New DHL Notice Campaigns Deliver Backdoor Threat

By Matthew Hines  |  Posted 2009-10-29 Print this article Print

Researchers with BitDefender are tracking the emergence of a new spate of phony overnight delivery notice attacks, calling out a set of threats currently in circulation that attempt to create backdoors that leave affected machines almost completely under the control of their assailants.

The attacks also utilize popular rogue AV scanner techniques to further entrap users, giving them a decidedly staged effect.

According to a recent blog post authored by BitDefender expert Andrei Berczki, the multi-tiered campaign first arrives in users' in-boxes posing as a notice of a failed package delivery from carrier DHL, encouraging recipients to click and download an attachment that promises to allow them to pick up their shipments in person.

The attachment, obfuscated as a zip file, instead infects their device with a Trojan (labeled as "Trojan.FakeAV.VH") once executed. BitDefender is identifying the involved e-mail/spam campaign as "Glecia" and said that it cannot propagate itself, and is therefore dependent on third party interaction to get passed along among users.

After implanting itself on a device, the attack then operates a typical fake AV scanner approach, marketing itself as "AntiVirus Pro 2010" and eventually launching malware infection warnings that push end users to download additional programs promising to help rid their machines of the reported issues.

People who follow through and download the advertised AV utilities predictably end up with the gaping backdoor, leaving their machines open to a litany of subsequent attacks, Berczki said. The expert noted that the involved attackers have typically employed the access point to attempt to connect infected machines to a Russian domain to receive additional commands.

Among the orders that the researchers have observed being sent back to machines so far include commands to forward additional system information, open specific URLs (likely leading to poisoned URLs or propping up click fraud schemes), delete files, and even delete all files from root, including any resident Windows and Program Files folders.

Attacks that use fake delivery notice and AV scanner techniques to dupe end users may seem like old hat by now to those who follow the crimeware industry actively, but clearly they must be working somewhere for scammers to continue to invest development cycles into the threats.

So, if you're not expecting a package, and don't remember downloading any new AV clients, you're obviously being targeted by attackers if this one shows up in your in-box.

Keep an eye on that backdoor.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel