Spam in September 2010: ZeuS-Related Arrests and the Final Days of SpamIt

Users of the LinkedIn social network were the victims of one of the biggest spam attacks in September. The attack saw a host of messages being distributed with a link to ZeuS, a malicious program which has been the focus of many an antivirus company’s attention. The messages came in spurts at the end of the month and displayed headings such as “LinkedIn Update”, “LinkedIn Messages” and “LinkedIn Alert”. The body of the message informed recipients about two unread messages.

When a user clicked the link their computer was infected with one of the variations of the Trojan-Spy.Win32.Zbot (ZeuS) program. The link to the ‘private messages’ either led to automatically generated second-level domains in the .info zone or to hacked domains in the .com zone (in the latter case the links ended in 1.html).

The ZeuS theme continued with the arrests of several dozen Eastern Europeans by U.S. and British authorities. They were accused of using ZeuS to steal $70 million over the last eighteen months. The criminals had laundered the money using fake credit cards with credentials they had acquired with the help of ZeuS.

The arrests appear to have forced the other members of the criminal gang to lie low, at least in the USA and the UK, because there was a considerable decrease in the number of Zbot (ZeuS) detections by mail antivirus programs in the territory of these countries on September 30th, the day of the arrests. The other big event in September was the imminent closure of the vast criminal partner program SpamIt, notorious for its commitment to the Canadian Pharmacy Viagra brand.

“Our spam-related forecasts for October are, on the one hand, positive – the closure of SpamIt at the end of September will no doubt affect the amount of Viagra adverts. On the other hand, the end of the month was marked by a growth in emails containing malicious code, which means the spammers have already switched from advertising pharmaceuticals to spreading malware,” said Maria Namestnikova, Senior Spam Analyst at Kaspersky Lab.

The full version of the spam report for September 2010 is available at www.securelist.com/en.