Dull-looking email from printer hides sophisticated malware

If a 'document was scanned and sent to you from a HP ScanJet...,' you don't want to know what it says

A particularly effective-looking bit of phishing spam is circulating in the U.S. right now, disguising itself as an errant document sent from a smart, Internet-connected printer used by a business partner or colleague at the same company.

The subject line meets one of the two major criteria for a really effective lie: It is designed to be so routine and uninteresting that few victims will think about it long enough to doubt its authenticity: "Fwd: Scan from a HP ScanJet #XXXXXX"

The numbers at the end vary, as does some of the text in the body, though most are very similar.

A document was scanned and sent to you using a Hewlett-Packard ScanJet OFC993-2P

Sent to you by: A.L.

Pages : 8

Filetype(s): Images (.jpeg) View

Location: LK.5FL.

Clicking on the image takes victims to one of three Russian web sites: dsakhfgkallsjfd[.]ru:8080, doosdkdkjsjdfo[.]ru:8080 or debiudlasduisioa[.]ru:8080.
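As an added example (not code from the article or from any vendor it cites), a small Python triage function that flags a message carrying this lure: it checks the subject-line pattern, the body text and any links to the three hosts the article names or to other .ru hosts on port 8080. The sample message below is constructed for the demonstration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hosts quoted (defanged) in the article; re-armed only so parsed URLs can be compared.
KNOWN_HOSTS = {
    h.replace("[.]", ".")
    for h in ("dsakhfgkallsjfd[.]ru", "doosdkdkjsjdfo[.]ru", "debiudlasduisioa[.]ru")
}
SUBJECT_RE = re.compile(r"^(fwd:\s*)?scan from a hp scanjet #\d+", re.I)
BODY_RE = re.compile(r"document was scanned and sent to you using a hewlett-packard scanjet", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def triage(raw_message: str) -> dict:
    """Return the lure indicators found in one RFC 822 message and a verdict."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = ""
    for part in msg.walk():  # a non-multipart message yields itself
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    hits = []
    if SUBJECT_RE.search(subject):
        hits.append("subject:scanjet_lure")
    if BODY_RE.search(body):
        hits.append("body:scanjet_lure")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in KNOWN_HOSTS:
            hits.append(f"url:known_host:{host}")
        elif host.endswith(".ru") and parsed.port == 8080:
            hits.append(f"url:ru_8080:{host}")
    # Any link hit is enough; lure text alone needs both subject and body to match.
    suspicious = any(h.startswith("url:") for h in hits) or len(hits) >= 2
    return {"subject": subject, "hits": hits, "suspicious": suspicious}


# Constructed sample modelled on the lure described in the article (not a real capture).
SAMPLE = """\
From: scanner@example.com
To: victim@example.com
Subject: Fwd: Scan from a HP ScanJet #123456
Content-Type: text/html; charset=utf-8

<p>A document was scanned and sent to you using a Hewlett-Packard ScanJet OFC993-2P</p>
<p>Sent to you by: A.L.</p>
<p>Pages : 8</p>
<p>Filetype(s): Images (.jpeg) <a href="http://dsakhfgkallsjfd.ru:8080/">View</a></p>
"""
```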

Each is loaded with a Phoenix Exploit Kit (PEK), which has been successful enough to keep itself viable since it first turned up in 2007.

When a victim hits the malware site, a PHP script hits a MySQL database that collects statistics on who the visitors are and where they came from. It then serves pages designed to exploit the specific collection of browsers, anti-virus and operating system the victim uses.

The specific attack uses known vulnerabilities in Flash, PDF and Windows primarily, though also Java and Adobe Reader. It downloads the malware payload along with an additional layer of code that hides what the malware is doing while it unpacks and installs itself, to protect against antivirus.

That's just to get the exploit code in place, however.

The real payload is part of the Bugat/Feodo banking-information-stealing family of malware, which security company FrontOne describes as being similar to the scarily effective ZeuS and SpyEye.

The Feodo Trojan that seems to be the dominant attack module is not part of a commercial malware kit, however, as the others are. It is more likely the property of one gang, FrontOne guesses.

It most commonly exploits the CVE-2011-0611 vulnerability, which gives remote attackers access to the system; the Trojan then searches for financial information on the victim's hard drive, just as the Zeus Trojan does.

There are more details on installation and remediation in this Trusteer report on Carberp, a related malware.

"Feodo" is the third of this family; Carberp was the second and Bugat was the first, according to the blog at FireEye Malware Intelligence Lab.

The resulting malware is "fully capable of man-in-the-browser attacks in which it intercepts incoming HTML pages and adds its own poisoned HTML to ask for more information than the original form did." It might add a new field for your bank account number and PIN, for example.

It also steals the HTML pages in your cache so it has all the graphics and other pieces necessary to spoof the pages you're actually using.

In contrast with the simplistic-looking phishing envelope it comes in, the malware is quite sophisticated and capable of taking any valuable information on a user's hard drive and leaving remote-control and back-doors to enlist a victim's system in a new, large-scale botnet, according to the FireEye report.

None of this is brand new – not the code, not the servers, not the obscured path taken by the email from the .ru servers where it originated to the .au servers that are apparently sending the email to the virtual private servers in Houston that look as if they're the ones that are really sending the spam.

It is packaged neatly in an unassuming envelope that will fail to excite the suspicions of many, and it uses malware, penetration exploits and remote-control methods that have proven very successful in the past.

The lesson here is, no matter how much you believe in technology or routinely receive messages from the Internet of Things, never, never trust email from a printer.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
