So an email made its way through all the spam filtering:
From: USPS Service <email@example.com>
Reply-To: USPS Service <firstname.lastname@example.org>
Subject: Failure to deliver
Your parcel can’t be delivered by courier service.
Status:The size of parcel is exceeded.
LOCATION OF YOUR ITEM:Riverside
STATUS OF YOUR ITEM: not delivered
SERVICE: One-day Shipping
Label is enclosed to the letter.
Print a label and show it at your post office.
Information in brief:
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $12.70 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for your attention.
It had, of course, an attachment:
Zip archive attachment (Label_Parcel_USPS_ID.45-123-14.zip)
Not having sent a package using “one-day shipping” (which the USPS would call Express Mail), this seemed odd, as did the somewhat stilted phrasing.
We all know how this is going to work out, but let’s do the exercise anyway.
Save the ZIP attachment in /tmp, then …
Apply ClamAV: run freshclam to update the virus signatures and fire clamscan at the ZIP file:
/tmp/Label_Parcel_USPS_ID.45-123-14.zip: OK ----------- SCAN SUMMARY ----------- Known viruses: 1201128 Engine version: 0.97.3 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.04 MB Data read: 0.02 MB (ratio 2.00:1) Time: 7.549 sec (0 m 7 s)
Huh. Well, then, it must be safe, right? (The alert reader will note that my version of clamav is one click back from the latest & greatest. Maybe that would make a difference. Probably not.)
Let’s see what VirusTotal has to say:
SHA256: febe98371e5b327118f5a703215f6f55ab47760764c68b0b9a64d1e5bdb28e25 File name: Label_Parcel_USPS_ID.45-123-14.zip Detection ratio: 3 / 42 Analysis date: 2012-04-20 11:40:44 UTC ( 0 minutes ago )More details
Antivirus Result Update AhnLab-V3 - 20120420 AntiVir - 20120420 Antiy-AVL - 20120420 Avast - 20120420 AVG - 20120420 BitDefender - 20120420 ByteHero - 20120417 CAT-QuickHeal - 20120420 ClamAV - 20120419 Commtouch W32/Trojan2.NQWF 20120420 Comodo - 20120420 DrWeb - 20120420 Emsisoft - 20120420 eSafe - 20120419 eTrust-Vet - 20120420 F-Prot - 20120420 F-Secure - 20120420 Fortinet - 20120420 GData - 20120420 Ikarus - 20120420 Jiangmin - 20120420 K7AntiVirus - 20120418 Kaspersky - 20120420 McAfee - 20120420 McAfee-GW-Edition - 20120420 Microsoft TrojanDownloader:Win32/Kuluoz.A 20120420 NOD32 a variant of Win32/Kryptik.AEKY 20120420 Norman - 20120420 nProtect - 20120420 Panda - 20120420 PCTools - 20120420 Rising - 20120420 Sophos - 20120420 SUPERAntiSpyware - 20120402 Symantec - 20120420 TheHacker - 20120420 TrendMicro - 20120420 TrendMicro-HouseCall - 20120420 VBA32 - 20120419 VIPRE - 20120420 ViRobot - 20120420 VirusBuster - 20120420
Obviously, this blob of slime arrived still warm from the oven: even though the Big Name AV checkers have up-to-date signatures, they detect nothing wrong and would happily let me run a Trojan installer. That’s what malware protection buys you these days.
To a good first approximation, whatever virus scanner you’re using won’t save your bacon, either; the advice to keep the signatures up-to-date is necessary, but not sufficient. Of course, you know enough to not autorun random files on your Windows box, but this attack works often enough to justify sending messages to everybody in the world. Repeatedly.
I recently had a discussion with someone who wanted a system secured against email and web malware. She also insisted that it had to run Windows and share files with other Windows machines. I declined to bid on the job…