Friday, September 2, 2011

Increase in malicious spam


Rodel Mendrez from M86 Security labs has made an excellent post on a Massive Rise in Malicious Spam:
http://labs.m86security.com/2011/08/massive-rise-in-malicious-spam/


As he notes in his conclusion, "It seems spammers have returned from a holiday break and are enthusiastically back to work."


So I decided to check out if I had received some spam as well. Jackpot ;-) !


Screenshot: UPS notification

Screenshot: Re: End of July Statement Required

Screenshot: Your credit card has been blocked

Screenshot: ACH Transfer Review

Most of the files display a Word or PDF icon to trick the user into opening the file:

Screenshot: attachments displaying Word and PDF icons

Some examples of attachments, with their respective VirusTotal results:


Invoice_08.17.2011_Collcod.exe
MD5: cf0397bb622e4ed9dfdeb07fcbfa9687
VirusTotal Report


MasterCard_invoce_ID73284783275943.doc.exe
MD5: 0b7eba77dd4bcea3c670c4a664e98778
VirusTotal Report


UPS_Document.exe
MD5: 17f9148b130a94ab1f50030ebbf2415a
VirusTotal Report


form-62091.exe
MD5: e18d8cb2a4264a3c559d7967b3c6ab99
VirusTotal Report
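The filenames above show the tricks this run relies on: a bare .exe with a document-like name, or a hidden double extension such as .doc.exe, combined with a Word or PDF icon. The following added example (my own code, not from the post or from M86) flags attachments on those properties and on the MD5s quoted above; the attachment bytes are constructed for the demo, so only the names and hashes come from the post.

```python
import hashlib

# Executable extensions: .exe is the one seen in this run, the rest are
# other Windows executable types added here as an assumption.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Document extensions whose icons the lures imitate.
DOC_EXTENSIONS = {"doc", "docx", "pdf", "xls", "rtf"}

# MD5s quoted in the post, so a match can be reported by sample name.
KNOWN_BAD_MD5 = {
    "cf0397bb622e4ed9dfdeb07fcbfa9687": "Invoice_08.17.2011_Collcod.exe",
    "0b7eba77dd4bcea3c670c4a664e98778": "MasterCard_invoce_ID73284783275943.doc.exe",
    "17f9148b130a94ab1f50030ebbf2415a": "UPS_Document.exe",
    "e18d8cb2a4264a3c559d7967b3c6ab99": "form-62091.exe",
}


def classify_attachment(name, data):
    """Return the reasons an attachment looks like one of these lures ([] if none)."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # 1. Plain executable attachment (UPS_Document.exe, form-62091.exe).
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    # 2. Double extension hiding a document type before the real one
    #    (MasterCard_invoce_ID73284783275943.doc.exe).
    if len(parts) > 2 and parts[-2] in DOC_EXTENSIONS and ext in EXEC_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    # 3. Content contradicts the claimed type: a Windows PE starts with
    #    the 'MZ' DOS header, which no Word or PDF document does.
    if data.startswith(b"MZ") and ext in DOC_EXTENSIONS:
        reasons.append("PE executable disguised as a document")
    # 4. Hash matches one of the samples from the post.
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_BAD_MD5:
        reasons.append(f"MD5 matches known sample {KNOWN_BAD_MD5[digest]}")
    return reasons


def scan(attachments):
    """Map each suspicious attachment name to its reasons; clean ones are dropped."""
    flagged = {}
    for name, data in attachments.items():
        reasons = classify_attachment(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample attachments: names from the post, bytes made up here.
SAMPLES = {
    "UPS_Document.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "MasterCard_invoce_ID73284783275943.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # PE renamed to .pdf
    "July_statement.pdf": b"%PDF-1.4\n",               # looks like a real PDF
}
```

Run `scan(SAMPLES)` to see the three lures flagged and the genuine-looking PDF left alone; in a mail gateway the same checks would run over each MIME part before delivery.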


When opening any of these files, you can end up with rogueware.
One example of rogueware I got was "System Repair":


Screenshot: System Repair rogueware


The dropped file that is launching the rogueware:


pusk3.exe
MD5: 27077c2058983bb76bd09cdad69f7bde
Result: 36/44 (81.8%)
VirusTotal Report
ThreatExpert Report
Anubis Report




Conclusion

The conclusion is pretty simple: do not open any attachments from unknown senders.
If you happen to be infected with System Repair, you can for example use the guide on Bleepingcomputer:
http://www.bleepingcomputer.com/virus-removal/remove-system-repair