The bad guys are busy today

Got two suspicious emails today. Here is the first one.

[image]

The first thing to notice: this wasn’t sent directly to me. The address is close, but it isn’t mine. So this is some bot that put addresses in an alphabetical list and sent it out to groups at a time.

2nd thing, zip files have become notorious for spreading viruses and malware.

3rdly, I’ve been on fb all morning without any problem logging in, so I know my password hasn’t been changed.

But what if I had opened that file? Well, I tested it against several antivirus programs.

Just scanning the file directly with Symantec didn’t find anything.

Opening the zip revealed an executable waiting to deliver its payload.

[image]

Symantec 10 didn’t find any problems with this file with normal scans, but Sophos detected it as Mal/BredoZP-B.

The 2nd one was a little more crafty.

[image]

1st thing, this was sent directly to me, but to an address I use specifically for those sites which require you to enter an email address. I use this one so I can confirm but discard any junk mail they send.

I tested the link to see if it redirected to a suspicious site. No, it actually went to that site, with a doc file waiting for me.

I checked the site the file is hosted at and it belongs to:

Registrant:
R**** Z****
{Redacted}

miami, Florida 33138
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: MARCUSLAWCENTER.COM
Created on: 16-Oct-09
Expires on: 16-Oct-11
Last Updated on: 25-Jan-10

So I opened the doc file, expecting maybe a macro or something. No macros were found, and it passed my initial AV scans.

When I opened it I found this:

[image]

So why not just send me the PDF directly? Why package it into a Word document? So I looked at the properties of the “pdf”. AH HA!

[image]

Inside it there is an executable waiting to be run.

Symantec 10 didn’t find anything wrong with this file, but Sophos did detect it as Virus/spyware Rooj/Resdro-C.
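As an added example (not part of the original post), here is a small Python script that does what both emails called for by hand: it unpacks a zip attachment and reports any entry that carries a Windows executable, including one wrapped in an OLE package inside a .docx (itself a zip) and labelled as a PDF. All names and sample bytes are constructed; a legacy binary .doc is an OLE2 compound file rather than a zip and would need an OLE parser such as olefile instead of the zipfile module.

```python
import io
import zipfile

def find_pe_offset(data):
    """Offset of a PE image inside data, or -1. The image need not start at
    offset 0: an OLE package in a Word document wraps the file in its stream."""
    start = 0
    while True:
        mz = data.find(b"MZ", start)
        if mz < 0 or mz + 0x40 > len(data):
            return -1
        e_lfanew = int.from_bytes(data[mz + 0x3C:mz + 0x40], "little")  # DOS hdr -> PE hdr
        if 0 < e_lfanew < 0x1000 and data[mz + e_lfanew:][:4] == b"PE\x00\x00":
            return mz
        start = mz + 1

def scan_attachment(blob, prefix=""):
    """List (entry name, offset) for every entry of a zip, or of a .docx, which
    is itself a zip, that carries a Windows executable; recurses into nested zips."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name, data = prefix + info.filename, zf.read(info)
            off = find_pe_offset(data)
            if off >= 0:
                findings.append((name, off))
            if zipfile.is_zipfile(io.BytesIO(data)):  # e.g. a .docx inside the .zip
                findings.extend(scan_attachment(data, name + "!"))
    return findings

def fake_pe():
    """Constructed minimal MZ/PE header (not a real program) for the samples."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> "PE\0\0"
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16

def build_samples():
    """Constructed stand-ins: a zip with a bare .exe (first email) and a .docx
    whose embedded object is an executable labelled as a PDF (second email)."""
    exe, z1, z2 = fake_pe(), io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(z1, "w") as zf:
        zf.writestr("photo.exe", exe)
    with zipfile.ZipFile(z2, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin",  # fake OLE header + package
                    b"\xd0\xcf\x11\xe0" + b"\x00" * 508 + b"Agreement.pdf\x00" + exe)
    return z1.getvalue(), z2.getvalue()
```

Run `scan_attachment` on the raw bytes of a saved attachment; a non-empty result means an executable is present whatever the file is called, which is exactly the check that the plain filename and the document's own label failed here.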

As a side note, Marcus Law did remove the link and placed an alert on their website. They have made an effort to thwart any further infection. This should be an example, however, to all website admins: ensure the security of your servers, keep up to date with patches and fixes, and lock those servers down as much as possible.