Flurry of malware this past week

Over the past week or so, I have seen a flurry of malware activity that has
been escalated to me.  Of course, the most famous of these is the “Here you
have” spam campaign, which contained a short message with a purported link to a
.pdf that was actually a link to a .scr.  This spam/malware campaign, though
brief, caused a lot of problems in the world of email.  At one point it was
responsible for 14% of all spam.

Yesterday, we had another problem with malware.  This particular problem was
a piece of malware that contained some JavaScript but was a zero-day virus.
However, the contents of the email text made the message look rather benign.  In
fact, it looked like a legitimate business message with an HTML attachment.
Here is the body text of the spam message (name of actual bank munged and

Today I was served a summons from BizyBank with regards to the 20th avenue
foreclosure.  Attached is a copy of the summons in its entirety and the first
page of the borrower final closing statement at the time the borrower received
$100K from TZLK Enterprises.

At the time of applying for the loan, I remember the borrower mentioned about
paying off my loan in a short period of time because they were also getting
financing from somewhere else. I believe when BizyBank’s loan was closed
(without our knowledge) the title company that handled their financing should
have paid us off so BizyBank would be in the first position.

In this case, the title company / closing agent for BizyBank made a mistake.
I believe that BizyBank is also insured by their closing agent, but at this time
I don’t know who this agent is.

BizyBank is summoning the wrong party.

You can see by looking at the text of this message that it doesn’t look like
spam.  It looks like a legitimate piece of communication.  We had spam rules
that caught this before the A/V vendors did, but again, it appeared to cause a
lot of havoc with some of our customers.  And now, today, the above malware
campaign has morphed yet again and we are seeing a few more escalations around
it (or at least I was notified of at least one).
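As an added example (not code from the original post, and not the spam rules the author's team used), here is a small Python triage script that turns the two lure patterns described above into checks: a link whose visible text promises a document (.pdf) but whose target is an executable such as .scr, and an HTML attachment that carries JavaScript. The sample message, the host name lure.example.test, the rule names and the extension lists are all constructed for this example.

```python
"""Added example: flag the two lure patterns described in the post.
The sample message, host names and rule names are constructed."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Extensions that Windows will execute; a link whose visible text promises a
# document should never resolve to one of these.  (Constructed list.)
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


class _LinkAndScriptParser(HTMLParser):
    """Collect (href, visible text) pairs for anchors and count <script> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self.script_tags = 0
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _path_ext(url: str) -> str:
    """Extension of the last path segment, ignoring query string and fragment."""
    path = re.split(r"[?#]", url, maxsplit=1)[0]
    name = path.rsplit("/", 1)[-1].lower()
    return name[name.rfind("."):] if "." in name else ""


def scan_html(html: str) -> list[str]:
    """Return rule hits for one HTML body or HTML attachment."""
    parser = _LinkAndScriptParser()
    parser.feed(html)
    hits = []
    if parser.script_tags:
        hits.append(f"html_contains_script:{parser.script_tags}")
    for href, text in parser.links:
        href_ext, text_ext = _path_ext(href), _path_ext(text)
        # "document.pdf" shown to the user, but the target ends in .scr
        if text_ext in DOCUMENT_EXTS and href_ext in EXECUTABLE_EXTS:
            hits.append(f"link_text_document_target_executable:{text_ext}->{href_ext}")
    return hits


def scan_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and return rule hits across all MIME parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or filename.endswith((".htm", ".html")):
            if part.get_content_disposition() == "attachment":
                hits.append(f"html_attachment:{filename}")
            content = part.get_content()
            if isinstance(content, bytes):  # non-text content type with .html name
                content = content.decode("utf-8", errors="replace")
            hits.extend(scan_html(content))
        elif filename.endswith(EXECUTABLE_EXTS):
            hits.append(f"executable_attachment:{filename}")
    return hits


def build_sample() -> bytes:
    """Constructed lure combining both patterns from the post; not a real sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "analyst@example.test"
    msg["Subject"] = "Here you have"
    msg.set_content("Hello:\nThis is The Document I told you about, you can find it here.")
    msg.add_alternative(
        '<p>This is The Document I told you about, you can find it '
        '<a href="http://lure.example.test/files/document.pdf.scr">document.pdf</a></p>',
        subtype="html",
    )
    summons = ('<html><body><p>Attached is a copy of the summons.</p>'
               '<script>window.location="http://lure.example.test/x";</script>'
               '</body></html>')
    msg.add_attachment(summons.encode(), maintype="text", subtype="html",
                       filename="summons.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample()):
        print(hit)
```

The checks are deliberately structural rather than signature-based: they do not care what the JavaScript does or which bank is named, so a rewording of the lure (the "morphing" the post mentions) does not change the verdict. In a gateway the hits would feed a score alongside the usual reputation and content rules rather than block on their own.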

What is interesting to me is that for most of my time in anti-spam, I have
remained somewhat insulated from malware and most of my familiarity with it
comes from doing academic research.  I hadn’t had a lot of escalations
surrounding it.  That is not to say that we never had them, they just weren’t
escalated to me the way they have been in the past two weeks.  At this point, I
am unclear if malware problems have always been like this (appearing frequently)
or if this is a new trend – malware outbreaks that hit hard and hit fast around
the Internet and do a lot of damage in a short period of time.  Obviously, that
has always been malware’s goal, but my query is regarding whether or not the
outbreaks haven’t become even more sinister (sent from a wider array of IPs and
in higher volumes in a shorter period of time).

