October 07, 2008
Malware Attachments Still Circulate
It's getting harder and harder for malware-laden attachments—especially those bearing the commonly-used filename extensions—to get past server-based security software. But that doesn't mean the crooks won't keep trying. The key is to modify the package enough with each iteration to prevent the file from being identified as a known hunk o' crap.
The first goal of an attachment delivery message—once it has made it into an inbox—is to create enough curiosity or outrage in a simple message to get the recipient to open the file. I personally believe that the outrage approach is more easily exploitable against cautious recipients who are more likely to trash an email from an unknown sender containing an unexpected file.
An example arrived today that will surely get the dander up on quite a few recipients:
Subject: Your bill. Please pay within the next week.
The bill is attached. Password is 123.
The attached file is named bill.zip, and VirusTotal reports that only 22% of its list of antivirus products identified it as anything suspicious. A lot of very big antivirus names missed it (at this hour, anyway). So, if the recipient was outraged at receiving a bill from a karate studio (as indicated in the forged From: field of the copy I received), he or she would open the file to find out what it's about and contest it...by which time a Trojan downloader has already been installed on the PC.
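As an added illustration (not from the post), here is a small Python check a mail gateway could apply to the exact pattern described above: a zip attachment whose members carry the zip "encrypted" flag, paired with a message body that mentions a password. The sample message is constructed to resemble the one quoted here; because Python's zipfile cannot write password-protected archives, the mark_encrypted helper only sets the on-disk flag bit.

```python
import email, re, zipfile
from email import policy
from email.message import EmailMessage
from io import BytesIO

PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)  # e.g. "Password is 123."
def zip_members(data):
    """Return [(name, encrypted_flag)] for a zip blob, or None if it is not a zip."""
    try:
        with zipfile.ZipFile(BytesIO(data)) as zf:
            return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]
    except zipfile.BadZipFile:
        return None

def assess_message(raw):
    """Flag a mail that pairs an encrypted zip attachment with a password in the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body, zips = "", {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a leaf part
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():
            members = zip_members(payload)
            if members is not None:
                zips[part.get_filename()] = members
        elif part.get_content_type() == "text/plain":
            body += payload.decode("utf-8", "replace")
    encrypted = any(enc for members in zips.values() for _, enc in members)
    in_body = bool(PASSWORD_HINT.search(body))
    return {"zip_attachments": sorted(zips), "encrypted_zip": encrypted,
            "password_in_body": in_body, "suspicious": encrypted and in_body}

def mark_encrypted(data):
    """Set flag bit 0 ("encrypted") in the local header (offset 6) and central dir entry (offset 8)."""
    b = bytearray(data)
    for off in (b.find(b"PK\x03\x04") + 6, b.find(b"PK\x01\x02") + 8):
        b[off] |= 0x1
    return bytes(b)

def build_sample(encrypted=True):
    """Constructed message modelled on the one quoted in the post (not a real capture)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bill.exe", b"placeholder bytes, not a real executable")
    blob = mark_encrypted(buf.getvalue()) if encrypted else buf.getvalue()
    msg = EmailMessage()
    msg["Subject"] = "Your bill. Please pay within the next week."
    msg.set_content("The bill is attached. Password is 123.")
    msg.add_attachment(blob, maintype="application", subtype="zip", filename="bill.zip")
    return bytes(msg)
```

The flag check catches the archive regardless of what the antivirus signature databases know about the payload, which is the point of password-protecting it in the first place.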
It's just another example of what I call the "impending doom" trick to get recipients to act. With the world financial situation going through troubled times, I fully expect crooks to experience a boom in doom.
Posted on October 07, 2008 at 08:38 AM