This week’s Malware Watch features four currently active malware campaigns: a spamvertised malware-serving attack impersonating Microsoft’s Security Team, a scareware variant that mimics Microsoft’s Software Removal Tool, multiple spamvertised BREDOLAB-serving campaigns, and the first (reported) SMS trojan targeting Android users.
- Fake Microsoft Patch Tuesday malware campaign
From the perspective of the malicious attacker, timing is everything. Whether it’s the real-time syndication of trending topics for the purpose of serving malware and scareware through blackhat SEO (search engine optimization), or riding the buzz wave of a particular event, this type of social engineering campaign remains .
One of the most popular events that ends up as the lure for a malware campaign (the same theme was seen in 2008, and twice in 2009) is Microsoft’s Patch Tuesday.
According to researchers from BitDefender, a currently spamvertised campaign is impersonating Microsoft’s Security Team, urging users to download and execute the malicious win.exe, which once executed starts relaying spam through the infected user’s PC. Keep in mind that Microsoft does not distribute security updates by e-mail, so any “patch” that arrives this way is a lure by definition.
Sample message:
Hello,
Microsoft’s security team investigated the release of a new zero-day flaw that exposes Windows users to blue-screen crashes or code execution attacks. Because of this, Microsoft plugs 34 security holes in a patch. You can download the patch from here. If the link doesn’t work, you can use.
Thank you for your understanding,
Microsoft team
- Scareware variant mimicking Microsoft’s Software Removal Tool
Imitation has always been a form of flattery. Researchers from Sunbelt are reporting on a scareware variant mimicking Microsoft’s Software Removal Tool. Naturally, the application recommends the installation of the bogus Shield EC Antivirus, stating that “Antivirus software can’t be installed. Your license key 4739537485639445 has expired on 2010/06/05” and asking for credit card details on an insecure page.
- Go through the Ultimate Guide to Scareware Protection if you want to learn more about the most popular monetization tactic used by cybercriminals these days
- BREDOLAB malware-serving campaigns using multiple topics
BREDOLAB is known for its persistence and for the quality assurance it applies to its social engineering, systematically introducing new lure topics. Researchers from Trend Micro, CA and Symantec are reporting on multiple BREDOLAB malware-serving campaigns enticing users into executing malicious attachments.
Popular topics include, but are not limited to:
“Review your annual Social Security statement”
“First Birthday Invitation”
“Resume”
“Your reservation is confirmed”
“Another candidate brought to you”
“Solve this if you could…!!!!”
“Code (random number)”
“acceptance letter and benefit summary”
“Angel Awards”
“Final_moments_of_Air_France”
“Homax Docs”
“INVITATION”
“Resume & Coverletter - Feedback”
“Merriage Invitation”
“Picture sizes”
“NYCEDC Employment Application”
“Sales Dept”
“Proposal”
“Resume text”
“SIGN BOARDS”
“Your Quote from AA Getaway Coaches”
“Your receipt from Apple Store, Fifth Avenue”
“Beauty and the Geek 2”
“fill this Passport Form”
“In USA on August 15 and 16”
“Status”
“Employee Orientation”
“Garages”
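Subject lines like the ones above rotate quickly, but they still make a usable mail-gateway heuristic when combined with an attachment check. The following is an added example (not code from any of the vendors cited above): it normalises the subject, matches it against the reported lures, and scores the attachment by extension. The sample messages, the double-extension and archive heuristics, and the verdict thresholds are my own assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Lure subjects reported in the BREDOLAB campaigns above (literal matches).
LITERAL_LURES = [
    "Review your annual Social Security statement",
    "First Birthday Invitation",
    "Resume",
    "Your reservation is confirmed",
    "Solve this if you could…!!!!",
    "Final_moments_of_Air_France",
    "Resume & Coverletter - Feedback",
    "Picture sizes",
    "NYCEDC Employment Application",
    "Your receipt from Apple Store, Fifth Avenue",
]
# "Code (random number)" becomes a regex rather than a literal.
REGEX_LURES = [r"Code \d+"]

SUBJECT_PATTERNS = [re.compile(re.escape(s), re.IGNORECASE) for s in LITERAL_LURES] + [
    re.compile(p, re.IGNORECASE) for p in REGEX_LURES
]

# Assumed extension policy: executables are never acceptable by mail,
# archives are common malware carriers and warrant review.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ARCHIVE_EXTENSIONS = {".zip", ".rar"}


def normalize_subject(subject: str) -> str:
    """Strip Re:/Fw:/Fwd: prefixes and collapse whitespace so 'RE:  Resume' matches 'Resume'."""
    stripped = re.sub(r"^(\s*(re|fw|fwd)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    return " ".join(stripped.split())


def subject_is_lure(subject: str) -> bool:
    """True when the normalised subject exactly matches a reported lure."""
    normalized = normalize_subject(subject)
    return any(p.fullmatch(normalized) for p in SUBJECT_PATTERNS)


def attachment_risk(filename: str) -> str:
    """Classify an attachment by its final extension; flag 'resume.doc.exe' style names."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "none"
    ext = "." + parts[-1]
    if ext in RISKY_EXTENSIONS:
        return "executable-double-extension" if len(parts) > 2 else "executable"
    if ext in ARCHIVE_EXTENSIONS:
        return "archive"
    return "none"


@dataclass
class Message:
    sender: str
    subject: str
    attachments: List[str]


def triage(msg: Message) -> str:
    """Return 'quarantine', 'review' or 'deliver' for one message."""
    lure = subject_is_lure(msg.subject)
    risks = [attachment_risk(a) for a in msg.attachments]
    has_exec = any(r.startswith("executable") for r in risks)
    has_archive = "archive" in risks
    if has_exec or (lure and has_archive):
        return "quarantine"
    if lure or has_archive:
        return "review"
    return "deliver"


# Constructed sample messages; none of these are real captures.
SAMPLE_MESSAGES = [
    Message("hr@example.invalid", "Re: Resume", ["Resume.doc.exe"]),
    Message("noreply@example.invalid", "Code 48219", ["document.zip"]),
    Message("friend@example.invalid", "Picture sizes", ["sizes.jpg"]),
    Message("billing@example.invalid", "Invoice for March", ["invoice.pdf"]),
]


def run_triage() -> Dict[str, str]:
    """Triage every sample message, keyed by subject."""
    return {m.subject: triage(m) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for subject, verdict in run_triage().items():
        print(f"{verdict:10s} {subject}")
```

Exact-match on normalised subjects keeps false positives down for generic lures like “Resume”; a looser contains-match would flag every legitimate CV that lands in an HR mailbox. The attachment classifier is deliberately blunt: an executable arriving by mail is quarantined regardless of subject.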
- The first (reported) SMS-trojan targeting Android users
Earlier this week, Kaspersky Labs reported a mobile malware sample targeting Android users exclusively, Russian users in particular.
Once the socially engineered user, believing it to be a legitimate Movie Player application, grants it all the permissions it requests (including the ability to send SMS messages), the malware is supposed to start sending SMS messages to a premium-rate number charging $5 per message. That install-time permission prompt is the only gate between the user and the charges, which is why a media player asking for SMS permissions deserves a second look.
Why supposed to? According to a note published by Trend Micro yesterday, “the malware code did not work properly due to programming errors that caused exceptions. In effect, the malware failed to do its intended routine which is to send SMS to premium rate numbers”.
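The practical takeaway is that a “Movie Player” has no business declaring SMS permissions. Below is an added example (not code from Kaspersky or Trend Micro) of the static check an analyst would run over a decoded AndroidManifest.xml: it collects the declared permissions, intersects them with the permissions that can run up a phone bill, and compares them against an assumed baseline of what a media player plausibly needs. The two manifests are constructed for the example, and the baseline permission set is my assumption.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that let an app generate charges on the victim's phone bill.
TOLL_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
}

# Assumed baseline for a media player; anything outside it is reported as unexpected.
MEDIA_PLAYER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.WAKE_LOCK",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest resembling a fake player that wants to send SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.movieplayer">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Movie Player">
        <activity android:name=".MoviePlayer">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

# Constructed manifest for a player that only asks for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.honestplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="Honest Player"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return every android:name from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}


def audit_manifest(manifest_xml: str, baseline: Set[str] = MEDIA_PLAYER_BASELINE) -> Dict[str, object]:
    """Flag toll-related permissions and anything outside the expected baseline."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    toll = sorted(perms & TOLL_PERMISSIONS)
    unexpected = sorted(perms - baseline)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "toll_permissions": toll,
        "unexpected": unexpected,
        # Any toll permission on a media player is enough to call it suspicious.
        "verdict": "suspicious" if toll else "ok",
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = audit_manifest(manifest)
        print(report["package"], report["verdict"], report["toll_permissions"], report["unexpected"])
```

The check works on the decoded manifest (as produced by apktool or aapt), not the binary XML inside the APK. It will not tell you whether the SMS code actually runs, which is exactly the gap Trend Micro’s note describes, but it catches the mismatch between what the app claims to be and what it asks for before anyone taps Install.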