Re: Fake e-card viruses getting harder to stop in Security

Re: Fake e-card viruses getting harder to stop

Wed, 22 Aug 2007 15:22:50 EDT

exocet_cm : I just cleaned up a laptop which the user got infected by an e-card. "John, I got a e-mail card from my mom and opened it up. After that a window poped up near the clock and my computer is really slow. What happened?"

Doh!

At least this one was easy to clean, the "usual" programs removed everything.
--
"I have measured out my life with coffee spoons..." - T.S Eliot
Check Out the Tech Bench »johnball.wordpress.com/tech-bench/
Ma blog: »www.johndball.com

Re: Fake e-card viruses getting harder to stop

Wed, 22 Aug 2007 14:42:29 EDT
mq8 :
said by kpatz :

Now they're sending out fake "login" or "membership" information emails.

Yep. I have stopped receiving the e-card e-mails and have began receiving a ton of different sites that I supposedly signed up at.

Re: Fake e-card viruses getting harder to stop

Tue, 21 Aug 2007 16:28:34 EDT
Tommyastro : I've got a couple in the past 3 weeks but I use Macs so......meh!

Re: Fake e-card viruses getting harder to stop

Tue, 21 Aug 2007 08:08:44 EDT
kpatz : Now they're sending out fake "login" or "membership" information emails.

quote:
Welcome Member,

Thank You for Joining Web Joker.

Membership Number: 378812391
Temorary Login: user3138
Temorary Password: on858

For security purposes please login and change the temporary Login ID and Password.

Click here to enter our secure server: hxxp://xx.x.xxx.xxx/

Enjoy,
Membership Services
Web Joker

quote:
Greetings,

Welcome To Ringtone Heaven.

User Number: 734983749618
Your Login ID: user9105
Temorary Password: no358

Be Secure. Change your Login ID and Password.

Use this link to change your Login info: hxxp://xx.xx.xx.xx/

Welcome,
New Member Services
Ringtone Heaven

quote:
Welcome Member,

Thank You for Joining Web Joker.

Membership Number: 378812391
Temorary Login: user3138
Temorary Password: on858

For security purposes please login and change the temporary Login ID and Password.

Click here to enter our secure server: hxxp://xx.x.xxx.xxx/

Enjoy,
Membership Services
Web Joker

If I hadn't already created a filter on IP URLs I could filter on "temorary". :D

The site shows:

quote:
If you do not see the Secure Login Window please install our Secure Login Applet.
which links to an "applet.exe". Here's scan results using the scanners I have on my Linux box:

quote:
kpatz@zuul:~/Desktop$ f-prot -ai applet.exe
Virus scanning report - 21 August 2007 @ 8:11

F-PROT ANTIVIRUS
Program version: 4.6.7
Engine version: 3.16.15

VIRUS SIGNATURE FILES
SIGN.DEF created 20 August 2007
SIGN2.DEF created 20 August 2007
MACRO.DEF created 20 August 2007

Search: applet.exe
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER -AI

/home/kpatz/Desktop/applet.exe Infection: Possibly a new variant of W32/Fathom.2-based!Maximus

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:00
kpatz@zuul:~/Desktop$ clamscan applet.exe
applet.exe: Trojan.Small-3614 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 148124
Engine version: devel-20070413
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.11 MB
Time: 141.254 sec (2 m 21 s)

kpatz@zuul:~/Desktop$ avgscan applet.exe
AVG7 Anti-Virus command line scanner
Copyright (c) 2007 GRISOFT, s.r.o.
Program version 7.5.47, engine 442
Virus Database: Version 269.12.1/963 2007-08-20
License type is FREE.
applet.exe Trojan horse Downloader.Tibs.7.D
Tested: 1 files, 0 sectors
Infections: 1
Errors: 0

--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.

Re: Fake e-card viruses getting harder to stop

Mon, 20 Aug 2007 20:34:39 EDT
BIGbadjohn : I have a problem with it myself. For some reason most of it comes through my DSLR email address.
I also took a chance with one and got away with it. Good old Nod32 was sitting waiting for the pounce and saved the day. I don't do it anymore, too much like playing with fire. :D

Re: Fake e-card viruses getting harder to stop

Mon, 20 Aug 2007 14:41:17 EDT
kpatz :
said by robo_geek :

I was curious and went to the site listed in a link given in a fake e-card I got. I knew it was a fake e-card, and I knew it might have some virus or spyware associated with it.

Despite having all my spyware/anti-virus all cranked up, the base URL of the webpage had a javascript buffer-overflow exploit built right into the index.html of the web page. (ugh)
This is why I only click the links from Firefox on a Linux box. ;)

Someone should develop a tool that will pull the sender's IP address (which is a zombie), as well as the IP address in the embedded URL (also a zombie), and submit them to some central clearinghouse or the ISPs owning the IPs in question so they can be addressed. A central clearinghouse could also produce an IP blacklist from the data culled from these emails.

