Virus distributors have steadily decreased their usage of email as a means of malware distribution. The more popular methods nowadays include the use of drive-by downloads as well as “voluntary” downloads of “shockwave updaters” and “movie codec files”.
But the last day or so has seen very high levels of emails with attached malware. At one point these accounted for over 30% of all email received. The sudden increase can be seen in the graph below:
Almost all of the malware comes in 2 flavors:
- Facebook password reset (about 10% of the emails)
- UPS package notifications (about 85%)
The UPS notifications generally look like this:
Commtouch’s Command Antivirus detects these as variants of W32/Bredolab. The UPS and Facebook methods are certainly not new, but the email headers have been altered in a way we haven’t seen often – possibly to confuse some anti-spam systems. The headers indicate that the zombie addresses (shown in pink) are simply relaying the malicious emails from some higher level (yellow highlight). The higher level addresses (which look a tiny bit like the IPv6 format) are basically nonsense that cannot be resolved, and the relay names are created from random text.
Update: 4th April 2011
An updated graph of last week showing the huge spike from Tuesday to Thursday. The outbreak is continuing today but in smaller numbers. In our experience the next stage will be an increase in spam.