
Spammed-out malware campaign contains offensive hidden message for anti-virus CEO

There is no love lost between the people who write malware and the anti-virus companies who work hard to protect innocent users against them.

And occasionally that animosity spills out into the actual malicious code written by online criminals. Sometimes it might present itself in the form of code to attempt to avoid detection by a particular product, or techniques to avoid analysis in malware labs.

But sometimes… well, it just gets a lot more personal than that. And that’s what seems to have happened in a current malware campaign arriving in many users’ email inboxes today.

Here is what a typical malicious email looks like:

Subject: RE: Outstanding Account

Message body:

This is a reminder that your account balance of $5746.80 was overdue as of 28 April 2016.

Enclosed is a statement of account for your reference.

Please arrange payment of this account today or, if you cannot make full payment at this time, please contact us to make a payment arrangement that is mutually acceptable.

Regards,

Tonia Joseph

Sales Director

Have a nice day

The name and job title of the person contacting you is randomly chosen, as is the amount that you are being asked to pay and the date on which it became overdue.

Attached to the email is a .ZIP file (again, its precise filename varies) that contains the malicious payload.

The danger is, of course, that people who receive the email may click on the attachment (presumably in a mixture of outrage and confusion that they are being asked to pay a substantial amount of money) without thinking of the consequences.

For inside the ZIP is an obfuscated JavaScript file which downloads further malicious code from the internet, designed to infect innocent victims’ PCs.
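As an added example (not part of the original article), here is a Python mail-gateway check for the two traits described above: the templated lure text with its randomized amount and date, and a ZIP attachment that wraps a script file. The message it scans is constructed inline with made-up values; the regex, the extension list and the verdict names are my own assumptions, not anything from the campaign or from Bitdefender.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types Windows runs on double-click straight out of a ZIP; the campaign used .js.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")
# The lure sentence with its randomized amount and overdue date turned into wildcards.
LURE_RE = re.compile(
    r"account balance of \$[\d,]+\.\d{2}\s+was overdue\s+as of\s+\d{1,2} \w+ \d{4}",
    re.IGNORECASE,
)

def build_sample_eml() -> bytes:
    """Construct a message shaped like the article's lure (all values made up, harmless)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("statement_83921.js", "// placeholder text, not a real downloader\n")
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "RE: Outstanding Account"
    msg["From"] = "Tonia Joseph <sales@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("This is a reminder that your account balance of $5746.80 was "
                    "overdue as of 28 April 2016.\nEnclosed is a statement of account.\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="statement_83921.zip")
    return msg.as_bytes()

def scan_message(raw: bytes) -> dict:
    """Flag the lure wording and any script files hidden inside ZIP attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    scripts = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if not (name.endswith(".zip") or data[:2] == b"PK"):  # check magic, not just the name
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                scripts += [f"{name}:{m}" for m in zf.namelist()
                            if m.lower().endswith(SCRIPT_EXTENSIONS)]
        except zipfile.BadZipFile:
            scripts.append(f"{name}:<unreadable zip>")  # damaged archives are also worth a look
    lure = bool(LURE_RE.search(text))
    verdict = "quarantine" if scripts else ("suspicious" if lure else "clean")
    return {"lure_match": lure, "scripts_in_zip": scripts, "verdict": verdict}
```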

This isn’t an unusual disguise for online criminals to spread their attacks. In fact, these simple social engineering tricks have been proven to work time and time again – which is why it is so important for all computer users to exercise caution and be suspicious of unsolicited email attachments.

What makes this particular attack interesting, however, is if you take a closer look at the obfuscated JavaScript inside the ZIP file.

Because it appears that whoever wrote the malware was unable to stop themselves from including an offensive message about Travis Witteveen, the CEO of anti-virus firm Avira, as well as a call-out to another security company – Vienna-based IKARUS Security.

“Travis Witteveen S**** N****’s c****”

Of course, neither of these companies is in any way connected to the creation of the malware. It’s part of the job that all of us in the anti-virus industry get called names by online criminals from time to time and, to be honest, it makes us feel like we must be doing something right!

VirusTotal reports that some anti-virus products are not yet identifying the malware, but Bitdefender security products detect both the ZIP and the .JS file as JS:Trojan.JS.Downloader.HU.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments

  • I am too cynical because it seems to me that another (if remote) possibility is that one of those companies has something to do with the malware, and wrote that endorsement disguised as abuse?
    Or maybe I'm suggesting this because I secretly work for another "anti"-virus company! (Except I don't, but to paraphrase Mandy Rice-Davies, I would [deny it], wouldn't I?)

  • Interesting addition to this: I got a similar email but it was supposedly a car repair bill. Problem is: I don't own a car. I of course knew it would likely be malicious, the ZIP file, and virustotal.com confirmed it (I also looked at the JavaScript file in a text editor and probably did first). Not that I would have executed it even if virustotal.com didn't show a problem. In my example it was very obviously spoofed (their attempt was absolutely pathetic and showed a great amount of ineptitude).

    REMEMBER, people: a corporation is not going to email you telling you you are late on a bill (or certainly I've not heard of that)… eBay (and similar) is/are exceptions. Even if they do they're not going to go about it this way (attached file in email) AND if they did they are being extremely irresponsible.