Excel-lent Spam
I mentioned in my 'Experiments in Spam' posting the following: "On the spam front there have been a couple of new developments, but that's another posting." Well, this is the posting which will cover the latest tricks being used by the spammers to try and get past any anti-spam defenses you have in place.
The spammers are actively trying out different file formats. We've seen image spam [.gif, .jpg, .bmp, .png], Microsoft Word document spam [.doc, .dot] and Adobe Acrobat spam [.pdf], and recently we've started to see several new file formats being targeted, so let me now cover what's new.
Take a look at this first screen-shot, can you guess what file format is being used by the spammers here?

You all recognise it, don't you? Yes, it is a spreadsheet, or more specifically a Microsoft Excel spreadsheet, so the spammers are now using the .xls format as well to get their 'crud' into your inboxes.
Now, look at the next screen-shot and you will notice that the e-mail shown in it has a file attachment, in this case it is a ZIP file, can you guess what's in it?

No, not malware, although using ZIP files is a common way for the malware authors to send their creations to you, sometimes even using password protected [encrypted] ZIPs to get past anti-malware defenses.
The final screen-shot [below] gives the game away, does it look familiar?

Yes, it is a Microsoft Excel spreadsheet again.
Both of these XLS spam screenshots show 'Pump-n-Dump' stock spam/scams.
So far, the spammers using these file formats, especially the Microsoft ones used by Word and Excel, have refrained from including malicious content [executables], macros and web links to malicious content or booby-trapped web sites containing exploit code. This won't last.
So, what can we expect next from the spammers?
- More compression and packing tools to be used.
- More common file formats to be used.
- Embedded web links leading to malware files or exploits.
- Embedded executable files or malicious scripts/macros or exploits.
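A mail filter that judges attachments by file name alone will miss the ZIP-wrapped spreadsheet shown above, so the check has to look inside the archive and classify each member by its leading bytes. The following is an added example, not code from the original post; the function names, the `MAX_MEMBERS` limit and the sample file name are assumptions made for illustration. It also flags password-protected [encrypted] members, which cannot be scanned at all.

```python
import io
import zipfile

# Well-known file signatures for the formats named in the post.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .xls/.doc/.dot container
    (b"%PDF-", "pdf"),
    (b"GIF8", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"BM", "bmp"),
    (b"PK\x03\x04", "zip"),
]
MAX_MEMBERS = 100  # assumed policy limit so a huge archive cannot tie up the scanner


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(data: bytes) -> list:
    """Return (member name, verdict) pairs for one attachment."""
    if sniff(data[:8]) != "zip":
        return [("<attachment>", sniff(data[:8]))]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "corrupt-zip")]
    results = []
    for info in archive.infolist()[:MAX_MEMBERS]:
        if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags means encrypted
            results.append((info.filename, "encrypted"))  # unscannable: leave to policy
            continue
        with archive.open(info) as member:
            results.append((info.filename, sniff(member.read(8))))  # header bytes only
    return results


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a fake .xls (OLE2 magic plus padding)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("stock_tip.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504)
    return buf.getvalue()
```

Only the first eight bytes of each member are decompressed, so the check stays cheap even when an archive is built to expand enormously.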
If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!



