Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Spam Traveling with .SCR File Attachments, Trojans in Tow



 By: Brian Prince
2007-11-21
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Updated: Websense and MessageLabs uncover a spam campaign that is using .scr file attachments in targeted attacks.

Security researchers uncovered a spam campaign Nov. 19 targeting senior level executives that utilizes .scr file attachments to spread Trojans. Such file extensions are typically associated with Microsoft Windows screensavers.

The campaign is one of two reported by MessageLabs. The first wave was aimed at banks and financial institutions and claimed to come from the United States Department of Justice; the second, reported some 3.5 hours later, did not use an .scr file and was aimed at a variety of organizations and posed as an email from the Better Business Bureau, said Paul Wood, an analyst with MessageLabs.

"Some organizations are targeted more than once with e-mails for more than one person at the same organization," Wood said. "In the first run, the subject contains the full name of the recipient and the full name of their organization. The attachment is a .zip file containing an .scr [executable]. In the second run the attachment is an RTF file with a .doc extension, but contains an .exe that appears to masquerade as a PDF."

Resource Library:
Early analysis suggests the attachment installs a backdoor remote access Trojan of some kind, potentially for stealing data, he said.

Click here to read about an e-mail phishing scam targeting credit union executives.

The spike of spam was relatively small—the first wave consisted of 472 messages, and the second wave topped out at 462, according to MessageLabs. However, what makes this activity significant is its similarity to profiles of earlier attacks by the same group, Wood said.

"The originating servers appear to be compromised or under the control of the senders. Almost 60 percent are in the United States, and almost 40 percent are in Japan," he said. "They are real servers, not botnets."

Researchers at Websense Security Labs reported the spam attack posing as an e-mail from the USDOJ claims a complaint has been filed with the USDOJ against the recipients company. The e-mail urges recipients to open the attached "complaint," which will unleash a Trojan, Websense officials said.

"We have seen approximately 175 unique e-mails [on Nov. 19]—low volume for this—and approximately 25 as of today," said Dan Hubbard, vice president of security research at Websense. "We do not have details on who is sending the mails; all information is spoofed."

Wood said an .scr file attachment should arouse suspicion because it is not a legitimate document file format.

