
Email offering updates to real anti-virus actually delivers malware

Hackers are growing increasingly creative in drawing up simple attacks to compromise people.

Most recently, they have concocted a type of social engineering scam that delivers malware by duping people into thinking that their anti-virus programs need to be updated, according to researchers with security software corporation Symantec.

What makes this con particularly crafty is that it uses real anti-virus products from genuine anti-virus companies, including Norton, McAfee, Kaspersky, Trend Micro, Avira, ESET, Avast, AVG, Baidu and several others.

The phony hotfix is a 323 kilobyte .ZIP file attached to an email – and because the sender of the email appears as one of those aforementioned anti-virus companies, the average computer user may be further influenced to download the bogus patch.

“Although the subject line changes, the attached zip file containing the malicious executable stays the same,” Joseph Graziano, a malware operations engineer with Symantec's MessageLabs, wrote in the post. “Once the malware is executed, a connection is made to [https://]networksecurityx.hopto.org to download another file. The malware is using a process called ozybe.exe to perform tasks.”

A Symantec researcher could not be reached for comment, but Graziano wrote in the post that the Symantec.cloud Skeptic scanner and Symantec anti-virus protect against this threat, the latter detecting the attachment under the Trojan.Gen and Trojan.Zbot signatures.

Trojan.Zbot is Symantec's detection name for Zeus, a banking trojan typically delivered via phishing that uses form grabbing and man-in-the-browser keystroke logging to steal online banking credentials.

What should alert users to this scam is that a legitimate anti-virus vendor does not ship patches as executables zipped inside a somewhat sloppily written English-language email, as seen in the sample attached to the Symantec post.

The email alerts recipients of an important system update that requires immediate action, and goes on to say, “It's highly important to install this security update due to the new =alware [sic] circulating over the net. To complete the action please double click on the system patch KB923029 =n [sic] the attachment. The installation will run in silent mode.”
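The following is an added example, not code from Symantec or the article, showing how a mail-gateway or SOC analyst might triage a message like the one described above: parse the e-mail, open the .ZIP attachment, flag any Windows executable inside it (by extension or the 'MZ' header), and note when the sender claims to be an anti-virus vendor. It also matches constructed endpoint telemetry against the two indicators the post gives (the ozybe.exe process name and the networksecurityx.hopto.org host). The sample e-mail, its sender address, the stand-in payload and the log lines are all constructed for the example.

```python
"""Triage an e-mail for the fake anti-virus update lure described above and
match endpoint telemetry against the campaign's published indicators."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators quoted in the Symantec post (the only two the article gives).
IOC_DOMAIN = "networksecurityx.hopto.org"
IOC_PROCESS = "ozybe.exe"

# Vendor names the lure impersonates; an executable from such a sender is a red flag.
VENDOR_WORDS = ("norton", "symantec", "mcafee", "kaspersky", "trend micro",
                "avira", "eset", "avast", "avg", "baidu")
# Extensions Windows runs on double-click, which is what the lure asks the user to do.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_eml() -> bytes:
    """Constructed sample (not the real spam): a 'Norton' update with a .zip attachment."""
    msg = EmailMessage()
    msg["From"] = "Norton Update Service <update@norton-hotfix.example>"  # assumed address
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Important system update KB923029"
    msg.set_content("Please double click on the system patch KB923029 in the attachment.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Stand-in payload: an 'MZ' header plus filler, not a real executable.
        zf.writestr("KB923029.exe", b"MZ" + b"\x00" * 300)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="KB923029.zip")
    return msg.as_bytes()


def triage_email(raw: bytes) -> dict:
    """Return the sender, whether it impersonates an AV vendor, and executable-in-zip findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg["From"] or "").lower()
    vendor_claim = any(v in sender for v in VENDOR_WORDS)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK"):  # only zip archives are inspected here
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    ext = os.path.splitext(info.filename)[1].lower()
                    head = zf.open(info).read(2)
                    if ext in EXEC_EXTS or head == b"MZ":
                        findings.append(f"{name} -> {info.filename}: executable, "
                                        f"{info.file_size} bytes")
        except zipfile.BadZipFile:
            findings.append(f"{name}: corrupt or non-zip archive")
    if vendor_claim and findings:
        findings.append("AV vendor look-alike sender delivering an executable: fake update lure")
    return {"sender": sender, "vendor_claim": vendor_claim,
            "findings": findings, "verdict": "suspicious" if findings else "clean"}


# Constructed telemetry lines (Sysmon-style process creation and a DNS query).
SAMPLE_LOGS = [
    "2013-07-18T10:02:11Z host=WS17 event=ProcessCreate "
    "image=C:\\Users\\bob\\AppData\\Local\\Temp\\ozybe.exe parent=KB923029.exe",
    "2013-07-18T10:02:12Z host=WS17 event=DnsQuery query=networksecurityx.hopto.org",
    "2013-07-18T10:05:00Z host=WS18 event=ProcessCreate "
    "image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
]


def match_iocs(lines) -> list:
    """Return the log lines that reference the campaign's process name or C2 host."""
    return [line for line in lines
            if IOC_PROCESS in line.lower() or IOC_DOMAIN in line.lower()]


if __name__ == "__main__":
    report = triage_email(build_sample_eml())
    print(report["verdict"], report["findings"])
    for hit in match_iocs(SAMPLE_LOGS):
        print("IOC hit:", hit)
```

The attachment check deliberately looks at file content, not just the name, because a renamed payload (for example KB923029.exe shipped as KB923029.pdf.scr or with no extension) still carries the 'MZ' header. The telemetry match is a plain substring check on the two published indicators; in a real deployment the domain would be matched on DNS and proxy logs and the process name on process-creation events, and a dynamic-DNS host such as hopto.org would be reviewed for other subdomains the same operator may use.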

UPDATE: A Symantec spokesperson told SCMagazine.com on Friday, “As of yesterday, we've seen more than 50,000 cases of this spam being circulated worldwide. Based on our findings, this attack is primarily focusing on the United States and United Kingdom. We have seen distribution as far and wide as Argentina, The Isle of Man and Yemen, but these numbers are low and sporadic. About 41 percent of the spam is targeting U.K. users and 37 percent are targeting the U.S. users, suggesting that the attacker is looking for English speaking countries.”
