George Bush and Microsoft Exploited by Spammers as Malicious Spam Surges to Record High

Rustock Botnet Now Generates 21.5 Percent of Global Spam, Making It the Second Highest Producing Botnet After Srizbi, According to Marshal's TRACE Team

ATLANTA, GA--(MARKET WIRE)--Jul 25, 2008 -- According to experts from Marshal's TRACE team, emails with exploitive headlines mentioning George Bush, Microsoft and Al Qaeda in their subject lines are part of a coordinated malicious spam campaign from criminals controlling the Rustock botnet.
The recent, large-scale campaign is designed to infect computers with malware and convert them into part of the Rustock botnet -- and it is succeeding, says Marshal. Over the last month, Rustock has grown to claim second place among the largest spam producing botnets behind the Srizbi botnet in first place. Rustock has increased its share of global spam volumes from 10 percent in mid-June to 21.5 percent last week, according to Marshal's TRACE statistics.

Malicious spam, which is designed to infect computers with malware rather than promoting a product, rose to an all-time high of almost 19 percent of spam last week. In June 2008, malware spam surged to its previous highest level of 10 percent, up from 3 percent where it had been steady since February 2008.

"This newest malicious spam campaign from Rustock stands out for two reasons," said Phil Hay, lead threat analyst for Marshal's TRACE Team. "First, it is a particularly good example of an arrangement of social engineering methods designed to get you to lower your guard and infect yourself -- it is easy to be taken in by it. Second, the scale of the campaign is significant. In terms of volume, this is one of the biggest malicious spam campaigns we have ever seen."

Rustock's latest campaign exhibits a broader trend where spammers hack into legitimate websites to host their malware. Numerous small businesses and private websites have been targeted in this campaign, including a badminton club in China and a hypnotherapist's site in the United States. Hijacking legitimate websites and using them to host malware makes the spammers harder to track and shut down, with less evidence linking the spammers to the malware.

There is a range of messages being sent as part of the campaign, each with a different news headline.
Examples include:

-- "Bush Down to 8 Friends on Myspace"
-- "Yahoo sold to Microsoft, record price"
-- "Al Qaeda Reports Declining Revenues in Fiscal '08"
-- "Martian Soil Fantastic for Growing Weed Says Nasa"
-- "Obama Is Anorexic Over-Exerciser"

"Some of the headlines are hard to take seriously and some of them are believably enticing," said Hay. "The Rustock spammers appear to be experimenting to see which types of headlines solicit the most hits from recipients. A common theme seems to be sensationalizing recent prominent events such as Microsoft's bid to acquire Yahoo. Celebrities like Pamela Anderson and Paris Hilton also feature as subjects."

The body of the messages contains more sensational headlines -- usually on a topic unrelated to the subject line -- and a URL link. The links typically end with '/viewmovie.html', '/stream.html' or '/r.html'. If a recipient clicks on one of these links, a webpage opens showing a fake web video attempting to load, and a popup window appears prompting the user to install a file called 'codecinst.exe'. The file is malware. If it is downloaded and installed, it fetches a fake Windows XP anti-virus program as well as the Rustock spambot itself. In addition to this threat, the webpage opened by the link also contains JavaScript components designed to exploit vulnerabilities in Internet Explorer and download the malware automatically.

"The spammers appear to realize that recipients are wary of the dangers of executable files in spam messages," said Hay. "They are trying to disguise the installation of the executable under a believable pretext. It is quite common today for people to receive news forwarded to them as links in email. It is also quite common for those links to be related to hosted web videos and for video players to require codec updates before they will work. Even for security conscious users it is easy to fall for this one and it appears that many have."
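The indicators the release quotes (links ending in '/viewmovie.html', '/stream.html' or '/r.html', and the 'codecinst.exe' lure) can be turned into a mail-triage rule that a gateway or analyst script applies to incoming messages. The following is an added example, not Marshal's or TRACE's code; the two sample messages are constructed, and because '/r.html' is a generic path the result is a triage signal to review, not a verdict.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Indicators quoted in the release: landing-page paths and the dropped file name.
LANDING_PATHS = ("/viewmovie.html", "/stream.html", "/r.html")
CODEC_LURE = re.compile(r"\bcodecinst\.exe\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def message_text(msg):
    """Concatenate all text/* parts, decoding each with its declared charset."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def extract_urls(text):
    """Return every http(s) URL in the text, trailing punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]

def matches_campaign(url):
    """True when the URL path (query ignored) ends with a campaign landing page."""
    return urlsplit(url).path.lower().endswith(LANDING_PATHS)

def triage(raw_message):
    """Flag one RFC 5322 message; returns the indicators found and a verdict."""
    msg = message_from_string(raw_message)
    text = message_text(msg)
    landing = [u for u in extract_urls(text) if matches_campaign(u)]
    codec = CODEC_LURE.search(text) is not None
    return {
        "subject": msg.get("Subject", ""),
        "landing_urls": landing,
        "codec_lure": codec,
        "suspicious": bool(landing) or codec,
    }

# Constructed samples (not real campaign messages): one lure in the style the
# release describes, one benign note whose link must not be flagged.
LURE = """From: news@example.invalid
Subject: Bush Down to 8 Friends on Myspace

Martian Soil Fantastic for Growing Weed Says Nasa - watch the clip:
http://badminton-club.example.invalid/news/viewmovie.html
"""
BENIGN = "Subject: Meeting notes\n\nSlides: https://intranet.example.invalid/notes-2008-07.html\n"
```

Run triage() over a mailbox export and review the flagged messages; the rule matches the suffixes as path endings, so a query string after '.html' does not defeat it.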
Rustock is not a name many people are familiar with, but it is well known within the security industry. Today it is one of the most established spambots. It has been operating in various forms for more than two years, is estimated to comprise over 150,000 infected PCs, and distributes close to 30 billion spam messages daily.

"Based on the way the volume of spam from Rustock has grown over the past month, it is reasonable to conclude that the criminals behind it have had great success infecting more PCs with this latest campaign," said Hay.

More information and examples of the offending message can be found on Marshal's TRACE Center website -- http://www.marshal.com/trace/traceitem.asp?article=719.

About the Marshal TRACE Team

TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats through the TRACE website at www.marshal.com/trace. TRACE services are provided as part of standard product maintenance that includes updates to Marshal's unique, proprietary anti-spam technology, SpamCensor. TRACE analyzes spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. It also provides "Zero Day" security protection against new email and virus exploits the day they emerge.

About Marshal

Marshal is a global leader in content security across multiple protocols, enabling organizations to secure their IT environment, protect against threats and comply with corporate governance needs. Marshal provides customers with a complete portfolio of policy-driven email and Internet solutions that integrate content filtering, compliance, secure messaging and archiving. Forty percent of the Global Fortune 500 companies use Marshal security solutions to secure their corporate messaging networks and Web access against internal abuse and external threats such as viruses, spam and malicious code. More than 7 million users in over 18,000 companies worldwide use Marshal solutions to protect their networks, employees, business assets and corporate reputation and to comply with corporate governance legislation requirements.

Marshal's Americas headquarters is in Atlanta, Georgia, with corporate headquarters in London (UK) and offices in Auckland (New Zealand), Houston (USA), Johannesburg (South Africa), Munich (Germany), Paris (France) and Sydney (Australia). More information is available at www.marshal.com.

Contact:

Media Contact:
Monica Shaw
Carabiner Communications
770-367-9534
mshaw@carabinerpr.com
Source: Marshal