Normally, Fridays are pretty quiet days in the labs; Russian spammers have left for the weekend, and we can get down to the work of cleaning up the fringe cases, improving detection systems in general, and proactively spotting trends and preemptively blocking the attack vectors that will be used in the following week's campaigns. The last thing we wanted to see late on a Friday afternoon was a new spam campaign. Surprisingly, some enterprising soul in Russia decided to release an update to their spam engine at 3:30 AM on a Saturday morning (4:30 PM on Friday for us). Unfortunately for the spammer, this meant it was the central focus of our attention, and we had just been reviewing spam trends - which made for a very short-lived spam campaign (for our customers), and revealed a bit about the spammers themselves.
Just as Dmitry Samosseiko's Partnerka paper was being presented at Virus Bulletin, here we were looking at what appears to be a staged update of a Partnerka affiliate's spam system -- the campaign was Russian in origin, sent via botnets, and included links pointing to redirect pages hosted on compromised websites.
For those who didn't follow the VB presentation, an interesting finding presented was that the most popular Partnerka products are:
- Online pharmacies selling generic versions of popular drugs
- Networks promoting 'scareware', a.k.a. 'rogue anti-virus' products
- Counterfeit luxury products such as fake Rolex watches
- Adult sites
- Dating services
- Affiliate traffic generated via IFRAME insertions.
After doing some digging, what did we discover? Similar spam campaigns being sent out pushing those exact same products. Having had our attention drawn to this fact by the spammers themselves, we began following an interesting trend over the ensuing weeks: high volume campaigns in these categories, all with the same identifiable pattern listed above, were being updated to evade spam filters in the exact same manner.
These spammers tend to use automated templating systems to generate "unique" spam and blast it out to all the email addresses they can get their hands on via their botnets of infected computers. The templates, of course, become easy to detect over time, so they have to update them, changing visible and hidden aspects of the messages to make them slip around their targets' spam filters.
The templates had previously been detected in text/html formats. Here is a sample of the changes they made:
- Friday, September 25: Spam linking to Adult sites (changed to multipart/alternative in a table)
- Thursday, Oct 01: Spam linking to Online Pharmacies (discount medicines) (changed to text/plain two-line with link)
- Friday, October 02: Spam linking to Online Pharmacies (Viagra) (changed to text/plain two-line with link)
- Monday, October 05: Spam linking to Online Pharmacies (Viagra) (changed to multipart/alternative in a table)
What about the other categories? They rarely make it on our radar, as the products they are pushing are so obvious that the messages get blocked by Sophos's products before a human being ever lays eyes on them.
As a result, detection and blocking of all campaigns by this group has become trivial for the time being, as we already know the changes they are making to their campaigns before they are made. It makes proactive blocking much easier. While I know it won't last, I have to thank whoever was responsible for considerately updating one of their campaigns during our Friday afternoon.