Fake Christmas, holiday greetings spread new malware
New malware is spreading via Christmas and holiday greetings, security researchers said today, a tactic reminiscent of those used last season by the notorious Storm Trojan horse.
Researchers at the Bach Khoa Internetwork Security Center in Hanoi, Vietnam reported today that a new piece of malware, dubbed "XmasStorm" by the center, is spreading through holiday-themed spam.
Touting subject lines such as "Merry Xmas!" and "Merry Christmas card for you!", the spam includes links to sites that purportedly host electronic greeting cards waiting for the recipients. In fact, the sites are serving up malware that hijacks the visiting PC, then installs a bot which waits for commands from the hacker controllers.
Nguyen Minh Duc, the manager of Bach Khoa's application security group, said that XmasStorm originated in China. Hackers have registered at least 75 domain names relating to the malware campaign's holiday theme in the last month, including "superchristmasday.com" and "funnychristmasguide.com." According to WHOIS searches, those domains were registered to a Chinese address on Dec. 1 and Dec. 19, respectively.
"Special occasions such as Christmas and New Year have always been the periods when hackers distribute viruses via fake e-card with malicious code," said Nguyen in an e-mail Wednesday. "Therefore, users should be careful on receiving greeting e-mail from unknown sources for safety's sake."
Similar attacks have been monitored by other researchers, including those at ESET LLC, a Slovakian security company that has offices in San Diego. Monday, ESET researcher Pierre-Marc Bureau reported a spike in holiday spam that pointed to sites hosting a file named "ecard.exe" that was not, of course, a greeting card, but instead malware.
"The reason this wave has attracted our attention is that it is very similar to the Storm worm attacks were seeing last year," said Bureau in an e-mail.
Although Storm used a wide variety of stratagems during 2007 and early 2008, a year ago it rode on the back of a spam campaign based on New Year's greetings . Just before those messages flooded inboxes, Storm's creators had tried to tempt computer users into clicking on links promoting Christmas-themed pornography .
"[But] this is not the resurrection of the Storm botnet," Bureau cautioned. "Analysis of the binary proves it to be different. It was programmed using a different programming language and includes different functionalities."
Although Microsoft Corp. researchers said that their company's Malicious Software Removal Tool (MSRT) had beaten Storm into submission earlier this year, other security analysts had disputed the botnet's demise .
"What we are observing today is proof that malware authors are learning from each other's errors and successes," said Bureau. "After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success."
» posted by ITworld staff
Computerworld
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
malware
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
