Greetings! Someone Has Sent You an E-Card Virus

Think you got a cheery greeting card from a friend via e-mail?

Well, think again, and be careful before opening it. A new form of fake e-card notification e-mails are unleashing nasty viruses and virus-carrying Trojan horses on unsuspecting users.

While e-card-triggered viruses and Trojan horses are not new, the latest versions are becoming more difficult for typical antivirus and antispam defenses to detect, according to alerts issued today by security software vendors Avinti Inc. and F-Secure Corp.

The new complication, said Dave Green, chief technology officer at Lindon, Utah-based Avinti, is that the latest slew of fake e-card e-mail notifications are using plain text in their messages, which don't get scanned and scrutinized by antivirus and antispam defense applications. While the e-mails don't contain pasted links or attached files that a recipient can click on to get a computer infection, many e-mail clients automatically convert the included text into a clickable link when the e-mail clients recognize a Web address in the text.

"It appears they have done that to get around a lot of the parsing used by antivirus and antispam applications" to fight such attacks, Green said. "It's an interesting cat-and-mouse game between the bad guys and the good guys."

"Apparently, they've found that they can be very successful in getting these through by not having it be formatted as an HTML message," Green said.

All recipients have to do to trigger the virus is to click on the link created by the e-mail client once they have read the message, he said.

Adding to the confusion and the potential seriousness of the problem, he said, is that the perpetrators sending these e-mails are using the names of some of the most popular electronic greeting card companies in their messages and Web links.

Avinti said it has updated its Avinti Isolation Server product to protect against such attacks, while other vendors are still updating their own products.

Avinti's alert said the links to the fake e-greeting cards lead to IP addresses in various locations, including the U.S. and Eastern Europe, and many are registered to U.S. Internet service providers. The damaging payload files are new variants of the Storm Worm virus that was first detected in January, the company said.

In its alert today, Helsinki, Finland-based security vendor F-Secure said the fake e-card messages from one group of online criminals appear to have changed since last night, when they dropped the use of attached files and went to plain-text messages.

An included link then tells the recipient to install a free "Microsoft Data Access" application to retrieve the e-card, but that file -- msdataaccess.exe -- is a damaging virus. F-Secure said it has identified the virus as Email-Worm.Win32.Zhelatin.gg.

Danny Allan, director of research at security analysis vendor Watchfire Corp. in Waltham, Mass., said he has seen similar all-text e-greeting mailings before, but the numbers have increased lately.

For antivirus and antispam vendors, the theory had been that if the message includes plain text without links and attachments, it could cause no harm, he said. That approach has to change, Allan said.

User need to be cautious and not click on links they find in e-mails, Allan said. Instead, they should go directly to a Web site by typing its address into a Web browser and go there on their own, bypassing links that could be malicious.

Vendors will have a tough time making the problem go away completely, he said, because they can't devise ways of evaluating every Web link or instance in an e-mail. However, they can improve detection of suspicious encoded characters and domain names in messages.

"If there was a silver bullet that could solve the problem, the antivirus companies would have done it," Allan said.

Zully Ramzan, a senior principal researcher at Cupertino, Calif.-based security vendor Symantec Corp.'s security response team, said Symantec has seen plain-text attacks before and doesn't view them as a new problem.

"There's been a bit of a resurgence lately" with e-card notification messages, possibly because of last month's July 4 holiday or because criminal groups have been organizing mailing campaigns, he said.

Andrew Jaquith, a security analyst at Boston-based Yankee Group Research Inc., said the latest e-greeting attacks are an example that criminals "are going to be coming up with more and more ingenious ways of tricking people or exploiting ways of tricking your e-mail client. This is just one of any number of ways that these guys are going to try to lure users to do something they shouldn't."

recommended for you

Downloads FAQ

Read more »

Subscribe to the Security Watch Newsletter

Comments