Wednesday, 13 January 2010

Malware attachment not detected by Yahoo scanner

This mail just arrived in my Yahoo account:

UPS Tracking Number 5600012.
Wednesday, 13 January 2010, 17:59:28
From:
UPS Manager Merlin Villarreal
To:

UPS_invoice_NR67974.zip (27KB)

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service of America.

Although it was obvious to me that there must be something wrong with this mail (my address was not in the "To:" field, I don't use my Yahoo address for shipping matters, and I have never been in contact with UPS before), I was surprised that the automatic Yahoo attachment scanner did not raise an alert. So I first entered the mail body into Google and found this article. Wait a minute, this article was written in October 2009, nearly 3 months ago. I clicked some other addresses shown by Google and found that this malware has been in circulation since August 2009, more than enough time for Yahoo to adapt its signatures. Maybe the malware has already been deleted without Yahoo telling me. So I decided to download the attachment onto my Linux box:

c0274669838712565b1ff5f36a5e8886 UPS_invoice_NR67974.zip

Yahoo still did not complain. So let's see what's in the Zip file:

Archive: UPS_invoice_NR67974.zip
End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of UPS_invoice_NR67974.zip or
UPS_invoice_NR67974.zip.zip, and cannot find UPS_invoice_NR67974.zip.ZIP, period.

Ah, this looks much more like I expected. If it's not a Zip, what is it?

UPS_invoice_NR67974.zip: RAR archive data, v1d, os: Win32

Unpacking this file revealed:

2149ae56fffb57b17b55221c8922db96 UPS_invoice_NR67974.exe
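The mismatch shown above (a ".zip" that unzip rejects and file identifies as a RAR, wrapping an .exe) is exactly what a gateway check should key on. The following is an added example, not the blog author's code or any Yahoo tool: it types an attachment by its leading bytes, flags a name/content mismatch, lists executables inside a real zip, and records the MD5. The magic-byte table, the executable suffix list and the two sample blobs are constructed for the example; the sample file names merely echo the post.

```python
import hashlib
import io
import zipfile

# Leading bytes of the container formats involved (constructed lookup table).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"PK\x05\x06": "zip",             # empty zip archive
    b"Rar!\x1a\x07\x00": "rar",       # RAR 1.5 to 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",   # RAR 5
    b"MZ": "exe",                     # DOS/Windows executable
}
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def sniff(data: bytes) -> str:
    """Identify the container by its leading bytes, never by its file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def inspect_attachment(filename: str, data: bytes) -> dict:
    """Findings a mail gateway would record for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    findings = []
    if kind != ext:
        findings.append(f"extension '.{ext}' does not match content type '{kind}'")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(EXEC_SUFFIXES):
                    findings.append(f"archive contains executable '{member}'")
    elif kind == "rar":
        findings.append("RAR container, unpack with a RAR-aware tool before delivery")
    elif kind == "exe":
        findings.append("bare Windows executable")
    return {"md5": hashlib.md5(data).hexdigest(), "type": kind, "findings": findings}

def build_samples() -> dict:
    """Constructed stand-ins: a RAR renamed to .zip, and a real zip holding an .exe."""
    rar_named_zip = b"Rar!\x1a\x07\x00" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice_NR67974.exe", b"MZ" + b"\x00" * 32)
    return {"UPS_invoice_NR67974.zip": rar_named_zip, "DHL_Label_Nr34791.zip": buf.getvalue()}

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, inspect_attachment(name, blob))
```

Either finding alone (container not matching its extension, or an executable inside an archive mailed to a recipient who is not even in the To: field) is enough to quarantine the message without any signature match.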

An online malware check with VirusTotal returned this result. What strikes me most is that only 20% of the scanners used by this site were able to detect the malware.

Today's lesson: Don't trust your antivirus software too much. The best antivirus program is worth nothing if you don't use your brain. Keep your eyes open even if your system says that there's no need.

Update: Yahoo's scanner still does not recognize attached malware. I just received this message:

UPS Tracking Number 2527010.

Tuesday, 19 January 2010, 16:31:07
From:
UPS Manager Wilson Akins
To:

UPS_invoice _Nr78155.zip (43KB)

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service.

Again, Yahoo's scanner did not complain. This time an attachment with this MD5 sum slipped through:

f44d4410401a43380077a0bf769fa49c UPS_invoice _Nr78155.zip


VirusTotal thinks differently about this, although only 6 out of 41 scanners raised an alert. Kaspersky detected Packed.Win32.Krap.w.

I wouldn't make such a fuss about it, if it weren't that obvious that these files are infected. I would expect every common scanner to find the malicious content.

Second update:

MD5 sum:

dc4a1e661cab4b9b062d78b5c4efd989 DHL_Label _Nr34791.zip

contains:

28d798d6021e600101ba68ea87345656 DHL_Label _Nr34791.exe

The zip file has been uploaded to different online malware scanners and returned these results:

Yahoo has been informed and shows no reaction. Come on guys, is it really that difficult? I know it's a free service, but does this mean they have to be exposed to malware? Think about it: you're not only putting your non-paying customers in danger, but all the people they have contact with. Is that what you want?

Third update:

MD5 sum:

0369b2f18a421c9b7a6939ebca4ce575 UPS_invoice_NR45675.zip

Yahoo scores 0:4. Hopefully the paying customers get a better service.

Fourth update:

MD5 sum:

e0c80f8b6b859b4aa19937384931a91b UPS_invoice_Nr19373.zip

  • Kaspersky is currently working on their scanner page, so this service is not available right now.
  • Dr Web runs into a timeout.
  • Did anyone ever succeed in sending a file to Jotti? I have kept trying for weeks, but I always get stuck after pressing the "send" button.

Anyhow, the case is clear: Yahoo has a security hole, knows about it and couldn't care less.

I don't know what song Yahoo's security guys like best, but it's not "She works hard for her money".
