We recently noticed an increase in spammed messages that use airline information as bait. These messages are made to look like notifications from airlines such as Delta Airlines, British Airways, US Airways, and American Airlines. Each message comes with an attachment, often presented as an e-ticket, that recipients are supposed to open. This attachment is actually a BKDR_KULUOZ variant.

Figure 1. Screenshot of sample spam

KULUOZ variants are known to download and execute other malware, such as SIREFEF/ZACCESS and FAKEAV variants. KULUOZ variants are also evolving: we have even seen one variant, detected as BKDR_KULUOZ.MN, that collects system information, including which antivirus product is installed on the affected computer. This is a routine previously unheard of from this malware family.

While we have seen KULUOZ spam in the past, there has been no significant change in numbers in the past several months. KULUOZ spam now represents nearly half of all malicious spam attachments.

Figure 2. Breakdown of spam attachments over a one-week period

Based on our investigation, this batch of BKDR_KULUOZ is distributed by the Cutwail/Pushdo botnet. Previously, we noted that the same botnet was responsible for sending out Blackhole Exploit Kit (BHEK)-like spam that served UPATRE variants.

Previous instances of KULUOZ spam used both shipping and airline notifications as bait. The exclusive use of airline tickets in this new campaign could be a deliberate move, since people frequently travel over the holidays. Victims may be more inclined to open attachments if they are actually expecting airline tickets.

Users should remain extremely careful when opening messages. Since most of these messages are crafted to look as legitimate as possible, it is best to double-check with the sender to confirm whether an email is genuine. Trend Micro Smart Protection Network blocks all related threats in this attack.
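The lure pattern described above (a message styled as an airline notification whose "e-ticket" attachment is really an executable) can be triaged automatically at the mail gateway or in a mailbox export. The following is an added example written for this post and is not Trend Micro's code or a detection used by any product. The airline keywords are the four carriers named above; the legitimate sender domains, the executable extension list and the three sample messages are constructed assumptions for the demonstration.

```python
"""Triage mail for the airline-notification lure carrying an executable attachment.

Added example (not Trend Micro's code). Flags a message when either
  * the From display name or Subject claims to be one of the impersonated
    airlines but the sender domain is not an airline domain, or
  * an attachment carries an executable extension (including double
    extensions such as E-Ticket.pdf.exe).
All lists and sample messages below are constructed for the demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Airlines named in the campaign (matched case-insensitively).
AIRLINE_KEYWORDS = ("delta", "british airways", "us airways", "american airlines")

# Assumed legitimate sender domains for those airlines.
LEGIT_DOMAINS = ("delta.com", "britishairways.com", "usairways.com", "aa.com")

# Assumed list of extensions that should never arrive as an "e-ticket".
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def suspicious_attachments(msg):
    """Return attachment file names that end in an executable extension."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # endswith() on the lower-cased name also catches ticket.pdf.exe
        if name.lower().endswith(EXECUTABLE_EXTS):
            found.append(name)
    return found


def triage(raw):
    """Parse one RFC 5322 message and return a verdict dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_header = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    claims_airline = any(k in (from_header + " " + subject).lower()
                         for k in AIRLINE_KEYWORDS)
    m = re.search(r"@([\w.-]+)", from_header)
    domain = m.group(1).lower() if m else ""
    domain_ok = any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)

    reasons = []
    if claims_airline and not domain_ok:
        reasons.append(f"airline lure sent from non-airline domain {domain!r}")
    bad = suspicious_attachments(msg)
    if bad:
        reasons.append("executable attachment: " + ", ".join(bad))
    return {"subject": subject, "flag": bool(reasons), "reasons": reasons}


def triage_all(raws):
    return [triage(r) for r in raws]


def build_sample(from_addr, subject, body, attachment_name=None):
    """Build a constructed sample message; the attachment payload is inert filler."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "traveler@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"constructed filler, not a real binary",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_string()


# Constructed samples: one lure, one genuine-looking airline mail, one unrelated mail.
SAMPLES = [
    build_sample('"Delta Airlines" <noreply@delta-tickets-example.net>',
                 "Your e-ticket for order 1234", "Please open the attached ticket.",
                 "E-Ticket_1234.pdf.exe"),
    build_sample('"American Airlines" <notify@aa.com>',
                 "Itinerary confirmation", "Your itinerary is attached.",
                 "itinerary.pdf"),
    build_sample('"Bob" <bob@example.org>',
                 "Lunch on Friday?", "Same place as last time?"),
]

if __name__ == "__main__":
    for verdict in triage_all(SAMPLES):
        print(verdict)
```

Running the block prints one verdict per sample; only the first (airline display name, unrelated sending domain, double-extension attachment) is flagged, with both reasons listed. Archive attachments are not unpacked here, so a production rule would also need to inspect the contents of ZIP files.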

With additional insights from Merianne Polintan, Jerwin Solidum, Maydelene Salvador, and Mark Manahan.
