…today I’m waxing nostalgic about a piece of malware. Not one of those anniversaries that have filled so many blogs, articles and videos recently (happy birthday, dear Brai-ain….), but something that just popped into my mailbox…
It is, as Aryeh Goretsky remarked to me recently in a slightly different context, almost like Old Home Week. He was referring to recent work by a number of luminaries formerly prominent in antivirus research like Eugene Spafford, Ken van Wyk, and even Fred Cohen.
But today I’m waxing nostalgic about a piece of malware. Not one of those anniversaries that have filled so many blogs, articles and videos recently (happy birthday, dear Brai-ain….), but something that just popped into my mailbox. A malicious attachment. To be precise, an executable concealed in a ZIP file with the name NudeFot.zip, the executable being named
nudefot.jpg _________________.exe
Give or take a few characters. The idea, of course, is that the victim will fail to notice the real (.EXE) filename extension somewhere way off to the right and out of the window, and think that they’re opening a picture. A somewhat naughty picture, judging by the filename. Well, nothing new here: that kind of misdirection goes back to the heyday of mass mailers and beyond, and I remember all too well the last decade’s spate of executables concealed in ZIP and RAR files in the hope of avoiding gateways that filtered files with certain filename extensions suggesting executable files or active content.
The message that accompanies it is also somewhat traditional. But it’s worth reproducing to get a handle on what sort of social engineering is being used here.
From: Lisbet [mailto:[email protected]]
Sent: 07 March 2011 19:38
To: [email protected]
Subject: Re: foto
Hello, david.a.harkness.
Friday, March 01, 2011, 10:35:3 AM, you wrote:
>> Hi
>> I miss you so much. I send you my photo.
>> Please do not show it to your family and friends.
>> Many kisses, Your Love.
Hello.
Super cool foto 🙂
call me 2401659
—
Best regards,
jarrodl mailto:[email protected]
As you might have deduced, I’m not [email protected], but the mail reached me at an account name similar enough to make an unwary recipient think that there must have been some sort of delivery glitch. And the message text, like the filename, is clearly meant to suggest a naughty picture of some sort. Though personally, if I knew [email protected] well enough for her to send me a nude photograph signed “Many kisses, Your Love”, I probably wouldn’t start my response “hello angela.q.ribbentrop”, but perhaps that’s a generational thing.
The other thing that puzzles me is that Lisbet (or [email protected], or [email protected]) wants me to call her 2401659. But I suppose that’s her prison number.
And in case you wondered, we detect that particular file as Win32/Spy.Zbot.YW trojan. It’s a backdoor/password stealer from a family we know all too well.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
