Rick's World

Time for some more malware that uses scare tactics. Here's something I got in my email recently...

Return-Path: <yjm@bossa-hashi.com>
X-Original-To: rick@ekle.us
Received: from 209-16-113-5.net.bhntampa.com (209-16-113-5.net.bhntampa.com [209.16.113.5])
	for <rick@ekle.us>; Fri,  3 Oct 2008 14:33:31 -0700 (PDT)
From: "Jeffrey Mclean" <yjm@bossa-hashi.com>
To: <rick@ekle.us>
Subject: New Law

I haven't seen you for weeks

New clauses have been added to the legislation regulating your online activities; some of the
operations are now considered illegal. The new law has come into force as of 25.09.2008; the
penalties have been toughened.

Please read the new document and be more accurate further on.

Remember me to your wife

Attachment: Legislation.zip

Let's look at why this is a scam.

25.09.2008

This is clearly supposed to be the date of September (9) 25, 2008. However, this date lists the day of the month before the month. This is not the traditional American style of writing dates. In America this date would likely be written as 9/25/2008. Note how the month is listed first. This implies that this was written by someone who is used to a non-American date style. Since I live in America, that makes this email suspect.

From IP Address: 209.16.113.5

If you do a reverse DNS lookup on this IP address, it returns '09-16-113-5.net.bhntampa.com'. This name appears to be Bright House Networks out of Tampa Florida. This does not appear to be anyone who has any reason to be emailing about my 'illegal online activities'. This makes me suspicious. I looked at what services Bright House Networks provides and these include 'Digital Cable' and 'Digital Phone'. This leads me to believe that this is a cable modem provider in Tampa, Florida. It looks like we have another zombie computer running in some cable modem customer's home.

Note that I got a second one of these emails from IP address 208.119.131.129. This IP address resolves to an IP owned by the Indiana State Library. This appears to be another zombie computer running in a public library in Indiana. Anyone else noticing a pattern here? These malware emails are sent by zombie computers that have already been taken over by other malware programs. These programs are designed to spread themselves in ways that are difficult to stop.

Binary Attachments

Once again, we have a binary attachment. If you extact the contents of that 'Legislation.zip' file, you find the file 'Legislation-25.doc.exe'. An EXE is an executable. It's a program that runs on your computer and does something. This is clearly not some legislation. If it was, it would be a text file (TXT, DOC, RTF, PDF, etc). And what does this EXE program do? It installs the malware on your computer! This is the 'payload' of the attack. Also, notice how the attached file has two extensions: '.doc.exe'. This is another big red flag. Windows is normally set to hide the file extension of any file displayed in Windows Explorer. This means that it would hide the '.exe' part of the filename, giving you 'Legislation-25.doc'. This makes it look like it IS a text file. This double filename extension trick is very common among spam and malware. I haven't scanned this file, but I suspect it's some form of virus/malware.

Strange statements

'Remember me to your wife'. Um, what? This doesn't mean anything. it's not even proper English. This is another red flag that this is coming from someone who doesn't have a good grasp of the English language. Note that I've gotten several of these emails from different people and this line line is different on them. The other email I got like this had the final line of 'See you around', which is a bit more believable.

So there you have it. Another malware disassembled. Always be suspicious of emails like this.