mxlab - all about anti virus and anti spam » Email security

Malware distribution techniques

mxlab — Mon, 21 Apr 2008 18:14:02 +0000

At first I thought of a new phishing email, based on the fact that it comes from a bank, includes a long URL in the body and it is related to your banking account where you need to renew your certificate.

Connection-Colonial Bank Renewal

Certificate Renewal
Personal (Smartcard) e-Cert Personal e-Cert
Certificate owner must renew the certificate before expiry date.
Your certificate expiration date – 1may 2008.
The system will send email (Certificate Renewal Notice) to the certificate owner ten days and 3 hours before the certificate is due to expire, if it has not been renewed. Upon receiving the renewal notice, certificate owner is required to connect to Colonial Bank Certificate Management System and present the client certificate. Secure Server e-Cert Developer e-Cert
Certificate owner has the responsibility to renew the certificate before expiry date. Successful renewed application will receive an email notification from Colonial Bank. Applicant can just browse to the URL stated in the email and then download the certificate.

Download now

2003 Colonial Bank, N.A.

Further investigation show us that it is indeed a technique to distribute malware. The download URL doesn’t give a login screen but takes you to a web site where you need to download the certificate and this is an .exe.

The download gives us an Colonial_CertificateUpdate04192008.exe and is in fact the Trojan-PSW.Win32.Papras. This trojan steals login credentials and other sensitive information on the compromised system. It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.

As always, take extra attention if you receive these kind of formatted emails.

Phishing levels peak

mxlab — Mon, 14 Apr 2008 00:35:00 +0000

MX Lab detects in increase in phishing emails between 09/04/2008 and 13/04/2008, bringing the phishing level up to 0,28% of all blocked messages where in the past this level was 0,03%.

These phishing emails are mostly regarding a “locked bank account” or “verify your details” but we see other phishing attempts targeting Google Adwords customers stating that their account is locked.

Very good PayPal phishing email

mxlab — Wed, 02 Apr 2008 11:12:53 +0000

A certain phishing email from ‘PayPal’ caught our attention. When investigating the phishing email we could find that this is a very professional one. The email in fact confirms your payment to a company, in this case Plimus, for an amout of$55,89 USD. The email provides a link to dispute the transaction and this is where the phishing starts.

Following the link to report a dispute results in being directed to http://**-***-**-***.fld-bsr1.chi-fld.il.******.cable.rcn.com:90/www.paypal.com/cgi-bin/ and it brings you to the “PayPal login screen”.

Typical to phishing sites is that you can type in whatever you want as login or password, you will always be directed to a webform.

These guys have even included the animated screen ‘Logging in’ that you have when logging in to the real PayPal web site. After this screen you get a full webform which will try to get your full details.

MX Lab protects Comap Nordic email communication

mxlab — Fri, 12 Oct 2007 15:16:01 +0000

After providing email security for Comap Benelux, MX Lab extends its services to protect email communication for the domains comap.se/.no/.fi and .dk.