By Gregg Keizer
June 28, 2007
A new round of greeting card spam that draws users to attack sites
relies on a sophisticated multi-pronged, multi-exploit strike force to
infect machines, security professionals said late today.
Captured samples of the spam have all borne the same subject line --
"You've received a postcard from a family member!" -- and contain links
victim's browser has scripting enabled or turned off.
on to exploit yourself," said an alert posted Thursday afternoon by SANS
Institute's Internet Storm Center (ISC). Some users turn off scripting
are simply fed a two-part package of downloader and malware.
The quick browser status exam in this attack is somewhat similar to one
used in a different exploit tracked by Symantec Corp. since Tuesday, but
the two are not connected, said Oliver Friedrichs, director of
Symantec's security response group. "They're using two different
toolkits," said Friedrichs, "but they're both prime examples that
exploits against browsers are more and more prevalent."
Today's greeting card gambit tries a trio of exploits, moving on to the
second if the machine is not vulnerable to the first, then on to the
third if necessary. The first is an exploit against a QuickTime
vulnerability, the second an attack on the popular WinZip compression
utility and the third, dubbed "the Hail Mary" by ISC, is an exploit for
the WebViewFolderIcon vulnerability in Windows that Microsoft Corp.
patched last October.
ISC said several antivirus vendors had tentatively pegged the executable
disabled -- as a variation of the Storm Trojan, an aggressive piece of
malware that has been hijacking computers to serve as attacker bots
since early this year. According to ISC's warning, computers already
compromised by Storm -- a.k.a. Peacom -- are hosting the malware, and
the attackers are rotating those machines' IP addresses in the spam
"Every Storm-infected system is potentially capable of hosting the
malware and sending the spam, but only a few will be used in any given
run," said the alert, "depending on how many e-mails they want sent and
how many Web hits they're expecting."
Hackers haven't abandoned the practice of attaching malware to e-mail,
then counting on naive users to open the file, said Friedrichs. But
malware hosting sites are the trend. "It's much more difficult to send a
full malicious file," he said, because of users' learned reluctance to
open suspicious files and filtering and blocking tactics by security
"This is widespread, and leads the user to multiple IP addresses," said
Shimon Gruper, vice president with Aladdin Knowledge Systems Inc., a
security company known for its eSafe antivirus software. "There's not a
single server, there are multiple exploits [and the e-mail] has no
attachments. This will be very difficult to detect."
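The traits the ISC alert and Gruper describe (one fixed subject line, no attachment, links pointing at many different bare IP hosts instead of one server) are exactly what a mail gateway can correlate on. The script below is an added example, not code from the article or from ISC, Symantec or Aladdin; it triages a few constructed messages (documentation-range IPs, no real indicators) and collects the set of distinct IP hosts seen under the campaign subject, which grows as the senders rotate bot addresses.

```python
"""Defender-side triage for the postcard spam pattern described above.

Added example, not from the article or any vendor it quotes. The sample
messages are constructed; the IP addresses come from the RFC 5737
documentation ranges and are not real indicators.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Subject line that every captured sample bore, per the ISC alert.
CAMPAIGN_SUBJECT = "You've received a postcard from a family member!"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (no real senders, hosts or links).
SAMPLE_MESSAGES = [
    {"subject": "You've received a postcard from a family member!",
     "body": "View your card at http://192.0.2.10/?e1=postcard",
     "attachments": []},
    {"subject": "You've received a postcard from a family member!",
     "body": "Your card is waiting: http://198.51.100.7/?e1=postcard",
     "attachments": []},
    {"subject": "You've received a postcard from a family member!",
     "body": "Click http://203.0.113.42/?e1=postcard to open it",
     "attachments": []},
    {"subject": "Weekly report",
     "body": "Minutes attached. Also see http://intranet.example/wiki",
     "attachments": ["minutes.pdf"]},
]


def extract_urls(body: str) -> list[str]:
    """Pull every http(s) URL out of a plain-text body."""
    return URL_RE.findall(body)


def host_is_bare_ip(url: str) -> bool:
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(message: dict) -> dict:
    """Score one message on the traits the article describes: the fixed
    subject line, a link to a bare IP host, and a link with no attachment."""
    urls = extract_urls(message["body"])
    ip_urls = [u for u in urls if host_is_bare_ip(u)]
    reasons = []
    if message["subject"].strip() == CAMPAIGN_SUBJECT:
        reasons.append("campaign-subject")
    if ip_urls:
        reasons.append("link-to-bare-ip")
    if urls and not message["attachments"]:
        reasons.append("link-only-no-attachment")
    # The known subject alone is enough; otherwise require two weaker traits.
    suspicious = "campaign-subject" in reasons or len(reasons) >= 2
    return {"suspicious": suspicious,
            "reasons": reasons,
            "ip_hosts": [urlparse(u).hostname for u in ip_urls]}


def campaign_hosts(messages: list[dict]) -> set[str]:
    """Distinct bare-IP hosts seen across messages carrying the campaign
    subject. A set that keeps growing under one subject line is the
    address rotation the ISC alert describes."""
    hosts: set[str] = set()
    for m in messages:
        result = triage(m)
        if "campaign-subject" in result["reasons"]:
            hosts.update(result["ip_hosts"])
    return hosts


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(triage(m))
    print("distinct hosts under campaign subject:",
          sorted(campaign_hosts(SAMPLE_MESSAGES)))
```

The subject match is deliberately a separate reason from the structural traits: when the senders change the subject line, the bare-IP-link-without-attachment pairing still raises the message for review, and the host set can be fed to a blocklist or correlated against known bot addresses.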
Two days ago, a Symantec honeypot captured a similar Web site-hosted
attack that had an arsenal of multiple exploits at its disposal. That
attack, however, featured an unusual, if rudimentary, browser detector
that sniffed out whether the target computer is running Microsoft's
Internet Explorer (IE) or Mozilla Corp.'s Firefox. If the attack detects
IE, it feeds the machine a Windows animated cursor exploit. If it finds
Firefox, however, the site spits out a QuickTime exploit.