One of the main rules of IT security is to be very cautious when dealing with archived attachments in emails. “If you’re not sure, don’t open it!” It’s an easy rule to follow when the text in the message obviously has nothing to do with you.
When an experienced user reads about IT security problems at a bank where they don’t have an account, or about winning a lottery that they never bought a ticket for, then it’s usually immediately obvious that they are faced with yet another example of spam and there’s absolutely no reason to open the attached ZIP file. Cybercriminals will often resort to all types of social engineering to trick people into passing on their personal data and/or infecting their own computers. More often than not, they send messages that are made to look as though they come from well-known companies, which either offer rewards to those who fill out or run the attached files or even stoop to threats of all kinds against those who fail to do so. But less mundane approaches are also used.
Analysis
Blog
As we mentioned in a previous blog post, every time there is news of global interest, cybercriminals try to exploit that interest for their own malicious purposes. The death of Osama bin Laden was no exception – it was used in spam as well as black hat SEO.
We have detected two spam mailings capitalizing on the news of Bin Laden’s death, both of which were used to distribute malware.
One included a password-protected ZIP archive. The message subject was: “pictures of osama bin laden dead?”
What is strange about the mailing is that the text was taken from a standard spam message which is supposedly sent by a girl who wants to introduce herself to a man and is asking him to have a look at pictures of her that are attached.
Analysis
Blog
The wedding of Kate Middleton and Prince William is by far the most popular topic of conversation today. It’s virtually impossible to look at a newspaper or a blog without seeing some mention of the royal newlyweds. And now we are getting in on the act.
And it’s not because we here at Kaspersky Lab take a major interest in the private lives of the British royals. But spammers obviously do – take a look at the offer we received today:

Yes, fake Swiss watches and iPads are so passé – what you need is a replica of Kate Middleton’s engagement ring, originally given to Lady Diana by William’s father Prince Charles. The spammers claim you now have the chance to “own a piece of British royal history”. This royal family heirloom also comes complete with a “certificate of authenticity”.
Analysis
Blog
The revolutions spreading across the Arab world have grabbed the attention of people across the globe, including cybercriminals: so-called ‘Nigerian’ spam emails have recently appeared claiming to be from a variety of “relatives” of Gaddafi and Mubarak. There’s absolutely nothing new about the messages they send: the ‘Nigerians’ don’t always introduce themselves as the solicitor of some anonymous oil tycoon or a dying widow of an innocent civil servant who was murdered; increasingly, they are legally-appointed executors or relatives of well-known people who have suffered in one way or other at the hands of political opponents.
For instance, some time ago we received an email from an Olga Patarkatsiashvili who wrote in poor English asking for help in transferring the millions of the late Badri Patarkatsiashvili (a Georgian businessman and presidential candidate who died in 2008), emphasizing that she herself has been denied access to his funds. Following the wave of protests affecting Arab countries there has been a steady stream of Egyptian- and Libyan-themed ‘Nigerian’ spam.
A certain Barrister Alexander James Williams, who claims to be a representative of Hosni Mubarak, asks for help in transferring 29 million pounds. He claims that a UK resident is required to process the transaction, but the email was sent to a Russian resident who has an account with the Russian email service mail.ru.
Analysis
Blog
Head of Content Analysis and Research Darya Gudkova joins Ryan Naraine on this episode of Lab Matters to talk about the use of spam e-mails to launch malware attacks.
Analysis
Blog
As was predicted by many, email scams soliciting donations for Japan are appearing in users’ inboxes. We took a closer look at one of these messages and identified the following details:

Analysis
Blog
Here’s an unusual spam message that turned up today:

If it wasn’t for the official name at the top of the message, you could almost be forgiven for thinking it was just another real estate advert… “Fully furnished. Situated close to retail outlets. Excellent access to public transport and local schools. Contact US Department of Defense for more details…”
But on a more serious note, the aim of this mailing was most probably to check an address database. So, whatever you do, don’t reply to stuff like this. In any case, spammers often fake their return address so that all your emotional outpourings are unlikely to reach the right people. And if the spammers do use their real address, any response from you will confirm your account is active and you’ll end up getting much more unwanted mail.
Analysis
Blog
Since the beginning of August, our Japan office has seen 900+ mails of a certain kind in their spam traps.

We noticed two common patterns in all of the mail. First, the links in these spammed messages all point to compromised servers. Also, the file names of the redirectors are all dictionary words followed by two digits. The files redirect the users to online pharmacy sites and fake watch stores. Here is a screen capture of a directory hosted on one of these online sites:

You might wonder why this caught our attention. The answer is simple: about half of these files contained links to 'gumblar.x' servers.

The upper red link points to a pharmacy site, the lower one is a gumblar.x URL.
So basically an unsuspecting (and unprotected) user who clicks these links in their mail will experience a typical 'gumblar-attack' while browsing a pill catalog. The recent peak of such hybrid attacks may be a sign that the cybercriminal(s) who’ve been slowly but surely growing the Gumblar botnet worldwide, and who up until now have been keen to fly under the radar, are now starting to monetize it. The first test runs of mixed pharmacy/gumblar pages were actually identified by our experts as early as April 2010, when we noticed a few mails of this kind, with subjects like "Twitter 61-213".
On further investigation of the involved servers, it turned out that plenty of them have additional malicious code injected directly into their www root. We counted mostly gumblar.x but also some 'pegel.*' and other obfuscated code containing iframers or other redirectors.
Additionally, almost ALL of these domains contained a link to 'hxxp://nuttypiano.com/*.js' at the end of the file.

There are more than 300 different .js files in circulation on such servers; their content is obfuscated and similar to known 'pegel' threats. To make our researchers' task more difficult, the malicious code will only be sent once to the same IP address. However, we have managed to download several samples from the same locations and identified polymorphic-like structures.

These redirect to other :8080 locations, which in turn try to push more malware onto the victim's machine.
Here is a quick summary of such injected sites, sorted by country: #1 is the US, followed by FR, DE, TR and JP. Affected webmasters should consider changing their compromised FTP credentials, cleaning the machines which led to the leak, and investigating their server logs for more details.
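For webmasters checking their own sites, the two patterns described in this post can be turned into a web-root audit. The sketch below is an added example, not code from the original post: it flags files directly in the www root named as a word plus two digits, and pages with an external script reference appended after the closing `</html>` tag. The file extensions, the restriction to the root directory, the "after `</html>`" reading of "at the end of the file", and all host names and files in `demo()` are assumptions or constructed samples.

```python
import re
import tempfile
from pathlib import Path

# Post: redirector names are a dictionary word plus two digits.
# The .htm/.html/.php extensions are an assumption; the post names none.
REDIRECTOR = re.compile(r"^[a-z]+\d{2}\.(html?|php)$", re.I)
SCRIPT_HOST = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>:]+)", re.I)
PAGE_EXT = {".html", ".htm", ".php", ".js"}

def trailing_script_hosts(text, own_hosts):
    """Hosts of external scripts placed after the last </html> (or in the last 512 chars)."""
    cut = text.lower().rfind("</html>")
    tail = text[cut + 7:] if cut != -1 else text[-512:]
    return sorted({h.lower() for h in SCRIPT_HOST.findall(tail)} - set(own_hosts))

def audit_webroot(root, own_hosts):
    """Return (relative path, reason) pairs for files that match either pattern."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PAGE_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        # Assumption: only names directly in the www root are treated as suspicious.
        if path.parent == root and REDIRECTOR.match(path.name):
            findings.append((rel, "redirector-style name in www root"))
        text = path.read_text(encoding="utf-8", errors="replace")
        for host in trailing_script_hosts(text, own_hosts):
            findings.append((rel, "trailing script from " + host))
    return findings

def demo():
    """Build a constructed web root (not data from the post) and audit it."""
    page = "<html><body><script src='//static.shop.example/app.js'></script></body></html>"
    injected = "\n<script src=\"http://injected.example/k3.js\"></script>"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(page)
        (root / "about.html").write_text(page + injected)
        (root / "piano27.html").write_text("<meta http-equiv='refresh' content='0;url=#'>")
        (root / "blog").mkdir()
        (root / "blog" / "post12.html").write_text(page)
        return audit_webroot(root, {"static.shop.example"})

if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

Both checks are heuristics: a hit is a reason to compare the file against a known-good copy and the FTP logs, not proof of compromise.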
Analysis
Blog
In recent spam mails we have often noticed links to *.html files with random names. Another trend is that the cybercriminals do not even bother to register domains for their dirty deeds, but simply plant their malicious code on compromised hosts. "Simply?" one may ask, and sadly the answer seems to be "yes" based on our observations.
For example, we have collected some hundred mails of a certain type promoting online software shops - a small portion is shown in the animated gif image below.

All of the samples stick out by virtue of the fact that they contain colored text/links which point to compromised legitimate websites. The links also show that the locations of the files are directly on the root URLs and not in a subfolder of some vulnerable application as we usually see.
We can assume that the intruders have ‘write’ access, at least to the www root of the involved sites - a very worrying fact. We have also confirmed that in many cases not only were the abovementioned spam links stored on the victim’s servers, but additionally, malicious iframes or JavaScript snippets were injected into the main content of the sites.
Another sample reaching us today just confirms that the cybercriminals are not sparing with the domains they abuse, and indeed seem to have a pool of unknown quantity at their disposal. The capture below shows a spam mail where each of the 12 links in the mail body points to a unique site. All of these sites also contain malicious code in their root which we detect as 'Trojan-Clicker.JS.Agent.*'.

Please do not attempt to visit the links shown if you are not sure of what you are doing.
Analysis
Blog
At last! What every football fan has been dreaming of. The start of World Cup 2010!
Even if you hate football, you just can’t help but know it’s World Cup time again, and one thing’s for sure, spammers will be doubly aware of it. It’s not that long since our last post dedicated to football-related spam. The Nigerian letters proclaiming lottery wins that we wrote about then have continued unabated – we have received lots of other messages all stating that the recipient has won millions of dollars in a FIFA competition.
One day before it all kicked off, a different kind of mailing appeared with the subject ‘FIFA World Cup South Africa... bad news’. The body of the message tells you to find out more about some “scandal news” that is contained in the attachment.

As you can see, the attachment is an HTML file. We’ve already written much about spammers hijacking the hottest news stories for the exclusive purposes of distributing malware and adverts for Viagra – in this case it is the latter. The HTML file redirects users to a Canadian pharmaceutical site.
Analysis
Blog