FakeRean trojan is using the same subject of the latest ZBot variant

MX Lab just intercepted an email with the subject “A new settings file for the jp@******.com has just been released”, similar to the latest ZBot variant, but with a major difference in distribution. This time the email contains the ZIP archive install.zip with the executable install.exe.

Body of the email:

Dear user of the ****.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox jp@****.com settings were changed. In order to apply the new set of settings open zip attached file.

Best regards, ****.com Technical Support.

Further investigation shows that AV vendors detect this virus under the names W32/FakeRean.A.gen!Eldorado (F-Prot), TrojanDownloader:Win32/FakeRean (Microsoft), W32/PackSpam.A!worm (Fortinet) or W32/FakeAV.AE!genr (Norman).

Virus Total permalink and MD5: 7d96ce7f588613f0343049918de70665. Only 15 of the 41 AV engines detected the trojan correctly. For more information regarding this trojan you can check the Microsoft Malware Protection Center.

[Update - 16/10/2009 11:36 PM, local Belgian time]

The subject line changed to “Microsoft Outlook Notification for the ******.******@*****.be” and this is now the body of the email:

You have (6) New Message from Outlook Microsoft

- Please re-configure your Microsoft Outlook Again.
- Download attached setup file and install.

The trojan itself is still in the same ZIP archive and is around 50 kB large.

Virus Total permalink and MD5: 958e5d61d6617806f649946e02ff04c8. At Virus Total only 24 of the 41 AV engines detect the trojan, so be careful.
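Both intercepted variants share the same structure (a ZIP attachment carrying an executable) while the subject line changed between them. The following script is an added example, not MX Lab's own tooling: it runs three checks over constructed sample mails (a subject-line rule written for the first variant, the two MD5s quoted above, and a structural check for executables inside ZIP attachments) to show which rule survives the subject change. The sample attachments are harmless placeholders, so the hash check is expected not to fire on them.

```python
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

# MD5s quoted in the post for the two intercepted samples.
KNOWN_MD5 = {"7d96ce7f588613f0343049918de70665", "958e5d61d6617806f649946e02ff04c8"}
# A subject rule written after seeing only the first variant.
SUBJECT_RULE = "A new settings file for the"
EXEC_EXT = (".exe", ".scr", ".com", ".pif")

def build_sample(subject: str, exe_name: str) -> bytes:
    """Constructed sample mail: install.zip holding a dummy (non-malicious) executable name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(exe_name, b"placeholder bytes, constructed for this example")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "support@example.com"  # constructed sender
    msg.set_content("In order to apply the new set of settings open zip attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="install.zip")
    return bytes(msg)

def inspect(raw: bytes) -> dict:
    """Report which checks fire: subject match, known hash, executable inside a ZIP attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    result = {"subject_hit": SUBJECT_RULE in (msg["Subject"] or ""), "hash_hit": False, "zip_exe_hit": False}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if hashlib.md5(data).hexdigest() in KNOWN_MD5:
            result["hash_hit"] = True
        if part.get_filename("").lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for name in zf.namelist():
                        if hashlib.md5(zf.read(name)).hexdigest() in KNOWN_MD5:
                            result["hash_hit"] = True
                        if name.lower().endswith(EXEC_EXT):
                            result["zip_exe_hit"] = True
            except zipfile.BadZipFile:
                result["zip_exe_hit"] = True  # a ZIP that will not parse is treated as suspicious
    return result

VARIANT1 = build_sample("A new settings file for the jp@example.com has just been released", "install.exe")
VARIANT2 = build_sample("Microsoft Outlook Notification for the user@example.be", "install.exe")
```

The subject rule matches only VARIANT1, while the ZIP-with-executable check matches both, which is the gap the comments below discuss.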

5 Comments

  1. Love the site, just found it today with the 0 day exploit on 10/14/09. Can you start including subject lines in the spam/virus e-mail you detect? Many spam filters and attachment blockers can query by subject and that would help me and others greatly.

    Great site, really like the picture and I look forward to checking back in more.

    Thanks,

    • The subject is mentioned in the article. So far we only had one version but it is possible that there are multiple versions going around the world. We can only provide information from our experience.

      A possible subject line could be: “The settings for the andre@****.com mailbox” as we’ve seen as a variant on the latest ZBot trojan with similar content but with the difference that the payload is on a malicious host.

  2. One more thought regarding spam filters and attachment blockers:

    These techniques can stop those emails coming into your mailbox but they are most of the time not doing this in real time. What I mean is that if you build and configure a rule to block messages based on the subject line, you could face new viruses coming through when the email parameters like the subject change.

    It is not 100% protection for sure.

    • I see that, not sure how I missed it (da) and I agree that it is not a logical defense method. However many spam vendors do not have the 0 day protection in place or may be classifying the threat incorrectly. We have a tool within our spam device that allows the admin to block/drop individual e-mails in the event the spam filter is not catching them.

      Block to me is always preferred as then you don’t run into the issue where a user may think it is legit and try to deliver it to themselves.

      This specific one morphed to a new subject around midnight EST on 10/15 that said Microsoft outlook – it also increased in file size from 24k to 500k, bypassing most if not all spam appliances just based on file size attributes. Real-crafty!

      • From a security standpoint, a zero hour, or 0-day protection, anti virus system is a must have these days. Virus writers are so clever that they can easily fool traditional anti virus engines and can outrun anti virus engines based on distributed AV definitions once an hour. Combined with powerful botnets and the latest techniques they can distribute virus and trojan variants more often. The AV vendors are just catching up on this. Sorry that I have to say this.

        We do recommend each and every (potential) client not to look for anything less than a zero hour AV engine. At MX Lab we have such an engine and quite often we see our clients getting protected while others have emails with malicious attachments in their mailbox.

        In the early days we had two email security appliances as gateway servers. We received hourly new definitions. In those days we often placed extra filters to block ZIP attachments based on their name to catch a virus. These appliances had 3 layered anti virus engines and they still didn’t catch the malware. Of course, those gateways are ancient history by now.

        I can’t confirm that this virus increased in size to 500k because I haven’t intercepted such one yet. What we receive is around 50k. Try to configure your appliance so that it will scan large emails too, but be careful not to overload your systems. Appliances come with hardware that can’t handle heavy loads (limited RAM, older CPU,…).

        At MX Lab we treat everything as suspicious until proven safe, no matter what file size it has. We quite often see spam with file sizes between 150k to 250k.

        Good luck in catching them.
