
There is a new version of the Storm Trojan on the loose. It is disguised as an e-postcard but is actually recruiting zombies for a botnet. The attack arrives as spam with the subject line “You’ve received a postcard from a family member!” and contains links to one of several malware hosting sites.
The interesting part is just how multi-layered the attack is: it uses several different exploits, both technical and social. It starts by testing whether JavaScript is enabled, and if it’s not, it prompts you to download a file called “ecard.exe” and run it. If that fails, it tries three different exploits in sequence until it finds one that works, starting with a QuickTime attack, then a WinZip attack, and finally the “hail Mary” WebViewFolderIcon exploit.
The aim is to get the user to download a Trojan. If executed, it calls home to a malware hosting server that has been active since December 2006 and attempts to install zombie software. The installed software then ties the PC into a spam botnet.
The email looks like this:

Good day. Your family member has sent you an ecard from 123greetings.com. Send free ecards from 123greetings.com with your choice of colors, words and music. Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your computer or take a print.

To view your ecard, choose from any of the following options:

-------- OPTION 1 --------
Click on the following Internet address or copy &paste it into your browser's address box.
http://8x.xx.xx.xx/?<a_random_number>

-------- OPTION 2 --------
Copy &paste the ecard number in the "View Your Card" box at http://8x.xx.xx.xx/
Your ecard number is <a_random number>

Best wishes,
Postmaster, 123greetings.com
Remember the following tips when dealing with suspicious e-mails:
- NEVER open a link when you don't know the sender.
- NEVER click on an e-mail link that only has an IP address.
- NEVER run a program or allow a plug-in when you can't absolutely trust where it came from.
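The tips above can be turned into a mail-filter heuristic. The following is an added example, not code from the original post: it extracts the links from a message, flags any whose host is a bare IP address, notes when the body name-drops a brand domain (such as 123greetings.com) that none of the links actually point to, and recognises the greeting-card lure in the subject. The sample message is constructed to mirror the lure quoted above, with an RFC 5737 documentation address (192.0.2.10) standing in for the real host; the scoring thresholds and the short TLD list in `claimed_domains` are simplifications chosen for this example.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample modelled on the Storm e-card lure; 192.0.2.10 is a
# documentation address, not the host used in the real campaign.
STORM_SUBJECT = "You've received a postcard from a family member!"
STORM_BODY = """Good day. Your family member has sent you an ecard from 123greetings.com.
To view your ecard, choose from any of the following options:
-------- OPTION 1 --------
Click on the following Internet address or copy &paste it into your browser's address box.
http://192.0.2.10/?3920173
-------- OPTION 2 --------
Copy &paste the ecard number in the "View Your Card" box at http://192.0.2.10/
Your ecard number is 3920173
Best wishes,
Postmaster, 123greetings.com
"""

# Constructed benign control: the link really goes to the named brand.
BENIGN_SUBJECT = "Ecard from example.com"
BENIGN_BODY = "Your ecard from example.com is ready: http://www.example.com/view?id=1\n"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Deliberately narrow TLD list; a real filter would use a public-suffix list.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.(?:com|net|org))\b")
LURE_RE = re.compile(r"\b(e-?card|postcard|greeting)\b", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in the text, in order of appearance."""
    return URL_RE.findall(text)


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address (tip: never click IP-only links)."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def claimed_domains(text):
    """Brand domains mentioned in the prose, e.g. '123greetings.com'."""
    return set(DOMAIN_RE.findall(text.lower()))


def link_matches_brand(host, brand):
    """A link backs up a brand claim if its host is the brand or a subdomain of it."""
    return host == brand or host.endswith("." + brand)


def analyse(subject, body):
    """Score one message and return the evidence behind the verdict."""
    urls = extract_urls(body)
    ip_urls = [u for u in urls if host_is_ip_literal(u)]
    linked_hosts = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    brands = claimed_domains(body)

    findings = []
    if ip_urls:
        findings.append("link_to_bare_ip")
    # The lure names 123greetings.com but every link goes somewhere else.
    if brands and not any(link_matches_brand(h, b) for h in linked_hosts for b in brands):
        findings.append("brand_name_without_matching_link")
    if LURE_RE.search(subject):
        findings.append("greeting_card_lure")

    # A bare-IP link alone is decisive; otherwise require two weak signals,
    # so a legitimate card notice with a matching link is not blocked.
    verdict = "suspicious" if "link_to_bare_ip" in findings or len(findings) >= 2 else "ok"
    return {"urls": urls, "ip_urls": ip_urls, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for subj, body in ((STORM_SUBJECT, STORM_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        result = analyse(subj, body)
        print(f"{subj!r}: {result['verdict']} {result['findings']}")
```

The benign control still trips the lure-word check on its subject, which is the point of requiring a second signal before blocking: the bare-IP link and the brand/link mismatch are what separate the Storm message from a real notification.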