New FakeAV HTML Spam (Sept 16, 2010)

The SonicWALL UTM Research team observed a high volume of FakeAV-related e-mail spam during the last two days. These e-mails arrive with a malicious HTML attachment and use different themes to lure users into opening the file. The HTML attachment eventually redirects the user to a FakeAV drive-by download web page.

The SonicWALL UTM Research team has received more than 200,000 copies of e-mails from this spam campaign so far, and the campaign is still ongoing.

The following are the email samples used in this campaign:

Sample #1
Subject: Employment letter for visa application
Attachment: jun wang letter.html
Email Body:
————————
Hi:

Attached please find the employment letter for Jun Wang’s H-1B visa application in Canada.
Please print it out with your company letterhead and sign. Please mail the original along
with the original H-1B approval notice to Jun Wang at your earliest convenience

Thank you
————————

The e-mail message looks like below:

    screenshot

Sample #2
Subject: find a copy of the letter
Attachment: copy of the letter.html
Email Body:
————————
Hello

Attached please find a copy of the letter. Eva should we send the original I-797 to Jun?
Jun, please confirm receipt of the I-94 from Eva.

Thank you
————————

The e-mail message looks like below:

    screenshot

Sample #3
Subject: Invoice for Floor Replacement
Attachment: Invoice-Stocketon.html
Email Body:
————————
Hi,
Please see attached invoice for stockton floor project. Thanks!
————————

The e-mail message looks like below:

    screenshot

Malware Installation:

This FakeAV spam wave used an HTML file attachment that redirects users to a FakeAV download page, instead of the usual Trojan downloader we have seen before and covered in a previous SonicAlert.

Once the user opens the HTML file attachment, it redirects to the web page {hxxp://dark-[removed]in.com/x.html}, which displays the following message:

    screenshot

Soon after, the user sees a fake virus infection alert prompting them to download a "Microsoft Security Assessment Tool" to fix the problem.

    screenshot

Regardless of the user's response to the alert window, the page shows the fake AV scan seen below:

    screenshot

After the scan finishes, the page shows the message below, urging the user to continue by removing the detected viruses. At this point the user's computer is not yet infected; it is only made to appear so, so that the user will unknowingly continue to download and install the FakeAV.

    screenshot

If the user clicks the "Remove all" button, the page prompts to download the FakeAV installer.

    screenshot
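As an added defensive example (not part of the original SonicAlert), the following Python script parses a raw e-mail, pulls out HTML attachments and flags the redirect constructs such a lure needs to bounce the reader to the drive-by page. The redirect mechanisms it looks for, the sample message and the example.invalid destination are constructed assumptions, since the alert does not show the attachment's source.

```python
import email
import re
from email import policy

# Redirect constructs an HTML attachment can use to send the reader elsewhere.
# The alert does not state which one the campaign used; these patterns are an
# assumption covering the common mechanisms (meta refresh, JS location, iframe).
REDIRECT_PATTERNS = [
    ("meta-refresh", re.compile(
        r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*["\']?([^"\'>\s;]+)', re.I)),
    ("js-location", re.compile(
        r'(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("js-location-call", re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']', re.I)),
    ("iframe-src", re.compile(r'<iframe[^>]+src\s*=\s*["\']([^"\']+)["\']', re.I)),
]

def defang(url: str) -> str:
    """Make a URL non-clickable for reports and logs (hxxp, [.])."""
    return url.replace("http", "hxxp").replace(".", "[.]")

def find_redirects(html: str) -> list:
    """Return (mechanism, destination) pairs found in an HTML body."""
    return [(name, m.group(1)) for name, pat in REDIRECT_PATTERNS for m in pat.finditer(html)]

def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and report HTML attachments that redirect."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not (name.lower().endswith((".html", ".htm")) or part.get_content_type() == "text/html"):
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        for mechanism, dest in find_redirects(body):
            findings.append({"attachment": name, "mechanism": mechanism, "destination": defang(dest)})
    return findings

# Constructed sample modelled on the campaign's second lure; the destination
# host is a placeholder, not the real one from the alert.
SAMPLE_EML = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: find a copy of the letter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello
Attached please find a copy of the letter.

--b1
Content-Type: text/html; name="copy of the letter.html"
Content-Disposition: attachment; filename="copy of the letter.html"

<html><head><meta http-equiv="refresh" content="0; url=http://example.invalid/x.html">
<script>window.location = "http://example.invalid/x.html";</script></head><body></body></html>
--b1--
"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE_EML):
        print(f"{f['attachment']}: {f['mechanism']} -> {f['destination']}")
```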

SonicWALL Gateway AntiVirus provides protection against these spammed FakeAV variants via the following signatures:

  • GAV: VBS.Drost1 (Trojan) - 14 million hits in the last 48 hours
  • GAV: Suspicious#fakeav_14 (Trojan) - 1,416 hits

    screenshot

    screenshot
