Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« Beijing Olympics Scams Ramping Up | Main | IRS Refund Scam: Old Wine, Old Bottle »

February 18, 2008

Lots of Undetected Malware Attachments Floating Around

For about the past ten days, I've been receiving numerous messages with From: fields identifying the sender as coming from my domain, and content bearing password-protected .zip files. Unfortunately, most of the big-name antivirus products don't appear to be identifying these attachments as being evil. The sender is trying various social engineering tricks to get recipients to open the attachments. The tricks aren't anything new, but they bear repeating, especially for those who don't normally get this kind of stuff. Here are my observations.

First, the From: fields all have an address bearing @dannyg.com, signifying to me that the program used to send this garbage automatically plugs the recipient's domain into the forged From: field. Account names used with the sender's supposed address are names such as info, mail, service, news, and admin. I try to put myself in the shoes of an employee at a small company with its own domain. How would I react to receiving a message claiming to be from service, mail, or admin @ my company's domain? The sender hopes I'll feel comfortable believing that the message is coming from inside my own world.

[Examination of the message's header, of course, reveals that the message originated from anywhere but inside the recipient's email system.]

At this point, the recipient's guard may be reduced a bit. How about the Subject: lines? Here are some that I've seen:

  • Account Error ID#5203
  • You've received an E-Card from a dear friend.
  • Your Membership Details!
  • Free one year trial
  • Visa and Mastercard and Amex news
  • Sorry your account has been suspended

To a trained eye, these lines are immediately bogus. But to the casual email user, a few of these are really eye-catching—especially because they have the "stamp" of being "from" his or her own domain. There's no doubt about it: a goodly number of these messages will be opened.

What's inside these messages?

All of them include instructions like this:

Please use the following password to read the attachment
Password: 2960

[In the more than half-dozen samples I've seen, the so-called password numbers are all different. Frankly, I don't even know if the password is required to open file successfully because I won't try it on a Windows machine here. The file doesn't open at all on a Mac.]

Several messages I've seen have additional verbiage that makes you wanna open that attachment:

  • The message cannot be represented in plain text because it contains personal and sensitive data, so the message has been attached.
  • The message has been sent as a secure passworded attachment.
  • Partial message is available as a secure passworded attachment.
  • Again, put yourself in the shoes of a reluctant email user at a small company. A message arrives claiming to be from "admin" within your company's domain; the Subject: says that your account has been suspended; the message body says that the message can't be shown because it has personal and sensitive data, requiring you to open it via a password. You're already terrified by (or disgusted with) the IT department (that must be where "admin" is, right?), so you open the attachment.

    And here's where the pain really begins.

    I've run a few of the attachments through VirusTotal as they arrived. Sadly, each new variant I received failed to be recognized by most of the major antivirus programs. Tonight's release wasn't caught by Kaspersky, Microsoft, Sophos, or Symantec, to name a few of the biggies. It's possible that some of these products will detect problems once the attachment attempts to worm its way through your system, but I'd be pretty nervous to be alerted after the fact, because you simply can't know if a new undetected process running alongside slipped under the radar.

    Telling your email users (and your emailing mother, for that matter) not to open attachments is insufficient warning when recipients are faced with the types of mind games inflicted by the creators of these campaigns (to generate more botnetted zombies). Training for email users needs a far more proactive approach so that safe email handling behavior becomes automatic.

    Posted on February 18, 2008 at 11:20 PM