New malware vector: short-circuit victims' rational thought with fake IRS notices!
I'm not quite smart enough to do real malware analysis like foxgrrl does, but ever since the days of the "I Love You" virus, I've been tremendously amused by the social-engineering tricks that malware authors use to trick victims into opening their payloads. Tonight I received one that struck me as especially clever: a fake "Notice of Underreported Income" letter with a link to a page where the target (my company) is prompted to download an .exe which purports to be the tax statement. The page -- which is now down, and I'm sorry I didn't get a screenshot -- is a well-done mockup of the IRS' own site, but it's actually a PHP page hosted on www.irs.gov.vdsl.im. Ha ha!
I saved the offending .exe and ran it through a decompiler. From the sheer number of CryptoAPI symbols and symbols related to Windows file handling present, I'm guessing it's some kind of "encrypts your whole hard drive" ransomware. There are also several other symbols, such as BuildImpersonateExplicitAccessWithNameW, which suggest that the original source language was Delphi. (Aside: why the hell is Delphi such a popular language among malware authors? Some of the most eye-poppingly awful source I've ever seen -- in a 2004-era issue of 2600, amusingly -- was somebody's attempt at a rootkit written in Delphi. The author waxed rhapsodic about how great it was that a Delphi compiler could be had for free on a CD-ROM that came with some magazine that was on the stands at that time. This further cements my opinion that malware authors these days are nothing more than a combination of the worst aspects of script kiddies and cut-and-paste wannabe programmers. If you're trying to write something for Win32 without access to Visual Studio or one of those other closed-source compilers, either learn cygwin/MinGW or get off my lawn. Amateurs.)
More than that I do not know, as figuring out what a program does from its representation in assembler is beyond me. If any of my Faithful Readers want a look at it, I'll be happy to send them a copy.
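The import-table triage described above (lots of CryptoAPI plus file-handling imports suggesting file-encrypting ransomware) can be done without a decompiler by reading the PE import directory directly. The following is an added example, not the post's code and not the actual sample: it builds a minimal, constructed PE32 image whose only content is an import table (the DLL and symbol names in SAMPLE_IMPORTS are hypothetical, chosen to match the post's description), parses that table back out with nothing but the standard library, and applies the crypto-plus-file-I/O heuristic. The parser handles real PE32 and PE32+ files too; the builder exists only so the block runs offline.

```python
"""Static import-table triage for a PE, stdlib only (added example, not the post's code)."""
import struct

SEC_RVA, SEC_OFF = 0x1000, 0x200            # one section, RVA 0x1000 <-> file offset 0x200
SAMPLE_IMPORTS = {                           # constructed, NOT dumped from the real sample
    "ADVAPI32.dll": ["CryptAcquireContextW", "CryptEncrypt", "BuildImpersonateExplicitAccessWithNameW"],
    "KERNEL32.dll": ["CreateFileW", "WriteFile", "FindFirstFileW"],
}
CRYPTO_PREFIXES = ("Crypt", "BCrypt", "NCrypt")
FILE_APIS = {"CreateFileW", "ReadFile", "WriteFile", "FindFirstFileW", "FindNextFileW", "MoveFileExW"}


def _pad(buf, n):
    while len(buf) % n:
        buf += b"\0"


def build_sample_pe(imports):
    """Build a minimal PE32 whose .idata section holds import descriptors for `imports`."""
    n = len(imports)
    body, desc = bytearray(), bytearray()
    body_base = SEC_RVA + 20 * (n + 1)       # descriptors (20 bytes each + null terminator) come first
    for dll, names in imports.items():
        name_rvas = []
        for api in names:                    # hint/name entry: 2-byte hint, ASCIIZ name, even-aligned
            _pad(body, 2)
            name_rvas.append(body_base + len(body))
            body += b"\0\0" + api.encode("ascii") + b"\0"
        _pad(body, 4)
        thunks_rva = body_base + len(body)   # one table serves as both OriginalFirstThunk and FirstThunk
        for rva in name_rvas:
            body += struct.pack("<I", rva)
        body += b"\0\0\0\0"
        dll_rva = body_base + len(body)
        body += dll.encode("ascii") + b"\0"
        desc += struct.pack("<IIIII", thunks_rva, 0, 0, dll_rva, thunks_rva)
    desc += b"\0" * 20
    section = desc + body
    _pad(section, 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, PE32 optional hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, SEC_RVA, len(desc))        # data directory[1] = import table
    sec_hdr = b".idata\0\0" + struct.pack("<IIII", len(section), SEC_RVA, len(section), SEC_OFF) + b"\0" * 16
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return hdr + b"\0" * (SEC_OFF - len(hdr)) + bytes(section)


def _rva_to_off(rva, sections):
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} maps to no section")


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(pe):
    """Return {dll: [symbol or '#ordinal', ...]} from a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dd = opt + (112 if pe32plus else 96)     # data directories follow the optional header body
    imp_rva = struct.unpack_from("<I", pe, dd + 8)[0]
    sections = []
    for i in range(nsec):
        _, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, raw_ptr, raw_size))
    thunk_fmt, ord_bit = ("<Q", 1 << 63) if pe32plus else ("<I", 1 << 31)
    imports, off = {}, _rva_to_off(imp_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, off)
        if not (oft or name_rva or ft):
            break
        names, thunk = [], _rva_to_off(oft or ft, sections)
        while True:
            entry = struct.unpack_from(thunk_fmt, pe, thunk)[0]
            if entry == 0:
                break
            names.append(f"#{entry & 0xFFFF}" if entry & ord_bit
                         else _cstr(pe, _rva_to_off(entry, sections) + 2))  # +2 skips the hint
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(pe, _rva_to_off(name_rva, sections))] = names
        off += 20
    return imports


def triage(imports):
    """The post's heuristic: CryptoAPI imports alongside file I/O imports."""
    crypto = sorted(s for names in imports.values() for s in names if s.startswith(CRYPTO_PREFIXES))
    file_io = sorted(s for names in imports.values() for s in names if s in FILE_APIS)
    verdict = ("crypto and file I/O both imported: consistent with file-encrypting ransomware"
               if crypto and file_io else "no crypto + file I/O combination")
    return {"crypto": crypto, "file_io": file_io, "verdict": verdict}


if __name__ == "__main__":
    print(triage(parse_imports(build_sample_pe(SAMPLE_IMPORTS))))
```

Two caveats a practitioner would add: a packed sample shows only the packer's imports (often just LoadLibrary/GetProcAddress), so an empty result means "unpack first", not "benign"; and symbols such as BuildImpersonateExplicitAccessWithNameW are ordinary Advapi32 exports that any Win32 binary can import, so the import list alone does not identify the source language.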
And, of course, if you receive what appears to be a threatening email from the IRS, take a close look at the links in the message, and examine the email headers as well. (In this particular case, an email that was really from support@mail.irs.gov would not have a Return-Path header of scubaedrs530@shatneresque.com. It's also important to look at the Received headers -- particularly the last one, i.e. the bottom-most, which is the earliest hop and records the IP the message originated from; bear in mind that the sender controls everything below the Received line your own mail server added, so only the hops recorded by servers you trust are reliable. In this case, it came from 95.58.33.236, which looks to be a metro broadband network in Kazakhstan. Again, not the kind of place the IRS is likely to be sending anything from.)
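The header checks above (From vs. Return-Path mismatch, and walking the Received chain from the bottom to find the originating IP) are easy to script. This is an added example, not the post's code: the raw headers are a constructed sample that reuses the addresses quoted in the post, while the intermediate relay (mail.example.org / mx.example.net), the timestamps, and the bottom-most loopback hop are invented to show a realistic multi-hop chain. It skips non-routable hops when picking the origin, which is the common failure mode when the first Received line was written by the sender's own internal relay.

```python
"""Phishing header triage: sender mismatch and origin IP from the Received chain (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; the relay hosts, ids and times are invented, the sender
# addresses and origin IP are the ones quoted in the post.
SAMPLE_HEADERS = "\n".join([
    "Return-Path: <scubaedrs530@shatneresque.com>",
    "Received: from mail.example.org (mail.example.org [192.0.2.10])",
    "\tby mx.example.net with ESMTP id 1Tq2a-0001-Bx",
    "\tfor <victim@example.net>; Tue, 5 Mar 2013 21:02:11 -0600",
    "Received: from [95.58.33.236] (helo=mail.irs.gov)",
    "\tby mail.example.org with smtp id 7f3c21",
    "\tfor <victim@example.net>; Tue, 5 Mar 2013 21:02:03 -0600",
    "Received: from localhost (localhost [127.0.0.1])",
    "\tby 95-58-33-236.example-kz.net with ESMTP id 0001",
    "\tfor <victim@example.net>; Tue, 5 Mar 2013 21:01:58 -0600",
    'From: "Internal Revenue Service" <support@mail.irs.gov>',
    "Subject: Notice of Underreported Income",
    "",
])

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _domain(addr):
    """Domain part of an RFC 5322 address field, lower-cased ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def hop_ips(msg):
    """IP from the 'from' clause of each Received header, oldest hop first.

    Received headers are prepended as the mail travels, so the bottom one in the
    raw message is the earliest hop; reversed() walks them chronologically.
    """
    ips = []
    for rec in reversed(msg.get_all("Received") or []):
        from_part = re.split(r"\s+by\s+", rec, maxsplit=1)[0]   # ignore the 'by <relay>' side
        m = IPV4.search(from_part)
        if m:
            ips.append(m.group(1))
    return ips


def origin_ip(msg):
    """Earliest hop with a routable address; loopback/private relays are skipped."""
    for ip in hop_ips(msg):
        if ipaddress.ip_address(ip).is_global:
            return ip
    return None


def triage_headers(raw):
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "mismatch": from_dom != rp_dom,
        "hops": hop_ips(msg),
        "origin_ip": origin_ip(msg),
    }


if __name__ == "__main__":
    print(triage_headers(SAMPLE_HEADERS))
```

Run it against the raw source of a suspicious message (the "view original" / "show headers" option in most clients). Treat the output as signals rather than a verdict: legitimate bulk mailers also use a bounce address in a different domain from the From header, and only the Received lines added by your own or otherwise trusted servers are guaranteed not to have been written by the sender.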
ETA:
patrickat rightly points out that the IRS does not send official tax correspondence via e-mail, so you don't even have to look at the headers to know that a letter like this isn't legit.
no subject
I love all the letters purporting to be about a PayPal issue when I don't have a PayPal account.
no subject
Get off my lawn.
:)
Even funnier...
no subject
You know, technically they don't even need to be able to decrypt it. Get moniez, then run. What are they going to do, leave a negative eBay rating? "Results not as expected. Would not pay ransom again."
no subject
There's an advantage to actually recovering the victim's files -- that way the victim can be hit by the virus again. The next step should really be protection-money-ware, where if you don't pay a fee every month, your files get encrypted all over again (and you have to pay more to get them unencrypted, naturally).
no subject
I love it. (Not Delphi, I mean I have no opinion on that language other than it's a bit fringe...)
I mean did the guy program it on an Amiga too? Just to be safe.
I've always wanted to write malware that, you know, helps people. [rolls eyes].