Bogus Greetings Spread Holiday Malware
Researchers at the Bach Khoa Internetwork Security Center in Hanoi, Vietnam reported today that a new piece of malware, dubbed "XmasStorm" by the center, is spreading through holiday-themed spam.
Touting subject lines such as "Merry Xmas!" and "Merry Christmas card for you!", the spam includes links to sites that purportedly host electronic greeting cards waiting for the recipients. In fact, the sites are serving up malware that hijacks the visiting PC, then installs a bot which waits for commands from the hacker controllers.
Nguyen Minh Duc, the manager of Bach Khoa's application security group, said that XmasStorm originated in China. Hackers have registered at least 75 domain names relating to the malware campaign's holiday theme in the last month, including "superchristmasday.com" and "funnychristmasguide.com." According to WHOIS searches, those domains were registered to a Chinese address on Dec. 1 and Dec. 19, respectively.
"Special occasions such as Christmas and New Year have always been the periods when hackers distribute viruses via fake e-card with malicious code," said Nguyen in an e-mail Wednesday. "Therefore, users should be careful on receiving greeting e-mail from unknown sources for safety's sake."
Similar attacks have been monitored by other researchers, including those at ESET LLC, a Slovakian security company that has offices in San Diego. Monday, ESET researcher Pierre-Marc Bureau reported a spike in holiday spam that pointed to sites hosting a file named "ecard.exe" that was not, of course, a greeting card, but instead malware.
"The reason this wave has attracted our attention is that it is very similar to the Storm worm attacks were seeing last year," said Bureau in an e-mail.
Although Storm used a wide variety of stratagems during 2007 and early 2008, a year ago it rode on the back of a spam campaign based on New Year's greetings . Just before those messages flooded inboxes, Storm's creators had tried to tempt computer users into clicking on links promoting Christmas-themed pornography .
"[But] this is not the resurrection of the Storm botnet," Bureau cautioned. "Analysis of the binary proves it to be different. It was programmed using a different programming language and includes different functionalities."
Although Microsoft Corp. researchers said that their company's Malicious Software Removal Tool (MSRT) had beaten Storm into submission earlier this year, other security analysts had disputed the botnet's demise .
"What we are observing today is proof that malware authors are learning from each other's errors and successes," said Bureau. "After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success."