Here at Websense® Security Labs, we often blog about big malicious campaigns and how our products protect our customers from them. But what about smaller campaigns that are no less dangerous?
Broad campaigns often spoof notifications from well-known businesses, establishments, organizations, and agencies, and are very widespread these days. However, smaller volume campaigns sometimes can be as (or even more) dangerous by bypassing the victim's defenses.
Last week, the Websense ThreatSeeker® Network intercepted one such campaign. This small-volume, malicious campaign targeted businesses with legitimate-looking email that refer to items like purchase orders, quotes, and supply information. All of these email had attachments that install variants of the popular Zeus malware on the victim's computer.
Websense Cloud Email Security quarantined these emails as containing a potential virus before most of the malicious attachments were detected by antivirus (AV) engines. ACE, our Advanced Classification Engine, provides the extra layers of protection that help Websense Cloud Email Security protect customers against a wide array of threats.
In many cases, AV signatures are behind the latest threats. But although ACE uses AV as one of its analytics, we found this example where AV was not detecting the threat. Other techniques such as using network behavior (volume vs. time) and reputation are very effective against big campaigns, but would not work in this case, since the volume was low. The content of these email messages looks benign most of the time, so traditional antispam rules would not work well either. This is where additional protection is needed. ACE can provide that protection and quarantine such suspicious messages by looking more deeply at their content and features, like the types of attachments, message attributes, Web links in each message, and telltale patterns in the content body.
The period of time between ACE detection and AV detection can potentially prevent a security breach at the most crucial time, averting having to "play catch-up."
Let's take a closer look at the email that were intercepted.
The variant that was most common on September 27, 2012, had subject lines like:
RE: NEW ORDER
RE: ATTACHED PO
Notice the email body looks quite benign:
There were other examples. See later in the text.
The most "popular" attachment was a file named "scan.rar," which carried the executable "scan.exe."
Here's a ThreatScope™ analysis of this file, showing the malicious behavior:
http://aceinsight.websense.com/FileAnalysisReport.aspx?rid=65EA634D5A96460CB3489AAD8A840364
Compare this to the VirusTotal report at the time that Cloud Email Security detected the threat. Only 2 out of 43 vendors detected this file as malicious:
Of course, AV signatures eventually catch up, so the situation improved to 15/43 a few days later.
Websense Cloud Email Security customers were protected regardless:
Based on the nature of the attachments and a few other key attributes in the messages, ACE determined that these email carried a potential virus and had them quarantined.
Some of the other variants were:
Subject: RE:quotation
Attachment: po.rar
Subject: Urgent Order.
Attachment: payment.zip
Subject: supply info
Attachment: payment.zip
Subject: New PI
Attachment: quote.exe
Subject: Order
Attachment: product details.zip
Subject: Please attend to my order
Attachment: quotation.zip
All of these were quarantined by Cloud Email Security based on the attributes of the message and the attachment.
Click on the file names below for ThreatScope reports that provide an analysis of some of the files contained in the various attachments:
Not in VirusTotal at the moment.
Was not in VirusTotal. After uploading the file, these were their results.
Notice the fake "quotation" PDF that opens with these files:
Not in VirusTotal at the moment.
Not in VirusTotal at the moment.
Here is the VirusTotal report for the above file.
Was not in VirusTotal. After uploading the file, these were their results.
Finally, here are some additional screenshots of other email variants (these look a little more suspicious than the first example shown above):
Do please let us know your thoughts – are you more concerned about the low-volume attacks or the broad far-reaching high-volume attacks? Send in your comments using the box below.
Leave a reply
