Spammers disguise malware as Vodafone MMS email

11/08/2012
G DATA Blog

Attackers have sent out a huge number of email messages containing a malicious attachment that poses as a Vodafone MMS picture. The alleged picture turns out to be an executable Trojan backdoor.

The email includes original links to Vodafone websites, which makes it a lot less suspicious for spam filters and explains why so many users have initially received the email.

Screenshot of a spam email with a malicious attachment, disguised as a Vodafone MMS message


The telephone numbers given in those mails vary, but the gist always remains the same: the recipient is asked to open the attached file, which is said to be a picture. Unzipping the archive reveals a file called Vodafone_MMS.jpg.exe – again, the attackers try to mask the executable file with the “.jpg” file extension, and users who do not have file extensions displayed in their Windows system might fall for this trick.

Interesting: This time, the attackers did not set a .jpg file icon to make this trick even more authentic. The file icon remains that of a normal application, matching the real file type: .exe! This is a hint for the attentive user that there is something wrong with this MMS attachment.
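A mail gateway or triage script can catch the naming trick described above regardless of the recipient's Explorer settings. The following is an added example, not part of the original G DATA post; the extension lists, the function names and the sample archive (inert placeholder bytes) are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs directly, and harmless-looking ones used as decoys (assumed lists).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def split_extensions(name):
    """Return the last two extensions of an archive member name, lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return ["." + p.strip() for p in base.lower().split(".")[1:]][-2:]


def inspect_zip(data):
    """Flag members that pose as pictures/documents but are executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = split_extensions(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # DOS/PE header magic bytes
            reasons = []
            if len(exts) == 2 and exts[0] in DECOY_EXTS and exts[1] in EXECUTABLE_EXTS:
                reasons.append("double extension")
            if is_pe and last not in EXECUTABLE_EXTS:
                reasons.append("PE header without an executable extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample archive mirroring the attachment layout in this post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Vodafone_MMS.jpg.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("notes.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()):
        print(name, "->", ", ".join(reasons))
```

The second check also catches the variant where the executable is simply renamed to a picture extension, which the file name alone would not reveal.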

The malware:

The current file is detected as Trojan.Generic.KDV.780689 (Bitdefender) and Win32:Karagany-MX [Trj] (Avast). It is a kind of dropper/malware installer/loader.
It registers itself in

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched

and it also drops a copy of itself into the system:

%Users%\All Users\svchost.exe

With this technique it can survive computer reboots. Obviously, the original Windows system file named svchost should be located in C:\Windows\System32, nowhere else!

The file stays resident in memory, and this is where the dropping takes place: the Vodafone_MMS file has another PE file embedded in its code, which is encrypted twice. This PE file is decrypted, written into memory and executed. Its function: the malware starts to listen on port 8000 and waits for incoming instructions. G Data scanners detect this second file as Trojan.Gamarue.E (Bitdefender) and Win32:Citadel-K [Trj] (Avast).

Confusing function set:

Our analysis did not show any other activity of this malware. It only listens on port 8000; it does not attempt to send out any identifying information about the infected machine, which would tell the attacker where to send the instructions.

Conclusion:

The initial file and the dropped file are both files you don’t want to have on your machine, and you don’t want them running every time your computer is working – no doubt about that. However, we have to conclude that the functionality alone is not yet harmful. But once the attacker manages to connect to the infected system, the problems start. Still, the question is: how will the attacker identify the IP(s) of the infected machine? The email spam campaign did not appear to be a targeted attack, in which the attacker might already know the target’s IP information.
Some users might have port 8000 open because they are using, for example, SHOUTcast servers or have set up a port forward from port 80. But the listening file we detected does not interact with the information, connect to any C&C server or download further malware, any of which would make sense.


What you can do:

  • Use an up-to-date, comprehensive security solution with a virus scanner, firewall, web and real-time protection. A spam filter that protects you from unwanted spam mails also makes sense.
  • Have the file extensions displayed in your Microsoft Windows operating system. Instructions for the different versions as well as a fix-it are available on the Microsoft website "How to show or hide file name extensions in Windows Explorer".
  • Do not click on links or file attachments in emails and social networks without pausing to think first. The files or website could be infected with malicious code. If a message from a friend seems strange, users should first check if it is authentic.