by David Michmerhuizen & Luis Chapetti – Security Researchers
Version 8 of Microsoft Windows is under active development and is tentatively scheduled to be released sometime in 2012. Screen shots have already leaked to the internet, and some opportunistic spammers are already using the promise of a Windows 8 download to lure unsuspecting users into swallowing a malware payload.
The spam itself is short and simple. Spammers often make tell-tale spelling and grammar goofs, so keeping the text short is a good way to reduce mistakes.
Even though it’s only two sentences, they’ve still managed to introduce a stray question mark in the name. If that doesn’t make you suspicious, a quick check of the link destination should
The double extension of .gif.exe is used to make the file appear to be a .gif file on Windows systems that are not configured to display program extensions.
Even if the type of file is partly obscured by the filename there shouldn’t be any confusion once you click on the link. Windows asks you if you are sure you want to run this software.
Of course, you don’t typically run a program in order to “get more details” about some topic. At this point what you want to do is to press “Don’t Run” and back away.
But let’s suppose your defenses were down and your overwhelming curiosity about Windows 8 had you pushing that “Run” button. Here’s what happens
The program opens up a spiffy Windows graphic. That’s it. Those are your details.
Except not quite. The program is a variant of Trojan.Zapchast. After it opens the graphic it gets to work installing an Internet Relay Chat client – mIRC, along with special scripts that turn the client into a backdoor.
This Zapchast isn’t all that sneaky though. If you look at the screen shot above you’ll see a blank spot in the notification bar, just to the left of the speaker icon. Hovering over it ever reveals an “mIRC Daemon Tools” tooltip. You can actually open it and watch the bot-herder at work.
This IRC controlled backdoor is set to start whenever the computer is started. It monitors the channel (in this case, #drones) for messages that it interprets as commands and then carries them out. Once infected, the host computer can be directed to download and run other malware, search for personal information, send spam – in short, your computer belongs to the bot-herder.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.