E-card slimeware delivers pr0n

Trojan routes surfers to racy sites

It's no coincidence that one of the most recent Trojan horse programs to enter the FBI's bi-weekly rogues gallery of malicious code is named after an Internet porn company.

The program, dubbed "Cytron" by the bureau's National Infrastructure Protection Center (NIPC) and some anti-virus vendors, is a covert browser plug-in that gives Internet Explorer users something they probably don't want: more pop-up ads, promoting a slew of adult websites.

Users are lured into accepting the program through a wholesome e-mail from egreetings@yahoo.com -- a forged return address. The mail looks convincingly like an electronic greeting card notification, with a cute smiley face background and the text "You have received an e-card" in squiggly block letters.

Clicking on the graphic of a cartoon hand holding an envelope takes the recipient to surprisecards.net, where the surprise is an "e-card viewer plug-in" that they have to accept to read the card. If the user accepts the ActiveX control, which is signed with a credibility-boosting digital certificate, Internet Explorer will begin selectively feeding them racy full-sized pop-up ads for adult websites, mostly operated by Canada-based Cytron Communications Ltd. They never do get a greeting card.

Small touches like the convincing domain name and the authentic digital certificate make the ruse smarter than the average covert adware delivery mechanism. "A lot of people see that it's an authentic certificate... and will just mindlessly click okay," says Jonathan Zdziarski, a Georgia software developer who was among the first to detect the spammy scam late last month after receiving one of the e-mails. "I can certainly see how your average doctor or oil change technician or anyone who's not in the technology field would fall for something like that."

The e-card porn Trojan is the latest advancement in an industry known for pushing the envelope.

"There some perfectly legitimate Internet porn operators, but it is a ruthlessly competitive industry that's constantly looking for new ways to get the click," says Jason Catlett, president of the anti-spam company Junkbusters. "They've always been at the leading edge of tactics, legitimate and illegitimate, for getting more traffic."

Key Phrase Matching

The Cytron program works by scanning the Web sites the victim views for key phrases like "hot sex" or "hard core," then serving up ads based on the matches. The technique seems designed to target only people in the market for porn, luring them away from Cytron competitors while catering to the user's particular sexual inclinations.

But the covert phrase-matching software suffers from the same problem as keyword-based filtering programs: it's easily triggered by destinations that don't necessarily indicate a taste for adult content. In tests by SecurityFocus, browsing a USA Today story about the constitutionality of Internet porn spawned a window promoting the gay men's adult site "Tyler's Room," complete with thumbnail teaser photos of well-endowed models. Surfing to a Christian website selling the video "Porn: the Tragedy Exposed" exposed the front page of another Cytron site offering "The nets [sic] youngest women online," with a topless photo of one of them.

Though Cytron is based in British Columbia, by luring U.S. netizens into installing the covert adware under false pretenses, the company may run afoul of U.S. computer crime laws and regulations prohibiting deceptive trade practices, says Catlett. "It's very ingenious... But if they're fooling people into downloading software, that's still going to be illegal under the Computer Fraud and Abuse act."

The surprisecards.net site is served from a San Diego hosting company unrelated to Cytron, but the domain name is registered to Cytron president and CEO Richard Oliver.

Reached by telephone Friday, Oliver didn't deny pulling the e-card scam. But Oliver says it's a jungle out there, pointing to the spyware and adware routinely bundled with popular file-swapping applications, without the average user knowing it.

"I can name you about a hundred different companies, publicly traded companies, that are doing far worse than I am," said Oliver. "You've never heard of Kazaa, you've never heard of Morpheus, nobody's ever heard of any of these file-sharing companies that put all kinds of software on your computer?... Well, now you've heard of us."

© 2002 SecurityFocus.com, all rights reserved.

Sponsored: Today’s most dangerous security threats