As it is, my home-brew greylister/spam blocker will do this at least within my domain. If IP 1.2.3.4 sends me an email with a hyperlink pointing to 5.6.7.8, both 1.2.3.4 and 5.6.7.8 would be perma-banned from ever sending email to my domain, ever again. ;)
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.

Re: Fake e-card viruses getting harder to stop

Mon, 20 Aug 2007 14:34:55 EDT
deke40 : robo_geek

Glad to know I wasn't the only one that got curious about one of the ecards.

Clicked on the link and my old Acer started humming to beat the band. My free AVG jumped up and grabbed the evil devil and I deleted it from the vault.

Just swithched to a Comcast email address and the ecards have went to 0 until my computer illiterate friends who don't know how to Bcc: get my new address passed around to everybody on their mailing list. :mad:

Re: Fake e-card viruses getting harder to stop

Mon, 20 Aug 2007 14:33:27 EDT
Midak : Wow, I thought this was just the new trend in spam selling bootleg drugs. I get a few every day.

Re: Fake e-card viruses getting harder to stop

Mon, 20 Aug 2007 14:17:36 EDT
tomazyk : That's why I use Firefox with Noscript. You never know what you'll get clicking those links.

Re: Fake e-card viruses getting harder to stop

Mon, 20 Aug 2007 13:13:56 EDT
NetFixer : Hmmm, perhaps I should have included the following standard boilerplate disclaimer/warning with my previous post. ;)

said by NetFixer :

The preceding test was done by an IT professional on an isolated test computer.
The results displayed may not be repeatable for different emails or payloads.
Do not try this on your computer!

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

Re: Fake e-card viruses getting harder to stop

Mon, 20 Aug 2007 13:04:14 EDT
DataDoc : Even easier, in Outlook, just junk any sender not in your Contacts list.

Re: Fake e-card viruses getting harder to stop

Mon, 20 Aug 2007 12:55:00 EDT
robo_geek : I was curious and went to the site listed in a link given in a fake e-card I got. I knew it was a fake e-card, and I knew it might have some virus or spyware associated with it.

Despite having all my spyware/anti-virus all cranked up, the base URL of the webpage had a javascript buffer-overflow exploit built right into the index.html of the web page. (ugh)

It literally crashed my web browser when I hit the page (Internet Explorer 6) and installed a stealth trojan downloader virus which was unknown to my WebRoot SpySweeper and MacAfee AV. (despite daily updates) I use a product called Cisco Security Agent which stopped the virus from executing, but could not remove it.

Thus I did not click on any executable, download or view anything. Simply visiting the page would crash the browser and infect the computer.

I went to Trend Micro's 'House Call' website and was able to detect and remove the virus. I sent a sample to MacAfee and they sent me back an updated AV signature which could detect this. After getting the new AV signature I gleefully navigated to the page again, watched my browser crash and then heard the pathetic screams of the virus getting devoured by the AV software.

Re: Fake e-card viruses getting harder to stop

Mon, 20 Aug 2007 08:51:24 EDT
kpatz : An even better way to filter this crap out is to filter any email with an IP address URL in it... in other words, http colon slash slash followed by numeric digits. Some of the newer ones make no mention of e-card or greeting card whatsoever, so subject line filters are no longer effective.

If you can filter using regular expressions:
http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/(\?.*)?$ will do the trick.

If you can't use wildcards or regular expressions (say, in Outlook), set up a rule that filters on:

http://1 or http://2 or http://3 or ... http://9
If you legitimately receive emails with IP address URLs to internal servers (say in a work environment), set up an exception for those, such as

http://192.168.1
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.

Re: Fake e-card viruses getting harder to stop

Sat, 18 Aug 2007 19:36:33 EDT
Bane75 : We got rid of all of these last week. I put a rule into McAfee Groupshield for Exchange, to delete any emails mentioning E-cards, E-greetings, etc. It is currently deleting about 200 e-mails a day. Pretty much any gateway spam filter or gateway mail scaning AV should be able to take care of this.

Re: Fake e-card viruses getting harder to stop

Sat, 18 Aug 2007 03:13:47 EDT
tomazyk : I get a couple of this ecards every day to a Gmail account, where I never got spam before. I download each piece of malware to see if NOD catches it. If not I submit it to Eset and upload a copy to Virustotal for other vendors to get a copy. I don't execute it though :)

Re: Fake e-card viruses getting harder to stop

Sat, 18 Aug 2007 02:50:59 EDT
margaf77 : I have seen a couple sent to emails I have that get 1-2 pieces of spam every 6 months lately, it definitely becoming a big problem if Im getting them on these accounts.

