Email offering updates to real anti-virus actually delivers malware

The social engineering scam delivers malware via anti-virus program updates.

Hackers are growing increasingly creative in drawing up simple attacks to compromise people.

Most recently, they have concocted a type of social engineering scam that delivers malware by duping people into thinking that their anti-virus programs need to be updated, according to researchers with security software corporation Symantec.

What makes this con particularly crafty is that it uses real anti-virus products from genuine anti-virus companies, including Norton, McAfee, Kaspersky, Trend Micro, Avira, ESET, Avast, AVG, Baidu and several others.

The phony hotfix is a 323 kilobyte .ZIP file attached to an email – and because the sender of the email appears as one of those aforementioned anti-virus companies, the average computer user may be further influenced to download the bogus patch.

“Although the subject line changes, the attached zip file containing the malicious executable stays the same,” Joseph Graziano, a malware operations engineer with Symantec's MessageLabs, wrote in the post. “Once the malware is executed, a connection is made to [http://]networksecurityx.hopto.org to download another file. The malware is using a process called ozybe.exe to perform tasks.”

A Symantec researcher could not be reached for comment, but Graziano wrote in the post that Symantec's Symantec.cloud Skeptic scanner and Symantec anti-virus products already protect against this threat, with the malicious attachment detected under the names Trojan.Gen and Trojan.Zbot.

Trojan.Zbot relates to Zeus, a piece of malware typically delivered via phishing scams that uses form grabbing and man-in-the-browser keystroke logging to steal banking information.

What should alert users to this scam is that it involves a file attached to a somewhat sloppily written English-language email, as seen in the sample attached in the Symantec post.

The email alerts recipients of an important system update that requires immediate action, and goes on to say, “It's highly important to install this security update due to the new =alware [sic] circulating over the net. To complete the action please double click on the system patch KB923029 =n [sic] the attachment. The installation will run in silent mode.”
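As an added illustration (not code from the Symantec post or from this article), the following Python sweep matches the indicators quoted above, the download host networksecurityx.hopto.org, the ozybe.exe process name, the KB923029 lure string and the roughly 323 KB .ZIP attachment, against constructed proxy, process-creation and mail-gateway log lines. The log formats, hostnames, user names and file names are assumptions made for the example; a real deployment would key primarily on the attachment hash, which the article does not give.

```python
import re
from dataclasses import dataclass

# Indicators taken from the Symantec description quoted in the article.
IOC_DOMAIN = "networksecurityx.hopto.org"   # second-stage download host
IOC_PROCESS = "ozybe.exe"                   # process name used by the malware
LURE_KB = "KB923029"                        # fake patch number in the email body
LURE_ZIP_SIZE = 323 * 1024                  # approximate .ZIP size, in bytes
# ATTACHMENT_SHA256 = "<hash placeholder>"  # not provided by the article; match on it if known


@dataclass
class Finding:
    source: str   # which log the hit came from
    line_no: int  # 1-based line number in that log
    reason: str


# Constructed sample logs (hypothetical formats; not from the article).
# Proxy log: "<timestamp> <client_ip> <method> <host> <path> <status>"
PROXY_LOG = """\
2013-08-01T10:02:11Z 10.0.0.12 GET update.example-corp.local /wsus/check 200
2013-08-01T10:05:43Z 10.0.0.45 GET networksecurityx.hopto.org /dl/stage2.bin 200
2013-08-01T10:06:02Z 10.0.0.45 GET cdn.example-vendor.local /patch.cab 304
"""

# Process-creation log: "<timestamp> host=<name> user=<u> image=<path> parent=<path>"
PROCESS_LOG = """\
2013-08-01T10:05:40Z host=ws-045 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\ozybe.exe parent=C:\\Windows\\explorer.exe
2013-08-01T10:05:41Z host=ws-045 user=alice image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\System32\\services.exe
"""

# Mail-gateway log: '<timestamp> from=<addr> subject="<s>" body="<snippet>" attach=<name>:<bytes>'
MAIL_LOG = """\
2013-08-01T09:58:00Z from=support@example-av-vendor.local subject="Important system update" body="double click on the system patch KB923029" attach=hotfix.zip:330752
2013-08-01T09:59:10Z from=hr@example-corp.local subject="Lunch menu" body="see attached" attach=menu.pdf:51200
"""


def scan_proxy(text: str) -> list[Finding]:
    """Flag any client that contacted the second-stage download host."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 4 and parts[3].lower() == IOC_DOMAIN:
            findings.append(Finding("proxy", n, f"client {parts[1]} contacted {IOC_DOMAIN}"))
    return findings


def scan_process(text: str) -> list[Finding]:
    """Flag process starts whose image file name matches the malware's process name."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.search(r"image=(\S+)", line)
        if m and m.group(1).rsplit("\\", 1)[-1].lower() == IOC_PROCESS:
            findings.append(Finding("process", n, f"{IOC_PROCESS} started from {m.group(1)}"))
    return findings


def scan_mail(text: str, tolerance: float = 0.05) -> list[Finding]:
    """Flag messages carrying the lure: a ~323 KB .ZIP and/or the KB923029 string.

    The article notes the subject line varies while the attachment stays the same,
    so the attachment, not the subject, is the stable thing to match on.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = []
        m = re.search(r"attach=([^:\s]+):(\d+)", line)
        if m:
            name, size = m.group(1), int(m.group(2))
            if name.lower().endswith(".zip") and abs(size - LURE_ZIP_SIZE) <= LURE_ZIP_SIZE * tolerance:
                reasons.append(f"zip attachment {name} ({size} bytes) is within {tolerance:.0%} of lure size")
        if LURE_KB.lower() in line.lower():
            reasons.append(f"body references fake patch {LURE_KB}")
        if reasons:
            findings.append(Finding("mail", n, "; ".join(reasons)))
    return findings


def scan_all() -> dict[str, list[Finding]]:
    """Run every scanner over the embedded sample logs."""
    return {
        "proxy": scan_proxy(PROXY_LOG),
        "process": scan_process(PROCESS_LOG),
        "mail": scan_mail(MAIL_LOG),
    }


if __name__ == "__main__":
    for source, hits in scan_all().items():
        for f in hits:
            print(f"[{source}] line {f.line_no}: {f.reason}")
```

The three scanners are independent so that a hit in any one of them stands on its own: a single proxy request to the hopto.org host is enough to triage the client, while the mail check is only a coarse size and string filter meant to surface candidate messages for attachment hashing rather than to block on its own.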

UPDATE: A Symantec spokesperson told SCMagazine.com on Friday, “As of yesterday, we've seen more than 50,000 cases of this spam being circulated worldwide. Based on our findings, this attack is primarily focusing on the United States and United Kingdom. We have seen distribution as far and wide as Argentina, The Isle of Man and Yemen, but these numbers are low and sporadic. About 41 percent of the spam is targeting U.K. users and 37 percent are targeting the U.S. users, suggesting that the attacker is looking for English speaking countries.”