Tuesday, June 26, 2007

HK greeting card malware

Beginning this morning we received a torrent of 'greeting card' malware, linking to domains in Hong Kong.

The excellent Chinese Internet Security Response Team has a blog entry on this attack.

Sites today include 'menot', 'notme', and 'catcher', all in the .hk TLD.

The attack appears highly widespread. Avira detects EXP/iFrame.D.1 in the drive-by JavaScript included in the site's 'index.html' file, and TR/Small.DBY.DH in ecard.exe (helpfully offered if the drive-by exploit fails, with the text "We are currently testing a new browser feature. If you are not able to view this ecard, please click here to view in its original format.").

The spams look like this:

---------------------------------------------------------------------
From: "*****.hk"
To:
Subject: You've received a postcard from a family member!
Date: Tue, 26 Jun 2007 19:19:33 -0500

Good day.

Your family member has sent you an ecard from ******.hk.

Send free ecards from ******.hk with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your computer or take a print.

To view your ecard, choose from any of the following options:

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://******.hk/?XXXXXXXXXXXXXXXXXXXXXXX

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://*******.hk/

Your ecard number is
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Best wishes,
Postmaster,
*****.hk

*If you would like to send someone an ecard, you can do so at
http://*********.hk/
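The sample above, together with the shape of its link, is enough to write a first-pass triage rule for a mail gateway or a mailbox sweep. What follows is an added example, not code from this post or from the response team it cites: a small Python scanner that parses a raw message, pulls the URLs out of the body, and flags the combination of the lure subject, a link into a watched TLD (here .hk, as in this campaign), the bare `http://<host>/?<token>` link form and the "Your ecard number is" block. The two messages, the hostnames and the token values are constructed for the example, and the watched-TLD set is an assumption to be tuned to whatever campaign you are actually seeing.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from urllib.parse import urlparse

# Indicators taken from the post: the lure subject line, the bare
# "http://<host>.hk/?<token>" link, the "Your ecard number is" block and the
# .hk TLD the campaign used. The TLD set is an assumption to tune per campaign.
LURE_SUBJECT = re.compile(r"you've received a (?:post|e-?)card", re.I)
ECARD_NUMBER = re.compile(r"ecard number is\s*([A-Za-z0-9]{16,})", re.I)
URL = re.compile(r"https?://[^\s\"'<>()]+")
WATCHED_TLDS = {"hk"}

# Constructed sample messages (not real captures): one mimicking the lure
# described in the post, one ordinary message that must not be flagged.
ECARD_SAMPLE = """\
From: "postmaster@example-ecards.hk" <postmaster@example-ecards.hk>
To: victim@example.com
Subject: You've received a postcard from a family member!
Date: Tue, 26 Jun 2007 19:19:33 -0500

Good day.

Your family member has sent you an ecard from example-ecards.hk.

Click on the following Internet address or
copy & paste it into your browser's address box.

http://example-ecards.hk/?a8f3c1d9e4b7f2a1c5d6e7f8a9b0c1d2

Your ecard number is
a8f3c1d9e4b7f2a1c5d6e7f8a9b0c1d2
"""

BENIGN_SAMPLE = """\
From: colleague@example.org
To: victim@example.com
Subject: Meeting notes from Tuesday
Date: Tue, 26 Jun 2007 10:00:00 -0500

Hi, the notes are on the wiki: https://wiki.example.org/notes/2007-06-26
"""


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def extract_urls(body):
    """All http(s) links in the message body, in order of appearance."""
    return URL.findall(body)


def url_indicators(url):
    """Reasons a single URL resembles the ecard lure link; empty if none."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    tld = host.rsplit(".", 1)[-1].lower() if "." in host else ""
    if tld in WATCHED_TLDS:
        reasons.append(f"link to watched TLD .{tld}: {host}")
    # The lure link had no real path, only an opaque token as the query string.
    if parsed.path in ("", "/") and re.fullmatch(r"[A-Za-z0-9]{16,}", parsed.query or ""):
        reasons.append(f"opaque token as sole query string: {url}")
    return reasons


def scan_message(raw):
    """Parse one raw RFC 822 message and return a Verdict with its reasons."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    # The constructed samples are single-part text; multipart handling is out of scope here.
    body = "" if msg.is_multipart() else msg.get_payload()
    verdict = Verdict(suspicious=False)
    lure = bool(LURE_SUBJECT.search(subject))
    if lure:
        verdict.reasons.append(f"lure subject: {subject}")
    verdict.urls = extract_urls(body)
    for url in verdict.urls:
        verdict.reasons.extend(url_indicators(url))
    if ECARD_NUMBER.search(body):
        verdict.reasons.append("'ecard number' token in body")
    # Require the social-engineering subject plus at least one link or body
    # indicator, so a normal message that merely mentions a .hk site is not flagged.
    verdict.suspicious = lure and len(verdict.reasons) >= 2
    return verdict


if __name__ == "__main__":
    for name, sample in (("ecard lure", ECARD_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = scan_message(sample)
        print(f"{name}: suspicious={v.suspicious}")
        for reason in v.reasons:
            print("  -", reason)
```

The rule deliberately needs two signals rather than one: the subject regex alone would catch legitimate ecard services, and a .hk link alone would catch every message from a Hong Kong correspondent. Extending it is a matter of adding hostnames or TLDs from the campaign you are watching to `WATCHED_TLDS` or to a blocklist checked in `url_indicators`.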