Monday, October 19, 2009

Zipped Malware Attachments in Spam: Here comes Conflicker!

This morning I had a couple of tweets from our friends at Arbor Networks. (I actually don't know who tweets their feed, but I always picture it as coming from my friend Jose Nazario...)

The first one said:

malcode being spammed as attachment in emails with subject line "Conflicker.B Infection Alert", claims to be from MSFT (follow:

I checked the UAB Spam Data Mine, and saw that we were also seeing the same spam.

Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

A couple of interesting spam features - first, although the "Sender name" on the spam is "Microsoft Windows Agent", the email is actually set up to use the recipient's own email address as the "From" address. This is a fairly common spammer trick - who blocks email from themselves?

The second interesting feature is that the email contains an attachment named "". We have been receiving spam for several days claiming to be a Microsoft Outlook update using "" as the name of the upgrade we should be installing:

You have (5) New Message from Outlook Microsoft

- Please re-configure your Microsoft Outlook Again.
- Download attached setup file and install.

That email was also "from yourself", using the name "support". The subject for that email was primarily:

Microsoft Outlook Notification for the (your email here)

We received our last Microsoft Outlook Notification email at 1:13 AM.

The very first Conflicker email arrived at 12:50 AM, and started coming in a steady stream by 1:05 AM.

I thought it would be interesting to show what percentage of all the spam we receive at the UAB Spam Data Mine was a "Zipped Malware Attachment". MOST of these were named "", and contained "fake antivirus" updates, however some have been Zeus or Zbot infectors.
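As an added illustration (not code from the original post or from the UAB Spam Data Mine), here is a small Python triage routine for the two features described above: a "From" address that is the recipient's own address, and a zipped attachment, with the attachment's MD5 checked against the hash quoted later in this post. The sample messages, the attachment name "update.zip" and its payload bytes are constructed for the example.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# MD5 of the "new settings" zip quoted in this post; the set is an
# assumed stand-in for a real blocklist feed.
KNOWN_BAD_MD5 = {"8e84d473b6d2e0fa62e4021b09ea94b5"}


def attachment_digests(msg):
    """Yield (filename, md5 hex) for every attachment part of a parsed message."""
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""
        yield (part.get_filename() or "").lower(), hashlib.md5(data).hexdigest()


def triage(raw):
    """Return the indicator names found in one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    recipients = {a.addr_spec.lower() for a in msg["To"].addresses} if msg["To"] else set()
    hits = []
    if sender and sender in recipients:
        hits.append("from_equals_recipient")   # the "email from yourself" trick
    for name, digest in attachment_digests(msg):
        if name.endswith(".zip"):
            hits.append("zip_attachment")
        if digest in KNOWN_BAD_MD5:
            hits.append("known_bad_md5")
    return hits


def build_sample(sender, to, attach_name=None, payload=b""):
    """Build a constructed sample message as bytes (not a captured spam)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = to
    m["Subject"] = "Conflicker.B Infection Alert"
    m.set_content("Please install attached file to start the scan.")
    if attach_name:
        m.add_attachment(payload, maintype="application", subtype="zip",
                         filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Microsoft Windows Agent <victim@example.com>",
                        "victim@example.com", "update.zip", b"PK\x03\x04constructed")
    print(triage(lure))  # ['from_equals_recipient', 'zip_attachment']
```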

Zipped Malware has ranged from 2.5% to 6.8% of total spam during the past two weeks


One of the most interesting days represented by this graph was on October 14th, when we began to receive the spam labelled "new settings" in the graph above:

Dear user of the mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox settings were changed. In order to apply the new set of settings open zip attached file.

Best regards, Technical Support.

The subject line on these emails was:

A new settings file for the (youremailhere) has just been released

The malware file size was 13063 bytes with MD5 = 8e84d473b6d2e0fa62e4021b09ea94b5.

At the same time, we had a huge number of nearly identical spam messages which instead of having the attachment, pointed to an Avalanche fast flux website and claimed to be a new Microsoft Outlook Web Application update, as we described in our October 14th blog entry: Targeted URLs in spam . . .OWA Settings update.

Other emails represented on this graph are given below:

Subject: Your internet access is going to get suspended

Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

ICS Monitoring Team

Subject: Western Union transfer is available for withdrawl

Dear customer.

The amount of money transfer: 1037 USD.
Money is available to withdrawl.

You may find the Money Transfer Control Number (MTCN) and receiver's details in document attached to this email.

Western Union.
Customer Service.

Subject: UPS Delivery Problem Number 2321 (random number)

Dear customer!

Unfortunately we were not able to deliver the postal package which was sent on the 20th of June in time
because the addressee's address is incorrect.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

Subject: DHL Tracking Number 3YMH6JJY (Random tracking number)

Dear customer!

The courier company was not able to deliver your parcel by your address.

You may pickup the parcel at our post office personaly.

The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Thank you for attention.
DHL Express Services.

Subject: Thank you for setting the order No.475456 (always that number)

Dear Customer!

Thank you for ordering at our online store.
Your order: Sony VAIO A1133651A, was sent at your address.
The tracking number of your postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.

Internet Store.

Subject: You've received a postcard

Good day.

Your family member has sent you an ecard from

Send free ecards from with your choice of colors, words and music.
Your ecard will be available with us for the next 30 days.
If you wish to keep the ecard longer, you may save it on your computer or take a print.
To view your ecard, open zip attached file.

Of course, no one should ever open a ".zip" file received as an email attachment, but be especially careful of this campaign!
