Wednesday, August 17, 2011

New York City "Uniform Traffic Ticket" tops spammed malware

Email attachments that contain malicious code are still being used to infect computers and steal the data found on them. While it is easy to find people who discount this threat, believing no one would be foolish enough to open one of these attachments, the criminals are working hard to make their lures more convincing.

Today we've seen more than 11,000 copies of their newest attempt come into the UAB Spam Data Mine. The email received looks like this:



The email contains several falsified header indicators, starting at the most basic level with the claim that it comes from "@nyc.gov". Beyond that, a "Received:" header has been inserted to make the message appear to have originated from a legitimate New York City IP address:

Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx; Wed, 03 Aug 2011 12:20:46 +0530

The City of New York is the registrant for every IP address beginning with "167.153.*.*" - in fact 167.153.240.51 is the IP address of the website "nyc.gov" where Mayor Bloomberg's homepage can be found.

The other false information is the date. Both the date in the Received: tag and the date in the "Date:" tag have been falsified to make it seem as though this email had been sitting in your inbox for several days by the time you see it.

Just from the falsified headers, we would predict that this email belongs to the same family of malware as the "IRS Notification" and "UPS Notification" emails seen earlier this week, which also carried falsified Received: tags.
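The header checks above are mechanical enough to script. The following is an added example, not code from the UAB Spam Data Mine: it parses the Received: chain of a raw message, trusts only the hop written by our own mail server (assumed to name itself "mx.example.org" in its "by" clause), and flags three things the post describes: a From: domain of nyc.gov that was not handed to us from the 167.153.0.0/16 block named in the post, a sender-supplied Received: hop that claims a 167.153.x.x origin the real connection does not support, and a Date: header far older than the time our server actually accepted the message. The raw message and the connecting address 198.51.100.23 are constructed for the example.

```python
import ipaddress
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parsedate_to_datetime

# Assumptions for this example: our own MTA writes "by mx.example.org" into the
# Received: header it adds, and 167.153.0.0/16 is the City of New York block
# named in the post. Both are placeholders to adapt to a real environment.
OUR_MX = "mx.example.org"
NYC_NET = ipaddress.ip_network("167.153.0.0/16")
MAX_DATE_SKEW_DAYS = 2

# Constructed sample modelled on the campaign: the top Received: line is the only
# one our server wrote; the second Received:, the From: and the Date: were all
# supplied by the sender. 198.51.100.23 is a documentation address standing in
# for the infected machine that really delivered the message.
RAW = b"""Received: from [198.51.100.23] (helo=nyc.gov) by mx.example.org with ESMTP; Wed, 17 Aug 2011 09:14:02 -0500
Received: from nyc.gov ([167.153.240.51]) by xx.xx.xx.xx; Wed, 03 Aug 2011 12:20:46 +0530
From: "New York City" <noreply@nyc.gov>
To: victim@example.org
Subject: Uniform Traffic Ticket
Date: Wed, 03 Aug 2011 12:20:00 +0530
Content-Type: text/plain

Please see the attached ticket.
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(value):
    """Reduce one Received: header to the fields the checks need."""
    value = " ".join(str(value).split())
    m_from = re.search(r"\bfrom\s+([^\s;]+)", value)
    m_by = re.search(r"\bby\s+([^\s;]+)", value)
    m_ip = IP_RE.search(value)
    ip = None
    if m_ip:
        try:
            ip = ipaddress.ip_address(m_ip.group(1))
        except ValueError:
            ip = None
    date = None
    if ";" in value:  # the timestamp follows the last semicolon
        try:
            date = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            date = None
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": ip,
        "by": m_by.group(1) if m_by else None,
        "date": date,
    }


def analyze(raw):
    """Return a list of findings for one raw message; an empty list means nothing suspicious."""
    msg = message_from_bytes(raw, policy=default)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Headers are in delivery order, newest first, so our own hop is the first
    # one whose "by" clause names our MX. Everything below it is untrusted.
    idx = next((i for i, h in enumerate(hops) if h["by"] == OUR_MX), None)
    if idx is None:
        return ["no Received: header written by our own MX; true origin unknown"]
    ours = hops[idx]
    true_ip = ours["ip"]
    from_nyc = true_ip is not None and true_ip in NYC_NET
    findings = []

    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    claimed_domain = m.group(1).lower() if m else ""
    if claimed_domain == "nyc.gov" and not from_nyc:
        findings.append(f"From: claims {claimed_domain} but the message was handed to "
                        f"{OUR_MX} by {true_ip}, outside {NYC_NET}")

    # Every hop below ours was supplied by the sender and may be pure fiction.
    for h in hops[idx + 1:]:
        if h["ip"] is not None and h["ip"] in NYC_NET and not from_nyc:
            findings.append(f"forged Received: hop claims {h['from']} [{h['ip']}] "
                            f"but the real connecting IP is {true_ip}")

    date_hdr = msg.get("Date")
    if date_hdr and ours["date"]:
        skew = ours["date"] - parsedate_to_datetime(str(date_hdr))
        if skew.days > MAX_DATE_SKEW_DAYS:
            findings.append(f"Date: header is {skew.days} days older than receipt at {OUR_MX}")
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW):
        print(" -", finding)
```

The one design point worth stating: a Received: header is only as trustworthy as the server that wrote it, so the script anchors everything on the hop our own MX added and treats the sender-supplied hops purely as claims to be contradicted. The date-skew threshold and the prefix-to-domain mapping are the parts to tune for a real deployment.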

The zip file contains an executable file disguised as a PDF file.



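The disguise usually comes down to the filename: Windows hides known extensions by default, so "Ticket.pdf.exe" is shown as "Ticket.pdf", and a run of spaces before the real extension pushes it out of view in most file listings. The following is an added example, not code from the post or from the campaign: it builds a constructed zip in memory (the entry names are invented, not the real lure) and flags entries whose extension is executable, whose name carries a document-style double extension or a run of padding spaces, or whose first bytes contradict the extension (a PE file starts with "MZ"; a PDF starts with "%PDF").

```python
import io
import zipfile

# Extensions Windows runs directly. Assumption: a partial list for this example.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions a lure typically borrows to look harmless.
DOC_EXT = {".pdf", ".doc", ".xls", ".jpg", ".txt", ".htm"}

# Constructed entry names; the second one hides ".scr" behind 40 spaces.
DOUBLE_EXT_NAME = "Uniform_Traffic_Ticket.pdf.exe"
PADDED_NAME = "Ticket_Copy.pdf" + " " * 40 + ".scr"


def build_sample_zip():
    """Constructed sample archive: two PE stubs (start with 'MZ') named to look
    like PDFs, plus a genuine minimal PDF for comparison."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DOUBLE_EXT_NAME, pe_stub)
        zf.writestr(PADDED_NAME, pe_stub)
        zf.writestr("readme.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


def inspect_zip(data):
    """Return {entry name: [reasons]} for every entry that looks like a disguised executable."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().split(".")
            ext = "." + parts[-1].strip() if len(parts) > 1 else ""
            with zf.open(info) as fh:
                head = fh.read(4)  # enough for the MZ / %PDF magic
            reasons = []
            if ext in EXEC_EXT:
                reasons.append(f"executable extension {ext}")
            if len(parts) > 2 and "." + parts[-2].strip() in DOC_EXT:
                reasons.append(f"double extension: shown as .{parts[-2].strip()} "
                               "when Windows hides known extensions")
            if "  " in name:
                reasons.append("run of spaces pushes the real extension out of view")
            if head.startswith(b"MZ") and ext not in EXEC_EXT:
                reasons.append("PE header (MZ) under a non-executable extension")
            if ext == ".pdf" and not head.startswith(b"%PDF"):
                reasons.append("named .pdf but the content is not a PDF")
            if reasons:
                flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in inspect_zip(build_sample_zip()).items():
        print(repr(entry))
        for r in reasons:
            print("   ", r)
```

The magic-byte checks are the ones that survive renaming tricks the name heuristics miss; on a mail gateway the same logic belongs in front of the user, not after the attachment has been opened.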
When the malware is launched, it connects to "sfkdhjnsfjg.ru" on 195.189.226.117 and from there fetches "/ftp/g.php" and "pusk3.exe" -- exactly the same infrastructure used by the IRS Notification spam and the UPS Notification spam.

VirusTotal Report



Another group of spam messages this morning pretends to be a notice that you have received money via Western Union.

The attachment is of course a virus:

VirusTotal Report.

Subject lines seen on this campaign include:

Money Transfer Information
MONEY TRANSFER INFORMATION
Money Transfer Information 00375
Money Transfer Notice
MONEY TRANSFER NOTICE
MONEY TRANSFER NOTICE 06457
Western Union: Money Transfer For You
WESTERN UNION: MONEY TRANSFER FOR YOU
Western Union: Remittance Advice
WESTERN UNION: REMITTANCE ADVICE
Western Union: Transfer Of Money
WESTERN UNION: TRANSFER OF MONEY
Western Union: You Have Money Transfer
WESTERN UNION: YOU HAVE MONEY TRANSFER
Western Union: You have received a money transfer
WESTERN UNION: YOU HAVE RECEIVED A MONEY TRANSFER




Another heavily spammed malware attachment today arrives in emails with these subjects:

Re: End of July Statement Required
Re: FW: End of July Stat.
Re: FW: End of July Statement
Re: FW: End of July Statement required
Re: FW: End of July Statement Required
Re: FW: End of July Statement REquired
Re: FW: End of July Statement REquired!
Re: FW: End of July Stat. required
Re: FW: End of July Stat. Required

The email body says simply:

Hallo,
As requested i give you open Invoices issued to you as per 5th Aug. 2011
Regards
DEENA BUCKLEY


Here's the VirusTotal report for this one.

