By Andrew Brandt
As autumn approaches, the world typically sees an increase in the number of online shopping trips, as people take advantage of bargains from late-year sales, and prepare for various holidays. And, right on cue, we’re also seeing an increase in the number of Trojans distributed in the guise of “shipping confirmation” email messages. And these Trojans are packing a triple threat of backdoors designed to steal logins and take command of infected PCs.
The Trojan arrives attached to a vaguely-worded email message thanking the recipient for their order of a high-ticket item. Previous versions of this same kind of message were crafted as though the message source was one of the major shippers, such as FedEx, UPS, DHL, or the US Postal Service, and the message (purportedly) contains tracking information.
But these new versions appear to come directly from an online retailer, with attached files in the form of a zip archive containing an executable with an icon that makes it look like an Office document, such as an Excel spreadsheet. These email messages also imply that the document contains tracking information, but they give the user an extra nudge to open the file by telling the user to “print the label to get your package.”
Um, wait, what? Why would I need to print a label to receive a package? That makes no sense whatsoever. Do the malware authors think we’re dumb, or what? No, don’t answer that, because we’re not dumb. They’re using psychology against us.
The effectiveness of a trick like this comes from the wide range of possible reasons someone might have to justify opening the attachment when they see this kind of email drop in. Whether you want to claim a gift you think you’ve received from someone, you’re worried you might be a victim of fraud, want to be helpful and tell the retailer that they got the wrong email address, want to claim this mistaken order for an expensive gift as your own, or just be nosy and want to see what someone else ordered from a store, the initial reaction of many people is going to be the same: Open the file and take a look inside.
Wrong move. Once you’ve done that, it unleashes its payload on your PC. And this payload is a doozy: It includes three separate backdoors, Trojan-Backdoor-Progdav (aka Zeus, one of the most widely distributed backdoors on infected computers); Trojan-Backdoor-Stinkbreath (aka BredoLab); and Trojan-Glecia, a browser-hijacking keylogger which appeared for the first time earlier this year (and refers to itself in the Registry as “Microsoft Online Helper!“). With helpers like these, who needs enemies?
The installation of any of these permits the person behind this scheme remotely operate your computer (to engage in other criminal activity, send spam, and/or steal passwords); All three on a single computer is a recipe for disaster. In effect, the malware distributor behind this is ramping up to earn some serious holiday income—at your expense.
The installers we’ve seen aren’t actual Excel spreadsheets performing some sort of novel exploit against Office applications; Typically, it’s just a regular application, with a .exe extension, with the file modified to use an Excel document icon. That is about the oldest trick in the Social Engineering book, dating back to Windows 9x days. But since many people, even in the Windows Vista era, still don’t have their computer set up to view file extensions, it’s easy to be fooled. To make sure you can see file extensions on your PC, choose the Folder Options item from the Tools menu in any Explorer window. Click the View tab, uncheck the “Hide extensions for known file types” option, then click OK.
Bottom line, you should never open any attachment you’re not expecting to receive, and you should never open any executable program that’s been attached to an email, period. The bad guys behind this scheme want to make this a fantastically lucrative holiday for themselves, no matter what it costs you. Don’t give them the satisfaction, or the opportunity.