Malware SPAM campaigns
- http://labs.m86secur...ramps-up-again/
February 14, 2011 - "... over the last week, we have seen the return of two familiar-looking malware spam campaigns.
* Post Express: Package Available
* United Parcel Service: Notification
While these two campaigns have similar themes, the spam originates from different spambots and has quite different payloads. The Post Express variety originates from the Asprox spambot... The UPS themed spam originates from one of the Cutwail spambot variants... VirusTotal results for the sample* are not overly helpful, show widely varying names, including banking trojan, zbot, Bredolab and Oficla. Interestingly, when we pulled out some of the strings from the malware sample, we saw that it did indeed have an interest in banking... another string we found in the malware body was “Program Files\Trusteer\Rapport\bin\RapportService.exe”. Trusteer Rapport is anti-fraud software which the SpyEye banking trojan toolkit specifically has an evasion option for. Not being content with just banking data, the bot also proceeded to download a number of different files, including Waledac and Cutwail spambots, plus it also threw in this fake anti-virus software for good measure... two lessons from this brief analysis. First, similar looking campaigns are not necessarily the same. Second, installer bots such as these can lead to a swathe of different malware on the infected host."
(Screenshots available at the m86 URL above.)
* http://www.virustota...fea3-1297477589
File name: USPS_Document.exe
Submission date: 2011-02-12 02:26:29 (UTC)
Result: 32/43 (74.4%)
- http://tools.cisco.c...r...&sortType=d
February 14, 2011
___
- http://labs.m86secur...-spam-campaign/
February 15, 2011 - "... the Cutwail botnet changed its spamming theme this week. The malicious spam pretends to be from the FDIC... the spammer did not manage to configure the spam template correctly and left the from field still using the domain ups.com..."
(Screenshots available at the URL above.)
- http://www.virustota...1458-1297829427
File name: 7529534f159bb49113908071a3061aa4
Submission date: 2011-02-16 04:10:27 (UTC)
Result: 26/43 (60.5%)
Edited by AplusWebMaster, 16 February 2011 - 01:35 PM.