Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Symantec Intelligence

“Here you have” Mass-mailing virus returns to old-school tactics

Created: 10 Sep 2010 • Updated: 17 Sep 2010 • 2 comments
Paul Wood's picture
+2 2 Votes
Login to vote

By Tony Millington, Malware Operations Engineer, Symantec Hosted Services

On September 9, 2010 at 15:20 (GMT) MessageLabs Intelligence identified and began blocking a new virus attack using old mass-mailer techniques. Using Skeptic’s patented heuristics, Symantec Hosted Services customers, using MessageLabs Hosted Email AntiVirus, were fully protected from this threat from the outset. As a hosted solution in the cloud, the mass mailer worm was detected using Skeptic’s unique predictive heuristics and it was blocked before it reached clients’ networks – this means that there was no need for customers to update patches or virus definitions.  The heuristic rule that triggered the detection of this virus by Skeptic was actually added in 2008.

At its peak Symantec Hosted Services were blocking over 2,000 malicious emails per a minute. The last copy was blocked on September 10, 2010 at 08:33 GMT, during which time 106,390 copies were blocked in total.

The attack used a technique that is not particularly new; we often intercept emails sent from machines infected with mass-mailers containing copies of the virus, or hyperlinks to viruses hosted on compromised websites. A favoured social engineering technique that has been used previously is the “virtual postcard” technique: an email arrives stating you have received an online e-card, please click the hyperlink to view it. The link would then lead the recipient into to downloading a viral executable that when run immediately begins to spam itself out to any email addresses it finds on your computer.

This new one uses many of the same techniques but the social engineering is vastly different.

Since the emails are sent from an infected recipient, using their own email account and legitimate email server, this lends more credibility to the emails and is different to the usual postcard-style attacks that spoof the sender addresses. This significantly enhances the social engineering as it may appear to be business related, or come from someone in your own office or even someone else that you have a business relationship with. Furthermore, some email systems mandate the use of encryption on certain correspondence, which may make it harder for security technology to analyse.

However, the grammar in the email body and its general layout is terrible; the use of capital letters in the middle of a sentence; a lack of proper spacing after a full-stop or period; there is no name after Cheers – and overall it just doesn’t look very good. However, many people have still fallen victim – perhaps persuaded by the social engineering that this email really did come from someone they know and trust. The HTML code behind the email body is also very badly formatted:

<html>
<font size=4 color=blue>Hello:<br>
<font size=4 color=black><br>
This is The Document I told you about,you can find it Here.
<font size=4 color=blue><a target=new href=http://<LINK REMOVE>.scr>http://<LINK REMOVED>.pdf
<font size=4 color=blue> </a>
<br><br>
<font size=4 color=black>Please check it and reply as soon as possible.<br><br><br><font size=4 color=blue>Cheers,
</html>

The HTML font tag is never closed properly and the data for the options for the font are never put in quotation marks. However, most browsers and email clients will ignore this and try to display it in the intended way. The hyperlink is aliased incorrectly; the domain where the malicious executable is actually located is different to what is being displayed in the email, which is a common technique for anything from phishing to viral links to general spam. Although it says that it is a .PDF file in the message, the actual hyperlink is a .SCR (an executable screen saver program), again a technique commonly used in malicious emails.

The malicious executable itself is being stopped by Symantec as W32.Imsolk.B@mm and there is a more detailed analysis about it here: http://www.symantec.com/security_response/writeup.jsp?docid=2010-090922-4703-99
 

Comments 2 CommentsJump to latest comment

deepak.vasudevan's picture

Dear Paul,

Even regarding Phishing too it is said that phished email is often identified by a broken grammar and an incorrect flow of sentence.

Can this condition be considered as one of the reliable test cases for identifying malware? Or is it just a coincidence? 

-5
Login to vote
mathell's picture

"using MessageLabs Hosted Email AntiVirus, were fully protected from this threat from the outset"

"this means that there was no need for customers to update patches or virus definitions"

The virus also propagates via file shares, so I'm not sure either of these statements is really accurate.

+3
Login to vote