It is, as Aryeh Goretsky remarked to me recently in a slightly different context, almost like Old Home Week. He was referring to recent work by a number of luminaries formerly prominent in antivirus research like Eugene Spafford, Ken van Wyk, and even Fred Cohen.
But today I'm waxing nostalgic about a piece of malware. Not one of those anniversaries that have filled so many blogs, articles and videos recently (happy birthday, dear Brai-ain….), but something that just popped into my mailbox. A malicious attachment. To be precise, an executable concealed in a ZIP file with the name NudeFot.zip, the executable being named
Give or take a few characters. The idea, of course, is that the victim will fail to notice the real (.EXE) filename extension somewhere way off to the right and out of the window, and think that they're opening a picture. A somewhat naughty picture, judging by the filename. Well, nothing new here: that kind of misdirection goes back to the heyday of mass mailers and beyond, and I remember all too well the last decade's spate of executables concealed in ZIP and RAR files in the hope of avoiding gateways that filtered files with certain filename extensions suggesting executable files or active content.
The message that accompanies it is also somewhat traditional. But it's worth reproducing to get a handle on what sort of social engineering is being used here.
From: Lisbet [mailto:email@example.com]
Sent: 07 March 2011 19:38
Subject: Re: foto
Friday, March 01, 2011, 10:35:3 AM, you wrote:
>> I miss you so much. I send you my photo.
>> Please do not show it to your family and friends.
>> Many kisses, Your Love.
Super cool foto :)
call me 2401659
As you might have deduced, I'm not firstname.lastname@example.org, but the mail reached me at an account name similar enough to make an unwary recipient think that there must have been some sort of delivery glitch. And the message text, like the filename, is clearly meant to suggest a naughty picture of some sort. Though personally, if I knew email@example.com well enough for her to send me a nude photograph signed "Many kisses, Your Love", I probably wouldn't start my response "hello angela.q.ribbentrop", but perhaps that's a generational thing.
And in case you wondered, we detect that particular file as Win32/Spy.Zbot.YW trojan. It's a backdoor/password stealer from a family we know all too well.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, We Live Security