A Package-scam Malware Attack

October 25, 2011 - By Chris Larsen

Yesterday, WebPulse blocked over 100 attempts by our users to download a malicious executable. It's an attack type I don't remember specifically writing about in the past, so it's worth a quick post.

The sample I grabbed was named USPS_Invoice_10242011.PDF.exe. From the file name, I rather suspected that I would find that this was another spam-based malware attack, and that's indeed what the logs showed when I traced back -- but what kind of spam?

Well, the most common URL* was:

  www. usps.com.ww051.com/shipping/trackandconfirm.php?navigation=usps&respLang=Eng&resp=10242011

with a few to:

  www. usps.com.ww051.com/shipping/invoice.php

and the victims were coming from their e-mail app or Webmail site...


This sort of URL, arriving via e-mail, is a hallmark of one of the "classic" spam attacks: a message telling you that a package is waiting for you at the Post Office (or UPS, or FedEx, ...), that it couldn't be delivered, and so on. There may be an attachment posing as an invoice or pick-up instructions, but more commonly these days there's a link to a site like the one above. Note also that the URLs are built much like classic phishing URLs: the registered domain is actually ww051.com, and the "www.usps.com" in front of it is nothing more than a chain of subdomain labels, while the "/shipping/trackandconfirm.php?navigation=usps" path and query are the sort of thing you'd expect on the real USPS site. Both pieces look legitimate to a casual glance, which is the whole point.
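To make the two lure patterns in this post concrete (a carrier brand buried in the subdomain of an unrelated registered domain, plus a payload named like USPS_Invoice_10242011.PDF.exe), here is a small Python heuristic that scans proxy-log lines for them. This is an added illustration, not WebPulse or Shady-EXE logic. The log lines are constructed from the URLs quoted above (the payload's own path and the benign control lines are made up), and the registered-domain extraction is simplified to the last two labels of the host; production code would use the Public Suffix List (e.g. via tldextract).

```python
"""Heuristics for the package-scam lure pattern: a carrier brand inside the
subdomain of an unrelated registered domain, brand keywords in the path or
query, and a payload disguised with a double extension (.PDF.exe).

Added illustration; not WebPulse or Shady-EXE logic. The log lines are
constructed from the URLs in the post, and registered-domain extraction is
simplified to the last two labels (use the Public Suffix List in real code).
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Carrier brands commonly impersonated by delivery-notice spam (assumption).
BRAND_DOMAINS = {"usps.com", "ups.com", "fedex.com", "dhl.com"}
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def registered_domain(host):
    """Simplified eTLD+1: the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(host):
    """Brand whose full domain appears as a run of labels inside HOST while
    the registered domain is something else (www.usps.com.ww051.com)."""
    host = host.lower()
    if registered_domain(host) in BRAND_DOMAINS:
        return None          # genuinely on the brand's own domain
    for brand in sorted(BRAND_DOMAINS):
        if ("." + brand + ".") in ("." + host + "."):
            return brand
    return None              # hyphenated lookalikes (usps-com) are not covered


def brand_keywords(path_and_query):
    """Brand names used as bare words in the path or query (navigation=usps)."""
    text = path_and_query.lower()
    found = []
    for brand in sorted(BRAND_DOMAINS):
        word = brand.split(".")[0]
        if re.search(r"(?<![a-z])" + re.escape(word) + r"(?![a-z])", text):
            found.append(word)
    return found


def disguised_executable(filename):
    """(claimed, real) when a document extension is followed by an executable
    one, e.g. USPS_Invoice_10242011.PDF.exe -> ('pdf', 'exe')."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS:
        return parts[1], parts[2]
    return None


def assess_url(url):
    """Return a list of short reason tags; an empty list means nothing matched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    tags = []
    brand = impersonated_brand(host)
    if brand:
        tags.append(f"brand-in-subdomain:{brand}@{registered_domain(host)}")
    # Path/query keywords only matter when the host is not the brand itself.
    if registered_domain(host) not in BRAND_DOMAINS:
        for word in brand_keywords(parts.path + "?" + parts.query):
            tags.append(f"brand-keyword:{word}")
    dis = disguised_executable(unquote(posixpath.basename(parts.path)))
    if dis:
        tags.append(f"double-extension:{dis[0]}.{dis[1]}")
    return tags


# Constructed proxy log: client, URL, referer ("-" when absent). The first
# three URLs are built from the post; the last two are benign controls.
SAMPLE_LOG = """\
10.0.0.12 http://www.usps.com.ww051.com/shipping/trackandconfirm.php?navigation=usps&respLang=Eng&resp=10242011 -
10.0.0.12 http://www.usps.com.ww051.com/shipping/USPS_Invoice_10242011.PDF.exe http://www.usps.com.ww051.com/shipping/invoice.php
10.0.0.31 http://www.mailer-daemon.ww051.com/shipping/download.php?navigation=usps&resp=10242011 http://mail.example.net/
10.0.0.40 https://tools.usps.com/go/TrackConfirmAction -
10.0.0.55 http://intranet.example.com/reports/Invoice_Q3.pdf -
"""


def scan_log(text):
    """Return one finding per log line that trips at least one heuristic."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, referer = line.split(maxsplit=2)
        tags = assess_url(url)
        if tags:
            findings.append({"client": client, "url": url,
                             "referer": referer, "tags": tags})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["url"], finding["tags"])
```

The real USPS tracking URL and the intranet PDF come through clean, while both ww051.com hosts are flagged; the mailer-daemon host trips only the path-keyword check, which is why a detector that looks beyond the hostname is worth having. Hyphenated or typo-squatted lookalikes (usps-com.example) need a separate check.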


The EXE payload was well-cloaked: it was only detected as malicious by 4 out of 43 AV engines in VirusTotal when I checked yesterday afternoon. (I retried the same sample today, and it was up to 10 detections.)

In addition to the 50 or so payloads requested via the www.usps.com.ww051.com host, there was another similar-sized batch coming from a parallel attack on a different subdomain, www. mailer-daemon.ww051.com, using a page called download.php with a path and query string that looked much like the first sample above.

In spite of the low AV detection rate, WebPulse dynamically flagged all of the EXEs as Suspicious -- luckily, its "Shady-EXE" detector looks for different characteristics than AV packages do, and wasn't fooled.


--C.L.

* Note that I added a space after the "www." to avoid having the blog software helpfully try to turn the "www.usps.com" part into a clickable link (like it just did here!)