Zeus Attached To Cancer Email Scam
March 28, 2014 by admin
Filed under Around The Net
Comments Off on Zeus Attached To Cancer Email Scam
Thousands of email users have been hit by a sick cancer email hoax that aims to infect the recipients’ computers with Zeus malware.
The email has already hit thousands of inboxes across the UK, and looks like it was sent by the National Institute for Health and Care Excellence (NICE). It features the subject line “Important blood analysis result”.
However, NICE has warned that it did not send the malicious emails, and is urging users not to open them.
NICE chief executive Sir Andrew Dillon said, “A spam email purporting to come from NICE is being sent to members of the public regarding cancer test results.
“This email is likely to cause distress to recipients since it advises that ‘test results’ indicate they may have cancer. This malicious email is not from NICE and we are currently investigating its origin. We take this matter very seriously and have reported it to the police.”
The hoax message requests that users download an attachment that purportedly contains the results of the faux blood analysis.
Security analysis firm Appriver has since claimed that the scam email is carrying Zeus malware that if installed will attempt to steal users’ credentials and take over their PCs.
Appriver senior security specialist Fred Touchette warned, “If the attachment is unzipped and executed the user may see a quick error window pop up and then disappear on their screen.
“What they won’t see is the downloader then taking control of their PC. It immediately begins checking to see if it is being analysed, by making long sleep calls, and checking to see if it is running virtually or in a debugger.
“Next it begins to steal browser cookies and MS Outlook passwords from the system registry. The malware in turn posts this data to a server at 69.76.179.74 with the command /ppp/ta.php, and punches a hole in the firewall to listen for further commands on UDP ports 7263 and 4400.”
Google Expands Malware Blocker
Google has expanded malware blocking in an early development build of Chrome to sniff out a wider range of threats than the browser already recognizes.
Chrome’s current “Canary” build — the label for very-early versions of the browser, earlier than even Chrome’s Dev channel — will post a warning at the bottom of the window when it detects an attempted download of malicious code.
Features added to the Canary build usually, although not always, eventually make it into the Dev channel — the roughest-edged of the three distributed to users — and from there into the Beta and Stable channels. Google did not spell out a timetable for the expanded malware blocking.
Chrome has included malware blocking for more than two years, since version 12 launched in June 2011, and the functionality was extended in February 2012with Chrome 17.
Chrome is now at version 30.
Canary’s blocking, however, is more aggressive on two fronts: It is more assertive in its alerts and detects more malware forms, including threats that pose as legitimate software and monkey with the browser’s settings.
“Content.exe is malicious, and Chrome has blocked it,” the message in Canary reads. The sole visible option is to click the “Dismiss” button, which makes the warning vanish. The only additional option, and that only after another click, is to “Learn more,” which leads to yet another warning.
In Canary, there is no way for the user to contradict the malware blocking.
That’s different than in the current Stable build of Chrome, which relies on a message that says, “This file is malicious. Are you sure you want to continue?” and gives the user a choice between tossing the downloaded file or saving it anyway.
As it has for some time, Chrome will show such warnings on select file extensions, primarily “.exe,” which in Windows denotes an executable file, and “.msi,” an installation package for Windows applications. Canary’s expansion, said Google, also warns when the user tries to download some less obvious threats, including payloads masquerading as legitimate software — it cited screen savers and video plug-ins in a blog posting — that hijack browser settings to silently change the home page or insert ads into websites to monetize the malware.
Google’s malware blocking is part of its Safe Browsing API (application programming interface) and service, which Chrome, Apple’s Safari and Mozilla’s Firefox all access to warn customers of potentially dangerous websites before they reach them.
In Chrome’s case, the malware warning stems not only from the Safe Browsing “blacklist” of dodgy websites, but according to NSS Labs, a security software testing company, also from the Content Agnostic Malware Protection (CAMP) technology that Google has baked into its implementation of Safe Browsing.