Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Malicious Email Messages Posing as Antivirus Notifications

View all posts > 

Malicious Email Messages Posing as Antivirus Notifications

Posted: 28 Aug 2012 03:36 PM | Ran Mosessco | no comments


Websense® ThreatSeeker® Network intercepted a malicious email campaign posing as antivirus notifications that warn users that their accounts may be blocked. These fake messages state that the victim's email address has been sending infected email to the mail server, and that the situation may be remedied if the user clicks a URL to download a free removal tool. The "free tool" is, of course, a malicious executable that connects to malicious websites, and then drops more executables on the victim's computer.

 

This looks like a low-volume campaign, as we have seen (and blocked) approximately 2700 of this type of email yesterday and today.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

 

The email may contain a subject like this:

 

[Symantec] - Your e-mail account may be blocked.

 

The "from" address varies and may appear as:

scanner@symantec.com

scanonline@f-secure.com

symantec@verisign.com

scan@sophos.com

symantec@sophos.com

virscan@secureroot.com

noreply@verisign.com

 

Here's a sample:

 

 

 

Notice that the email text contains the phrase "Scanning sytem...", which is completely false. No scan is taking place. The victim is notified that the computer is infected with the worm W32.Swizzor.C-WORM and is urged to download the removal tool for protection.

Clicking the suggested link takes the victim to:

hxxp://www.protectedssl.net/removal/SymantecRemoval&2012&09.data=SwizzorC.php

Which prompts the user to download a file with the promising name "RemovalTool" from this location:

hxxp://www.protectedssl.net/RemovalTool.exe

You can see an AceInsight report for the first URL here:

 http://aceinsight.websense.com/report.aspx?g=18D3325A54C64DBA9B7ACC7702DF4748

 

ThreatScope analysis, which is a part of the Websense CSI service, identifies the file RemovalTool.exe as malicious due to its behavior:

1. HTTP traffic to server hosting malicious content

2. Drops executable file(s)

3. HTTP traffic to uncategorized server

4. Writes to the filesystem in a directory of the user profile often used by malware

 

The full ThreatScope report can be seen here.

 

At the time of this writing, only 3/42 AV vendors on Virustotal identified the file as malicious:

 

 

 

 

How does Websense protect against this threat?

Websense Email Security products block these messages as spam using a combination of network traffic, reputation, and spam rules.

For Websense Web Security products, the real-time analytics in Web Security Gateway, Web Security Gateway Anywhere, and Cloud Web Security block the landing URL, providing further protection.

 


Filed under: ,

Leave a Comment

(required)  

Email address: (required)