Pages

Saturday, July 10, 2010

Update. Design contest: Top Ten targeted attack emails of 2009-2010. (Now Top Twenty)

Thanks to F-Secure mention of some of the targeted attack emails from our collection, there was an increased interest to the content and appearance of the messages. We usually pay more attention to  malware and forget about the message part, which is supposed to look impressive and lure recipients into opening malicious attachments. Today we present the Top Ten particularly well crafted messages of 2009-2010. They blend in with the rest of the mail filling our mailboxes and most are designed to look like another newsletter or publication. Some of the messages below were posted here earlier in 2010 or 2009. Some are spoofed while others are from free email accounts. PDF attachments are most common but MS Office documents get sent often too - especially during the days of unpatched vulnerabilities.

Update July 10, 2010 - Here are 10 more messages to add to the list of winners

This recent message from Russia reminded me about this targeted emails design contest we had in March 2010  and I decided to add more candidates. Shall we choose one winner in the end of the year?
I would say there is a subtle evolution in the design and sophistication of the attacks - comparing to the Top Ten winners posted in March 2010(scroll down to see)

Virustotal links show the malicious payload as it would be detected at the time of the receipt

 1. Jun 20 CVE-2010-1297 PDF Adobe 0-Day Meeting agenda from alexis.mo88@gmail.com

Virustotal 5/41  Zero Day

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihjtfHgJ0GEkN4_c9uANche2jVXQTdbd0rasoEESDVLyyCRtbCe8G3t4_OwKOGnGEHl0VUmFqvtgZCdMPlOlqCOk82yTu7fyXvvvdWn-OATxCzyAUeLV7r21vQOcvvX_mKPpZiKj9PlRc/s1600/msg.jpg

2. Apr 10 CVE-2010-0188 PDF Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit

Virustotal 5/39


3 May 5 CVE-2010-0188 PDF 2010-05-06 Asian Pacific Security stuff from samuelberger19@yahoo.com

Virustotal 6/41

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkDill_-UjkWCYTFCaKLfYcVojLQ5V0O0JkMKuYgygr7czvVEorKow_MVN0SLA7rTGgF-UW7LNHLUAgsTmuQjKQc-G_i6Dpy26Us_i59DObOI1nCEsMMVQeL2fDW0hnLGiLmtn65id5JI/s1600/msg2+-+Copy.jpg
4. May 9 CVE-2010-0188 PDF Concept Paper.pdf from global.faruk@gmail.com

Virustotal 6/41 
 The forwarded conversation (it might be real or fake) together with a malicious attachment are quite convincing.


https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0C8ifcmcNOFHhgaBP8mpUSSqf6QgZk9MovQYxDdtkfIx_vDrI0tkw42bzKJTJWuwA2m7EszX7_Yxfqkw-Jvjwu7x3GmAYSHhw8TeWCVnW4TCLAJw8078690KxYqoZwBk93dWmcUnyG84/s1600/msg.jpg

5. Mar 30 CVE-2009-4324 PDF China and Foreign Military Modernization from americansina@gmail.com

Virustotal 8/42

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-M9AZKUjBbpW2OZigBe3vbAcv4LaCXH6g1cw9y8aKhvLTIYzl4RGntSlWb1jfHJps3ip0mKJllxQPY_V4g6z3_ZpPgW1Ez5GOo3vOEe9Fm3ydtg7B7kSM4NVQDN7GdLLg5uZpaNQjE6w/s1600/msgch.JPG




Virustotal 14/41

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhskCbHO-IBW2BeUAtaFUS2GS8Pcf1-KkRf1eAhTXi3qVIM9VTC4cz7p5stX0N6T9qdFCdERGmKtiqczSHHnjZ5EnS2eIchIVYOYUaKg8oi439C67QCCFUH77kox4JwNatN5aKQbtU1OVg/s1600/msg.jpg


7. Mar 24 CVE-2010-0188 PDF rumours in N Korea2010march from coljoint@aol.com 

Virustotal 4/42

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgju713aKIsYcYA0tOyykWxGGAUz9Sx3aJZRxWnKQQO0e_Ob2Nj5RFk2EsakIYJJruhknITy1CPIBtGFHSqp3XoFf0OlWzWcltFP9c-FwpWqFCtWCWmsP5MluMGp7M6x-mApiDF6G5MTX0/s1600/msg.JPG


8. Mar 23 CVE-2009-4324 PDF Talking Points on Chinese Currency from eaisecs@nus.edu.sg

Virustotal 7/42

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwzE9QgWobaWVdoekJ5Iz5e4zbpiQreIpMAlv3KFJhZ-uvRLxj9IWwXRbxHCHUPlHLyd1a7ZKFRIk_h0VNb3N9-tvDrhY3YFZp89wB6aYlMxpYzgaHhyphenhyphenEbewIGnG_t19XdW2bYmpganjE/s1600/msg.JPG

9. Mar 14 CVE-2010-0188 PDF 2010 Trade Policy Agenda from irc@state.gov

Virustotal 14/42

[tradepolic.jpg]

10.  Mar 18 CVE-2009-4324 PDF Report on 2010 NPC Mar 18, 2010 8:53 AM
Virustotal 10/42 

[msg1.jpg]


ORIGINAL TOP TEN LIST (March 2010)

Virustotal links show the malicious payload as it would be detected these days. Most of them had much lower antivirus detection rate at the time of the receipt  - compare it to the AV detection rate of one of the recent messages (CVE-2010-0188).


Click on the pictures to enlarge
1 US-Taiwan Exchange Program Enhancement
Virustotal scan


2 2009 DoD ATC Procedures
Virustotal scan



3 Wolf Letter to Secretary Clinton Regarding China Human Right
Virustotal scan
 
4 Asking for an interview from NBC Journalist
Virustotal scan 





5 Peer Review - Assessing Chinese Military Transparency
Virustotal scan
6 Terrorism in Asia
Virustotal scan 
7 Top risks of 2010
Virustotal scan


8 RSIS Commentary 54/2009 Ending the LTTE
Virustotal scan 

9 The Chinese Navy's Budding Overseas Presence

10 Road Map for Asian-Pacific Security
Virustotal scan


 

1 comment:

  1. Such a very good and informative post. thanks for sharing with us....

    ReplyDelete