Email offering updates to real anti-virus actually delivers malware

The social engineering scam delivers malware via anti-virus program updates.

Hackers are growing increasingly creative in drawing up simple attacks to compromise people.

Most recently, they have concocted a type of social engineering scam that delivers malware by duping people into thinking that their anti-virus programs need to be updated, according to researchers with security software corporation Symantec.

What makes this con particularly crafty is that it uses real anti-virus products from genuine anti-virus companies, including Norton, McAfee, Kaspersky, Trend Micro, Avira, ESET, Avast, AVG, Baidu and several others.

The phony hotfix is a 323 kilobyte .ZIP file attached to an email – and because the sender of the email appears as one of those aforementioned anti-virus companies, the average computer user may be further influenced to download the bogus patch.

“Although the subject line changes, the attached zip file containing the malicious executable stays the same,” Joseph Graziano, a malware operations engineer with Symantec's MessageLabs, wrote in the post. “Once the malware is executed, a connection is made to [http://]networksecurityx.hopto.org to download another file. The malware is using a process called ozybe.exe to perform tasks.”

A Symantec researcher could not be reached for comment, but Graziano wrote in the post that Symantec's protections against this threat are its Symantec.cloud Skeptic scanner and its anti-virus detections Trojan.Gen and Trojan.Zbot.

Trojan.Zbot relates to Zeus, a piece of malware typically delivered via phishing scams that uses form grabbing and man-in-the-browser keystroke logging to steal banking information.

What should alert users to this scam is that it involves a file attached to a somewhat sloppily written English-language email, as seen in the sample attached in the Symantec post.

The email alerts recipients of an important system update that requires immediate action, and goes on to say, “It's highly important to install this security update due to the new =alware [sic] circulating over the net. To complete the action please double click on the system patch KB923029 =n [sic] the attachment. The installation will run in silent mode.”
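The indicators reported above (a sender posing as an anti-virus vendor, a .zip attachment that carries an executable, the patch wording in the body, and a subject line that changes while the attachment stays the same) can be turned into a mail-gateway triage check. The following is an added example written for this page, not Symantec's or SC Magazine's code; the message dict layout, the vendor list, the phrase list and the sample zip are assumptions or constructed test data.

```python
import hashlib
import io
import zipfile

# Vendors the article says the emails impersonate; matched against the From header.
AV_VENDORS = ("norton", "mcafee", "kaspersky", "trend micro", "trendmicro",
              "avira", "eset", "avast", "avg", "baidu", "symantec")
# Phrases taken from the sample email quoted in the article.
CAMPAIGN_PHRASES = ("kb923029", "silent mode", "system patch")
EXEC_EXT = (".exe", ".scr", ".com", ".pif")


def zip_executables(data):
    """Names of executable members in a zip given as bytes ([] if not a valid zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []

def inspect_message(msg):
    """Reasons a message matches the fake anti-virus-update pattern.
    msg is a plain dict (hypothetical format): from, subject, body, attachments{name: bytes}."""
    reasons = []
    if any(v in msg["from"].lower() for v in AV_VENDORS):
        reasons.append("sender claims to be an anti-virus vendor")
    if any(p in msg["body"].lower() for p in CAMPAIGN_PHRASES):
        reasons.append("body uses the campaign's patch wording")
    for name, data in msg.get("attachments", {}).items():
        exes = zip_executables(data) if name.lower().endswith(".zip") else []
        if exes:
            reasons.append(f"zip attachment {name} contains executable {exes[0]}")
    return reasons

def cluster_by_attachment(messages):
    """Map SHA-256 of each attachment to the subjects it arrived under: the article notes
    the subject changes while the zip stays the same, so one hash under many subjects is the signal."""
    clusters = {}
    for m in messages:
        for data in m.get("attachments", {}).values():
            clusters.setdefault(hashlib.sha256(data).hexdigest(), set()).add(m["subject"])
    return clusters

def make_sample_zip(member="system_patch_KB923029.exe"):
    """Constructed sample attachment: a zip holding an inert text file with an
    executable-looking name. This is test data, not the campaign's file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "inert placeholder text")
    return buf.getvalue()
```

Feeding the gateway's parsed messages through `inspect_message` gives per-message reasons, while `cluster_by_attachment` surfaces the shared attachment across a spam wave before a signature for it exists.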

UPDATE: A Symantec spokesperson told SCMagazine.com on Friday, “As of yesterday, we've seen more than 50,000 cases of this spam being circulated worldwide. Based on our findings, this attack is primarily focusing on the United States and United Kingdom. We have seen distribution as far and wide as Argentina, The Isle of Man and Yemen, but these numbers are low and sporadic. About 41 percent of the spam is targeting U.K. users and 37 percent are targeting the U.S. users, suggesting that the attacker is looking for English speaking countries.”