Tuesday, 26 June 2007

Stock spam evolves: new style PDFs

Spammers have now come up with a new style of stock emails.

First they used just plain text, then static image files, and then randomised image files, all to avoid filtering.

Once people started using FuzzyOcr, the stock spammers moved into PDFs.

Those PDFs contained plain text, which again can be filtered with the right tools.

This morning the "next generation" appeared: PDFs with random images embedded in the PDF :(

Firstly, here's the email you receive:

Pdf example 1:

Pdf example 2:

Interestingly, both PDFs would not open in a couple of the free PDF readers, but they seem to open fine in Adobe PDF reader.
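As an added example (not from the original post, and not how Sanesecurity's signatures work), here is a small Python heuristic for the pattern described above: a PDF that carries image XObjects but no text-drawing operators. It scans the raw bytes rather than relying on a PDF parser, which matters here because files that some readers refuse to open can still be scored. The two sample PDFs are constructed inline; since real spam PDFs usually Flate-compress their streams, the scanner inflates every stream it can before counting.

```python
import re
import zlib

# Constructed sample PDFs (not from the original post), left uncompressed so the
# objects are readable. "XYZQ" is a made-up ticker.
TEXT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 43 >> stream
BT /F1 12 Tf 72 700 Td (Buy XYZQ now) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

IMAGE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 5 0 R >> >> /Contents 4 0 R >> endobj
4 0 obj << /Length 33 >> stream
q 500 0 0 300 50 400 cm /Im0 Do Q
endstream endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> stream
\xff
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A stream body runs from "stream\n" to "\nendstream"; the lookbehind stops
# "endstream" itself from being taken as the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")   # image XObject dictionaries
TEXT_OP_RE = re.compile(rb"\bT[jJ]\b")           # Tj / TJ operators draw text


def _inflate(match: "re.Match") -> bytes:
    """Replace a Flate-compressed stream body with its plaintext; leave others."""
    try:
        return b"stream\n" + zlib.decompress(match.group(1)) + b"\nendstream"
    except zlib.error:
        return match.group(0)   # uncompressed, image data, or corrupt: keep as-is


def normalize(data: bytes) -> bytes:
    return STREAM_RE.sub(_inflate, data)


def pdf_stats(data: bytes) -> dict:
    norm = normalize(data)
    return {
        "images": len(IMAGE_RE.findall(norm)),
        "text_ops": len(TEXT_OP_RE.findall(norm)),
    }


def is_image_only_pdf(data: bytes) -> bool:
    """True when the file draws at least one image and never draws text."""
    s = pdf_stats(data)
    return s["images"] > 0 and s["text_ops"] == 0


def flate_pdf(content: bytes) -> bytes:
    """Constructed helper: wrap a content stream in a FlateDecode object so the
    scanner has to inflate it, as it would for a real spam PDF."""
    body = zlib.compress(content)
    return (b"%PDF-1.4\n"
            + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            + b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
            + b"4 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >> stream\n" + body
            + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for name, data in (("text", TEXT_PDF), ("image", IMAGE_PDF),
                       ("flate text", flate_pdf(b"BT (Buy XYZQ now) Tj ET"))):
        print(name, pdf_stats(data), "image-only" if is_image_only_pdf(data) else "has text")
```

A zero text-operator count alone is not proof of spam (scanned documents look the same), so in practice this score would be one input alongside sender reputation and the OCR step FuzzyOcr already performs on images; the point is that the image-in-PDF trick does not hide the image from a filter, it only moves it one container deeper.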

Initial detection of this variant has been added as: Email.Stk.Gen538.Sanesecurity.07062600.pdf

Update (12:45): more new variants using random PDF filenames now!

Pdf example 3:

Pdf example 4:

Pdf example 5:

Monday, 18 June 2007

Greeting Card: fun.exe

ISC has an interesting article on an Attack involving .hk domains

So, perhaps this is a related attack.

It starts with a greeting card:

If you've not got JavaScript enabled, you'll see this screen, where the file it wants you to download is on a .hk server and the exe is called fun.exe:

Looking deeper at the code, it's doing something iffy:

If you do click on the link, you are served an exe file, which when submitted to VirusTotal gives you this result:

Again, coverage not too hot :(

Currently detected as: Email.Malware.Sanesecurity.07061701

Greeting card

Received a whole load of these "greeting cards" this morning:

The fake site you visit has some "re-direct" code:

If you do actually go to the site, it'll look something like this, followed by an auto-download of the "flash-player" needed:

Submitting the exe file to VirusTotal reveals, surprise surprise... it's not a flash-player:

The email is currently being detected as: Email.Malware.Sanesecurity.07061801

Free Video malware

Received a few copies of this email this morning, which, as you can see, asks you to click on a link to download an exe file:

As you can see from the source code, they've tried to hide the contents by base64-encoding the email:
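As an added example that is not part of the original post, here is how a mail filter sees through the base64 wrapping described above and pulls out the link it is hiding; the same check covers the earlier greeting-card lures that point at an exe on a remote server. The message is constructed here (the example.invalid host and video.exe path are placeholders, not the real campaign's values), and Python's email package reverses the transfer encoding for us.

```python
import base64
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed HTML lure with placeholder host and filename.
LURE_HTML = (
    b"<html><body><p>Your free video is ready!</p>"
    b'<a href="http://example.invalid/get/video.exe">Download now</a>'
    b'<p><a href="http://example.invalid/unsubscribe">Unsubscribe</a></p>'
    b"</body></html>"
)

# Constructed message: the HTML body is base64-encoded, so a naive grep of the
# raw bytes for "http://" or ".exe" finds nothing.
RAW_MESSAGE = (
    b"From: Free Video <sender@example.invalid>\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: Free Video\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n" + base64.encodebytes(LURE_HTML)
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def transfer_encodings(raw: bytes) -> list:
    """Content-Transfer-Encoding of every text part. base64 on a text part that
    needs no 8-bit characters is unusual and is itself a weak signal."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [str(p.get("Content-Transfer-Encoding", "7bit")).lower()
            for p in msg.walk() if p.get_content_maintype() == "text"]


def extract_links(raw: bytes) -> list:
    """URLs from the decoded text parts, in document order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # get_content() reverses base64/quoted-printable and decodes the charset,
        # so the filter inspects what the recipient's mail client would render.
        links.extend(URL_RE.findall(part.get_content()))
    return links


def executable_links(links) -> list:
    return [u for u in links
            if urlparse(u).path.lower().endswith(EXECUTABLE_EXTENSIONS)]


def assess(raw: bytes) -> dict:
    links = extract_links(raw)
    return {
        "raw_mentions_exe": b".exe" in raw.lower(),   # what a raw grep sees
        "encodings": transfer_encodings(raw),
        "links": links,
        "executable_links": executable_links(links),
    }


if __name__ == "__main__":
    for key, value in assess(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The decoded view is the one worth writing rules against: the base64 layer only defeats filters that match on the raw message bytes, and a direct link to an executable in a mass-mailed "free video" or "greeting card" is a strong enough signal on its own to quarantine pending the VirusTotal result.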

Submitting the exe file to VirusTotal gives us this worrying picture:

Hopefully, now it's been submitted to VirusTotal, more AVs will add detection.