Dorf, Tibs and UPS - the malware spamming spree continues

Filed Under: Malware, SophosLabs, Spam

Although I spend less time than I used to processing the operational day to day malware and spam submissions, it did not take me too long this week to start appreciating work of people doing this job every day of every week.

One has to juggle between processing the incoming files queue, customer queries as well as with steady influx of new spam and malware campaigns and infected URLs. During the last few days there were several campaigns that combined spamming with malware planted on randomly compromised domains. On the other hand some campaigns simply sent new malware samples as attachments to email messages. It is a busy week.

I am pleased that most of the Dorf files are proactively detected as Mal/EncPk-DA which means our customers are protected without updates to our products but it also leaves a feeling of unease since we also want to block the messages using anti-spam rules. Dorf email messages are a bit difficult to block based on the content. Some of them include excerpts from the legitimate documents, some simply link to an infected file hosted on a compromised site and some combine the link with a MUA signature identical to the legitimate signature. The number of generated messages is high and it can take up to 30 minutes to get things fully under control and all messages detected as spam.

The mechanism used to construct Dorf emails is not known to me but I would love to be able to analyse it. It seems to me that it uses techniques similar to some random text generators. Here are some subjects and contents observed in today's Dorf campaign:

Myanmar declares hate for Americans
Hurricane Dolly causes millions of damage
Politician caught in Asian massage parlor
Pitt sues paper over photos leak
Black widow found guilty of killing 5 ex husbands
Sex and the City star found brutally murdered
Cambodia declares hate for Americans
Free cars for every house purchased
Guam B52 crash - miracle survivor found
Cambodia declares hate for Europeans
Christian Bale re-arrested after resisting arrest
Fox Mulder no longer attractive
Red Sox fans run rampage in Times Square
Photos of your wife cheating you
North Korea launches missiles at South Korea
Male escort service hiring now Feel free to enroll
Daughter sets dogs on millionaire father
Court rules lesbians are different from lesbos
Lottery winner attacked by pit bulls
Cambodia declares war on Thailand
Wii console explodes causing death
Pet rabbit saves owners from fire
Monkeys taught to handle a gun
MSN messenger found to have spyware

From the subjects it would seem that Cambodia is quite an aggressive little country, but I have been there this year and I can assure you that Cambodians are a very peaceful bunch these days and a visit to Angkor temples is highly recommended.

Meanwhile, Tibs-related emails carry the following subject line:

Anjelina Jolie XXX Video Free

with a text body that links to an infected file hosted on a compromised site.

Anjelina Jolie seems to be a recurrent theme between the Dorf (that often include a nude photo of the film actress) and Tibs malware campaigns. The style of both campaigns is very similar and once again indicates that both malware families are related.

The UPS malware spamming uses more of a classical way of spreading - as an attachment to an email message. It pretends to be an invoice and sends mesages in English and German, with an attachment being a ZIP file. We have released a detection for yesterday's and today's variants as Troj/Spy-AS and Troj/Spy-AT. We will also release a generic signature soon, which should be able to detect the future variants without an update.

You might like

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.