Credulity revisited
QV this blog here.

Has the world virus speed record been broken yet again?

A little background first: We have quarantined all emailed .exe files on sight for some time now. A few users still insist on sending self extracting ZIP files, so we can't just silently drop them (unlike other "executable" files, which we do silently drop, such as .pif and so on).

Came in this morning to find an impressive number of quarantined items sitting in the Trend quarantine log. Carefully extracting one of the blocked executables and running my local virus scanner over it, I found nothing amiss. But clearly the message was a virus. Plenty of telltale signs:

  • Since when did Microsoft ever send patches to users by email?

  • Spoofed sender and recipient addresses (envelope addresses in MTA log were different every time)

  • Wording not wholly consistent with Microsoft style (possibly "Engrish"), for example: "Install now to protect your computer from these vulnerabilities, the most serious of which could allow an malicious user to run executable on your computer."

  • Several of these messages were apparently bounces, but analysis of the headers reveals that the "bounce" is forged.

  • A few used an old, long-patched MIME trick, attempting to conceal the executable in a MIME part that is then referenced from an <IFRAME> tag via a cid: (Content-ID) URL so that a vulnerable mail client renders and runs it

  • Most are indeed .exe, but a few are .pif or .scr (generally the "bounces", using the broken MIME exploit)

  • ... and so on and so forth
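The telltale signs above, and the gateway policy described earlier (quarantine .exe on sight, silently drop other executable extensions), can be turned into a mechanical triage. The following is an added example, not code from the original post: it parses a message with the Python standard library `email` package, reports which of the indicators it finds, and returns the gateway action. The sample message and the exact extension lists are constructed for the example; the indicator names are made up here.

```python
"""Heuristic triage of a suspect 'Microsoft security update' mail.

Added example (not the post's own code). Encodes the telltale signs from
the post as checks over a parsed RFC 2822 message and applies the stated
attachment policy: .exe goes to quarantine (it might be a legitimate
self-extracting ZIP), other executable extensions are dropped silently.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extension lists are an assumption; the post names only .exe, .pif, .scr.
QUARANTINE_EXT = {".exe"}
DROP_EXT = {".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}

# <iframe ... src="cid:..."> : the old MIME trick for auto-running an
# attached part in an unpatched mail client.
CID_IFRAME = re.compile(r"<iframe[^>]+src\s*=\s*['\"]?cid:", re.IGNORECASE)


def attachment_names(msg):
    """Filenames of every part that carries one (containers return None)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def indicators(msg):
    """Return the list of suspicious indicators found in msg."""
    found = []
    from_hdr = (msg["From"] or "").lower()
    return_path = (msg["Return-Path"] or "").lower()

    # Microsoft does not push patches by mail, so a From: claiming
    # microsoft.com on mail like this is itself a red flag.
    if "microsoft.com" in from_hdr:
        found.append("claims-microsoft-sender")
    # Envelope sender (Return-Path) disagreeing with From: is the classic spoof.
    if "@" in return_path and "@" in from_hdr:
        rp_domain = return_path.split("@")[-1].strip("> ")
        fr_domain = from_hdr.split("@")[-1].strip("> ")
        if rp_domain != fr_domain:
            found.append("envelope-from-mismatch")
    # A real MTA bounce is a multipart/report; a forged one is an ordinary
    # message wearing a bounce-like subject.
    subject = (msg["Subject"] or "").lower()
    if ("undeliverable" in subject or "returned mail" in subject) \
            and msg.get_content_type() != "multipart/report":
        found.append("forged-bounce")
    for part in msg.walk():
        if part.get_content_type() == "text/html" \
                and CID_IFRAME.search(part.get_content()):
            found.append("iframe-cid-reference")
    for name in attachment_names(msg):
        ext = extension(name)
        if ext in QUARANTINE_EXT or ext in DROP_EXT:
            found.append("executable-attachment:" + ext)
    return found


def action(msg):
    """Gateway decision for the message: 'drop', 'quarantine' or 'pass'."""
    exts = {extension(n) for n in attachment_names(msg)}
    if exts & DROP_EXT:
        return "drop"
    if exts & QUARANTINE_EXT:
        return "quarantine"
    return "pass"


def triage(raw):
    """Parse raw message bytes as a gateway would; return (action, indicators)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return action(msg), indicators(msg)


def build_sample(attachment="Update.exe"):
    """Constructed message modelled on the signs in the post (not a capture)."""
    msg = EmailMessage()
    msg["Return-Path"] = "<someone@example.net>"          # envelope sender
    msg["From"] = "MS Security Center <security@microsoft.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Undeliverable: Latest Microsoft Security Update"
    msg.set_content("Install now to protect your computer.")
    msg.add_alternative(
        "<html><body>Please wait...\n"
        '<iframe src="cid:patch001" width="0" height="0"></iframe>\n'
        "</body></html>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg


if __name__ == "__main__":
    print(triage(build_sample().as_bytes()))
```

Note that none of these checks needs a signature: the sample is flagged on structure and headers alone, which is the point when the local scanner is a signature update behind the worm.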

Updated signature in local virus scanner and ran it again. Bingo! Found Swen.A.

Why is this worthy of comment? Well, the sheer volume of the things mainly. Twenty-eight since a little before 11:00 pm (UTC+01:00) last night, and a new one roughly every 20 minutes at the moment.

OK, some of these things will propagate without user intervention, because they will find unpatched Microsoft Outlook Express systems and be able to exploit the aforementioned MIME vulnerability. But most of them are propagating because users (bless their little cotton socks) trust them...

"It says it's from Microsoft, so it must be from Microsoft."

...never pausing to ponder how Microsoft got their email address in the first place, or why they have abandoned their established update policy (web pull) in favour of a very crude replacement (email push).

I still do not know what the total payload of this thing is but, overheard in a conversation with a user here yesterday...

"I'm going to have to re-install Windows. I don't know what is wrong with my home PC, it's running really slow, but I installed that latest patch that Microsoft sent me, and now I can't edit the registry..."


Category: Viruses and Worms