Thanks to F-Secure's mention of some of the targeted attack emails from our collection, there has been increased interest in the content and appearance of the messages. We usually pay more attention to the malware and forget about the message part, which is supposed to look impressive and lure recipients into opening malicious attachments. Today we present the Top Ten particularly well-crafted messages of 2009-2010. They blend in with the rest of the mail filling our mailboxes, and most are designed to look like just another newsletter or publication.
Some of the messages below were posted here earlier in 2010 or 2009. Some are spoofed, while others are sent from free email accounts. PDF attachments are the most common, but MS Office documents get sent often too - especially during the days when a vulnerability is still unpatched.
Update July 10, 2010 - Here are 10 more messages to add to the list of winners.
This recent message from Russia reminded me about the targeted email design contest we had in March 2010, and I decided to add more candidates. Shall we choose one winner at the end of the year?
I would say there is a subtle evolution in the design and sophistication of the attacks compared to the Top Ten winners posted in March 2010 (scroll down to see them).
Virustotal links show the malicious payload as it would have been detected at the time of receipt.
1. Jun 20 CVE-2010-1297 PDF Adobe 0-Day Meeting agenda from alexis.mo88@gmail.com
Virustotal 5/41 Zero Day
2. Apr 10 CVE-2010-0188 PDF Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit
Virustotal 5/39
3. May 5 CVE-2010-0188 PDF 2010-05-06 Asian Pacific Security stuff from samuelberger19@yahoo.com
Virustotal 6/41
4. May 9 CVE-2010-0188 PDF Concept Paper.pdf from global.faruk@gmail.com
Virustotal 6/41
The forwarded conversation (which might be real or fake) together with the malicious attachment is quite convincing.
5. Mar 30 CVE-2009-4324 PDF China and Foreign Military Modernization from americansina@gmail.com
Virustotal 8/42
7. Mar 24 CVE-2010-0188 PDF rumours in N Korea2010march from coljoint@aol.com
Virustotal 4/42
8. Mar 23 CVE-2009-4324 PDF Talking Points on Chinese Currency from eaisecs@nus.edu.sg
Virustotal 7/42
9. Mar 14 CVE-2010-0188 PDF 2010 Trade Policy Agenda from irc@state.gov
Virustotal 14/42
10. Mar 18 CVE-2009-4324 PDF Report on 2010 NPC Mar 18, 2010 8:53 AM
Virustotal 10/42
ORIGINAL TOP TEN LIST (March 2010)
Virustotal links show the malicious payload as it would be detected these days. Most of these samples had a much lower antivirus detection rate at the time of receipt - compare them to the AV detection rate of one of the recent messages (CVE-2010-0188).
1 US-Taiwan Exchange Program Enhancement
Virustotal scan
Virustotal scan
4 Asking for an interview from NBC Journalist
Virustotal scan
Virustotal scan
Such a very good and informative post. Thanks for sharing with us.