MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Monday, 10 March 2008

3D Screensaver E-mails?

This morning I started to receive e-mails offering me screensavers. I immediately smelt a rat, well at least a malware author, anyway! ;-)

So, I took a look at it in more detail; here's a screenshot of one of the e-mails:



I clicked on the link to see where I'd end up, and you can see what I found, below:



Looks like a very professional and polished website offering 3D Screensavers; very believable, isn't it?

So, I clicked on one of the links offered and I ended up here:



Still very believable, so I proceeded to download a copy of the screensaver offered, so that I could analyse it [you didn't think I was actually going to install it, did you? ;-)].

Will you be surprised to learn that the results of my analysis showed this wasn't a screensaver at all, but a piece of malware? I then proceeded to download several other samples from the other selections offered, and the resulting files, although having different names, were all the same size [18,944 bytes], had the same MD5 hash value [which means they are all effectively identical internally], and were not being detected by a number of anti-malware tools.

At the time of posting this, the files I downloaded from the site were named "Screensaver-66713.scr", "Screensaver-8719.scr" and "Screensaver-83580.scr". This may of course change, and there are certainly others with different filenames being offered.

If you see an e-mail like the one shown above, then simply delete it, as otherwise you will infect your computer rather than save its screen.

Hopefully by the end of today most anti-malware vendors should have updated their products to detect it.

So, in those immortal words, "Be careful out there...."


Wednesday, 5 March 2008

Stealthed Spam, Redux II!

The spammers are upping the stakes in the stealthed spam arena again. This entry will cover a stealthed spam I received this morning, but before that let me suggest that if you don't know what I am talking about, then you should take a look at my previous blog entries covering this area. These are [30th January 2008] and [17th October 2007]. This will also allow you to follow the development of this as a spamming technique.

So, now if you know what I mean by stealth and stealth spam, let me show you the latest example I have seen, just today, in fact:

The body of the e-mail would have you believe that it is from 'Irwin Bank and Trust':



With the above example, all the URLs [web links] used in the e-mail, except one, point to the real bank's site! All the text is probably taken from the real bank's website. This e-mail passes the tests that most of us use to decide if something is spam or not; in other words, it passes the 'Eyeball' test fairly easily, as it looks pretty genuine. The only missing pieces are any remote graphics, which most e-mail programs will not show, at least not by default.

So, what does it look like when I enable 'allow remote images' in the e-mail program?

It looks like this [yes, it is the same e-mail]:



Now it fails the 'Eyeball' test with ease.

Although the stealthed e-mail shown above is pretty convincing, it isn't perfect, as the e-mail address it shows as the From address [admin@viagra.com] and the subject used [RE:February 83% OFF] are not consistent with the rest of the e-mail, and are obviously spammy. So, the spammers need to sort these problems out to create the perfect stealthed spam.

Why do I call this 'Stealthed Spam'? Well, simply because the spam component is hidden and not in plain view, at first.
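As an added example (not from the post), here is a small Python triage script for the e-mail shape described above: every link but one pointing at the impersonated bank, the pitch carried only by a remote image, and a From domain that does not match the site the body claims to be from. The message and all hostnames are constructed (.test placeholders) and stand for no real bank, sender or spammer.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
from collections import Counter

# Constructed sample modelled on the post: genuine-looking bank text, every link but one
# pointing at the "bank", the pitch carried only by a remote image. All hosts are
# invented (.test TLD) and stand for no real bank, sender or spammer.
RAW_MSG = b"""From: admin@pills-sender.test
Subject: RE:February 83% OFF
Content-Type: text/html; charset=utf-8

<html><body>
<p>Welcome to <a href="http://www.examplebank.test/">Example Bank and Trust</a>.</p>
<a href="http://www.examplebank.test/personal">Personal Banking</a>
<a href="http://www.examplebank.test/contact">Contact Us</a>
<a href="http://cheap-pills.test/buy">Online Services</a>
<img src="http://img-host.test/banner.gif">
</body></html>
"""

class _LinkImgParser(HTMLParser):
    # Collects <a href> and <img src> values from an HTML body.
    def __init__(self):
        super().__init__()
        self.hrefs, self.srcs = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.srcs.append(a["src"])

def analyse(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    p = _LinkImgParser()
    p.feed(msg.get_body(preferencelist=("html",)).get_content())
    hosts = [urlparse(h).hostname for h in p.hrefs]
    majority = Counter(hosts).most_common(1)[0][0] if hosts else ""  # impersonated site
    odd_links = sorted({h for h in hosts if h != majority})           # the link(s) that are not
    remote_imgs = sorted({urlparse(s).hostname for s in p.srcs
                          if urlparse(s).scheme in ("http", "https")})
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    # Is the From domain the impersonated site (or a parent domain of it)?
    sender_ok = sender_domain == majority or majority.endswith("." + sender_domain)
    return {"majority_host": majority, "odd_link_hosts": odd_links,
            "remote_image_hosts": remote_imgs, "sender_domain": sender_domain,
            "sender_consistent": sender_ok,
            "stealthed": bool(odd_links) and bool(remote_imgs) and not sender_ok}
```

Run `analyse(RAW_MSG)` on the sample and it reports the bank host as the majority, the single off-site link, the remote image host, and flags the message as stealthed because the sender domain matches none of them.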

As they say, "Keep 'em peeled!", which means keep your eyes open and stay alert. Or, as others might say, "don't believe everything you see or read"; it may be a clever fake.

If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!
