Beware Bogus E-Valentines

Discussion in 'other security issues & news' started by ronjor, Feb 13, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
    Brian Krebs
     
  2. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    Just a hint: That e-valentine from the IRS is probably a fake. ;)
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    LOL, I checked my gmail spam folder and got one valentine's greeting card.

    I haven't opened it yet, but it seems that it points to an IP known for malware drive-bys. Googled the IP and I saw an article about some malware named Storm, which used to travel by Christmas greeting cards....

    more info:
    http://asert.arbornetworks.com/2007/12/storm-is-back-dude/

    I'll try it later on a VM.... it will be my first real malware test, so wish me luck (I have a backup, plus returnil enabled, but you never know...).
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Good luck ;)
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I finally received one of these, thanks to Hurst.

    It purports to be a drive-by download triggered by redirect/refresh. However, it is not
    a drive-by (remote code execution) in the classic sense, since it triggers a
    download prompt:

    Code:
    <meta http-equiv="refresh" content="5;url=valentine.exe">
    
    (attachment: valentine-1.gif)

    A true remote code execution exploit code would download/run the
    executable in the background.

    As with the other storm cards, the valentine image itself is a trigger to download if clicked:

    Code:
    <a href="valentine.exe"><img border=0 src="1.gif">
    
    (attachment: valentine-2.gif)

    This will also bring up the download prompt. So, the user must be tricked into thinking
    that an e-card can be an executable file.

    The Krebs article is updated with two links, one to Sunbelt,

    http://sunbeltblog.blogspot.com/2008/02/dangerous-new-fake-american-greetings.html

    In this exploit, the user has to be tricked into updating Flash for the e-card to work.

    The original article by Mr. Krebs is strange: he begins with his own aversion to e-cards because they
    At the end of the article, he lays out an effective procedure for dealing with e-cards.

    One doesn't have to be "conditioned" to clicking on everything, and there is no reason
    for those who wish to use e-cards not to enjoy them if dealt with in the proper manner.


    ----
    rich
     
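As an added illustration (not code from the thread or from any poster), the two constructs Rmus quotes above, a meta refresh whose url target ends in `.exe` and an anchor whose href points at the same executable, can be flagged mechanically. The scanner below parses an HTML e-card with Python's standard library and reports both patterns; the sample page is constructed here to mirror the quoted snippets, and the extension list is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list: extensions a browser will offer to download/run rather than render.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}

def points_to_executable(url):
    """True if the URL path ends in an executable extension (query/fragment ignored)."""
    path = urlsplit(url.strip()).path.lower()
    return any(path.endswith(ext) for ext in EXECUTABLE_EXTS)

class ECardScanner(HTMLParser):
    """Collects meta-refresh redirects and anchor links that lead to executables."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "5;url=valentine.exe"; pull out the url part
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m and points_to_executable(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1).strip()))
        elif tag == "a" and points_to_executable(a.get("href", "")):
            self.findings.append(("link", a["href"].strip()))

def scan_ecard_html(html):
    """Return a list of (kind, target) pairs for every executable-bound redirect or link."""
    p = ECardScanner()
    p.feed(html)
    return p.findings

# Constructed sample modelled on the two snippets quoted in the thread.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5;url=valentine.exe">
</head><body>
<a href="valentine.exe"><img border=0 src="1.gif"></a>
<a href="about.html">about</a>
</body></html>"""

if __name__ == "__main__":
    for kind, target in scan_ecard_html(SAMPLE):
        print(f"{kind}: {target}")
```

Run against a saved card page, it prints one line per finding; an ordinary image card produces none, which is the point of the check.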
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Social engineering works well ;)
     
  7. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Reminds me of the old days, when for some reason it took Hallmark (of all people) ages to learn not to use exe-links in their e-cards. Even a youngster with just a hint of security awareness learned to trust Yahoo greetings rather than Hallmark because of that.
     