In the last several weeks malicious spam has risen from around five percent to over 15 percent of all spam. These spam emails typically contain a link to a file hosted on a compromised website. This rise can be attributed to four of the leading botnets, in particular the Rustock botnet, which has been especially aggressive in spreading malware, as we have previously mentioned here and here. What is also interesting is that all four of these botnets are pushing the same rogue anti-virus program onto their victims’ machines.
Both Grum and Mega-D have previously focused on sending spam advertising pharmaceutical products. Now Mega-D is also sending the 'BBC NEWS' spam shown above, and Grum has devoted nearly all of its spamming capacity to delivering messages with links to the file video-anjelina.avi.exe.
In the above Rustock spam email, the link leads to a compromised website hosting the default.html page. The HTML filename changes often; we have seen r.html, live.html and watchit.html among others. Currently these pages show an image of a media player and ask the user to download the file flash_player_update.exe. The page also loads an IFrame which attempts to install the malware via browser exploits, so a visitor can be infected without clicking the download at all.
Srizbi is sending a number of different types of malicious spam. The email above links to the file index1.php on the compromised website shown below. The links on this site match subject lines seen in the spam, and all of them point to an exe file. Srizbi is also using a ‘pornotube’ themed website. Both of these sites look quite professional, which aids in the deception.
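The delivery pattern described in the three paragraphs above (a link to a compromised site that serves either a bare executable, a media-style double-extension executable, or one of a small set of landing pages) is easy to turn into a mail-filter check. The following is an added example written for this post, not code from the original article or from any of the botnet samples; the host example.invalid, the sample messages and the extension list beyond .exe are constructed assumptions, and the landing-page names are the ones the post reports.

```python
"""Flag spam links that match the malicious-spam delivery pattern described above.

Added example: the message corpus below is constructed, and example.invalid is a
reserved test domain, so nothing here contacts a real host.
"""
import re
from urllib.parse import urlparse

# Landing-page filenames named in the post; a real filter would refresh this list.
LANDING_PAGES = {"default.html", "r.html", "live.html", "watchit.html", "index1.php"}

# .exe is what the post reports; the other executable suffixes are an assumption.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".pif")

# Extensions commonly used as the "decoy" half of a double extension (assumed list).
DECOY_EXTENSIONS = {"avi", "mpg", "mpeg", "wmv", "mp4", "jpg", "gif", "pdf", "doc"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url):
    """Return the reasons a link looks like malicious-spam delivery (empty if none)."""
    reasons = []
    # Only the path matters; the query string is ignored so ?id=... tracking does not hide a hit.
    filename = urlparse(url).path.rsplit("/", 1)[-1].lower()

    if filename.endswith(EXECUTABLE_SUFFIXES):
        reasons.append("links directly to an executable")
        # video-anjelina.avi.exe style: a media/document extension in front of the real one.
        parts = filename.split(".")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append("double extension disguises executable as media/document")

    if filename in LANDING_PAGES:
        reasons.append("path matches known landing page " + filename)

    return reasons


def scan_message(subject, body):
    """Return a list of (url, reasons) for every suspicious link in one message."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,);")  # drop sentence punctuation that the regex swallowed
        reasons = classify_link(url)
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample corpus mirroring the three delivery styles in the post.
SAMPLE_MESSAGES = [
    ("BBC NEWS: breaking story",
     "Watch the report here: http://example.invalid/news/default.html"),
    ("hot video",
     "check this out http://example.invalid/video-anjelina.avi.exe."),
    ("Flash update required",
     "Your player is out of date, get http://example.invalid/watchit.html?id=42 now"),
    ("Monthly statement",
     "Your statement is at https://example.invalid/account/statement.pdf"),
]


def scan_corpus(messages=SAMPLE_MESSAGES):
    """Map each subject to its findings; messages with no suspicious links are omitted."""
    report = {}
    for subject, body in messages:
        findings = scan_message(subject, body)
        if findings:
            report[subject] = findings
    return report


if __name__ == "__main__":
    for subject, findings in scan_corpus().items():
        for url, reasons in findings:
            print(f"[{subject}] {url}: {'; '.join(reasons)}")
```

The check deliberately looks only at the last path component, so a link such as `.../watchit.html?id=42` still matches the landing-page list, and a double-extension name is reported separately from a plain `.exe` link because the former is the stronger signal that the sender is trying to disguise what the user will run.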
The objective of the malicious spam from all four of these botnets is to install the rogue antivirus program ‘Antivirus XP 2008’. Presumably the owners of these botnets get a commission on each install or purchase of this program, or else the Antivirus XP crew is renting these botnets in order to spread their software. We have also seen other types of malware being installed at the same time, such as spam bots, information stealers and proxy programs.