SANS ISC: Massive Google scam sent by email to Colombian domains

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

This morning many users in my city woke up with supposedly good news from a resume they sent to google looking for open positions:

Of course this scam does not have anything new and innovative to cause a massive impact, but here is the catch: in this part of the world, people love P2P networks and love to download unlicensed content like Windows Operating Systems, music and paid programs so they don't have to pay a cent for it. Since standard security controls like antivirus and Host IPS shows those programs like malicious and then block most of its functionality, there are a huge number of people that disregard such measures to access freely those unlicensed contents.

The file referenced in the e-mail is zip compressed, MD5 4e85b6c9e9815984087f6722498a6dfc. Once uncompressed, you get document.exe, MD5 3e41ab7c70701452d046b93f764564ec. This file is widely recognized by VirusTotal with a 40/46 detection radio. It is a mass mailer with backdoor capabilities. The mass mailer malware description can be found at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=153521#none and the backdoor description can be found at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=100938.

This little thing caused lots of help desk calls this morning to my company because people complained about very slow internet links without performing any download operations. If you were affected by this malware, please keep in mind the following recommendations:

• Do not *ever* open attachments from not reliable sources, specially zipped files that have inside exe files. Nothing good can come from it.
• Do not disable any security controls inside your computer like host IPS, antivirus and personal firewall. If you require to work with software that is blocked by any of these controls and there is no way no enable it through them, it is definitely something you should consider not to use.
• Malware can control your machine and handle your machine as desired, affecting confidentiality, integrity, availability, traceability and non repudiation of your information. Avoid  performing actions that could materialize such risks like dealing with p2p software.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org