Hey, you put your Trojan in my spam!

A Trojan in my spam? True. The most recent version of malicious code that we are seeing being delivered by spam is a Trojan in greeting card spam. Malicious code in spam has been around off and on for some time. We’ve even blogged about it in the past; here (from January 2007) and it appears that at least one more spammer thinks it is a novel tactic.

We’ve observed over 18 million of these spam messages in the past few days and have successfully blocked the ones we have seen. Each of the messages we’ve seen so far has a Hong Kong domain (.hk ) in the subject line. Messages containing this Trojan are easy to spot, carrying subject lines such as:

Subject: Mima sent you a .hk! Greeting
Subject: Martha sent you a ..hk! Greeting

The body of the message appears to be a greeting card and instructs the recipient to click the link to view the greeting card. Do not click the link, as it allows infection by the Trojan. Decidedly not a friendly greeting card.

In the words of the Ghost Busters, “We’ve got one…” We’ve got what?, I hear you ask. We now have an example of alleged SMS spam with some real statistics rather than the usual conjecture. We know SMS spam has been growing through the monitoring of such sites as Grumble Text [1 ] however we’ve never had true insight into the scale of a professional SMS spamming operation.

Well recently that changed - TelecomWeb broke the story [2 ] that,

“Verizon Wireless filed a lawsuit against Nev.-based I-VEST Global Corporation and various "John Does," alleging they sent unsolicited commercial electronic messages (wireless spam) to its customers.” and that “The lawsuit, filed in U.S. District Court in Trenton, N.J., alleges that, beginning in April, I-VEST attempted to send more than 12 million text messages to Verizon Wireless handsets, offering information about buying stocks or real estate. However, the carrier says spam filtering and network monitoring actions it took prevented the vast majority of "the messages from getting through to subscribers' handsets and resulted in fewer than 5,000 messages being delivered."

So this shows us that the attempt was of a reasonable size, and that the anti-spam and network monitoring tools in place allowed them to either automatically block or react in a timely fashion to block the spam run.

What about the court documents? Well the court documents are available on Pacer [3 ] and, while the first provides details of the complaint [4 ], both actually provide some examples of the SMS spam allegedly sent [4 ] [5 – Exhibit A ].

From reading the court documents, some interesting things emerge. The first is that in the first document, [4 ] point 27, Verizon mention that they had to develop and purchase systems in order to combat the defendant’s Spam operation. Point 28 describes the strain that the attack placed on the Verizon SMSC and associated infrastructure.

Anyway, a fascinating insight into the scale and the ramifications of SMS spam on operators.

A short note to thank Khoi Nguyen and Eric Chien of Symantec, for bringing the information to my attention and finding the court documents, respectively.

[1 ] http://www.grumbletext.co.uk/
[2 ] http://www.telecomweb.com/tnd/23581.html
[3 ] http://pacer.psc.uscourts.gov/
[4 ] Verizon1.pdf
[5 ] Verizon2.pdf

On multiple Windows Live Messenger accounts (formally MSN Messenger), we received the messages (don't visit the link!):

     Get surprise at http://www.messengerweb.info/ Unbelievable!

     Hey, http://www.messengerweb.info/ helps u find out who is your friend!

     U have deleted me! Look here http://www.messengerweb.info

Was this a new worm? Or a bot that was sending out IM spam? Turns out it is neither and instead much more like adware. The site being advertised states they can find out who may have removed you from their contact list. All the service requires is for you to "enter your MSN account and password and we will tell you who has left you out from their lives."

However, if you read the fine print, it states "By using this service the user allows Messenger-Tips to send intant messanges [sic ] to your online contacts and/or change temporarily the nickname in order to advertise free this service."

So, these messages aren't coming from a bot or a worm, but friends on your contact list who have given out their username and password to this service. The service then sends messages to everyone on their contact l ist.

As usual, we recommend that you do not give out your account details to third parties. If you provided your credentials to this site, we recommend you change your Live/MSN/Passport/Hotmail password here.

Update: We have received the following similar messages in Spanish:

     hola mira, en www.TeBloqueo.com puedes averiguar quien te tiene No Admitido en el Msn

Translation: Hi look, at www.TeBloqueo.com you can check who has you blocked in MSN

We haven't confirmed if this Spanish site is a copycat or related.