Zero Day

Ryan Naraine and Dancho Danchev

Spamvertised United Parcel Service notifications lead to malware

By | March 23, 2011, 6:45am PDT

Summary: A currently spamvertised campaign is brand-jacking United Parcel Service (UPS) for malware-serving purposes.

Sample subject: United Parcel Service notification

Sample attachments: UPSnotify.rar; UPSnotify.exe

Sample message: Dear customer. The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc.

Upon execution the malware (UPSnotify.exe) downloads additional binaries including a scareware variant. Users are advised to avoid interacting with suspicious attachments.
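To turn the indicators above into something a mail gateway or analyst can run, here is an added Python triage check (not code from the post or its author). It keys on the quoted subject line, on the attachment extensions named in the post and in the comments below (.exe, .rar, .zip), and on one commenter's observation that the lures carried long, alphabetically ordered Cc lists at a single webmail domain; the sample message, its addresses and the attachment bytes are constructed for the demo.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators quoted from the post (subject, attachment names); the Cc
# heuristic comes from a reader comment about alphabetically ordered Cc lists.
SUBJECT_RE = re.compile(r"united parcel service notification", re.I)
RISKY_EXT_RE = re.compile(r"\.(exe|rar|zip)$", re.I)


def attachment_names(msg):
    """Filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def cc_looks_bulk(msg, threshold=5):
    """True when Cc holds many addresses, all at one domain, in sorted order."""
    addrs = [a.addr_spec.lower() for h in msg.get_all("cc", []) for a in h.addresses]
    if len(addrs) < threshold:
        return False
    domains = {a.rsplit("@", 1)[-1] for a in addrs}
    return len(domains) == 1 and addrs == sorted(addrs)


def triage(raw: bytes) -> list:
    """Return the lure indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.search(msg.get("subject", "")):
        reasons.append("subject matches UPS lure")
    for name in attachment_names(msg):
        if RISKY_EXT_RE.search(name):
            reasons.append(f"risky attachment: {name}")
    if cc_looks_bulk(msg):
        reasons.append("bulk Cc list: one domain, alphabetical")
    return reasons


def sample_lure() -> bytes:
    """Constructed lookalike of the lure (addresses and bytes are made up)."""
    m = EmailMessage()
    m["Subject"] = "United Parcel Service notification"
    m["From"] = "notify@example.invalid"
    m["To"] = "alice@example.invalid"
    m["Cc"] = ", ".join(f"user{c}@webmail.invalid" for c in "abcdef")
    m.set_content("Dear customer. The parcel was sent your home address.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="UPSnotify.exe")
    return m.as_bytes()
```

The archive extension check only looks at the filename; an archive still has to be opened in a sandbox or scanner to see the executable inside, so treat a hit as a reason to quarantine, not as a verdict.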


Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007 and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

Talkback Most Recent of 19 Talkback(s)

  • RE: Spamvertised United Parcel Service notifications lead to malware
    Thanks, just had a user attempt to download one of these this morning. Thankfully, our Netgear UTM blocked it.
    PepperdotNet
    23rd Mar
  • Seems like wasted breath.
    "Users are advised to avoid interacting with suspicious attachments."

    If they haven't learned this by now they're not likely to ever do so.
    ye
    23rd Mar
  • RE: Spamvertised United Parcel Service notifications lead to malware
    This UPS-themed attachment was detected and blocked by Yahoo email's Norton scan. However, the Fedex-themed attachment received last week wasn't. Just goes to show how lame AV is these days.

    VirusTotal's look at the Fedex attachment:
    http://www.virustotal.com/file-scan/report.html?id=cb082f9a9b0df4deaa755d88f4b6431ecda5deea7d36791a4c1938c2b7d3438c-1300651243
    ejhonda
    23rd Mar
  • A/V has been lame for quite some time.
    @ejhonda: Just goes to show how lame AV is these days.

    Yet it continues to be recommended as a means to protect your computer. IMO A/V software essentially is limited to helping people catch known trojans.
    ye
    23rd Mar
  • RE: Spamvertised United Parcel Service notifications lead to malware
    @ejhonda: However, the Fedex-themed attachment received last week wasn't.
    I had just the opposite effect. I even signed up on Norton just so I could post how sorry their AntiVirus is. I found it strange that, in the UPS email, Norton would catch it about 1 in 20 times I tried to open it! If the AV does not catch it the first time, what good is it? I am so sick of Norton, I figured this would put it in their face!

    http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-AntiVirus/m-p/421976#M153090

    No viruses detected
    The virus scan did not find any viruses in your attachment. Click the download button to continue.
    United Parcel Service document.zip (6KB)

    Virus detected
    The attachment you are trying to download contains a virus and it can not be cleaned.
    FedEx notice.zip (10KB)
    HRIRAR
    25th Mar
  • RE: Spamvertised United Parcel Service notifications lead to malware
    I should have known better, but because I was expecting a package I thought this might have been legit and downloaded it. Now I can't get rid of it. Advice please!
    Becabpg
    24th Mar
  • RE: Spamvertised United Parcel Service notifications lead to malware
    @Becabpg I'm guilty of the same thing. Norton did catch it but I thought it was a mistake as I too was expecting something via UPS, but anyway, I used combofix, from bleeping.com (pay attention to the .com, it is NOT .org) and it has worked (so far). I hope you're as lucky with it as I was.
    cjbcarousel
    31st Mar
  • Think a bit
    Really... just use your brain a little and people could avoid these issues. I mean, how would UPS get your email address?
    candy21
    24th Mar
  • RE: Spamvertised United Parcel Service notifications lead to malware
    @candy21: I mean, how would UPS get your email address? The BIG clue to me was, both UPS and FedEx had multiple email Cc:s. As for UPS having personal email addresses, I do a lot of business with both companies. I gave them my email address, so they can keep me informed of my package tracking. Only both of these had multiple Cc:s, all with Yahoo emails, and all were alphabetically sequenced. DEAD giveaway!!
    HRIRAR
    25th Mar
  • Incomplete story
    While it was good to alert people, nothing was said about how it installed into your computer, and if a rollback would undo its damage or what to do. If you write an article about something like this, then increase the value of the article by providing repair solutions that are known to work. And for the comments section, the old rules don't always work. If you've never been caught, your day is coming and with the thousands of malware/virus/spoofs that are out there, your day to be foiled may be just around the corner. Be quick to help, not condemn or ridicule.
    david@...
    24th Mar
  • RE: Spamvertised United Parcel Service notifications lead to malware
    I received 2 of these UPS emails and was receiving packages I was expecting from them. Since the arrival dates were wrong, I finally decided to open them, also because I had cancelled one of the packages. I can't remove them from my inbox; when the attachment is clicked they go to a zip file, but it can't be opened. I have Norton. Am I protected from malware?
    artjud
    25th Mar
  • RE: Spamvertised United Parcel Service notifications lead to malware
    @artjud: I have Norton. Am I protected from Malware?
    First read the reply I sent to candy21. Dead giveaway!
    Second, to answer this question in two letters: NO!
    Read the reply I sent to ejhonda.
    HRIRAR
    25th Mar
  • RE: Spamvertised United Parcel Service notifications lead to malware
    I got that e-mail today and some other day. I don't click on the attachment since I'm afraid my computer will go bad. Luckily, I have Trend Micro Internet Security on my home computer since March 10 of this year. Especially if I rebuild my brother's computer and upgrade my grandpa's old IBM Aptiva, I might want to install either the Microsoft Security Essentials (Freeware - $0.00) or upgrade my Trend Micro to a 3-user subscription (for $20.00 more). For those who have a crappy Anti-Virus, like McAfee, Norton, or others, except for Microsoft Security Essentials, ESET Nod32 Anti-Virus, or Trend Micro, I would recommend you get the Trend Micro Internet Security Suite (approx. $29.99 MSRP + State Tax for a 1-user edition, $49.99 MSRP + State Tax for a 3-user edition, or $79.99 MSRP + State Tax for a 5-user edition). If you get something from USPS (United States Postal Service) or FDIC (Federal Deposit Insurance Corporation) with a tracking number, add the recipient's e-mail address to your blacklist (block this e-mail)* and delete the e-mails immediately since your computer will get infected; even Macs and Linux OSes can still get infections.

    *go to your ISP's e-mail help, or other e-mail client's help guide to block e-mails. For Hotmail/Windows Live Mail, check the box on the e-mail that's in the Junk mail folder (or Microsoft blocks those e-mails), click Sweep and click on Block From (adds the e-mail addresses to the blacklist) and click OK, and delete the e-mail(s) from your Delete folder.
    ben_ben2
    26th Mar
