The Barracuda Labs Internet Security Blog

by Shawn Anderson – Security Researcher

Have you ever driven down the road with a police vehicle right behind you? Do your nerves heighten and your stomach drop? This happens to a lot of people, and when the flashing lights turn on there is one thing to do. Pull over, right? The pure adrenaline rush from thinking, “What did I do wrong?” masks the paranoia of whether or not the person is really a police officer.

What would happen if you received an email from the police department stating that you were in violation of the law? Would your stomach drop and your nerves kick in as though the police vehicle just turned on its lights behind you? Would you stop to think whether the email is legit or not? Unfortunately, impersonating the police can be very effective for spammers who are trying to persuade recipients to click on a link or open an attachment. Forcing the recipients to consider their possible guilt can distract them from questioning the legitimacy of the email itself.

At Barracuda Networks, we are witnessing a large spam outbreak with malicious attachments that impersonates (spoofs) the New York State police. The email states that the recipient was in violation of the law, and contains a description of the traffic violation. It also claims to contain the actual ticket as an attachment with instructions to open it, print it and send it to ‘Town Court’ in some small town somewhere in New York state

The attachment is actually malware, a variant of Trojan.Downloader. If run, it downloads Trojan.Fakealert which further compromises the computer.

Emails like these teach a very important lesson. Many malicious spam messages go to great lengths to appear to be sent from some official government agency or other large organization. Unfortunately the contents of email messages are very easy to fake. The sad truth is that you should never assume that an email message is legitimate. Instead, if an email raises concerns you should verify the contents by phone or postal mail, and never run emailed attachments like the one in the message above.

Tips for configuring your spam firewall to block this attack:

Currently, the malicious spam is spoofing the “From” address domain of “nyc.gov”. Since “nyc.gov” has a Hardfail SPF record set up in its DNS txt record, most conventional filters will block these spoofed messages. Enabling SPF on your spam filter will help block these spoofed emails.

It is common, however, that these types of malicious outbreaks will rotate their sender domains, and it is likely that they’ll spoof other state domains. SPF records are not always set up or set up properly in DNS for domains that are commonly spoofed, so relying solely on the SPF filter is not recommended. Other content scanning techniques are required to block these attacks as they rotate sender domains. Customers using the Barracuda Spam & Virus Firewall should make sure their Energize Updates are up to date and that they are on the latest version to help block these types of malicious emails.

by David Michmerhuizen & Luis Chapetti – Security Researchers

Version 8 of Microsoft Windows is under active development and is tentatively scheduled to be released sometime in 2012.   Screen shots have already leaked to the internet, and some opportunistic spammers are already using the promise of a Windows 8 download to lure unsuspecting users into swallowing a malware payload.

The spam itself is short and simple.  Spammers often make tell-tale spelling and grammar goofs, so keeping the text short is a good way to reduce mistakes.

Windows 8 Spam

Even though it’s only two sentences, they’ve still managed to introduce a stray question mark in the name.   If that doesn’t make you suspicious, a quick check of the link destination should

Revealing the details of the spam link

The double extension of .gif.exe is used to make the file appear to be a .gif file on Windows systems that are not configured to display program extensions.

Even if the type of file is partly obscured by the filename there shouldn’t be any confusion once you click on the link.  Windows asks you if you are sure you want to run this software.

Are you sure you want to do this?

Of course, you don’t typically run a program in order to “get more details” about some topic.   At this point what you want to do is to press “Don’t Run” and back away.

But let’s suppose your defenses were down and your overwhelming curiosity about Windows 8 had you pushing that “Run” button.  Here’s what happens

Running 8final.gif.exe

The program opens up a spiffy Windows graphic.   That’s it.  Those are your details.

Except not quite.  The program is a variant of Trojan.Zapchast.   After it opens the graphic it gets to work installing an Internet Relay Chat client – mIRC, along with special scripts that turn the client into a backdoor.

This Zapchast isn’t all that sneaky though.  If you look at the screen shot above you’ll see a blank spot in the notification bar, just to the left of the speaker icon.   Hovering over it ever reveals an “mIRC Daemon Tools” tooltip.    You can actually open it and watch the bot-herder at work.

A glimpse of the backdoor in action

This IRC controlled backdoor is set to start whenever the computer is started.   It monitors the channel (in this case, #drones) for messages that it interprets as commands and then carries them out.   Once infected, the host computer can be directed to download and run other malware, search for personal information, send spam – in short, your computer belongs to the bot-herder.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.