Internet Security Systems - AlertCon(TM)

Another wave of ZIP attachment spam

Posted by Ralf Iffert on May 03, 2011 at 9:02 AM EDT.

On May 1st, spammers started another huge wave of ZIP attachment spam. After two waves of ZIP attachment spam in April, accounting for 4 percent and 6 percent of the total spam volume, we are now seeing 16 percent ZIP spam on May 1st and May 2nd.

Figure 1: Percentage ZIP Spam per day from April 1st until May 2nd 2011

When looking at the ZIP attachments of the latest threat, we find in 93.3 percent of those spams the TrojanDownloader:Win32/Chepvil.K (an earlier example: TrojanDownloader:Win32/Chepvil.I). As a Trojan downloader, it downloads malware rather than having intrinsic malicious capabilities. It may also download not just one piece of malware but multiple malware applications with different intentions.
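As an added defender's example (not code from the original post), the following Python scanner reproduces the Figure 1 metric, the per-day share of messages carrying a ZIP attachment, over constructed sample messages, and flags ZIP attachments whose members use an executable extension, the pattern a downloader such as Chepvil relies on. The dates, file names, attachment contents and the executable-extension list are all constructed assumptions.

```python
import email, io, zipfile
from collections import defaultdict
from email import policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"                             # ZIP local file header
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed dropper member extensions

def zip_attachments(msg):
    """(filename, bytes) per ZIP attachment, found by magic bytes, not by the label."""
    return [(p.get_filename(), d) for p in msg.walk()
            if not p.is_multipart() and (d := p.get_payload(decode=True))
            and d.startswith(ZIP_MAGIC)]

def suspicious_zips(raw):
    """Names of ZIP attachments whose members carry an executable extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for name, data in zip_attachments(msg):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(m.lower().endswith(EXEC_EXT) for m in zf.namelist()):
                hits.append(name)
    return hits

def zip_share_per_day(raw_messages):
    """Per-day percentage of messages carrying a ZIP attachment (Figure 1's metric)."""
    total, zipped = defaultdict(int), defaultdict(int)
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        day = msg["Date"].datetime.date().isoformat()
        total[day] += 1
        zipped[day] += bool(zip_attachments(msg))
    return {d: round(100 * zipped[d] / total[d], 1) for d in sorted(total)}

def _make_msg(date, member=None):
    m = EmailMessage()
    m["Date"], m["Subject"] = date, "Your order"
    m.set_content("See the attached order details.")
    if member:  # attach a one-file ZIP with a harmless placeholder body
        with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
            zf.writestr(member, b"placeholder, not a real binary")
        m.add_attachment(buf.getvalue(), maintype="application",
                         subtype="octet-stream", filename="order.zip")
    return m.as_bytes()

SAMPLE = [  # constructed traffic: 1 of 2 messages on May 1st, 1 of 3 on May 2nd carry a ZIP
    _make_msg("Sun, 01 May 2011 08:00:00 +0000", "Order_Details.exe"),
    _make_msg("Sun, 01 May 2011 09:00:00 +0000"),
    _make_msg("Mon, 02 May 2011 10:00:00 +0000", "report.pdf"),
    _make_msg("Mon, 02 May 2011 11:00:00 +0000"),
    _make_msg("Mon, 02 May 2011 12:00:00 +0000"),
]
```

Detection keys on the archive's magic bytes rather than the declared Content-Type, so relabelling the attachment does not hide it; only the first ZIP in the sample conceals an executable member.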


To get users to open the ZIP attachment, some typical lures are used. In one case it is a fake order confirmation stating that the user's credit card will be charged an amount of over one hundred USD.


Figure 2: Faked order confirmation

In another case the message claims that the user's IP address was logged on several illegal websites. The faked sender, the FBI, requests that the user answer the attached questions.


Figure 3: Faked FBI email

In terms of spam volume, the question arises whether there is a connection to the Rustock takedown on March 16th. Interestingly, we have not seen a recovery despite the two ZIP attachment spam waves of April.



Figure 4: Spam Volume per week from February to April 2011

Perhaps botnet capacity has dropped dramatically since this takedown, so the bad guys are focusing their botnets on other, more profitable tasks like spear-phishing or other criminal activities. But this is only a suspicion. It will be interesting to see whether the spam volume recovers in the days and weeks following this, the largest spam threat with malicious attachments in recent months.

Today, however, it looks like a short-term threat that may already be over: the ZIP spam levels have returned to about 1 percent.
