Fake Auto Identification Card documents

Just received the following email, with a zip file attached (containing an exe file):




















Submitted the file to VirusTotal and the result isn't very good (3/36 scanners):
















Submitting the file to ThreatExpert, gives the following result

"Threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system."

Added detection as: Email.Malware.Sanesecurity.08081405

Fake Contract Documents

Received the following email, which looks the same as a version received about a week ago:











Received: from [199.214.241.xxx] (h-199-214-241-xxx.norquest.ca [199.214.241.xxx]
by raq0402.xxxxxxxxxx.co.uk (8.13.1/8.13.1) with ESMTP id m7E5rk9W028214
for ; Thu, 14 Aug 2008 06:53:47 +0100

As you can see, it's got a zip attachment, which submitting to VirusTotal, gives us:
















I'd already added a signature to catch the earlier version (11th August) and it also detected this latest version too: Email.Malware.Sanesecurity.08081101 (added 11th August 2008)

Submitting this to ThreatExpert, gives you this worrying result !

Ie: "Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger, it will be run every time a target application is attempted to be launched - either to mimic it and hide its own presence (e.g. an open port or a running process), or simply to be activated as often as possible."

As you can see from the stats, it's still being spammed out:









None of this is a worry, to those admins who are blocking exe's inside zip files though :)

MSNBC StormNews Spam: Update

Well they've changed the landing page URL yesterday evening... but this change was detected with the generic Email.Malware.Sanesecurity.08081301.StormNews.MSNBCGen signature I'd added yesterday morming

As well as the URL change... they managed to make the make an Msnbc logoed one, instead of the CNN one, we had yesterday :)















There was also a change to the domain, that serves the fake anti-virus software too.

On my servers.... the stats so far...

CNN vs Msnbc:

Email.Malware.Sanesecurity.08081003.StormNews.CnnGen: 9,519
Email.Malware.Sanesecurity.08080606.StormNews.Cnn: 5,138
Email.Malware.Sanesecurity.08080802.StormNews.CnnGen: 3,483
Email.Malware.Sanesecurity.08081002.StormNews.CnnGen: 3,182
Email.Malware.Sanesecurity.08080800.StormNews.Cnn: 1,608
Email.Malware.Sanesecurity.08080902.StormNews.Cnn: 1,032

Email.Malware.Sanesecurity.08081300.StormNews.MSNBC: 2,018
Email.Malware.Sanesecurity.08081302.StormNews.MSNBC: 1,985

MSNBC StormNews Spam

Following on from the CNN virus spam we all know and love...looks like the spammers have got bored with CNN and moved onto MSNBC:




















... but the MSNBC landing page... erm... still shows the CNN logo... ooops:















Exe file info: VirusTotal and ThreatExpert

However, we do now have popups for some free rogue anti-virus scanning software:
















Needless to say, don't even try to download this!

Detection added as: Email.Malware.Sanesecurity.08081300.StormNews.MSNBC

New Fake CNN email

Looks like a new round of CNN News emails are coming in:















Here's the fake landing page:












Virus Total Report

Detection added as: Email.Malware.Sanesecurity.08080800.StormNews.Cnn

Note: if you are using Firefox and the Noscript plugin, won't see the above page

0 hour UPS Invoice

There was another spam run of the fake UPS invoice yesterday, this time with a different version of the malware, in the zip attachment:








What was interesting, was that the signatures I'd added to catch the last one, detected the new varient too:









As you can see from the above stats graph, Email_Malware_Sanesecurity_08072227
(in yellow) was being blocked from around 5.30pm to 7pm. ClamAV started detecting the attched file at 7pm (Trojan_Zbot_1737).

What does the exe file do? (contained in the zip)... well, here's what ThreatExpert said