The emails had a wide variety of subjects and were coming in fast and furious around 4:00 this morning:
The campaign was further confused by the fact that every email attachment had a unique MD5 hash (one of the tricks we use to cluster emails is to look for them to have the same attachment).
A query in the Malcovery Spam Data Mine shows the variety of subjects used in the campaign:
count | subject
-------+--------------------------------------------
90 | Someone showed me your picture
86 | I love your picture!
85 | This is the funniest picture ever!
85 | What you think of this picture?
84 | You look so beautiful on this picture
80 | Tell me what you think of this picture
78 | You should take a look at this picture
78 | Take a look at my new picture please
75 | Is this you??
69 | Someone told me it's your picture
66 | Should I upload this picture on facebook?
62 | Picture of you??
50 | Your friends won't be happy about that
48 | My private picture only for you
47 | Private
46 | Your picture is all over the web now
44 | Keep it secret
43 | Keep it private
43 | Could you explain please?
43 | Do you think I'm attractive?
41 | Photo of you naked??
40 | Do you think I'm 'pretty or ugly?
40 | My private photo for you
39 | Do you think she is hot?
37 | Hey check out this picture
37 | I just can't belive this
35 | You look terrible on this photo
35 | I found this picture of you
35 | My private picture
35 | To show how much I love you
35 | Please rate my picture
35 | Your wife won't be happy about that
34 | How do you think she looks?
34 | Please tell me this is your photo
33 | Shame on you
31 | Your opinion needed
30 | Check out my photo but keep it private
26 | I love you so much please check my photo
22 | My private photo
11 | What you think about my halloween costume
7 | Your wife wont like this picture
7 | Happy Halloween
6 | Check this out!!
6 | Best halloween costume
6 | Your wife will be shoked
6 | Worst picture ever!
5 | Private picture of you?
5 | Biggest pumpkin lol
5 | Halloween costume
4 | You are fucking ugly
4 | Biggest fail of the month
4 | Best halloween costume ever
4 | You are so sexy
3 | Are you crazy??
3 | Naked picture of you
3 | You like my halloween costume??
3 | WTF?
3 | Busted you naked
3 | WOW WTF is this???
2 | Please explain??
2 | Let me know if this is really your picture
2 | Check out my halloween costume
2 | Seen this shit before??
2 | LOL
1 | Spam: My private photo
1 | Can't belive this!
(66 rows)
I won't go into the technical details of how it works, but the ZIP file contained an SCR file -- an old file type that used to be a common way for people to share "Screen Saver" files. Trying to "view" the image file from inside the .ZIP actually results in the .SCR file being executed, which then downloads and executes the file "soft.exe" from the website at 91.216.163.208, as you can see from this code dump of the SCR file.
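Two defensive points above are worth showing in code: an "image" inside the ZIP that is really an .SCR/PE executable, and attachments whose MD5 is unique per message so that hash-based clustering fails. The following is an added example, not code from the original post or from Malcovery; the ZIP member is constructed (a bare "MZ" signature plus padding, not malware), and the header-hash cluster key is an assumed heuristic, not the Spam Data Mine's method.

```python
import hashlib
import io
import zipfile

# Extensions Windows runs as programs even when the name looks like a picture.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def extensions(name: str) -> list:
    """All dotted extensions of a member name, lower-cased: 'a.jpg.scr' -> ['.jpg', '.scr']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip(zip_bytes: bytes) -> list:
    """One finding per ZIP member. 'masquerade' is set when an executable
    (by extension or by the 'MZ' PE signature) hides behind an image-style name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            exts = extensions(info.filename)
            is_exe = bool(exts and exts[-1] in EXECUTABLE_EXTS) or data[:2] == b"MZ"
            image_name = any(e in IMAGE_EXTS for e in exts[:-1])
            # Assumed heuristic cluster key: hash only the first 512 bytes of the
            # member, so trailing random padding that changes each attachment's MD5
            # does not split one campaign into hundreds of single-message clusters.
            key = hashlib.sha256(data[:512]).hexdigest()[:16]
            findings.append({
                "name": info.filename,
                "executable": is_exe,
                "masquerade": is_exe and image_name,
                "cluster_key": key,
            })
    return findings


def build_sample_zip(padding: bytes) -> bytes:
    """Constructed sample: a fake 'picture' member carrying only a PE signature
    plus inert padding (different per call, like the unique-MD5 attachments)
    and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_2031.jpg.scr", b"MZ" + b"\x00" * 510 + padding)
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip(b"A")):
        print(finding)
```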
The file failed to run in our default analysis Sandbox so we had to break out the Raw Iron ... since the malware was being so paranoid, I used a camera to document what came next rather than taking screenshots in the program.
The Fake AV was called "AntiVirus Security Pro" and popped up in the typical fashion to run a "Full Scan" of my system:
While it was running, I pulled the list of running processes and found that the malware had copied itself to my "Local Settings\Temp" directory and was running from there with the name "dnn9d9n39dn93nd39b9d393d3bdb.exe" (as you can see in the CMD window behind the scan above). That file was 569,344 bytes in size.
After the scan completed, I went ahead and told it to Repair All of the threats it had found.
Unfortunately, it failed to repair some of the infections, because I was running a "limited version" of Antivirus Security Pro.
But there is HOPE! Even though "Not all threats have been eliminated." I could "Buy Full Edition" to fix the remaining 19 threats! What a relief!
When I chose not to do that right away, the Fake AV popped up occasional helpful HINTs that said "We strongly recommend activating full edition of your antivirus software for repairing threats."
Pretty darn expensive Fake AV! To the authors - please note that you are more likely to get the $99.99 for a LIFETIME license as opposed to six months. Nobody is going to pay $59.99 for a 30-day license, but we also aren't going to pay $99.99 for only 6 months! Maybe you could try 1 year, 2 year, 5 year?
Sadly, my credit card didn't clear. I'm shocked. I tried really hard to make up a valid card number! The good news is that the "Antivirus Tech Support" link on my desktop would take me back to the shop anytime I wanted to try again by visiting "techprotectorltd.com":
Fake AV IS A CRIME! REPORT IT!
Were you a victim of this scam? Whether you paid for the Fake AV or not, I would strongly encourage you to report your experience to the Internet Crime and Complaint Center by visiting: IC3.gov and using the "File a Complaint" button!