IBM and Sophos security pros report observing an uptick in spam with malicious .zip file attachments.
Security researchers are reporting an uptick in malware hidden in .zip files
being sent out in spam to Web users.
According to IBM's X-Force, there has
been a significant increase in the number of spam messages with malicious .zip
file attachments during the past few weeks.
"Normally we see that between 0.1 and 1.5 percent of all spam messages
contain a .zip attachment ... Since [the] beginning of August the percentage of .zip
spam has increased significantly," said a joint Aug. 24 blog
post by X-Force researchers
Larimer and Ralf Iffert.
Sophos reported Aug. 26 a widespread campaign of spam posing as e-mails from
FedEx with subject lines such as "Fedex Tracking number" and "Fedex
Invoice copy." As a lure, the e-mails mention a failed package delivery.
Unlike many of the other FedEx-related malware attacks in the past, the
e-mails' message about a failed delivery comes in the form of an image rather
than text-possibly in an attempt to avoid
Anyone who makes the mistake of opening the attachment is greeted with a
"[The Trojan] downloads further malicious code from the Internet,"
explained Graham Cluley, senior technology consultant at Sophos. "Obviously
the nature of the code it downloads can be changed at any time, but the usual
suspects would be spyware code to steal your log-in details, turn your computer
into a bot, etc."
Sophos has not linked the FedEx attack to any particular botnet, but as of
approximately noon EDT,
the Trojan represented a third of the malware the company was seeing Aug. 26,
According to IBM, the increase during the
past few weeks hasn't been tied to a single malware campaign or spam botnet,
and there are a few different types of malware used.
"First, [there] are some messages that contained a variant of the Zeus
v2 Trojan," the X-Force researchers wrote. "Zeus is a very common
Trojan that's generated with a kit that anyone can purchase online ... There are
a lot of ways it gets spread, but the operators of this particular botnet are
growing it by sending out e-mails with .zip file attachments. The goal
of Zeus botnets is usually to steal personal information, and the type of
information stolen is commonly online banking data that the criminals will use
to access bank accounts to transfer money."
IBM also observed other e-mail campaigns
using .zip files. One set, armed with subject lines such as "Car
& Car loan" and "Employee Orientation," used another
variant of Zeus; a third contained a copy of the Bredolab
"[Bredolab] downloads a rogue antivirus program called SecurityTool
that pretends to find viruses on your PC when none exist," the
researchers wrote. "Actually, if you fall for this one, your machine is
probably so full of malware that the fake
results are probably not too far off."