E-card slimeware delivers pr0n

Trojan routes surfers to racy sites

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

It's no coincidence that one of the most recent Trojan horse programs to enter the FBI's bi-weekly rogues gallery of malicious code is named after an Internet porn company.

The program, dubbed "Cytron" by the bureau's National Infrastructure Protection Center (NIPC) and some anti-virus vendors, is a covert browser plug-in that gives Internet Explorer users something they probably don't want: more pop-up ads, promoting a slew of adult websites.

Users are lured into accepting the program through a wholesome e-mail from egreetings@yahoo.com -- a forged return address. The mail looks convincingly like an electronic greeting card notification, with a cute smiley face background and the text "You have received an e-card" in squiggly block letters.

Clicking on the graphic of a cartoon hand holding an envelope takes the recipient to surprisecards.net, where the surprise is an "e-card viewer plug-in" that they have to accept to read the card. If the user accepts the ActiveX control, which is signed with a credibility-boosting digital certificate, Internet Explorer will begin selectively feeding them racy full-sized pop-up ads for adult websites, mostly operated by Canada-based Cytron Communications Ltd. They never do get a greeting card.

Small touches like the convincing domain name and the authentic digital certificate make the ruse smarter than the average covert adware delivery mechanism. "A lot of people see that it's an authentic certificate... and will just mindlessly click okay," says Jonathan Zdziarski, a Georgia software developer who was among the first to detect the spammy scam late last month after receiving one of the e-mails. "I can certainly see how your average doctor or oil change technician or anyone who's not in the technology field would fall for something like that."

The e-card porn Trojan is the latest advancement in an industry known for pushing the envelope.

"There some perfectly legitimate Internet porn operators, but it is a ruthlessly competitive industry that's constantly looking for new ways to get the click," says Jason Catlett, president of the anti-spam company Junkbusters. "They've always been at the leading edge of tactics, legitimate and illegitimate, for getting more traffic."

Key Phrase Matching

The Cytron program works by scanning the Web sites the victim views for key phrases like "hot sex" or "hard core," then serving up ads based on the matches. The technique seems designed to target only people in the market for porn, luring them away from Cytron competitors while catering to the user's particular sexual inclinations.

But the covert phrase-matching software suffers from the same problem as keyword-based filtering programs: it's easily triggered by destinations that don't necessarily indicate a taste for adult content. In tests by SecurityFocus, browsing a USA Today story about the constitutionality of Internet porn spawned a window promoting the gay men's adult site "Tyler's Room," complete with thumbnail teaser photos of well-endowed models. Surfing to a Christian website selling the video "Porn: the Tragedy Exposed" exposed the front page of another Cytron site offering "The nets [sic] youngest women online," with a topless photo of one of them.

Though Cytron is based in British Columbia, by luring U.S. netizens into installing the covert adware under false pretenses, the company may run afoul of U.S. computer crime laws and regulations prohibiting deceptive trade practices, says Catlett. "It's very ingenious... But if they're fooling people into downloading software, that's still going to be illegal under the Computer Fraud and Abuse act."

The surprisecards.net site is served from a San Diego hosting company unrelated to Cytron, but the domain name is registered to Cytron president and CEO Richard Oliver.

Reached by telephone Friday, Oliver didn't deny pulling the e-card scam. But Oliver says it's a jungle out there, pointing to the spyware and adware routinely bundled with popular file-swapping applications, without the average user knowing it.

"I can name you about a hundred different companies, publicly traded companies, that are doing far worse than I am," said Oliver. "You've never heard of Kazaa, you've never heard of Morpheus, nobody's ever heard of any of these file-sharing companies that put all kinds of software on your computer?... Well, now you've heard of us."

© 2002 SecurityFocus.com, all rights reserved.

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story


Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.