Another day, another example exposing how fragile the human element of an organization's security is. Malware writers and spammers depend heavily on disguising their payload as innocent messages or software, which may even pretend to be offering some service to the unsuspecting victim. The aim is to make the user perform an action: execute an infected e-mail attachment, click a link to a compromised web site, reply to a fake unsubscribe notice, and the list goes on and on.
Just recently, I found an e-mail in my Inbox claiming to originate from DHL Support Services. DHL is a high-profile, legitimate international company offering transport and logistics services. The e-mail had a zip archive attached which contained an executable file. The message states that there was a problem delivering my package due to an undisclosed issue, and goes on to try to convince me to print the ‘invoice’ attached to the e-mail. The ‘invoice’ referred to in the message is the executable found in the zip archive.
[Screenshot: the e-mail body and attachment claiming to originate from DHL Support Services]
As previously stated, the e-mail ended up in my Inbox and my personal antivirus did not detect the attachment as malware. However, I am still strongly suspicious that the attached file is malware, for the following reasons:
- The MIME From domain is dhl-support.com. This domain is registered to an individual in Germany, not to the actual DHL organization.
- I did not have any postal packages that were not delivered.
- The structure, grammar and tone of the message do not match those a commercial company would use.
- DHL lets anyone track a package on its website. Why would it send an ‘attachment’ with an e-mail?
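The first and last of these indicators can be checked mechanically at the mail gateway: does the sender domain merely contain the brand name without being one of the brand's real domains, and does the attachment carry an executable? The following is an added example, not code from the original post or from any product it mentions; it parses a constructed message modelled on the DHL lure (a zip attachment holding a stub file with an MZ header, not real malware) and assumes a small allowlist of legitimate DHL domains (dhl.com, dhl.de) that a real deployment would maintain from its own records.

```python
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed allowlist of domains the brand genuinely sends from (example values).
LEGIT_DOMAINS = {"dhl.com", "dhl.de"}

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_message(sender="support@dhl-support.com", attach_exe_zip=True) -> bytes:
    """Constructed sample modelled on the lure described above.
    The 'executable' inside the zip is a two-byte MZ stub, not a real program."""
    msg = EmailMessage()
    msg["From"] = f"DHL Support Services <{sender}>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "DHL delivery problem"
    msg.set_content("We could not deliver your package. Please print the attached invoice.")
    if attach_exe_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("DHL_invoice.exe", b"MZ" + b"\x00" * 62)  # constructed stub
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="DHL_invoice.zip")
    return msg.as_bytes()


def sender_domain(msg) -> str:
    """Domain part of the MIME From address, lower-cased."""
    addr = email.utils.parseaddr(msg["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, brand: str) -> bool:
    """True when the domain name drops the brand but is not on the allowlist."""
    return brand in domain and domain not in LEGIT_DOMAINS


def executables_in_zip(data: bytes) -> list:
    """Names of zip members that look executable by extension or by MZ header."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            head = zf.open(info).read(2)
            if ext in EXECUTABLE_EXTS or head == b"MZ":
                found.append(info.filename)
    return found


def assess(raw: bytes, brand: str = "dhl") -> dict:
    """Apply the sender-domain and executable-attachment checks to one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    reasons = []
    if is_lookalike(domain, brand):
        reasons.append(f"sender domain {domain} imitates '{brand}' but is not allowlisted")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if fname.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(payload)):
            exes = executables_in_zip(payload)
            if exes:
                reasons.append(f"zip attachment {fname} contains executable(s): {', '.join(exes)}")
        elif any(fname.endswith(e) for e in EXECUTABLE_EXTS):
            reasons.append(f"direct executable attachment {fname}")
    return {"sender_domain": domain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for line in assess(build_sample_message())["reasons"]:
        print("FLAG:", line)
```

Both checks are cheap and signature-free, which is the point: they fire on the structure of the lure rather than on the hash of a particular Bredolab variant, so they keep working during the window before antivirus updates arrive. The MZ-header check catches an executable renamed to a harmless extension inside the archive; an encrypted or nested zip would need further handling.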
[Screenshot: Whois information for the domain dhl-support.com. Clearly, this domain is not registered to DHL.]
To confirm this, the zip archive was uploaded to VirusTotal.com for analysis. As of 23 September 2009, nearly half of the antivirus engines at VirusTotal did NOT detect the attachment as malware.
[Screenshot: partial results of the analysis by VirusTotal.com]
These engines are part of some of the most popular antivirus products protecting the desktops of home and business users and the servers of organizations. It takes time for an antivirus vendor to discover new malware, analyze it and distribute the updates needed to detect it. That window can be the security hole for an organization or a disaster for a home user. This is why it is important to use a product with multiple antivirus engines, such as GFI MailSecurity.
The antivirus engines that did detect the malware listed it as yet another variant of the infamous Bredolab Trojan. This Trojan first appeared around May, and variants have been circulating as attachments in spam messages throughout the months since.
DHL, or any other transport services organization, will never send you an executable by e-mail to run on your desktop, for any reason. This is simply an attack on users and organizations alike. The best defense is always education: although software does protect, as we have seen, it is also prone to failure.