maradydd
2010-01-26 11:22 pm

YHBW.

Observation just now from Radu Sion during the FC rump session: in the cloud, it costs about $5 million to brute-force 64 bits of symmetric key.
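The arithmetic behind a figure like that, as an added example (editor's code, not Sion's slide or the author's): cost = trials / per-core test rate / 3600 × price per core-hour. The test rate and the core-hour price below are illustrative assumptions, and Sion's own inputs are not recorded on the page, so the function is for seeing how the bill scales with key size, not for reproducing his number.

```python
# Illustrative assumptions, not the figures Sion used: what a core-hour costs
# and how many trial decryptions one core manages per second. Change to taste.
PRICE_PER_CORE_HOUR_USD = 0.10
KEY_TESTS_PER_SEC_PER_CORE = 1e8


def brute_force_cost_usd(key_bits, expected=True,
                         price_per_core_hour=PRICE_PER_CORE_HOUR_USD,
                         tests_per_sec_per_core=KEY_TESTS_PER_SEC_PER_CORE):
    """Cost of renting enough cores to brute-force a key_bits symmetric key.

    expected=True prices the average case (half the keyspace must be tried);
    expected=False prices a guaranteed search of the whole keyspace.
    Cost is linear in the number of trials, so every extra key bit doubles it.
    """
    trials = 2 ** key_bits
    if expected:
        trials /= 2
    core_hours = trials / tests_per_sec_per_core / 3600.0
    return core_hours * price_per_core_hour


def bits_within_budget(budget_usd, **kwargs):
    """Largest key size whose expected-case brute force still fits in budget_usd."""
    bits = 0
    while brute_force_cost_usd(bits + 1, **kwargs) <= budget_usd:
        bits += 1
    return bits


def cost_table(bit_sizes=(40, 56, 64, 80, 128), **kwargs):
    """Map each key size to its expected-case brute-force cost in USD."""
    return {b: brute_force_cost_usd(b, **kwargs) for b in bit_sizes}


if __name__ == "__main__":
    for bits, usd in cost_table().items():
        print(f"{bits:4d}-bit key: about ${usd:,.0f} (expected case)")
    print("key bits a $5M budget buys:", bits_within_budget(5e6))
```

Two things the function makes concrete: each additional key bit doubles the bill, and the expected case costs half the worst case, so a budget that buys 64 bits today buys one more bit every time the price per trial halves.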
maradydd
2009-10-03 11:19 pm

New malware vector: short-circuit victims' rational thought with fake IRS notices!

I'm not quite smart enough to do real malware analysis like [livejournal.com profile] foxgrrl does, but ever since the days of the "I Love You" virus, I've been tremendously amused by the social-engineering tricks that malware authors use to trick victims into opening their payloads. Tonight I received one that struck me as especially clever: a fake "Notice of Underreported Income" letter with a link to a page where the target (my company) is prompted to download an .exe which purports to be the tax statement. The page -- which is now down, and I'm sorry I didn't get a screenshot -- is a well-done mockup of the IRS' own site, but it's actually a PHP page hosted on www.irs.gov.vdsl.im. Ha ha!

I saved the offending .exe and ran it through a decompiler. From the sheer number of CryptoAPI symbols and symbols related to Windows file handling present, I'm guessing it's some kind of "encrypts your whole hard drive" ransomware. There are also several other symbols, such as BuildImpersonateExplicitAccessWithNameW, which suggest that the original source language was Delphi. (Aside: why the hell is Delphi such a popular language among malware authors? Some of the most eye-poppingly awful source I've ever seen -- in a 2004-era issue of 2600, amusingly -- was somebody's attempt at a rootkit written in Delphi. The author waxed rhapsodic about how great it was that a Delphi compiler could be had for free on a CD-ROM that came with some magazine that was on the stands at that time. This further cements my opinion that malware authors these days are nothing more than a combination of the worst aspects of script kiddies and cut-and-paste wannabe programmers. If you're trying to write something for Win32 without access to Visual Studio or one of those other closed-source compilers, either learn cygwin/MinGW or get off my lawn. Amateurs.)

More than that I do not know, as figuring out what a program does from its representation in assembler is beyond me. If any of my Faithful Readers want a look at it, I'll be happy to send them a copy.

And, of course, if you receive what appears to be a threatening email from the IRS, take a close look at the links in the message, and examine the email headers as well. (In this particular case, an email that was really from support@mail.irs.gov would not have a Return-Path header of scubaedrs530@shatneresque.com. It's also important to look at the Received headers -- particularly the last one, as this will tell you what IP the message originated from. In this case, it came from 95.58.33.236, which looks to be a metro broadband network in Kazakhstan. Again, not the kind of place the IRS is likely to be sending anything from.)

ETA: [livejournal.com profile] patrickat rightly points out that the IRS does not send official tax correspondence via e-mail, so you don't even have to look at the headers to know that a letter like this isn't legit.
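The header checks the post walks through, as an added worked example (editor's code, not the author's): it parses a constructed message whose From address, Return-Path and originating IP are the values the post reports, while the relay hostnames, timestamps, message id and link path are made up. It also applies the "look closely at the links" advice by flagging any link whose hostname is not actually under irs.gov. One caveat a practitioner would add: a sender can forge Received lines below the ones your own mail server wrote, so the line you can trust for the origin IP is the one added by the first relay you control.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, NOT the author's actual e-mail. From, Return-Path and the
# originating IP are the values the post reports; relay hostnames, dates, the
# message id and the link path are made up for illustration.
SAMPLE_MESSAGE = """\
Return-Path: <scubaedrs530@shatneresque.com>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.com with ESMTP id k7Q3ab; Sat, 3 Oct 2009 21:00:05 -0700
Received: from unknown (HELO mail.irs.gov) ([95.58.33.236])
\tby mx.example.net with SMTP; Sat, 3 Oct 2009 21:00:01 -0700
From: "Internal Revenue Service" <support@mail.irs.gov>
To: accounts@example.com
Subject: Notice of Underreported Income
Content-Type: text/plain

Your tax statement is available at http://www.irs.gov.vdsl.im/notice.php
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s<>\"']+")


def domain_of(header_value):
    """Lower-cased domain part of an address header such as From or Return-Path."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def origin_ip(msg):
    """IP in the 'from' clause of the earliest Received header.

    Relays prepend Received lines, so the last one in the header block is the
    earliest hop. Caveat: a sender can forge Received lines below the ones your
    own MTA added, so only trust the line written by a relay you control.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    from_clause = re.split(r"\s+by\s+", received[-1], maxsplit=1)[0]
    ips = IPV4.findall(from_clause)
    return ips[0] if ips else None


def links_not_under(body, trusted_domain):
    """Hostnames of links in the body that are not trusted_domain or a subdomain of it.

    'www.irs.gov.vdsl.im' starts with 'www.irs.gov', but its registrable domain is
    vdsl.im, which is exactly the trick the post describes.
    """
    bad = []
    for url in URL.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if not (host == trusted_domain or host.endswith("." + trusted_domain)):
            bad.append(host)
    return bad


def triage(raw_message, claimed_domain="irs.gov"):
    """Summarise the checks from the post for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "envelope_mismatch": from_domain != return_path_domain,
        "origin_ip": origin_ip(msg),
        "foreign_links": links_not_under(body, claimed_domain),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key:>20}: {value}")
```

The origin IP is only the starting point: who owns it still has to be looked up (whois, reverse DNS, or a geolocation database), which is how the post gets from 95.58.33.236 to "a broadband network in Kazakhstan".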
maradydd
2009-02-10 08:33 pm

Brainstorm!

Prompted by a discussion with [livejournal.com profile] bunnykitteh, who's good at prompting these kinds of things:

Imagine a Facebook and/or MySpace application aimed at organising flash mobs for political action (e.g., the kind of thing Anonymous might use to quickly notify members of imminent $cientology activity in a particular location). What features should it have? (Twitter gateway?)

(Note that with Facebook, especially, there are all kinds of interesting concerns with respect to privacy...)
maradydd
2008-02-16 12:04 am

More malware sightings

This one's a first for me: an eBay phishing email in Spanish, purporting to be from service@escrow-ebay.es, with accompanying fake Spanish website. (For the love of God, if you click on that link, do not attempt to sign in with actual eBay credentials. You probably shouldn't click on it anyway, though it doesn't appear to attempt to do anything evil other than phishing.)

COSIC has quite a few Spaniards; if I run into any of them before I head back to the States next week, I'll run the email by them and see if there are any amusing grammatical mistakes. (I will laugh my ass off if it turns out they're using, say, Mexican Spanish as opposed to Castilian Spanish.)
maradydd
2008-02-12 02:26 am

Public service announcement

Looks like there's a Great Hatsby variant scraping the feed of recent LJ posts and looking for people with visible AIM screen names, then randomly initiating a connexion between two users (though, unlike Great Hatsby, it doesn't appear that the two users are sent the same initial message).

If you receive an IM from the user devourablesalmon, there is another human being on the other end who is probably rather confused. You may wish to point him/her at this post by [livejournal.com profile] ericjay to explain what's going on.