Email malware: blast from the past

It is, as Aryeh Goretsky remarked to me recently in a slightly different context, almost like Old Home Week. He was referring to recent work by a number of luminaries formerly prominent in antivirus research like Eugene Spafford, Ken van Wyk, and even Fred Cohen.

But today I'm waxing nostalgic about a piece of malware. Not one of those anniversaries that have filled so many blogs, articles and videos recently (happy birthday, dear Brai-ain….), but something that just popped into my mailbox. A malicious attachment. To be precise, an executable concealed in a ZIP file with the name NudeFot.zip, the executable being named 

nudefot.jpg                          _________________.exe

Give or take a few characters. The idea, of course, is that the victim will fail to notice the real (.EXE) filename extension somewhere way off to the right and out of the window, and think that they're opening a picture. A somewhat naughty picture, judging by the filename. Well, nothing new here: that kind of misdirection goes back to the heyday of mass mailers and beyond, and I remember all too well the last decade's spate of executables concealed in ZIP and RAR files in the hope of avoiding gateways that filtered files with certain filename extensions suggesting executable files or active content.
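The padding trick described above is easy to check for mechanically at a mail gateway or in a sandbox, because the archive's own file table carries the full entry name whether or not a file dialog can display it. The following is an added example (not ESET's detection logic and not code from the original post) that builds a constructed ZIP in memory containing an entry named in the style quoted above, then flags entries whose name ends in an executable extension and that either contain a long run of filler characters or carry a decoy "harmless" extension earlier in the name. The extension lists, the threshold of eight filler characters and the sample entry names are assumptions chosen for illustration.

```python
from __future__ import annotations

import io
import re
import zipfile

# Extensions Windows will execute when the file is opened (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user expects to be inert content; used as the decoy (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".txt"}
# A run of eight or more spaces, underscores or hyphens is treated as padding
# intended to push the real extension out of view (assumed threshold).
PADDING_RE = re.compile(r"[ _\-]{8,}")

# Constructed entry name modelled on the one quoted in the post.
PADDED_NAME = "nudefot.jpg" + " " * 26 + "_" * 17 + ".exe"


def analyse_name(name):
    """Return the reasons an archive entry name looks deceptive (empty if none)."""
    base = name.rsplit("/", 1)[-1]          # ignore any directory part
    lowered = base.lower()
    ext = "." + lowered.rsplit(".", 1)[1] if "." in lowered else ""
    reasons = []
    if ext not in EXECUTABLE_EXTS:
        return reasons                      # nothing to hide if it is not executable
    reasons.append(f"executable extension {ext}")
    stem = lowered[: -len(ext)]

    pad = PADDING_RE.search(stem)
    if pad:
        reasons.append(f"{len(pad.group())} filler characters before extension")

    # The part a victim would actually see: everything before the padding run,
    # or the whole stem for a plain double extension like photo.jpg.exe.
    visible = stem[: pad.start()] if pad else stem
    for decoy in DECOY_EXTS:
        if visible.rstrip().endswith(decoy):
            reasons.append(f"decoy extension {decoy}")
            break
    return reasons


def is_misdirection(name):
    """True when the name is executable AND uses padding or a decoy extension."""
    return any(r.startswith(("decoy", "filler")) or "filler" in r
               for r in analyse_name(name))


def scan_zip(data):
    """Map each suspicious entry name in a ZIP (given as bytes) to its reasons."""
    suspicious = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = analyse_name(info.filename)
            if reasons:
                suspicious[info.filename] = reasons
    return suspicious


def build_sample_zip():
    """Constructed sample archive: one padded decoy, one real image, one plain exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PADDED_NAME, b"MZ-placeholder-not-a-real-binary")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff")   # looks like a JPEG header
        zf.writestr("setup.exe", b"MZ-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(repr(entry), "->", why)
```

A plain `setup.exe` is reported only as executable, while the padded name and a double extension such as `photo.jpg.exe` are reported as misdirection; the point is that the archive's central directory, not the truncated name shown in a file dialog, is what a gateway should be reading.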

The message that accompanies it is also somewhat traditional. But it's worth reproducing to get a handle on what sort of social engineering is being used here.

From: Lisbet [mailto:jarrodl@webnethost.net]
Sent: 07 March 2011 19:38
To: david.a.harkness@spiritaero.com
Subject: Re: foto

Hello, david.a.harkness.

Friday, March 01, 2011, 10:35:3 AM, you wrote:

>> Hi
>> I miss you so much. I send you my photo.
>> Please do not show it to your family and friends.
>> Many kisses, Your Love.

Hello.
Super cool foto :)
call me 2401659

Best regards,
jarrodl         mailto:jarrodl@netease.net

As you might have deduced, I'm not david.a.harkness@spiritaero.com, but the mail reached me at an account name similar enough to make an unwary recipient think that there must have been some sort of delivery glitch. And the message text, like the filename, is clearly meant to suggest a naughty picture of some sort. Though personally, if I knew angela.q.ribbentrop@spiritaero.com well enough for her to send me a nude photograph signed "Many kisses, Your Love", I probably wouldn't start my response "hello angela.q.ribbentrop", but perhaps that's a generational thing.

The other thing that puzzles me is that Lisbet (or jarrodl@webnethost.net, or jarrodl@netease.net) wants me to call her on 2401659. But I suppose that's her prison number.

And in case you wondered, we detect that particular file as Win32/Spy.Zbot.YW trojan. It's a backdoor/password stealer from a family we know all too well.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Author David Harley, ESET

  • Johan

    "But I suppose that's her prison number"  Haha that's a good one David :)
