Anti Virus Softwares

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Friday, 18 May 2012

Social Engineering: Facebook Photo

Posted on 13:58 by Unknown
Please welcome a guest-blogger, Sarah Turner, who authored today's report. Sarah is a malware analyst in the UAB Computer Forensics Research Laboratory and is the editor of our daily "Emerging Threats By Email" report. I asked her to put together an article about a prevalent spam campaign that has been running wild for about a month now. While the HISTORICAL malware described below is fairly well detected, each morning when a new version has come out the detection has been low, with improvement over the next 24-48 hours. If you see a message like this, RESIST TEMPTATION! DO NOT CLICK!

_-_
gar

Social Engineering: Facebook Photo

Guest blogger: Sarah Turner

This campaign utilizes social engineering containing subject lines that insinuate a photo is enclosed that was obtained from a social media site or public domain depicting the recipient or the ex girlfriend of the recipient in a scandalous or otherwise embarrassing predicament.

The campaign only uses 8 subjects, shown below.

  • FW:Check the attachment you have to react somehow to this picture
  • FW:They killed your privacy man your photo is all over facebook! NAKED!
  • FW:Why did you put this photo online?
  • FW:You HAVE to check this photo in attachment man
  • RE:Check the attachment you have to react somehow to this picture
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?
  • RE:You HAVE to check this photo in attachment man

The email body can vary between the 3 samples shown below:

Hey,
I have a question-have you seen this picture of yours in attachment?? Three facebook friends sent it to me today...why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :))))
Hate to bother you,
But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter...The question is is it really you???.
I'm sorry,
I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that due??.

all of which encourage the recipient to open the attachment and see the image to which they’re referring. Typically the attachment is in the form of a .ZIP containing an executable, however the attachments received on May 16, 17, and 18, the attachment extension was not as a .ZIP but as “.jpg.exe”.

The first few times this malware was received (April 20 – 23), once it was downloaded and prompted to run, it acted as an AntiVirus Software.

After that, the received malware was identified as Cutwail delivering Zeus. The executable would be prompted to run and there would be no recordable network traffic but multiple changes would be made to your Registry and a new file, named svchost.exe would be added to your computer. The executable received today had a detection of XXXX on Virus Total.

UAB has 11 prominent MD5’s associated with this campaign (and a couple mis-formed files)

count md5_hex
24998  b42cf3d2cc829aba1e771f9517b2b97d (38 of 41 detects at VirusTotal)
21754  57f40166fd7cafe84ef51fe5f7776c51 (21 of 41 detects at VirusTotal)
21011  77e7fc1b2addc8ee5ea74e3592d4ab89 (14 of 41 detects at VirusTotal)
14918  76e144a572b4c52e3ddb8bd860dfbdd9 (36 of 41 detects at VirusTotal)
9562  5dea03a160543724d7cf4adda93a28ae (36 of 41 detects at VirusTotal)
9138  061f96cf8f7713d17e580900ba20c6b4 (31 of 42 detects at VirusTotal)
8286  9badf88e346bd0530d4e5248d2bb2f35 (37 of 42 detects at VirusTotal)
6362  d60bfa876dc382908fbcde1c96d5b95f (36 of 42 detects at VirusTotal)
5604  bf7b30a96dc8be8bbfb826158afb2379 (34 of 42 detects at VirusTotal)
4742  8cc36756d15560335ed53c47bd7cbc5e (36 of 42 detects at VirusTotal)
2538  d6f05da06a26d9d731273a0fa26dd7e1 (12 of 42 detects at VirusTotal)
This campaign was seen for the first time on 4/20/12 and was the top campaign seen today. Below is the full list of days and receipt counts from prior to this week. 
receiving_date count
----------------        ------
 2012-04-20      6372
 2012-04-21      20819
 2012-04-22      3182
 2012-04-23      5739
 2012-04-29      14918
 2012-05-03      9252
 2012-05-04      308
 2012-05-06      2
 2012-05-07      9138
 2012-05-08      8286
 2012-05-08      13
 2012-05-11      1279
 2012-05-12      4325
 2012-05-16      7260
 2012-05-17      17053
 2012-05-17      13751
 2012-05-18      4701
 2012-05-18      2538
We have seen at least 6,757 unique IP addresses used to send us copies of this email with one of these malware attachments. When the malware is fresh, as it is each morning in the Emerging Threats By Email report, the detection rates are much lower. For example, here is the status from the May 17th Emerging Threats By Email report: So, yesterday morning when the report was written, that version of the malware had 7 detects, although as of this writing it has 14.
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • Indictments reveal $77 Million in Illegal Pill Sales
    Congratulations to the Daytona Beach FBI, US Attorney Robert O'Neill, and their colleagues at IRS and FDA. The Daytona Beach News report...
  • Most Dangerous Cities for Cyber Crime?
    Symantec Riskiest Cybercrime Cities Symantec released a study today in conjunction with Sperling's Best Places today. According to thei...
  • Morocco based "Team Evil" reroutes prominent Israeli websites
    After more than 10,000 websites being defaced in protest of Israeli actions in Gaza, Morrocco-based defacement team "Team Evil" ha...
  • Minipost: Google v. Pacific WebWorks
    I blogged recently about the "Google Jobs" scammers who were abusing Twitter, Blogspot, Google Reader, and spaces.live.com by crea...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • WIRED: November Jargon Watch & Forensics?
    One of my NASA buddies (hi, Lisa!) dropped by last week for coffee and to catch up on the world of information management. When I introduce...

Categories

  • Blogs
  • Calendar
  • china
  • Communities
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • Drivers
  • email
  • Excel 2007
  • facebook
  • fake av
  • Features
  • Firewall
  • Gadgets
  • gumblar
  • Hardware
  • Hotmail
  • IE7
  • Internet Explorer 7
  • koobface
  • law enforcement
  • malware
  • Microsoft
  • Outlook
  • pharmaceuticals
  • phishing
  • PowerPoint 2007
  • public policy
  • Ready Boost
  • ReadyBoost
  • Security
  • Sidebar
  • Software
  • spam
  • Tutorials
  • twitter
  • twitter malware
  • USB
  • Virtual PC
  • Vista
  • waledac
  • Wallpaper
  • Websites
  • Windows
  • Windows Live
  • Windows Vista
  • Word 2007
  • zbot

Blog Archive

  • ►  2013 (17)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ▼  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ▼  May (7)
      • What about the Social Security Numbers? (The Utah ...
      • Lessons from the First Cyber Cops
      • Social Engineering: Facebook Photo
      • Nichole Michelle Merzi of Operation Phish Phry get...
      • IRS Identity Theft leads to 25 year Sentence for A...
      • Waya Nwaki pleads guilty in globe-spanning phishin...
      • Paypal "You Just Sent a Payment" spam leads to mal...
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (93)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (7)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (109)
    • ►  December (7)
    • ►  November (17)
    • ►  October (12)
    • ►  September (10)
    • ►  August (23)
    • ►  July (14)
    • ►  June (3)
    • ►  May (8)
    • ►  April (6)
    • ►  March (2)
    • ►  February (3)
    • ►  January (4)
  • ►  2007 (37)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  April (2)
    • ►  March (2)
    • ►  February (2)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile