Criminals pushing Rogue anti-Virus disguised as scanned documentsby Steve Ragan - Jul 18 2010, 16:41
Criminals pushing Rogue anti-Virus disguised as scanned documents. (IMG: Xerox)
Email messages masquerading as scanned documents are the latest attack vector being adopted by criminals to push Rogue anti-Virus Malware to the masses. The messages, which appear to have been sent from a Xerox WorkCentre Pro, come with a Zip file that will immediately infect the host system if accessed.
Since running this story on Friday, we’ve seen more examples of this attack. The interesting note, and the reason for the update, is that the new “scanned documents” are coming to The Tech Herald’s security e-mail address. The embedded links are switching, but the Malware itself is the same.
We’ve placed screenshots of the newest examples on page 3.
We here at The Tech Herald noticed the malicious email this morning, while checking one of the site's drop accounts for messages. The image below is the exact message with the addresses removed.
As you can see, the attachment is a typical Zip file and the message itself attempts to pass itself off as a scanned document from a Xerox Multi-Function Printer. Those with a Xerox WorkCentre Pro in their office will see the message for the fake that it is almost instantly.
The WorkCentre Pro from Xerox can scan documents to email or FTP accounts if configured to do so, but the most common scanning format is PDF, followed by TIFF and XPS. At no time will a WorkCentre Pro send a Zip file as an attachment.
It would appear that, while the malicious messages are spamming out to as many people as possible, the criminals behind the campaign are looking to single out users who use Xerox products in-house as a method of scanning and printing.
If downloaded and extracted, the file inside the Zip attachment is clearly an executable. On our test system, once we accessed the file, Microsoft’s Security Essentials flagged it immediately.
The Malware itself has a low detection rate. For example, only eight vendors detected it, according to Virus Total. However, using Virus Total as a base only accounts for signatures on hand singling out a given file, and isn’t a conclusive measure of detection [Virus Total Link].
In reality, this Malware is easily detected by several vendors including Symantec, Microsoft, BitDefender, Panda, McAfee, Sophos, and more. As you can see in the screenshot, Microsoft Security Essentials flagged the Malware the second it was accessed, but it shows no detection according to Virus Total.
The reason why the Malware is easily flagged and mitigated, despite the poor Virus Total results, is due to its behavior. The moment it is executed, the Malware attempts to install the secondary payload, which is the Rogue anti-Virus itself.
In addition, another reason for a wide detection base is because the Malware has been seen before.
Today, the criminals are using scanned documents as an attempt to grab user attention, but earlier this summer the malicious email messages claimed to be from Facebook, where the attachment was said to be information on a recent password reset.
Criminals will use whatever tactic they can to entice victims to install Malware. Previous email tactics include malicious documents that are said to be related to DHL deliveries, as well as deliveries from UPS. They have also sent messages containing malicious attachments that are allegedly from the IRS and FBI.
The lesson here is clear: never trust random email attachments, and always keep updated security software running on your system. If you happen to see an email like the one pictured above, take our advice and just delete it.