The return of the mass mailing worm, and why you no longer need AV
You must have seen some of these by now.

[Image: fedex-worm.gif]

These started as purported notifications of a similar failure to deliver a package via UPS, morphed briefly into some narrative about a contract pending signature and then switched to Fedex as in this sample.

Today, we are seeing many samples purporting to be e-tickets from a variety of airlines.

These all have two characteristics in common, alongside the obvious similarity in their looks.

  1. They use time-honoured social engineering tricks to entice recipients into opening them.
  2. They are undetected by virtually every AV program (indeed, absolutely every AV program available to us).

These are currently arriving here (and being silently quarantined, though not by an active AV scan) at a rate of ten to a dozen every hour.

It's been so long since such a virulent mass mailing worm has been seen that many people seem to have dropped their guard. We've even seen users forwarding them from their personal to their business email accounts, apparently so that they could look into this problem contract during office hours.

The inescapable conclusion here is simply this. Given the ability of the creators of this malware to generate and seed new variants so rapidly, signature based anti-virus is, very clearly, completely useless.

Now there's an opportunity for you to save some money.

Cancel maintenance on that expensive AV scanner and use policies to control the flow of malware instead.
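As an added illustration of the policy-based approach argued for above (this is example code written for this page, not anything from the original post or its author), here is a small attachment filter that quarantines messages carrying executable code, including an EXE packed inside a ZIP, without consulting any signature database. The extension list, the "MZ" header check and the constructed FedEx-style sample message are all assumptions made for the example.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the policy treats as executable (an assumed list, not one from the post).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def is_executable(name: str, head: bytes) -> bool:
    """Flag by extension or by the 'MZ' PE header, so a renamed .exe is still caught."""
    return os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS or head[:2] == b"MZ"

def executables_in_zip(data: bytes) -> list:
    """Names of executable members one level inside a ZIP; a corrupt archive fails closed."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and is_executable(info.filename, zf.open(info).read(2)):
                    found.append(info.filename)
    except zipfile.BadZipFile:
        found.append("<unreadable archive>")
    return found

def policy_verdict(raw: bytes) -> list:
    """Reasons a message would be quarantined under the policy; an empty list means deliver."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            reasons.append(f"executable attachment: {name}")
        elif name.lower().endswith(".zip") or data[:2] == b"PK":  # archives are opened, not trusted
            for member in executables_in_zip(data):
                reasons.append(f"executable inside {name}: {member}")
    return reasons

def build_sample(member="FedEx_Invoice.exe", content=b"MZ" + b"\x00" * 62) -> bytes:
    """Constructed lure in the style of the post: a ZIP attachment holding one file (a fake PE by default)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    msg = EmailMessage()
    msg["Subject"] = "FedEx tracking number 123456789"  # constructed subject line
    msg.set_content("Please print the attached invoice and collect your package.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="FedEx_Invoice.zip")
    return msg.as_bytes()
```

Because the verdict depends only on what the attachment is, not on which variant it is, a freshly seeded variant is caught exactly as the first one was.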

Category: Viruses and Worms

Comments:

1. Todd Carpenter, 21/08/2008 16:29:36

I somewhat disagree with you Chris, which is very rare. We employ a layered approach to our anti-malware environment and have not seen one of these come through the defenses. I believe we are up to about 120 attempts an hour and our gateways haven't had a problem.

2. Chris Linfoot, 21/08/2008 16:50:31

We've had no problem either. But it's our policy of no executable code in emails that is blocking these, not AV signatures because the AV people just can't keep up.

I agree that security is most effective when a multi-layered approach is taken. I just think that signature based AV is self evidently one layer that just. Doesn't. Work.

At least not any more.

3. Conrad Longmore, 22/08/2008 09:16:18
Homepage: http://www.dynamoo.com/

Yes, no EXEs in ZIPs is the best thing to do to protect yourself. User education can also help... you won't be able to stop EVERYONE from being stupid, but if at least one of your users alerts you to the problem then you are in a much better position to deal with it.

On detection rate... yeah, they suck. But the EXE file that you are seeing is really an installer; when it runs it will typically unpack and download many different components, and it's at this stage that the AV software can detect something. Unfortunately, by this point the machine is infected and will most likely need an MBR wipe and rebuild.

4. Gary Cousins, 22/08/2008 09:32:54

AVG for Lotus Domino spots and removes it.

5. Ben Rose, 22/08/2008 10:33:15
Homepage: http://www.jaffacake.net

I've never seen one, it must be blocked somewhere.