Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.


ISSUE NO. 63 MAY 10, 2010

Bogus IT Notification Spam Serves a Malicious .PDF File

Social engineering plays a big role in today's threat landscape. It continues to evolve as the landscape itself changes, and media coverage has made security organizations and individuals more wary of the dangers that lurk within the sites they visit. Spam purporting to come from legitimate senders has been and still is a threat to Internet users. One such campaign infiltrated companies by posing as notification emails from their respective IT departments.

The Threat Defined

Bogus IT Notification Spam Run

TrendLabs(SM) engineers recently got hold of a spam message posing as an IT notification email. Its subject line, "Setting for your mailbox are changed," together with a From field showing the recipients' own companies' email addresses, could leave recipients feeling either doubtful or disturbed. The message then urged recipients to open and read the attached .PDF file (doc.pdf, detected by Trend Micro as TROJ_PIDIEF.ZAC) before updating their email settings.

The .PDF file was more than just a normal file, however. Analysis revealed that the attachment carried a malicious script (batscript.vbs, aka VBS_EMOTI.A), which is executed using Adobe Reader's /launch functionality in order to drop and run a malicious executable file (game.exe, aka WORM_EMOTI.A). /launch is a legitimate Adobe Reader and Acrobat feature that allows a portable document author to attach an .EXE file to a document; the attached file is automatically executed whenever the document is opened. The .EXE file in this attack carried a rootkit (bp.sys, aka RTKT_EMOTI.A) that hides malicious activities from users and attempts to connect to URLs from which other malicious files may be downloaded onto affected systems.

Figure 1. Sample fake IT notification spam
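The /launch abuse described above can be caught at the mail gateway by inspecting attached PDFs before any reader opens them. The following Python scanner is an added example, not part of the original spotlight or a Trend Micro tool; it assumes the PDF objects are uncompressed, and the sample documents and the payload file name are constructed placeholders. It also resolves PDF #xx name escapes, so a name written as /L#61unch is still recognized.

```python
import re
# Constructed minimal PDF (not a real sample): the catalog's /OpenAction points
# at a /Launch action, the launch-on-open pattern the spotlight describes.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /Launch /F (PLACEHOLDER_payload.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same action with the name written using PDF #xx hex escapes (/L#61unch),
# which a plain substring search for "/Launch" would miss.
OBFUSCATED_PDF = SAMPLE_PDF.replace(b"/Launch", b"/L#61unch")

# Constructed clean document: no OpenAction and no Launch action.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH_DICT = re.compile(rb"<<[^<>]*?/S\s*/Launch\b[^<>]*?>>")
FILE_SPEC = re.compile(rb"/F\s*\(([^)]*)\)")

def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes so /L#61unch becomes /Launch."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def find_launch_indicators(data: bytes) -> dict:
    """Scan uncompressed PDF object syntax for Launch actions and their targets.
    Real files may hide objects in FlateDecode/object streams; inflate first."""
    norm = normalize_names(data)
    dicts = LAUNCH_DICT.findall(norm)
    targets = [m.group(1).decode("latin-1") for d in dicts for m in [FILE_SPEC.search(d)] if m]
    return {"launch_action": bool(dicts),
            "open_action": b"/OpenAction" in norm,
            "launch_targets": targets}

def verdict(data: bytes) -> str:
    """Triage decision for a mail gateway: launch-on-open is an outright block."""
    ind = find_launch_indicators(data)
    if ind["launch_action"] and ind["open_action"]:
        return "block"
    if ind["launch_action"]:
        return "quarantine"
    return "allow"
```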
TrendLabs engineers also received other spam samples with malicious .PDF file attachments (detected as TROJ_KATUSHA.F) that used the same social engineering tactic.

A Recurring Email Threat

This is not the first time such a campaign was spotted in the wild. In fact, just last March, a spam run purporting to be a mail service notification email was found targeting various antivirus companies. This spam also came with a malicious file attachment, detected as TROJ_FAKEAV.EAO. Five months earlier, a slightly modified ZBOT spam campaign with a malicious .ZIP file attachment, detected as TROJ_FAKEREAN.CF, also made the rounds. If that was not enough, this Trojan also downloaded another malicious file, detected as TROJ_FAKEREAN.BI.

Figure 2. Fake IT notification spam infection diagram

Misusing Software Features

Adobe Reader and Acrobat's /launch feature was also recently used to carry and propagate botnet malware via spam purporting to come from Royal Mail, a U.K.-based mail service. The spam carried a malicious .PDF file (detected as TROJ_PIDIEF.UTA) that claimed to be a delivery notice. Unaware users who were tricked into opening the file ended up with TSPY_ZBOT.NCT-infected systems.

The Royal Mail and recent IT notification spam attacks highlight how cybercriminals misuse inherent software features for their malicious schemes. Unfortunately, Adobe is not the only software company that has suffered this fate. We have seen Microsoft Office's macro functionality used by cybercriminals to wreak havoc as well in the past, with the Melissa worm.

User Risks and Exposure

Cybercriminals continue to use .PDF files and email as means to prey on unwitting users. Their email messages have also grown a little more sophisticated, and packed enough convincing power that even the most prudent users believed them and took action. Adding timeliness and newsworthiness to their formula has no doubt been pushing their recent attacks' success. The Messaging Anti-Abuse Working Group (MAAWG) conducted a survey on email security practices and found that 46 percent of users intentionally opened spam. As a rule, users are strongly advised not to open emails tagged as "spam" or to click links in suspicious-looking messages.

Trend Micro Solutions and Recommendations

Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro's solutions and services, Smart Protection Network™ combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect. In this attack, Smart Protection Network protects Trend Micro product users by preventing spammed messages from even reaching their inboxes via the email reputation service. The Web reputation service also prevents user access to malicious sites whose links are embedded in spam. Finally, the file reputation service detects and prevents the execution of malicious files such as TROJ_PIDIEF.ZAC.

The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/fake-it-email-notification-spreads-malicious-pdf/

The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.ZAC
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_EMOTI.A
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_EMOTI.A
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=RTKT_EMOTI.A
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_KATUSHA.F
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FAKEAV.EAO
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FAKEREAN.CF
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FAKEREAN.BI
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.UTA
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.NCT

Other related posts are found here:
http://blog.trendmicro.com/spammers-target-antivirus-companies/
http://blog.trendmicro.com/zbot-spam-campaign-continues/
http://blog.trendmicro.com/pdf-launch-feature-abused-to-carry-zeuszbot/
http://en.wikipedia.org/wiki/Melissa_%28computer_worm%29
http://www.maawg.org/system/files/2010_MAAWG-Consumer_Survey.pdf