Last week we saw an interesting series of emails which seemed to indicate a mid-outbreak change of tactic. The initial series of emails all had banking and account related themes, and each urged the recipient to open an attached document file. The attachments were in fact zipped executables: Trojan downloaders.
A VirusTotal (www.virustotal.com) scan showed reasonably high detection rates amongst AV vendors (although we gave them a very generous three days after the outbreak before scanning). At this point we would remind readers of the importance of zero-hour detection as provided by certain products. Updating signature files many hours after an outbreak will not protect users who receive these attached files before the update has been made available and downloaded. Note the file size: a relatively large 150KB.
Similar account-themed emails continued to appear over the next 2 days, but this time with an embedded link in place of the attachment. The executable file fetched from the link, with an almost identical large file size, was again categorized as a Trojan downloader. Here again we tested the file at VirusTotal one day after the outbreak (as above, this is lots of time in outbreak terms) and got a 66% detection rate.
The 150KB file size is shown below.
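A mail-gateway style check that flags both delivery forms described above, a zip attachment containing an executable and a message-body link pointing at an executable, is shown here as an added example that is not code from the original post; the sample messages, the bank.example addresses and the file names are constructed for the demonstration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Directly executable file types; the campaign above used plain .exe payloads.
EXEC_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE)
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def inspect_message(raw: bytes) -> dict:
    """Report zipped executables (by name or MZ header) and links to executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"zipped_executables": [], "executable_links": []}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        # Check the member name and the first two bytes (PE files start with "MZ").
                        if EXEC_EXT.search(info.filename) or zf.open(info).read(2) == b"MZ":
                            findings["zipped_executables"].append(
                                (info.filename, info.file_size))
            except zipfile.BadZipFile:
                pass  # Not a real archive; other checks would handle it.
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in LINK_RE.findall(part.get_content()):
                if EXEC_EXT.search(url.split("?")[0]):
                    findings["executable_links"].append(url)
    return findings

def build_sample(with_link: bool) -> bytes:
    """Constructed message imitating the two waves: zipped .exe, then a bare link."""
    msg = EmailMessage()
    msg["Subject"] = "Your account statement"
    if with_link:
        msg.set_content("Your statement is ready: http://bank.example/statement.exe")
    else:
        msg.set_content("Please open the attached statement.")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("statement.exe", b"MZ" + b"\x00" * 1022)  # fake PE header only
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="statement.zip")
    return msg.as_bytes()
```

Run `inspect_message(build_sample(False))` and `inspect_message(build_sample(True))` to see each wave flagged by a different rule; a real deployment would quarantine on either finding rather than wait for a signature update.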
The conclusion for malware distributors: If at first you don’t succeed – send a link…