Tuesday, February 7, 2012

Fedex, DHL, Deutschen Post and you've got ... a virus

Among the many things I truly love about my Google Mail is its ability to detect viruses in what people try to send me. But first things first.

I used to operate my own mail server for nearly a decade. Along the road came the installation of an anti-spam daemon (SpamAssassin team: you rock!), an attempt at installing an anti-virus/anti-malware scanner using ClamAV, and various other tweaks and tunes to make it (a) work correctly and (b) block something approaching 90% of undesirable content.

Also, as I travel more and more often, I installed a webmail application on my server so I could process my mail without having to establish a POPS/IMAPS connection to it. This came with the loss of a few features, but all in all, it was working OK.

Then one day, I tried Google Mail. The interface is sleek and easy to use, I have all my features back, and Google handles the e-mail sent to my "own" address.

So recently, I have started getting more and more "Message left on server: ...." notices, each explaining that the message was left behind because it contains a potential virus or suspicious attachment. And more and more, I have become intrigued by these.

They all purport to come from DHL, FedEx or Deutschen Post. They all have a ZIP attachment, and they all urge you to take immediate action: execute the file in the attachment. The last part of the ZIP file name is visibly generated at random, and every ZIP contains an executable. That executable, however, has a name that is not random: in all the recent ZIP files I received, it is "Deutschen_Post_oder_DHL-ID.exe".

Among these, I have identified two different strains.

The first one has an MD5 hash of "3162d052c388c5310a5f1a9f429c670c" and a size of 135168 bytes. As of 02/07/2012 10:58am EST, only 14 scanners out of 42 detect the executable file as malware (Report on VirusTotal.com), less than 40%.

The second strain has an MD5 hash of "c497c6d0b69cb2e03236af82cc651193" and a size of 114688 bytes. As of 02/07/2012 11:05am EST, only 10 scanners out of 43 detect the executable file as malware (Report on VirusTotal.com), less than 30%.

As (a) the names are consistent except for a random part in the ZIP file name, (b) the archive content is exactly the same within a strain and (c) I received these from various IPs, I lean toward an automated type of distribution, possibly a worm or a bot.
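As an added triage example (not code from the original post), here is a Python script that applies the same strain test described above: open each quarantined ZIP in memory, hash any executable member, and group attachments by inner file name, MD5 and size, so that random outer names collapse into a handful of strains. The attachment names and payload bytes are constructed placeholders, not the samples from the post.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# Constructed sample attachments: random-looking outer ZIP names, each carrying
# the same fixed inner executable name. Payload bytes are placeholders only.
SAMPLE_ATTACHMENTS = {
    "DHL-Paket_8371Q.zip": ("Deutschen_Post_oder_DHL-ID.exe", b"STRAIN-A-PLACEHOLDER" * 8),
    "DHL-Paket_K22xz.zip": ("Deutschen_Post_oder_DHL-ID.exe", b"STRAIN-A-PLACEHOLDER" * 8),
    "FedEx_Notice_55.zip": ("Deutschen_Post_oder_DHL-ID.exe", b"STRAIN-B-PLACEHOLDER" * 5),
    "Invoice_0091.zip": ("invoice.pdf", b"%PDF-1.4 harmless placeholder"),
}

# Member extensions worth hashing; the post's samples all carried a .exe.
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_zip(member_name, payload):
    """Build a ZIP in memory (used here only to construct the sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def triage(zip_bytes):
    """Return (member name, md5, size) for each executable member.

    Bytes are read into memory only; nothing is written to disk or run.
    MD5 is used to match the identifiers the post quotes; add SHA-256 for
    anything you share today, since MD5 collisions are practical."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(EXEC_SUFFIXES):
                data = zf.read(info)
                findings.append((info.filename, hashlib.md5(data).hexdigest(), len(data)))
    return findings


def cluster_strains(attachments):
    """Group attachments by (inner name, md5, size): same key, same strain."""
    strains = defaultdict(list)
    for zip_name, zip_bytes in attachments.items():
        for member, digest, size in triage(zip_bytes):
            strains[(member, digest, size)].append(zip_name)
    return dict(strains)


if __name__ == "__main__":
    attachments = {n: build_zip(m, p) for n, (m, p) in SAMPLE_ATTACHMENTS.items()}
    for (member, digest, size), zips in cluster_strains(attachments).items():
        print(f"{member} md5={digest} size={size} seen in {len(zips)} zip(s): {', '.join(zips)}")
```

On real quarantined mail, replace SAMPLE_ATTACHMENTS with the raw bytes of each ZIP attachment; the grouping key is what lets you say "two strains" regardless of how many differently named ZIPs arrived.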

I still need to do some homework and play with these to see whether they point to the same "owner".