Well folks: It’s getting tricky. When I wrote about CTB-Locker, I joked around that everyone warned their users about suspicious attachments anyway. Now attackers use a new method to get around virus scanners and get their victims to open their infected files. The initial notice came from Heise with a German mail – and the note “Ach übrigens Das Passwort: 9825” (which means “the password is 9825 by the way”) was even written in German. Heise further explains that this is a good tactic, as it seems plausible that the sender forgot an attachment when sending the last mail.
To sum up why this is a fairly new attack and how it could trick your scanners and users:
- It’s using a previous “real” message which was sent to the victim before
- It adds a password-protected .zip file
- The password is given to the user with a comment in the language of the original message
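The three points above are exactly what a mail gateway can look for without ever opening the archive: an attachment whose zip entries carry the “encrypted” flag, a password handed over in the body text, and a reply into an existing thread. The following is an added example (not from Heise or the original post) that builds a constructed sample mail of this shape and scores it; the sender addresses, subject and file names are made up.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Body text that hands the recipient the archive password (German and English forms).
PASSWORD_RE = re.compile(r"\b(?:passwor[dt]|kennwort)\b\s*[:=]?\s*(\S+)", re.I)

def constructed_encrypted_zip() -> bytes:
    """Constructed sample: a stored zip whose 'encrypted' flag bit is set by hand
    (zipfile cannot write encrypted entries; the flag alone is what we inspect)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Rechnung.exe", b"placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(sig) + off] |= 0x01  # general-purpose bit 0 = encrypted
    return bytes(data)

def constructed_mail(with_password_hint: bool) -> bytes:
    """Constructed sample mail shaped like the Heise report: a reply into an
    existing thread, a passworded zip, and (optionally) the password in the body."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "kollege@example.org", "ich@example.org", "Re: Angebot"
    msg["In-Reply-To"] = "<thread@example.org>"  # hijacked real conversation
    msg.set_content("Ach übrigens Das Passwort: 9825" if with_password_hint
                    else "Anbei die Unterlagen.", cte="quoted-printable")
    msg.add_attachment(constructed_encrypted_zip(), maintype="application",
                       subtype="zip", filename="Unterlagen.zip")
    return msg.as_bytes()

def analyse(raw: bytes) -> dict:
    """Gateway-side heuristic: encrypted zip + password disclosed in the body is
    the signature of this lure; a reply into a real thread adds to the suspicion."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    f = {"reply_to_thread": bool(msg["In-Reply-To"] or msg["References"]),
         "password_in_body": bool(PASSWORD_RE.search(text)),
         "encrypted_zip": False}
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            continue
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted entry.
            f["encrypted_zip"] |= any(zi.flag_bits & 0x1 for zi in zf.infolist())
    f["verdict"] = "quarantine" if f["encrypted_zip"] and f["password_in_body"] else "deliver"
    return f
```

A real gateway would also want the thread-hijack signal (“Re:” plus In-Reply-To from an external sender) to feed the score, but even the two-signal rule above never needs the password to fire.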
This is an excellent example that the whole market is a cat and mouse game. Getting back to warnings… you should probably warn your users -again-. This is important for two reasons: users don’t think about IT security the whole day, so they might have forgotten about your last warning already – frequent warnings ensure that users don’t forget to double check what they’re doing. The second reason is that this is fairly different from the other attacks we have seen in the past.
As a last resort there is still the local virus scanner, which is hopefully able to detect the file before it’s being executed. But as we’ve seen in the past – especially with cryptotrojans – they use downloaders and other payloads that change fairly often.
Oh and also… if you know the sender… he might want to check his computer for an infection as well – somehow the bad boys must have gotten your mail address and a message he sent you, right?