
Beware the fake holiday greeting card

29 December 2008


Storm virus redux

A new piece of malware named “XmasStorm” is spreading a virus through holiday and Christmas online greetings. The malware appears to have originated in China, and security researchers say its tactics closely resemble those used last year by the notorious Storm Trojan horse.

It was discovered by researchers at the Bach Khoa Internetwork Security Center in Hanoi, Vietnam, who report that it is spreading through holiday-themed spam. The messages carry subject lines such as "Merry Xmas!" and "Merry Christmas card for you!" and link to sites that claim to host an electronic greeting card waiting for the recipient. When the recipient clicks the link, the site instead loads malware onto the PC: the machine is hijacked and a bot is installed that waits for commands from its controllers.

Nguyen Minh Duc, the manager of Bach Khoa's application security group, said that hackers have registered at least 75 domain names relating to the malware campaign's holiday theme in the last month, including "superchristmasday.com" and "funnychristmasguide.com."

According to WHOIS searches, those domains were registered to a Chinese address on Dec. 1st and Dec. 19th. "Special occasions such as Christmas and New Year’s have always been the periods when hackers distribute viruses via fake e-cards with malicious code," said Nguyen in an e-mail Wednesday. "Therefore, users should be careful on receiving greeting e-mail from unknown sources for safety's sake."

Other researchers, including those at ESET LLC, a Slovakian security company with offices in San Diego, California, have reported similar attacks. ESET researcher Pierre-Marc Bureau reported a spike in holiday spam that pointed to sites hosting a file named "ecard.exe" that was malware and not a real greeting card.
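The pattern described above (a holiday-themed subject line, a link to a freshly registered domain, and a download whose file name ends in ".exe" rather than a real card) is something a mail gateway can score. The following is an added example written for this page, not code from Bach Khoa, ESET or any other vendor; the sample messages, the registration dates and the scoring weights are all constructed for illustration, and a real deployment would replace the hard-coded WHOIS table with an actual registration-age lookup.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from email import message_from_string
from urllib.parse import urlparse

# Subject-line lures quoted in the article; the patterns themselves are ours.
LURE_SUBJECT_PATTERNS = [
    re.compile(r"\bmerry\s+(xmas|christmas)\b", re.I),
    re.compile(r"\b(greeting|e-?card)\b", re.I),
    re.compile(r"\bnew\s+year", re.I),
]
# File extensions that should never be what an "e-card" link resolves to.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed stand-in for a WHOIS lookup: domain -> registration date.
# The domain and dates come from the article; the mapping is an assumption.
CONSTRUCTED_WHOIS = {"superchristmasday.com": date(2008, 12, 19)}
TODAY = date(2008, 12, 29)  # the article's publication date, used as "now"

# Constructed sample messages (not real captures).
SAMPLE_SPAM = """From: santa@example.net
Subject: Merry Christmas card for you!
Content-Type: text/plain

Your friend sent you a card! Open it at http://superchristmasday.com/ecard.exe
"""
SAMPLE_BENIGN = """From: alice@example.org
Subject: Minutes from Tuesday
Content-Type: text/plain

Notes are at https://intranet.example.org/minutes/2008-12-16.html
"""


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def domain_age_days(domain, registration_dates, today):
    """Days since registration, or None when the registrar data is unknown."""
    reg = registration_dates.get(domain.lower())
    return (today - reg).days if reg else None


def score_message(raw, registration_dates, today, young_days=30):
    """Score a single-part text message on the three indicators from the article."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    verdict = Verdict()
    if any(p.search(subject) for p in LURE_SUBJECT_PATTERNS):
        verdict.score += 1
        verdict.reasons.append("holiday lure subject")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            verdict.score += 3  # a "greeting card" that is really an executable
            verdict.reasons.append(f"link to executable: {url}")
        age = domain_age_days(host, registration_dates, today)
        if age is not None and age <= young_days:
            verdict.score += 2  # campaign domains were registered within the month
            verdict.reasons.append(f"recently registered domain: {host} ({age} days)")
    return verdict


def is_suspicious(raw, registration_dates=CONSTRUCTED_WHOIS, today=TODAY, threshold=3):
    """True when the combined indicators reach the (constructed) alert threshold."""
    return score_message(raw, registration_dates, today).score >= threshold


if __name__ == "__main__":
    for label, sample in (("spam", SAMPLE_SPAM), ("benign", SAMPLE_BENIGN)):
        v = score_message(sample, CONSTRUCTED_WHOIS, TODAY)
        print(label, v.score, v.reasons)
```

The subject line alone scores low on purpose: plenty of legitimate mail says "Merry Christmas". What pushes the sample over the threshold is the combination with a link whose path ends in an executable and a domain registered days earlier, which is exactly the combination the researchers quoted here observed.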

"The reason this wave has attracted our attention is that it is very similar to the Storm worm attacks we were seeing last year," said Bureau in an e-mail. "[But] this is not the resurrection of the Storm botnet," Bureau cautioned. "Analysis of the binary proves it to be different. It was programmed using a different programming language and includes different functionalities."

Microsoft claimed that its Malicious Software Removal Tool had beaten the previous Storm malware into submission earlier this year. Some security analysts say that the resurgence of this new and similarly acting malware is proof that the botnet did in fact survive.

"What we are observing today is proof that malware authors are learning from each other's errors and successes," said Pierre-Marc Bureau. "After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success."

Beware those holiday greeting emails. If you don’t know who an electronic greeting is from, don’t open it and, certainly, don’t click on the links that are in an unknown greeting.

Last modified on 29 December 2008