Has anyone started getting pdfs from bogus email address lately. Ive been seeing this and my wife has at her work email lately. I figure there must be an exploit they are trying to use.

Re: Fake e-card viruses getting harder to stop

Sat, 18 Aug 2007 01:01:20 EDT
La Luna :
said by koam :

said by La Luna :

I'm insulted, I haven't received one of these emails...

You're insulted? All my spam is about my small cock.

So is mine....and I don't even have one, I guess they think I must know someone who needs help, lol.... :D

Seriously, these spammers are a joke, I can't imagine that anyone would fall for the blatant spam (as opposed to the more *creative* stuff), but sadly, I guess they do or the spammers wouldn't be bothered. :hmm:
--
~~"As long as America is an infidel enemy, terrorizing it is a duty." Sayed Imam Abdul-Aziz el-Sheriff~~

Re: Fake e-card viruses getting harder to stop

Sat, 18 Aug 2007 00:45:37 EDT
mq8 : I've been getting plenty of it for the past couple weeks. Within the past couple days, I've noticed a couple of formats for it:

quote:
I`m in hurry, but i still love you...
(as you can see on the ecard)
»24.xx.xx.32/

quote:
Good day.

Your Neighbor has sent you birthday card from ecard4all.com.

Click on your birthday card link below:

»24.xx.xx.58/

Copyright (c) 1997-2007 ecard4all.com All Rights Reserved

quote:
Hi. Class mate has sent you an ecard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

»24.xx.xx.22/?ea95523893748ae5680c1a02b54ce75

Or copy and paste it into your browser's "Location" box (where Internet addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Postmaster,
greetingcard.org

Re: Fake e-card viruses getting harder to stop

Sat, 18 Aug 2007 00:12:39 EDT
Gooiool :
said by astirusty :

said by La Luna :

I'm insulted, I haven't received one of these emails, in either my primary ISP email account or my gmail account (I get tons of spam in gmail daily, but none of those "cards").
Just so you don't feel left out, I can "bounce" you several I have gotten. :D Just post your e-mail address and I will get right on it. :o

A big ol' lol for that !
--
As always thank you Gooiool ©2005.Team Discovery
Please join us in the fight against cancer and juvenile diseases.Project Hope

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 22:12:07 EDT
jbob :
said by koam :

said by La Luna :

I'm insulted, I haven't received one of these emails...

You're insulted? All my spam is about my small cock.

That would be a chick! ;)

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 22:06:37 EDT
koam :
said by La Luna :

I'm insulted, I haven't received one of these emails...

You're insulted? All my spam is about my small cock.

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 21:43:35 EDT
Pichin : can someone forward one to me salpiche at cfl.rr.com

thanks :D
--
What's the speed of dark?

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 21:40:49 EDT
Pichin : I am not insulted but feeling like...LEFT OUT!!!

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 20:33:53 EDT
E_V : I feel badly for the legitimate ecard biz but personally I detest ecards as much as I do chain emails.

I've got a crapload of malware quarantined after looking into these. At least educated users can have some control over the installation for the majority of them. I'm more annoyed by the boatloads of efax spam I get.

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 18:25:31 EDT
redsonrising : I'm getting them on my pacbell account. When I log into it via Yahoo about 90% are classified as spam. When I check via outlook its about 50-50. I just don't open them.

The cards I'm waiting to get/open are the condolence cards from the Nigerian Viagra/Offshore Pharmacy companies (with Pron pictures of course on the cover) expressing their sorrow over the death of my 35 family members on that one cursed stretch of highway. I already gave them my bank account #'s to tranfer my share of the money they are laundering...why havn't I seen it yet though? *lol*

r_r
--
Admit nothing, deny everything!

Gmail FTW

Fri, 17 Aug 2007 18:10:07 EDT
PolarBear : I still have never gotten one. Anyone have one? Forward it to me:

aaron8301 (at) gmail.com

and PM me to let me know you sent it. I'd like to know how Gmail handles it, and if I do indeed get it, how Kaspersky handles it.
--
A computer lets you make more mistakes faster than any other invention, with the possible exceptions of handguns and Tequilla. -- Mitch Ratcliffe

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 16:55:38 EDT
La Luna :
said by astirusty :

said by La Luna :

I'm insulted, I haven't received one of these emails, in either my primary ISP email account or my gmail account (I get tons of spam in gmail daily, but none of those "cards").
Just so you don't feel left out, I can "bounce" you several I have gotten. :D Just post your e-mail address and I will get right on it. :o

Sure.... La Luna@BiteMe.net :D
--
~~"As long as America is an infidel enemy, terrorizing it is a duty." Sayed Imam Abdul-Aziz el-Sheriff~~

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 16:33:11 EDT
NetFixer :
said by Cudni :

don't click disappoint them instead :)
»Selema must really love me...

