Fake Christmas, holiday greetings spread new malware
Last year's Storm tactic resurfaces in attacks from China, say researchers
Computerworld - New malware is spreading via Christmas and holiday greetings, security researchers said today, a tactic reminiscent of those used last season by the notorious Storm Trojan horse.
Researchers at the Bach Khoa Internetwork Security Center in Hanoi, Vietnam, reported today that a new piece of malware, dubbed "XmasStorm" by the center, is spreading through holiday-themed spam.
Touting subject lines such as "Merry Xmas!" and "Merry Christmas card for you!" the spam includes links to sites that purportedly host electronic greeting cards waiting for the recipients. In fact, the sites are serving up malware that hijacks the visiting PC, then installs a bot that waits for commands from the hacker controllers.
Nguyen Minh Duc, manager of Bach Khoa's application security group, said that XmasStorm originated in China. Hackers have registered at least 75 domain names relating to the malware campaign's holiday theme in the last month, including "superchristmasday.com" and "funnychristmasguide.com." According to WHOIS searches, those domains were registered to a Chinese address on Dec. 1 and Dec. 19, respectively.
"Special occasions such as Christmas and New Year have always been the periods when hackers distribute viruses via fake e-card with malicious code," said Nguyen in an e-mail Wednesday. "Therefore, users should be careful on receiving greeting e-mail from unknown sources for safety's sake."
Similar attacks have been monitored by other researchers, including those at ESET LLC, a Slovakian security company that has offices in San Diego. On Monday, ESET researcher Pierre-Marc Bureau reported a spike in holiday spam that pointed to sites hosting a file named "ecard.exe" that was not, of course, a greeting card, but instead malware.
"The reason this wave has attracted our attention is that it is very similar to the Storm worm attacks we were seeing last year," said Bureau in an e-mail.
Although Storm used a wide variety of stratagems during 2007 and early 2008, a year ago it rode on the back of a spam campaign based on New Year's greetings. Just before those messages flooded in-boxes, Storm's creators had tried to tempt computer users into clicking on links promoting Christmas-themed pornography.
"[But] this is not the resurrection of the Storm botnet," Bureau cautioned. "Analysis of the binary proves it to be different. It was programmed using a different programming language and includes different functionalities."
Although Microsoft Corp. researchers said that their company's Malicious Software Removal Tool had beaten Storm into submission earlier this year, other security analysts had disputed the botnet's demise.
"What we are observing today is proof that malware authors are learning from each other's errors and successes," said Bureau. "After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success."
Read more about Security in Computerworld's Security Topic Center.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!