Cyber Criminals Use Scanned Documents to Push Rogue AV
The latest attack vector used by cyber criminals to spread rogue antivirus malware to users' computers is e-mail messages disguised as scanned documents, as reported by The Tech Herald on July 18, 2010.
These spam e-mails carry the subject line "Scan from a Xerox WorkCentre Pro #0713393" and an attachment, an archive file called "XeroxN45586.zip".
The e-mail urges recipients to open the attached document, claiming that it was scanned and sent to the user by a Xerox WorkCentre Pro.
The e-mail states that the total number of images attached is '1' and claims to have been sent by a 'Guest'.
It also lists the attached File Type as ZIP [DOC], states 'WorkCentre Pro Location: machine location not set', and gives the Device Name as XRX0847AA7ACDB49675923. For further details and information, it directs readers to http://www.xerox.com.
According to security experts, the criminals appear to have copied the genuine e-mail template of Xerox scanning machines and merely customized the listed file type.
The experts further note that although a Xerox WorkCentre Pro can send scanned documents by e-mail, it never sends them in ZIP format.
When recipients open the archive, it reveals an executable file called Xerox_doc.exe, a new variant of the Oficla Trojan. Trojans of the Oficla malware family operate as a botnet and are mainly used as a distribution platform for other threats such as scareware or adware.
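As an added example (not code from the article or from any vendor), the following mail-filter check applies the two indicators described above: a "scanned document" subject whose attachment is a ZIP archive, and an archive that contains an executable. The sample message, its sender, subject and file names are constructed to mirror the article, and the executable member is a placeholder blob, not a real program.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Indicator from the article: a WorkCentre scan never arrives as a ZIP.
SCAN_SUBJECT_MARKER = "scan from a xerox workcentre"
# Extensions a scanner would never emit inside a "document" archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def archive_executables(zip_bytes):
    """Return the names of executable-looking members in a ZIP blob."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def classify_message(raw_bytes):
    """Return the reasons a raw RFC 822 message looks like the scanner lure."""
    msg = email.message_from_bytes(raw_bytes)
    reasons = []
    claims_scan = SCAN_SUBJECT_MARKER in (msg.get("Subject") or "").lower()
    for part in msg.walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue  # only archive attachments matter for this lure
        if claims_scan:
            reasons.append(f"scanner lure with ZIP attachment: {name}")
        payload = part.get_payload(decode=True) or b""
        for member in archive_executables(payload):
            reasons.append(f"executable inside archive {name}: {member}")
    return reasons


def build_sample_lure():
    """Constructed sample mimicking the message the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Xerox_doc.exe", b"MZ placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "Guest <scanner@example.invalid>"  # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Scan from a Xerox WorkCentre Pro #0713393"
    msg.set_content("Please open the attached document.\nFile Type: ZIP [DOC]\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="XeroxN45586.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in classify_message(build_sample_lure()):
        print("FLAG:", reason)
```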
Security experts have highlighted that the malware currently has a low detection rate; VirusTotal, for instance, reports that only eight vendors detect it. However, a VirusTotal result only reflects which signatures fire on the uploaded file and is not a definitive measure of whether the malware is detected.
In fact, this malware is readily identified by various vendors, including Microsoft, BitDefender, Symantec, Sophos, Panda, McAfee and many more. Despite the poor VirusTotal results, the main reason the malware is easily flagged and mitigated is its behaviour: as soon as it is downloaded, it attempts to install another payload, which is the rogue anti-virus itself, according to the security experts. Another reason for the broad detection coverage is that this malware has been seen before.
SPAMfighter News - 29-07-2010