12/13/2013

Blocking EXE attachments is working great!

For the last month we have advised SpamSentinel customers to block EXE attachments, even (especially!) when they are inside zip files.

I have been monitoring the results on one of our servers, and they are spectacular: the block catches new virus outbreaks before their "signatures" are recorded. These are "zero hour" viruses, fresh off the computers of the virus makers.

Here is a screenshot showing the recent patterns, which piggyback on popular email types such as airline ticket confirmations, order confirmations, purchase orders and private photos.

All of these zip files contain an EXE file that is meant to infect your machine, counting on your haste to open the attachment.
Subject | Dangerous Attachment
Re: Interested to purchase | order details.zip
Re: Interested to purchase | order details.zip
Private photo | IMG6299082757-JPG.zip
Your order is ready | US_Airways_E-Ticket_NO36049.zip
Fedex Team Track code 4734-02741-6535 | Track_1764-78103-4529.zip
Ticket #7727 is ready | AA_Airlines_E-Ticket_ID08655.zip
Your ticket | AA_Airlines_E-Ticket_ID58270.zip
Ticket #8469 is ready | AA_Airlines_E-Ticket_ID07194.zip
Order #3198 is processed | AA_Airlines_E-Ticket_ID26928.zip
Your ticket | AA_Airlines_E-Ticket_ID07268.zip
Your order #NR0106 is processed | AA_Airlines_E-Ticket_ID81660.zip
Fedex Team Track code 3001-14706-5033 | Track_1764-78103-4529.zip
Your order #3170 is processed | AA_Airlines_E-Ticket_ID79506.zip
Thank you for your order | AA_Airlines_E-Ticket_ID81254.zip
The order is ready | AA_Airlines_E-Ticket_ID36241.zip
Your order # NR15-2662 has been completed | US_Airways_E-Ticket_NO37925.zip
Seen this picture? | IMG5810314307-JPG.zip
Kindly send us the Proforma Invoice Asap. | Food items.pdf.zip
Order #NR7704 | US_Airways_E-Ticket_NO26131.zip
Your order # NR15-5845 has been completed | US_Airways_E-Ticket_NO08933.zip
Payment advice | Payslip.zip
Our PO attached | PO.zip
Enquiry | REW233.zip
Fedex Team Track code 4740-07014-6833 | Track_1764-78103-4529.zip
FedEx Shipment Department Track code 4436-58788-5840 | Track_1764-78103-4529.zip
Thank you for your order | US_Airways_E-Ticket_NO78203.zip
FedEx Shipment Department Track code 3107-43181-8785 | Track_1764-78103-4529.zip
FedEx Express Track code 5624-34586-7353 | Track_1764-78103-4529.zip
Download your ticket #1797 | US_Airways_E-Ticket_NO36208.zip
FEDEX EXPRESS SHIPMENTS Track code 1238-50488-7111 | Track_1764-78103-4529.zip
Order #NR4312 is processed | Ticket_Delta_AirLines_Print_doc_1657.zip
Download your ticket #NR9798 | Ticket_Delta_AirLines_Print_doc_4026.zip
P.O. 634563 Order | Order Sample 1-.zip
FedEx Shipment Department Track code 5041-68031-6666 | Track_1764-78103-4529.zip


I have a view of all of these in my Quarantine.nsf. Many show "undisclosed-recipients", which means the message was sent as a BCC blast, as below:


[Screenshot M2]

This one contained more than 9 recipients from different organizations:

[Screenshot M3]

I opened a few of the messages (not the attachments!) and found typical patterns.

This one is "not personalized" which is often a clue.

[Screenshot M4]

This one claims to be a FedEx tracking notice; they even made up a fake tracking number, but it was sent to 20 people. Did we all receive the same package?


[Screenshot M5]

This one breaks all the rules:
1. No SendTo
2. Contains a Zip with an EXE inside
3. Not personalized
4. Signature incomplete.
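As an added example (not SpamSentinel code, nor anything from the original post), here is a small Python checker that applies the rules above to a constructed message: it opens ZIP attachments, including ZIPs nested inside ZIPs, flags EXE members by their MZ header as well as their extension, and records the "undisclosed-recipients" BCC clue. The sender address, subject and filenames are constructed and the EXE is only a two-byte MZ stub.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def build_sample_message() -> bytes:
    """Constructed 'E-Ticket' lure: a ZIP holding an EXE stub (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AA_Airlines_E-Ticket_ID08655.exe", b"MZ" + b"\x00" * 62)  # MZ header only
    msg = EmailMessage()
    msg["To"] = "undisclosed-recipients:;"
    msg["Subject"] = "Ticket #7727 is ready"
    msg.set_content("Your e-ticket is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="AA_Airlines_E-Ticket_ID08655.zip")
    return msg.as_bytes()

def executables_in_zip(data: bytes, depth: int = 0) -> list:
    """EXE members by MZ magic or extension; descends into nested ZIPs two levels."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                head = zf.open(info).read(4)  # only the first bytes are needed
                if name.endswith(".exe") or head.startswith(b"MZ"):
                    found.append(info.filename)
                elif name.endswith(".zip") and depth < 2:
                    found.extend(executables_in_zip(zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        pass  # not a ZIP; the other checks still apply
    return found

def assess(raw: bytes) -> dict:
    """Executable (possibly zipped) attachment => block; no personal recipient => BCC clue."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    to = str(msg["To"] or "").lower()
    if not to or "undisclosed-recipients" in to:
        reasons.append("no personal recipient (BCC-style delivery)")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if fname.endswith(".zip") or payload.startswith(b"PK"):
            if exes := executables_in_zip(payload):
                reasons.append(f"zip {fname} contains executable(s): {exes}")
        elif fname.endswith(".exe") or payload.startswith(b"MZ"):
            reasons.append(f"bare executable attachment {fname}")
    return {"block": any("executable" in r for r in reasons), "reasons": reasons}
```

Checking the MZ header catches an EXE that was renamed to hide its extension, which a filename-only rule would miss.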

[Screenshot M6]


Take a look at this one. Can you now identify why this is a very suspicious email?

[Screenshot M7]

Frank Paolino