Spammers have now come up with a new style of stock spam email.
First they used plain text, then static image files, then randomised image files, all to evade filtering.
Once people started using FuzzyOcr (the SpamAssassin plugin that OCRs image attachments), the stock spammers moved into PDFs.
Those PDFs contained plain text, which, with the right tools, can again be filtered.
This morning the "next generation" appeared: PDFs with random images embedded in them :(
First, here's the email you receive:
Pdf example 1:
Pdf example 2:
Interestingly, neither PDF would open in a couple of the free PDF readers, but both seem to open fine in Adobe Reader.
Initial detection of this variant has been added as: Email.Stk.Gen538.Sanesecurity.07062600.pdf
Update (12:45): more new variants, now using random PDF filenames!
Pdf example 3:
Pdf example 4:
Pdf example 5:
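One way to catch this kind of attachment before a user opens it, as an added example that is not part of the original post or of the Sanesecurity signatures: the script below walks the objects in a PDF, inflates FlateDecode content streams, and counts image XObjects against text-showing operators; a PDF that draws images but never shows any text is treated as suspect. The two sample PDFs are constructed inside the script (minimal objects with no xref table, enough for the heuristic but not meant to render), and the regex-based object walk is a deliberate simplification for the demo. A production filter should use a real PDF parser, and the check is knowingly defeatable: objects hidden in object streams (/ObjStm) are not seen, and a spammer who adds invisible text to the page would pass it.

```python
"""Heuristic check for image-only PDF attachments (the stock-spam style described above).

Added example, not code from the original post. It walks PDF objects with regular
expressions, which is enough for the constructed samples below; real filters should
use a proper PDF parser.
"""
import re
import zlib

# "N G obj ... endobj" pairs; non-greedy so each object is matched separately.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# Raw bytes between the stream/endstream keywords of one object.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Text-showing operators in a content stream: (..) Tj, [..] TJ, (..) ' and (..) "
TEXT_OP_RE = re.compile(rb"[)>\]]\s*(?:Tj|TJ|'|\")")


def _decode_stream(obj_dict: bytes, raw: bytes) -> bytes:
    """Inflate a FlateDecode stream; other filters are left as-is (treated as opaque)."""
    if b"/FlateDecode" in obj_dict:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return b""  # corrupt or truncated stream: nothing to scan
    return raw


def analyse_pdf(data: bytes) -> dict:
    """Count image XObjects and text-showing operators across all objects."""
    images = 0
    text_ops = 0
    for match in OBJ_RE.finditer(data):
        body = match.group(3)
        obj_dict = body.split(b"stream", 1)[0]  # the dictionary precedes the stream keyword
        if re.search(rb"/Subtype\s*/Image", obj_dict):
            images += 1
            continue  # pixel data, not content operators
        stream = STREAM_RE.search(body)
        if stream:
            content = _decode_stream(obj_dict, stream.group(1))
            text_ops += len(TEXT_OP_RE.findall(content))
    return {"images": images, "text_ops": text_ops}


def is_image_only_pdf(data: bytes) -> bool:
    """Suspect: at least one embedded image and no text drawn anywhere."""
    counts = analyse_pdf(data)
    return counts["images"] > 0 and counts["text_ops"] == 0


def build_sample_pdf(image_only: bool) -> bytes:
    """Constructed sample: a minimal PDF fragment (no xref table, so not meant to render)."""
    objects = []
    if image_only:
        # 2x1 greyscale image XObject, drawn by the page content with the Do operator
        objects.append(
            b"1 0 obj << /Type /XObject /Subtype /Image /Width 2 /Height 1 "
            b"/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 2 >>\n"
            b"stream\n\x00\xff\nendstream\nendobj\n"
        )
        content = b"q 200 0 0 100 50 50 cm /Im0 Do Q"
    else:
        content = b"BT /F1 12 Tf 72 700 Td (Buy XYZ stock now!) Tj ET"
    packed = zlib.compress(content)
    objects.append(
        b"2 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream\nendobj\n"
    )
    return b"%PDF-1.4\n" + b"".join(objects) + b"%%EOF\n"


if __name__ == "__main__":
    for flag in (True, False):
        pdf = build_sample_pdf(flag)
        print(analyse_pdf(pdf), "image-only:", is_image_only_pdf(pdf))
```

The image-only sample reports one image and no text operators and is flagged; the text sample reports no images and one Tj and passes. The same counts can be fed into a spam score rather than used as a hard block, since legitimate scanned documents are also image-only PDFs.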
A hopefully interesting blog from the world of zero hour malware, phishing, scams and spams
Tuesday, 26 June 2007
Monday, 18 June 2007
Greeting Card: fun.exe
ISC has an interesting article on an attack involving .hk domains.
So, perhaps this is a related attack.
It starts with a greeting card:
If you haven't got JavaScript enabled, you'll see this screen, where the file it wants you to download is on a .hk server and the exe is called fun.exe:
Looking deeper at the code, it's doing something iffy:
If you do click on the link, you are served an exe file, which, when submitted to VirusTotal, gives this result:
Again, coverage not too hot :(
Currently detected as: Email.Malware.Sanesecurity.07061701
Greeting card
Received a whole load of these "greeting cards" this morning:
The fake site you visit has some "redirect" code:
If you do actually go to the site, it'll look something like this, followed by an auto-download of the "flash-player" needed:
Submitting the exe file to VirusTotal reveals, surprise surprise... it's not a Flash player:
The email is currently being detected as: Email.Malware.Sanesecurity.07061801
Free Video malware
Received a few copies of this email this morning, which, as you can see, asks you to click on a link to download an exe file:
As you can see from the source, they've tried to hide the content by base64-encoding the email body:
Submitting the exe file to VirusTotal gives us this worrying picture:
Hopefully, now that it's been submitted to VirusTotal, more AVs will add detection.
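The check a filter needs against this trick, as an added example that is not code from the original post: decode each MIME part according to its Content-Transfer-Encoding before looking for links, so a base64-encoded body cannot hide a URL ending in .exe. The message below is constructed for the demo (the sender and host names are made up); the script contrasts a naive regex over the raw bytes, which finds nothing, with the same regex over the decoded part.

```python
"""Scan MIME parts only after decoding their Content-Transfer-Encoding.

Added example, not code from the original post: the sample message below is constructed
(addresses and host name are made up) to mirror a base64-encoded HTML body that links to an exe.
"""
import base64
import email
import re
from email import policy

# Links whose path ends in an executable extension (.com deliberately omitted: too many hosts)
EXE_LINK_RE = re.compile(r"https?://[^\s\"'<>]+?\.(?:exe|scr|pif|bat)\b", re.I)

# Constructed HTML body; in the message it travels base64-encoded
HTML_BODY = (b'<html><body>Your free video is ready: '
             b'<a href="http://www.example.invalid/video/free_video.exe">click here</a>'
             b'</body></html>')

# Constructed sample message: single text/html part, Content-Transfer-Encoding: base64
SAMPLE_MESSAGE = (
    b'From: "Video Fun" <video@example.invalid>\n'
    b'To: someone@example.invalid\n'
    b'Subject: Free Video\n'
    b'MIME-Version: 1.0\n'
    b'Content-Type: text/html; charset="us-ascii"\n'
    b'Content-Transfer-Encoding: base64\n'
    b'\n'
    + base64.encodebytes(HTML_BODY)
)


def raw_scan(msg_bytes: bytes) -> list:
    """Naive filter: regex over the raw message. Sees only base64 text, so finds nothing."""
    return EXE_LINK_RE.findall(msg_bytes.decode("ascii", "replace"))


def decoded_scan(msg_bytes: bytes) -> list:
    """Decode every text/* part (base64, quoted-printable, charset) and then look for links."""
    msg = email.message_from_bytes(msg_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()  # honours Content-Transfer-Encoding and charset
        hits.extend(EXE_LINK_RE.findall(text))
    return hits


if __name__ == "__main__":
    print("raw scan:", raw_scan(SAMPLE_MESSAGE))
    print("decoded scan:", decoded_scan(SAMPLE_MESSAGE))
```

The raw scan returns an empty list; the decoded scan returns the .exe link. The same decode-first rule applies to quoted-printable bodies and to HTML entities inside the decoded text, which this example does not unescape.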