« Model for a High Security Zone Verification | Main | Web site vulnerabilities »

Monday, 23 November 2009

Avoid malware threats: do what malware analysis would do

Gary Warner has published an intriguing article describing how the UAB Spam Data Mine finds new malware threats delivered by email.  Gary provides a step-by-step description of the automation implemented at UAB, using an example (this morning's Social Security version of Zeus). The procedure Gary outlines is very detailed, but not impossible for a human to repeat. In fact, I highly recommend studying it in the context of what any individual can do to reduce his own threat to falling victim of a malware download.

For example, the UAB spam analysis considers the Subject lines and Senders that arrive in 15 minute intervals and builds a picture over time of the prevalence of related themes or senders: in Gary's example, the repeated mention of "Social Security statement" in subject lines serves as a trigger. Related subject lines and senders are counted, and high counts trigger a more careful analysis. Can an individual follow this same sequence of actions and discern spam from safe email? Let's consider a real world example.

Last night, I received a stream of email from  "CVS Pharmacy". The subject lines, however, were "Weekend is near", "Busy or just absent?", and other random sentences that phishers use to attract attention to their phish email.  Looking at the message body, I see that the message is exactly the same, with each message containing a banner claiming "Delivery department work across the Globe."

At this point, the UAB spam analysis would visit hyperlinks in the suspicious message bodies and begin crawling for malicious executables buried amid the web pages.  DO NOT VISIT ANY LINKS. Rather, at this point, I - and you - should be saying, "Warning, Will Robinson! Mark or delete the message as spam".

Note that while humans are not automatons, we tend to respond automatically given repetitive tasks. Phishers and spammers rely on the fact that many email users haven't been programmed to respond in the manner that the UAB spam analysis automation responds. Now that you've seen how relatively simple a "spam aware" response can be, apply it!

Congratulations to Gary for providing a relatively straightforward and painless way for readers to improve their defenses against spamming and phishing awareness.

Posted at 11:23 AM in Anti-Malware and Anti-phishing |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories