Spam with viruses

Date: 15/09/2014

Despite the fact that Russia (surprise!) is not among the leaders in computer infections by this method (the three leaders are traditionally the USA, Germany and the UK), we suppose it will still be useful to find out what makes so many users in different corners of the world click on attachments in messages from unknown senders. Off we go!

Top 10 malicious programs spread via email in the third quarter of 2014 (courtesy of Kaspersky Lab)

Angry letter

Sender’s address (‘From’ field)

The first thing an attacker has to take care of when sending malicious spam is in whose name the mailout is conducted. Messages from individuals (except for a mailout from a hacked mail account to its address book contacts) are not effective enough, which is why the names of various companies, organizations and even judicial and governmental authorities are borrowed instead.

Lately, international delivery services (DHL, FedEx, United Parcel Service (UPS) or TNT) have been especially popular. If you remember, CryptoLocker was spread this way under the guise of a FedEx or UPS delivery report.

Attackers solve the problem of the sender's address in the 'From:' field in several ways:

  • hack the mail of the required company and send messages from there (which is extremely complicated to pull off and hardly feasible, especially in the case of a big and serious company);
  • register a domain name which is very similar to the name of the required company;
  • use a free mail service, registering there something like manager.fedex@mail.ru, admin.vkontakte@gmail.com or police.mvd@ya.ru;
  • forge the real sender's address (there are several ways to do so, from various programs and Internet services down to scripts for sending messages).
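A defensive counterpart to the second and third tricks in the list, added here as an example and not part of the original article: a check that flags a From: header that borrows a brand name at a free mail provider or in a look-alike domain. The brand allowlist and the free-mail list are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed reference data for this example: frequently impersonated brands
# and the domains that legitimately belong to them (assumed allowlist).
BRAND_DOMAINS = {
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "dhl": {"dhl.com"},
}
# Free mail providers named in the text; a company does not mail from these.
FREEMAIL = {"mail.ru", "gmail.com", "ya.ru"}


def _tokens(text: str) -> set[str]:
    """Split 'manager.fedex' or 'ups-delivery-status.com' into word tokens."""
    return set(filter(None, re.split(r"[^a-z0-9]+", text.lower())))


def classify_sender(from_header: str) -> list[str]:
    """Return the reasons a From: header looks like brand impersonation.

    Covers a brand name at a free mail provider, a look-alike domain that
    contains the brand name, and a display name or local part that claims
    the brand; an empty list means nothing matched. A forged address at the
    brand's real domain is not visible here and needs SPF/DKIM results.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable address"]
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    reasons = []
    for brand, legit in BRAND_DOMAINS.items():
        if domain in legit:
            continue  # the brand's own domain; authenticity is SPF/DKIM's job
        in_domain = brand in _tokens(domain)
        claims_brand = in_domain or brand in _tokens(local) or brand in _tokens(display)
        if not claims_brand:
            continue
        if domain in FREEMAIL:
            reasons.append(f"{brand}: brand name used at free mail provider {domain}")
        elif in_domain:
            reasons.append(f"{brand}: look-alike domain {domain}")
        else:
            reasons.append(f"{brand}: name claims brand but address is at {domain}")
    return reasons
```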

I sent this message from 'Bill Gates' myself using the Sending Mail program

Subject of the message (‘Subject’ field)

The subject of the message must be attractive to the recipient and motivate them to open the message. Naturally, it must match the line of business of the organization in whose name the message is sent.
If the mailout is performed, for example, in the name of a delivery service, the most popular message subjects will be:

  • everything connected with sending, tracking or delivery of mail (shipment notifications, delivery status, shipment confirmation, shipment documentation, delivery information);
  • order information and invoices;
  • message and account notifications (account creation and confirmation, receipt of new messages).

Examples of 'Subject' field completion in messages from popular delivery services

Mailouts in the name of various state authorities are more typical for our country, and in this case the attackers choose corresponding topics, e.g. 'Judicial decree' (in the name of the federal bailiff service) or 'Ticket for payment of a traffic fine' (you may guess yourself in whose name such a message is sent).

Message from 'court bailiffs'

Message body and arrangement

To make messages credible, the attackers actively use the logos of the companies in whose name they are acting, their contact information, links to their official web pages and other such details.

To not only convince the recipient that the message is credible but also give them an impulse to open the attachment, the following are used: mail delivery error notifications (wrong recipient address, recipient not found, etc.), a request to take action with an indication of the sanctions for failing to do so, or a phrase stating what the attachment contains (for example, 'reconciliation report', 'consignment note' or 'invoice').

Besides, the standard phrases typical of official mailouts are commonly used (something like 'please do not reply to this email' or 'this is an automatically generated email').

Types of malicious attachments

Executable file

Despite the fact that the majority of mail servers have not let executable files through for a long time already, this type of malicious attachment can still be encountered. As a rule, such a file is camouflaged as some harmless document (DOC or PDF) or an image.

The file is given a matching icon and a name such as 'consignment.pdf.exe' (the 'exe' extension is often separated from the rest of the file name by many spaces to make it less obvious).
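An added example, not from the original article, of the check a mail gateway can apply to the attachment name described above: it collapses the whitespace padding, reports the real (last) extension, the decoy extension in front of it and how many spaces were used to hide the real one. The extension lists are constructed for the example, and the filename is assumed to be already decoded from its MIME header.

```python
import re

# Constructed lists for this example: extensions Windows runs directly,
# and extensions of the "harmless" document or image the file poses as.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jar"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}


def inspect_attachment_name(filename: str) -> dict:
    """Report whether an attachment name hides an executable extension.

    Returns the real (last) extension, the decoy extension in front of it
    if one is present, the amount of whitespace used to push the real
    extension out of view, and an overall 'suspicious' verdict.
    """
    # Collapse runs of whitespace so 'consignment.pdf      .exe' is judged
    # the way Windows will run it: the last dotted part decides what executes.
    normalized = re.sub(r"\s+", " ", filename.strip().lower())
    parts = normalized.split(".")
    real_ext = parts[-1].strip() if len(parts) > 1 else ""
    decoy_ext = None
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        decoy_ext = parts[-2].strip()
    # Whitespace immediately before the final '.ext' in the original name.
    pad = re.search(r"(\s+)\.[^.\s]+\s*$", filename)
    padding = len(pad.group(1)) if pad else 0
    return {
        "real_ext": real_ext,
        "decoy_ext": decoy_ext,
        "padding": padding,
        "suspicious": real_ext in EXECUTABLE_EXTS,
    }
```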

Password-protected archive attachment

A password-protected archive bypasses all antivirus checks on mail servers, firewalls and security scanners, since none of them can look inside it. The malicious file itself, as in the first case, is camouflaged as something harmless.

The most important thing here is to motivate the recipient to enter the password given in the message, unpack the attachment and open it.

You believed it was a 'reconciliation report'? :) What if they really give some cash?

Document attachment with an exploit or a malicious VBA script

Such a message passes the ban on transferring executable files and, in many cases, the antivirus check on the mail server as well (especially if the exploit is fresh).

Vulnerabilities in Adobe Acrobat Reader (CVE-2013-0640, CVE-2012-0775), Adobe Flash Player (CVE-2012-1535) and MS Office (CVE-2012-0158, CVE-2011-1269, CVE-2010-3333, CVE-2009-3129) are used most frequently.

Apart from exploits, MS Office documents with malicious VBA macros can be used as malicious attachments (yeah, there are still people who do not disable macro execution in Word, and antiviruses do not always react to such scripts).

Malicious VBA-script code (Trojan-Downloader.MSWord.Agent.y according to Kaspersky) in Word document

In total, 11 antiviruses out of 56 on virustotal.com recognized the threat in the malicious document

Embedded HTML documents

The message carries an HTML document as an attachment, with code that performs a drive-by attack. In many cases this method bypasses the antivirus filters of mail servers as well as the rules that block iframes.

In another variant, the message contains no attachment at all; instead the body contains several links to the same resource, which either hosts an exploit kit or redirects to another malicious resource. All these links are disguised as links to decent, safe websites or as plain text.

Conclusion

In spite of everything, spam is still a very efficient way of spreading malicious code. It may be supposed that as software and hardware vulnerabilities become scarcer, this method will be used more and more often, taking increasingly sophisticated forms in order to exploit the most vulnerable part of any information system: its user.
