Trojans and rogue anti-virus detected disguised as shipping and parcel confirmations

News by Dan Raywood

Malicious links disguised as shipping confirmations and fake parcel announcements have been detected in sharply rising numbers.


Webroot's Andrew Brandt claimed that 'Shipping Confirmation' malware is on the rise as autumn approaches and online shopping increases.

Brandt claimed Webroot was: “seeing an increase in the number of Trojans distributed in the guise of ‘shipping confirmation’ email messages. These Trojans are packing a triple threat of backdoors designed to steal logins and take command of infected PCs.”

Previous versions claimed to be from FedEx, UPS, DHL, or the US Postal Service with the message (purportedly) containing tracking information. The new versions appear to come directly from an online retailer, with attached files in the form of a zip archive containing an executable with an icon that makes it look like an Office document, such as an Excel spreadsheet.
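The lure described above rests on a zip archive whose member is an executable dressed up as a document. The following is an added example, not code from the article or from Webroot or M86, of the checks a mail gateway could run on such an attachment: it flags executable extensions, a PE 'MZ' header hiding under a document name, and document-plus-executable double extensions. The thresholds and extension lists are assumptions; the sample zip is constructed inline.

```python
import io
import zipfile

# Assumed extension lists; tune to the environment.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}


def _extensions(name):
    """Return every extension of the base name, e.g. 'a.xls.exe' -> ['.xls', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def inspect_zip(data):
    """Return (member, reason) findings for a zip attachment given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            with zf.open(info) as member:
                head = member.read(2)  # only the magic bytes are needed
            is_exec_name = bool(exts) and exts[-1] in EXEC_EXTENSIONS
            if is_exec_name:
                findings.append((info.filename, "executable member"))
            if head == b"MZ" and not is_exec_name:
                findings.append((info.filename, "PE header under non-executable name"))
            if len(exts) >= 2 and exts[-2] in DOC_EXTENSIONS and is_exec_name:
                findings.append((info.filename, "document extension masking executable"))
    return findings


def build_sample():
    """Constructed attachment mimicking the lure: two disguised PE stubs plus a benign PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipping_Label.xls.exe", b"MZ" + b"\x00" * 62)  # double extension
        zf.writestr("Tracking_Info.doc", b"MZ" + b"\x00" * 62)       # renamed executable
        zf.writestr("invoice.pdf", b"%PDF-1.4\n")                     # benign document
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample()):
        print(f"{member}: {reason}")
```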

Brandt said: “These email messages also imply that the document contains tracking information, but they give the user an extra nudge to open the file by telling the user to ‘print the label to get your package’.

“The effectiveness of a trick like this comes from the wide range of possible reasons someone might have to justify opening the attachment when they see this kind of email drop in. Whether you want to claim a gift you think you've received from someone, you're worried you might be a victim of fraud, want to be helpful and tell the retailer that they got the wrong email address, want to claim this mistaken order for an expensive gift as your own, or just be nosy and want to see what someone else ordered from a store, the initial reaction of many people is going to be the same: open the file and take a look inside.”

Once opened, the payload contains three separate backdoors: Trojan-Backdoor-Progdav (aka Zeus, one of the most widely distributed backdoors on infected computers); Trojan-Backdoor-Stinkbreath (aka BredoLab); and Trojan-Glecia, a browser-hijacking keylogger that appeared for the first time earlier this year.

Meanwhile, M86 Security has detected that the Pushdo botnet has been very active in sending malicious emails with fake parcel notification themes, and is seeing tens of thousands of such messages daily.

Rodel Mendrez, threat analyst at M86 Security, said: “The messages have a zip attachment that purports to be a parcel invoice or a document. The attachment is actually the BredoLab Trojan, a notorious downloader capable of downloading scareware programs, password stealers, spambots, and just about anything the malware author wishes to download on to the infected computer.”

M86 Security claimed that the BredoLab Trojan uses a legitimate-looking icon to disguise itself as a document file. The BredoLab samples it tested downloaded the rogue anti-virus software ‘Anti-virus Pro 2010’ from ‘’.

“These sorts of generic downloaders are becoming more problematic. If you get infected, your computer is then potentially open to a raft of other malware. Which also means you may have a serious cleanup job to do,” said Mendrez.
