Video Screencast Help
Security Response

The (File)Name Game!

Created: 03 Oct 2008 18:38:15 GMT • Updated: 23 Jan 2014 18:39:41 GMT
Elia Florio's picture
0 0 Votes
Login to vote

Digging into our honeypots and spam-trap systems to look for malicious attachments is always an interesting exercise. We can identify different spam campaigns and map together malicious binaries by correlating attachments and filenames. Nevertheless, it's also funny to see how the bad guys are still trying to entice users to run executable attachments-pushing their creativity and social engineering skills to extreme levels. Invoices, contracts, delivery notices, and all types of tickets are travelling by mail everyday, hitting millions of mailboxes; all in the hope that a few users, sooner or later, will be fooled by a perfectly orchestrated malicious e-mail (yes, it does still work, and old tricks are always the best).

Just for fun, I tried to create a picture of the breakdown of the most common malicious spam campaign observed on a set of emails received during the month of September. As you will notice from the chart below, the "Fees_2008-2009" attachment is still the most prevalent, followed closely by "e-card" and various "video codec" Trojans. A series of fake "Contract, Abstract, and Approved" Trojan files are also making the rounds these days.

Looking from a different perspective, we can still gather interesting information about filenames commonly used by malicious program by digging into generic antivirus detections. Many of these malicious binaries are compressed or encrypted with custom-made packers, often armored with exotic anti-emulation and somewhat funny anti-debugging tricks to evade antivirus detections. Using the polymorphic abilities of a packer, the bad guys generate hundreds of different samples from a single malicious executable in order to minimize the chance of being detected. These bad packers-used only by malicious programs-are very common for a lot of different Trojans and misleading applications, which jump from one packer variant to another every time they are detected by generic detections.

Generic antivirus detections for files created by bad packers are frequently released for our products with the prefix name of "Packed.Generic." It is nice to see a single generic detection catching thousands of different malicious samples in one shot, as shown by the chart below, calculated only during the month of September. Spikes in volumes usually occur either when a new spam campaign starts, or when there's a shift in the threat landscape (with a malicious code family moving from one packer to another).

Packed.Generic detections are also useful for identifying different malware families that share the same bad packer. I always wonder if this fact means that there's a single guy behind the distribution of different Trojans, or if it's just a coincidence.

Here are some filename statistics related to some of our recent generic detections having good hits recently:

Name:        Packed.Generic.177
Description:    Commonly used by misleading applications such as AntiVirus2008,
AntiVirus2009, AntiVirusXP2008 and their Downloaders.

AV2009Install_*.exe (e.g. AV2009Install_880401.exe)

Name:        Packed.Generic.186
Description:    Commonly used by Trojan.Blusod, Trojan.Fakeavalert and Downloaders.

lphc*.exe (e.g. lphcjooj0ecg4.exe)

Name:        Packed.Generic.187
Description:    Used by AntiVirus2009 droppers and Downloaders.

A9installer_*.exe (e.g. A9installer_770522157731.exe)
MultyCodecUpgr*.exe (e.g. MultyCodecUpgr.7.20765.exe)
video*.cfg.exe (e.g. video1055.cfg.exe)
video(*).cfg (e.g. video1054.cfg)

Name:        Packed.Generic.188
Description:    Used by Trojan.Blusod, Backdoor.Tidserv and AntiVirus2008.

lphc*.exe (e.g. lphcjooj0ecg4.exe)

Regardless of the spam campaign, filenames, and/or packer used, the thing that you may have noticed these days is the fact that pretty much all of these malicious emails and samples are somehow related to misleading applications. In most cases, these misleading apps end up downloading and installing an antivirus clone program or a fake security product. So, now that you know the common filenames used by the bad guys these days, watch what you click when you receive your next email!

Message Edited by SR Blog Moderator on 10-03-2008 02:23 PM