Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Stock Spammers - Now using ZIP files

Stock spammers are massively spamming PDF, XLS, GIF, and now ZIP-based attachments to distribute stock spam.  The senders are trying to circumvent filtering controls.  I've received a number of these, and an analysis of one sample sent to VirusTotal is attached below.  It's not malicious, but any untrusted attachment should not be opened.

FORMAT OF ZIP STOCK SPAM: As an example, the subject line might appear as "OFFER" or "DOC".  There is no text in the message body (blank message).  There is only a single attachment, usually named after the subject line (e.g., "OFFER.ZIP", "DOC.ZIP").
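The shape described above (blank body, exactly one archive attachment, attachment name mirroring the subject) is easy to turn into a mail-gateway triage check. The following is an added example written for this page, not code from the blog or from SANS; the message samples are constructed inline, the helper names (`summarize`, `inspect_zip`, `matches_stock_spam_pattern`) are my own, and the extension lists are assumptions for illustration. It also lists archive members and their uncompressed size without extracting, which is the safe way to look inside an untrusted ZIP before deciding what to do with it.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple

# Heuristic from the post (constructed, not the blog's own rule): blank body,
# exactly one attachment, archive container, attachment stem equals the subject.
ARCHIVE_EXTS = {"zip", "rar"}
# Assumed list of member extensions worth escalating if they show up inside the archive.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def make_zip(inner_name: str, data: bytes) -> bytes:
    """Build a small ZIP archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


def build_sample(subject: str, body: str = "",
                 attachment: Optional[Tuple[str, bytes]] = None) -> bytes:
    """Construct a raw RFC 5322 message for testing (constructed, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return bytes(msg)


def summarize(raw: bytes) -> Dict:
    """Return subject, whether the text body is blank, and (filename, bytes) attachments."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_text = ""
    attachments: List[Tuple[str, bytes]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            attachments.append((fname, part.get_payload(decode=True) or b""))
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    return {"subject": subject, "body_blank": not body_text.strip(), "attachments": attachments}


def inspect_zip(data: bytes) -> Dict:
    """List members and total uncompressed size without extracting; tolerate corrupt archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
            names = [m.filename for m in members]
            total = sum(m.file_size for m in members)
    except zipfile.BadZipFile:
        return {"valid": False, "members": [], "uncompressed_size": 0, "has_executable": False}
    has_exec = any(n.rpartition(".")[2].lower() in EXEC_EXTS for n in names)
    return {"valid": True, "members": names, "uncompressed_size": total, "has_executable": has_exec}


def matches_stock_spam_pattern(raw: bytes) -> bool:
    """True when the message has the blank-body / single-archive / name-mirrors-subject shape."""
    info = summarize(raw)
    if not info["body_blank"] or len(info["attachments"]) != 1:
        return False
    name, _ = info["attachments"][0]
    stem, _, ext = name.rpartition(".")
    return ext.lower() in ARCHIVE_EXTS and stem.strip().lower() == info["subject"].lower()


# Constructed samples: one spam-shaped message, one ordinary message with a report attached,
# and one blank message with no attachment at all.
SPAM_SAMPLE = build_sample("DOC", "", ("DOC.ZIP", make_zip("doc.gif", b"GIF89a" + b"\x00" * 32)))
LEGIT_SAMPLE = build_sample("Q3 report", "Hi, the report is attached.\n",
                            ("q3-report.zip", make_zip("report.txt", b"numbers")))
NO_ATTACH = build_sample("OFFER", "")

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE), ("no-attach", NO_ATTACH)):
        hit = matches_stock_spam_pattern(raw)
        print(label, hit)
        if hit:
            print("  archive:", inspect_zip(summarize(raw)["attachments"][0][1]))
```

The pattern check is deliberately narrow so it can sit in front of a quarantine or tagging step rather than a hard reject; a blank body with one archive named after the subject is unusual for legitimate mail, but the `inspect_zip` result (member names, total uncompressed size, executable members) is what an analyst would want logged before deciding whether the campaign has shifted from stock spam to something that does carry a payload.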


Stock Spammers - Now using ZIP files
http://isc.sans.org/diary.html?storyid=3206

QUOTE: We have received numerous emails today regarding yet another round of spam hitting the cyberwaves.  This spam is nothing more than a new twist on the pump and dump stock market emails.  It appears that these emails include a zip or RAR file for an attachment.  Once opened, these contain nothing more than the get rich quick stock market info.  There appears to be nothing malicious other than an attempt to sway the market.

VIRUS TOTAL RESULTS BELOW:

Complete scanning result of "doc.zip", processed in VirusTotal at 07/31/2007 19:59:03 (CET).

[ file data ]
* name: doc.zip
* size: 6833
* md5.: d45288a2ea0dcebf97d5b51d918bcb70
* sha1: f13217295155a214facce79bae4b503e11b45b23

[ scan result ]
AhnLab-V3 2007.7.31.1/20070731 found nothing
AntiVir 7.4.0.54/20070731 found nothing
Authentium 4.93.8/20070731 found nothing
Avast 4.7.1029.0/20070731 found nothing
AVG 7.5.0.476/20070730 found nothing
BitDefender 7.2/20070731 found nothing
CAT-QuickHeal 9.00/20070731 found nothing
ClamAV 0.91/20070731 found nothing
DrWeb 4.33/20070731 found nothing
eSafe 7.0.15.0/20070731 found nothing
eTrust-Vet 31.1.5019/20070731 found nothing
Ewido 4.0/20070731 found nothing
F-Prot 4.3.2.48/20070730 found nothing
F-Secure 6.70.13030.0/20070731 found nothing
FileAdvisor 1/20070731 found nothing
Fortinet 2.91.0.0/20070731 found nothing
Ikarus T3.1.1.8/20070731 found nothing
Kaspersky 4.0.2.24/20070731 found nothing
McAfee 5087/20070731 found nothing
Microsoft 1.2704/20070731 found nothing
NOD32v2 2430/20070731 found nothing
Norman 5.80.02/20070731 found nothing
Panda 9.0.0.4/20070731 found nothing
Prevx1 V2/20070731 found nothing
Rising 19.34.12.00/20070731 found nothing
Sophos 4.19.0/20070726 found nothing
Sunbelt 2.2.907.0/20070731 found nothing
Symantec 10/20070731 found nothing
TheHacker 6.1.7.159/20070731 found nothing
VBA32 3.12.2.2/20070730 found nothing
VirusBuster 4.3.26:9/20070731 found nothing
Webwasher-Gateway 6.0.1/20070731 found nothing

Comments

ThinkinOutLoud said:

Maybe we need to have some central agency issue special encrypted certificates in order for anyone to email anything. If your email doesn't have a cert, it doesn't get mailed... or received by a mail server. (All ISPs would have to jump on the bandwagon.)  Then if you are caught spamming, they revoke your cert, and you're dead in the water.

# August 2, 2007 10:19 AM