Targeted Trojan attacks?

Published: 2006-02-12
Last Updated: 2006-02-14 00:14:36 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
Update

I received a number of responses to the Diary entry below reporting similar _emails_. The reports showed or pointed to HTML emails with similar contents and construction. Examining the emails after setting MS email clients to "text" only will render a GIF attachment to the email.

In a few cases the html emails were flagged as phishing email by various AV products. In one case the email was flagged as both a phish email and seperately as a trojan/pwstealer/keystrokelogger.

I received analysis summary results of the Sun site's illicit.GIF file from two AV sources. Their analysis were similar. Since they were similar, quoting one "The only thing I would add is that it has been verified the GIF is not some executable code, but just a 'clean' image inside an HTML email where the image is hyperlinked.  Clicking on the image takes one to a phishing site."

Thanks Mugg and Eric Chien for taking the time to follow up on the Diary .

So that leaves me with many other protection, detection and incident response  questions that the results of their analysis begs, I'll look at those and report any results as resources allow.

Thanks again to everyone who submitted information, samples and pointers to samples.

Original Diary Entry Follows;
You have to love it when malware blows through your ISP's Email gateway AV, hits your desktop, and only 2 vendors flag it. This has been occuring regularly over the last few months. Some of todays email details are below. At this time only F-Secure and Kaspersky catch it, F-Secure says "malware found Trojan-Spy.HTML.Bayfraud.in (virus)".

After Googling the Subject of the email I'm writing about, "eBay Customer Notice: Details Confirmation", I saw a few returns, one was at archives.java.sun.com. Sun has been notified.

That page also references the trojan I was sent, only the image name is different, at the sun site it's named illicit.GIF [image/gif] and there's date/time visible on the page display [Fri, 21 Oct 2005 23:44:45 +0100], who knows how trustworthy that date information is. If it's accurate and based on the Jotti and Virustotal results next, it's a touch troubling.

If you're seeing any of these please drop us a note. Thanks!

illicit.GIF analysis results at Jotti and Virustotal.

Jotti.Org says
File:  illicit.GIF 
Status:  INFECTED/MALWARE 
MD5  15492310e33e16810c4d880b8f343f8d 
Packers detected:  -
Scanner results 
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found Trojan-Spy.HTML.Bayfraud.in 
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found nothing

This is a report processed by VirusTotal on 02/12/2006 at 20:13:06 (CET) after scanning the file "illicit.GIF" file.
Antivirus Version Update Result
AntiVir 6.33.0.81 02.11.2006 no virus found
Avast 4.6.695.0 02.10.2006 no virus found
AVG 718 02.10.2006 no virus found
Avira 6.33.0.81 02.11.2006 no virus found
BitDefender 7.2 02.12.2006 no virus found
CAT-QuickHeal 8.00 02.11.2006 no virus found
ClamAV devel-20060126 02.12.2006 no virus found
DrWeb 4.33 02.12.2006 no virus found
eTrust-InoculateIT 23.71.74 02.11.2006 no virus found
eTrust-Vet 12.4.2074 02.10.2006 no virus found
Ewido 3.5 02.11.2006 no virus found
Fortinet 2.54.0.0 02.12.2006 no virus found
F-Prot 3.16c 02.09.2006 no virus found
Ikarus 0.2.59.0 02.10.2006 no virus found
Kaspersky 4.0.2.24 02.12.2006 Trojan-Spy.HTML.Bayfraud.in
McAfee 4694 02.10.2006 no virus found
NOD32v2 1.1404 02.11.2006 no virus found
Norman 5.70.10 02.10.2006 no virus found
Panda 9.0.0.4 02.12.2006 no virus found
Sophos 4.02.0 02.11.2006 no virus found
Symantec 8.0 02.12.2006 no virus found
TheHacker 5.9.4.094 02.10.2006 no virus found
UNA 1.83 02.09.2006 no virus found
VBA32 3.10.5 02.11.2006 no virus found

Some Email details;

Return-path: <support_num_3381305590018@ebay.com>
**snip**
Received: from ppp85-141-237-194.pppoe.mtu-net.ru ([85.141.237.194])
 by orngca-mx-08.mgw.rr.com with SMTP; Sun, 12 Feb 2006 13:52:34 -0500
Date: Sun, 12 Feb 2006 14:43:23 -0400
From: eBay <support_num_3381305590018@ebay.com>
Subject: eBay Customer Notice: Details Confirmation [Sun, 12 Feb 2006 21:46:23 +0300]
To: pnk@nycap.rr.com
Message-id: <4oomdf$ha2v4r@orngca-mx-08.mgw.rr.com>
MIME-version: 1.0
X-Accept-Language: en-us, en
Fcc: mailbox://support_num_3381305590018@ebay.com/Sent
X-Identity-Key: Id7
X-Virus-Scanned: Symantec AntiVirus Scan Engine <=== Gateway AV
Original-recipient: rfc822;pnolan
Content-Type: multipart/mixed;
  boundary="----=_cKusyvfBPGgnaHbQBgKUeaDHKTZHAlKYr"

Attachment name patch.GIF

Subject eBay Customer Notice: Details Confirmation

UPDATE I received a different piece of malware five minutes later ( ; ^ ), through the ISP Email Gateway AV undetected. There was no attachment, Subject is "Please Check Your Account !"
Keywords:
0 comment(s)

Comments


Diary Archives