ESET Threat Blog

Archive for the 'ESET Ireland' Category

Fake Conficker Alerts


Thursday, February 18th, 2010

Urban Schrott, IT Security & Cybercrime Analyst at ESET Ireland, reports that more e-mail pretending to be from Microsoft is circulating, "warning" computer users that "Conflicker" is again spreading rapidly.

ESET's ThreatSense engine identifies the malware as Win32/Kryptik.CLU trojan, and running it would result in further malware infections.

Here's an example Urban quotes of one of the spoofed emails, though there are many more:

Subject: Conflicker.B Infection Alert
Date: Thu, 18 Feb 2010 20:15:30 +0900

Dear Microsoft Customer,

Starting 12/11/2009 the “Conficker” worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

Figures at Virus Radar, a resource we maintain to track threats circulating as email attachments, indicate an infection ratio of 0.036% today, putting it a close second to Win32/Zafi.B.

While these aren't the sort of volumes we regarded as high in the early noughties, that's a substantial ratio these days, when email attachments are not a particularly common vector.

In fact, we don't particularly publicise Virus Radar any more, as it comprises a very small proportion of the entire threat-range, and can easily be misinterpreted. However on this occasion, it does suggest a pretty determined spam run.

Valentine Scams: Romancing the Stony-Hearted


Monday, February 8th, 2010

As we've seen so many times before, cybercriminals are not ashamed to exploit horrors like the Haiti earthquake or 9/11, so it would be naive to expect them not to make use of our warmer sentiments, too. My colleague Urban Schrott at ESET Ireland has just blogged a cautionary note on that very topic. 

I recently blogged at Mac Virus about an excellent blog by Dancho Danchev on “How the Koobface gang monetarizes Mac OS X” by compromising legitimate sites with a PHP backdoor shell in an attempt to direct OS X traffic to affiliate dating programmes.  

As I mentioned at the time, Dancho included a lot of detail on a range of scam dating sites that are currently active. Not surprisingly, we’re seeing somewhat related material (Russian bride scams, malware-populated domains with Valentine’s Day themes) at ESET.

Here are some domains Pierre-Marc has flagged that include malware-populated pages that seem to have Valentine's Day themes. (For obvious reasons, I haven't included the full pages.)

I'm also hearing about large quantities of Russian Bride spam: my colleague Urban Schrott in Ireland has mentioned sites like datemeet.ru and girlandboysex.ru. Journalist Larry Seltzer has also mentioned receiving lots of this stuff.

Checking my own spam traps, I found some of those fake eCards that Randy loves so much, a sprinkling of East European ladies wanting to get to know me, and an avalanche of Viagra spam. I wish I could tell you what my wife said about that, but this is a family blog.

By the way, quite a few of those fake eCards include bit.ly compressed URLs. You might want to watch out for those.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or http://twitter.com/ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/