Friday, May 18, 2012

Social Engineering: Facebook Photo

Please welcome guest blogger Sarah Turner, who authored today's report. Sarah is a malware analyst in the UAB Computer Forensics Research Laboratory and is the editor of our daily "Emerging Threats By Email" report. I asked her to put together an article about a prevalent spam campaign that has been running wild for about a month now. While the HISTORICAL malware described below is fairly well detected, each morning when a new version has come out its detection has been low, improving over the next 24-48 hours. If you see a message like this, RESIST TEMPTATION! DO NOT CLICK!


Social Engineering: Facebook Photo

Guest blogger: Sarah Turner

This campaign relies on social engineering: the subject lines insinuate that an enclosed photo, obtained from a social media site or the public domain, depicts the recipient or the recipient's ex-girlfriend in a scandalous or otherwise embarrassing predicament.

The campaign only uses 8 subjects, shown below.

  • FW:Check the attachment you have to react somehow to this picture
  • FW:They killed your privacy man your photo is all over facebook! NAKED!
  • FW:Why did you put this photo online?
  • FW:You HAVE to check this photo in attachment man
  • RE:Check the attachment you have to react somehow to this picture
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?
  • RE:You HAVE to check this photo in attachment man

The email body can vary between the 3 samples shown below:

I have a question-have you seen this picture of yours in attachment?? Three facebook friends sent it to me today...why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :))))

Hate to bother you,
But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter...The question is is it really you???.

I'm sorry,
I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that due??.

All three encourage the recipient to open the attachment and view the image the message refers to. Typically the attachment is a .ZIP containing an executable; however, in the messages received on May 16, 17, and 18 the attachment was not a .ZIP but a file with the double extension ".jpg.exe".

The first few times this malware was received (April 20 – 23), once it was downloaded and run, it posed as antivirus software.

After that, the received malware was identified as Cutwail delivering Zeus. When the executable was run there was no recordable network traffic, but multiple changes were made to the Registry and a new file named svchost.exe was added to the computer. The executable received today had a detection of XXXX on VirusTotal.

UAB has 11 prominent MD5s associated with this campaign (and a couple of malformed files):

count   md5_hex                           VirusTotal detections
24998   b42cf3d2cc829aba1e771f9517b2b97d  38 of 41
21754   57f40166fd7cafe84ef51fe5f7776c51  21 of 41
21011   77e7fc1b2addc8ee5ea74e3592d4ab89  14 of 41
14918   76e144a572b4c52e3ddb8bd860dfbdd9  36 of 41
 9562   5dea03a160543724d7cf4adda93a28ae  36 of 41
 9138   061f96cf8f7713d17e580900ba20c6b4  31 of 42
 8286   9badf88e346bd0530d4e5248d2bb2f35  37 of 42
 6362   d60bfa876dc382908fbcde1c96d5b95f  36 of 42
 5604   bf7b30a96dc8be8bbfb826158afb2379  34 of 42
 4742   8cc36756d15560335ed53c47bd7cbc5e  36 of 42
 2538   d6f05da06a26d9d731273a0fa26dd7e1  12 of 42

This campaign was seen for the first time on 4/20/12 and was the top campaign seen today. Below is the full list of days and receipt counts from prior to this week.

receiving_date   count
--------------   -----
2012-04-20        6372
2012-04-21       20819
2012-04-22        3182
2012-04-23        5739
2012-04-29       14918
2012-05-03        9252
2012-05-04         308
2012-05-06           2
2012-05-07        9138
2012-05-08        8286
2012-05-08          13
2012-05-11        1279
2012-05-12        4325
2012-05-16        7260
2012-05-17       17053
2012-05-17       13751
2012-05-18        4701
2012-05-18        2538

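As an added example (not part of the original report, and not UAB's own tooling), the script below turns the indicators given above into a mail-triage check: it matches the eight campaign subjects exactly, flags an attachment that is a .ZIP containing an executable or that carries the ".jpg.exe" double extension, and compares the attachment's MD5 against the eleven hashes listed. The messages it is run on are constructed here; the extra image extensions accepted by the double-extension pattern and the example addresses are assumptions, not something the report states.

```python
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# The eleven MD5s listed in the report above (copied from the page).
KNOWN_MD5 = {
    "b42cf3d2cc829aba1e771f9517b2b97d", "57f40166fd7cafe84ef51fe5f7776c51",
    "77e7fc1b2addc8ee5ea74e3592d4ab89", "76e144a572b4c52e3ddb8bd860dfbdd9",
    "5dea03a160543724d7cf4adda93a28ae", "061f96cf8f7713d17e580900ba20c6b4",
    "9badf88e346bd0530d4e5248d2bb2f35", "d60bfa876dc382908fbcde1c96d5b95f",
    "bf7b30a96dc8be8bbfb826158afb2379", "8cc36756d15560335ed53c47bd7cbc5e",
    "d6f05da06a26d9d731273a0fa26dd7e1",
}

# The eight subject lines the campaign uses, exactly as listed in the report.
CAMPAIGN_SUBJECTS = {
    prefix + body
    for prefix in ("FW:", "RE:")
    for body in (
        "Check the attachment you have to react somehow to this picture",
        "They killed your privacy man your photo is all over facebook! NAKED!",
        "Why did you put this photo online?",
        "You HAVE to check this photo in attachment man",
    )
}

# The report mentions ".jpg.exe"; accepting other image extensions is an assumption.
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif)\.exe$", re.IGNORECASE)


def subject_matches(subject: str) -> bool:
    """Exact match against the campaign's known subject lines."""
    return subject.strip() in CAMPAIGN_SUBJECTS


def attachment_indicators(filename: str, data: bytes) -> list:
    """Return human-readable indicator strings for one attachment."""
    hits = []
    name = filename.lower()
    if DOUBLE_EXT.search(name):
        hits.append("double-extension image/executable name")
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(".exe"):
                        hits.append(f"zip contains executable: {member}")
        except zipfile.BadZipFile:
            hits.append("attachment named .zip is not a valid archive")
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_MD5:
        hits.append(f"md5 {digest} is a known campaign sample")
    return hits


def triage(msg: EmailMessage) -> dict:
    """Score one message: subject match plus per-attachment indicators."""
    verdict = {"subject_match": subject_matches(msg.get("Subject", "")),
               "attachments": {}}
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        verdict["attachments"][fn] = attachment_indicators(fn, payload)
    # Either the lure subject or a suspicious attachment is enough to quarantine.
    verdict["suspicious"] = verdict["subject_match"] or any(
        verdict["attachments"].values())
    return verdict


def make_zip_bytes(members: dict) -> bytes:
    """Build an in-memory zip (constructed test data) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample(subject: str, filename: str, data: bytes) -> EmailMessage:
    """Construct a sample message with one binary attachment (assumed addresses)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Hate to bother you, is it you at this picture in attachment?")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


if __name__ == "__main__":
    sample = build_sample("FW:Why did you put this photo online?",
                          "photo.jpg.exe", b"MZ constructed-not-a-real-binary")
    print(triage(sample))
```

The hash check is the weakest of the three signals here: as the report shows, each morning's build is new, so a fresh sample never matches yesterday's MD5s, whereas the subject lines and the attachment shape stayed constant for a month. The `suspicious` flag is therefore raised on either the subject or an attachment indicator rather than requiring both.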
We have seen at least 6,757 unique IP addresses used to send us copies of this email with one of these malware attachments. When the malware is fresh, as it is each morning in the Emerging Threats By Email report, the detection rates are much lower. For example, when the May 17th Emerging Threats By Email report was written yesterday morning, that version of the malware had 7 detects, although as of this writing it has 14.