
Fake Antivirus Renewal Email Rises from the Dead

Created: 01 Mar 2013 09:53:26 GMT • Updated: 23 Jan 2014 18:09:09 GMT • Translations available: 日本語
By Symantec Security Response

Over the last few years, many reports, white papers, and blogs have been released detailing targeted attacks. For example, some attacks employ sophisticated infection methods, such as watering hole attacks, and some rely on exploit code hidden in document files mixed with social engineering schemes. Some time ago, when the malware world was still dominated by mass-mailing worms that used fake emails as the infection method, one of the schemes was a fraudulent license renewal notification from well-known antivirus vendors.

Some may think that this scheme had become extinct, but we recently saw evidence that it is still alive and kicking when such an email was sent to an electric power company and a major industrial company in Japan.

Figure 1. Fake antivirus email with a Zip file attached

Inside the attached .zip file there is a file with a .doc.exe extension, which smells fishy. The file name is gibberish as well.

Figure 2. File name of the file found inside the Zip file

Although the file uses an MS Word icon, this file is an executable file and will therefore run regardless of whether MS Word is installed on the computer or not. This file is detected by Symantec as Trojan.Dropper. Once it is executed, it drops a simple back door onto the computer, detected as Backdoor.Trojan, which connects to a command-and-control (C&C) server and awaits commands from the remote attacker.
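A mail gateway or analyst can catch this trick before a user ever sees the icon. The following is an added example, not code from the original Symantec post: it builds a small zip archive in memory with constructed entry names (including a gibberish `.doc.exe` name in the style described above) and flags any entry whose name pairs a document extension with an executable one, or whose content starts with the `MZ` header of a Windows executable regardless of what the name claims. The extension lists and sample file names are assumptions chosen for illustration.

```python
"""Flag deceptive double-extension attachments inside a zip archive.

Added example (not from the original post). It builds a zip in memory
with constructed entry names, then checks each entry for the ".doc.exe"
style trick and for an executable (PE) header regardless of the name.
"""
import io
import zipfile

# Extensions a recipient would expect to open as a document (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pdf", "txt", "rtf"}
# Extensions Windows will execute directly (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def is_deceptive_name(name: str) -> bool:
    """True when the name ends in a document extension immediately followed
    by an executable extension, e.g. 'report.doc.exe'. Directory components
    are ignored; 'archive.tar.gz' is not flagged because 'tar' is not a
    document extension."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 3:
        return False
    return parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS


def is_pe_executable(data: bytes) -> bool:
    """True when the bytes start with the 'MZ' DOS header that every
    Windows executable carries, whatever its file name or icon."""
    return data[:2] == b"MZ"


def scan_zip(blob: bytes) -> list:
    """Return (entry_name, reasons) for every suspicious entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if is_deceptive_name(info.filename):
                reasons.append("double extension")
            # Read only the first two bytes; never execute or fully unpack
            # untrusted content just to classify it.
            with zf.open(info) as fh:
                head = fh.read(2)
            if is_pe_executable(head):
                reasons.append("PE header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign text file, one fake 'document'
    that is really an executable, and one file with a plain .pdf name but an
    executable header. All names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"plain text, nothing to see")
        zf.writestr("xkq2r9.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 62)  # wrong name, real PE header
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()):
        print(f"{name}: {', '.join(reasons)}")
```

The header check matters because the name test alone is easy to sidestep; the `.doc.exe` pattern catches the lure as the post describes it, while the `MZ` check catches an executable no matter what extension or icon it wears.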

Interestingly, the same “From” address was used to send different fraudulent emails to several airline companies, targeting recipients who appear to be Japanese. As the targets are airline companies, the attacker was smart enough to use aviation-related information in the email, but the use of the .doc.exe tactic remained the same.

Figure 3. File name of the attachment sent to airline companies

This file is also detected as Trojan.Dropper and likewise drops Backdoor.Trojan, which connects to the same C&C server mentioned previously.

Once the back door is successfully opened, the attacker can take control of the computer and do whatever he or she wants, including stealing information that could be used in subsequent attacks.

While using defense systems against sophisticated attacks has become an absolute necessity, often a simple and old trick is enough to compromise a computer. Basic security practices can often be forgotten when security software is used and this sort of email rarely lands in your inbox. It is important to remember the expression “Disaster strikes when you least expect it.”