Posts tagged ‘MessageLabs’

MessageLabs Intelligence Report for Sept08

MessageLabs has released their Intelligence Report for September 2008. A press release summarizing the report is here. The full report is here.

Picasa Spam Redirect

The MessageLabs Intelligence report for August 2008 reports that spammers are using links to Flash/Shockwave files hosted on Picasa (a Google web album service). The Flash file then redirects the user to the spammer's site, so the link in the message points at a Google-owned host rather than at the spammer's own.

CBL List (partially) Blocks MessageLabs

Looks like the shoe is on the other foot. Last week I was chortling that MessageLabs was tarpitting Google in an automatic response to Gmail sending out so much spam. Now some of MessageLabs' IPs have been blocked by the CBL. Apparently that list is rather widely used: I've already seen rejections from Cox and Comcast, and CBL data is also used in Spamhaus and other aggregate blocklists.
MessageLabs has reported that they have worked with CBL to resolve the issue, and the latest CBL update has removed the block.

Tax Contract for $companyname

This morning MessageLabs blocked a suspicious message to a recipient in our finance department.
Subject: Re:tax contract for , INC
The message contained a Word document attachment named incomplete_contract.doc. The Word doc contained an embedded exe named MicrosoftWordhasencounteredanerrorandneedstoclose.Pleasedoubleclicktheicontoreloadmsword.exe, a filename chosen to read like an error dialog so that the recipient double-clicks it.
These are probably the same people who tried last week with subject lines like “Re : Tax Refund for %firstname% %lastname%” and a .scr attachment.
Going through my email I see a similar detection back in February, “Complaint Filled against , (Case id: #3DB0A4)”, again with a .scr attachment.

Looking at the online black market

SC Magazine has a whitepaper from MessageLabs titled The Online Shadow Economy – A Billion Dollar Market. It reports on the research of MessageLabs Senior Architect of Development Maksym Schipka into the online criminal underworld, particularly Russian websites and forums.
You can buy custom-written malware for as little as $250, with support available for an extra $25 a month to ensure your malware continues to evade detection. As others have also reported, malware writers test their products against anti-virus software before release to guarantee that existing signatures will not detect it. This is where MessageLabs has been so great: the combination of established antivirus scan engines and their own Skeptic engine, a heuristic scanner, prevents malicious email attachments from getting through.
Schipka's research suggests that malware authors can produce new, unique malware every 45 seconds in order to keep it undetected. Signature-based protections are not going to stand up to that.
If you do go to that link to read the research paper, be aware that SCMag will force you to register (I didn’t find a bugmenot account). Also they will email the password you input in clear text. SCMag, thanks for cleartexting my password. I almost forgot the password in the one second between registering and receiving the “welcome” email.

Google CAPTCHA breakage leads to increase in spam

The MessageLabs Intelligence report for February 2008 reports that “4.6% of all spam originates from the major web mail-based services and the proportion of spam from Google increased two-fold from 1.3% in January to 2.6% in February.”
They speculate that this increase in Google spam occurred because attackers recently broke Google's CAPTCHA. A CAPTCHA is used to prevent automated account registrations by spam bots; Yahoo's and Hotmail's CAPTCHAs had been broken previously.
Mail from the major webmail services (Google, Yahoo, and Hotmail) comes from legitimate servers and is DomainKeys-signed or covered by an SPF record. A spam filter can therefore act only on the content of the message, not on the reputation of the sender.
Spammers are in it for the money and they aren’t going to slow their attack. Webmail providers need to continue to work to be good Internet citizens and prevent their servers from being part of the problem.

BBB Spam Run

Watch out for more BBB phishing/exploits.
Today MessageLabs detected another Better Business Bureau attack targeted at two of our VPs.
Subject: “BBB Complaint Case # (Ref#)”
From: seatac@bbb.org
The message contained a PDF file with an embedded EXE.
We had one slip through to our CEO earlier this month that caused some panic. Fortunately the attacker was trying to use a redirect on the BBB website, and the redirect wasn't working anymore. If the user had been able to follow the link successfully, they would have been prompted to run a malicious ActiveX control supposedly from Adobe.

Mal/Dropper-L

We had a couple of viruses get past MessageLabs last night. That is not something I normally see. Both files were named lgame.zip and contained a single file, lgame.exe. The subject of the message was “Hot Pictures.” Sunbelt Software's analysis of this file is really good. You can view that online here.
The email messages were detected as a virus by the scanner on the mail server. It was detected as Mal/Dropper-L.
I plan to report this false negative to MessageLabs, but their support has been very unresponsive to similar incidents. Their script requires me to save the infected message in .msg format, zip it and mail it to them. Because my mail server antivirus quarantined the attachment, it would be very difficult to reconstruct the original message.
I submitted the file to VirusTotal. Here are their results (this is 7 hours after the files were originally sent).

File lgame.exe received on 08.13.2007 15:00:28 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.9.2 2007.08.13 -
AntiVir 7.4.0.60 2007.08.13 Worm/Ntech.D
Authentium 4.93.8 2007.08.11 -
Avast 4.7.1029.0 2007.08.13 Win32:Agent-JYG
AVG 7.5.0.476 2007.08.13 -
BitDefender 7.2 2007.08.13 DeepScan:Generic.PWS.Games.4.2D9F7732
CAT-QuickHeal 9.00 2007.08.13 -
ClamAV 0.91 2007.08.13 Trojan.Dropper-2099
DrWeb 4.33 2007.08.13 BackDoor.Bulknet
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5055 2007.08.13 Win32/Cutwail!generic
Ewido 4.0 2007.08.13 -
FileAdvisor 1 2007.08.13 -
Fortinet 2.91.0.0 2007.08.13 -
F-Prot 4.3.2.48 2007.08.10 -
F-Secure 6.70.13030.0 2007.08.13 Trojan-Downloader:W32/Agent.BRK
Ikarus T3.1.1.12 2007.08.13 Trojan-Downloader.Win32.Agent.brk
Kaspersky 4.0.2.24 2007.08.13 Trojan-Downloader.Win32.Agent.brk
McAfee 5095 2007.08.10 -
Microsoft 1.2704 2007.08.13 -
NOD32v2 2455 2007.08.13 a variant of Win32/TrojanDownloader.Agent.BRK
Norman 5.80.02 2007.08.13 -
Panda 9.0.0.4 2007.08.12 -
Prevx1 V2 2007.08.13 -
Rising 19.36.02.00 2007.08.13 -
Sophos 4.20.0 2007.08.12 Mal/Dropper-L
Sunbelt 2.2.907.0 2007.08.11 -
Symantec 10 2007.08.13 Trojan.Pandex
TheHacker 6.1.8.167 2007.08.13 -
VBA32 3.12.2.2 2007.08.11 -
VirusBuster 4.3.26:9 2007.08.12 -
Webwasher-Gateway 6.0.1 2007.08.13 Worm.Ntech.D
 
Additional information
File size: 20992 bytes
MD5: dfade0d9b21be4fd57dd6975d9fe7ccd
SHA1: 31786e2b62ce7b79c9bed6bd0cfd9c01b3ef67e6

update: MessageLabs did realize they had let this through and sent us a list of messages to delete. Unfortunately they sent it to the lead contact (who was on vacation) rather than sending to all of us. Fortunately we’d already caught those messages.
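The three lures described in the Tax Contract, BBB Spam Run and Mal/Dropper-L posts above share a pattern: an executable hidden behind a document-shaped wrapper (a .scr, a Word doc with an embedded exe, a PDF with an embedded EXE, a zip holding a single exe). The following Python is an added example of the cheap content heuristics a mail gateway can run before any signature engine; it is not code from this blog, from MessageLabs or from Sunbelt. The sample attachments are constructed in memory (a zip built with the standard library, a fake OLE2 file, a fake PDF, a fake PE header) so that it runs offline; the thresholds and extension lists are assumptions.

```python
"""Attachment triage heuristics for dropper lures (added example)."""
from __future__ import annotations

import io
import zipfile

EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DOC_EXTS = {"doc", "pdf", "xls", "txt", "jpg"}
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # OLE2 compound file (.doc)
OLE10NATIVE = "\x01Ole10Native".encode("utf-16-le")    # embedded "Package" stream name
PE_DOS_STUB = b"This program cannot be run in DOS mode"
LURE_NAME = ("MicrosoftWordhasencounteredanerrorandneedstoclose."
             "Pleasedoubleclicktheicontoreloadmsword.exe")


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like one of the lures above."""
    findings: list[str] = []
    ext = _ext(filename)
    parts = filename.lower().split(".")

    # 1. Directly executable attachment (the .scr "tax refund" lures).
    if ext in EXEC_EXTS:
        findings.append(f"executable extension .{ext}")

    # 2. Deceptive naming: a document-looking inner extension ("invoice.pdf.exe")
    #    or a name so long it reads like an error dialog.
    if ext in EXEC_EXTS and ((len(parts) > 2 and parts[-2] in DOC_EXTS) or len(filename) > 60):
        findings.append("deceptive executable filename")

    # 3. Archive whose members are executables (lgame.zip -> lgame.exe).
    if ext == "zip" and data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = [m for m in zf.namelist() if _ext(m) in EXEC_EXTS]
        if bad:
            findings.append(f"archive contains executables: {bad}")

    # 4. OLE2 document with an embedded "Package" object whose payload carries a
    #    PE DOS stub (incomplete_contract.doc). A raw byte scan suffices because
    #    CFB directory names and Ole10Native payloads are stored uncompressed.
    if data.startswith(CFB_MAGIC) and OLE10NATIVE in data and PE_DOS_STUB in data:
        findings.append("OLE document with embedded Ole10Native PE payload")

    # 5. PDF carrying an embedded file or a /Launch action (BBB lure).
    if data.startswith(b"%PDF"):
        for token in (b"/EmbeddedFile", b"/Launch"):
            if token in data:
                findings.append(f"PDF contains {token.decode()}")

    return findings


def _fake_pe() -> bytes:
    # Constructed bytes that look like a DOS/PE header; not a real program.
    return b"MZ" + b"\x90" * 60 + PE_DOS_STUB + b"\x00" * 32


def build_samples() -> dict[str, bytes]:
    """Constructed lookalikes of the attachments the posts describe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lgame.exe", _fake_pe())
    fake_doc = CFB_MAGIC + b"\x00" * 504 + OLE10NATIVE + b"\x00" * 8 + _fake_pe()
    fake_pdf = (b"%PDF-1.4\n1 0 obj << /Type /EmbeddedFile /Length 0 >> stream\n"
                + _fake_pe() + b"\nendstream endobj\n")
    clean_doc = CFB_MAGIC + b"\x00" * 1024
    return {
        "lgame.zip": buf.getvalue(),
        "incomplete_contract.doc": fake_doc,
        "complaint.pdf": fake_pdf,
        "quarterly_report.doc": clean_doc,
        LURE_NAME: _fake_pe(),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name[:40]:40} {triage(name, blob) or 'clean'}")
```

These checks are deliberately crude: they catch the wrapper, not the payload, which is exactly why they still fire when a freshly repacked sample has no signature yet. A real gateway would parse the OLE directory and the PDF object tree rather than scanning raw bytes, but the byte scan is a useful first pass and a quick way to confirm a false negative like lgame.zip before opening a support ticket.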

ISC Diary: Spam Storm affecting Canada

Today's SANS handler diary notes a spam storm is affecting the availability of mail servers at some companies in Canada.
It's always amusing to note spammer mistakes in formulating the email addresses. In this case it looks like they are using $firstname$randomword$lastname. That's not going to work very well. :) The sheer volume is causing some trouble, though.
The handler suggests that it is a best practice to reject email for bad addresses at your MTA, immediately after a bad RCPT TO. I agree that will prevent a whole lot of unnecessary mail processing. I am concerned, though, that in the absence of additional software this will assist the spammer with address harvesting. If the bad guy can determine that you only accept valid addresses, and you don't have a mechanism to kill directory harvesting attempts, they'll be able to brute force valid addresses. Companies like Postini (Google) and MessageLabs have this sort of feature. I don't know about other MTAs.
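The tension in the paragraph above is that an honest 550 at RCPT TO is both the cheapest way to shed a spam storm and a free oracle for a directory-harvest attack. The usual answer is a per-client counter: keep answering 550 for unknown users until one client has asked for too many of them in a short window, then tempfail everything from that client so the probes stop distinguishing valid from invalid addresses. The Python below is an added example of that logic, not code from the diary, from Postini or from MessageLabs; the recipient list, the thresholds and the SMTP transcript it replays are all constructed.

```python
"""Directory-harvest throttle in front of RCPT TO rejection (added example)."""
from collections import defaultdict, deque

DOMAIN = "example.com"
VALID_USERS = {"alice", "bob", "finance"}   # constructed stand-in for the recipient map


class HarvestThrottle:
    """Reject unknown recipients honestly until a client has asked for too
    many of them, then tempfail that client outright for a while."""

    def __init__(self, max_unknown=5, window=60.0, penalty=600.0):
        self.max_unknown = max_unknown        # unknown RCPTs tolerated per window
        self.window = window                  # seconds
        self.penalty = penalty                # seconds to tempfail the client
        self._unknown = defaultdict(deque)    # client ip -> times of unknown RCPTs
        self._blocked_until = {}

    def rcpt_to(self, ip, address, now):
        """Return the SMTP reply code for one RCPT TO from client `ip`."""
        if now < self._blocked_until.get(ip, 0.0):
            return 450        # blanket tempfail: reveals nothing about addresses
        local, _, domain = address.partition("@")
        if domain == DOMAIN and local in VALID_USERS:
            return 250
        q = self._unknown[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()       # forget probes outside the sliding window
        if len(q) > self.max_unknown:
            self._blocked_until[ip] = now + self.penalty
            q.clear()
            return 450        # the probe that tripped the limit is tempfailed too
        return 550            # honest "user unknown" while under the limit


def run(transcript, throttle=None):
    """Feed (seconds, client ip, recipient) tuples through one throttle."""
    throttle = throttle or HarvestThrottle()
    return [throttle.rcpt_to(ip, addr, t) for t, ip, addr in transcript]


# Constructed session log: a legitimate relay and a harvester guessing
# $firstname$randomword$lastname addresses, as the diary describes.
TRANSCRIPT = [
    (0.0, "198.51.100.2", "alice@example.com"),
    (1.0, "203.0.113.7", "johncloudsmith@example.com"),
    (1.1, "203.0.113.7", "johnriversmith@example.com"),
    (1.2, "203.0.113.7", "alice@example.com"),
    (1.3, "203.0.113.7", "maryoaksmith@example.com"),
    (1.4, "203.0.113.7", "marypinesmith@example.com"),
    (1.5, "203.0.113.7", "bobstonejones@example.com"),
    (1.6, "203.0.113.7", "bobhilljones@example.com"),
    (1.7, "203.0.113.7", "bob@example.com"),
    (5.0, "198.51.100.2", "nobody@example.com"),
    (700.0, "203.0.113.7", "bob@example.com"),
]

if __name__ == "__main__":
    for (t, ip, addr), code in zip(TRANSCRIPT, run(TRANSCRIPT)):
        print(f"{t:6.1f} {ip:14} RCPT TO:<{addr}> -> {code}")
```

Two things the replay makes visible. First, the harvester still learns that alice exists before the limit trips, so the window and threshold have to be tight relative to how fast a bot can probe; a lone typo from a real sender costs nothing. Second, a legitimate MTA that gets 450 simply queues and retries after the penalty, which is why the block is a tempfail rather than a 5xx. Postfix ships a simpler form of this idea in its smtpd_soft_error_limit, smtpd_hard_error_limit and smtpd_error_sleep_time settings, which slow down and then disconnect a client that accumulates errors in one session.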

FT reports MessageLabs is for sale

After hearing about Postini's sale to Google, I wrote earlier this week wondering if MessageLabs was also on the market.
A Friday article in the Financial Times reports that MessageLabs has been positioning itself to be bought. As Brightmail, FrontBridge and now Postini were purchased, it is hard for me to see whether MessageLabs is the odd man out or whether their value is greater now that other options have been removed. The article also states that if a sale is not completed, an IPO could be in the works (reminds me of the Sybari IPO, where Microsoft bought the company).
The article reports that likely buyers are McAfee, Trend Micro, IBM and HP.