to micro-blogs such as Twitter. As everyone logs in to Twitter, spammers, too, log on to tweet, this time about various weight-loss products and drugs and other tidbits on how to lose weight.

Capitalizing on people’s obsession over the topic of weight, spammers infiltrate users’ accounts to post messages with links connecting to weight-loss drugs. Spam tweets even use TinyURL so that their posts look like the usual harmless tweets, only to redirect victims to spam sites.
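The Sophos report earlier on this page, Rik Ferguson's remark that tools showing the full URL help people judge a link, and the TinyURL spam tweets described above all come down to the same check: resolve where a shortened link actually goes before anyone clicks it. The following is an added example, not code from Sophos, Trend Micro, Twitter or any shortener. It walks a redirect chain one hop at a time with HEAD requests and never loads the final page; the shortener host list is an assumption drawn from the services named on this page (plus Cligs' cli.gs), and the redirect map used for the offline run is constructed. Some real shorteners refuse HEAD with a 405, in which case the same walk with a GET whose body is discarded is the fallback.

```python
"""Expand a shortened URL by following HTTP redirects one hop at a time, without
ever loading the final page. Example code added to this article; not Sophos',
Trend Micro's or Twitter's code."""
from urllib.parse import urlparse, urljoin
import urllib.error
import urllib.request

# Shortener hosts named on this page (assumption: treat anything else as a real destination).
SHORTENERS = {"tinyurl.com", "bit.ly", "is.gd", "cli.gs"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_fetch(url, timeout=5):
    """Issue one HEAD request and return (status, Location header or None).
    Only used against the live network; the offline run below uses fake_fetch."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # 3xx is raised once redirects are disabled
        return err.code, err.headers.get("Location")


def expand(url, fetch=head_fetch, max_hops=10):
    """Follow redirects hop by hop. Returns the chain, the final URL and why the
    walk stopped: 'landed', 'loop', 'no_location' or 'too_many_hops'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return {"chain": chain, "final": chain[-1], "stop": "landed"}
        if not location:
            return {"chain": chain, "final": chain[-1], "stop": "no_location"}
        nxt = urljoin(chain[-1], location)      # Location may be relative
        if nxt in seen:
            return {"chain": chain + [nxt], "final": nxt, "stop": "loop"}
        seen.add(nxt)
        chain.append(nxt)
    return {"chain": chain, "final": chain[-1], "stop": "too_many_hops"}


def is_obscured(result):
    """True when a shortener chain ends somewhere other than another shortener,
    i.e. the visible link told the reader nothing about where they would land."""
    first = urlparse(result["chain"][0]).hostname or ""
    last = urlparse(result["final"]).hostname or ""
    return first in SHORTENERS and last not in SHORTENERS


# Constructed, offline redirect map standing in for real shortener responses.
FAKE_WEB = {
    "http://tinyurl.com/abc": (301, "http://bit.ly/xyz"),
    "http://bit.ly/xyz": (302, "http://example.test/flash_update.exe"),
    "http://example.test/flash_update.exe": (200, None),
    "http://is.gd/loop1": (302, "http://is.gd/loop2"),
    "http://is.gd/loop2": (302, "/loop1"),
}


def fake_fetch(url):
    """Offline stand-in for head_fetch driven by FAKE_WEB."""
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    r = expand("http://tinyurl.com/abc", fetch=fake_fetch)
    print(" -> ".join(r["chain"]), "|", r["stop"], "| obscured:", is_obscured(r))
```

Run the chain walk from a host that is allowed to talk to the shortener but not to the destination (a sandbox or a proxy-restricted box), and feed the final host to whatever reputation check you already have; the point is that the decision is made on the landing site, not on the shortener's domain.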

According to the Trend Micro Malware Blog, “Hacked Twitter accounts are being used to post messages that promote weight-loss drugs. The messages vary in the stated text, but generally state the same message and are all followed by a link that leads to websites where the drugs are being sold. Searches through Twitter for ‘$5 acai’ yield the posts of users whose accounts were hacked.”

Trend Micro’s Smart Protection Network blocks this sort of spam and keeps you safe against these cybercriminals. Trend Micro leverages patent-pending technology to correlate the threat data gathered through a network of proactive e-mail, Web and file reputation technologies, Web crawlers, honeypots and global threat sensors of customers, partners, and threat research and support centers to combat even the most sophisticated sequential and blended threats. Built-in feedback loops and communication between Trend Micro products and services ensure automatic and immediate protection against the latest threats and provide “better together” security, much like the neighborhood watch crime-fighting systems that exist today in many communities.

Kaspersky Lab, a developer of secure content management systems, has responded to the latest phishing attack on Facebook with a practical guide for all Internet users on how to stay safe online from the threats of cybercrime. The Internet security vendor advises that malicious code distributed via social networking sites is 10 times more effective, in terms of successful infection, than malware spread via email.

On May 15, Facebook was hit by another phishing attack, a tactic designed by cybercriminals to steal a person’s identity, gather personal data and use this to defraud the victim of their money.

David Emm, a member of the Global Research and Analysis Team at Kaspersky Lab explains,  “Given the phenomenal success of Facebook, Twitter and other popular social networking sites, it should come as no surprise that it has attracted the attention of cybercriminals and the threat shows no signs of abating.”

“Phishing scams succeed by luring in their victims under the pretense of something that at first glance may appear legitimate. Remaining vigilant and taking the right precautions is the key to not falling into their trap,” he added. 

Malicious code distributed via social networking sites is suggested to be 10 times more effective, in terms of successful infection, than malware spread via email. Internet users are far more likely to click on a link received from a trusted friend than on a link in a random spam message. Kaspersky Lab has recently seen a massive increase in phishing attacks on the Facebook login page. Cybercriminals have been using the site’s internal message system to send short messages that direct visitors to a website purposely designed to clone Facebook’s log-in screen.

 

Kaspersky Lab’s top tips for protecting against phishing attacks

  • For sites such as Facebook, create a bookmark for the login page, or type the URL directly into the browser address bar.
  • Don’t click on links in e-mail messages.
  • Only type in confidential data on a secure web site.
  • Check your bank account(s) regularly and report anything suspicious to your bank.
  • Look for giveaway signs of phishing e-mails:
    - if it’s not addressed to you personally;
    - if you’re not the only recipient;
    - if there are spelling mistakes, poor grammar or syntax, or other clumsy use of language.
  • Install Internet security software and keep anti-virus updated.
  • Install security patches.
  • Be wary of unsolicited e-mail or IM messages.
  • Be careful about logging in with Administrator rights.
  • Back up your data.

 

Emm provides a final word of warning: “High profile reports of scams such as the latest Facebook attempt raise awareness of the risk of cybercrime, but it is important to make clear that it is not an isolated incident as we are detecting over 17,000 new Internet threats everyday.”

IT security and control firm Sophos has revealed that a new Web-based attack, JSRedir-R, has blown all previous Web-based malware out of the water, and is currently being found six times more often than its nearest rival.

During the last seven days, almost half of all malicious infections found on Websites were caused by Troj/JSRedir-R.  Mal/Iframe-F, which has been the most widespread Web-based threat for more than a year, accounted for just seven percent of infections this week.  Overall, Sophos sees one new infected Webpage every 4.5 seconds – three times more than in 2007.

“No one should be in any doubt that the Web is still the main vector of attack for cybercriminals, and this new threat suggests this situation isn’t going to change anytime soon,” said Graham Cluley, senior technology consultant at Sophos. “The problem is that too many computer users still think there’s no danger in surfing the Web, but with legitimate sites often falling victim to these attacks, it’s time to wake up. Hackers won’t stop targeting the Web as it’s proving a successful way for them to spread their infections. To combat this, it’s essential to scan every Website for malicious code before visiting it.”

JSRedir-R, which has been found on high traffic legitimate Websites, loads malicious content from third-party sites (including one called Gumblar.cn, inspiring some security vendors to dub the threat ‘Gumblar’) without users’ knowledge.  The malware can then be used to steal sensitive information for financial gain, to commit identity theft or to meddle with search engine results.

Sophos customers are already protected against this threat.  Sophos advises users of other anti-malware solutions to check their products are updated and offering protection.

For more information, including a chart showing JSRedir-R’s dominance over other malware infections, please visit Graham Cluley’s blog at http://www.sophos.com/blogs/gc/g/2009/05/14/malicious-jsredir

Around five to six million computers are currently believed to be infected by Kido (aka Conficker, Downadup), one of the most notorious malicious software programs to hit the Internet recently, according to security company Kaspersky Lab.

In a videoconference dubbed “Presenting the truth about malware speculation”, Kaspersky Lab said the huge botnet formed by computers infected by Kido potentially provides cybercriminals with the means to conduct devastating DDoS (distributed denial-of-service) attacks on any Internet resource, to steal confidential data from both home users and corporate networks, and to distribute unsolicited content (e.g. mass spam mailings).

Vitaly Kamluk, director of Kaspersky Lab’s Global Research and Analysis Team (GReAT), said there were 126,594 PCs in the Philippines infected by the Conficker worm as of March 2009. Kaspersky Lab’s data showed the Philippines ranked 19th globally among countries with the most Conficker infections, topped by China with 2,649,674, Brazil with 1,017,825 and Russia with 835,970. In the South-East Asian region, the Philippines came fourth, behind Malaysia (212,477), Thailand (165,080) and Indonesia (164,794).

Citing figures from research firm Consumer Economics, Kaspersky Lab says the annual global financial damages from malware attacks on businesses exceeded US$ 13 billion in 2007.

Six countries across South-East Asia took part in the videoconference: the Philippines, Malaysia, Singapore, Indonesia, Thailand and Vietnam.

“There is no definite amount on how much damage the Conficker virus has made on businesses so far, because it continues to spread at a phenomenal rate and cybercriminals have become more sophisticated in creating difficult-to-detect malware such as Conficker to steal important data from our devices,” said Suk Ling Gun, managing director of Kaspersky Lab South-East Asia.

“As a preventive measure against future malware attacks such as Conficker, Kaspersky Lab advises PC owners and IT managers of companies to treat this issue seriously and not remain complacent — Internet users need to constantly educate themselves and update their security software,” said Gun.

Kaspersky Lab has implemented detection and treatment for a new variant of a unique MBR rootkit.

The new variant of Sinowal, a malicious program that is capable of hiding its presence in the system by infecting the Master Boot Record (MBR) on the hard drive, was detected by the company’s experts at the end of March 2009.

Throughout 2008, Kaspersky Lab’s analysts provided detailed reports about other variants of this rootkit: in the first quarterly report on malware evolution and in the article “Bootkit: the challenge of 2008”. However, the new variant has come as a surprise for researchers. Unlike earlier versions, the new modification, Backdoor.Win32.Sinowal, penetrates much deeper into the system to avoid being detected. The stealth method used in this variant hooks device objects at the operating system’s lowest level. This is the first time cybercriminals have used such sophisticated technologies. This explains why no antivirus products could treat computers infected with the new Sinowal modification or even detect it when it first appeared. Once the bootkit penetrates the system, it conceals the payload’s activities, which are designed to steal user data and various account details.

According to Kaspersky Lab’s experts, over the last month the bootkit has been actively spreading from a number of malicious sites running the Neosploit exploit kit. In particular, it can penetrate a system via a vulnerability in Adobe Acrobat Reader, triggered by a malicious PDF file loaded without the user’s knowledge.

Implementing detection and treatment for the bootkit, which is still spreading throughout the Internet, is the most difficult task that antivirus specialists have faced for a number of years. Kaspersky Lab was one of the first major antivirus vendors to incorporate both detection and successful treatment for the new Sinowal modification in its personal antivirus solutions.

To check whether the bootkit has infected a computer, users must update their antivirus databases and perform a complete system scan. If the bootkit is detected, the computer will need to be rebooted during the treatment process.
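The Sinowal variant described above hides by infecting the Master Boot Record, so the first thing an analyst wants is a way to read sector 0, check that it is still a sane MBR, and compare its boot code against a hash recorded when the machine was known to be clean. The following is an added example, not Kaspersky Lab's detection or disinfection code; the clean and infected sectors are constructed, and the partition layout in them is an assumption. The caveat the article itself points at: a bootkit that hooks device objects at the lowest level of the OS can serve the original sector back to anything reading the disk from the infected system, so a clean result from the running OS is only a first check, and the reading that counts is taken from trusted boot media or with the disk attached to another machine.

```python
"""Read and sanity-check a Master Boot Record, and compare its boot code with a
recorded baseline. Added example for this article; not Kaspersky Lab's detection
or disinfection code. The sector bytes below are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code; 446..509: four 16-byte partition entries
BOOT_SIGNATURE = 0xAA55      # bytes 510..511 are 0x55 0xAA, read as little-endian 0xAA55


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        offset = BOOT_CODE_LEN + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    (signature,) = struct.unpack_from("<H", sector, 510)
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature": signature}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector looks as recorded."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if any(p["status"] not in (0x00, 0x80) for p in mbr["partitions"]):
        findings.append("partition entry with invalid status byte")
    if sum(1 for p in mbr["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    return findings


def read_mbr(device_path: str) -> bytes:
    r"""Read sector 0 from a raw device, e.g. \\.\PhysicalDrive0 on Windows or
    /dev/sda on Linux (needs administrator/root; not exercised by the offline run)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    for status, ptype, lba_start, sectors in partitions:
        sector += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3,
                              lba_start, sectors)
    sector += b"\x00" * (16 * (4 - len(partitions)))   # unused entries stay zeroed
    sector += struct.pack("<H", BOOT_SIGNATURE)
    return bytes(sector)


# Constructed "clean" sector: a few real-looking setup instructions padded with
# NOPs, and one active NTFS-type (0x07) partition starting at LBA 63 (assumed layout).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 2_000_000)])
BASELINE = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()   # recorded while known clean

# The same sector with its first bytes overwritten, the way a bootkit diverts the
# boot path before the operating system loads. Constructed, not a real sample.
INFECTED_MBR = bytes([0xEB, 0x20]) + CLEAN_MBR[2:]

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

Record the baseline hash at build time and keep it off the machine; on suspicion, boot from clean media, run the same check against the disk, and only trust the comparison taken that way.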

Kaspersky Lab specialists also recommend that users install all the necessary patches to close vulnerabilities in Acrobat Reader and in any browsers they use.

About Kaspersky Lab

Kaspersky Lab delivers the world’s most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. Kaspersky Lab products provide superior detection rates and the industry’s fastest outbreak response time for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky technology is also used worldwide inside the products and services of the industry’s leading IT security solution providers. For further information, please visit www.kaspersky.com. For the latest on anti-virus, anti-spyware, anti-spam and other IT security issues and trends, please visit www.viruslist.com.
