Update: Huge amounts of UPS and Facebook malware attachments

March 30th, 2011 by Avi Turiel | Category: Antivirus, Email Security | 14 Comments »

Virus distributors have steadily decreased their usage of email as a means of malware distribution. The more popular methods nowadays include the use of drive-by downloads as well as “voluntary” downloads of “shockwave updaters” and “movie codec files”.

But the last day or so has seen very high levels of emails with attached malware. At one point these accounted for over 30% of all email received. The sudden increase can be seen in the graph below:

Almost all of the malware comes in two flavors:

  • Facebook password reset (about 10% of the emails)
  • UPS package notifications (about 85%)

The UPS notifications generally look like this:

Titles are all variations of “United Parcel Service notification 00290”. The attached file extracts to an .exe, but one carrying a PDF icon:

Commtouch’s Command Antivirus detects these as variants of W32/Bredolab. The UPS and Facebook methods are certainly not new, but the email headers have been altered in a way we haven’t seen often, possibly to confuse some anti-spam systems. The headers indicate that the zombie addresses (shown in pink) are simply relaying the malicious emails from some higher level (yellow highlight). The higher-level addresses (which look a little like IPv6 addresses) are nonsense that cannot be resolved, and the relay names are generated from random text.
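The two tells described above (an executable hiding behind a PDF icon inside the zip, and Received hops naming relays that are neither valid hostnames nor IP literals) can both be checked mechanically at the mail gateway. The script below is an added example written for this post, not Commtouch code; the message it analyses is constructed in `build_sample_message()` and is not a real capture, and the hostnames, IPs and timestamps in it are invented. It walks the Received chain from the earliest hop toward the final MX and flags any `from` token that fails a syntactic hostname/IP check (a production version would also try to resolve the survivors), and it opens each zip attachment to look for members that start with the DOS/PE `MZ` magic regardless of their name.

```python
import io
import ipaddress
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Syntactic shape of a public DNS hostname: dot-separated labels of letters,
# digits and hyphens, ending in an alphabetic TLD. Relay names built from
# random text, or IPv6-looking junk with colons, do not match it.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
RECEIVED_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.I)


def _is_ip_literal(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def suspicious_received_hops(msg: EmailMessage) -> list:
    """Return the 'from' tokens of Received hops that are neither a valid
    hostname nor an IP literal. Headers are walked last-to-first, i.e. from
    the earliest (injecting) hop toward the final MX. Single-label internal
    names would need a whitelist; a production check would also resolve
    each surviving hostname."""
    flagged = []
    for hdr in reversed(msg.get_all("Received", [])):
        match = RECEIVED_FROM_RE.match(str(hdr))
        if not match:
            continue  # hop without a 'from' clause (e.g. local delivery)
        host = match.group(1).strip("[]()")
        if not (HOSTNAME_RE.match(host) or _is_ip_literal(host)):
            flagged.append(host)
    return flagged


def executables_in_zip_attachments(msg: EmailMessage) -> list:
    """Return names of zip members whose content starts with the DOS/PE
    'MZ' magic, whatever the member's name or embedded icon suggests."""
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data:
            continue
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            continue  # not a zip (or a damaged one); out of scope here
        for info in archive.infolist():
            with archive.open(info) as member:
                if member.read(2) == b"MZ":
                    hits.append(info.filename)
    return hits


def analyze(raw: bytes) -> dict:
    """Run both checks over a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "bad_hops": suspicious_received_hops(msg),
        "executables": executables_in_zip_attachments(msg),
    }


def build_sample_message() -> bytes:
    """Constructed sample (hypothetical, not a real capture): a zip whose
    member has a PDF-style name but a PE header, and a Received chain whose
    earliest hop names a nonsense, IPv6-looking relay."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("UPS_document.pdf.exe", b"MZ" + b"\x00" * 62)  # fake PE stub
    msg = EmailMessage()
    # Each MTA prepends its Received line, so the first one is the last hop.
    msg["Received"] = ("from zombie-host.example.net ([192.0.2.10]) "
                       "by mx.example.com with ESMTP; Wed, 30 Mar 2011 09:12:44 +0000")
    msg["Received"] = ("from 2a:4f::9c1.k3jx by zombie-host.example.net "
                       "with SMTP; Wed, 30 Mar 2011 09:12:40 +0000")
    msg["From"] = "United Parcel Service <notify@example.invalid>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "United Parcel Service notification 00290"
    msg.set_content("Please open the attached document.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="UPS_Document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze(build_sample_message()))
```

Running the script prints the nonsense relay `2a:4f::9c1.k3jx` as the only bad hop (the zombie itself has a well-formed name, which is exactly why the syntactic check must walk the whole chain rather than stop at the first hop) and `UPS_document.pdf.exe` as the executable found inside the zip. Checking the first two bytes of the member rather than its extension is what defeats the icon trick: the PE header is there no matter what the file calls itself.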

Update: 4th April 2011

An updated graph of last week showing the huge spike from Tuesday to Thursday. The outbreak is continuing today but in smaller numbers. In our experience the next stage will be an increase in spam.

  • Gloria

    I’ve been receiving these stupid UPS ones for a few days now. Very annoying!

  • http://twitter.com/joeyrutledge Joey Rutledge

    I received one of these into my yahoo email account the other day. Funny thing is when I downloaded it the antivirus scanner that Yahoo uses didn’t recognize it as a virus. Maybe someone should try and get them to go with Commtouch for scanning. :-)

  • http://blog.commtouch.com/cafe/email-security-news/ups-malware-now-sent-via-dhl/ UPS malware now sent via DHL! | Commtouch Café

    [...] In their desperation to push out more malware today the senders seem to have overlooked the required filename change – the “DHL.zip” files are now carrying  ……  UPS.exe (as distributed in the last 2 days). [...]

  • Peter

    We have received a few of them as well. When looking for info we found http://blog.mxlab.eu/2011/03/27/u201cunited-parcel-service-notification-48161u201d-from-ups-contains-trojan/

  • http://notebooks.com/2011/04/04/email-malware-increases-dramatically-prepare-for-more-from-epsilon-breach/ Email Malware Increases Dramatically, Prepare for More [Epsilon Breach]

    [...] or UPS, at one point accounting for nearly 30% of all email sent. The news comes by way of CommTouch, an Internet Security website, and is especially troubling when you consider the recent data [...]

  • http://billmullins.wordpress.com/2011/04/04/tech-thoughts-daily-net-news-april-4-2011/ Tech Thoughts Daily Net News – April 4, 2011 | Bill Mullins' Weblog – Tech Thoughts

    [...] Huge amounts of UPS and Facebook malware attachments – Virus distributors have steadily decreased their usage of email as a means of malware distribution. The more popular methods nowadays include the use of drive-by downloads as well as “voluntary” downloads of “shockwave updaters” and “movie codec files”. But the last day or so has seen very high levels of emails with attached malware. At one point these accounted for over 30% of all email received. [...]

  • MailChannels

    I was beginning to wonder if the decrease in spam was permanent. Obviously we will find out soon.

  • http://blog.maysoft.org/ Frank Paolino

    Nice posting, and interesting stats. I re-blogged this on my Lotus Notes Email blog: http://blog.maysoft.org/blog.nsf/d6plinks/FPAO-8FNUB3

  • http://www.stopspamtips.com/after-rustock-botnet-rebuilding-underway/ After Rustock, botnet rebuilding underway | Stop Spam Tips

    [...] e-mail in late March and early April. While the dramatic jump in virus-laden spam accounted for as much as 30 percent of total email traffic, it subsided soon after. Yet, the results seem to indicate that the bot masters’ attempt to [...]

  • http://www.stopspamtips.com/botnets-rebuild-after-rustock-takedown/ Botnets Rebuild After Rustock Takedown | Stop Spam Tips

    [...] e-mail in late March and early April. While the dramatic jump in virus-laden spam accounted for as much as 30 percent of total email traffic, it subsided soon after. Yet, the results seem to indicate that the bot masters’ attempt to [...]

  • http://erosionoffreedom.wordpress.com/2011/06/13/blackplague-vs-hackers-the-ups-wars/ Blackplague vs Hackers : The UPS Wars « The Erosion of Freedom

    [...] Huge amounts of UPS and Facebook malware attachments (commtouch.com) [...]

  • http://blog.commtouch.com/cafe/malware/a-wild-malware-rollercoaster-%e2%80%93-over-500-increase/ A wild malware rollercoaster – over 500% increase | Commtouch Café

    [...] – over 5.5 times the average level before the outbreak.  The attack closely resembles the large outbreak reported on at the end of March.  The graph below illustrates the [...]

  • http://billmullins.wordpress.com/2011/08/17/3-2-1-ups-malware-blasts-off/ 3..2..1 – UPS Malware Blasts Off! | Bill Mullins' Weblog – Tech Thoughts

    [...] – over 5.5 times the average level before the outbreak.  The attack closely resembles the large outbreak reported on at the end of March.  The graph below illustrates the [...]

  • http://www.jatheon.com groupwise email archiving

    I receive stuff like this on a daily basis, but if it passes through spam filters I just simply ignore it. I just know what kind of email to expect.
