BA e-ticket malware spam

Starting yesterday evening I’ve been seeing hundreds of emails sent to normally spam-free addresses claiming to be British Airways e-tickets. They are, of course, some new malware. It’s coming for a network of freshly compromised servers around the world (with a slight preference for Italy), so spam detection software won’t pick it up, and it’s new malware so virus scanners won’t find it either. As usual it’s a ZIP file containing an EXE, written in Borland Delphi I think.

The spambot code itself appears to be compiled on whatever Linux target the script attack has succeeded on, masquerading as “crond”.