Google redirected malware – two months later

A little over a month ago, we blogged about celebrity-themed malware campaign that was redirected through Google [1], [2]. Even though the spam campaign linking to the malware is now two months old, it is still going strong. Hence, it is worthwhile to look at how this campaign has evolved. Here is a graph showing the malware campaign as a percentage of total messages received during the last three weeks:

Spam volume of Google redirected malware

Just yesterday, the campaign reached a total of 2% of all detected spam. It seems that malware authors are having success with redirecting through Google to distribute their malware. Fortunately, we have been proactively detecting the message spams since the beginning of the campaign.

The malware authors did not rest on their laurels, however. They have changed both the look of the spam and the malware itself. At least three different variants of the emails were seen in the past day, as shown in the following three messages:

Google redirected malware spam v1

Google redirected malware spam v2

Google redirected malware spam v3

The first message looks very similar to the original messages seen in February [3]. The second message can be called the “bare-bones” version of the campaign. Lastly, the third version is themed to look like an embedded video player inside an email, much like those sent out by services like Youtube. Common to all three messages is the reliance on social engineering to trick the users. Readers who are curious about celebrity gossip (or their neighbor) may be tricked to click the link.

While the spam messages themselves are changing, the distributed malware have also been updated frequently. The first samples we received are proactively detected as Troj/Exchan-Gen. Recent samples are detected by the Troj/Exchan, Mal/TibsPk, and Mal/EncPk families of identities, as well as Troj/Bdoor-AJR. The malware authors are clearly experimenting with a lot of different methods to avoid detection.

Nevertheless, we’ll continue to monitor the situation to ensure the detection of this campaign regardless of what the malware authors try to do next.