Fake Christmas, holiday greetings spread new malware
Last year's Storm tactic resurfaces in attacks from China, say researchers
Computerworld - New malware is spreading via Christmas and holiday greetings, security researchers said today, a tactic reminiscent of those used last season by the notorious Storm Trojan horse.
Researchers at the Bach Khoa Internetwork Security Center in Hanoi, Vietnam, reported today that a new piece of malware, dubbed "XmasStorm" by the center, is spreading through holiday-themed spam.
Touting subject lines such as "Merry Xmas!" and "Merry Christmas card for you!" the spam includes links to sites that purportedly host electronic greeting cards waiting for the recipients. In fact, the sites are serving up malware that hijacks the visiting PC, then installs a bot that waits for commands from the hacker controllers.
Nguyen Minh Duc, manager of Bach Khoa's application security group, said that XmasStorm originated in China. Hackers have registered at least 75 domain names relating to the malware campaign's holiday theme in the last month, including "superchristmasday.com" and "funnychristmasguide.com." According to WHOIS searches, those domains were registered to a Chinese address on Dec. 1 and Dec. 19, respectively.
"Special occasions such as Christmas and New Year have always been the periods when hackers distribute viruses via fake e-card with malicious code," said Nguyen in an e-mail Wednesday. "Therefore, users should be careful on receiving greeting e-mail from unknown sources for safety's sake."
Similar attacks have been monitored by other researchers, including those at ESET LLC, a Slovakian security company that has offices in San Diego. On Monday, ESET researcher Pierre-Marc Bureau reported a spike in holiday spam that pointed to sites hosting a file named "ecard.exe" that was not, of course, a greeting card, but instead malware.
"The reason this wave has attracted our attention is that it is very similar to the Storm worm attacks we were seeing last year," said Bureau in an e-mail.
Although Storm used a wide variety of stratagems during 2007 and early 2008, a year ago it rode on the back of a spam campaign based on New Year's greetings. Just before those messages flooded in-boxes, Storm's creators had tried to tempt computer users into clicking on links promoting Christmas-themed pornography.
"[But] this is not the resurrection of the Storm botnet," Bureau cautioned. "Analysis of the binary proves it to be different. It was programmed using a different programming language and includes different functionalities."
Although Microsoft Corp. researchers said that their company's Malicious Software Removal Tool had beaten Storm into submission earlier this year, other security analysts had disputed the botnet's demise.
"What we are observing today is proof that malware authors are learning from each other's errors and successes," said Bureau. "After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success."
Read more about Security in Computerworld's Security Topic Center.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!