Symantec Intelligence

Rise in ZIP File Attachments in Spam Emails Lead to Bredolab Malware

Created: 15 Apr 2011
Paul Wood

Posted on behalf of Mat Nisbet, Malware Analyst, Symantec.cloud

On the 16th of March Rustock, the largest of the spamming botnets, was taken down. As you would expect, global spam levels started to drop, as can be seen from the number of mails being delivered to one of our spamtraps.

However, on the 26th of March we saw a large increase in the volume of data traffic hitting our spamtraps, even though the number of emails continued to decline.

Investigation revealed that the Cutwail botnet had started sending many more emails with zip file attachments than usual, so the average size of each mail was much higher than normal. The chart below shows a couple of spikes in early March, which may have been short test runs, but from the 26th of March onwards there has been a sustained increase in spam carrying a zip attachment.

These mails are all variations on the same familiar theme: a package could not be delivered, and you need to open the attachment, print it out and take it to the courier's depot in order to collect the parcel.

This is a screenshot of a typical example:

Notice that the grammar is lacking in several places. Also, the parcel number appears in three separate locations (the subject line, the second line of the mail, and the filename of the attachment) and is different in each of them, which a genuine notification would never do.

Inside the zip attachment is an executable file which, if run, will infect the user's machine. The malicious files are all variants of the Bredolab malware. Once on the system, Bredolab allows the attacker to take control of the machine and download further malware onto it. Most likely the infected machine would become part of a botnet, being used to spread the infection to others.
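The two indicators described above (a parcel number that disagrees between subject, body and attachment filename, and a zip attachment whose contents are a Windows executable) can be checked mechanically at a mail gateway. The following Python script is an added example written for this page; it is not Symantec.cloud code, and the message, parcel-number format, sender address and archive contents it builds are constructed sample data rather than captured Cutwail output. The executable-detection helper looks at both the member's extension and its leading MZ magic, so a renamed binary is still flagged.

```python
"""
Heuristic triage of a "failed parcel delivery" spam message.
Added example for this page; all sample data below is constructed.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Digit runs of six or more that are not part of a longer run of digits.
# (A plain \b would miss "ID_31598027" because "_" is a word character.)
PARCEL_RE = re.compile(r"(?<!\d)(\d{6,})(?!\d)")
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
MZ_STUB = b"MZ" + b"\x90" * 62  # constructed: DOS header magic only, not a real PE


def build_sample_message(subject_id="64073891", body_id="88271040",
                         file_id="31598027", member="UPS_Label_ID_31598027.exe",
                         member_data=MZ_STUB) -> bytes:
    """Constructed sample mail; defaults mimic the mismatched-ID lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, member_data)
    msg = EmailMessage()
    msg["From"] = "UPS Customer Services <service@example.invalid>"  # constructed
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = f"United Parcel Service notification #{subject_id}"
    msg.set_content("Dear customer,\n"
                    f"We could not deliver your parcel. ID {body_id}.\n"
                    "Please print the attached label and bring it to our depot.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=f"UPS_Label_ID_{file_id}.zip")
    return msg.as_bytes()


def executables_in_zip(data: bytes) -> list:
    """Names of archive members that look like Windows executables."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    magic = fh.read(2)
                if info.filename.lower().endswith(EXEC_EXT) or magic == b"MZ":
                    found.append(info.filename)
    except zipfile.BadZipFile:
        found.append("<corrupt archive>")  # still worth a human look
    return found


def triage(raw: bytes) -> dict:
    """Apply both indicators and return the verdict with its reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    ids = {"subject": PARCEL_RE.findall(msg["Subject"] or ""),
           "body": PARCEL_RE.findall(body),
           "attachment": []}
    execs = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ids["attachment"] += PARCEL_RE.findall(fname)
        if fname.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            execs += executables_in_zip(part.get_payload(decode=True))
    distinct = {i for ids_at in ids.values() for i in ids_at}
    reasons = []
    if execs:
        reasons.append(f"zip attachment contains executable(s): {execs}")
    if len(distinct) > 1:
        reasons.append(f"parcel number differs across subject/body/attachment: {sorted(distinct)}")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "ids": ids, "executables": execs}


if __name__ == "__main__":
    for reason in triage(build_sample_message())["reasons"]:
        print("FLAG:", reason)
```

Either indicator alone is enough to quarantine the message for review; the inconsistent-ID check is cheap and catches the lure even when the archive is password-protected or otherwise unreadable.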

If you receive an email informing you that you have an undelivered package, be wary. A genuine notice should include a phone number so that you can contact the depot yourself, along with the depot's opening hours. If it asks you to print an attachment, do not do so: in reality, all that is needed to collect a parcel is its ID number, since you will be asked for identification when you go to collect it.