Sophos Discovers a New Fake E-mail Campaign

Security researchers at security firm Sophos have detected a fresh spam campaign making rounds on the Internet and looking to infect the computers of netizens with malicious programs.

Elaborating the attack, the security firm said that the first most important thing to be noted is that the e-mail contains faked sender's address. Some of such addresses are: Elizabeth Boucher elizabeth.boucher_ce@treasury.govt.nz, "US Department of Treasury" noreply@usdot.com and Chang Avery c.averysh@treasurytoday.com. This is most probably to grab the attention of potential victims.

Sophos also noted that a number of spam messages include references to OFAC (Office of Foreign Assets Control), like: "Please view the attached report of the declined deposit by OFAC, the file is a Microsoft Excel Spreadsheet."

It is the attached Excel file that contains the trouble element. The file is found to exploit the security hole dubbed CVE-2009-3129. This particular vulnerability is known to affect the recent versions of MS-Excel and Excel Viewer, states Sophos security expert, Stephen Edwards, in a blog post on Sophos.com in the second week of June 2010. According to him, the malicious file has been identified as Troj/DocDrop-Q by Sophos.

According to Edwards' blog post the malicious Excel file tries to decrypt, install and execute another executable file that copies itself to \googletoolbar32.exe and then creates a registry entry known as "Google Search Engine" to facilitate its automatic execution on reboot.

The .exe file has been detected as Mal/Koobface-G - member of Koobface family, including rogue anti-virus, according to the expert.

So to avoid falling for the spam campaign, users are suggested to be extremely cautious while dealing with e-mail file attachments, particularly those containing Excel files, which may be infected. Users are also advised to ensure that their Excel is fully patched with the latest updates. Sophos said that Microsoft has described the vulnerability exploited in this scam as a part of MS09-067 and has issued patches to fix the vulnerability.

In addition of the above suggested measures, users are also advised to install reputed and updated anti-spam and anti-malware filters.

Related article: Spike in Attacks Causes Early Release of Windows Patch

» SPAMfighter News - 6/19/2010