It most commonly exploits the CVE-2011-0611 vulnerability, which gives remote users access to the system, and searches for financial information on the victim's hard drive, just as the Zeus Trojan does.
There are more details on installation and remediation in this Trusteer report on Carberp, a related malware.
"Feodo" is the third of this family; Carberp was the second and Bugat was the first, according to the blog at FireEye Malware Intelligence Lab.
The resulting malware is "fully capable of man in the browser attacks in which it intercepts incoming HTML pages and adds its own poisoned HTML to ask for more information than the original form did. It might add a new field for your bank account number and PIN, for example.
It also steals the HTML pages in your cache so it has all the graphics and other pieces necessary to spoof the pages you're actually using.
In contrast with the simplistic-looking phishing envelope it comes in, the malware is quite sophisticated and capable of taking any valuable information on a user's hard drive and leaving remote-control and back-doors to enlist a victim's system in a new, large-scale botnet, according to the FireEye report.
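The form injection described above can be detected by comparing the fields of a page as the server sent it with the fields of the page as the browser rendered it. The following is an added example, not code from the original article or the FireEye report; the HTML samples and field names are constructed, and it assumes the rendered HTML has already been captured by some other means.

```python
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect (name, type) for every input-like element in a page."""

    FIELD_TAGS = {"input", "select", "textarea"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag not in self.FIELD_TAGS:
            return
        a = dict(attrs)
        # Fall back to id when name is missing; valueless attributes are None.
        name = (a.get("name") or a.get("id") or "").lower()
        ftype = (a.get("type") or ("text" if tag == "input" else tag)).lower()
        self.fields.add((name, ftype))


def form_fields(html):
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields


def injected_fields(served_html, rendered_html):
    """Fields present in the rendered page but absent from the served page."""
    return sorted(form_fields(rendered_html) - form_fields(served_html))


# Constructed samples: the login form as served, and the same form after
# a man-in-the-browser inject has added two extra fields.
SERVED = """<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="go" value="Sign in"></form>"""

RENDERED = SERVED.replace(
    '<input type="submit"',
    '<input type="text" name="account_number">'
    '<input type="password" name="PIN"><input type="submit"',
)

if __name__ == "__main__":
    for name, ftype in injected_fields(SERVED, RENDERED):
        print(f"unexpected field: name={name!r} type={ftype!r}")
```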
None of this is brand new – not the code, not the servers, not the obscured path taken by the email from the .ru servers where it originated to the .au servers that are apparently sending the email to the virtual private servers in Houston that look as if they're the ones that are really sending the spam.
It is packaged neatly in an unassuming envelope that will fail to excite the suspicions of many, and it uses malware, penetration exploits and remote-control methods that have proven very successful in the past.
The lesson here is, no matter how much you believe in technology or routinely receive messages from the Internet of Things, never, never trust email from a printer.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.