Correction: The story previously stated incorrectly there were two separate spam campaigns involving .scr files.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Spam Traveling with .SCR File Attachments, Trojans in Tow
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}ks㶲*Q3CO#d[mXVi)S$IV˭_zВ6ЍFh|GggD]ݴ1p͙M55|zg`HRsgޅ-34 @oRQP ĠxnwݶN`P'~ > \?g3U;Y|R(áh] ]( ѼeMGQR`F Cw*Nul9 Q)+X^DP~FDM:ǎ-4rwN̚0/PcwҴdh-vu=yͨ /B1r!f-{4ɿTݱ[ L=iLVG;%0ýtf?Dk> NZ] ZSˆ辥{$)5< \g4QL1H6}~8IZ QK68VR`?Ķh¹p\.* }= :ԍ۱|$ .j.9a&ԃ C(p}=\'BL|:j/Eӝfؖq[th(V*Z]QKru_):?Wcm9 2+[ѾK\(Uu7ںs m%k%ms|uO}~N6ox9vtx//;YHM~c/DJ V4D-āY^:G5=(ǭ~㖯[%MR?4,fϷ 3+i3*,GQD~6/NM㳣Nl,aV4*2V]鮘FȏwAժsyҽ59i{ ݙOtHM Wh:s0N/z 6O{uH0kh`cR^ٗ ?td[W;Ǥ MXO'_gs`HםBm۲ܾ,BZKEka(7fhX@?$eR2-L9X@/@שS A4VtBm&T7oh2 4 .ϬFh-Aho*K>Lr &@Sk~$GM ]sΚb.L2<|)=mZ—W/(AK/ ڊ5|*(if);΀/3A.r)i" 6=aB+^뻹(4l=j\G֛esJ֖t];3Eя1-+}7Oۭ ]u/{]tZ0*>cq4Y`A-. 8ǹ:on:j~b:??JjexQW_W, FKP̶#ؠe)u{yNmNR'})5ٴ1'4}t>'჎$>h&ƋCriYnL,rӇtw@N{ݧn]=&tfo/*Abχ& ahMi5 >F#m &>vl 8d $(s>w[L,)0( JC=ˋF0P6 = 2/?>aCxwݐ,P}@=XS9;ݲeǀԜ:;r%Ea1C.O)))I.B$(ZȻ"!Aly [$t Xhl++~#~vGBj+6ODs@PGҹ;vjP)̄rZ z)2ٜʬ$3Mf X*ȉ#o"0%X ,gZ Xk5Ʋ fj~iڛ,Â%1A.ϼG36I `0ED$%\Ew,Ofzn8 Iϵ(a6Ê0ӊYsƾ sF~GM'9X0N,cBb+H5LôLhD,iocsYlE^\'1nuC\f{aMv"Vv6P0*FSMzB9;m9PMMUPS7˕L<+׬UPM g2)*[hs<8:[(O7\EYbꞦ5XScX`D~wzb0qm/n)NaV|\vΖuVkͲG{_No6ʞviXZ @eY mc-׾0^Ԣ,Q|u$"!lsiŰ,B /0|:Cb&^fthQ?mM*`5:m _&TYV0>2ei[[ahd[ʸAfJg~c &*d ë?v=kOGn&zϐ|pP9g3?磔YTp$480T]2akRhj]Maf(0q |0b=9ߟ{8[=z,.K i{y]ؕ.[R\|znN > z4'Z>pd`/R=:¿uouj)ՃI ,䧒ZQJ~&[b"ud\6˰@eִ &;rm۽' zfdݙ(yR+rf!9֐I4U$\ ؕGQ,~lanEk 5!70MC LK=9޻ئQ7Ϗ9(gd%d)'HV/굄ЪZZfAq{ 8pG#}y>W&7XfeY: ~_m^J39X>>: '012&z@j9ajv6 (&Lt0Ȑ%=Wl0۩t>ztVPBK&nƚ73}&mno^D{x<c۝ErN?dZIp|avKrekH˷bgfo餙E@<sU*)[LbT~\3gbg]a+w22Owž_FpapgH7ng|/ U;I9TYb5J9ޣ0)6@yb#kUa bȈCzfzJ$>3?^if?}T*JZӳ$*+@:erz埍8jKCߪ 车m48 Z&IEyĘ 3^6"B@ ˸tOלY0pz!vB3ZOUc)zF A0ע:]wVO1Ok7tEh[(kx,VbsZ;t1?x>6Bz?$Y^3/pǻ"TS8L,ӤN)fTDіxi'>fax!wl q%ӝr* oBٸEO[,lmSsSdAGJ脚fye5-eH5NRMLC]OC/%$;kB6zs gaM6mn3jt.o6Dr0&@v\f(Ӑ` qΣ@P)V-<(m1> QZ4ղoeW!= lj9l01!tQ^rVTSu&Ա™OH1D:n;WQ杊'cv,Q7&}Z9} DK{,i;;坠P.FsgOɍ2 Xw= Zt Ud_Rxa9yhSr9nkҺ?5L0c,H~ ;'|$A1|MuSOF 95C/3r¸E}l(=hGt?vJow{ѧ}E4 7tRTsd;i6ӱ$BUU+jۻA\EVe.tٓN|;9qi ,F}d3D?yiВ11>onR;-4zC@AcIU~(TR.fO"J骇\v%(c]MU,^RRMJ>^'k@" bY_BIKwvzkYXxlSOo ?ֈ '|Ȟ8^jѼc)輳2 [a[C؞qaLpx2HC%6÷Fp7N Ϧf_ O%FJ ,Q`mZ،9!/hvpmU4bZy"N0) W_M7⎍zkQ$g |o(o&򽡎xk5) kNW&/6o).w?дg=.0(yS/4 K[⹋^]:lMo %n:;-gsX#goEw8)Cat#g'w˥haGLX)@2< ,vFue"#L'fo6 w2@=RcyV.`YXz8t "Zd!b!