Turiel said that it appears that one group is behind the recent surge in malware-laden emails because the malware is similar. “Using our malware detection software, we have detected similar strains, variants of the same malware. So it seems to be coming from the same place. The amounts are so vast that it appears to be an orchestrated attempt to send out waves of a particular type of malware with some aim in mind.”
The surge, which began in early August, reached a peak of 25 billion malware-laden emails in one day, Turiel noted.
A review of several end-user forums revealed that the email campaign has been successful, with many users having opened the malware attachments, Turiel wrote in a blog post. Once opened, the malware contacts external servers and downloads several other malware files, which are then run on the infected machine. The purpose of these files is unclear, he noted.
One of the servers is registered in the Russian domain .ru; two others are in the .org domain. “So it is difficult to know where they are based”, he said.
“The problem at this stage is that it is not clear to us…exactly what the next step is. A small percentage of the malware is for phishing, but the majority is malware that is basically creating a huge network of bots under the control of some cybercriminal somewhere”, the Commtouch researcher observed.
He added, “It’s not clear what the next step is, what the huge botnet that has been created is for….It’s an interesting mystery.”
The emails use various ruses to trick recipients into opening the infected attachments: “UPS/FedEx”, in which recipients receive a notification of a package that is due to arrive or has been held up, with more details promised in the attached notice; “map of love”, in which juicy information about global sites of interest is promised, with an attached map that displays a PDF icon but is actually an executable file; and a “hotel charge error”, in which recipients are informed about an erroneous hotel bill.
For the hotel charge error email, the attachment’s filename uses special text that reverses the display direction of the last six letters of the filename. Instead of “cod.exe” the user sees “exe.doc” and assumes that the attached document will provide details about the incorrect charge, Turiel explained.
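The filename trick described above relies on Unicode bidirectional control characters, which reverse how a run of text is rendered without changing the bytes the operating system uses to pick the file type. The following is an added example, not code from the article or from Commtouch: a small mail-gateway style check that finds such control characters in an attachment name, reconstructs what a naive viewer would display, and compares the displayed extension with the extension the OS will actually act on. The sample filenames are constructed for illustration.

```python
import os
import unicodedata

# Unicode bidirectional control characters that can make a filename render
# differently from how the operating system interprets it.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING (ends an override)


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def true_extension(name):
    """Extension the OS acts on: drop the controls, then take the last suffix."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()


def displayed_name(name):
    """Approximate what a bidi-unaware viewer shows: text after an RLO is
    rendered reversed until the next PDF or the end of the string. This is a
    simplification of the Unicode bidi algorithm that handles the override case
    used in filename spoofing; other controls are simply dropped."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            segment = "".join(c for c in name[i + 1:end] if c not in BIDI_CONTROLS)
            out.append(segment[::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def assess_attachment(name):
    """Flag a filename whose displayed extension differs from its real one."""
    shown = displayed_name(name)
    real_ext = true_extension(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    controls = find_bidi_controls(name)
    return {
        "original": name,
        "displayed": shown,
        "displayed_extension": shown_ext,
        "true_extension": real_ext,
        "controls": controls,
        "suspicious": bool(controls) and shown_ext != real_ext,
    }


def scan_attachments(names):
    """Assess a batch of attachment names; returns one result dict per name."""
    return [assess_attachment(n) for n in names]


if __name__ == "__main__":
    # Constructed sample attachment names (not from the campaign described).
    samples = [
        "hotel_bill_" + RLO + "cod.exe",   # displays as hotel_bill_exe.doc, runs as .exe
        "invoice_2023.pdf",                # ordinary benign name
        "tracking_notice.doc.exe",         # double extension, no bidi trickery
    ]
    for result in scan_attachments(samples):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} shown={result['displayed']!r} real_ext={result['true_extension']}")
```

A gateway would typically quarantine any attachment the check marks suspicious and log the control characters found; the double-extension case is left unflagged here to keep the example focused on the bidi trick, and a real policy would add its own rule for it.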
“What we know about the malware is that once someone clicks on the .exe file and runs the file, it would then go onto the internet and download additional files from servers all over the world, and then it would run these files as well”, Turiel related.
Turiel’s blog entry concludes: “To be continued…(maybe).”