Monday, November 15, 2010

"DHL Services" Scam E-mail with Oficla Malware Attachment

Scammers are once again trying to trick innocent victims into opening an attachment containing malware. I first told you about fake DHL e-mails containing evil attachments in October 2009, a similar scam claiming to be from UPS a year ago, and within the past month I've reported on two more malware-laden scam e-mails claiming to be from UPS/USPS and FedEx.

My regular readers know the drill by now.  DHL and other shipping companies won't send you attachments containing information, tracking numbers, or shipping/mailing labels. If you get an e-mail claiming to be from such a company that invites you to download an attachment, delete the e-mail; it's a fake, and its attachment could harm your computer. So far these attachments have all been Windows malware, so if you're a Mac user, you're more likely to be immune, but don't get all cavalier and act like Macs are impenetrable fortresses of security; they're not (skim my previous articles about Mac security).

Here's a sample e-mail:
From: "DHL Services" {donotreply.s.nr6999 @} [forged From address]
Subject: DHL service. Get your parcel S.NR5944 [number may vary]
Date: November 15, 2010

The company could not deliver your package to your address.
The package was returned to DHL office.
Information about your package is attached to the letter.
Look through the information about your package thoroughly.

Thank you for using our services.
DHL Customer Services.

[Note: The rest of the e-mail contained white text on a white background, intended to fool spam filters while being hidden from the e-mail recipient. This portion of the e-mail is usually different in each sample, so I've omitted it.]
Attachment: [file name may vary]
The malicious attachment is currently only detected by 12 out of 43 major antivirus engines, with detection coming soon from at least one vendor. Most of the following information is courtesy of VirusTotal:
File name: DHL_Information.exe
MD5   : 70da9f26213bfa1b947fcc58dd854cad
SHA1  : 57cad53f527fc97ac3e88a22ce295dcd7b2a882f
SHA256: ac068ce7055505ec0e501ea816959936f5d9221651715a93d37f99b631dbaf58
File size : 74240 bytes

12/43 detection rate as of 2010-11-15 23:11:32 (UTC)

Variously identified as: Gen:Variant.Oficla.10, Generic BackDoor.u, Troj/Oficla-BA, Trojan.Agent.AQWD, Trojan.Oficla-17, Trojan.Oficla.83, Trojan.Sasfis, Trojan.Win32.Generic.pak!cobra, Trojan.Win32.Oficla.chq, W32/Trojan2.NLPW, Win32.Outbreak!IK, etc.
As I've said before, antivirus software won't keep you 100% protected—especially against new malware, as these detection rates show—so it's always important to be cautious about downloading files or clicking on links.

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

Thursday, November 11, 2010

"FedEx Services" Malware, Boonana/Koobface Update, Sophos for Mac, and Firesheep

There's been plenty going on in the realm of computer security lately.  Here's a brief update.

First, the breaking news: there's a new Oficla malware attachment spreading via fake FedEx e-mails, not unlike the UPS/USPS scam e-mail I told you about recently.  Here's a sample:
From: "FedEx Services" { @} [forged From address]
Subject: Track your shipment No445272 [number may vary]
Date: November 11, 2010

This is a post notification.

Your package has been returned to the FedEx office.
The reason of the return is - Incorrect delivery address of the package

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the FedEx office in order to receive the packages.

Thank you for your attention.
FedEx Customer Services.

[Note: The rest of this was white text on a white background, intended to fool e-mail spam filters while being hidden from the e-mail recipient. This portion of the e-mail is usually different in each sample.]
-- Wo mag mein Vater, meine Mutter sein?JULIA So waschen sie die Wunden ihm mit Tränen? Ich spare meine für ein bängres Sehnen. Nimm diese Seile auf. --Ach, armer Strick, Getäuscht wie ich! Wer bringt ihn uns zurück? Zum Steg der Liebe knüpft er deine Bande, Ich aber sterb als Braut im Witwenstande. Komm, Amme, komm! Ich will ins Brautbett! Fort! Nicht Romeo, den Tod umarm ich dort. WÄRTERIN Geht nur ins Schlafgemach! Zum Troste find ich Euch Romeo: ich weiß wohl, wo er steckt. Hört, Romeo soll Euch zur Nacht erfreuen; Ich geh zu ihm; beim Pater wartet er. LORENZO Komm, Romeo! Hervor, du Mann der Furcht! Bekümmernis hängt sich mit Lieb an dich, Und mit dem Mißgeschick bist du vermählt. ROMEO Vater, was gibts? Wie heißt des Prinzen Spruch? Wie heißt der Kummer, der sich zu mir drängt Und noch mir fremd ist? LORENZO Zu vertraut, mein Sohn, Bist du mit solchen widrigen Gefährten. Ich bring dir Nachricht von des Prinzen Spruch. ROMEO Verbannung? Sei barmherzig! Sage: Tod!
Attachment: [file name may vary]
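Both the DHL and the FedEx samples above hide their spam-filter filler as white text on a white background. As an added example (not code from the original post), this Python script separates text styled in a white foreground colour from the text the recipient actually sees, so a mail filter can score the hidden share; the HTML body is constructed here to mirror the samples.

```python
# Flag white-on-white filler in an HTML e-mail body (added example; the sample
# message below is constructed to mirror the DHL/FedEx mails, not a capture).
import re
from html.parser import HTMLParser
WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input"}  # never closed

def _white_style(style):
    # True if an inline style sets the foreground colour (not background-color) to white
    m = re.search(r"(?<![\w-])color\s*:\s*([^;]+)", style or "", re.I)
    return bool(m) and m.group(1).strip().lower().replace(" ", "") in WHITE

class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self._stack = []  # one flag per open element: is its text hidden?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        white = (_white_style(a.get("style"))
                 or (a.get("color") or "").lower().replace(" ", "") in WHITE)
        self._stack.append(white or (self._stack[-1] if self._stack else False))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:  # nested elements inherit the hidden flag from the top of the stack
            (self.hidden if self._stack and self._stack[-1] else self.visible).append(text)

def hidden_text_report(html):
    """Character counts plus the share of text the recipient never sees."""
    p = HiddenTextFinder()
    p.feed(html)
    p.close()
    hidden = sum(len(t) for t in p.hidden)
    visible = sum(len(t) for t in p.visible)
    return {"hidden_chars": hidden, "visible_chars": visible, "hidden_samples": p.hidden,
            "hidden_ratio": hidden / (hidden + visible or 1)}
# Constructed body mimicking the DHL sample: visible lure, then white filler.
SAMPLE_HTML = """<html><body bgcolor="#ffffff">
<p>The company could not deliver your package to your address.</p>
<p>Information about your package is attached to the letter.</p>
<p style="font-size:10px; color: #FFFFFF">Wo mag mein Vater, meine Mutter sein?
Komm, Amme, komm! Ich will ins Brautbett!</p>
<font color="white">Nimm diese Seile auf.</font>
</body></html>"""
```

A hidden share near half the message, as the sample produces, is far beyond what legitimate mail shows and is a cheap signal to add to a spam score.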
As a reminder, companies like FedEx, UPS, DHL, and the U.S. Postal Service never send attachments containing mailing labels or tracking numbers—and they especially won't send Windows .exe programs.

If you extract the .zip file and run the .exe application (FedEx_mailing_label.exe) on a Windows PC, it will attempt to download more malicious software onto your PC, including fake antivirus software.

The malicious attachment is currently only detected by 12 out of 43 major antivirus engines, which should tell you to always be cautious of what you download and open, because your antivirus program won't stop everything. Most of the following information is courtesy of VirusTotal:
File name: FedEx_mailing_label.exe
MD5   : b7e6a7f9f527acaac54d0dfb1b4d7d87
SHA1  : 05af292c42a2e20d45dbbc919762d3a0c2158aa2
SHA256: 0e434c9a0740ba104ef8320af39c12c599ef3a1de527ea1779d1f59e1c50a806
File size : 74752 bytes

12/43 detection rate as of 2010-11-11 22:57:27 (UTC)

33/43 detection rate as of 2010-11-13 18:30:57 (UTC)

Variously identified as: Artemis!B7E6A7F9F527, Bck/Qbot.AO, Dropper.Generic2.BTTI, Generic.dx!uqm, High Risk Cloaked Malware, TR/Bamital.H, TR/Spy.ZBot.MY, TROJ_BAMITAL.AH, Troj/Agent-PHW, Trojan:W32/Bamital.D, Trojan:Win32/Oficla.AD, Trojan.Bamital, Trojan.Bamital!gen1, Trojan.Bredolab-1027, Trojan.Generic.5074337, Trojan.Oficla.80, Trojan.Oficla.CPS, Trojan.Win32.Generic.pak!cobra, Trojan.Win32.Oficla, Trojan.Win32.Oficla!IK, Trojan.Win32.Oficla.azk, Trojan/Oficla.azk, Trojan/Win32.Oficla, TrojWare.Win32.Trojan.Oficla.~D, W32/Agent.PHW!tr, W32/Oficla.R.gen!Eldorado, W32/Pinkslipbot.gen.t, W32/Sasfis.Z!tr, Win-Trojan/Oficla.74752, Win32:Oficla-AX, Win32/Bamital.BD, Win32/Oficla.JF, etc.
Here's VirusTotal's analysis of the fake antivirus software (with a measly 7 out of 43 detection rate) that FedEx_mailing_label.exe downloads from 109.196.143 .136:
File name: avpsoft_fgdhdflgkhjkf.exe
MD5   : 7db84663de821b00423fbf3838a0030f
SHA1  : b925ffe7cb695eda324dce99a2a1f482f1b16271
SHA256: 59085adc7a91f4fc4a424ee8de925f6efcf90c7e453fdc18c26d37e6c7ed8732
File size : 987648 bytes

7/43 detection rate as of 2010-11-12 00:10:34 (UTC)

24/43 detection rate as of 2010-11-13 18:31:16 (UTC)

Variously identified as: FraudTool.Win32.RogueSecurity (v), Gen:Variant.Kazy.3155, Generic.dx!uqn, Heur.Suspicious, Mal/FakeAV-DO, Medium Risk Malware Dropper, Rogue:Win32/Winwebsec, TR/Kazy.3155, Trj/CI.A, TROJ_FAKEAV.SMES, Trojan.Agent/Gen-Backdoor, Trojan.Fakealert.19447, Trojan.Win32.FakeAV.rnh, W32/FakeAV.ABDX, W32/FakeAV.DO!tr, W32/Kryptik.ZZ!tr, Win-Trojan/Fakeav.987648.DU, Win32:FakeAlert-ST, Win32/Adware.SecurityTool.AD, etc.
See the Web of Trust report for showtimeru .ru and a couple of Russian IPs to which the e-mail attachment phones home and attempts to download additional malware:
Since a lot of people asked about this last time, I'd like to remind readers that Windows .exe files can only infect Microsoft Windows operating systems.  If you're using a Mac, Linux, or other operating system (and assuming you haven't installed Parallels, VMware, CrossOver, Wine, etc. to enable you to run Windows apps on your Mac) you can't be harmed by accidentally downloading a malicious Windows .exe application.

Second, an update about the Boonana/Koobface malware, which I recently mentioned. A new variant is circulating according to reports from ESET and SecureMac, and even Microsoft's Windows-only antivirus product is detecting the Mac version of this malware. (Components of this malware are variously detected as Boonana, JAVA_JNANA.A, Java/Boonana.A, OSX/Koobface.A, Troj/Boonana-A, Trojan-Downloader.Java.Alboto.a, Trojan:Java/Boonana, Trojan:MacOS_X/Boonana, Trojan.Jnana.1, Trojan.Jnanabot, trojan.osx.boonana.a, trojan.osx.boonana.b, Win32/Boonana.A, etc.)

As I mentioned previously, disabling Java and being careful to not click on suspicious links on Facebook, Twitter, other social networks, and unexpected e-mails should help you avoid malware of this type.  If you're on Windows, I recommend uninstalling Java, and if you're on a Mac, I've posted instructions for disabling Java on Macs and a link to get SecureMac's free removal tool (which has been updated to remove the new "b" variant). Of course, it would also be wise to install antivirus software, which brings me to...

Third, commercial antivirus vendor Sophos recently released their antivirus software for free to all Mac users (for personal home use only).  You can download it at

Fourth, I thought I should at least briefly mention Firesheep, since it's been in the news a lot recently. Firesheep is an add-on for Firefox that makes it incredibly easy for anyone to hijack someone else's unencrypted Web browser sessions, allowing wannabe hackers and script kiddies to, for example, break into the Facebook or Twitter account of someone who's sharing the same public Wi-Fi hotspot at the local coffee shop.  It doesn't just allow bad guys to break into social networking sites, though; also affected are Amazon, Google (except Gmail), Bing, Windows Live, Dropbox, Flickr, The New York Times, and other sites. Firesheep has already been widely distributed, with more than 721,000 downloads in under 3 weeks.

The best way to avoid getting hacked by Firesheep users is to use a VPN (a secure remote connection to a private network, for example securely logging into your home computer and using the browser on that computer rather than browsing directly from your laptop, iPad, or other device on an unencrypted Wi-Fi network). Using the EFF's "HTTPS-Everywhere" Firefox add-on (whose name is actually a misnomer, since it can't enable https:// for all sites) can help force secure connections for only a handful of specific sites, while sessions on other sites will remain vulnerable. Public Wi-Fi providers (Starbucks, McDonald's, hotels, etc.) can help protect users by enabling WPA/WPA2 encryption and giving out the password to guests, rather than providing unencrypted wireless networks (see the links hereafter for details on how this works). However, perhaps the best way to fix the problem is for every Web service provider to encrypt the full browser session, not just login pages. Start encouraging the sites you use to enforce https:// access to all pages of their site to protect their customers/users from Firesheep session hijacking. For further analysis of Firesheep, see Steve Gibson's blog and audio podcasts (with searchable text transcripts) here and here.
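What a Firesheep user captures from an unencrypted session is the site's session cookie, and the server-side counterpart of sitewide https:// is marking that cookie Secure so the browser never sends it in the clear. As an added example (not from the original post), this Python script audits constructed Set-Cookie headers for that gap and shows the hardened form; the Secure and HttpOnly attributes are standard cookie attributes the post itself does not mention.

```python
# Audit Set-Cookie headers for session cookies that can travel over plain HTTP
# (added example, not from the original post; the headers are constructed).
# A cookie without the Secure attribute is sent on http:// requests as well, so
# on an open Wi-Fi network a passive sniffer can copy it and replay the session,
# which is what Firesheep automates. Sitewide HTTPS plus Secure on the session
# cookie closes that gap; HttpOnly keeps page scripts from reading the cookie.
from http.cookies import SimpleCookie

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")  # names worth protecting

def audit_set_cookie(headers):
    """Return (cookie name, [problems]) for each session-looking cookie at risk."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not any(h in name.lower() for h in SESSION_HINTS):
                continue  # preference cookies are not worth stealing
            problems = []
            if not morsel["secure"]:
                problems.append("missing Secure: sent in clear over http://")
            if not morsel["httponly"]:
                problems.append("missing HttpOnly: readable by injected scripts")
            if problems:
                findings.append((name, problems))
    return findings

def harden_set_cookie(raw):
    """Rewrite one Set-Cookie value so the cookie only ever travels over HTTPS."""
    jar = SimpleCookie()
    jar.load(raw)
    (morsel,) = jar.values()  # one cookie per Set-Cookie header
    morsel["secure"] = True
    morsel["httponly"] = True
    return morsel.OutputString()

# Constructed responses: a login session cookie issued without Secure (the
# Firesheep-prone pattern), one done right, and a harmless preference cookie.
SAMPLE_HEADERS = [
    "sessionid=0123456789abcdef; Path=/; HttpOnly",
    "auth_token=9f8e7d6c; Path=/; Secure; HttpOnly",
    "lang=en; Path=/; Max-Age=31536000",
]
```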

UPDATE, 13 Nov 2010 @ 10:50 PST: Added additional malware names and current detection rates.
