Paul Walker’s Death Used to Spread Personalized Trojan Horses

It was only a few months ago that Paul Walker that left us in a fiery car accident. These days it is common for spammers and malware writers to use a celebrity’s death to spread malware. In this case, it started with emails with links to a video of Paul Walker’s car on fire, but instead contained a link to a malicious file.

In the latest slew of emails, the sender makes a plea to the victim to find a Dodge Viper GT that was supposedly racing with Paul Walker’s car. The email asks that anyone with information call a number in the email or open the attached file to view a picture of the Viper GT’s driver. In every sample we have dealt with there is always a promise of reimbursement or compensation for helping capture the Viper GT’s driver.

These attacks are unique because of the regular change of subject lines and body text to bypass spam filters. The attacker tries to personalize the email with the recipient’s name in the body, subject, or attached file name.

Each executable file is made specifically for the email address it is sent to and is compiled just before the email is sent. The sender’s email address is always an aol.com email account that has most likely been hacked or otherwise compromised. Whenever a user is compromised, their address book is harvested to continue the chain of personalized emails.

figure1_16.png
Figure 1.
Email about Paul Walker’s death with malicious attachment from January 30, 2014

figure2_15.png
Figure 2.
Email about Paul Walker’s death with malicious attachment from January 31, 2014

Once the malicious file has been executed an error notification is sent indicating that a  32-bit or 64-bit computer is needed to run the file. It may also indicate that the user does not have sufficient permissions to run the file even though the malware continues to run in the background.  The Trojan will start to perform DNS queries through a list of domains with similar names until the malware gets a DNS query return and then it will connect to that URL to download a file into the following directory:

"%UserProfile%\Application Data\amhldfbyjmg\kskzjmtypb.exe”

Once the file (kskzjmtypb.exe) is downloaded, it runs and connects to p9p-i.geo.vip.bf1.yahoo.com to download qr1aon1tn.exe. When this runs, it drops the following file:

"%UserProfile%\Application Data\amhldfbyjmg\fdxeuzv.exe”

Symantec detects this malware as Trojan Horse.

Symantec advises users to be on their guard and to adhere to the following security best practices:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails
  • Keep security software up-to-date
  • Update antispam signatures regularly

Symantec constantly monitors spam attacks to ensure that users are kept up-to-date with information on the latest threats.

Too Many Hoaxes

At first, I was just plain annoyed. Someone forwarded a hoax email to me twice in the same week. I am often asked about hoax email: “Kevin, you work at Symantec, is this true?” That’s fine; that’s not what annoyed me. What set me off was that both emails had been forwarded to warn me. The forwarder wasn’t even questioning the content of the email. They had accepted clearly bogus warnings about the “world’s worst virus” as fact.
 
Then I started thinking about the Twitter discussion I recently had about education. Some security professionals are turned off by education because they don’t believe it works. The rest feel it’s important, but never done right. (I fall into the latter category.) And, I decided that my previous approach to educating people about these hoaxes was not working. Just giving people a link to a Web page that disputes the hoax is not enough. Rather than give a man a fish, I needed to teach them how to fish.
 
So, I sat down and wrote an email explaining how to spot a virus hoax. It took a little longer than just forwarding a link, but I think it will be more effective. Plus, I can now just cut and paste this email as a response the next time someone forwards a hoax email to me.
 
If you want to give what I’ve done a try, I turned my email into a template that you can use. (See below.) The next time someone forwards a hoax email to you, just cut and paste this into a reply. I’m optimistic that we can educate people—we just need to adjust and adapt when things don’t work.

-----

Dear [fill in friend’s name],
 
As you know, I work at [Company Name] in the group that covers computer security. I see my fair share of viruses. I also see quite a bit of hoax email. The email you forwarded is a hoax.
 
It is true that miscreants are sending email with attachments and making posts to people’s Facebook pages with links that lead to malware. They use high profile events or interesting sounding videos to get you to click on the attachment or link. The goal is always the same, to get you to click and become infected. It is only the come-on that changes.
 
But, the thing is, any warning that comes in via email is almost always a hoax. They are never about real malware. Sometimes they tell you to do things that could actually damage your computer. (Hoaxers have a strange sense of humor.)
 
There are five easy ways to tell if the email you’ve received is a hoax:
 
1.    Snopes verified it.
 
The email you forwarded to me is confirmed by Snopes as a hoax. The hoaxers only tell you Snopes has verified it as true so you will not check for yourself.
 
2.    It’s the worst virus Symantec has ever seen.
 
Even if it truly existed, it would not be the worst virus ever seen. Trust me. Unless it will force cylinders used for uranium enrichment to spin out of control, it is not the worse virus ever seen.
 
3.    It does irreversible harm to your computer.
 
People who write malware are crooks, not vandals. They try to steal your information. They need your machine to stay functioning to do that.
 
4.    A reliable person forwarded the email.
 
Being reliable and being a good judge of hoaxes are two completely different skills.
 
5.   You are to forward the email to everyone you know.
 
Good-hearted people try to warn others of impending disasters. Hoaxers tell people to forward an email to everyone they know. Thanks for being so concerned—it speaks well of you as a person. But, next time, please just delete the email.
 
Regards,
 
[Your name here]