“This month, the URLs linked from these sham messages point directly to a Zip file containing the malware,” explained Andrew Brandt, a researcher at Solera Networks. “That’s an abrupt change from March, when exploit kits using a similar social engineering hook delivered the malware variously called Cridex or Bublik, which in turn downloaded a raft of password stealers.”
The message content remains relatively static, but the links constantly shift across a long list of websites that belong neither to the company named in the bogus email nor to the malware distributor, Brandt found. The URLs follow a consistent naming convention, but the links only remain active for a short period of time (typically less than a day).
“With so many stolen Web sites available, the malware distributors don’t seem to be all that bothered,” Brandt said. “We’ve seen at least 126 separate web domains used in this campaign since the beginning of the month. All of them are owned by small businesses, organizations or individuals.”
Solera first noticed the new tactic on April 4, when it received an email in one of its spam collection points with malicious URLs embedded.
Interestingly, infected computers don’t phone home immediately after executing the malware, but instead wait from five to 20 minutes before “exploding with a flood of beaconing, from five to 10 connection attempts per minute,” Brandt noted.
The malware runs under a hooked instance of svchost.exe, which in turn spawns the default text editor and displays this little message: “Mark Smith of Los Angeles has been a very busy person.”
The April attacks are a variant on an older scheme. PandaLabs, Panda Security’s anti-malware laboratory, first detected Kuluoz as part of a Christmas scam campaign that involved a fake FedEx delivery message aimed at tricking users into downloading the worm and a fake antivirus program called “System Progressive Protection.”
“With the start of the Christmas season, many consumers go searching for gifts for their loved ones, often on the internet,” said Luis Corrons, technical director of PandaLabs. “Unfortunately for users, cyber-criminals know this and leverage this time of the year to spread malicious emails aimed at tricking users and stealing their money.”
The spam message purports to come from FedEx, and contains a link to download a “receipt” for the user to collect the package that has supposedly been delivered to them. However, if the user clicks on the link, they are taken to a web page that downloads a .zip file named “Postal Receipt”. This file contains an executable with a Microsoft Word icon that downloads a variant of the Kuluoz.A worm, which in turn tries to connect to a remote server in order to receive commands from attackers and perform several malicious actions on the affected computer, including running files.
Once run, the worm opens Notepad, displaying a blank page to make users believe they are running a legitimate file. In addition, it downloads a fake anti-virus program called “System Progressive Protection,” which simulates a computer scan. The scan reports a number of infections and prompts the user to buy the anti-virus to remove them. However, this is just a scam aimed at stealing victims’ money, as none of the reported infections are real and the ‘anti-virus software’ is fake.
To avoid getting infected by this malware, as with other social engineering-led campaigns, consumers and webmasters alike should make sure that their anti-virus products are updated to the latest signatures, and they should be very wary of unsolicited emails, as always.
The good news is that it has a fairly high rate of detection. “The Kuluoz signal-to-noise ratio is really, really low,” Brandt said. “Fortunately, the large amount of noisy traffic makes it really easy to find infected systems.”
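The beaconing pattern Brandt describes (a quiet delay, then five to 10 connection attempts per minute) is the kind of signal a defender can hunt for in outbound-connection logs. The following is an added example, not code from Solera Networks or the article; it assumes a simple constructed log format of `<timestamp> <source host> <destination:port>` and flags hosts whose per-minute attempt rate stays high across several minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample outbound-connection log: '<timestamp> <source host> <dest:port>'.
    10.0.0.7 is a quiet, normal host; 10.0.0.5 imitates the article's burst of
    5-10 connection attempts per minute (here 8/min for three minutes)."""
    lines = ["2013-04-04T10:00:01 10.0.0.7 203.0.113.10:80",
             "2013-04-04T10:12:40 10.0.0.7 203.0.113.11:443"]
    base = datetime(2013, 4, 4, 10, 15, 0)
    for minute in range(3):
        for i in range(8):
            ts = base + timedelta(minutes=minute, seconds=i * 7)
            lines.append(f"{ts.isoformat()} 10.0.0.5 198.51.100.{20 + i % 3}:8080")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, source host, destination) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, dst = line.split()
        events.append((datetime.fromisoformat(ts), host, dst))
    return events


def connections_per_minute(events):
    """Count connection attempts per (source host, minute bucket)."""
    counts = defaultdict(int)
    for ts, host, _ in events:
        counts[(host, ts.replace(second=0, microsecond=0))] += 1
    return counts


def peak_rate(events, host):
    """Highest attempts-per-minute seen for one host (0 if the host never appears)."""
    per_minute = connections_per_minute(events)
    return max((n for (h, _), n in per_minute.items() if h == host), default=0)


def flag_beaconing_hosts(events, per_minute_threshold=5, min_busy_minutes=2):
    """Hosts whose attempt rate meets the threshold in at least min_busy_minutes
    distinct minutes. Requiring several busy minutes filters one-off spikes such as
    a browser fetching a page with many embedded resources."""
    busy_minutes = defaultdict(int)
    for (host, _), n in connections_per_minute(events).items():
        if n >= per_minute_threshold:
            busy_minutes[host] += 1
    return sorted(h for h, m in busy_minutes.items() if m >= min_busy_minutes)


if __name__ == "__main__":
    sample = parse_log(build_sample_log())
    print("suspected infected hosts:", flag_beaconing_hosts(sample))
```

Thresholds are tuned for the constructed sample; on real proxy or firewall logs, baseline the normal per-host rate first and raise the threshold accordingly.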