
Cyren Security Blog


Update: Huge amounts of UPS and Facebook malware attachments

Virus distributors have steadily decreased their usage of email as a means of malware distribution. The more popular methods nowadays include the use of drive-by downloads as well as “voluntary” downloads of “shockwave updaters” and “movie codec files”.

But the last day or so has seen very high levels of emails with attached malware. At one point these accounted for over 30% of all email received. The sudden increase can be seen in the graph below:

Almost all of the malware comes in two flavors:

  • Facebook password reset (about 10% of the emails)
  • UPS package notifications (about 85%)

The UPS notifications generally look like this:

Subject lines are all variations of “United Parcel Service notification 00290”, and the attached archive extracts to an .exe that carries a PDF icon:

Commtouch’s Command Antivirus detects these as variants of W32/Bredolab. The UPS and Facebook methods are certainly not new, but the email headers have been altered in a way we haven’t seen often – possibly to confuse some anti-spam systems. The headers indicate that the zombie addresses (shown in pink) are simply relaying the malicious emails from some higher level (yellow highlight). The higher level addresses (which look a tiny bit like the IPv6 format) are basically nonsense that cannot be resolved, and the relay names are created from random text.
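The header trick described above (a zombie relaying from an upstream "host" that is random text or a pseudo-IPv6 literal which can never resolve) can be checked purely syntactically, without DNS. The following is an added example, not code from the original post: it walks the Received chain of a constructed message and flags hops whose claimed origin is neither a valid hostname nor a parseable IP literal. The sample headers and host names are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample: hop 0 is our own inbound MX (trustworthy); hop 1 is the
# relay's claim about where it got the message, written in the style the post
# describes (random-text relay name, IPv6-looking literal that cannot be valid).
SAMPLE_MESSAGE = """\
Received: from mx-in.example.org (mx-in.example.org [192.0.2.10])
\tby mail.example.org with ESMTP; Wed, 30 Mar 2011 10:00:00 +0000
Received: from qzx7kwp.ttr (qzx7kwp.ttr [2f01:zz:9g::1])
\tby mx-in.example.org with SMTP; Wed, 30 Mar 2011 09:59:58 +0000
Subject: United Parcel Service notification 00290
From: noreply@example.com
To: user@example.org

(body omitted)
"""

# RFC 1123 hostname syntax: dot-separated labels, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
_FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", re.IGNORECASE)
_LITERAL_RE = re.compile(r"\[([^\]]+)\]")


def is_ip_literal(token):
    """True if token (optionally in [brackets]) is a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(token.strip("[]"))
        return True
    except ValueError:
        return False


def suspicious_hops(raw_message):
    """Return [(hop_index, claimed_host, reason)] for Received hops whose claimed
    origin cannot be a real host: bad hostname syntax or an unparseable IP literal.
    Hop 0 is the most recently added (topmost) Received header."""
    msg = email.message_from_string(raw_message)
    findings = []
    for idx, value in enumerate(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = _FROM_RE.search(value)
        if not m:
            findings.append((idx, "", "no 'from' clause"))
            continue
        host, comment = m.group(1), m.group(2) or ""
        if not (is_ip_literal(host) or _HOSTNAME_RE.match(host)):
            findings.append((idx, host, "claimed host is not a valid hostname or IP"))
        lit = _LITERAL_RE.search(comment)
        if lit and not is_ip_literal(lit.group(1)):
            findings.append((idx, host, f"unparseable address literal [{lit.group(1)}]"))
    return findings
```

A hit on any hop other than those added by your own servers is a cheap signal to feed into spam scoring; names that are syntactically valid but merely random (like the relay name here) still need a DNS or reputation lookup that this offline check deliberately leaves out.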

Update: 4th April 2011

An updated graph of last week's traffic shows the huge spike from Tuesday to Thursday. The outbreak is continuing today, but in smaller numbers. In our experience the next stage will be an increase in spam.
