Websense Security Labs Blog

When Less is More: The Growing Impact of Low-Volume Email Attacks

Posted: 05 Oct 2012 01:00 | Ran Mosessco


Here at Websense® Security Labs™, we often blog about big malicious campaigns and how our products protect our customers from them. But what about smaller campaigns that are no less dangerous? 


Broad campaigns, which often spoof notifications from well-known businesses, establishments, organizations, and agencies, are very widespread these days. However, smaller-volume campaigns can sometimes be just as dangerous, or even more so, because they slip past the victim's defenses.

Last week, the Websense ThreatSeeker® Network intercepted one such campaign. This small-volume, malicious campaign targeted businesses with legitimate-looking emails that refer to items like purchase orders, quotes, and supply information. All of these emails had attachments that install variants of the popular Zeus malware on the victim's computer.

Websense Cloud Email Security quarantined these emails as containing a potential virus before most of the malicious attachments were detected by antivirus (AV) engines. Websense ACE (Advanced Classification Engine) provides the extra layers of protection that help Cloud Email Security protect customers against a wide array of threats. 


In many cases, AV signatures lag behind the latest threats. Although ACE uses AV as one of its analytics, this is an example where AV was not detecting the threat. Other techniques, such as network behavior (volume vs. time) and reputation, are very effective against big campaigns, but would not work in this case, since the volume was low. The content of these email messages looks benign most of the time, so traditional anti-spam rules would not work well either. This is where additional protection is needed. ACE can provide that protection and quarantine such suspicious messages by looking more deeply at their content and features, such as the types of attachments, message attributes, web links in each message, and telltale patterns in the content body.

Detection during the window between ACE detection and AV detection can prevent a security breach at the most crucial time, instead of having to "play catch-up" after the fact.

Let's take a closer look at the emails that were intercepted.

The variant that was most common on September 27, 2012, had subject lines such as:

RE: NEW ORDER

RE: ATTACHED PO

Notice that the email body of the message shown looks quite benign. There were other examples; see later in the text.

The most "popular" attachment was a file named "scan.rar," which carried the executable "scan.exe."


Here's a Websense ThreatScope™ analysis of this file, showing the malicious behavior:


http://aceinsight.websense.com/FileAnalysisReport.aspx?rid=65EA634D5A96460CB3489AAD8A840364


Compare this to the VirusTotal report at the time that Cloud Email Security detected the threat. Only 2 out of 43 vendors detected this file as malicious:


http://www.virustotal.com/file/2373c8cb97ba5bd2a9bd5451de02f872c4444c1689b8d4021a7fd3945835da7b/analysis/1348767164/


Of course, AV signatures eventually catch up, so the situation improved to 15/43 a few days later.


Cloud Email Security customers were protected regardless. Based on the nature of the attachments and a few other key attributes in the messages, ACE determined that these emails carried a potential virus and quarantined them.

Some of the other variants were:

Subject: RE:quotation
Attachment: po.rar

Subject: Urgent Order.
Attachment: payment.zip

Subject: supply info
Attachment: payment.zip

Subject: New PI
Attachment: quote.exe

Subject: Order
Attachment: product details.zip

Subject: Please attend to my order
Attachment: quotation.zip

All of these were quarantined by Cloud Email Security based on the attributes of the message and the attachment.
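As an added illustration of the attribute-based quarantine decision described above, the following Python scores a message on the same kinds of features the variants share: the attachment type (a bare executable, an executable hiding in an archive, an executable with a document-like name such as Quotation_pdf.exe) combined with an order/quotation lure in the subject. This is example code written for this post, not Websense ACE or any product's actual rules; the extension lists, lure words and verdicts are assumptions, and the sample attachments are constructed in memory.

```python
import io
import re
import zipfile
# Constructed heuristics for this example; they are not Websense ACE's actual rules.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
ARCHIVE_EXT = {"zip", "rar", "7z"}
LURE_RE = re.compile(r"\b(order|po|purchase|quotation|quote|pi|supply|payment|invoice)\b", re.I)

def split_ext(name):
    """Return (stem, extension) in lower case; extension is '' when there is none."""
    stem, dot, ext = name.lower().rpartition(".")
    return (stem, ext) if dot else (name.lower(), "")

def attachment_flags(name, data):
    """Flag a bare executable, a document-looking executable name, or an archive carrying one."""
    flags, (stem, ext) = [], split_ext(name)
    if ext in EXEC_EXT:
        flags.append("executable")
        if re.search(r"[_\-. ](pdf|doc|docx|xls)$", stem):  # e.g. Quotation_pdf.exe
            flags.append("fake-document-name")
    elif ext in ARCHIVE_EXT:
        members = None  # None means we could not look inside
        if ext == "zip":  # only ZIP is parsed here; RAR/7z would need extra libraries
            try:
                members = zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                pass  # truncated or fake archive stays opaque
        if members and any(split_ext(m)[1] in EXEC_EXT for m in members):
            flags.append("archive-with-executable")
        elif members is None:
            flags.append("unparsed-archive")  # cannot look inside; still worth a sandbox run
    return flags

def classify(subject, attachments):
    """Return (verdict, flags); attachments maps file name -> raw bytes."""
    flags = [f for n, d in attachments.items() for f in attachment_flags(n, d)]
    if LURE_RE.search(subject):
        flags.append("order-lure-subject")
    if {"executable", "fake-document-name", "archive-with-executable"} & set(flags):
        return "quarantine", flags
    if "order-lure-subject" in flags and "unparsed-archive" in flags:
        return "sandbox", flags
    return "deliver", flags

def make_zip(member):
    """Build an in-memory ZIP with one dummy member so the sample runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, b"placeholder bytes, not a real binary")
    return buf.getvalue()
```

Note that the verdict never depends on the sender's volume or reputation, which is the point: a single message with an executable inside an order-themed archive is enough on its own.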


Click on the file names below for ThreatScope reports that provide an analysis of some of the files contained in the various attachments:

list.exe
Not in VirusTotal at the moment.

Quote.exe
Was not in VirusTotal. After uploading the file, these were their results.

Notice the fake "quotation" PDF that opens with these files:


payment.exe
Not in VirusTotal at the moment.

PO.exe
Not in VirusTotal at the moment.

Quotation_pdf.exe
Here is the VirusTotal report for the above file.

Samples.scr
Was not in VirusTotal. After uploading the file, these were their results.

Finally, here are some additional screenshots of other email variants (these look a little more suspicious than the first example shown above):

Please let us know your thoughts. Are you more concerned about the low-volume attacks or the broad far-reaching high-volume attacks? Send in your comments using the box below.
