Fake e-card viruses getting harder to stop
Cudni (La Merma - Vigilado; Premium, MVM; joined 2003-12-20; Someshire)

reply to daveinpoway
Re: Fake e-card viruses getting harder to stop

from link:
"... All recipients have to do to trigger the virus is to click on the link created by the e-mail client once they have read the message, he said. ..."

don't click, disappoint them instead
»Selema must really love me...

Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006-2007


NetFixer (Freedom is NOT Free; Premium; joined 2004-06-24; Murfreesboro, TN)

said by Cudni:

don't click, disappoint them instead :)
»Selema must really love me...
I just couldn't resist seeing what the payload and delivery method looked like for that one. Since that email made it past my outsourced primary and in-house secondary spam perimeters (only to be flagged as spam by my email client), I felt it deserved special attention.

That particular e-card infection was in fact not a drive-by, self-installing malware, but simply an old-fashioned social engineering scam that required the victim to manually click the download link, and then actually run the downloaded executable.

Here is the simple plain HTML code from the download site:


The page was so simple that it did not even contain the normal HTML header information. The email itself was equally simple, which is why it made it past two layers of spam filtering.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

robo_geek (joined 2007-08-09; Roswell, GA)

I was curious and went to the site listed in a link given in a fake e-card I got. I knew it was a fake e-card, and I knew it might have some virus or spyware associated with it.

Despite having all my spyware/anti-virus cranked up, the base URL of the webpage had a JavaScript buffer-overflow exploit built right into the index.html of the web page. (ugh)

It literally crashed my web browser when I hit the page (Internet Explorer 6) and installed a stealth trojan downloader virus which was unknown to my Webroot Spy Sweeper and McAfee AV (despite daily updates). I use a product called Cisco Security Agent which stopped the virus from executing, but could not remove it.

Thus I did not click on any executable, download or view anything. Simply visiting the page would crash the browser and infect the computer.

I went to Trend Micro's 'HouseCall' website and was able to detect and remove the virus. I sent a sample to McAfee and they sent me back an updated AV signature which could detect this. After getting the new AV signature I gleefully navigated to the page again, watched my browser crash and then heard the pathetic screams of the virus getting devoured by the AV software.


NetFixer (Freedom is NOT Free; Premium; joined 2004-06-24; Murfreesboro, TN)

Hmmm, perhaps I should have included the following standard boilerplate disclaimer/warning with my previous post.

said by NetFixer:

The preceding test was done by an IT professional on an isolated test computer.
The results displayed may not be repeatable for different emails or payloads.
Do not try this on your computer!



tomazyk (joined 2006-12-04)

reply to robo_geek
That's why I use Firefox with NoScript. You never know what you'll get clicking those links.


deke40 (Premium; joined 2003-01-23; Freeport, TX)

reply to robo_geek
robo_geek

Glad to know I wasn't the only one that got curious about one of the e-cards.

Clicked on the link and my old Acer started humming to beat the band. My free AVG jumped up and grabbed the evil devil and I deleted it from the vault.

Just switched to a Comcast email address and the e-cards have gone to 0, until my computer-illiterate friends who don't know how to Bcc: get my new address passed around to everybody on their mailing list.

kpatz (MY HEAD A SPLODE; Premium; joined 2003-06-13; Manchester, NH)

reply to robo_geek
said by robo_geek:

I was curious and went to the site listed in a link given in a fake e-card I got. I knew it was a fake e-card, and I knew it might have some virus or spyware associated with it.

Despite having all my spyware/anti-virus cranked up, the base URL of the webpage had a JavaScript buffer-overflow exploit built right into the index.html of the web page. (ugh)
This is why I only click the links from Firefox on a Linux box.

Someone should develop a tool that will pull the sender's IP address (which is a zombie), as well as the IP address in the embedded URL (also a zombie), and submit them to some central clearinghouse or the ISPs owning the IPs in question so they can be addressed. A central clearinghouse could also produce an IP blacklist from the data culled from these emails.

As it is, my home-brew greylister/spam blocker will do this at least within my domain. If IP 1.2.3.4 sends me an email with a hyperlink pointing to 5.6.7.8, both 1.2.3.4 and 5.6.7.8 would be perma-banned from ever sending email to my domain, ever again.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.
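One way to implement the two-address ban kpatz describes (sender IP plus any IP literal in an embedded hyperlink), as an added example that is not kpatz's own greylister: the message, hostnames and addresses below are constructed from documentation ranges, and only the outermost Received header (the one our own MX added) is trusted, since inner hops can be forged by the sender.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample e-card spam (not a real message); all IPs are RFC 5737 test addresses.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org with ESMTP; Mon, 30 Nov 2009 05:00:00 +0000
Received: from forged.example.com (forged.example.com [198.51.100.7])
    by mail.example.net with SMTP; Mon, 30 Nov 2009 04:59:00 +0000
From: "Greeting Cards" <cards@example.net>
To: user@example.org
Subject: You have received a greeting card
Content-Type: text/plain

You've received a postcard from a family member!
To see it, click here: http://203.0.113.45/postcard.exe
"""

# IPv4 literal in square brackets, as an MTA writes it into a Received header.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# http(s) URL whose host part is a bare IPv4 literal rather than a hostname.
URL_IP_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?=[:/\s]|$)", re.I)

def sender_ip(msg):
    """Connecting host from the top-most Received header only (the hop our MX recorded)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP_RE.search(received[0])
    return m.group(1) if m else None

def url_ips(text):
    """All distinct IP literals used as the host of a hyperlink in the body."""
    return sorted(set(URL_IP_RE.findall(text)))

def ips_to_ban(raw_message):
    """Sender IP plus linked IPs, i.e. both zombies in kpatz's 1.2.3.4 -> 5.6.7.8 scenario."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    banned = set(url_ips(text))
    ip = sender_ip(msg)
    if ip:
        banned.add(ip)
    return sorted(banned)

class Greylister:
    """Minimal perma-ban list: once seen in a spam e-card, an IP is refused thereafter."""
    def __init__(self):
        self.banned = set()
    def learn(self, raw_message):
        self.banned.update(ips_to_ban(raw_message))
    def accepts(self, connecting_ip):
        return connecting_ip not in self.banned
```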
© 1999-2009 dslreports.com