Spiderlabs, the malware research team at Trustwave, has analysed one of these spam emails: a spoofed notification claiming to come from booking@qantas.com.au.
The covering letter, which contains none of the grammatical and typographical errors typical of many spam mailings, looks professional and genuine and displays the Qantas logo. The subject line in this instance is ‘Booking reference 46810991.’ Needless to say there is a zipped attachment, which contains an executable of the Andromeda bot loader.
“You must print the receipt provided and bring it with you when you check-in at the airport, as proof of purchase. A print out of the ‘Manage Your Booking’ page will not be accepted.” Any recipient who has actually booked a flight on Qantas could quite easily be tempted to open the attachment; other targets might do so out of curiosity. SpiderLabs’ advice is ‘don’t’. “Just be distrustful when you see unsolicited email in your inbox especially if you do not expect it,” warns Rodel Mendrez in a blog posting yesterday.
Anyone who does open the attachment will unknowingly run the Andromeda bot loader. This drops malware onto the infected system, and creates an autorun registry entry to ensure execution following a reboot. It also adds an entry to the Windows firewall exception list to allow the malware to phone home and download further malware.
If the malware successfully opens communication with its C&C server, in this instance it fetches Zeus/Zbot – one of the original and most successful of the banking trojans. Zeus was first detected in 2007. It seeks to steal account details via man-in-the-browser keystroke logging and form grabbing. Once it is installed it is difficult to either detect or remove; and the best defense is to avoid infection. It was once estimated that 3.6 million PCs were infected in the US alone.
“Cybercriminals have been actively spamming out Andromeda loaders for the past year,” warns Mendrez. In fact, Qantas issued its own warning via Facebook in December 2012: “Authentic Qantas 'Seat Selection' emails will contain your name and booking details and will not include an attachment.” But of course Qantas is not the only ‘lure’, and users need to be vigilant with all emails.
“Most of the time the spam campaigns are very legitimate looking. It may be hard to spot whether it’s a malicious email. But if you are cautious, you will easily tell a legitimate and a fake email,” says Mendrez. He suggests seeking to verify the sender before opening an attachment; but if in doubt, “just delete it and you should be fine. And also, avoid clicking on links in the email.”