I just couldn't resist seeing what the payload and delivery method looked like for that one. Since that email made it past my outsourced primary and in-house secondary spam perimeters (only to be flagged as spam by my email client), I felt it deserved special attention.

That particular e-card infection was in fact not a drive-by self installing malware, but simply an old fashioned social engineering scam that required the victim to manually click the download link, and then actually run the downloaded executable.

Here is the simple plain html code from the download site:

To view your ecard, you need to have Microsoft Data Access installed on your computer.<br> To obtain a free copy of Microsoft Data Access, please <a href="/msdataaccess.exe">click here</a>.
The page did not even contain the normal html header information it was so simple. The email itself was equally simple, which is why it made it past two layers of spam filtering.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 15:42:54 EDT
roc5955 : They are especially hard to stop, when you have to maintain over 1000 users. No matter how many times you tell them NOT to open something, they will open it.

I even got one several weeks ago from "an admirer." Being a curmudgeon, I can be sure in the fact that ESPECIALLY this one was false. I have no admirers, and if I did, I would have to kill them.

Oh, and now the spam is coming in the form of .PDF files. Be on the lookout for viagra, penile and breast implant, get rich quick, and other schemes coming attached as .PDFs.

And I am sure that those ~~losers~~ users will open them, even though they have been told not to open anything that they were not expecting.

:mad:

--
"Understanding is a three-edged sword."
:mad: :mad:

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 14:05:24 EDT
TheJoker : I had spam in my Gmail account minutes after creating the account, and continue to get tons of it. Their spam filter works well though (at least for me, YMMV). :)
--
Proud ASAP member since 2005

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 12:42:01 EDT
astirusty :
said by La Luna :

I'm insulted, I haven't received one of these emails, in either my primary ISP email account or my gmail account (I get tons of spam in gmail daily, but none of those "cards").
Just so you don't feel left out, I can "bounce" you several I have gotten. :D Just post your e-mail address and I will get right on it. :o
--
Do yourself a favor, just say no to anything Windows.

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 11:36:09 EDT
delenn13 : I have not gotten one single one from my Gmail or my main account. Now with my Yahoo account in the past 4 weeks or more I probably get 7 or 8 a day from a neighbor, school/classmate, friend. You name it. :o
--
"Dismissed. That's a Starfleet expression for 'Get out.'"
Capt. Kathryn Janeway
We CAN Cure Alzheimer's and Cancer. JOIN US HERE

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 11:11:49 EDT
La Luna : I'm insulted, I haven't received one of these emails, in either my primary ISP email account or my gmail account (I get tons of spam in gmail daily, but none of those "cards").

Have no idea what triggers it so that some people get them and some people don't.

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 10:09:06 EDT
MagMan :
said by mouse :

I have been swamped by these cards over the last 3 weeks and it does not seem to ease. What surprises me is that almost simultaneously a number of my email addresses that never had any spam have received these and continue to receive them. This must be an outbreak of much higher proportions than what we saw before, otherwise I don't understand why all of a sudden I actually feel bothered.
In the past I received the odd spam, easily handled by a spam program and some caution as the spam email would stick out like the proverbial thumb. Now I receive more spam than real emails and it does not just affect one address. :(

Agreed these e-mails are getting very annoying!!

I too receive more and more of these everyday.My question to this is,there are legit web sites out there that provide these type of e-mails.Are they not getting a little pissed about all of these phony e-mails going around.It definitely has to have hurt their revenues in some way. ;)
--
"The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is."

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 08:50:40 EDT
mouse : I have been swamped by these cards over the last 3 weeks and it does not seem to ease. What surprises me is that almost simultaneously a number of my email addresses that never had any spam have received these and continue to receive them. This must be an outbreak of much higher proportions than what we saw before, otherwise I don't understand why all of a sudden I actually feel bothered.
In the past I received the odd spam, easily handled by a spam program and some caution as the spam email would stick out like the proverbial thumb. Now I receive more spam than real emails and it does not just affect one address. :(

Re: Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 08:32:07 EDT
Cudni : from link
"..
All recipients have to do to trigger the virus is to click on the link created by the e-mail client once they have read the message, he said. .."

don't click disappoint them instead :)
»Selema must really love me...

Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006-2007

Fake e-card viruses getting harder to stop

Fri, 17 Aug 2007 08:25:13 EDT
daveinpoway : Read about it here: »www.computerworld.com/action/art···&nlid=38