Friday, February 15, 2008

Happy Valentine's Day


"When Love Comes Knocking" is a lovely title for a message. I'm a single guy, so there is no way on earth that I could receive this from a real lover.

Well, since there are hundreds of single guys who are receiving this every Valentine's Day, they will get curious about the identity of the sender, so they will definitely open the message and drink the poison slowly.


This is one of the best spam/phishing techniques to convince people to open the mails, because we are human beings and we like to discover new things: discover the unknown.


This was the subject of one of the many spam mails I get every day in my Gmail account. The interesting part is that the mail details were the following:


Subject: When Love Comes Knocking

Sender: clariflas@ncprecisionfitness.com <<<--- First rule: unknown to me

Body:

Love Remains http://75.132.xxx.xxx/ <<<<----- Oh man, wait, here we got an IP-based URL. So this is not an official registered domain name; it should be another compromised host on the Internet. So I said to myself, this is cool ... let's hunt.

Tools of the trade:

Malzilla: The night-hunter's tool to discover malicious domains/IPs/URLs in a safe way. You can parse links / IFrames and decode JavaScript that hides executables behind it. No need for VMware images anymore, unless you want to execute the real malware sample to see what will happen.


Let's get back to the mail, and see the screenshots of the analysis:

After getting the suspicious URL, we inspect it using Malzilla:

Let's discover the URL:






So, after getting the malware name as "Valentine.exe", let's see what we can get from the antivirus vendor pages.



Malware type: Worm

Aliases: Email-Worm.Win32.Mydoom.al (Kaspersky), W32/Kipis.h@MM (McAfee), W32.Kipis.J@mm (Symantec), Worm/Mydoom.AR (Avira), W32/Kipis-H (Sophos)

In the wild: Yes



So be careful guys, follow these rules for secure e-mail reading:


  1. Don't ever open URLs from people you don't trust.

  2. Don't ever open URLs in the form of an IP address like http://23.444.xxx.xxx/, because this will be a compromised (malware-infected) host.

  3. Install McAfee SiteAdvisor to protect against opening malicious URLs / sites.

  4. Get a good anti-spam software / appliance to filter unwanted e-mails.

  5. Educate your users / customers to follow the basics of secure e-mail reading.
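Rules 1 and 2 are easy to make mechanical. The following Python script is an added example (not from the original post) that parses a message constructed to look like the one above and flags an unknown sender and any URL whose host is a bare IP address; the sender, recipient, IP address and trusted list are placeholders, not real indicators.

```python
import email
import email.utils
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample mail modelled on the post; addresses are placeholders.
SAMPLE_MAIL = """\
From: clariflas@example.invalid
Subject: When Love Comes Knocking

Love Remains http://203.0.113.45/
"""

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
DOTTED_QUAD_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def is_ip_host(url):
    """True when the URL's host is an IP literal rather than a registered name.

    Also flags dotted quads with out-of-range octets (e.g. 23.444.1.1),
    which ipaddress rejects but which are still not a domain name.
    """
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return DOTTED_QUAD_RE.fullmatch(host) is not None


def triage(raw_message, trusted_senders):
    """Apply rules 1 and 2 to one raw RFC 5322 message; [] means neither fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in {s.lower() for s in trusted_senders}:
        findings.append(f"rule 1: sender {sender!r} is not in the trusted list")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop punctuation glued to the link
        if is_ip_host(url):
            findings.append(f"rule 2: IP-based URL {url}")
    return findings
```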

And a Happy Safe Valentine's Day ... ;)