For Love or Money—Social Engineering by W32.Ackantta.B@mm
Andy Cianciotto, Symantec Security Response 2009-02-28

Over the past two days, Security Response has observed an increase in detections of W32.Ackantta.B@mm and, subsequently, Trojan.Vundo.


W32.Ackantta.B@mm is a mass-mailing worm that gathers email addresses from a compromised computer and spreads by copying itself to removable drives and shared folders. Trojan.Vundo is typically installed by visiting a Web site link that is contained in a spam email. However, we've observed that W32.Ackantta.B@mm actually emails a zipped file containing a copy of a Trojan.Vundo dll.

The worm may arrive on the computer as “postcard.pdf.exe,” with a snowman icon:

[Image: the postcard.pdf.exe attachment shown with a snowman icon]

Once the worm is executed, it may display an image of cartoon animals, such as the following:

[Image: cartoon animals displayed by the worm after execution]

Yet again, attackers are taking advantage of the global economic environment by using social engineering to entice users to open malicious email attachments. Some of the observed subjects include the following:

Job offer from Coca Cola!
Thank you for your application


The attackers have also attempted to appeal to the desire for friendship by using the time-tested technique of malicious e-card subjects, such as the following:

You have got a new E-Card from your friend!
You have received A Hallmark E-Card!


In particular, we've observed the attachments listed below. We expect that—as is common with social engineering techniques—these attachments could change:

copy of your CV.zip
e-card.zip
job-application-form.zip
postcard.zip
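
The lure pattern described above (a known e-card or job-application subject, a zip attachment with one of the listed names, and an executable hiding behind a document extension such as postcard.pdf.exe inside it) can be checked at a mail gateway. The following is an added example written for this article, not Symantec's detection logic; the sample message it builds is constructed, and the indicator lists are taken from the article rather than from any live feed.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the article; the matching logic itself is a hypothetical illustration.
LURE_SUBJECTS = [r"job offer", r"thank you for your application", r"e-card"]
LURE_ATTACHMENTS = {"copy of your cv.zip", "e-card.zip",
                    "job-application-form.zip", "postcard.zip"}

def suspicious_members(zip_bytes):
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            if len(parts) >= 3 and parts[-1] in ("exe", "dll"):  # e.g. postcard.pdf.exe
                found.append(name)
    return found

def score_message(raw):
    """Return the reasons a raw RFC 5322 message matches the lure pattern (empty list = no match)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").lower()
    if any(re.search(p, subject) for p in LURE_SUBJECTS):
        reasons.append("lure subject: " + subject)
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname in LURE_ATTACHMENTS:
            reasons.append("known lure attachment name: " + fname)
        if fname.endswith(".zip"):
            try:
                hidden = suspicious_members(part.get_payload(decode=True))
            except zipfile.BadZipFile:  # truncated or malformed archive is itself worth flagging
                reasons.append("unreadable zip attachment: " + fname)
                continue
            for member in hidden:
                reasons.append(f"double-extension executable in {fname}: {member}")
    return reasons

def build_sample(member="postcard.pdf.exe", subject="You have got a new E-Card from your friend!",
                 attachment="postcard.zip"):
    # Constructed sample message mimicking the lure; the zip member is placeholder bytes, not malware.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "sender@example.com", "user@example.com"
    msg.set_content("See the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment)
    return msg.as_bytes()
```

Calling score_message(build_sample()) reports all three indicators for the constructed lure, while a benign zip such as build_sample("report.pdf", "Quarterly report", "report.zip") produces no reasons.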


As a result of this increased activity, we've released more aggressive heuristics that detect and block hundreds of Trojan.Vundo variants. We have also increased the Risk Level of Trojan.Vundo from Level 1 to Level 2.

Based on our submission data, it appears that the worst of this attack is behind us, as detection levels appear to be decreasing. We plan to keep a vigilant eye on the current activities and any new developments. Stay tuned.

Note: My thanks to Angela Thigpen for her assistance with the research on this threat and information provided in this article.

Copyright 2009, SecurityFocus