Thursday, April 26, 2007 3:00 PM
cmosby
Symantec Security Response Weblog: Spam Attack: RARed Trojan
Spam Attack: RARed Trojan
Symantec Security Response has seen an increasing number of submissions of Trojan.Peacomm and related malware arriving in emails containing password-protected RAR archives.
As with the previous Peacomm spam run, the email contains an image (a GIF file) and an attachment. The image contains a message about a patch that can be used to "remove worm files" and the password for the file attached. However, in this case, the attachment is a RAR archive.
The files inside the RAR archive are detected as Trojan.Packed.13. This detection for Trojan.Packed.13 was available in definitions dated March 22, 2007. The Trojan.Packed.13 sample drops another malicious file, which is also already detected by March 22 definitions, this time as W32.Mixor.Q@mm.
These are some of the email Subject lines being used by this wave of spam:
Trojan Alert!
Virus Alert!
Virus Detected!
Virus Alert!
Warning!
Spyware Alert!
Worm Detected!
Some sample Attachment Filenames seen are as follows (where xxxxx represents a 5 digit random number):
bugfix-xxxxx.rar
removal-xxxxx.rar
patch-xxxxx.rar
hotfix-xxxxx.rar
Security Response has also noticed a slight increase in activity on TCP port 2525, which may be related to the spamming of the threat, as port 2525 is used as an alternative SMTP port on some servers.
Symantec Security Response has received several queries regarding how to best limit the impact of the latest run of Trojan.Peacomm spam. As with any e-mail-based malware, it's best to tackle it at the gateway by using email filters to block the mail, for example by subject line or attachment name. Also, Symantec's Brightmail-enabled messaging products now have a rule to block this latest spam run. Since the rule was added yesterday it has successfully blocked over 1.2 million messages!
We looked into the possibility of creating a reliable detection for the encrypted RAR archives. The only possible way to detect these files is to create a signature using the file header. With RAR archives using full encryption with AES, the header is only 14 bytes in size. All other information, such as filename and other attributes, is encrypted. While it is technically feasible to create a detection based on the file header and the approximate size of the file, there is a high risk of false positive detections, as clean RAR files of approximately the same size would also be detected. Taking the risk of false positives into consideration, and based on the fact that there are other more effective means to block this malware, we have made the decision not to release this detection.
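The two defensive options the post weighs (gateway filtering on subject line or attachment name, and the weaker file-header signature for header-encrypted RARs) can be combined in one gateway check. The following is an added example, not Symantec's or Brightmail's code; it assumes the RAR 4.x layout (7-byte marker block, then the 7 fixed bytes of the archive header, whose 0x0080 flag marks encrypted block headers), and the sample archive bytes are constructed with a zeroed CRC field rather than taken from a real sample.

```python
import re
import struct

# RAR 4.x marker block (7 bytes) followed by the fixed part of the archive
# header: HEAD_CRC (2), HEAD_TYPE (1), HEAD_FLAGS (2), HEAD_SIZE (2).
# Those 14 bytes are all that stays in the clear when headers are encrypted.
RAR4_MARKER = b"Rar!\x1a\x07\x00"
MAIN_HEAD_TYPE = 0x73
MHD_PASSWORD = 0x0080  # archive-header flag: block headers are encrypted

# Indicators quoted in the post (subjects verbatim, filename pattern as given).
SUSPICIOUS_SUBJECTS = {
    "Trojan Alert!", "Virus Alert!", "Virus Detected!", "Warning!",
    "Spyware Alert!", "Worm Detected!",
}
ATTACHMENT_NAME_RE = re.compile(
    r"^(bugfix|removal|patch|hotfix)-\d{5}\.rar$", re.IGNORECASE)

# Constructed samples: CRC field left as zero, header size 13 as in a
# typical archive header. Not bytes from an actual Peacomm attachment.
SAMPLE_ENCRYPTED_RAR = RAR4_MARKER + struct.pack("<HBHH", 0, MAIN_HEAD_TYPE, MHD_PASSWORD, 13)
SAMPLE_PLAIN_RAR = RAR4_MARKER + struct.pack("<HBHH", 0, MAIN_HEAD_TYPE, 0, 13)


def rar_headers_encrypted(data: bytes) -> bool:
    """True if the first 14 bytes are a RAR 4.x archive header with the
    encrypted-headers flag set, i.e. filenames inside are not visible."""
    if len(data) < 14 or data[:7] != RAR4_MARKER:
        return False
    _crc, head_type, flags, _size = struct.unpack("<HBHH", data[7:14])
    return head_type == MAIN_HEAD_TYPE and bool(flags & MHD_PASSWORD)


def gateway_verdict(subject: str, attachment_name: str, attachment_bytes: bytes) -> list:
    """Collect the reasons a message would be held at the mail gateway.
    The subject and filename rules are the strong signals; the header
    check alone fires on every header-encrypted RAR, which is exactly the
    false-positive problem the post describes."""
    reasons = []
    if subject.strip() in SUSPICIOUS_SUBJECTS:
        reasons.append("subject matches spam-run list")
    if ATTACHMENT_NAME_RE.match(attachment_name.strip()):
        reasons.append("attachment name matches <word>-xxxxx.rar pattern")
    if rar_headers_encrypted(attachment_bytes):
        reasons.append("attachment is a RAR with encrypted headers")
    return reasons
```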
Posted by Brian Ewell on April 25, 2007 02:00 PM
Source: Symantec Security Response Weblog: Spam Attack: RARed Trojan
Filed under: Security and Anti-Virus, AntiVirus Information, Spam\Phishing