Spread of fake Microsoft Outlook alerts highlights rising use of DIY malware kits

Email filtering company Red Condor has been intercepting an email phishing attack that’s spreading faked Outlook alerts at a phenomenal rate.

More on that below.

But first let’s take this to the 30,000-foot level. This Outlook ruse is most likely being conducted by attackers using a do-it-yourself malware kit with remarkable functionality, which anybody can buy right now for less than a grand.

Over the course of 2009, DIY malware kits proliferated to the point where anyone with $400 to $700 to spend can today buy amazingly powerful, versatile technology. A typical kit comes complete with everything needed to instantly launch a sophisticated phishing campaign and/or create a starter botnet of your very own.

“If you know how to download music or a movie online you have the necessary experience to download and begin using one of these DIY malware kits,” says Gunter Ollman, senior researcher at Damballa. “These tools have been dumbed down and made more useable, so anyone can set up and get going.”

These tool kits are truly turnkey. They come with phishing templates, banking Trojan and botnet management interfaces. And you can easily customize and upgrade with a wide array of plug-ins. You can choose to keep it simple: spread banking Trojans via phishing campaigns and Web site drive-by downloads. Or you can create your own botnet and rent it out for the spreading of spam and scareware.

The most popular kits at the moment are built around the ZeuS botnet management and banking Trojan tool created by hacker A-Z, who I wrote about in this investigative report. A-Z for all intents and purposes has lost control of the core intellectual property he created; his brainchild has been pirated many times over.

With ZeuS-based kits, like the one shown above, you typically get “all the components you need to remotely infect, control, manage and propagate” cyber infections and cyber attack campaigns, says Ollman.

Perfectly legal to develop malware kits

Part of the reason DIY kits have taken off in popularity is that developers are taking the stance that creating and selling DIY malware kits is perfectly legal. Kit development activity is taking off in Spain, Romania and North America, says Ollman.

It is illegal if you use a DIY kit to hack into computers you don’t own. The wider availability of tools has driven up the wider use of tools. Meanwhile, since there’s money to be made in spreading pharma spam and scareware promos, as well as in breaking into online accounts, demand for DIY kits is robust.

One measure of the escalating use of DIY malware kits comes from App River. The email security firm says it blocked emails carrying links to malware at the rate of 25 million per month early in 2009, but by November the rate had spiked to over 200 million per month.

Early in the year, DIY kit-generated emails flowed in a predictable pattern, coming from predictable groups and geographies, says Fred Touchette, App River senior researcher. By November, tainted emails were coming from hundreds of sources all over the globe, and the sophistication of the attacks began to vary: from crude text messages to somewhat sophisticated ruses with nice graphics.

“With the wider availability of these customizable malware kits that anyone can get a hold of and use, we’re seeing virus numbers really spike, coming from all different directions,” says Touchette.

The faked Outlook alert Red Condor began intercepting on Thursday is unique as to the frequency with which it is being blasted out across the Internet — and the efficiency with which it automatically customizes each message to improve the odds of fooling the recipient. The end game: trick the target into clicking on a link that will implant the banking Trojan.

“The attack has hit thousands of Red Condor’s customer domains,” says Red Condor researcher Brien Voorhees. “There doesn’t appear to be any discrimination. My personal domain was targeted and it looks like most of our other employees’ personal domains were hit as well.”

By noon Pacific time on Friday Red Condor had blocked well over a million of these messages, an indicator of a massive spam campaign, originating from a large botnet under control of the attackers.

“Certainly if you look at the volume of the attacks, it would be fair to attribute the spike to the readily available malware kits,” says Voorhees. “If you look at the types of attacks during the past year, it is clear that many are focused on taking advantage of the casual way that people use email and the Internet today, particularly when it comes to social media.”

Thus this latest Outlook attack is the most recent iteration of a distinctive type of phishing attack that took shape over the course of 2009. Earlier attacks used ruses referencing UPS shipping documents, IRS notices, Vonage account updates, H1N1 alerts and Facebook account updates to get recipients to click on a tainted Web link. Most often, the malicious link also turns the infected machine into a bot under control of the attacker.

“The fact that average Joes are now armed with automated malware distribution systems certainly raises an eyebrow, but probably should not surprise anyone,” says Voorhees.

Marc Rossi, Symantec’s manager of research and development, says established cyber gangs are probably also benefiting from heated competition to refine and market DIY malware kits. “It’s possible that the people creating and selling these kits may be the same groups already profiting from cybercrime, and they could see this as yet another revenue stream,” says Rossi. “The popularity of the kits likely comes from people seeing how much money someone like Albert Gonzales made through online crime.”

Observes Rossi: Newer cyber criminals using powerful DIY kits “may think that by only doing it on a smaller scale that they’re less likely to get caught. But it’s difficult to ascribe motivation.”
