Malware Watch: Fake Patch Tuesday emails, fake MSRT tool, spamvertised Bredolab, Android mobile malware

Summary: This week's Malware Watch features four currently active malware campaigns - fake Patch Tuesday emails, a fake MSRT tool, spamvertised BREDOLAB-serving emails, and the first (reported) SMS trojan targeting Android users.

This week's Malware Watch features four currently active malware campaigns - a spamvertised malware-serving attack impersonating Microsoft's Security Team, a scareware variant that mimics Microsoft's Malicious Software Removal Tool (MSRT), multiple spamvertised BREDOLAB-serving campaigns, and the first (reported) SMS trojan targeting Android users.

- Fake Microsoft Patch Tuesday malware campaign

From the perspective of the malicious attacker, timing is everything. Whether it is the real-time syndication of trending topics for the purpose of serving malware and scareware through blackhat SEO (search engine optimization), or riding the buzz wave of a particular event, this type of social engineering campaign remains .

Microsoft's Patch Tuesday is one of the most popular events to end up as the leading topic of a malware campaign: the same lure was seen in 2008 and twice in 2009.

According to researchers from BitDefender, a currently spamvertised campaign is impersonating Microsoft's Security Team, urging users to download and execute the malicious win.exe, which once executed starts relaying spam through the infected user's PC.

Sample message:

Hello,

Microsoft's security team investigated the release of a new zero-day flaw that exposes Windows users to blue-screen crashes or code execution attacks. Because of this, Microsoft plugs 34 security holes in a patch. You can download the patch from here. If the link doesn't work, you can use.

Thank you for your understanding, Microsoft team

- Scareware variant mimicking Microsoft's Malicious Software Removal Tool (MSRT)

Imitation has always been a form of flattery. Researchers from Sunbelt are reporting on a scareware variant mimicking Microsoft's Malicious Software Removal Tool (MSRT). Naturally, the application recommends the installation of the bogus Shield EC Antivirus, stating that "Antivirus software can't be installed. Your license key 4739537485639445 has expired on 2010/06/05" and asking for credit card details on an insecure (non-HTTPS) page.

- BREDOLAB malware-serving campaigns using multiple topics

Known for its persistence and for the quality-assurance-like way it systematically introduces new social engineering topics, BREDOLAB is the subject of reports from researchers at Trend Micro, CA and Symantec, who describe multiple BREDOLAB malware-serving campaigns enticing users into executing malicious attachments.

Popular topics include, but are not limited to:

"Review your annual Social Security statement", "First Birthday Invitation", "Resume", "Your reservation is confirmed", "Another candidate brought to you", "Solve this if you could...!!!!", "Code (random number)", "acceptance letter and benefit summary", "Angel Awards", "Final_moments_of_Air_France", "Homax Docs", "INVITATION", "Resume & Coverletter - Feedback", "Merriage Invitation", "Picture sizes", "NYCEDC Employment Application", "Sales Dept", "Proposal", "Resume text", "SIGN BOARDS", "Your Quote from AA Getaway Coaches", "Your receipt from Apple Store, Fifth Avenue", "Beauty and the Geek 2", "fill this Passport Form", "In USA on August 15 and 16", "Status", "Employee Orientation", "Garages".
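
Both the fake Patch Tuesday run and the BREDOLAB runs above are plain e-mail lures: a spoofed or suggestive sender, a subject line from a recycled pool, and a Windows executable delivered either as a link (win.exe) or as an attachment. The following script is an added example, not code from the article or from any of the vendors it cites; it triages raw messages with Python's standard library and tags those indicators. The sample messages, the sender domains and the lure subject list are constructed for this example (the subject list is a subset of the one reported above).

```python
"""Triage of e-mail lures of the kind described above (added example).

Flags three indicators: a sender that claims to be Microsoft from a
domain that is not microsoft.com, a link or attachment that delivers a
Windows executable, and a subject line from a known lure pool.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Subset of the BREDOLAB subject lines listed in the article, normalised.
BREDOLAB_SUBJECTS = {
    "review your annual social security statement",
    "first birthday invitation",
    "resume",
    "your reservation is confirmed",
    "your receipt from apple store, fifth avenue",
}

EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _claims_microsoft(name, addr):
    """True if the display name or the sender domain mentions Microsoft."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return "microsoft" in name.lower() or "microsoft" in domain


def _is_microsoft_domain(addr):
    """True only for microsoft.com itself or one of its subdomains."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain == "microsoft.com" or domain.endswith(".microsoft.com")


def triage(raw):
    """Return the list of indicator tags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    tags = []

    name, addr = parseaddr(msg.get("From", ""))
    if _claims_microsoft(name, addr) and not _is_microsoft_domain(addr):
        tags.append("spoofed-microsoft-sender")

    subject = re.sub(r"\s+", " ", msg.get("Subject", "")).strip().lower()
    if subject in BREDOLAB_SUBJECTS:
        tags.append("known-bredolab-subject")

    for part in msg.walk():
        fname = part.get_filename()
        if fname and EXECUTABLE_EXT.search(fname):
            tags.append("executable-attachment:" + fname)
            continue
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(body):
                if EXECUTABLE_EXT.search(url.split("?")[0]):
                    tags.append("executable-link:" + url)
    return tags


# Constructed sample: a fake Patch Tuesday lure (sender domain is made up).
FAKE_PATCH_TUESDAY = """\
From: "Microsoft Security Team" <security@microsoft-updates.example>
To: victim@example.org
Subject: Microsoft Security Update
Content-Type: text/plain; charset=us-ascii

Microsoft plugs 34 security holes in a patch.
You can download the patch from http://update.example/patch/win.exe
"""

# Constructed sample: a BREDOLAB-style lure carrying an executable attachment.
BREDOLAB_LURE = """\
From: hr@example.net
To: victim@example.org
Subject: Resume
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find my resume attached.
--b1
Content-Type: application/octet-stream; name="resume.exe"
Content-Disposition: attachment; filename="resume.exe"

MZ...
--b1--
"""

# Constructed sample: a benign message from the real domain, for contrast.
LEGIT = """\
From: "Microsoft" <msrc@microsoft.com>
To: victim@example.org
Subject: MSRC advisory digest
Content-Type: text/plain

Read the digest at https://www.microsoft.com/security
"""

if __name__ == "__main__":
    for label, raw in (("fake patch tuesday", FAKE_PATCH_TUESDAY),
                       ("bredolab lure", BREDOLAB_LURE),
                       ("legitimate", LEGIT)):
        print(label, "->", triage(raw) or ["clean"])
```

The sender check deliberately treats any domain that merely contains "microsoft" as a spoof unless it is microsoft.com or a subdomain of it; the subject match is exact after whitespace normalisation, so a production filter would want fuzzier matching, since these lures are re-spelled between runs.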

- The first (reported) SMS-trojan targeting Android users

Earlier this week, Kaspersky Labs reported a piece of mobile malware targeting Android users exclusively, Russian users in particular.

Once the socially engineered user grants the application all the permissions it requests, believing it to be a legitimate Movie Player application, the malware is supposed to start sending SMS messages to a premium-rate number charging $5 for each SMS.

Why supposed to? According to a note published by Trend Micro yesterday, "the malware code did not work properly due to programming errors that caused exceptions. In effect, the malware failed to do its intended routine which is to send SMS to premium rate numbers".
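
The weak point in the lure is the permission request itself: a movie player that asks for SEND_SMS is out of place, and on the Android releases of the time every permission in the manifest was granted in one block at install time, which is exactly where the "give the application all the necessary permissions" step happens. The following audit is an added example, not the malware's code or anything from Kaspersky or Trend Micro; it reads a decoded AndroidManifest.xml (the text form produced by tools such as apktool or aapt, not the binary XML inside the APK) and reports permissions a self-described media player has no business requesting. The manifest, the package name and the expected-permission table are constructed for this example.

```python
"""Manifest permission audit for a self-described media player (added example).

Lists every <uses-permission> in a decoded AndroidManifest.xml, separates
the SMS-capable ones, and compares the rest against what the app's claimed
purpose would plausibly need.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app send or intercept SMS, i.e. bill the user.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}

# What a plain media player plausibly needs (assumption for this example).
EXPECTED_BY_CLAIM = {
    "media player": {
        "android.permission.INTERNET",
        "android.permission.WAKE_LOCK",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
}

# Constructed manifest: a "movie player" that also asks to send SMS.
CONSTRUCTED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.movieplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Movie Player">
    <activity android:name=".MoviePlayer">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def audit(manifest_xml, claimed_purpose):
    """Compare declared permissions with what the claimed purpose needs."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    expected = EXPECTED_BY_CLAIM.get(claimed_purpose, set())
    sms = perms & SMS_PERMISSIONS
    return {
        "package": root.get("package"),
        "sms_capable": sorted(sms),
        "unexpected": sorted(perms - expected),
        # Any SMS permission on a media player is enough to call it suspicious.
        "verdict": "suspicious" if sms else "ok",
    }


if __name__ == "__main__":
    result = audit(CONSTRUCTED_MANIFEST, "media player")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The audit only says what the app *could* do; whether the code path that uses SEND_SMS actually works is a separate question, and in this case Trend Micro's note says it did not.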

Topics: Collaboration, Malware, Microsoft, Mobility, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

9 comments
  • An ounce of prevention...

    An ounce of prevention does nothing to prevent an ounce of stupidity...

    I think we need some sort of globally accepted harsh punishment for people who write and use malware... Any ideas???

    (I'm thinking cut off their hands and feet and drop them on a small island in the Pacific. We could do the same for child molesters and rapists)
    i8thecat
    • Island in the Pacific

      @i8thecat Hey! I live on a small island in the Pacific, I don't want them here!
      levinson
      • RE: Malware Watch: Fake Patch Tuesday emails, fake MSRT tool, spamvertised Bredolab, Android mobile malware

        @levinson
        [i]Hey! I live on a small island in the Pacific, I don't want them here! [/i]

        ROTFL

        @i8thecat
        [i]I think we need some sort of globally accepted harsh punishment for people who write and use malware... Any ideas??? [/i]

        A bullet for every skull involved?
        klumper
  • RE: ...globally accepted harsh punishment...

    Nah, that is too good for them!

    I prefer to use them as real `Shark Bait`. Inflict some bleeding cuts on them, throw them overboard IN SHARK INFESTED WATERS, and troll. Kind of like a modern day version of `keelhauling`. But, no mercy should be shown.

    More info on keelhauling: http://en.wikipedia.org/wiki/Keelhauling

    Note cultural reference #1.
    fatman65535
  • Malware and arms and legs amputation... etc

    Oh dear! My,my! Cut off their hands and feet?
    Sounds good. But are YOU willing to do it? You sound very brave- I'm sure you're the right person for the job.
    But if you're a tad squeamish, then perhaps you could simply "inflict some bleeding cuts" on them, and keelhaul them.
    But I suspect you're probably not even up to this, pantywaist. You'd rather a flunky do it.
    But if you are, please forward your address to the nearest police department. (and optionally your psychiatrist) ...
    PercySludge
    • Oh I'd do it

      @PercySludge
      [i]Oh dear! My,my! Cut off their hands and feet? Sounds good. But are YOU willing to do it? [/i]

      Trust me, I would. My solution is even quicker, and cheaper (look above). It wouldn't take long before other, "would-be" (contemplating) culprits caught on.

      And yes, problem solved -- if it could only be enacted.
      klumper
  • RE: Malware Watch: Fake Patch Tuesday emails, fake MSRT tool, spamvertised Bredolab, Android mobile malware

    Everyone who gets blasted by either of these ventures deserves to have their systems blitzed. (1) Microsoft does not send out update email messages. Likewise the update for the malicious software tool is not submitted in this fashion either. Both are only provided through Microsoft updates. If you want it at a time other than the update cycle, you should be wise enough to get it from Microsoft.com. We spend too much time worrying about the dead heads.
    eargasm
  • RE: Malware Watch: Fake Patch Tuesday emails, fake MSRT tool, spamvertised Bredolab, Android mobile malware

    Someday people will learn. Until then I'll just live well off the $25 Million I'm getting from the dead Nigerian General's wife.
    bhartmann
    • RE: Malware Watch: Fake Patch Tuesday emails, fake MSRT tool, spamvertised Bredolab, Android mobile malware

      @bhartmann
      What???!!! that be-atch promised me that money. All I had to do was give her my account info and she promised the money would be transferred in about a week.....
      dawgstyler