Thursday, November 02, 2006

Recognizing Malware email attacks

I all-too-frequently get emails which are attempting to install some form of malware on my system (in addition to the even-more-frequent phishing attempts). The vast majority of these seem to come from people I do not know. Some appear to come from companies I do know such as eBay, Walmart, or Amazon.

Some even come from friends -- not because my friends wanted to send them to me, but rather because they fell victim to the attack and the malware on their system used their address book to propagate itself to their friends. I once received such a piece of email from a very cute co-worker telling me "I love you"... Needless to say, she didn't.

So, how does one recognize when they receive such a piece of email?

Let's examine an email I received this am:

Subject: Confirmation for Order 37679041
Date: 2:20 AM
Dear Customer,

Thank you for ordering from our internet shop. If you paid with 
a credit card, the charge on your statement will be from name 
of our shop.

This email is to confirm the receipt of your order. Please do 
not reply as this email was sent from our automated confirmation 

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting 
archive with "37679041.pdf" file ).

Problems that I noted with this email include:

  • I haven't placed any recent orders with Walmart. Big red flags as this is the most common attack vector -- claiming something has happened that you would be upset about and hoping you act without thinking carefully. If you ever get one of these that does make you think something has happened, I suggest you open a new browser window and type in the sites address from memory (NOT using any of the information in the email as it is *all* suspect, including things like a mis-spelling of the site name).
  • The order summary is in an attached self-extracting archive -- this should set off big red flags for anyone. Be very careful about opening any attachment on an email, but especially self-extracting (.exe) archives.
  • The date of the order is "08 Oct 2006" -- almost a month ago. Most confirmations are sent the same day or just a few days later.
  • The email was sent to an address which I do not use with Walmart -- something that I recommend for everyone -- use unique addresses for different vendors to make this kind of thing much easier to detect
  • the order was summarized in text already, so there was no need to open the attached "order summary". They're hoping the "upset" factor discussed above gets you to open the attachment without thinking.

I could go on taking the email apart, but you get the picture. Lots of inconsistencies and a strong play on the emotion of getting ripped off

One thing to remember, if you get an attachment that you think might be OK, but you're not sure. Instead of running it to see if it's OK (and then you're hosed), use one of the online scanning tools such as VirusTotal. Just take the attachment and forward it in a new message to with the subject "SCAN".

I did that for the attachment in the email above and the report I received was:

Complete scanning result of "", processed in VirusTotal at 11/02/2006 12:07:33 (CET).

[ file data ]
* name:
* size: 24733
* md5.: e0f9839c326ec24eb5faccc48e02e06d
* sha1: 0085a9c1700602df06686620e40f57c862fe833c

[ scan result ]
 AntiVir found [TR/]
Authentium 4.93.8/20061102 found [W32/Agent.BMW]
Avast 4.7.892.0/20061102 found [Win32:Small-BMW]
AVG 386/20061102 found [Generic2.FQH Warning: Hidden extension .exe]
BitDefender 7.2/20061101 found [Trojan.Agent.AAV]
CAT-QuickHeal 8.00/20061101 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20061102 found [Trojan.Small-403]
DrWeb 4.33/20061102 found [Trojan.PWS.Pape]
eTrust-InoculateIT 23.73.43/20061102 found nothing
eTrust-Vet 30.3.3174/20061102 found [Win32/Ursnif.U]
Ewido 4.0/20061102 found nothing
F-Prot 3.16f/20061101 found [security risk named W32/Agent.BMW]
F-Prot4 found [W32/Agent.BMW]
Fortinet found [W32/ACN.BS!tr.pws]
Ikarus found nothing
Kaspersky found []
McAfee 4886/20061101 found [New Malware.j]
Microsoft 1.1609 /20061102 found [PWS:Win32/Agent.BB]
NOD32v2 1.1849/20061102 found [Win32/PSW.Small.BS]
Norman 5.80.02/20061101 found [W32/Suspicious_U.gen]
Panda found [Suspicious file]
Sophos 4.10.0/20061026 found [Troj/PWS-ACN]
TheHacker found [W32/Generic!zip-dobleextension]
UNA 1.83/20061101 found [Win32.virus]
VBA32 3.11.1/20061101 found [suspected of]
VirusBuster 4.3.15:9/20061102 found nothing

Note that most of the tests resulted in a virus/malware being found in the attachment. That means that it is bad stuff and you should delete it immediately.

If it all comes out OK (they all say "found nothing") you still might not be OK if it is a very new attack. I tend to wait a day or two after receiving something that is suspicious and checking it again... If it still is OK, you're probably OK.

The moral of the story is that you have to be suspicious of every incoming email. Start out with the assumption that it is an attack and only after convincing you that it isn't should you open it and let it in to your computer.

Tags : / / / / / /

No comments: