Jul 8, 2011
EdgeWave Inc. (OTCBB/OTCQB: EWVE), a leader in Secure Content Management (SCM) solutions, has flagged an interesting virus campaign exploiting the Internal Revenue Service (IRS). The messages come with subjects such as “The IRS 2011 Summer Forums” and “The Internal Revenue Service 2011 Summer Forums Invitation,” among other similar variants.
The body of the message starts with the salutation “Exclusively for [targeted individual],” with the recipient’s full name in place of the bracketed text. The message goes on to describe the tax forums, which seems like something only tax practitioners would be even remotely interested in. The IRS does in fact host such events, and a quick look confirms that the IRS is aware of the malicious campaign. This kind of targeted attack is called spear phishing, and it continues to be one of the most significant threats on the web today.
Attached to this message is a specially crafted Microsoft Word document which contains an Adobe Flash-based exploit. To the victim, the document would appear blank, or it might crash the program. Either way, opening the document (named application_form.doc) would initiate the attack against the user’s system. This would result in code being executed which would then download other malicious software to be executed on the now compromised system. That malware is typically associated with rootkits, which give attackers a backdoor into the system. This allows a remote attacker to monitor keystrokes, search the hard drive and even piggyback on encrypted sessions with online banking systems.
The vulnerability is tracked as CVE-2011-0611, which Adobe rates as “Critical.” It was initially discovered back in April of this year, circulating in the wild as a zero-day exploit, and was also implicated in some of the high-profile targeted attacks earlier this year.
At the time of our detection, the malicious .doc was recognized by only two of the 43 antivirus engines at VirusTotal. As of the time of this writing, nearly 24 hours later, detection remains low, with a paltry five engines, or not quite 12%, detecting the malware.
“The general trend in spam has shifted from a vehicle for advertising dubious products and services to one of being a vector used to target specific individuals as part of a larger, concerted attack,” said Cameron Schmauch, Security Software Engineer at EdgeWave. “Protecting against these threats is nontrivial and there are vast differences among security providers in their ability to protect their clients from Advanced Persistent Threats (APTs) and spear phishing attacks. These kinds of spam campaigns serve as a sobering reminder that not all solutions are up to the task of contemporary email-borne threats.”
This campaign is a continuation of a string of Advanced Persistent Threats which security researchers are coming to know as the new face of spam. Over the past year spam has taken a turn towards low-volume, more specific targeting and innocuous-seeming, or downright misleading, content. A single click could end up granting cybercriminals potentially thousands of miles away access to the machine, and with it the privileged access that machine enjoys in a larger network context. Spam volume may be down, but the threats are more sophisticated and dangerous than ever.
Visit EdgeWave’s Security blog for more details on this campaign. Screen captures and images of the campaign are available upon request.
About EdgeWave, Inc.
EdgeWave Delivers the World's Safest Inboxes™ by eliminating email-borne security risks from targeted, socially engineered attacks. Our multi-layered Email Security Platform provides unparalleled predelivery protection, postdelivery detection and incident response to secure inboxes from today's proliferating messaging threats like ransomware, spear phishing, business email compromise and more. Headquartered in San Diego, CA, EdgeWave has more than 2,500 customers and over 3.5 million protected users worldwide.