I may have disappeared for the last couple of weeks, but the spam and malware did not, so this post is a roundup of various outbreaks that I wasn’t able to report on at the moment they happened. In parentheses is the date I would have (should’ve, could’ve) reported on these items had I been truly on top of things:
“UPS” Malware (July 13)
We’ve gotten used to the “blended threat” malware that refers email recipients to an infected web site, but good old attachment malware is still around; the “UPS” malware was a traditional outbreak of emails carrying a malware attachment. It began, and was detected by Commtouch, on July 13, with an outbreak of text-based messages claiming that a package could not be delivered. If the recipient would just open the attached invoice…everything will be OK. Several sites have already reported on this malware, and on the fact that not all AVs will catch it, but what they didn’t show is how the outbreak has come in short, massive waves or bursts. Reporting slightly after the fact like this gives me the advantage of being able to show a trend over time, so below is the graph of samples per variant per day of ups_invoice.exe, the malware attached in those messages:
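The “samples per variant per day” view above is easy to reproduce from any attachment feed. The script below is an added example, not Commtouch’s code or tooling: it buckets attachment samples by day and by variant (keyed on the SHA-256 of the attachment bytes, so a repacked binary shows up as a new variant), then flags “burst” days whose total is several times the median of the other days. The feed, the variant payloads and the 3× burst threshold are all constructed for illustration.

```python
"""Per-variant, per-day counts for a malware attachment feed, with a simple
burst flag. Added example; the feed below is constructed, not real telemetry."""
from collections import defaultdict
import hashlib
from statistics import median

# Constructed feed: (day, number of samples seen, attachment bytes).
# Each distinct byte string stands in for one variant of ups_invoice.exe;
# a real feed would carry the actual attachment (or at least its hash).
SAMPLE_FEED = [
    ("2008-07-13", 40, b"ups_invoice.exe variant A"),
    ("2008-07-14", 5, b"ups_invoice.exe variant A"),
    ("2008-07-15", 60, b"ups_invoice.exe variant B"),
    ("2008-07-15", 2, b"ups_invoice.exe variant A"),
    ("2008-07-16", 4, b"ups_invoice.exe variant B"),
    ("2008-07-17", 3, b"ups_invoice.exe variant C"),
    ("2008-07-18", 50, b"ups_invoice.exe variant C"),
]


def variant_id(payload: bytes) -> str:
    """Identify a variant by the SHA-256 of its bytes (shortened for display).
    Any repack or re-encryption of the dropper yields a new id."""
    return hashlib.sha256(payload).hexdigest()[:12]


def count_by_day(feed):
    """Return {day: {variant_id: sample_count}}, days in chronological order."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, n, payload in feed:
        counts[day][variant_id(payload)] += n
    return {day: dict(per_variant) for day, per_variant in sorted(counts.items())}


def daily_totals(counts):
    """Collapse the per-variant table to one total per day."""
    return {day: sum(per_variant.values()) for day, per_variant in counts.items()}


def variants_per_day(counts):
    """How many distinct variants circulated on each day."""
    return {day: len(per_variant) for day, per_variant in counts.items()}


def burst_days(totals, factor=3.0):
    """Days whose total is at least `factor` times the median of all other days.
    The median is robust to the bursts themselves; the factor is a hypothetical
    threshold chosen for this example."""
    flagged = []
    for day, total in totals.items():
        others = [t for d, t in totals.items() if d != day]
        if others and total >= factor * median(others):
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    table = count_by_day(SAMPLE_FEED)
    for day, per_variant in table.items():
        print(day, per_variant)
    print("burst days:", burst_days(daily_totals(table)))
```

With the constructed feed, July 13, 15 and 18 come out as burst days, and July 15 is the one day on which two variants overlapped, which is the “short, massive waves” shape the post describes: each wave is dominated by a fresh variant, and the lull between waves is where a signature-only AV is most likely to be behind.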
Seems to be slowing down, but it’s not over ’til it’s over…
More Naked Celebrities (July 18)
Will the world never tire of seeing popular film stars unclothed? Sorry, that was a rhetorical question. Here is a blended outbreak that was distributed via spam messages, and hyperlinked users to a fake movie site, to view an MP4 of their favorite movie star. In the example below, it was Demi Moore, but other stars were similarly promoted for the cause of malware.
Amero Spam (July 21)
I like this one, just because of how far-fetched it is. This outbreak is based on the long-running urban legend that North America is planning to roll out a unified currency similar to Europe’s Euro. This new money would, of course, be called the “Amero.” If you click on the link in the message (with subjects like “Dollar is dead”, “no dollars anymore”, and “Amero arrives”), the amero.exe malware (a form of Storm worm, aka Tibs, Nuwar, or Zhelatin) will automatically download. Bear in mind that even though “Storm” keeps re-appearing, each time it is in a different form. At the time our analysts ran the malware through VirusTotal, only 11 of the 30 AVs tested identified it.
Here is a sample message:
and the web site it leads to:
Watch Free Movie – massive blended threat outbreak (July 22)
More blended threats with the movie theme. However, this outbreak’s malicious web pages were inserted into otherwise legitimate web sites, most likely through hacking. The subjects and contents played on people’s macabre sense of curiosity (what is it about losing a body part that always brings an audience?):
- snake caught swallowing horse
- boy pokes fork into sister’s eye
- boy 4, pulls off sister’s ear
- man breaks arm in horror fall
- horses breaks riders skull in freak attack
- raw footage of snake swallowing horse
- kids rob elderly, police open fire
- woman loses foot in shock attack
- horse kicks harrison ford in stomach
- woman loses nose after dog attack
- police open fire on elderly in iowa
- man loses eye in fight
The really amusing part of this outbreak is that the subject line of the email message didn’t necessarily have anything to do with the internal message. For example, in one sample I saw, the subject was “Woman loses foot in shock attack,” and the internal message says: “Boy gouges teacher’s eye out in class,” followed by a link to http://…..viewmovie.html. I guess this was a case of over-randomization on the part of the spammers. BTW do you think they meant “shark attack”? Hmmmmm…
Because the malware was placed on otherwise non-malicious web sites, it raises the issue for web security scanners of how deep into a web site you go when looking for malware. If the site is legitimate, can you assume that all of the content on that site is legitimate? As this case has proven, you cannot. Let’s say your AV doesn’t block codecinst.exe, the malware file that automatically downloads (at the time the outbreak peaked, more than half of the AVs tested did not identify it). Wouldn’t you feel more comfortable having a web security solution that could tell you the likelihood of this site being hacked?
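Two of the observations above make decent mail-side triage rules on their own: the subject line not matching the headline inside the body (“Woman loses foot in shock attack” outside, “Boy gouges teacher’s eye out in class” inside), and a link whose path ends in a known lure page or dropper name regardless of how reputable the host looks. The script below is an added example, not Commtouch’s code: it extracts URLs from constructed message samples, classifies them by path basename against the file names mentioned in this post, and scores subject/body agreement by word overlap. The sample messages, the example.com/.net/.org hosts and the 0.5 overlap threshold are all assumptions made for the example.

```python
"""Triage rules for the blended-threat spam described in the post.
Added example with constructed sample messages; not the author's tooling."""
import re
from urllib.parse import urlparse

# File names taken from the post; a real deployment would feed this from
# current threat intel rather than a hard-coded list.
LURE_PAGES = {"viewmovie.html"}
DROPPER_NAMES = {"codecinst.exe", "postcard.exe", "amero.exe", "ups_invoice.exe"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed samples (hosts are placeholders, not the real outbreak URLs).
SAMPLES = [
    {"subject": "Woman loses foot in shock attack",
     "body": "Boy gouges teacher's eye out in class\n"
             "http://example.com/news/viewmovie.html\n"},
    {"subject": "Dollar is dead",
     "body": "Dollar is dead\nRead more: http://example.net/amero.exe\n"},
    {"subject": "Meeting notes",
     "body": "Meeting notes\nhttps://example.org/docs/notes.html\n"},
]


def extract_urls(body: str):
    return URL_RE.findall(body)


def classify_url(url: str):
    """Label a link by the last path component only: the host may be a
    perfectly legitimate site that has been hacked, so it is not trusted."""
    basename = urlparse(url).path.rsplit("/", 1)[-1].lower()
    if basename in LURE_PAGES:
        return "lure-page"
    if basename in DROPPER_NAMES or basename.endswith(".exe"):
        return "dropper"
    return None


def headline(body: str) -> str:
    """First non-empty body line that is not itself a link."""
    for line in body.splitlines():
        if line.strip() and not URL_RE.search(line):
            return line.strip()
    return ""


def words(text: str):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def subject_matches_body(subject: str, body: str, threshold=0.5) -> bool:
    """Jaccard word overlap between subject and body headline. Randomised
    templates that draw the two independently score close to zero."""
    a, b = words(subject), words(headline(body))
    if not a or not b:
        return False
    return len(a & b) / len(a | b) >= threshold


def triage(msg):
    links = [(u, classify_url(u)) for u in extract_urls(msg["body"])]
    return {
        "subject_body_mismatch": not subject_matches_body(msg["subject"], msg["body"]),
        "suspicious_links": [(u, label) for u, label in links if label],
    }


if __name__ == "__main__":
    for msg in SAMPLES:
        print(repr(msg["subject"]), "->", triage(msg))
```

Neither rule is a verdict by itself: the mismatch rule fires on plenty of legitimate newsletters, and the basename rule only knows the lure names you have already seen. Together with a hash feed like the one the UPS graph was built from, though, they give a mail gateway something to act on during the window in which most of the AV engines are still blind to the new variant.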
More Love Blended Threats/ Postcard (July 25)
Tried and true methods for infecting new computers with bots will probably never go away, and love is one of those methods. More love spam/malware outbreaks with links to web sites that automatically download “postcard.exe”. Yawn. We’ve seen this before, a few times, certainly more than once, and I’m sure we’ll see it again. More Tibs/Nuwar/Zhelatin (aka Storm Worm). As boring as it is, it’s still happening, and still infecting people’s computers! And in this case a whopping 16 out of 35 AVs could identify it.
That’s all for now
Thanks for indulging me in this long catch-up post. I’ll try not to fall behind anymore, but won’t promise, since I don’t like to promise something I’m not 100% sure I can keep.