A massive attack this weekend has been inundating users with emails with subjects like “Wow, Cool Games” and the like. The content of the email messages contains only “Try http://xxx.xxx.xxx.xxx”, where the X’s are varying IP addresses. At one point our spam detection lab was seeing over 80 new and different IP addresses flying by each hour. The sites themselves look remarkably similar to the online games sites my children play every day, complete with pictures of Sonic the Hedgehog and other familiar game heroes. However, the “games” icons each link to a single executable file, designed to download some crimeware to the unsuspecting user’s computer.
The attack has much in common with last week’s NFL virus attack, in that they are relying on social engineering to convince users to voluntarily download the virus, thinking it is something useful or fun. The sites themselves are well-designed, look professional, and there is nothing obvious to tip off the user that it’s actually a malware site.
From our research, the IP addresses used to host the sites are dynamic, meaning that they are home computers that have been compromised and used to host these and who knows what else. The sites stay online for a matter of hours only, since spammers and virus writers are well aware that most filtering solutions will eventually block messages based on the IP address contained in the message content, but that the response time can be several hours to even days. Of course RPD (Recurrent Pattern Detection) blocks these types of messages almost immediately, based on identifying recurring patterns in the messages and their distribution patterns. OK, it’s a gratuitous plug for Commtouch technology – thanks for bearing with me.
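To make the filtering point concrete, here is an added example (my own illustration, not Commtouch code and not RPD itself): a tiny filter that matches the recurring body template the post describes (“Try” followed by a bare dotted-quad URL) rather than the IP address inside it, and a simulation of how a reactive IP blocklist with a fixed learning delay compares against it on a feed of constructed sample messages. The timestamps, subjects and bodies are made up, the IPs are from RFC 5737 documentation ranges, and the two-hour default blocklist delay is an assumed stand-in for the “hours to days” lag mentioned above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample feed: (received time, subject, body). These are not real
# captures; the IPs are RFC 5737 documentation addresses. Five messages follow
# the campaign shape described in the post, two are ordinary mail.
SAMPLE_MESSAGES = [
    ("2007-02-10 09:05", "Wow, Cool Games", "Try http://203.0.113.17"),
    ("2007-02-10 09:20", "Cool games!!!", "Try http://198.51.100.44"),
    ("2007-02-10 09:50", "Wow, Cool Games", "Try http://203.0.113.17"),
    ("2007-02-10 10:10", "Wow, Cool Games", "Try http://192.0.2.200"),
    ("2007-02-10 10:40", "Great games", "Try http://198.51.100.9/"),
    ("2007-02-10 10:45", "Meeting notes", "Hi all, notes are at http://intranet.example.com/notes"),
    ("2007-02-10 11:00", "Your invoice", "See http://203.0.113.17/invoice.pdf, thanks."),
]

# The recurring pattern: the whole body is "Try" plus a bare dotted-quad URL.
# Matching the template instead of the address means the filter does not care
# which compromised home PC is hosting the site this hour.
TEMPLATE = re.compile(
    r"^\s*try\s+https?://(\d{1,3}(?:\.\d{1,3}){3})/?\s*$", re.IGNORECASE
)


def template_ip(body):
    """Return the hosting IP if the body matches the campaign template, else None."""
    m = TEMPLATE.match(body)
    return m.group(1) if m else None


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def first_seen(messages):
    """Map each campaign IP to the time it was first observed in the feed."""
    seen = {}
    for ts, _subject, body in sorted(messages, key=lambda m: m[0]):
        ip = template_ip(body)
        if ip and ip not in seen:
            seen[ip] = _parse(ts)
    return seen


def new_ips_per_hour(messages):
    """Count previously unseen campaign IPs per hour: the churn an IP list must chase."""
    counts = defaultdict(int)
    for when in first_seen(messages).values():
        counts[when.strftime("%Y-%m-%d %H:00")] += 1
    return dict(counts)


def compare_filters(messages, blocklist_delay_minutes=120):
    """Simulate two filters over the feed and return
    (blocked_by_ip_list, blocked_by_template, campaign_messages).

    The IP list is reactive: it only blocks a message whose IP was first seen
    at least `blocklist_delay_minutes` earlier (assumed learning lag).
    The template filter blocks every message matching the recurring pattern.
    """
    seen = first_seen(messages)
    ip_hits = tpl_hits = campaign = 0
    for ts, _subject, body in messages:
        ip = template_ip(body)
        if ip is None:
            continue  # ordinary mail: neither filter acts on it
        campaign += 1
        tpl_hits += 1
        age_minutes = (_parse(ts) - seen[ip]).total_seconds() / 60
        if age_minutes >= blocklist_delay_minutes:
            ip_hits += 1
    return ip_hits, tpl_hits, campaign


if __name__ == "__main__":
    print("new campaign IPs per hour:", new_ips_per_hour(SAMPLE_MESSAGES))
    for delay in (30, 120):
        ip_hits, tpl_hits, total = compare_filters(SAMPLE_MESSAGES, delay)
        print(f"delay {delay} min: IP list blocked {ip_hits}/{total}, "
              f"template blocked {tpl_hits}/{total}")
```

On the sample feed the template filter stops every campaign message, while the IP list catches a message only when the same address is reused after the list has learned it; with a two-hour lag that never happens here, which is the mechanism behind the hour-long site lifetimes. The invoice message that merely contains an IP-based link is left alone, so matching the full template is also less prone to over-blocking than flagging any bare-IP URL.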