The actual campaign has evolved since it was first seen back in June. For example, the URL in the spam message changed to a bare IP address rather than a regular hostname. Many of these IP addresses appear to be compromised machines themselves, so not only are ‘bots’ being used to send out the spam, but infected machines are being used to serve the malware.
One of the many mechanisms we have for fighting malware, spam and web threats is a system called ADoM (automated download monitor). As the name suggests, it continually monitors websites seen in spam that may be hosting malware, and if/when the content changes (or appears) we download it and automatically analyse it. (It’s at this point I should provide a screenshot of a slick-looking graphical interface linked to Google Earth or similar, but our systems tend to be simply functional.)
We’ve created a number of rules that decide when to add a URL to the monitoring system. For these ecard spam campaigns, we monitor any URL seen in spam that uses a simple IP address and a number of other characteristics (I don’t want to give away too much to the bad guys). Whenever we match on these characteristics, the malware at that URL is automatically retrieved and scanned to ensure we still have detection. If the malware author has changed the payload significantly enough to evade detection, the sample is automatically flagged to an analyst so detection can be updated.
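To make the monitoring loop concrete, here is an added example (not ADoM’s own code) of the same idea in Python: pick out spam URLs whose host is a bare IP address, re-fetch each one, notice when the content hash changes, run a stand-in detection check, and flag anything that changed but is no longer detected. The `fetch` callable, the `SIGNATURES` marker and the sample spam text are all constructed for the example; the post’s other matching characteristics are deliberately not modelled.

```python
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Loose URL matcher; trailing punctuation from the spam text is trimmed below.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_bare_ip_url(url):
    """Rule from the post: the host part is a plain IP address, not a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def urls_to_monitor(spam_body):
    """Return the URLs in a spam body that meet the bare-IP rule."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(spam_body)
            if is_bare_ip_url(u.rstrip(".,;)"))]


# Constructed stand-in for the scanner's signature set (not a real signature).
SIGNATURES = {"ecard-marker": b"fake_ecard_marker"}


def detected(content):
    return any(sig in content for sig in SIGNATURES.values())


class DownloadMonitor:
    """Polls monitored URLs and flags changed, undetected payloads for an analyst."""

    def __init__(self, fetch):
        self.fetch = fetch      # callable: url -> bytes, or None if nothing is served
        self.seen = {}          # url -> sha256 of the last content retrieved
        self.flagged = []       # (url, sha256) pairs an analyst needs to look at

    def poll(self, url):
        content = self.fetch(url)
        if content is None:
            return "absent"
        digest = hashlib.sha256(content).hexdigest()
        if self.seen.get(url) == digest:
            return "unchanged"
        self.seen[url] = digest                  # new or changed payload
        if detected(content):
            return "changed-detected"
        self.flagged.append((url, digest))       # detection gap: escalate
        return "changed-undetected"
```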
The system also provides a report for the likes of me, to monitor how we are progressing. We have seen over 600 unique URLs on this system in the past few days, all of which we still detect with the latest update of JSEcard, so for the time being at least, we appear to be slightly ahead of the malware author.