There are two major methods malware writers use to infect and take control of remote systems. The first relies on exploiting unpatched vulnerabilities in software such as a web browser, or configuration vulnerabilities such as weak passwords. The second relies on vulnerabilities of the human condition. We humans have a need to be liked, by our friends, family and colleagues but also by complete strangers who often send us greetings for major holidays like Easter, Christmas or New Year's Day. Social engineering has been proven to work and it remains a major weapon in the attacker's arsenal. I was not too surprised when I found this message today in one of our spam feeds. It was only a matter of time before Christmas-related spam messages linking to malware reappeared.
I was curious to find out more about the linked file, which was hosted on a server located in Austria that was configured to reject download requests once the file had been delivered. I managed to download a relatively large WinRAR self-extracting archive, which made me think that it could be one of the Zapchas variants. Zapchas usually contains several malicious components with the common purpose of recruiting the infected system into a botnet.
My suspicions proved correct, since the individual malicious components were already detected as Troj/Agent-FWS, Mal/Zapchas-C and Troj/Mirchack-A. I had some time for a quick analysis before I created detection for the dropper. Once run, the malware starts the Flash Player to show a greeting animation unrelated to Christmas. The message is nice enough, so I was willing to forgive the spelling mistake.
The actual malicious activity occurs as soon as the animation is closed. The malicious components try to hide themselves by copying to the c:\RECYCLER folder and then connect to an IRC server hosted in the USA. This is where the nice greetings end and the reality of having to remove malicious components that have recruited our computer into a botnet kicks in. As Christmas gets closer we can certainly expect more Christmas-themed attacks, and we should all be especially cautious about electronic cards arriving in our mailboxes in this period. I have added detection for the dropper as Troj/Zapchas-EO.
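The two behaviours described above, an executable dropped into and launched from the RECYCLER folder followed by an outbound IRC connection, are the kind of thing an endpoint or network log review can flag. The following is an added example, not code from the original post or from Sophos: a small triage script over a constructed, simplified event log. The log format (`time|event|pid|detail`), the sample events, the placeholder IRC host name and the assumption that the bot used the standard IRC port range are all mine; the post does not give the server address or port.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified "time|event|pid|detail" format.
# The values are made up for this example; the real IRC server used by the
# Zapchas sample is not given in the post, so a placeholder host is used.
SAMPLE_EVENTS = """\
10:01:05|FileCreate|1234|C:\\RECYCLER\\svchost.exe
10:01:06|ProcessStart|1300|C:\\RECYCLER\\svchost.exe
10:01:09|NetConnect|1300|irc.example-placeholder.invalid:6667
10:02:00|FileCreate|2000|C:\\Users\\alice\\Documents\\report.docx
10:02:10|ProcessStart|2100|C:\\Program Files\\Browser\\browser.exe
10:02:11|NetConnect|2100|www.example.com:443
"""

# Executables written to or started from the (any drive) RECYCLER folder.
RECYCLER_RE = re.compile(r"^[a-z]:\\recycler\\", re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(exe|dll|scr|bat|cmd)$", re.IGNORECASE)
# Assumption: the bot talks to a server on a conventional IRC port.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}


@dataclass
class Finding:
    time: str
    pid: int
    reason: str
    detail: str


def parse_event(line):
    """Split one 'time|event|pid|detail' line into its four fields."""
    time, kind, pid, detail = line.split("|", 3)
    return time, kind, int(pid), detail


def triage(log_text):
    """Return a list of Findings for the suspicious events in log_text."""
    findings = []
    suspect_pids = set()  # processes that were started from RECYCLER
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        time, kind, pid, detail = parse_event(raw)
        if kind in ("FileCreate", "ProcessStart"):
            if RECYCLER_RE.match(detail) and EXECUTABLE_RE.search(detail):
                findings.append(Finding(time, pid, f"executable {kind} under RECYCLER", detail))
                if kind == "ProcessStart":
                    suspect_pids.add(pid)
        elif kind == "NetConnect":
            host, _, port = detail.rpartition(":")
            if port.isdigit() and int(port) in IRC_PORTS:
                reason = "outbound IRC connection"
                if pid in suspect_pids:
                    reason += " from process started under RECYCLER"
                findings.append(Finding(time, pid, reason, detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.time} pid={f.pid}: {f.reason} ({f.detail})")
```

Run against the constructed sample this reports three findings: the file written to RECYCLER, the process started from it, and that process's IRC connection; the document write and the browser's HTTPS connection are ignored. On a real host the same logic would be applied to Sysmon or EDR file, process and network events rather than this toy format, and the IRC port list should be treated as a heuristic, since a bot can be told to use any port.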