I thought I’d take a different turn with the first article — and look at one of the nasty emails that arrived this week. No, not one of those emails, one of the emails that brought malware along with it. Of course, let’s see what they’re trying to do to me (and to you, if you get these, too).
First, the malware-infested email is trying to use "social engineering" to get us to open the emails. What’s social engineering? It’s designing emails to mislead you into a gullible, unthinking response to do exactly what the bad guy wants. Sometimes, he wants your personal information. Other times, he wants to infect your computer. The name of his game is "money."
The first one that made me think of this article was one that claimed to be a notice from the UPS delivery service. It read like this:
From: “UPS Mail Support”
To: <feedback@terryscomputertips.com>
Subject: Your Tracking # 9473631090
Sorry, we were not able to deliver postal package you sent on October the 19th in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.
If you do not receive package in ten days you will have to pay 6$ per day.
Your UPS
Attachment: UPSInvoice8771.zip
First, let’s take a look at some of the email headers, especially ones that email users don’t normally see unless they look for them.
X-Spam-Checker-Version: SpamAssassin 3.3.0-r613124 (2008-01-18) on
xxxxxx.hostgator.com
—We see that my web host’s mailserver ran the SpamAssassin program to evaluate how likely this was to be spam.
X-Spam-Level: ******
—And it got a 6 rating (one asterisk per point of score).
X-Spam-Status: No, score=6.5 required=8.0 tests=DOS_RCVD_IP_TWICE_B,
FH_HELO_EQ_D_D_D_D,FORGED_RELAY_MUA_TO_MX,HELO_DYNAMIC_IPADDR,
KB_RATWARE_MSGID,RDNS_DYNAMIC shortcircuit=no autolearn=disabled
version=3.3.0-r613124
—First, we see that the spam score (6.5) wasn’t high enough to trigger the filter (the threshold is 8.0). We also see which spam tests the email failed, including that it used a forged email relay, that it was sent from a dynamically assigned IP address, and that it had a known "ratware" message-ID.
Received: from rrcs-74-218-83-26.central.biz.rr.com ([74.218.83.26]:1809)
by xxxxxxx.hostgator.com with esmtp (Exim 4.68)
(envelope-from <ptmniyey@bodybuilding.com.sg>)
id 1KxpV4-0007FH-TG
for feedback@terryscomputertips.com; Wed, 05 Nov 2008 15:01:21 -0600
Received: from [74.218.83.26] by m1.dnsix.com; Wed, 5 Nov 2008 16:01:15 -0500
—74.218.83.26 is a dynamically assigned (DHCP) address on RoadRunner’s business network, which tells me that someone’s business mailserver is probably being used to relay spam emails.
Message-ID: <01c93f5f$bb161780$1a53da4a@ptmniyey>
From: "UPS Mail Support" <ptmniyey@bodybuilding.com.sg>
—Notice that the idiot is probably using Outlook or Outlook Express, as both of those hide the return address. I’ve never understood why Microsoft thought it was helpful to hide the email address. Of course, in this case, the address could have been faked, but perhaps not — after all, if they were going to go so far as to fake the return address, why didn’t they fake it with something consistent with the scam?
To: <feedback@terryscomputertips.com>
Subject: Your Tracking # 9473631090
Date: Wed, 5 Nov 2008 16:01:15 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01C93F5F.BB161780"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
—and it was sent by someone using Outlook Express 5.
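The header reading above can be done by a script instead of by eye. What follows is an added example written for this article, not code from the original post or from any of the products it mentions: it parses the headers quoted above (assembled here into one constructed header block, masked the way the author masked them) and pulls out the SpamAssassin verdict and test list, the earliest relay IP from the Received chain, the envelope-from address, and whether the From display name claims a brand that the sending domain does not carry. The brand check is deliberately coarse (a plain substring match), so treat it as one more indicator, not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the article, masked as the author
# masked them, joined into one header block so the parser can read them.
SAMPLE_HEADERS = """\
X-Spam-Checker-Version: SpamAssassin 3.3.0-r613124 (2008-01-18) on
    xxxxxx.hostgator.com
X-Spam-Level: ******
X-Spam-Status: No, score=6.5 required=8.0 tests=DOS_RCVD_IP_TWICE_B,
    FH_HELO_EQ_D_D_D_D,FORGED_RELAY_MUA_TO_MX,HELO_DYNAMIC_IPADDR,
    KB_RATWARE_MSGID,RDNS_DYNAMIC shortcircuit=no autolearn=disabled
    version=3.3.0-r613124
Received: from rrcs-74-218-83-26.central.biz.rr.com ([74.218.83.26]:1809)
    by xxxxxxx.hostgator.com with esmtp (Exim 4.68)
    (envelope-from <ptmniyey@bodybuilding.com.sg>)
    id 1KxpV4-0007FH-TG
    for feedback@terryscomputertips.com; Wed, 05 Nov 2008 15:01:21 -0600
Received: from [74.218.83.26] by m1.dnsix.com; Wed, 5 Nov 2008 16:01:15 -0500
Message-ID: <01c93f5f$bb161780$1a53da4a@ptmniyey>
From: "UPS Mail Support" <ptmniyey@bodybuilding.com.sg>
To: <feedback@terryscomputertips.com>
Subject: Your Tracking # 9473631090
X-Mailer: Microsoft Outlook Express 5.00.2919.6600

"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENVELOPE_FROM = re.compile(r"envelope-from <([^>]+)>")


def unfold(value):
    """Collapse a folded (multi-line) header value onto one line."""
    return re.sub(r"\s+", " ", value or "").strip()


def parse_spam_status(value):
    """Split an X-Spam-Status header into (flagged, score, required, tests)."""
    text = re.sub(r",\s+", ",", unfold(value))  # rejoin the folded test list
    flagged = text.startswith("Yes")
    score = float(re.search(r"score=(-?[\d.]+)", text).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", text).group(1))
    match = re.search(r"tests=([A-Z0-9_,]+)", text)
    tests = match.group(1).split(",") if match else []
    return flagged, score, required, tests


def originating_ip(received):
    """Each hop prepends its own Received line, so the last one in the list is
    the earliest relay we can see; take the bracketed IP from it."""
    if not received:
        return None
    match = IP_IN_BRACKETS.search(unfold(received[-1]))
    return match.group(1) if match else None


def envelope_from(received):
    """Pull the SMTP MAIL FROM address that Exim records in its Received line."""
    for line in received:
        match = ENVELOPE_FROM.search(unfold(line))
        if match:
            return match.group(1)
    return None


def brand_mismatch(from_header, brand):
    """True when the display name claims a brand that the sending domain does
    not carry, e.g. "UPS Mail Support" sent from bodybuilding.com.sg."""
    name, addr = parseaddr(from_header or "")
    domain = addr.rpartition("@")[2].lower()
    return brand.lower() in name.lower() and brand.lower() not in domain


def triage(raw_headers, brand="UPS"):
    """Collect the indicators the article reads by hand into one dict."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    flagged, score, required, tests = parse_spam_status(msg["X-Spam-Status"])
    return {
        "spam_flagged": flagged,
        "score": score,
        "required": required,
        "tests": tests,
        "origin_ip": originating_ip(received),
        "envelope_from": envelope_from(received),
        "brand_mismatch": brand_mismatch(msg["From"], brand),
        "mailer": unfold(msg["X-Mailer"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key:16} {value}")
```

Run on the sample block it reports a score of 6.5 against a required 8.0 (so not flagged), six failed tests, an origin IP of 74.218.83.26, an envelope-from in a domain that has nothing to do with UPS, and a brand mismatch in the From line. The same function can be pointed at the raw source of any message your mail client lets you view.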
One of the first indications of trouble was that my anti-spam program changed the Subject line from
Subject: Your Tracking # 9473631090
so that it read
Subject: [spam] Your Tracking # 9473631090
So, right off the bat, the bad guy’s attempt fell prey to my anti-spam system. If nothing else, this would make me more wary.
However, he made me stop and think for a second, when he referred to a specific shipment date. I sometimes send stuff by UPS, but the date wasn’t right.
The second factor was that he sent the email to an invalid email address. That’s another giveaway, although you have to have your own domain name to see this kind of error.
Notice the last line of the body, in which he tries to boost our interest in the email’s contents — if I don’t go get my package in ten days, they’ll charge me 6$ per day. Of course, we SAY "6$" but we write it as "$6."
The payoff was in the attachment UPSInvoice8771.zip. If I unpacked the zip file, I would find an executable file to double-click (remember, Windows by default hides the file extension, so most people wouldn’t see the .exe even after they saw the .zip in their email program). When you use Windows’ unzip program, the final step is to show you the unpacked files in Windows Explorer, where the default setting is to hide file extensions of known file types.
So, what was in the zip file? VIPRE Antispyware+Antivirus identified it as Trojan-Downloader.braviax and as High Risk, and quarantined the zip file. Vipre’s report on the risk details advised that Braviax is a trojan that displays alarmist alerts on the user’s computer to coerce the user into paying for rogue anti-malware applications to clean up the purported infections. Vipre recommended immediate removal of the file from the computer (at this point, the removal would be from Vipre’s Quarantine).
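You don’t have to unzip an attachment to find out whether it holds a program. The script below is an added example written for this article, not code from the original post or from Vipre: it reads a zip file’s directory in memory, records each member’s extension, whether the member starts with the "MZ" bytes every Windows executable begins with, and how Explorer would label it with extensions hidden, and never writes anything to disk. The sample zip is constructed for the example (the member names and the two-byte "MZ" stub are made up; there is no real program inside), and the extension list is illustrative rather than complete.

```python
import io
import zipfile

# Extensions Windows will run on double-click. Illustrative list for this
# example, not a complete one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}


def build_sample_zip():
    """Constructed stand-in for the UPSInvoice8771.zip attachment. The 'invoice'
    member holds only the MZ magic bytes plus padding, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPSInvoice8771.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("notes.txt", b"plain text, nothing to run")
    return buf.getvalue()


def explorer_display_name(name):
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' on: the final extension disappears, so invoice.pdf.exe reads as
    invoice.pdf. (Explorer only hides registered types; this simplification
    drops the last extension unconditionally.)"""
    base = name.rsplit("/", 1)[-1]
    stem, dot, _ext = base.rpartition(".")
    return stem if dot else base


def inspect_zip_attachment(data):
    """List every member of a zip attachment with the signs that it is a
    program, without extracting anything to disk or running it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            with zf.open(info) as member:
                magic = member.read(2)  # PE executables start with b"MZ"
            findings.append({
                "name": name,
                "displayed_as": explorer_display_name(name),
                "executable_extension": ext in EXECUTABLE_EXTENSIONS,
                "pe_header": magic == b"MZ",
                "double_extension": base.count(".") >= 2,
            })
    return findings


def is_risky(findings):
    """Worth quarantining if any member looks like a program by name or by
    content (the content check catches a renamed .exe)."""
    return any(f["executable_extension"] or f["pe_header"] for f in findings)


if __name__ == "__main__":
    report = inspect_zip_attachment(build_sample_zip())
    for finding in report:
        print(finding)
    print("risky:", is_risky(report))
```

On the sample zip the report shows the "invoice" member as an executable by both extension and content, displayed by Explorer as UPSInvoice8771.pdf, which is exactly the trick the email relies on; the text file is reported clean. Checking the first bytes matters because a name check alone is fooled by a program renamed to look like a document.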