Unwanted e-card conceals a Storm
Don't download it - as if you needed to be told...
Posted in Security, 29th June 2007 13:03 GMT
There's a new version of the Storm Trojan on the loose, disguised as an e-postcard but actually recruiting zombies for a botnet, according to the SANS Institute's Internet Storm Centre (ISC).
The attack arrives as a spam message with the subject line "You've received a postcard from a family member!" and contains links to one of several malware hosting sites, said SANS researcher Lorna Hutcheson in a SANS ISC security alert. The interesting part is just how multi-layered the attack is - it uses several different exploits, both technical and social.
It starts by testing whether JavaScript is enabled, and if it's not, it prompts you to download a file called ecard.exe and run it. Failing that, it tries three different exploits in sequence until it finds one that works, starting with a QuickTime attack, then a WinZip attack, and finally what the ISC calls the "hail Mary" WebViewFolderIcon exploit.
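The staged behaviour described above, as an added triage example that is not from the ISC alert or from The Register: a Python script that checks a message subject against the lure quoted in the article and statically scans a landing page for the footprints the article describes (a no-JavaScript fallback that offers an executable, several plugin instantiations, and script that falls through from one failed attempt to the next). The sample message and HTML are constructed for the example and are not the real Storm page, the heuristics are the editor's own and deliberately coarse, and the CLSID in the sample is a placeholder rather than a real control.

```python
"""Heuristic triage of an e-card spam and its landing page.

Added example; not code from the ISC alert or The Register.  Samples are
constructed to mimic the behaviour described in the article.
"""
import re
from html.parser import HTMLParser

# Lure subject line reported in the ISC alert (quoted in the article).
KNOWN_LURE_SUBJECTS = {"you've received a postcard from a family member!"}
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage_message(subject, body):
    """Return the URLs in a message whose subject matches the known lure,
    or an empty list for any other subject."""
    if subject.strip().lower() not in KNOWN_LURE_SUBJECTS:
        return []
    return URL_RE.findall(body)


class _LandingPageParser(HTMLParser):
    """Collects the page features the triage heuristics look at."""

    def __init__(self):
        super().__init__()
        self.in_noscript = False
        self.in_script = False
        self.noscript_exe_refs = []   # executables offered when JavaScript is off
        self.script_bodies = []       # inline script text, one entry per <script>
        self.plugin_loads = []        # <object classid=...> / <embed type=...>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "noscript":
            self.in_noscript = True
        elif tag == "script":
            self.in_script = True
            self.script_bodies.append("")
        elif tag == "a" and self.in_noscript and a.get("href", "").lower().endswith(EXECUTABLE_EXTS):
            self.noscript_exe_refs.append(a["href"])
        elif tag == "object" and "classid" in a:
            self.plugin_loads.append(("object", a["classid"]))
        elif tag == "embed" and "type" in a:
            self.plugin_loads.append(("embed", a["type"]))

    def handle_endtag(self, tag):
        if tag == "noscript":
            self.in_noscript = False
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and self.script_bodies:
            self.script_bodies[-1] += data
        elif self.in_noscript:
            # Catch plain-text instructions such as "download ecard.exe" too.
            for word in data.split():
                if word.lower().rstrip(".,;:").endswith(EXECUTABLE_EXTS):
                    self.noscript_exe_refs.append(word)


def triage_landing_page(html):
    """Map the page's features onto the stages described in the article and
    return the list of indicator names that fired (empty for a benign page)."""
    p = _LandingPageParser()
    p.feed(html)
    p.close()
    indicators = []
    if p.noscript_exe_refs:
        indicators.append("noscript_executable_prompt")
    # Several plugin instantiations on a greeting-card page is the static
    # footprint of "try exploit A, then B, then C".
    if len(p.plugin_loads) >= 2:
        indicators.append("multiple_plugin_instantiations")
    # Exploit chains wrap each attempt so a failure falls through to the next.
    if "\n".join(p.script_bodies).count("catch") >= 2:
        indicators.append("chained_try_catch_in_script")
    return indicators


# Constructed samples (assumptions for this example, not captured data).
SAMPLE_SPAM_SUBJECT = "You've received a postcard from a family member!"
SAMPLE_SPAM_BODY = "Hello! Your postcard is waiting: http://example.invalid/postcard.html"
SAMPLE_LANDING_PAGE = """
<html><body>
<noscript>
  JavaScript is disabled. Please download <a href="ecard.exe">ecard.exe</a> to view your card.
</noscript>
<script>
  try { stageOne(); } catch (e) {}
  try { stageTwo(); } catch (e) {}
  try { stageThree(); } catch (e) {}
</script>
<embed type="video/quicktime" src="card.mov">
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>
"""
SAMPLE_BENIGN_PAGE = "<html><body><p>Happy birthday!</p><script>showCard();</script></body></html>"

if __name__ == "__main__":
    print(triage_message(SAMPLE_SPAM_SUBJECT, SAMPLE_SPAM_BODY))
    print(triage_landing_page(SAMPLE_LANDING_PAGE))
    print(triage_landing_page(SAMPLE_BENIGN_PAGE))
```

The HTML is parsed with the standard library only, so the check can run on a quarantined copy of the page without loading it in a browser; the indicator names are stable strings so they can be fed straight into a ticket or a blocklist decision.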
The aim is to get the user to download a Trojan. If executed, this calls home to a malware hosting server which SANS says has been active since December 2006, and attempts to install zombie software. That then ties the PC into a spam botnet.
Perhaps the most dangerous part is that, when SANS ran it through 30 different anti-virus programs, only a quarter of them picked up ecard.exe as a suspect download.®
