Monday, October 11, 2010

What Spam is out there?

More than 90% of the world's email traffic is spam, or at least so they say. We don't see most of it, because it gets filtered by tools and services such as SpamAssassin, the Spamhaus blocklists, or Gmail itself. However, sometimes a message makes it to our inbox. Normal people just delete these messages (some of them actually fall for the scams they contain and buy the advertised stuff), but for security researchers it is also interesting to understand where these messages come from. Nowadays, most spam is sent by botnets. Infected computers all over the world receive orders from their command and control servers and start sending unwanted emails. Compared to traditional spam sent from dedicated servers, this approach makes blacklisting the sending IPs much harder, because the senders are many, spread across countless networks, and keep changing.
Currently, four botnets are responsible for the majority of worldwide spam: Rustock, Lethic, MegaD and Cutwail. Let's see what kind of spam these four botnets send out.
Rustock is supposedly the largest, or at least the most active, spamming botnet out there. Recent research shows that it is responsible for 39% of worldwide spam. This botnet is one of the most sophisticated when it comes to packaging its e-mails to avoid detection. For example, it always appends some random text fetched from Wikipedia to the end of the subject line, so that subjects differ from message to message. This botnet mainly sends out Viagra-related spam, with subject lines of the form "dear xys, get 80% off all prices". The body of the email usually contains a fake newsletter, with a link pointing to an online pharmacy. Below is an example of such an email.

Lethic is quite large too. This botnet has a fairly specific behavior when packaging its e-mails: it merges different words together, or it misspells common spam keywords to avoid detection. Lethic seems to be running three campaigns. The first one is a drug campaign. The subjects of the mails belonging to this campaign contain words such as QualityMedications, MaleEnhancement, WithoutPrescription. The second campaign run by Lethic is a replica watch one. The subjects of the mails in this case contain words such as Rep1caWatch and Bvlgari. The third campaign aims to sell proprietary software for cheap. Common keywords here are OemSoftwares and Adobe.
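Merged words and digit-for-letter substitutions like the ones above defeat filters that look for exact keywords, so a filter has to undo the obfuscation before matching. The following is an added example, not code from the original post or from any of the tools mentioned in it: it splits merged words, reverses common leetspeak substitutions, and fuzzy-matches the result against a lexicon built only from the keywords quoted above. The subject lines in SAMPLES are constructed in the style described, not real captures.

```python
import re

# Digit/symbol substitutions used to dodge keyword filters ("Rep1ca" for "replica").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Campaign lexicon built only from the keywords quoted in the post.
CAMPAIGNS = {
    "drugs": {"medications", "medication", "enhancement", "prescription", "viagra"},
    "watches": {"replica", "watch", "watches", "bvlgari"},
    "software": {"oem", "software", "softwares", "adobe"},
}

# Splits "QualityMedications" into ["Quality", "Medications"] and leaves "ABC" whole.
_CAMEL = re.compile(r"[A-Z]?[a-z0-9@$]+|[A-Z]+(?![a-z])")


def tokenize(subject):
    """Return (normalized tokens, obfuscation_seen) for a subject line."""
    tokens, obfuscated = [], False
    for chunk in re.findall(r"[A-Za-z0-9@$]+", subject):
        parts = _CAMEL.findall(chunk)
        if len(parts) > 1:
            obfuscated = True  # merged words such as QualityMedications
        for part in parts:
            norm = part.lower()
            # Only a letter/digit mix counts as leetspeak; "80" in "80% off" stays a number.
            if re.search(r"[A-Za-z]", part) and re.search(r"[0-9@$]", part):
                norm = part.translate(LEET).lower()
                obfuscated = True
            tokens.append(norm)
    return tokens, obfuscated


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def matches(token, keyword):
    """Exact match, or one edit away for keywords long enough to make that safe.

    "Rep1ca" normalizes to "replca" (the 1 stood for "li"), one edit from "replica".
    """
    allowed = 1 if len(keyword) >= 6 else 0
    return edit_distance(token, keyword) <= allowed


def classify(subject):
    """Map a subject to one of the campaigns, or None when the evidence is thin."""
    tokens, obfuscated = tokenize(subject)
    best, best_hits = None, 0
    for name, lexicon in CAMPAIGNS.items():
        hits = sum(1 for t in tokens if any(matches(t, kw) for kw in lexicon))
        if hits > best_hits:
            best, best_hits = name, hits
    # Two keyword hits, or one hit on a subject that itself shows obfuscation, is enough;
    # a single plain "watch" in a normal subject is not.
    if best_hits >= 2 or (best_hits == 1 and obfuscated):
        return best
    return None


# Constructed subject lines in the style described in the post (not real captures).
SAMPLES = [
    "Rep1caWatch Bvlgari - best prices",
    "QualityMedications WithoutPrescription",
    "OemSoftwares from Adobe",
    "MaleEnhancement",
    "Let's watch the game tonight",
    "meeting notes from monday",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {classify(s)}")
```

The obfuscation itself is used as evidence: a merged or leet-spelled keyword is enough on its own, while an unobfuscated keyword needs a second hit before the subject is attributed to a campaign. This is a first-pass heuristic for sorting captured spam, not a verdict; the lexicon would need to grow as the campaigns change their vocabulary.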
Cutwail is another large botnet. Like Lethic, it runs a cheap drugs / Viagra campaign, but this botnet seems to be focused on phishing scams. In our test setup we observed malware samples belonging to this botnet sending out fake Facebook friend requests, Amazon and UPS confirmation e-mails, and, more recently, LinkedIn-related e-mails. All these e-mails contain links to a fake login page, aiming to steal the victims' login credentials.
Below is an example of a phishing e-mail sent by cutwail.
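The tell in these messages is that the link text claims one site while the href points to another. As an added example (not the post's own code, and unrelated to the screenshot referred to above), the following parses an HTML e-mail body with the standard library and reports every anchor whose visible text looks like a URL but whose registered domain differs from the href's. The two e-mail bodies are constructed for the demo; example.net is a reserved documentation domain standing in for the phisher's host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None  # [href, text] of the anchor currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(tuple(self._open))
            self._open = None


def host_of(url):
    """Hostname of a URL; bare domains in link text ("www.facebook.com/...") are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    """Crude registered-domain guess (last two labels). Real code should use a public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


# Link text that itself reads like a URL or domain, i.e. makes a claim we can check.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def suspicious_links(html_body):
    """Return (claimed text, real href host) for anchors whose text and href disagree."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        text = text.strip()
        if not URL_LIKE.match(text):
            continue  # "Confirm your account" makes no checkable domain claim
        if registered_domain(host_of(text)) != registered_domain(host_of(href)):
            findings.append((text, host_of(href)))
    return findings


# Constructed e-mail bodies (not real captures). The first mimics a fake friend request.
SAMPLE_PHISH = """<html><body>
<p>You have a new friend request.</p>
<a href="http://account-verify.example.net/fb/login.php">http://www.facebook.com/n/?reqs.php</a>
</body></html>"""

SAMPLE_LEGIT = """<p>Your order has shipped.</p>
<a href="https://www.amazon.com/gp/css/order-history">https://www.amazon.com/gp/css/order-history</a>"""

if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, suspicious_links(body))
```

Anchors whose text is a plain phrase are skipped on purpose: they carry no domain claim to compare, and deciding whether such a link is legitimate needs a per-brand allowlist rather than a text/href comparison.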

The last large spamming botnet is MegaD. This botnet also sends out male-enhancement e-mails, but it is easy to tell apart from the others because of the odd subject lines its e-mails carry (Immense manhood without problems, Eldorado of ero-cures).