#hĐؙY -)DYє\GolsӚ˗ mATUorF{qAr1[j`Rޕ'/tH}Uw$uTRcCpX" ,"8[S B~ ݞ}Szqar!,t4 Fw;xX8"d[IsmV[TER6UI(S~Ya uó~%>H[_a!L3pq\+/? ROdIaU"Xb*b62W2UeAX*onT_|[S[pU:xj^,Csxg:9!PB `.mnS{[)Kz pӣ<QQI^T90AVt21mn\uK~{QQ ;M͉(pZMMMMteT+?MWNMJm=$&Js=: :Ds-Pߦj_xb\Y 4וl8L/kJGbEEԺ&P q0v&|wp:"I-.]}G Ck[IPٮ;6BFP%*QbH! l!0mD'g!nfq! kʙv/Ǿ5eK|\c_?>j Ʉj>\,%L}[=9X}'@E&]|p= 94s 7sL ũ;$]Uz/f5C> {IףA1U7g $X/?:4|w;u0i8ltx;b%&B%Ƣ=fӇʟj82cwkZ7d` Y#=M>f+@/;E(ZF aI IeL'kA>>ͧ]C'y@y@y@y@@z^x@{L6@>XR{6>| "ڈA@=~ "`_:hcc7ŵib {L+a#,0IBՎ԰RZs(?I暂wB,GU; {猜 썯l60Bn-Fu%O .fAxߥ9ۼvM~))VW>8#|; ˵zMAmǠtz)h<ta8/~677 IČIS>nx}t`}\lw=}B O oq*d 4B3E077WhKIg0 #~嚆5wg3rPeGi敮uEYӭy[Н;_%: RΫ*Z/|(;v OK6oy䞛qnzr'D%R|w4 MƿZǃ2pB˝pblZC؆_߳  ZRˬkDI3Ʊ).b*NhVP2QTKoy^dH`?&M%5>ZG ^b+\ B,vaDȡ-b᫫1ʵm <߉y!,tqZ4zm,OZj*bdFyAx!Fv;Kb+6Q{$Ip+jj5&A^Ve"1ckzzD,?t"RVЮ(> 0>B,@FpxIYL˃=QʹE3, Y覟K15\R{\.he,zUdI+2&/ czRO&7Sj9椷 O=#T|T|SHU% & 0Zp>b\y zܑhschCy?Vz^3!=-Bn&(kxzJ2Ko^;C'ܬDM- ܮrǞܐ@p찌o?1=7w$ d߇n-& ~iXr>H'*t}jhTjʴJ &fzVCTj~Ew(/9囌}yj]SjZYS#({c9jXrɵFY5Kt/}ZpY$XkO:Vga^N0wRʥz5y[9iThkHу%.Q&Z:<}Q-mEJ)!gBqK @xl9 c=ZF]j(djW>S4H vH 㽽WԄn$5DX#%NgNON}NLUtMЭT2^@yj >#Թ|I_tyZܾ\`{|oEZ`3+nsl+ZKɶ8+YlwAQgg)q8 @Lwt0 D!?O Ki~RJHuTW"Yu?lg՚M,?z`hîֿ|Ɉֲs%0?5&GSxcLW<00t#PγjNT\OpY}XC3 CL^\}ĭRA+oS[YS_D_dqmmB+n$&}&`Cqqt7%eZS[ٓk8GG_ 6f^FGZQ)MG)Y}o {cb2zވ5pb XZ`Oh$}bܞ-RWldb"@՘`_پi? ?:};ozxX23dP_[{ouB}NG :fxr'O⺢ 2l,a]ą*`աu?䏃ِ O>!F|1[GB(W9$#M9[[Ѿp}S1";9'pp\pr@K@L+2&Bs879࿿_zLi}nOKZ&9a k(E$0oLUۈ( nc36#|- 07m]S0lOpW'ACjs`b6\]:ovN5j' P=:YXBj@̐0(ˏIJ uXZFB(s ֞Oou7@F`p3W VjMDO"ӁRs]j%u\]❴YU^&*_^Ӕ^*BI] / (HZ W{}GCHIPk;9f5h]]&k"6}<_w%9jwooW[u{{sپ\1Ϣ31F;d6ME`9,eiE)3C9lꌹ6Wc\sxYx鎾(ah,.6ytg$;G(%lFyї51o&>uyBup:ϏПxu3K_,fyPM/ǭ}hj4=V0.8SL^}'vn<))-VNyʻ9'@vN1/?=}N:Yg}yC:9CL2^S?/?9ak^ȃȡ">E9yyß(9_~O9gP~S(GN_^%e\]_O7GtAtsU\W9_\O{99k}G௏9 ?~rC(+h&࿛Ku3Ay+GZWpz~;29)G9R{WKӜ}(gUsVnVa{CjgU_/Gޫ@Isu=I+ťfW*7yKxM}%ks5vkYAm{} yW /"yeo2)AQFgG6+.ȭ-'Hl]=g%%x=0?Mu{1پWߕ\~UnE+tq22#s"qG\%[n3'rcvD4k{HO9|\z[,G$q=PW].6pqS0n+ 4` +v](73-"';ZʈPsvdmoCd y^$ٝx|G]Vl<-t&n\eyf(/@FA@>u VqF`^u= !:i>m=]wrl#kvܙ%3H_/A>ك;=~`ɞ<39L$~gi+-x=%4Id`'4s `-C{)B9 H|\k<##1苌Y Mc{Vkͅ*u8w i#:4.o N甽aCm5u;WeԦu"vHϵg98X0D00Y~l+>FՋpaHzBGa|o5J(KESXn Ղ]#rF331#qyU YT8T"?zGmÜz)JJ)@bފRΥJu^wm [c3SY,> V_dvO~%B+*π ̅zF>K:S3U)ւ_/gзǁ/;K{KV9((& ]a1W%$}HRͤ_[=$sDJrE)ߠ(b/<% *`>=.X&">m<'6}Fu;H "@"dr%ȼ˖) Mm+#84#>1zEy?ĵ Maz:SAW (9|d@loM]-1ue|nHJUƧf2{O]!(ْ0?Fu:h/Asl2qV[ +"  KmӴ1u¥"UXJNRX,8. kl9i3;\r$c<[_Eڵ<oc3)+~`[wt%(5x2;v͆LVe؋$| _[0~X+m˕bA<\n2?>%i#{@ =(ۊnfT| %`GYU`Z+v#q얢U.nDODNű<<Sf}')VSL_X1_Q>q&g\ƕEy@Xqө8Yo?.)ZwByڽKRI>Q}v,:~vҎ.3Jbq')iwޟVwϻ XںqKZ_w?^HQEeiNђu',!ջjt.ߧ+e=;P7 r̳ś|G`bhPlyPVKG36HZ\֓}\/mt;Ǎo=F駰a9TU>\JBS+4WY/WgЧTN&N⇅ wm&l2)v}mb-c6C-;=&