28/03/2013

An Easter greeting for you? No, a clever attack strategy!

An Easter greeting for you? No, a clever attack strategy! Mails

Screenshot of a fake parcel delivery notification emailThe emails that are currently making the rounds to lure recipients into the malware trap look like this or similar to this. The design is based on the Deutsche Post AG colour scheme and will therefore appear trustworthy to many recipients; despite the fact that the logo is missing completely and the language is far from correct.

Of course, the specified link does not lead to a parcel label but malware code that is downloaded to the victim's computer.

 

 





What happens when you click it?

The person visiting the URL receives a file that is supplied by means of a PHP script. If a user has already received malware code at his or her IP address, the file is not sent to this IP a second time.
The file name is DeutschePost_ID672146.251.zip or something along those lines. This archive contains the actual malware, an executable file - the file icon shows a text document but it is actually an .exe file.

What malware infects the computer?

The current cases analysed by G Data Security Labs contained Trojan.Generic.KDZ.11929 (Engine A) / Win32:Trojan-gen (Engine B).

The malware disguised as a text file has numerous functions. Here's an excerpt:

  • First of all, <link file:30648 _blank post fake>an actual text document opens to make the victims believe that the file that they have clicked on has a real function. Of course, the information provided there is fictitious.
  • It changes the registry entries in such a way that it is automatically executed again when the computer is restarted.
  • It tries repeatedly to establish an online connection to a predefined list of IPs to receive additional instructions, for example, to download additional malicious files.


At the time of analysis, none of the predefined IPs could be reached. Hence, the malware did not receive any additional instructions at this point and was not able to download additional files. However, G Data Security Labs already know that some of these IP addresses are malware suppliers and there is thus hardly any doubt that additional malware was supposed to be loaded.

The attackers can replace the initially supplied malware and therefore the IP addresses to be contacted as well as files to be potentially downloaded with any other files at any given time and thus change their attack strategy.

How can you protect yourself?

  • Use an up-to-date, comprehensive security solution with a virus scanner, firewall, web and real-time protection. A spam filter that protects you from unwanted spam mails also makes sense.
  • The installed operating system, browser and its components as well as the security solution installed should always be kept up-to-date. Program updates should be installed immediately to close existing security holes.
  • Have the file extensions displayed in your Microsoft Windows operating system. Instructions for the different versions as well as a ‘Fix it’ package are available on the Microsoft website "How to show or hide file name extensions in Windows Explorer".
  • You should not click on links or file attachments in emails and social networks without pausing to think first. The files or website could be infected with malicious code. If a message from a friend seems strange, users should first check if it's authentic.