Researchers Warn of .Zip File Spam Surge

IBM and Sophos security pros report observing an uptick in spam with malicious .zip file attachments.

Security researchers are reporting an uptick in malware hidden in .zip files being sent out in spam to Web users.

According to IBM's X-Force, there has been a significant increase in the number of spam messages with malicious .zip file attachments during the past few weeks.

"Normally we see that between 0.1 and 1.5 percent of all spam messages contain a .zip attachment ... Since [the] beginning of August the percentage of .zip spam has increased significantly," said a joint Aug. 24 blog post by X-Force researchers Jon Larimer and Ralf Iffert.

Sophos reported Aug. 26 a widespread campaign of spam posing as e-mails from FedEx with subject lines such as "Fedex Tracking number" and "Fedex Invoice copy." As a lure, the e-mails mention a failed package delivery.

Unlike many of the other FedEx-related malware attacks in the past, the e-mails' message about a failed delivery comes in the form of an image rather than text-possibly in an attempt to avoid anti-spam filters.

Anyone who makes the mistake of opening the attachment is greeted with a Trojan.

"[The Trojan] downloads further malicious code from the Internet," explained Graham Cluley, senior technology consultant at Sophos. "Obviously the nature of the code it downloads can be changed at any time, but the usual suspects would be spyware code to steal your log-in details, turn your computer into a bot, etc."

Sophos has not linked the FedEx attack to any particular botnet, but as of approximately noon EDT, the Trojan represented a third of the malware the company was seeing Aug. 26, Cluley said.

According to IBM, the increase during the past few weeks hasn't been tied to a single malware campaign or spam botnet, and there are a few different types of malware used.

"First, [there] are some messages that contained a variant of the Zeus v2 Trojan," the X-Force researchers wrote. "Zeus is a very common Trojan that's generated with a kit that anyone can purchase online ... There are a lot of ways it gets spread, but the operators of this particular botnet are growing it by sending out e-mails with .zip file attachments. The goal of Zeus botnets is usually to steal personal information, and the type of information stolen is commonly online banking data that the criminals will use to access bank accounts to transfer money."

IBM also observed other e-mail campaigns using .zip files. One set, armed with subject lines such as "Car & Car loan" and "Employee Orientation," used another variant of Zeus; a third contained a copy of the Bredolab downloader.

"[Bredolab] downloads a rogue antivirus program called SecurityTool that pretends to find viruses on your PC when none exist," the researchers wrote. "Actually, if you fall for this one, your machine is probably so full of malware that the fake SecurityTool results are probably not too far off."