Boutique Malware: Custom-Made for the Executive Suite
A malware spam scheme that started in early June surfaced as an apparent e-mail from the Better Business Bureau. The message appeared to be legitimate and differed from previous types of e-mail scams. For instance, the spammers sent the message on a much smaller scale in an attempt to fly under the radar of most service providers. It was sent primarily to executive-level company managers.
06/23/07 1:30 AM PT
Since late May, a sophisticated group of spammers has been targeting high-salaried workers at select corporations with a spam attack that uses e-mail disguised as messages from the Better Business Bureau (BBB), the Internal Revenue Service (IRS) and the Federal Trade Commission (FTC).
A fourth variation of the spam attack surfaced the second week of June as an e-mail invoice from a variety of companies seeking payment for services rendered.
"The Trojan is unusually capable. It sits in the compromised computer and captures specific types of sensitive personal data before it gets encrypted through the SSL socket. It gathers names, passwords, account numbers, etc.," Paul Henry, vice president for technology evangelism at Secure Computing, told TechNewsWorld.
The continuing attacks appear to be from the same group. The wording, data location and Trojan are the same. The only thing changed in each new appearance is the attack vector, according to several security experts who spoke with TechNewsWorld.
The Scam Framework
The malware spam that started in early June surfaced as an apparent e-mail from the BBB. The message appeared to be legitimate and differed from previous types of e-mail scams.
For instance, the spammers sent the message on a much smaller scale in an attempt to fly under the radar of most service providers. It was sent primarily to executive-level company managers.
When recipients clicked on a link in the message to respond, a keylogger was installed, defeating the SSL protection of Web sites. The keystrokes were captured directly from the users' keyboards, before they ever entered the SSL-encrypted session, so the encryption offered no protection.
Around May 25, someone located the gathered data, stored in a single massive file, said Henry. This was the drop site holding all of the captured information.
"The Trojan was gathering about 70 MB of captured data per day, approximately. That data size was growing exponentially when the attack target changed from the BBB to the IRS."
By early June, spammers started sending the same structured message as correspondence from the IRS. The only real difference this time was the lack of a link to download and install the Trojan that activated the key logger malware. Instead, the spammers attached a Rich Text Format (RTF) document capable of being opened by any word processor.
"The RTF file contained a hidden executable file which installed the same key logger software that invalidates SSL encryption," Sam Masiello, director of MX Logic's threat research team, told TechNewsWorld. "That was discovered around June 12."
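The article does not say how the executable was hidden inside the RTF file; one common way to carry a binary inside RTF is an embedded OLE object, whose bytes sit hex-encoded in a \*\objdata group. The scanner below is an added example, not code from the article or from any vendor quoted in it, and it assumes that embedding mechanism: it walks the RTF control words, decodes each \*\objdata payload and flags OLE compound-file headers, MZ executable markers and the OLE "Package" class that wraps arbitrary files. The two RTF documents it checks are constructed for the example.

```python
import binascii
import re

# Magic values looked for inside decoded \objdata payloads.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound-file header
MZ_MAGIC = b"MZ"                                # DOS/PE executable marker

# Control words that indicate an embedded or linked object, plus the OLE
# "Package" class, which is used to wrap arbitrary files (including .exe).
SUSPICIOUS_WORDS = (b"\\objemb", b"\\objautlink", b"\\objdata",
                    b"\\objclass package")

# Constructed sample: a plain notice with no embedded objects.
SAMPLE_RTF_CLEAN = (rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
                    rb"\pard Dear customer, thank you for your payment.\par}")


def build_sample_with_object() -> bytes:
    """Constructed sample: a benign-looking notice carrying an embedded OLE
    'Package' object whose hex-encoded payload holds an OLE compound-file
    header followed by an MZ marker, the shape of a smuggled executable."""
    payload = (bytes.fromhex("01050000")   # OLE1 object header: version
               + bytes.fromhex("02000000")  # format id 2: embedded object
               + OLE_MAGIC + b"\x00" * 8 + MZ_MAGIC + b"\x90\x00")
    hexdata = payload.hex().encode()
    return (rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
            rb"\pard Your notice is attached.\par"
            rb"{\object\objemb{\*\objclass Package}"
            rb"{\*\objdata " + hexdata + rb"}}}")


def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode the hex payload of every \\*\\objdata group in the document."""
    blobs = []
    for m in re.finditer(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # odd nibble count: drop the dangling one
            hexdata = hexdata[:-1]
        try:
            blobs.append(binascii.unhexlify(hexdata))
        except binascii.Error:
            continue                  # malformed hex: nothing to inspect
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Return whether the RTF carries an embedded object and why it was flagged."""
    findings = []
    lower = rtf.lower()
    for word in SUSPICIOUS_WORDS:
        if word in lower:
            findings.append("control word " + word.decode())
    for i, blob in enumerate(extract_objdata_blobs(rtf)):
        if OLE_MAGIC in blob:
            findings.append(f"objdata[{i}] contains an OLE compound-file header")
        if MZ_MAGIC in blob:
            findings.append(f"objdata[{i}] contains an MZ executable marker")
    return {"embedded_object": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, doc in (("clean", SAMPLE_RTF_CLEAN),
                      ("with object", build_sample_with_object())):
        result = scan_rtf(doc)
        print(name, "->", result["embedded_object"], result["findings"])
```

A mail gateway can run this over RTF attachments and quarantine anything that reports embedded_object, regardless of whether the inner executable matches a known signature. The check is structural rather than signature-based, which is the point the experts make below: a new sample with the same delivery mechanism is caught without a database update.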
Security experts believe both e-mail attacks were perpetrated by the same team of scammers. However, the IRS version shows some issues not found in the BBB version.
For instance, there are some grammatical errors and the verbiage does not follow standard English as closely. Generally, the IRS version is a bit sloppier, Masiello explained.
"Maybe different people in the same group did the IRS attack. Maybe they used an online translation Web site," he said.
Two new instances of the e-mail scam began appearing over the last few weeks. One of these new attacks uses an address allegedly from the FTC. The other appeared in the second week of June as a generic message from random companies presenting an invoice for purchased services.
Both of these latest attack variations use the same Trojan embedded in the attached word-processing document.
"It is very customized by name, title and company details. It does not appear to be automated because of the amount of customization. So it probably isn't from a zombie," Dmitri Alperovitch, principal scientist for Secure Computing, told TechNewsWorld.
A zombie is an infected computer that spammers control remotely to send spam; a network of thousands of such machines, run from one place, is a botnet.
Both Masiello and Henry agree that the continuing e-mail attacks are being done by the same group of criminals.
The spammers are using an interesting attack methodology with refined targets. The e-mail is aimed at business executives earning US$130,000 or more per year, noted Henry. Those executives have a 50 percent or higher chance of getting the message.
"Victims earning less than $130,000 typically lost $1,500. Victims earning more typically lost $5,700, according to a report from Gartner Research," said Henry. "Anything in a lower salary range is just noise on the Internet to these scammers."
Security experts do not expect to see an end to this type of spam attack anytime soon because the spammers appear to be making big profits.
"I expect to see similar morphings as the phishing scam bounces around. The spammers are very effective in making the message look legitimate," said Alperovitch.
Hard to Prevent
Short of education, little can be done to detect these scams. As long as recipients of the messages continue to click on the attached files, the only thing left to save them from becoming victims is having up-to-date antivirus protection installed.
"Education is the weak link in the chain," cautioned Masiello.
Even most existing security technology is not effective in preventing the Trojan from infecting a computer to install the key logger malware.
"This will not be solved through user awareness training," Henry said.
The only real way to fight this type of attack is with behavior-based technology. What most security solutions offer is a negative security model that blocks recognized attacks. However, that is only as good as the last signature database update.
"This method is a failure now. We need real-time detection, not pegged to signature scans," Alperovitch said.
Two newer technologies that avoid the negative security model are reputation-based security methods, which rank the reliability of the sender, and DKIM, or DomainKeys Identified Mail. With DKIM, the sending domain signs each message with a private key and publishes the matching public key in DNS, so the receiving mail server can check that the message really came from that domain and was not altered in transit. Mail that carries no valid signature, whether sent by a bad guy or a botnet, can then be rejected or scored down by policy.
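The receiver-side check DKIM adds has two parts: the body hash (the bh= tag) ties the signature to the message body, and the b= tag is an RSA signature over the selected headers that is checked against the public key fetched from DNS. The code below is an added example, not code from the article or from any of the products mentioned in it, and it implements only the first part so that it runs offline: body canonicalization as specified in RFC 6376, the bh= comparison, and the policy outcome. The message it builds, the domain example.com, the selector name and the b=PLACEHOLDER value are constructed for the example; a real verifier would go on to fetch the selector's key and check b=.

```python
import base64
import hashlib
import re
from typing import Optional


def canonicalize_body(body: str, canon: str) -> bytes:
    """DKIM body canonicalization (RFC 6376 section 3.4), 'simple' or 'relaxed'."""
    lines = body.split("\r\n")
    if canon == "relaxed":
        # Collapse runs of whitespace to one space and strip trailing whitespace.
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    elif canon != "simple":
        raise ValueError("unknown body canonicalization: " + canon)
    # Both modes: drop trailing empty lines; the body ends in exactly one CRLF.
    while lines and lines[-1] == "":
        lines.pop()
    if lines:
        canonical = "\r\n".join(lines) + "\r\n"
    else:
        canonical = "\r\n" if canon == "simple" else ""   # empty-body rule
    return canonical.encode("utf-8")


def body_hash(body: str, canon: str = "relaxed", alg: str = "sha256") -> str:
    """Base64 hash of the canonicalized body, i.e. the value of the bh= tag."""
    digest = hashlib.new(alg, canonicalize_body(body, canon)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def get_header(head: str, name: str) -> Optional[str]:
    """Return the unfolded value of the first header called `name`, or None."""
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)
    for line in unfolded.split("\r\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


def check_body_hash(raw_message: str) -> dict:
    """Verify the bh= tag of a message; the b= signature check is out of scope here."""
    head, _, body = raw_message.partition("\r\n\r\n")
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return {"status": "none", "reason": "no DKIM-Signature header"}
    tags = parse_dkim_tags(sig)
    if "l" in tags:
        # l= signs only a prefix of the body; content appended after it is unsigned,
        # so a cautious verifier refuses rather than silently accepting it.
        return {"status": "permerror", "reason": "l= body length tag not supported"}
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    alg = tags.get("a", "rsa-sha256").split("-")[-1]
    actual = body_hash(body, body_canon, alg)
    if actual != tags.get("bh", ""):
        return {"status": "fail", "reason": "body hash mismatch: body altered or bh= forged"}
    return {"status": "bh-ok", "domain": tags.get("d"), "selector": tags.get("s")}


def build_sample_message(body: str, domain: str = "example.com",
                         selector: str = "sel2007") -> str:
    """Constructed signer side: a message whose bh= matches its body. The b= value
    is a placeholder because producing it needs the domain's private RSA key."""
    return ("From: notices@example.com\r\n"
            "To: executive@example.net\r\n"
            "Subject: Complaint notice\r\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector};\r\n"
            f"\th=from:to:subject; bh={body_hash(body, 'relaxed')};\r\n"
            "\tb=PLACEHOLDER\r\n"
            "\r\n" + body)


if __name__ == "__main__":
    original = build_sample_message("Please review the attached complaint.\r\n")
    tampered = original.replace("attached complaint", "attached invoice")
    print(check_body_hash(original)["status"])   # bh-ok
    print(check_body_hash(tampered)["status"])   # fail
```

A message from a botnet machine with no DKIM-Signature header comes back as "none", and a signed message whose body was changed after signing comes back as "fail"; what the receiver does with each result is a policy decision, not something DKIM decides on its own. A passing body hash on its own proves nothing about the sender: the b= signature against the public key from DNS is what ties the message to the domain.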