Be skeptical or be a victim

Again, anti-malware software fails more than it succeeds. In the end, your skepticism may be your best defense.

On the Internet people lie to you all the time. Back in April, I wrote that the most important aspect of Defensive Computing may very well be skepticism.

For the second time in the last few days, I received a phony e-mail message purporting to be from the package delivery company UPS. A skeptical person would have deleted the message, and a good thing too, because odds are that anti-malware software on a Windows* computer would not have protected the trusting or inexperienced user who believed the scam.

The first thing to be skeptical of is the From address. Never trust the From address in an e-mail message; it is easily forged. Digging into the e-mail headers showed that the message, shown below, actually came from a computer at IP address 121.139.93.144.

Civilians (meaning someone not involved in law enforcement) cannot reliably trace an IP address to a city, let alone an exact address. However, tracing it to a country is, I believe, reliable: the message came from Korea.**


Subject: Problems with delivery

Unfortunately we were not able to deliver postal package you sent on September the 1st in time because the recipient's address is not correct. Please print out the invoice copy attached and collect the package at our office

Thank you for your attention!
Your United Postal Service
http://www.ups.com


The attached file, ups_invoice.zip, contained a single file, ups_invoice.exe.
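The two checks described above, reading the Received chain to find where a message really entered the mail system and looking inside a zip attachment for an executable, can be done offline with the Python standard library. The following is an added example, not code from the original post; it builds its own constructed look-alike of the lure (placeholder hosts, documentation-range IP addresses, a dummy "MZ" file instead of real malware) and then triages it.

```python
"""Offline triage of a suspicious e-mail: origin IP from the Received chain
and executable attachments, including ones hidden inside a zip file."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional

EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_message() -> bytes:
    """Constructed sample resembling the 'UPS invoice' lure. Hosts, IPs and
    ids are placeholders (RFC 5737 documentation ranges), not the post's values."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        # Windows executables start with the 'MZ' magic; this one holds no code.
        zf.writestr("ups_invoice.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    # Each server prepends its own Received header, so the topmost one is the
    # most recent hop and the bottom one is where the message first entered.
    msg["Received"] = ("from relay.example.net (relay.example.net [198.51.100.9]) "
                       "by mx.example.org with ESMTP id 0001; Mon, 8 Sep 2008 10:00:00 +0000")
    msg["Received"] = ("from ups.com (unknown [203.0.113.7]) "
                       "by relay.example.net with SMTP id 0000; Mon, 8 Sep 2008 09:59:00 +0000")
    msg["From"] = "United Postal Service <noreply@ups.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Problems with delivery"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="ups_invoice.zip")
    return msg.as_bytes()


def received_ips(raw: bytes) -> List[str]:
    """IP addresses from the Received chain, oldest hop first."""
    msg = message_from_bytes(raw, policy=policy.default)
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IPV4_IN_BRACKETS.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def origin_ip(raw: bytes) -> Optional[str]:
    """The address that handed the message to the first mail server: the only
    hop a forged From header cannot change (the sender can still forge any
    Received headers it adds itself, so only hops added by your own servers
    are fully trustworthy)."""
    ips = received_ips(raw)
    return ips[0] if ips else None


def from_domain(raw: bytes) -> str:
    """Domain claimed in the From header; easily forged, so it is only a claim."""
    msg = message_from_bytes(raw, policy=policy.default)
    return msg["From"].addresses[0].domain.lower()


def executable_attachments(raw: bytes) -> List[str]:
    """Attachments that are executables, directly or inside a zip. Checks both
    the file extension and the 'MZ' magic so a renamed .exe is still caught."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if isinstance(data, str):  # text attachments cannot be PE files
            continue
        if name.lower().endswith(EXEC_SUFFIXES) or data[:2] == b"MZ":
            found.append(name)
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if (member.lower().endswith(EXEC_SUFFIXES)
                            or zf.read(member)[:2] == b"MZ"):
                        found.append(f"{name}:{member}")
    return found


def triage(raw: bytes) -> dict:
    """Summarise the findings a skeptical reader would want before opening anything."""
    execs = executable_attachments(raw)
    return {
        "from_domain": from_domain(raw),
        "origin_ip": origin_ip(raw),
        "hops": received_ips(raw),
        "executables": execs,
        "suspicious": bool(execs),
    }


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Note the caveat built into origin_ip: a sender can prepend fake Received headers of its own, so the reliable part of the chain is the headers added by servers you trust, read from the top down until the first hop they recorded. Mapping the resulting IP to a country, as the post does, is a separate lookup against a geolocation or WHOIS source.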

The interesting thing here is the constant struggle of anti-malware companies to keep up with the latest malicious software.

I sent the EXE file to VirusTotal and they had already seen it. Of the 36 anti-malware products they scanned it with, only 14 (39 percent) correctly flagged ups_invoice.exe as something to avoid. Among the free anti-malware programs, Avira's AntiVir correctly flagged it as bad, but Avast and AVG did not. McAfee missed it, as did NOD32, Panda, PC Tools, Sunbelt and Trend Micro.

Yes, this message was amateurish and a number of things give it away as phony. However, the next one may not be so obvious and anti-malware software will always be imperfect. Thus, skepticism may be your best defense.

Update September 12, 2008: Two more of these came today. Neither even bothered hiding the EXE file inside a zip file. I sent one of them to VirusTotal and, again, they had seen it before, this time about 20 hours prior to my uploading it. Initially, 17 out of 37 anti-malware products (46%) detected it as suspicious. When I requested VirusTotal to scan it again, 17 out of 36 products (47%) detected it as malicious. Beats me what happened to that missing anti-malware product.

*As is the norm, Mac and Linux users would have been protected as the malicious software was Windows based.
**The message initially passed through an e-mail server run by servage.net, which was probably innocent in all this.

See a summary of all my Defensive Computing postings.
