Update: Huge amounts of UPS and Facebook malware attachments

Virus distributors have steadily decreased their usage of email as a means of malware distribution. The more popular methods nowadays include the use of drive-by downloads as well as “voluntary” downloads of “shockwave updaters” and “movie codec files”.

But the last day or so has seen very high levels of emails with attached malware. At one point these accounted for over 30% of all email received. 

Almost all of the malware comes in two flavors:

  • Facebook password reset (about 10% of the emails)
  • UPS package notifications (about 85%)

Subject lines are all variations of “United Parcel Service notification 00290”, and the attached file extracts to an .exe that carries a PDF icon:

Commtouch’s Command Antivirus detects these as variants of W32/Bredolab. The UPS and Facebook lures are certainly not new, but the email headers have been altered in a way we haven’t seen often, possibly to confuse some anti-spam systems. The headers indicate that the zombie addresses (shown in pink) are simply relaying the malicious emails from some higher level (yellow highlight). The higher-level addresses (which look a tiny bit like the IPv6 format) are basically nonsense that cannot be resolved, and the relay names are built from random text.
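A defender-side check for the trick described above, written as an added example for this post rather than code from Commtouch: it ignores the attachment’s name and icon and looks for a Windows PE header inside the zip, and it flags the UPS lure subject. The sample message, the filenames (UPS_document.zip, UPS_document.pdf.exe) and the sender address are constructed for the example.

```python
import email
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# Lure subject seen in the campaign ("United Parcel Service notification 00290")
SUBJECT_RE = re.compile(r"United Parcel Service notification \d+", re.I)

def is_pe(data: bytes) -> bool:
    """True if data carries a Windows PE header (MZ stub plus PE signature),
    regardless of the file's name, extension or embedded icon."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_message(raw: bytes) -> list:
    """Return findings for a raw RFC 822 message: lure subject and/or PE files
    found directly attached or inside a zip attachment."""
    msg = email.message_from_bytes(raw)
    findings = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        findings.append("lure-subject")
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = [(n, zf.read(n)) for n in zf.namelist()]
        else:
            members = [(part.get_filename() or "", payload)]
        for name, data in members:
            if is_pe(data):
                findings.append(f"pe-attachment:{name}")
    return findings

def build_sample() -> bytes:
    """Constructed sample shaped like the campaign: a zip-wrapped PE stub
    named to look like a PDF (the stub is inert, header bytes only)."""
    stub = bytearray(0x100)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)           # e_lfanew -> 0x80
    stub[0x80:0x84] = b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_document.pdf.exe", bytes(stub))
    m = EmailMessage()
    m["Subject"] = "United Parcel Service notification 00290"
    m["From"] = "noreply@example.invalid"             # constructed sender
    m.set_content("Your parcel could not be delivered. See attached.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="UPS_document.zip")
    return m.as_bytes()
```

Feed `scan_message` the raw bytes of a quarantined .eml; a real PDF never matches `is_pe`, so the check is unaffected by the forged icon or a double extension.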

Update: 4th April 2011

An updated graph of last week showing the huge spike from Tuesday to Thursday. The outbreak is continuing today but in smaller numbers. In our experience the next stage will be an increase in spam.