<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Wiz&apos;s Computer and Website Security Blog</title>
      <link>http://www.wizcrafts.net/blogs/</link>
      <description><![CDATA[Our blog deals with computer troubleshooting, vulnerability alerts, computer security, spyware &amp; virus removal tools, e-mail threats, anti-spam solutions and website security issues.]]></description>
      <language>en</language>
      <copyright>Copyright 2012</copyright>
      <lastBuildDate>Sun, 05 Feb 2012 23:42:45 -0500</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/?v=4.37</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

      
      <item>
         <title>Wiz&apos;s spam analysis for the week ending Feb 5, 2012</title>
<description><![CDATA[<p>After several weeks of overall decline, my percentage of email spam has again decreased, this time by 4%, for the week ending February 5, 2012, to about 25% of my incoming email. My actual amount of email received, good and bad, was lower than the previous week, by about 54 messages. 85 messages were classified as spam, which is 43 fewer than the previous week. </p>

<p>The types of spam have drastically shifted over the past few weeks. Last week and several weeks before, Casino spam led the pack by a long shot (pun). These are scams asking you to download a suspicious executable to play their crappy games and lose your money and bank card details. Apparently, these scams are being shut down and what remains is small potatoes compared to two weeks ago.</p>

<p>The new leader in junk email is (...drum roll...) Fake/Replica Watches. These knockoffs are sold on Russian domains and websites hosted on compromised computers. The spam affiliates are about to learn that their <a href="http://krebsonsecurity.com/2012/01/glavmed-sister-program-glavtorg-to-close/" rel="external">primary spam portal for counterfeit goods is closing</a>. Doh!</p>

<p>Interestingly, spam containing links to malware was way down, with just three email messages using URL shortener services to deliver payloads disguised as free tickets, vouchers and iPhones.</p>

<p><strong>The following is my analysis of spam for the week of January 30, through February 5, 2012. </strong></p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/02/wizs_spam_analysis_for_the_week_ending_feb_5_201.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/02/wizs_spam_analysis_for_the_week_ending_feb_5_201.html</guid>
         <category>Spam Issues</category>
         <pubDate>Sun, 05 Feb 2012 23:42:45 -0500</pubDate>
      </item>
      
      <item>
         <title>My spam analysis January 22 - 29, 2012</title>
         <description><![CDATA[<p>For the third week in a row, the percentage of spam to all of my accounts has dropped. This time it decreased by 9% from last week, which is a significant decline and might signal a trend (one can only hope).</p>

<p>My total email received this week is up by 81 from last week. But, the volume of spam only increased by 28 messages. I noticed a big increase (<em>pardon the pun</em>) in Male Enhancement pill scams and a slight increase in the amount of the phony "ClubVIP" Casino spam. </p>

<p>Happily, there was a significant drop in the number of spam messages containing links to malware. These scams typically pretend to be failed or pending ACH transaction notices from NACHA, or a bank. There have been some very significant arrests and naming of suspects who are behind many of the top botnets, including the KoobFace gang. Many of the persons named or arrested, or on the run, are Russian, Romanian and Ukrainian citizens who are responsible for installing banking Trojans onto victims' computers. My guess is that the remaining active bot masters are lying low right now, until the heat dies down.</p>

<p><strong>The following is my analysis of spam for the week of January 22, through 29, 2012. </strong></p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/01/my_spam_analysis_january_22_-_29_2012.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/01/my_spam_analysis_january_22_-_29_2012.html</guid>
         <category>Spam Issues</category>
         <pubDate>Sun, 29 Jan 2012 14:12:20 -0500</pubDate>
      </item>
      
      <item>
         <title>My spam analysis and threat assessment for 1/16-1/22, 2012</title>
         <description><![CDATA[<p>After surging around January 1, my level of spam has shown signs of decreasing. It has dropped 2% from last week, making spam 38% of my total incoming email, from January 16 through 22, 2012.</p>

<p>In addition to the percentage drop, there was also a large drop in the actual number of messages classified as spam. In fact, I saw about 50% fewer spam email messages this week as compared to the previous week.</p>

<p>The email threats this week were mostly BBB Fraud, with links to fake complaint reports, which redirected to malware servers. There were also several miscellaneous scams with fake query strings appended to .htm files. These links lead to compromised websites and redirected to the Russian Blackhole Exploit Kit. People with JavaScript enabled and outdated versions of the Java Virtual Machine installed would be exploited silently. Their PCs would become members of a botnet and begin spewing out spam and DDoS attacks. Some of these exploits also install bank account stealing Trojans.</p>

<p><strong>The following is my analysis of spam for the week of January 16, through 22, 2012. </strong></p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/01/my_spam_analysis_and_threat_assessment_for_116-1.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/01/my_spam_analysis_and_threat_assessment_for_116-1.html</guid>
         <category>Spam Issues</category>
         <pubDate>Sun, 22 Jan 2012 14:44:28 -0500</pubDate>
      </item>
      
      <item>
         <title>My spam analysis and spam filter updates, for Jan 9 - 16, 2012</title>
         <description><![CDATA[<p>I just compiled my personal spam statistics for the 2nd week of January, 2012 and found that spam accounted for about 40% of my incoming email. This is down 4% from the same period last year, but 1% higher than the previous week. </p>

<p>The leading category by a long shot was for the fake ClubVIP Casino. There is no website with such a name, just a bunch of various recently registered domain names that all point to fake casino pages. As was the case last week, these casino pages display an image that is wrapped in a hyperlink, which leads to the downloading of a suspicious executable. Once you install that file, you will part with a lot more money than if you shot craps at a real casino.</p>

<p>The second highest spam category was for fake (replica) watches, followed by counterfeit Cialis and Viagra. All other categories had smaller percentages, as outlined in my extended comments.</p>

<p>These spam statistics are derived from <a href="/mailwasher.html">MailWasher Pro</a>, which is a POP3 email screening program that runs on a Windows desktop. It intercepts all incoming email and analyzes it, based upon several factors, the most prominent of which are my own <a href="/mwp-filters.html">custom spam filters</a>.</p>

<p>Total incoming email from January 9 through 16 (4 PM EDT): 516<br />
Good mail: 308<br />
Classified as spam: 208<br />
Percentage rated spam: 40.3%</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/01/my_spam_analysis_and_spam_filter_updates_for_jan.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/01/my_spam_analysis_and_spam_filter_updates_for_jan.html</guid>
         <category>Spam Issues</category>
         <pubDate>Mon, 16 Jan 2012 15:23:56 -0500</pubDate>
      </item>
      
      <item>
         <title>Spam percentage continues to increase in 1st week of 2012</title>
         <description><![CDATA[<p>For the second week in a row, my email spam percentage has exceeded the amounts recorded during the last quarter of 2011. At 39% it is 7% higher than the same period last year. I will review the various percentages of spam by category, as obtained from my anti-spam program, <a href="/mailwasher.html">MailWasher Pro</a>.</p>

<p>For the last couple of weeks there has been a huge amount of spam for the ClubVIP Casino. The links in the email messages spamvertising this currently Romanian-based casino use various domain names, all of which redirect to a server running on the Russian Nginx software. When a victim is enticed to click on a link to this casino, rather than arriving at an actual online casino (<em>currently hosted at <a href="http://whois.domaintools.com/89.136.223.126" rel="external">89.136.223.126</a></em>), all they see is an image that is a clickable link to a suspicious file download, currently named SetupClubVIP.exe. This file hooks into the Windows Kernel file, Kernel32.dll, where it can do whatever evil it was designed to do. I tried to have it analyzed at VirusTotal, but the Romanian server is blocking their efforts to download that file.</p>

<p>I would advise anybody who asks my opinion to stay away from this type of scam. Do not download suspicious files to your computer to play any online games. Above all else, make sure you have the very latest and up-to-date <a href="/mbam">anti-malware program</a> installed, to protect your PC, just in case you slip up.</p>

<p><strong>Now, on to the percentages of spam by category, for the week ending January 8, 2012.</strong></p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/01/spam_percentage_continues_to_increase_in_1st_wee.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/01/spam_percentage_continues_to_increase_in_1st_wee.html</guid>
         <category>Spam Issues</category>
         <pubDate>Sun, 08 Jan 2012 14:20:56 -0500</pubDate>
      </item>
      
      <item>
         <title>My end of 2011 spam analysis</title>
<description><![CDATA[<p>Here it is, New Year's Day, 2012 and I have just analyzed my email statistics for the past 9 days. After being down for months, spam levels have returned to last year's level of 49%, from Dec 23, through Jan 1. Spammers have indeed ended 2011 with a bang!</p>

<p>After some reading from my security sources blogs, I have learned that most of this spam blast over the last week+ was spewed out by one of the few remaining big botnets: the Cutwail Botnet. This botnet, like most of the others already taken down this year, is based in Russia. The Russian Bot Master may have just been fingered by Brian Krebs, in his "<a href="http://krebsonsecurity.com/2012/01/pharma-wars-google-the-cutwail-botmaster/" rel="external">Pharma Wars</a>" article posted on Jan 1, 2012.</p>

<p>The top categories of products and services being spammed the most over the last 9 days were for casinos, male enhancement gimmicks and various illicit pharmaceuticals sold from fake Internet pharmacies.</p>

<p>Lesser categories of spam included replica watches, fake diplomas, Russian dating and bride scams, Nigerian 419 scams and a few malware links to Russian exploit kits. I even got some unreadable spam in the Russian language and character set iso-1251.</p>

<p>As for totals, from December 23, 2011, through January 1, 2012, of the 339 messages I received, 169 were classified as spam, equaling 49% of all email for that period. This is exactly the same percentage of spam from the same time period last year.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2012/01/my_end_of_2011_spam_analysis.html</link>
         <guid>http://www.wizcrafts.net/blogs/2012/01/my_end_of_2011_spam_analysis.html</guid>
         <category>Spam Issues</category>
         <pubDate>Mon, 02 Jan 2012 00:03:08 -0500</pubDate>
      </item>
      
      <item>
         <title>How to install MBAM and Trend Micro Internet Security on same PC</title>
<description><![CDATA[<p>This article is targeted at security-conscious people who have purchased Trend Micro security programs to protect their PCs and also want to keep an existing installation of Malwarebytes' Anti-Malware on those computers.</p>

<p>I am one of those people. I have a subscription for <a href="/tmis">Trend Micro Titanium Anti-Virus</a> and Malwarebytes' Anti-Malware (<a href="/mbam">MBAM</a>). I recently was notified that I was entitled to a free upgrade to version 2012 of Trend Micro, so I downloaded it from their website. Up to that point both programs were getting along just fine. Ah, but change awaited me.</p>

<p>The upgrade was a simple process that combines uninstalling the previous edition (2011) and installing the newer version (2012). After the uninstaller removes the previous version you are instructed to reboot. Here is where I encountered my first obstacle.</p>

<p><strong>Privileges</strong></p>

<p>I operate as a Windows 7 "Standard User" - which is similar to a Windows XP Pro Power User. That means I have more privileges than a "Limited User" - but less than an Administrator. I like it that way. This type of account reduces my chances of accidental exploitation to single digits (<em>see my articles about privileges, <a href="http://www.wizcrafts.net/blogs/2009/02/running_a_pc_with_reduced_user_privileges_stops_92_of_malware.html">here</a>, <a href="http://www.wizcrafts.net/blogs/2006/08/limited_user_privileges_protec.html">here</a> and <a href="http://www.wizcrafts.net/ans/privileges.html">here</a></em>). It means that in order to install security programs, or any program requiring access to operating system files, I must use the "Run As Administrator" right-click option when installing such programs.</p>

<p>I was working inside my Standard User account when I received the notice about the free upgrade to Trend Micro 2012, so I ran the installer using Run As Administrator. The first step was to uninstall my existing version (2011) of Trend Micro Titanium, then reboot. Everything went fine until I rebooted into my Standard User account.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2011/12/how_to_install_mbam_and_trend_micro_internet_sec.html</link>
         <guid>http://www.wizcrafts.net/blogs/2011/12/how_to_install_mbam_and_trend_micro_internet_sec.html</guid>
         <category>Technical Articles</category>
         <pubDate>Tue, 27 Dec 2011 23:18:18 -0500</pubDate>
      </item>
      
      <item>
         <title>Four Reasons to Monitor Internet Usage </title>
<description><![CDATA[<p><strong>Takeaway:</strong> <em>Do you know what your employees are doing online, on company time? How can their online activities impact not just productivity, but also your company's bank accounts? Are you or your admins monitoring your employees' online activities to find out what they are doing that could negatively impact your company?</em></p>

<p>As an administrator or a security professional, your job depends heavily on information. Both roles require you to stay on top of things and to know what is going on throughout your network, and there are several ways to gather the information you need to do that job effectively.</p>

<p><strong>By monitoring internet usage the following information can be ascertained:</strong></p>

<ol style="clear:left">
   <li><strong>Internet Usage:</strong> This may be stating the obvious, but information on internet usage is essential for an administrator or a security professional. With it you can find out:
   <ul>
      <li>How much time users spend browsing</li>
      <li>How much bandwidth is being consumed and for what</li>
      <li>Which sites people are visiting the most.</li>
   </ul>
   </li>
   <li><strong>Policy adherence:</strong> A good Internet usage monitor will give you reports on which internet usage policies users have tried to breach, how often they have attempted to breach them, and how many users have attempted to breach these policies. This information can then be used to identify the reasons for these attempted breaches. Is it because the policy is too strict and it stops people from doing their job? This analysis can help identify any changes required to make the policy less restrictive without compromising the underlying security reason for it. It could also be the case that people don't understand the reasons for a particular security policy, so this would be the perfect opportunity to educate your users. </li>
   <li><strong>Bandwidth:</strong> When you use an internet usage monitoring solution you can get a clear picture of which websites are eating up a lot of bandwidth and those users whose activity online is consuming excessive bandwidth. If your bandwidth is being used by employees who are streaming media that has no relevance to the business, you can proactively limit bandwidth use through quotas or by blocking certain sites altogether.</li>
   <li><strong>Threats:</strong> It's very important to know if and when users try to access malicious sites, because if a sudden increase is seen it can be an indication that someone is either targeting your organization or some other security mechanism has failed - for example the anti-spam solution is no longer catching phishing emails and users are clicking on links which they should not. This information can also potentially pinpoint troublesome employees. If you see a user trying to access sites that are infected with Trojans and other malware it should raise a red flag and you should investigate why that user is accessing those sites.</li>
</ol>
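<p>As an added example (not part of the original post, and not GFI's software), the following Python script derives those four views from a constructed proxy access log: bytes per user, the most visited hosts, requests the proxy refused under policy, and requests to known-malicious hosts, plus the per-hour spike check that the "Threats" item describes. The log layout, user names, hosts and the malicious-host list are all assumed for illustration; a real deployment would read the proxy's own log format and a maintained threat feed.</p>

```python
"""Internet-usage monitor over a constructed proxy log (added example)."""
from collections import Counter, defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed sample log in a hypothetical layout (not any real proxy's default):
# "epoch-seconds user client-ip status bytes url"
# A status of 403 means the proxy itself refused the request under a usage policy.
SAMPLE_LOG = """\
1323700000 alice 10.0.0.5 200 1520 http://intranet.example/home
1323700030 alice 10.0.0.5 200 93400 http://news.example/story/1
1323700100 bob 10.0.0.7 200 48000000 http://video.example/stream/42
1323700160 bob 10.0.0.7 200 52000000 http://video.example/stream/43
1323700200 carol 10.0.0.9 403 0 http://gambling.example/lobby
1323700230 carol 10.0.0.9 403 0 http://gambling.example/lobby
1323700260 dave 10.0.0.11 200 3100 http://malware-host.example/in.php
1323700300 dave 10.0.0.11 200 2900 http://malware-host.example/in.php?a=1
1323700330 dave 10.0.0.11 200 2950 http://malware-host.example/in.php?a=2
1323700340 alice 10.0.0.5 403 0 http://webmail.example/login
1323703700 dave 10.0.0.11 200 2800 http://malware-host.example/in.php?a=3
"""

# Assumed threat feed: hosts known to serve exploit kits or malware (not a real list).
MALICIOUS_HOSTS = {"malware-host.example"}


def parse_line(line):
    """Split one log line into a record (raises ValueError if malformed)."""
    ts, user, ip, status, nbytes, url = line.split(None, 5)
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": int(ts), "user": user, "ip": ip, "status": int(status),
            "bytes": int(nbytes), "host": host, "url": url}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize(records, malicious=MALICIOUS_HOSTS):
    """Usage, policy breaches, bandwidth and threats from one batch of records."""
    bytes_by_user = Counter()
    hits_by_host = Counter()
    breaches = Counter()             # (user, host) -> requests the proxy refused
    threat_hits = defaultdict(list)  # user -> URLs requested on malicious hosts
    for r in records:
        bytes_by_user[r["user"]] += r["bytes"]
        hits_by_host[r["host"]] += 1
        if r["status"] == 403:
            breaches[(r["user"], r["host"])] += 1
        if r["host"] in malicious:
            threat_hits[r["user"]].append(r["url"])
    return {
        "top_hosts": hits_by_host.most_common(3),
        "bytes_by_user": dict(bytes_by_user),
        "breaches": dict(breaches),
        "threat_hits": dict(threat_hits),
    }


def threat_counts_by_hour(records, malicious=MALICIOUS_HOSTS):
    """Requests to malicious hosts, bucketed per hour of epoch time."""
    buckets = Counter()
    for r in records:
        if r["host"] in malicious:
            buckets[r["ts"] // 3600] += 1
    return dict(buckets)


def spike_hours(buckets, factor=3):
    """Hours whose malicious-host count is at least `factor` times the median of
    the other hours: the sudden increase that points at a failed control (for
    example phishing mail getting past the spam filter) or a targeted campaign."""
    flagged = []
    for hour, count in buckets.items():
        others = [c for h, c in buckets.items() if h != hour]
        if others and count >= factor * median(others):
            flagged.append(hour)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, value in summarize(recs).items():
        print(key, value)
    print("spike hours:", spike_hours(threat_counts_by_hour(recs)))
```

<p>The spike test compares each hour against the median of the others rather than against a fixed number, so a site with a steady trickle of blocked malicious requests is not paged for normal noise; the factor of 3 is an assumption to tune against your own baseline.</p>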

<p>With a good internet usage monitoring solution you can keep an eye on what is happening within your organization enabling you to be proactive on issues that you would otherwise not be aware of.</p>

<blockquote><em>This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd and edited by Wiz Feinberg. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about why you need to <a href="http://www.gfi.com/internet-monitoring-software">monitor internet usage</a>.</em></blockquote> ]]></description>
         <link>http://www.wizcrafts.net/blogs/2011/12/four_reasons_to_monitor_internet_usage.html</link>
         <guid>http://www.wizcrafts.net/blogs/2011/12/four_reasons_to_monitor_internet_usage.html</guid>
         <category>General Topics</category>
         <pubDate>Mon, 19 Dec 2011 11:43:19 -0500</pubDate>
      </item>
      
      <item>
         <title>Spam and email threat analysis for the week ending Dec 18, 2011</title>
         <description><![CDATA[<p>This past week, I saw another consecutive 2% increase in my percentage of spam, vs legitimate email, bringing my spam percentage up to 26%. This week last year, my spam percentage was 47%. This year I am seeing just over half as much spam as in 2010.</p>

<p>As for email-borne malware threats, I received 11 messages leading to malware servers and none that carried malware in attached files. Of these malware threats, 7 spoofed NACHA and ACH pending bank transaction notices, 1 spoofed the BBB, 3 had fake query strings appended to files ending with a .htm extension. All of the above led to Russian crimeware exploit kits which use Java exploits to install either the Zeus or SpyEye banking Trojans, plus make those PCs members of spam botnets.</p>

<p>The balance of the incoming spam email was divided among the usual spam categories of pharmaceuticals, casinos, fake diplomas, replica watches, weight loss, and ridiculous Russian Bride dating scams, most of which had male names for the senders, but Russian female names in the message body (<em>like "Olga from Russia, Moscow"</em>). The grammar is absolutely horrible in those scams.</p>

<p><strong>Top Spam Categories for the week ending on December 18, 2011:</strong></p>

<p><em>These statistics were obtained from <a href="/mailwasher.html">MailWasher Pro</a>, an anti-spam program that goes between email servers and your desktop email client.</em></p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2011/12/spam_and_email_threat_analysis_for_the_week_endi_8.html</link>
         <guid>http://www.wizcrafts.net/blogs/2011/12/spam_and_email_threat_analysis_for_the_week_endi_8.html</guid>
         <category>Spam Issues</category>
         <pubDate>Sun, 18 Dec 2011 13:55:13 -0500</pubDate>
      </item>
      
      <item>
         <title>MailWasher spam filter for links to .htm files with huge query strings </title>
         <description><![CDATA[<p>For the past week, I have been seeing and reporting (to <a href="http://www.spamcop.net/">SpamCop</a>), scam email messages claiming to come from various financial agencies, or banks, with unusual links; all leading to malware servers. This is a continuation of the ACH, FDIC, etc., malware fraud that has been making the rounds for the past few months.</p>

<p>What's different about the links in these new scams is that they are HUGE! They all start out like any normal hyperlink, with a domain name and a particular file. But, appended to the end of the file name is a humongous "query string" (<em>query strings begin with a question mark</em>), containing multiple long groups of letters and numbers, separated by = signs. I have just analyzed one that has 214 alpha-numeric characters in the query string!</p>

<p><strong>But, like octopus ink, things aren't always as they appear to be!</strong></p>

<p>Being a Webmaster and web page writer, it didn't take me long to figure out that the file type that had the query string appended to it was not a valid active content file. Sure, it could possibly have been rigged to be such a file, like a php type, but these are not. They are Plain Jane simple html files, ending in the extension <u>.htm</u>. The .htm file type does not accept any query strings. If you append such a string of characters to it, the server will ignore them completely. All you see is the htm, or html file contents. </p>

<blockquote>All of the rigged links I have traced are placed on compromised websites hosted on Apache web servers. The standard configuration of Apache web servers does NOT parse .htm, or .html files for active content. They are treated as "static" or flat files. No matter what the characters are that follow the file name and extension, the Apache servers where these links are pointing will ignore the phony query strings. One caveat: "ignored" only means the query string has no effect on which file is served. The full URL, query string included, still reaches the server and is written to its access log, and any JavaScript in the page can read it from the browser's address, so the blob can double as a per-recipient tracking token or as input for the script the page loads.</blockquote>

<p>But, the .htm file type link in the scam emails is not where this story ends. The contents of each and every one I have analyzed contains a few simple lines of straight forward HTML code and an "iframe" (inline frame) - which imports a page hosted on a Russian website named csredret.ru (<em>or variation thereof</em>), containing a JavaScript array that leads to targeted attacks based on the brand of browser you are using and the installed plug-ins, especially <a href="http://www.wizcrafts.net/blogs/2011/12/java_updated_to_version_6_update_30_on_december.html">unpatched versions of Java</a>.</p>
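<p>The following Python detector, an added example that is not the author's MailWasher Pro filter, applies the rule described above to plain-text message bodies: flag any link whose path ends in .htm or .html (flat files on a stock Apache) and which carries a long query string made only of alphanumeric runs joined by "=" and "&amp;". The sample messages, domains, threshold of 64 characters and the file extension list are constructed for illustration.</p>

```python
"""Detector for links to static .htm/.html files carrying bogus query strings
(added example, not the author's MailWasher Pro filter)."""
import re
from urllib.parse import urlsplit

# Bare URLs in message text; a match stops at whitespace, quotes and parentheses.
URL_RE = re.compile(r"https?://[^\s\"'()]+", re.IGNORECASE)

# The scam query strings are runs of letters and digits joined by '=' and '&'.
BLOB_RE = re.compile(r"[A-Za-z0-9]+(?:[=&][A-Za-z0-9]*)*")

# File types a stock Apache serves as flat files, so a query string has no
# effect on what is returned (assumed list; extend for .txt, .jpg, ... if wanted).
STATIC_EXTENSIONS = (".htm", ".html")

# Constructed messages (not real spam samples). The first mimics the ACH scam
# shape; the other two carry ordinary links that must not be flagged.
SAMPLES = {
    "ach_scam": (
        "Your ACH transfer was rejected. Review the report at "
        "http://compromised-site.example/images/report.htm?id="
        + "0123456789abcdef" * 4 + "=" + "fedcba9876543210" * 4
        + "&s=" + "0a1b2c3d" * 6
        + " before the end of the day."
    ),
    "newsletter": "Read more at http://news.example/2011/12/story.html?utm_source=mail today.",
    "app_link": "Sign in: https://portal.example/account.php?session=abcd1234efgh5678ijkl",
}


def query_length(url):
    """Length of the query string of a URL (0 when there is none)."""
    return len(urlsplit(url).query)


def is_fake_query_link(url, min_query_len=64):
    """True for a .htm/.html path whose query string is long and made only of
    alphanumeric runs joined by '=' and '&'. Short tracking queries on static
    pages (utm_source=...) stay under the threshold, and dynamic pages (.php,
    .asp, ...) legitimately take queries and are not judged at all."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(STATIC_EXTENSIONS):
        return False
    query = parts.query
    if min_query_len > len(query):
        return False
    return BLOB_RE.fullmatch(query) is not None


def find_fake_query_links(text, min_query_len=64):
    """All URLs in `text` that look like fake-query-string scam links, each
    paired with the length of its query string."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")  # drop sentence punctuation glued to the link
        if is_fake_query_link(url, min_query_len):
            hits.append((url, query_length(url)))
    return hits


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, find_fake_query_links(body))
```

<p>Because the rule keys on the file extension, a scam that switches to a .php or .asp path slips past it; the length test alone, or a check that the query has no recognizable parameter names, is the next filter to layer on.</p>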

<p>After seeing another such scam email link tonight, I decided to write a spam filter to detect this type of link. I named the filter: "Fake Query String In Link." The filter is for the anti-spam program <a href="/mailwasher.html">MailWasher Pro</a>.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2011/12/mailwasher_spam_filter_for_links_to_htm_files_wi.html</link>
         <guid>http://www.wizcrafts.net/blogs/2011/12/mailwasher_spam_filter_for_links_to_htm_files_wi.html</guid>
         <category>Spam Issues</category>
         <pubDate>Wed, 14 Dec 2011 23:31:56 -0500</pubDate>
      </item>
      
      <item>
         <title>Java updated to version 6 update 30, on December 12, 2011</title>
         <description><![CDATA[<p>Oracle, the current keeper of Java software, has released a new version to fix stability problems in previous versions and improve performance (<a href="http://www.oracle.com/technetwork/java/javase/2col/6u30bugfixes-1394936.html" rel="external"><em>see bug fix page</em></a>). The new version's common name is Java 6 update 30. The official version number is actually 1.6.0_30-b12. If you have Java installed I recommend keeping it updated to the latest version, whenever Oracle releases one.</p>

<p>I often write about Java vulnerabilities being exploited by criminals who install exploit attack kits onto web servers under their control; mostly in the former Soviet Union. The number one exploit targets vulnerabilities in Java. In <a href="http://www.wizcrafts.net/blogs/2011/12/adobe_and_windows_critical_patches_coming_in_mid.html">my last blog article</a> I wrote a couple of paragraphs about how Java vulnerabilities are exploited to take over computers with no user interaction. </p>

<p>If you have Java installed on any of your PCs, it is important to check for updates and apply them as soon as possible. Windows PC users can check for updates by using the Control Panel Java applet's "Update" tab. On that tab there is a section where you can select automatic checking for updates on a schedule of your choice. Since Oracle doesn't seem to have any regular schedule for updating Java, I recommend setting the automatic checks to every day, at a time when the PC is turned on. The updater hides in the System Tray, by the clock, and only appears if there is an update available.</p>

<p>You can also check for Java updates manually, from the same Java applet icon in Control Panel. It is found on the Update tab page, as a button labeled Update Now. Use it to install the latest version, if you haven't already received notification by the auto-updater.</p>

<p>It is important that you uninstall all previous versions of Java, in order to protect your computers from exploits that target them by their default folder location. Use your Control Panel "Add/Remove Programs," or the Windows 7 "Programs and Features" icon, to get rid of all previous builds prior to the latest version. Reboot after you run all of the old Java uninstallers. Then, after you re-enter Windows, go to Start and click to open "(My) Computer" - then double-click on the C drive, then on Program Files, and look for the Java folder. Open it (double-click) and look for any leftover older Java version number folders and delete them manually. Keep in mind that the current version, as of 12/12/2011, is Java 6 Update 30 (version string 1.6.0_30).</p>
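<p>As an added example (not from the post, and not an Oracle tool), this Python snippet parses the three forms in which a Java version shows up during that clean-up: the official 1.6.0_30 string, the "Java(TM) 6 Update 30" name in Add/Remove Programs, and folder names under Program Files\Java such as jre1.6.0_26 or jre6. It then sorts a constructed inventory into what is up to date, what is stale and should go, and what needs a manual look. The inventory entries, folder names and display names are assumed for illustration.</p>

```python
"""Parse Java version strings as they appear in Add/Remove Programs, in
Program Files\\Java folder names and in the official version string, and sort
an inventory into up-to-date, stale and unknown (added example)."""
import re

CURRENT = (6, 30)  # Java 6 Update 30, official string 1.6.0_30, as of 12/12/2011

# Official form "1.MAJOR.0_UPDATE[-bBUILD]", also used in folders like jre1.6.0_26
_OFFICIAL_RE = re.compile(r"1\.(\d+)\.\d+_(\d+)")
# Marketing form: "Java(TM) 6 Update 30", "J2SE Runtime Environment 5.0 Update 22"
_UPDATE_RE = re.compile(r"(\d+)(?:\.0)?\s*update\s*(\d+)", re.IGNORECASE)
# Bare major only, e.g. the folders "jre6" / "jre7" used by newer installers
_MAJOR_RE = re.compile(r"(\d+)")

# Constructed inventory: registry DisplayName values and a Program Files\Java listing.
INSTALLED = [
    "Java(TM) 6 Update 30",
    "Java(TM) 6 Update 26",
    "J2SE Runtime Environment 5.0 Update 22",
]
JAVA_FOLDERS = ["jre6", "jre1.6.0_26", "jre1.6.0_30"]


def parse_java_version(text):
    """Return (major, update); update is None when the string carries no update
    number. Returns None if nothing resembling a version is present. The
    patterns are tried from most to least specific so that "J2SE ... 5.0
    Update 22" yields 5, not the 2 in "J2SE"."""
    m = _OFFICIAL_RE.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _UPDATE_RE.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _MAJOR_RE.search(text)
    if m:
        return int(m.group(1)), None
    return None


def classify(entries, current=CURRENT):
    """Split inventory entries into up_to_date (at or above `current`), stale
    (older: uninstall or delete the folder) and unknown (no update number:
    check the folder's bin\\java.exe version by hand before deleting)."""
    result = {"up_to_date": [], "stale": [], "unknown": []}
    for entry in entries:
        parsed = parse_java_version(entry)
        if parsed is None or parsed[1] is None:
            result["unknown"].append(entry)
        elif current > parsed:
            result["stale"].append(entry)
        else:
            result["up_to_date"].append(entry)
    return result


if __name__ == "__main__":
    for bucket, items in classify(INSTALLED + JAVA_FOLDERS).items():
        print(bucket, items)
```

<p>The "jre6" folder is the one the Java 6 installer itself uses for the current update, which is why a bare major version lands in the unknown bucket rather than being deleted blindly.</p>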

<p>You can also check to see <a href="http://www.java.com/en/download/installed.jsp" rel="external">if you have Java installed on this page on Java.com</a>. You can download the latest stable version of Java from <a href="http://www.java.com/">java.com</a>.</p>

<p>If your computers have Java installed (even an old insecure version), you can check to see if you have any insecure software installed, or are missing any Windows Updates, by using the <a href="http://secunia.com/vulnerability_scanning/online/" rel="external">Secunia Online Software Inspector</a>. It uses Java to scan your computer for out-dated software and browser plug-ins, including Java, and provides download links to get the latest versions of those programs or plug-ins. I recommend scanning from Secunia once a week, just to be sure you are fully patched!</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2011/12/java_updated_to_version_6_update_30_on_december.html</link>
         <guid>http://www.wizcrafts.net/blogs/2011/12/java_updated_to_version_6_update_30_on_december.html</guid>
         <category>Application Patches/Updates</category>
         <pubDate>Tue, 13 Dec 2011 01:13:11 -0500</pubDate>
      </item>
      
      <item>
         <title>Adobe and Windows critical patches coming in mid-December and January</title>
         <description><![CDATA[<p><strong>Adobe Systems</strong> has published <a href="http://www.adobe.com/support/security/advisories/apsa11-04.html" rel="external">an advisory</a> announcing that they will be releasing an "out-of-band" patch, sometime during the week starting on December 12, 2011, for their Acrobat and Reader programs for Windows, version 9.4.6. This is in response to cyber criminals exploiting a critical vulnerability discovered in the code used by those related programs.</p>

<p>The same vulnerability being exploited in Reader 9.4.6 also exists in the newer version 10.1.1 of Adobe Reader X and Acrobat X. However, those programs operate by default in protected mode, which nullifies the exploit vector being targeted in the ongoing attacks. Nonetheless, Adobe has scheduled a security update for these newer versions, to be released on January 10, 2012. That update will apply to all supported platforms of Adobe Reader.</p>

<p><strong>If you use the Foxit PDF reader</strong>, they have released a new version to respond to the same vulnerability as exists in Adobe's Reader (see Foxit security notice <a href="http://www.foxitsoftware.com/announcements/201112075166.html" rel="external">here</a>). You can download <a href="http://www.foxitsoftware.com/downloads" rel="external">the latest version (5.1.3) of Foxit</a> from their website.</p>

<p><strong>Microsoft is going to be releasing 14 patches on December 13, 2011</strong>. Be sure you check for these Windows Updates during the afternoon of this coming Patch Tuesday. You may or may not need all 14 patches, depending on your Windows operating system and installed Microsoft Office programs. If you use Windows XP, with SP 3, you are definitely going to get a lot of patches! If you haven't upgraded to SP 3, your PC is in extreme danger of takeover by numerous vulnerabilities that were patched, but require SP 3 to receive them.</p>

<p>Other software vulnerabilities being exploited in the wild this week include a <strong>critical flaw in Yahoo Messenger 11.5.0.152 and older</strong>. This happens to include the current version! The World waits with bated breath for Yahoo to respond with a patched update. The flaw allows hostile status update messages to be placed by hackers and criminals, with links to malware servers. The victims are unaware that their status message system is being used to trick other people on their Yahoo Messenger contact lists. </p>

<p>To protect themselves until a patch is released, Yahoo users should set their Yahoo Messenger to "ignore anyone who is not in your Yahoo! Contacts." That should keep you safe from being exploited by strangers, but you could still be tricked if one of your existing contacts gets hacked. Keep this in mind and check for updates regularly, via the Yahoo Messenger Help menu item.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2011/12/adobe_and_windows_critical_patches_coming_in_mid.html</link>
         <guid>http://www.wizcrafts.net/blogs/2011/12/adobe_and_windows_critical_patches_coming_in_mid.html</guid>
         <category>Application Patches/Updates</category>
         <pubDate>Sun, 11 Dec 2011 15:10:27 -0500</pubDate>
      </item>
      
      <item>
         <title>Spam and email threat analysis for the week ending Dec 11, 2011</title>
<description><![CDATA[<p>This past week, I had a 2% increase in my percentage of spam, vs legitimate email, bringing my spam percentage to 24%. This, coupled with the big decrease of last week, brings spam levels to the lowest this year. Much of this decline in spam has to do with the takedowns of several major spam botnets. It also has to do with spammers finding it more lucrative to use social networks to conduct their illicit business.</p>

<p>Overall, it was a quiet week, threat-wise. I only received 10 messages leading to malware servers and none that carried malware in attached files. Of these malware threats, 2 spoofed Bank Of America, 2 spoofed the BBB, 2 were fake contract links, 1 fake changelog, and 3 ACH or FDIC scams.</p>

<p>Although I didn't personally see any, I read that other security researchers and honeypots have captured spam email containing links to fake update notices for Adobe Acrobat and Reader and Adobe X Suite Advanced and fake "License keys" for Adobe InDesign. All of these led to the installation of Trojan Horse programs that steal banking credentials and force the infected machine to become part of a spam and attack botnet.</p>

<p>Please go directly to www.adobe.com (<em>type it into your browser's address bar</em>) to obtain any updates or licenses for Adobe products. Do not click on links in email messages. 99.99999% are fraudulent and lead to malware exploit kits. </p>

<p><strong>Top Spam Categories for the week ending on December 11, 2011:</strong></p>

<p><em>These statistics were obtained from <a href="/mailwasher.html">MailWasher Pro</a>, an anti spam program that goes between email servers and your desktop email client.</em></p>

<p>Interestingly, Turkish hosted online casinos were the top category of spam. I created some new rules for my <a href="/mwp-filters.html">MailWasher Pro spam filters</a> to detect and delete the new Casino Spam. There were 15 casino spam messages.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2011/12/spam_and_email_threat_analysis_for_the_week_endi_7.html</link>
         <guid>http://www.wizcrafts.net/blogs/2011/12/spam_and_email_threat_analysis_for_the_week_endi_7.html</guid>
         <category>Spam Issues</category>
         <pubDate>Sun, 11 Dec 2011 14:16:02 -0500</pubDate>
      </item>
      
      <item>
         <title>Access log &quot;Referer&quot; spam still happening through 2011</title>
         <description><![CDATA[<p><strong>Takeaway:</strong></p>

<p>I write about a lot of different types of spam, but one of the oldest, next to email and USENET, is spamming the "<em>REFERER</em>" field on a website's raw access logs. I have been seeing this form of spam for over a decade now.</p>

<p><strong>What is a raw access log?</strong></p>

<p>Websites are usually set up or configured to generate a text or graphical log of all visits to those sites (a.k.a. "hits"). These logs contain information that is useful to Webmasters of the websites. Graphical access logs use pie or column charts to show where the hits are coming from, who sent them to you, what details they were searching for and other useful facts about each request. A "raw access log" presents these details in plain text format, in space-separated groups.</p>

<p><strong>Why would anybody want to spam a website's raw access logs?</strong></p>

<p>Over a decade ago, spammers learned that some website owners, or free hosting companies, or individuals hosting their own web servers at home (usually against the T.O.S.) were actually publishing their raw access logs so that the owners could read them in a web browser, from anywhere they might be. Most of these published access logs are not password protected, meaning anybody anywhere can view them, if they know the location of those website log files. Since so many people do not understand website security at all, they leave configurations in a default state. This means that if their raw access logs are published, the folder location will be predictable, based upon the operating system of the web server. That web server is usually the Apache Web Server.</p>

<p>Thus, when spammers began seeing website raw access logs that were in default folder locations, on various web servers, they could read them in their browsers, as could anybody else in the World who reads that language. So, some enterprising S.O.B. came up with the brilliant idea of posting a request for some files on some websites, and they decided to include fake "referrer" details.</p>

<p><strong>What is the referrer field in an Access log?</strong></p>

<p>The referrer field is a section of an access log that tells the owner/maintainer of the website where each visitor came from, just before they came to your website. In other words, who referred them to you. This information is extremely valuable for learning who links to your web pages, or is writing about you, or has found your site by means of a search engine result.</p>

<p><strong>What do spammers do to referrer fields to turn them into spam?</strong></p>

<p>Instead of revealing the actual referring page location of the website that the visitor (human or machine) was visiting when they decided to come to yours, spammers use special web software programs to create whatever content they wish to present for the <em>referer</em> field. That special content usually takes the form of spammy links containing the names of illicit goods (illicit prescription drugs, counterfeit goods), or services (shady or illegal businesses).</p>

<p><strong>Did I just misspell "<em>referrer</em>" as "<em>referer</em>?"</strong></p>

<p>Nope. When the original Apache Web Server documentation was written, back in 1945, the scientists working on it <a href="http://en.wikipedia.org/wiki/HTTP_referrer">accidentally misspelled the word Referrer as <em>Referer</em></a>. This misspelling has stayed with us to this very day!</p>

<p><strong>Now, on to the rest of the details about Referer spam.</strong></p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2011/12/access_log_referer_spam_still_happening_through.html</link>
         <guid>http://www.wizcrafts.net/blogs/2011/12/access_log_referer_spam_still_happening_through.html</guid>
         <category>Domain/Website Issues</category>
         <pubDate>Wed, 07 Dec 2011 22:36:06 -0500</pubDate>
      </item>
      
      <item>
         <title>Spam and email threat analysis for the week ending Dec 4, 2011</title>
         <description><![CDATA[<p>This week I saw a drop in my overall volume of email, but the percentage of spam actually declined by 2%, to 22%.</p>

<p>First place went to spam for the ridiculous Russian Bride scams. Second place went to spam for fake-replica name brand watches. Third place remained firmly in the grasp of male enhancement scams. Every other typical spam category paled compared to these three.</p>

<p>The other categories of spam last week were covered by casinos, Cialis, fake diplomas, weight loss drugs, NACHA failed deposit fraud and money mule job scams. If you have been reading my blog you know that the NACHA emails are all fraudulent and are meant to infect your computers with a bank account stealing Trojan and to draft it into a spam botnet.</p>

<p>Most of the online exploit attacks that succeed, like the NACHA and ACH fraud, do so by means of exploit kits that seek to compromise vulnerable versions of the <a href="http://www.java.com/" rel="external">Java Virtual Machine</a>. Java is the #1 attack vector targeting users' web browsers. If you are using a non-current version of Java, or even have older versions in your Program Files directory, you are at great risk of being exploited. The exploits I refer to will place financial and auction account credential stealing Trojans on your computer, along with making it a zombie member of a spam botnet.</p>

<p>You can check to see if Java is installed on your Windows computers by going to Control Panel and looking for an icon named Java. If it is there, double-click it to open the control box, then click on the Update tab, then click the button to check for updates. Accept any updates to Java. Set the updater to automatically check every day, at a time when your PC is on. Next, use the Add/Remove Programs icon to look for older versions of Java and uninstall all but the newest version and build. Close and restart your browser to flush out any lingering outdated version of Java.</p>

<p>If you don't need Java, or don't know if you need it, uninstall it completely and close the number one attack vector used by the BlackHole Exploit Kit.</p>]]></description>
         <link>http://www.wizcrafts.net/blogs/2011/12/spam_and_email_threat_analysis_for_the_week_endi_6.html</link>
         <guid>http://www.wizcrafts.net/blogs/2011/12/spam_and_email_threat_analysis_for_the_week_endi_6.html</guid>
         <category>Spam Issues</category>
         <pubDate>Sun, 04 Dec 2011 16:51:15 -0500</pubDate>
      </item>
      
   </channel>
</rss>

