Websense® ThreatSeeker® Network intercepted a malicious email campaign posing as antivirus notifications that warn users that their accounts may be blocked. These fake messages state that the victim's email address has been sending infected email to the mail server, and that the situation may be remedied if the user clicks a URL to download a free removal tool. The "free tool" is, of course, a malicious executable that connects to malicious websites, and then drops more executables on the victim's computer.
This looks like a low-volume campaign, as we have seen (and blocked) approximately 2700 of this type of email yesterday and today.
Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.
The email may contain a subject like this:
[Symantec] - Your e-mail account may be blocked.
The "from" address varies and may appear as:
Here's a sample:
Notice that the email text contains the phrase "Scanning sytem...", which is completely false. No scan is taking place. The victim is notified that the computer is infected with the worm W32.Swizzor.C-WORM and is urged to download the removal tool for protection.
Clicking the suggested link takes the victim to:
Which prompts the user to download a file with the promising name "RemovalTool" from this location:
You can see an AceInsight report for the first URL here:
ThreatScope analysis, which is a part of the Websense CSI service, identifies the file RemovalTool.exe as malicious due to its behavior:
1. HTTP traffic to server hosting malicious content
2. Drops executable file(s)
3. HTTP traffic to uncategorized server
4. Writes to the filesystem in a directory of the user profile often used by malware
The full ThreatScope report can be seen here.
At the time of this writing, only 3/42 AV vendors on Virustotal identified the file as malicious:
How does Websense protect against this threat?
Websense Email Security products block these messages as spam using a combination of network traffic, reputation, and spam rules.
For Websense Web Security products, the real-time analytics in Web Security Gateway, Web Security Gateway Anywhere, and Cloud Web Security block the landing URL, providing further protection.