‘Shipping confirmation’ malware.


On the surface, things would appear to have been fairly quiet so far today. Not too many samples requiring attention and not much in the way of new, aggressive spam campaigns. But in terms of malware distribution, today has just been business as usual. Thankfully, proactive detections are thwarting the attackers’ efforts.

The mass-spamming of Bredo variants has continued all morning, with the messages now using a shipping confirmation theme, an evolution of the previous DHL and UPS themed messages.

The message within the spam entices the recipient to open the ZIP attachment, for example:

Thankfully, Sophos customers are protected from this threat – in addition to blocking the messages as spam, the malware itself is proactively detected (as Mal/Bredo-A, Mal/BredoZp-A and Troj/BredoZp-C).

If the malware were to be executed on an unprotected machine, it would proceed to report home for further commands. This ‘callhome’ would be blocked for customers running the Sophos web appliance – the remote site is already known and classified as a known C&C point. Job done.