by Dave Michmerhuizen & Luis Chapetti – Security Researchers
If you’re a malware spammer, the number one challenge you face is how to get people to open, read and follow links in your message.
To accomplish this, one of the driving emotions that spammers appeal to is curiosity. For years spammers have sent emails offering glimpses of gory accidents, scantily clad women and outrageous celebrity behavior – anything that might get you to drop your guard, suspend your critical thinking and click through some dodgy link in the hope of seeing some juicy nugget.
An excellent example of that fell into the Barracuda Labs spam traps recently. It claimed that President Obama is a homosexual and offered an incriminating picture that would prove it. Who wouldn’t be curious about that?
We actually hope most people wouldn’t be. The email is so obviously bogus you might think no one would click on the link. Well, in the interest of research, we did, and in our investigation we found that quite a few other people did as well.
Clicking on the link in the email and running the download is pretty anticlimactic. The download attempts to divert your attention by opening cute picture of a koala bear.
(click for larger image)
Behind the scenes it silently installs a copy of a commercially available keylogger known as Perfect Keylogger. This program monitors every program you run and every key stroke you enter. and stores them in a local file, like this example
(click for larger image)
Perfect Keylogger also captures screenshots periodically and stores them off to disk. Every so often it gathers together the captured data and sends them to a remote server using the File Transfer Protocol (FTP).
(click for larger image)
FTP sends traffic in the clear, so it was possible for us to get a listing of the server that receives the keylogger data.
(click for larger image)
Only a few days after the spam was first seen there are a large number of folders on the keylogger website, each representing a person who clicked on the initial link and ran the downloaded program. It appears that outrageous headlines spurs curiosity which is effective in getting people to click on links and install malware.
The lesson here is not to let that curiosity get the better of you, even if the email and link appear to come from some trusted source. If the content is designed to intrigue or titillate then there’s a good chance that the end result will be unpleasant.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.
Leave a reply
