Beware Bogus E-Valentines

Discussion in 'other security issues & news' started by ronjor, Feb 13, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    Brian Krebs
     
  2. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    Just a hint: That e-valentine from the IRS is probably a fake. ;)
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    LOL, I checked my gmail spam folder and got one valentine's greeting card.

    I haven't opened it yet, but it seems that it points to an IP known for malware drive-bys. Googled the IP and I saw an article about some malware named Storm, which used to travel by Christmas greeting cards....

    more info:
    http://asert.arbornetworks.com/2007/12/storm-is-back-dude/

    I'll try it later on a VM.... it will be my first real malware test, so wish me luck (I have a backup, plus returnil enabled, but you never know...).
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Good luck ;)
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I finally received one of these, thanks to Hurst.

    It purports to be a drive-by download triggered by redirect/refresh. However, it is not
    a drive-by (remote code execution) in the classic sense, since it triggers a
    download prompt:

    Code:
    <meta http-equiv="refresh" content="5;url=valentine.exe">
    
    [attachment: valentine-1.gif]
    _________________________________________________________________

    A true remote code execution exploit code would download/run the
    executable in the background.

    As with the other storm cards, the valentine image itself is a trigger to download if clicked:

    Code:
    <a href="valentine.exe"><img border=0 src="1.gif">
    
    [attachment: valentine-2.gif]
    _________________________________________________________________

    This will also bring up the download prompt. So, the user must be tricked into thinking
    that an e-card can be an executable file.

    The Krebs article is updated with two links, one to Sunbelt,

    http://sunbeltblog.blogspot.com/2008/02/dangerous-new-fake-american-greetings.html

    In this exploit, the user has to be tricked into updating Flash for the e-card to work.

    The original article by Mr. Krebs is strange: he begins with his own aversion to e-cards because they
    At the end of the article, he lays out an effective procedure for dealing with e-cards.

    One doesn't have to be "conditioned" to clicking on everything, and there is no reason
    for those who wish to use e-cards not to enjoy them if dealt with in the proper manner.


    ----
    rich
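The two snippets Rmus quotes above are the whole trick: a meta refresh whose `url=` points at an executable, and an image wrapped in a link to that same executable. Both surface as a download prompt rather than silent code execution, so the detection question for a mail gateway or a sandbox analyst is simply "does this e-card HTML hand the browser an executable?" The scanner below is an added example written for this thread, not code from any poster; it uses Python's standard `html.parser` and a constructed sample page, and the list of executable extensions is an assumption rather than anything the thread specifies.

```python
"""Flag e-card HTML that hands the browser an executable, as in the Storm
valentine cards discussed above: a <meta http-equiv="refresh"> whose url
points at an executable, or an <a href> (possibly wrapping an <img>) that
links straight to one.  Added example, not code from the thread."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed set of "run it" extensions; extend to taste for your environment.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta")


def target_of_refresh(content):
    """Return the URL part of a meta-refresh content value, e.g. '5;url=x.exe' -> 'x.exe'."""
    for part in content.split(";")[1:]:
        part = part.strip()
        if part.lower().startswith("url="):
            return part[4:].strip().strip("\"'")
    return None


def is_executable_url(url):
    """True if the URL's path ends in one of EXEC_EXTENSIONS (query string ignored)."""
    return urlsplit(url).path.lower().endswith(EXEC_EXTENSIONS)


class ECardScanner(HTMLParser):
    """Collects (kind, url) findings; kinds are meta-refresh, link, image-link."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._anchor_target = None  # executable href of the <a> we are inside, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            url = target_of_refresh(a.get("content", ""))
            if url and is_executable_url(url):
                self.findings.append(("meta-refresh", url))
        elif tag == "a":
            href = a.get("href", "")
            self._anchor_target = href if is_executable_url(href) else None
            if self._anchor_target:
                self.findings.append(("link", href))
        elif tag == "img" and self._anchor_target:
            # The "click the card" lure: a picture whose only purpose is to be a link to the .exe
            self.findings.append(("image-link", self._anchor_target))

    def handle_endtag(self, tag):
        if tag == "a":
            self._anchor_target = None


def scan_ecard(html):
    """Return the list of executable hand-offs found in one HTML document."""
    scanner = ECardScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample modelled on the two snippets quoted in the thread.
SAMPLE_CARD = """
<html><head>
<meta http-equiv="refresh" content="5;url=valentine.exe">
</head><body>
<a href="valentine.exe"><img border=0 src="1.gif"></a>
<a href="unsubscribe.html">unsubscribe</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in scan_ecard(SAMPLE_CARD):
        print(f"{kind:12s} -> {url}")
```

Run against the constructed sample it reports the meta refresh, the link and the image wrapped in that link, and stays silent on the ordinary `unsubscribe.html` link. A real gateway would additionally resolve relative URLs against the message's base and treat archive or double-extension names as suspicious, but the shape of the check is the same.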
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Social engineering works well ;)
     
  7. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Reminds me of the old days, when for some reason it took Hallmark (of all people) ages to learn not to use exe-links in their e-cards. Even a youngster with just a hint of security awareness learned to trust Yahoo greetings rather than Hallmark because of that.
     