So these are showing detection rates of 25 to 30 (out of 54). They've
been in circulation anywhere from 42 to 17 hours prior to submission to
VT:
https://www.virustotal.com/en/file/2ff399253c8d4a5af2d3f0ca3129ff9d2928ae1492eedc2898d74e371370cf68/analysis/1415281082/
https://www.virustotal.com/en/file/783633059ec8460836213723e723d334928cd8c6b288c9dca2a99edd883f3e1f/analysis/1415281089/
https://www.virustotal.com/en/file/b76d73da310e08271d76ce1e8cf1ed0b66856a234caa4fbea2fb6d7197786f0d/analysis/1415281094/
https://www.virustotal.com/en/file/90ce65ada5b65554edb2a998118df4bff9d750de5604a712a91c0ce1e3f31fad/analysis/1415281101/
https://www.virustotal.com/en/file/0a067aee4ca3b3568a991ed7d71102dd6abc09c9e31256b2eec7606f1faa5c84/analysis/1415281106/
The following 23 AV/AM products detected all 5 samples:
Ad-Aware, AhnLab-V3, Avast, AVG, Avira, AVware, BitDefender, DrWeb,
Emsisoft, ESET-NOD32, Fortinet, F-Prot, F-Secure, GData, McAfee,
nProtect, Rising, Sophos, SUPERAntiSpyware, Symantec, Tencent,
TrendMicro-HouseCall, VIPRE
The companies responsible for the following 8 products are clearly
*trying* to develop or endow these products with the ability to detect
these droppers, but are not doing so with the same efficiency or
technical competency as the above 23 companies:
Cyren, Microsoft, McAfee-GW-Edition, NANO-Antivirus, Norman, TrendMicro,
Kaspersky, Antiy-AVL
The above 8 products detected only 3 of these samples as malware, except
for Kaspersky (detected only 2) and Antiy-AVL (only 1).
The difference in detection capability between the TrendMicro-HouseCall
and TrendMicro products continues to be unexplained.
6 of these products gave the same identifier (BGKM) for these samples,
indicating they share a common scan engine or database. These samples
were also identified as Kuluoz (3 times), Zortob (twice), Wonton (once)
and only once as Aspxor (which I understand these really should be
called).
The following 15 products did not detect any of these 5 samples as
malware:
AegisLab, Agnitum, Baidu-International, Bkav, ByteHero, CAT-QuickHeal,
ClamAV, CMC, Comodo, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kingsoft,
Malwarebytes
You can receive your court orders here:
http://www.filedropper.com/notice-to-appear
What is strange about this long-running malware distribution campaign is
that:
1) presumably it is easy to block, given the very simple and
   repeating contents of the message body, and the diagnostic
   X-Mailer: XimianEvolution1.4.6 header line.
2) my server is blocking upwards of 60% of the entire routable IPv4
   address space. The amount of spam I get from botnets and
   "rentable" IPs (what I will call Black IPs) has been almost nil for
   the past 2 months - so these Ximian Evolution spams are making
   up a significant portion of the spam that I'm receiving from
   these "Black" IPs. These IPs are usually associated with
   other types of spam (notably drugs, expensive watches, purses,
   etc. and info phishing). So it seems to me that these more
   "valuable" Black IPs (valuable because they probably have little
   or no previous history of sending spam) are being put to use to
   distribute the Aspxor dropper as opposed to sending the far more
   mundane sorts of spam that have direct commercial or financial
   motives.
So I have to ask: why would the Ximian Evolution spammer, who is being
tasked to employ his botnet to distribute these Aspxor droppers, using
perhaps his most valuable bots (from an IP point of view), not be
more creative in terms of spam header and body construction?
These spams are trivial to block at the header and body level.
I have to wonder who the spammer thinks is receiving these spams...?
Spam headers:
==================
Return-Path:
Received: from institutionalinvestorlawyers.com ([206.205.91.75])
          Wed, 5 Nov 2014 02:45:58 -0500
From: "Notice to Appear"
Subject: Urgent court notice
X-Mailer: XimianEvolution1.4.6

Return-Path:
Received: from minnesota-injurylawyers.com ([216.195.253.26])
          Wed, 5 Nov 2014 15:36:03 -0500
From: "Notice to Appear"

 * Origin: News Gate @ Net396 - Huntsville, AL - USA (1:396/4)
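The post argues that this run is trivial to block at the header level because of the repeating From/Subject pair and the X-Mailer: XimianEvolution1.4.6 line. As an added example that is not part of the original post, the Python below applies exactly those three header indicators to raw RFC 5322 messages. The sample messages are constructed for the example: the Received lines reuse the hostnames and IPs quoted in the post, while the address <notice@example.com>, the recipient and the bodies are placeholders, since the post does not reproduce the real ones.

```python
"""Header-only filter for the "Notice to Appear" / Ximian Evolution spam run.

Example code written for this page, not the poster's own filter.
"""
import email
from typing import List, Tuple

# Indicators taken from the headers quoted in the post. Values are compared
# after lowercasing and whitespace normalisation so trivial spacing or case
# variations ("Ximian Evolution 1.4.6") still match.
XMAILER_INDICATOR = "ximianevolution1.4.6"
FROM_INDICATOR = "notice to appear"
SUBJECT_INDICATOR = "urgent court notice"


def _squash(value: str) -> str:
    """Collapse folding whitespace to single spaces and lowercase."""
    return " ".join(value.split()).lower()


def classify(raw_message: str) -> Tuple[bool, List[str]]:
    """Return (block, matched_indicators) for one raw message.

    The X-Mailer value alone is treated as decisive, as the post does; the
    From display name and Subject together also block, so a variant that
    drops the X-Mailer header is still caught.
    """
    msg = email.message_from_string(raw_message)
    hits: List[str] = []
    if _squash(msg.get("X-Mailer", "")).replace(" ", "") == XMAILER_INDICATOR:
        hits.append("x-mailer")
    if FROM_INDICATOR in _squash(msg.get("From", "")):
        hits.append("from")
    if _squash(msg.get("Subject", "")) == SUBJECT_INDICATOR:
        hits.append("subject")
    block = "x-mailer" in hits or {"from", "subject"} <= set(hits)
    return block, hits


def sieve(messages: List[str]) -> Tuple[List[int], List[int]]:
    """Split a batch into (blocked_indices, delivered_indices)."""
    blocked, delivered = [], []
    for i, raw in enumerate(messages):
        (blocked if classify(raw)[0] else delivered).append(i)
    return blocked, delivered


# Constructed sample: headers modelled on the first message quoted in the post.
SPAM_SAMPLE = """Received: from institutionalinvestorlawyers.com ([206.205.91.75])
    Wed, 5 Nov 2014 02:45:58 -0500
From: "Notice to Appear" <notice@example.com>
To: recipient@example.net
Subject: Urgent court notice
X-Mailer: XimianEvolution1.4.6

(constructed placeholder body)
"""

# Constructed sample: same From/Subject, X-Mailer header removed.
NO_XMAILER_SAMPLE = """Received: from minnesota-injurylawyers.com ([216.195.253.26])
    Wed, 5 Nov 2014 15:36:03 -0500
From: "Notice to Appear" <notice@example.com>
To: recipient@example.net
Subject: Urgent court notice

(constructed placeholder body)
"""

# Constructed sample: legitimate-looking mail that must pass.
HAM_SAMPLE = """From: "Alice Example" <alice@example.org>
To: recipient@example.net
Subject: Re: meeting notes

(constructed placeholder body)
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("no-xmailer", NO_XMAILER_SAMPLE), ("ham", HAM_SAMPLE)):
        print(name, classify(raw))
    print("sieve:", sieve([SPAM_SAMPLE, HAM_SAMPLE, NO_XMAILER_SAMPLE]))
```

Wire classify() into whatever hook your MTA or milter exposes for header inspection; because it never looks at the body, it is cheap enough to run before any content scanning.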