There is no love lost between the people who write malware and the anti-virus companies who work hard to protect innocent users against them.
And occasionally that animosity spills out into the actual malicious code written by online criminals. Sometimes it might present itself in the form of code to attempt to avoid detection by a particular product, or techniques to avoid analysis in malware labs.
But sometimes… well, it just gets a lot more personal than that. And that’s what seems to have happened in a current malware campaign arriving in many users’ email inboxes today.
Here is what a typical malicious email looks like:
Subject: RE: Outstanding Account
Message body:
This is a reminder that your account balance of $5746.80 was overdue as of 28 April 2016.
Enclosed is a statement of account for your reference.
Please arrange payment of this account today or, if you cannot make full payment at this time, please contact us to make a payment arrangement that is mutually acceptable.
Regards,
Tonia Joseph
Sales Director
Have a nice day
The name and job title of the person contacting you are randomly chosen, as are the amount that you are being asked to pay and the date on which it became overdue.
Attached to the email is a .ZIP file (again, its precise filename varies) that contains the malicious payload.
The danger is, of course, that people who receive the email may click on the attachment (presumably in a mixture of outrage and confusion that they are being asked to pay a substantial amount of money) without thinking of the consequences.
For inside the ZIP is an obfuscated JavaScript file which downloads further malicious code from the internet, designed to infect innocent victims’ PCs.
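As an added defensive example (not code from the original article), the following Python check walks a raw email message, finds ZIP attachments and reports any script files inside them, which is the shape of lure described above. The message it builds is a constructed sample: the sender addresses are made up and a harmless placeholder stands in for the real downloader.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types that a mail gateway should not let through inside a ZIP attachment.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


def zip_script_members(blob: bytes) -> list[str]:
    """Return the names of script files inside a ZIP blob.
    Only the final extension counts, so 'Statement.pdf.js' is caught as well."""
    names = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(SCRIPT_EXTENSIONS):
                    names.append(name)
    except zipfile.BadZipFile:
        # A ".zip" that does not parse is itself worth a look.
        names.append("<corrupt or non-ZIP archive>")
    return names


def flag_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and list 'attachment: member' pairs for scripts in ZIPs."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the ZIP magic bytes as well as the filename the sender chose.
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            for member in zip_script_members(payload):
                findings.append(f"{fname}: {member}")
    return findings


def build_sample_email() -> bytes:
    """Constructed lure in the style of the campaign above (not a real capture)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        # Placeholder content; the check looks at names, not at what the script does.
        zf.writestr("Statement_5746.80.js", "/* placeholder, not malicious */\n")
    msg = EmailMessage()
    msg["Subject"] = "RE: Outstanding Account"
    msg["From"] = "Tonia Joseph <sales@example.invalid>"  # made-up address
    msg["To"] = "recipient@example.invalid"                # made-up address
    msg.set_content("Enclosed is a statement of account for your reference.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Statement_5746.80.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_message(build_sample_email()))
```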
This is not an unusual disguise for online criminals spreading their attacks. In fact, these simple social engineering tricks have been proven to work time and time again – which is why it is so important for all computer users to exercise caution and be suspicious of unsolicited email attachments.
What makes this particular attack interesting, however, is what you find if you take a closer look at the obfuscated JavaScript inside the ZIP file.
Because it appears that whoever wrote the malware was unable to stop themselves from including an offensive message about Travis Witteveen, the CEO of anti-virus firm Avira, as well as a call-out to another security company – Vienna-based IKARUS Security.
“Travis Witteveen S**** N****’s c****”
Of course, neither of these companies is in any way connected to the creation of the malware. All of us in the anti-virus industry get called names by online criminals from time to time. It’s part of the job and, to be honest, it makes us feel like we must be doing something right!
VirusTotal reports that some anti-virus products are not yet identifying the malware, but Bitdefender security products detect both the ZIP and the .JS file as JS:Trojan.JS.Downloader.HU.
Hmmm, I never knew that about Travis Witteveen. Fascinating.
Am I too cynical because it seems to me that another (if remote) possibility is that one of those companies has something to do with the malware, and wrote that endorsement disguised as abuse?
Or maybe I'm suggesting this because I secretly work for another "anti"-virus company! (Except I don't, but to paraphrase Mandy Rice-Davies, I would [deny it], wouldn't I?)
Interesting addition to this: I got a similar email but it was supposedly a car repair bill. Problem is: I don't own a car. I of course knew it would likely be malicious, the ZIP file, and virustotal.com confirmed it (I also looked at the javascript file in a text editor and probably did first). Not that I would have executed it even if virustotal.com didn't show a problem. In my example it was very obviously spoofed (their attempt was absolutely pathetic and showed a great amount of ineptitude).
REMEMBER, people: a corporation is not going to email you telling you you are late on a bill (or certainly I've not heard of that)… eBay (and similar) is/are exceptions. Even if they do they're not going to go about it this way (attached file in email) AND if they did they are being extremely irresponsible.