Beware -encrypted- attachments...

2007-05-03, 19:05

- http://www.pcworld.com/printable/article/id,131523/printable.html
May 03, 2007 ~ "Spammers have stepped up efforts to use -encrypted- attachments to evade filtering systems, service provider Email Systems has reported. The technique relies on the fact that many spam systems can't scan inside emails containing encrypted or password-protected attachments, and work out that they are not legitimate. Without a rule to block such attachments, most systems will pass on the email to recipients... In recent weeks, Email Systems detected a small but steady stream of such spam emanating from bot-compromised hosts, containing a zipped-up version of the pervasive 'Storm' bot-loading Trojan that plagued Internet users... The vast bulk of spam was now automated via bots, and this made finding new infection methods even more critical to the spam economy..."

- http://www.eweek.com/article2/0,1895,2125082,00.asp
May 2, 2007 ~ "...By crafting a large number of distinct variants of a virus and releasing them in short bursts, malware writers are able to release new variants before a signature or heuristics can be created to protect against the virus. At one point early this quarter, distributors of Storm/Nuwar malware released over 7,000 such variants in a single day, Commtouch officials said. The report also states that malware writers are adopting social engineering techniques common among spammers to lure victims into opening attachments..."

:sad: :fear:

2007-06-05, 17:54

New Malware SPAM
- http://isc.sans.org/diary.html?storyid=2919
Last Updated: 2007-06-04 21:56:30 UTC ~ "...Password-protected zip file as SPAM with the password included in the HTML body of the email...
> From: line may show a news organization. However, the actual sources of the email are all over the map (numerous broadband IPs on several continents). Hopefully most people have been trained to not trust the From: line or reply to spammy looking emails by now.
> Sample Subject Lines:
Subject: Re: U.S. violent crime up again, more murders, robberies
Subject: Man Awakens From 19-Year Coma
Subject: Law hits Las Vegas ...bands

Several of the samples included body text such as:
Decade Of Mystery: John Ramsey Speaks
Man wakes from 19-year coma in Poland US vows to pursue hunt for missing soldiers
Password for submitted attachment is xxx

Attachments include names such as "<news organization>-news<digits>.zip". At the moment AV coverage (of the uncompressed file) is spotty..."

More detail:
- http://www.f-secure.com/weblog/archives/archive-062007.html#00001204
June 5, 2007 ~ "...Attachments are password protected Zip archives with random filenames but appear to come from news organizations. The binary inside has the filename v245o.exe and is now detected as Backdoor:W32/Spamuwi.A..."
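An added example, not code from this thread or from PC World, the ISC diary or F-Secure: the rule the first article says most filters lacked, plus the trick the second post hands a filter for free. It flags any mail whose zip attachment has the encryption bit set, harvests a "Password ... is xxx" phrase from the body and tries it on the archive. Traditional zip encryption (ZipCrypto) leaves entry names and sizes in the clear, so the filter can report the inner ".exe" name even without the password. Because Python's zipfile can read but not write ZipCrypto, the block builds its own encrypted sample; the sender news@example.com, attachment name example-news4791.zip, password 7342, the fake "MZ" payload and the password regex are all constructed assumptions, and v245o.exe is reused from the F-Secure note purely as a name.

```python
"""Flag mails that carry a password-protected ZIP and, when the body gives the
password away, open the archive to see what is inside. Editor's added example,
not code from the thread or any source it quotes; the message, archive, password
and payload are constructed, the regex and quarantine rule are assumptions."""
import io
import re
import struct
import zipfile
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

def _crc_step(crc, b):             # raw CRC-32 table step on a 32-bit key, via zlib
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(password, data):
    """Traditional PKWARE 'ZipCrypto' cipher: zipfile reads it but cannot write it."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(b):                 # key schedule advances on each plaintext byte
        keys[0] = _crc_step(keys[0], b)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)
    for b in password:
        update(b)
    out = bytearray()
    for p in data:
        t = (keys[2] | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def build_encrypted_zip(name, payload, password):
    """One stored entry, flag bit 0 (encrypted) set. The entry name stays in the clear."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    # 12-byte encryption header (random in real writers); last byte = CRC's top byte
    body = zipcrypto_encrypt(password, bytes(range(11)) + bytes([crc >> 24]) + payload)
    fname, t, d = name.encode(), 0, (27 << 9) | (5 << 5) | 3       # 2007-05-03
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, t, d, crc,
                        len(body), len(payload), len(fname), 0) + fname + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, t, d, crc,
                          len(body), len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def build_sample_message(password=b"7342", stated=None):
    """Constructed lookalike of the June 2007 mails; `stated` lets the body lie."""
    inner = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not a real PE"
    text = ("Man wakes from 19-year coma in Poland\nPassword for submitted "
            "attachment is %s\n" % (stated or password.decode()))
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "news@example.com", "Man Awakens From 19-Year Coma"
    msg.set_content("<html><body><p>%s</p></body></html>"
                    % text.replace("\n", "<br>"), subtype="html")
    msg.add_attachment(build_encrypted_zip("v245o.exe", inner, password),
                       maintype="application", subtype="zip",
                       filename="example-news4791.zip")
    return msg.as_bytes()

# "Password for submitted attachment is xxx" and similar phrasings; editor's pattern
PASSWORD_RE = re.compile(r"\bpassword\b[^\n]{0,60}?\bis\b[:\s]+([^\s<,.;]+)", re.I)

def find_password_candidates(msg):
    """Collect 'password ... is X' phrases from inline text/plain and text/html parts."""
    found = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            for pw in PASSWORD_RE.findall(re.sub(r"<[^>]+>", "\n", part.get_content())):
                if pw not in found:
                    found.append(pw)
    return found

def scan_zip_attachments(msg, passwords):
    """Per ZIP attachment: entry names/encryption flags (no password needed) and
    whether a password from the body really opens an encrypted entry."""
    report = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if not isinstance(data, bytes) or not data.startswith(b"PK\x03\x04"):
            continue
        f = {"attachment": part.get_filename(), "entries": [], "encrypted": False,
             "password": None, "inner_is_exe": False}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            f["entries"] = [(i.filename, bool(i.flag_bits & 1)) for i in zf.infolist()]
            f["encrypted"] = any(enc for _, enc in f["entries"])
            for name, enc in f["entries"]:
                for pw in (passwords if enc else []):
                    try:
                        inner = zf.read(name, pwd=pw.encode())
                    except (RuntimeError, zipfile.BadZipFile):   # wrong password
                        continue
                    f["password"], f["inner_is_exe"] = pw, inner[:2] == b"MZ"
                    break
        report.append(f)
    return report

def classify(raw_message):
    """An encrypted ZIP alone is grounds to quarantine; the password probe adds detail."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    passwords = find_password_candidates(msg)
    findings = scan_zip_attachments(msg, passwords)
    return {"quarantine": any(f["encrypted"] for f in findings),
            "passwords": passwords, "attachments": findings}
```

classify(build_sample_message()) quarantines the mail, lists ("v245o.exe", True) as the archive contents, recovers "7342" from the body and confirms the inner file starts with "MZ". With build_sample_message(stated="1111") the body names the wrong password, nothing can be opened, and the mail is still quarantined, which is the point: the verdict must not depend on the password probe succeeding. Two caveats for production use: zipfile.ZipFile raises BadZipFile on a malformed archive, which this block lets propagate and which a real filter should treat as suspicious rather than pass, and WinZip AES entries (compression method 99) still set flag bit 0, so they are flagged, but zf.read raises NotImplementedError (a RuntimeError subclass, so it is caught) and cannot be inspected with the standard library.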