Select Page

Cyren Security Blog

Update: Huge amounts of UPS and Facebook malware attachments

Virus distributors have steadily decreased their usage of email as a means of malware distribution. The more popular methods nowadays include the use of drive-by downloads as well as “voluntary” downloads of “shockwave updaters” and “movie codec files”.

But the last day or so has seen very high levels of emails with attached malware. At one point these accounted for over 30% of all email received. The sudden increase can be seen in the graph below:

Almost all of the malware comes in 2 flavors:

  • Facebook password reset (about 10% of the emails)
  • UPS package notifications (about 85%)

The UPS notifications generally look like this:

Titles are all variations of “United Parcel Service notification 00290″ And the file extracts to an exe – but with a PDF icon:

Commtouch’s Command Antivirus detects these as variants of W32/Bredolab. The UPS and Facebook methods are certainly not new, but the email headers have been altered in a way we haven’t seen often – possibly to confuse some anti-spam systems. The headers indicate that the zombie addresses (shown in pink) are simply relaying the malicious emails from some higher level (yellow highlight). The higher level addresses (which look a tiny bit like the IPv6 format) are basically nonsense that cannot be resolved, and the relay names are created from random text.

Update: 4th April 2011

An updated graph of last week showing the huge spike from Tuesday to Thursday. The outbreak is continuing today but in smaller numbers. In our experience the next stage will be an increase in spam.

You might also like

LinkedIn Phish Kit

Scam Warning Back in January, LinkedIn posted a warning about connection requests from individuals impersonating employees of a legitimate organization. These requests come from newly created accounts. If someone accepts the request, the attackers will have more...