Retrophitted Retrophish

In the anti-virus business, we sometimes (mis-)use the concept of the retrovirus: in biology, this is a virus which doesn't transcribe DNA into RNA (and thence into protein) like most viruses. Instead, a retroviral gene transcribes RNA -> DNA -> RNA -> protein. Please don't ask me to clarify that, I make no pretense of being a biologist, despite a background in medical informatics.

In computer virology (or, more accurately – since 21st century malware is much more than viruses – anti-malware research) the term tends to be applied to malware that attacks or subverts security software.

On a specialist anti-phishing list I'm subscribed to, there's been some discussion in the last couple of days about what one might call a retrophish, if you'll excuse the extreme looseness of the term. It's actually an email that disseminates malware of the ZeuS persuasion – ESET detects it as Win32/Spy.Zbot.YW – and there's nothing enormously interesting about that. The social engineering behind the email message is, however, a little more interesting: it spoofs (appears to come from) US-CERT sender addresses. Those I've seen appear to come from soc(at) and claim to be forwarding a phishing email to the Anti-Phishing Working Group (APWG) for further investigation, asking the recipient to check the attached report, which is actually the zipped malware.

I wasn't really planning to write about this, but I've noticed that there are some reports noting that US-CERT says that the malware is targeting "a large number of private sector organizations, as well as federal, state and local governments," while the wording could be seen as suggesting that it's targeting anti-phishing researchers. In fact, the criminals in this case seem to be casting their nets much wider and much more randomly than that, targeting a range of domains and some very consumer-oriented email addresses. One that's just been forwarded to me explicitly targets a number of Bigfoot accounts, suggesting that it's working through lists of randomly captured addresses.

In other words, anyone might receive a copy of it. If you do, don't be fooled by its rather official appearance: it includes a "ticket and assigned incident number" and contact details almost identical to those of the real US-CERT Security Operations Center. The attachments I've seen have filenames like "US-CERT_Operations_Report_[xxxxx]", where [xxxxx] represents a numeric string (without the square brackets).
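As an added example (not code from the original post, from ESET or from US-CERT), here is a small mail-triage rule that turns the indicators described above into checks a gateway or an analyst could run: a header From claiming the impersonated domain while the envelope sender lives elsewhere, an attachment named US-CERT_Operations_Report_<digits>, a zip whose contents are an executable, and the "ticket and incident number" wording. It assumes the spoofed domain is us-cert.gov, that the attachment is a .zip and that the zipped payload is an executable; none of those details are stated on the page, and the two sample messages are constructed, not captures.

```python
"""Mail-triage rule for the spoofed US-CERT 'operations report' lure.

Added example, not code from the original post, ESET or US-CERT.
Assumptions (not stated on the page): the impersonated domain is
us-cert.gov, the attachment is a .zip, and the zipped payload is an
executable. The sample messages below are constructed, not captures.
"""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

IMPERSONATED_DOMAIN = "us-cert.gov"  # assumption: the domain the lure spoofs
# Filename pattern from the post: US-CERT_Operations_Report_<digits>; the .zip suffix is assumed
LURE_ATTACHMENT_RE = re.compile(r"^US-CERT_Operations_Report_\d+\.zip$", re.IGNORECASE)
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
INCIDENT_TEXT_RE = re.compile(r"\b(ticket|incident number)\b", re.IGNORECASE)


def _domain_of(header_value) -> str:
    """Domain part of the first address in a header value, lower-cased ('' if none)."""
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def build_sample_eml(spoofed: bool) -> bytes:
    """Construct a synthetic message: the lure (spoofed=True) or a benign internal mail."""
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        if spoofed:
            # A real Zbot sample would be a PE file; a harmless placeholder with an .exe name suffices
            zf.writestr("US-CERT_Operations_Report_123456.exe", b"MZ placeholder, not malware")
        else:
            zf.writestr("report.txt", b"quarterly numbers")
    msg = EmailMessage()
    if spoofed:
        msg["From"] = "US-CERT SOC <soc@us-cert.gov>"      # header From claims US-CERT (assumed domain)
        msg["Return-Path"] = "<bounce@mail.example.org>"   # envelope sender does not
        msg["Subject"] = "Phishing incident report"
        msg.set_content("Ticket and assigned incident number: 123456. "
                        "We are forwarding this to the APWG; please check the attached report.")
        filename = "US-CERT_Operations_Report_123456.zip"
    else:
        msg["From"] = "Finance <finance@example.net>"
        msg["Return-Path"] = "<finance@example.net>"
        msg["Subject"] = "Quarterly report"
        msg.set_content("Attached as discussed.")
        filename = "quarterly_report.zip"
    msg["To"] = "someone@example.net"
    msg.add_attachment(zipped.getvalue(), maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and return the individual signals plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    claims_impersonated = _domain_of(msg.get("From")) == IMPERSONATED_DOMAIN
    envelope_domain = _domain_of(msg.get("Return-Path"))
    findings = {
        "claims_us_cert": claims_impersonated,
        # header From says us-cert.gov but the bounce address lives somewhere else
        "envelope_mismatch": claims_impersonated and envelope_domain != IMPERSONATED_DOMAIN,
        "lure_attachment": False,
        "zip_contains_executable": False,
        "incident_wording": False,
    }
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        findings["incident_wording"] = bool(INCIDENT_TEXT_RE.search(body.get_content()))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not LURE_ATTACHMENT_RE.match(name):
            continue
        findings["lure_attachment"] = True
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                findings["zip_contains_executable"] = any(
                    n.lower().endswith(EXEC_SUFFIXES) for n in zf.namelist())
        except zipfile.BadZipFile:
            pass  # a "report" that is not even a valid zip still counts as a lure hit
    # Quarantine when the named lure attachment is paired with a spoofing or payload signal;
    # the wording check is reported as corroboration only, so a legitimate ticket mail
    # without the attachment is never blocked on text alone.
    suspicious = findings["lure_attachment"] and (
        findings["envelope_mismatch"] or findings["zip_contains_executable"])
    findings["verdict"] = "quarantine" if suspicious else "allow"
    return findings


if __name__ == "__main__":
    for label, spoofed in (("lure", True), ("benign", False)):
        print(label, triage(build_sample_eml(spoofed)))
```

The Return-Path comparison stands in for whatever envelope or authentication data your gateway actually records (SPF/DKIM/DMARC results, where available, are the stronger signal); the point is that the header From alone is what the recipient sees and what the lure relies on, so a rule has to look past it.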
