Tuesday, 21 August 2007

storm worm: next generation

Sorry for the late write-up on this, but it was more important to get all the signatures out this morning to cover all these variants than to do a write-up.

Here's one of the many variants of the storm worm "member"/"logon" emails:

If you do click on the link you either get an auto-downloaded exe file or you see the following page (note: Firefox pops up a warning about the page [red stop sign]):

The exe file you are asked to download is re-packed every 30 mins or so to try to avoid detection by anti-virus software. The sample above was submitted to VirusTotal with the following results:

Detection for all these email variants was added at about 09:30am BST as the following signatures:

Email.Malware.Sanesecurity.07082100 to Email.Malware.Sanesecurity.07082107

Friday, 10 August 2007

Stock Spam changes format: FDF

As reported by the F-Secure blog, instead of PDF spam we now have FDF-formatted spam... which stands for format data format, used by various PDF readers.

Update: it appears that all is not what it seems: the first few bytes of the .FDF file are actually %PDF-1.5, which means that all the spammers have done is rename the extension from .PDF to .FDF. A real .FDF file has the magic bytes %FDF-1.2. PDF readers just open it as a PDF because of the magic bytes, not the extension. Sneaky.

Here's an example email that came in:

And here are its contents:

Note the random hex number (highlighted in red in the screenshot), which the spammers use to change the Adobe-encrypted contents of the file so that it's hard to detect a pattern, i.e. you can't use an MD5 hash of the file (just like the problems caused by image spam).

The good news is that, although this was a new technique for the spammers, it was already 0-hour protected by signature: Email.Stk.Gen606.Sanesecurity.07080101.pdf

Which was nice :)
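One way to implement the magic-byte check from the update above, and to see why the per-message random hex value described in the previous note defeats plain MD5 matching, as an added Python example that is not part of the original post or the Sanesecurity signatures. The `%PDF-` and `%FDF-` header prefixes come from the post; the function names, the `build_sample` helper and the two sample byte strings are constructed for this illustration and are not real spam attachments.

```python
import hashlib
import os
from typing import Optional

# Magic bytes a PDF reader actually keys on (from the post: %PDF-1.5 vs %FDF-1.2).
# Only the prefix up to the dash is matched so that any version number passes.
MAGIC_PREFIXES = {
    "pdf": b"%PDF-",
    "fdf": b"%FDF-",
}


def sniff_container(data: bytes) -> Optional[str]:
    """Identify the real container from the leading bytes, ignoring the filename."""
    for kind, prefix in MAGIC_PREFIXES.items():
        if data.startswith(prefix):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed container.

    A mismatch (e.g. a .fdf attachment whose bytes begin with %PDF-) is the
    renamed-extension trick the post describes. The MD5 is included only to
    show why a file hash is a weak signal for this family.
    """
    declared = os.path.splitext(filename)[1].lower().lstrip(".")
    actual = sniff_container(data)
    mismatch = (
        declared in MAGIC_PREFIXES   # only judge extensions whose magic we know
        and actual is not None
        and actual != declared
    )
    return {
        "declared": declared,
        "actual": actual,
        "mismatch": mismatch,
        "md5": hashlib.md5(data).hexdigest(),
    }


def build_sample(hex_id: str) -> bytes:
    """Constructed stand-in for the spam attachment (assumption, not a real sample):
    a PDF header under an .fdf name, with a per-message hex value in the body.
    It is not a valid PDF; it has just enough structure for the checks above."""
    return (
        b"%PDF-1.5\n"
        b"1 0 obj << /Type /Catalog >> endobj\n"
        b"trailer << /ID [<" + hex_id.encode("ascii") + b">] >>\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    # Two "copies" of the same spam, differing only in the random hex value:
    # both are flagged as mismatches, yet their MD5 hashes differ.
    a = check_attachment("stock_tip.fdf", build_sample("3f9a2c1e"))
    b = check_attachment("stock_tip.fdf", build_sample("b71d04e5"))
    print(a)
    print(b)
```

The check deliberately ignores the extension when deciding what the bytes are, which is exactly what the PDF readers do; a mail filter that keys on the same header bytes is not fooled by the rename, whereas the hash changes with every message.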

New E-Card Storm Worm

Incoming....

Email.Malware.Sanesecurity.070810xx