New twist in malware threats in email attachments - Sept 22, 2011
While checking incoming email today, I received some new variations of recent malware threats in email attachments. Upon examining the message source I found that some are variations of the earlier FDIC (Federal Deposit Insurance Corporation) warnings, which are in turn directly related to the ACH (Automated Clearing House) canceled-transaction notices that have been circulating for the previous few weeks.
The new scams have the Subject: FDIC message center
There is a new twist to the FDIC scams, which I saw for the first time today, September 22, 2011. Instead of actual text, they now use an embedded image to convey a message meant to scare recipients into opening the attached file. The image is made to look as though it came from the FDIC, complete with official logos. Rest assured it is a doctored image, containing words that direct victims to open the hostile attachment.
The wording on the first captured FDIC scams of 9/22/11 read as follows:
Dear Customer,
Your account ACH and WIRE Transaction have been temporarily suspended for security reasons due to the expiration of your security version. To download and install the newest installations read the document(pdf) attached below.As soon as it is setup you transaction abilities will be fully restored.
Best regards, Online Security department, Federal Deposit Insurance Corporation.
The message is conveyed by an image to get these scams past spam filters that score the words in a message body. Since there is no text to score, many of these copies will be delivered. Filters that run OCR over embedded images, or that score a message on its structure (an image-only body plus an executable attachment is itself a strong tell), are not fooled by this trick.
Presently, the malware attachment is named "FDIC information", without any extension. This is an error on the part of the people who composed this template: with no extension, Windows has no program associated with the file, so a double-click only brings up an "Open with" prompt instead of running it. Rest assured, there is a malware payload inside the attached file, which weighs in at 28,822 bytes. I am certain that the next batch of these scams will carry an extension, such as .pdf, .zip, or .pdf.zip, like the scams of the previous few weeks.
More information about the image-only FDIC scam.
The sender, From, is "no reply" <[email protected]>
The Subject is: FDIC message center
The second Received line, counting from the top, is forged to read:
Received: from fdic.gov ([192.147.69.84]) ...
The actual point of delivery is not that FDIC email server but the one listed above it. Every mail server that handles a message adds its own Received line at the top, so only the lines added by your own server can be trusted; anything beneath them was written by whoever sent the message and can say whatever they like. In one case, this email was handed to my server by a computer located at this address in India:
Received: from [122.175.154.80] (helo=ocxdv.com)
Here is the Whois information for that IP address (122.175.154.80):
inetnum: 122.169.0.0 - 122.175.255.255
netname: BHARTI-IN
descr: BHARTI Airtel LTD.
descr: ISP Division , Transport Network Group
descr: 234 , Okhala Phase III
descr: NEW DELHI
descr: INDIA
country: IN
Further, the more specific route object for the /24 this IP belongs to reads as follows:
route: 122.175.154.0/24
descr: ABTS-MP-DSL-BPL
descr: ABTS MP,
descr: 1 Malviya Nagar,
descr: Bhopal
descr: Madhya Pradesh
descr: INDIA
country: IN
The details suggest that the email was sent from a DSL customer in Bhopal, India, whose computer was infected by a similar scam email that the owner was fooled into opening. That computer is now part of the botnet sending out these scams.
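To put the header logic above into practice, here is an added example (my own code, not part of the original post) that walks the Received chain of a message, marks which hops were stamped by our own server and which were supplied by the sender, and flags the content-level tells described earlier: an image-only body, an attachment without an extension, and an attachment that is really a Windows executable. It runs against a constructed message that copies the quoted headers; mx.example.net is a made-up name for the recipient's own mail server, the From address is a placeholder, and the attachment is a few bytes with an "MZ" header rather than the real 28,822-byte payload. The route block it checks the origin against is the one from the whois output above.

```python
"""Header and attachment triage for the image-only FDIC scam (added example)."""
import email
import ipaddress
import re
from email import policy

# Our own mail server(s), a made-up name.  Only Received lines stamped
# "by" one of these were written by us; everything below came from the sender.
OUR_HOSTS = ("mx.example.net",)

# Constructed sample message modelled on the headers quoted in the article
# (not the captured email).  From address is a placeholder; the only body
# part is a 1x1 GIF; the attachment is a stub with a Windows "MZ" header.
RAW_SCAM = b"""Received: from [122.175.154.80] (helo=ocxdv.com)
\tby mx.example.net with esmtp; Thu, 22 Sep 2011 10:11:12 -0500
Received: from fdic.gov ([192.147.69.84])
\tby ocxdv.com with esmtp; Thu, 22 Sep 2011 10:10:00 -0500
From: "no reply" <noreply@example.invalid>
Subject: FDIC message center
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: image/gif
Content-Disposition: inline; filename="notice.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="FDIC information"
Content-Transfer-Encoding: base64

TVqQAAMA
--XX--
"""

IP_RE = r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"


def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg, our_hosts=OUR_HOSTS):
    """Received hops top (nearest us) to bottom, each with a 'trusted' flag.

    A hop is trusted only if it and every hop above it were stamped by one of
    our servers; the first foreign "by" host ends the trusted run.
    """
    hops, trusted = [], True
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        by = _grab(r"\bby\s+(\S+)", text)
        trusted = trusted and by in our_hosts
        hops.append({
            "from": _grab(r"\bfrom\s+(\S+)", text),
            "helo": _grab(r"helo=([^\s)]+)", text),
            "ip": _grab(IP_RE, text),
            "by": by,
            "trusted": trusted,
        })
    return hops


def true_origin(msg, our_hosts=OUR_HOSTS):
    """IP that handed the mail to our first server: the last trusted hop."""
    origin = None
    for hop in received_chain(msg, our_hosts):
        if hop["trusted"]:
            origin = hop["ip"]
    return origin


def forged_claims(msg, our_hosts=OUR_HOSTS):
    """Host names claimed in sender-supplied Received lines (e.g. fdic.gov)."""
    return [h["from"] for h in received_chain(msg, our_hosts) if not h["trusted"]]


def scam_indicators(msg):
    """Content-level red flags: image-only body, extensionless or MZ attachment."""
    flags, text_seen, image_seen = [], False, False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/") and part.get_content().strip():
            text_seen = True
        elif ctype.startswith("image/"):
            image_seen = True
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            data = part.get_payload(decode=True) or b""
            if "." not in name:
                flags.append(f"attachment '{name}' has no file extension")
            if data.startswith(b"MZ"):
                flags.append(f"attachment '{name}' is a Windows executable (MZ header)")
    if image_seen and not text_seen:
        flags.append("body is image-only: no text for a content filter to score")
    return flags


def in_route(ip, route):
    """True if ip falls inside a whois route block such as 122.175.154.0/24."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(route, strict=False)


if __name__ == "__main__":
    msg = parse(RAW_SCAM)
    for hop in received_chain(msg):
        tag = "trusted" if hop["trusted"] else "SENDER-SUPPLIED"
        print(f"{tag:16} from={hop['from']} ip={hop['ip']} by={hop['by']}")
    print("true origin:", true_origin(msg))
    print("forged claims:", forged_claims(msg))
    for flag in scam_indicators(msg):
        print("flag:", flag)
    print("origin in 122.175.154.0/24:", in_route(true_origin(msg), "122.175.154.0/24"))
```

Run it as a script to see the hop-by-hop listing: the top hop (stamped by mx.example.net) is the only trusted one and yields 122.175.154.80 as the true origin, while the "from fdic.gov" line beneath it is reported as a sender-supplied claim. The trusted-run rule is the part worth keeping: a single foreign "by" host ends trust for everything below it, which is exactly why the forged FDIC line cannot be believed no matter how plausible it looks.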
The purpose of the FDIC and ACH scams is to deliver multiple types of malware onto your computer. The payloads downloaded once this type of Trojan horse is executed include: the Zbot, aka Zeus, banking Trojan; the Bredolab botnet installer; fake anti-virus or system scanners (scareware); a rootkit that lets the malware survive a reboot and hide from scanners; a malware downloader; and a proxy server that lets the criminals relay their own traffic through the infected PC, so that they can reach other infected computers without exposing their own address.
I hope that this article saves somebody out there from being tricked into opening the attachments in these and similar email scams. If you were tricked into opening such an attachment, even if you didn't notice anything bad going on, your PC may be compromised and may now be a zombie in a criminal spam and attack botnet. Your banking credentials may be stolen the next time you log on to your bank, PayPal, or your website control panel. Scan the PC for viruses, malware, key loggers, bots and rootkits with your installed anti-virus program, after updating its definitions.
If your anti-virus program doesn't find anything amiss, or if you don't have any anti-malware program installed, you can download Malwarebytes' Anti-Malware (MBAM), install it, update it and scan for bad stuff. It removes anything it identifies for free. But you may need to disable System Restore, reboot, then rescan with MBAM, so that an infected restore point cannot bring the malware back. It is free to use manually: check for updates, scan, then act on what it finds.
If MBAM finds and removes threats from your computers, consider licensing it for about 25 bucks for lifetime program updates, automatic frequent definitions updates, scheduled fast scans and automatic real time protection against known bad-ware downloads. I am an affiliate for Malwarebytes' Anti-Malware, as well as a user. You can read about the program, download the latest version and register it online, via my affiliate links, on my Malwarebytes' Anti-Malware web page. Thanks in advance ;-)
If you lack anti-virus protection, check out the legitimate products advertised throughout my blog and other web pages. Most offer a free trial for a number of days. If you choose to install free anti-malware programs, make sure you update them frequently, set them to watch as you download or open files, and run a quick scan every night before you shut down the PC or go to bed.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.