I've been busy this week looking at the various defacements (see ComputerWorld, and ABC News) and other cyber attacks (see yesterday's blog) going on against Israel, so I hadn't had a chance to look at my New Years Cards yet!
Sadly, all of my New Years Cards were viruses (although I did get two real Christmas Cards by email.)
The most recent ones I looked at arrived this morning, pointing me to the websites:
bestyearcard.com
youryearcard.com
I decided to see what computers were currently hosting the website "youryearcard.com", because, sure enough, it was hosted with Fast Flux.
24.24.70.135
61.24.107.220
66.178.64.133
67.9.192.176
69.47.115.180
86.200.201.148
88.179.125.249
98.230.55.8
131.113.162.29
160.36.19.235
217.210.150.100
221.214.134.26
were some of the computers which recently hosted this domain name. Next we looked at some of those IPs to see what other domains they had also been hosting:
blackchristmascard.com
cardnewyear.com
decemberchristmas.com
directchristmasgift.com
freechristmasworld.com
freechristmassite.com
freedecember.com
funnychristmasguide.com
holidayxmas.com
itsfatherchristmas.com
livechristmascard.com
newlifeyearsite.com
newyearcardcompany.com
newyearcardfree.com
newyearcardonline.com
superyearcard.com
whitewhitechristmas.com
yourchristmaslights.com
youryearcard.com
All of those sites seem to have been distributing malware pretending to be a card. They are all related to each other (based on the fact they resolve to the same hacked computers.)
The New Years site that we visited just now looks like this:
Although that looks like a website, it turns out the entire thing is a single file called "img.jpg". Clicking anywhere on the image causes the same result - you are prompted to download "postcard.exe".
postcard.exe is of course a virus. We submitted the virus to Virus Total, and got this Virus Total Analysis indicating that only 16 of 38 anti-virus products knew this was malware. Most of them called it either a version of "ElDorado", or gave it a new name of "Waledac", the latter being the name used by McAfee, Microsoft, and Symantec.
McAfee has a Nice Technical Report on what Waledac does, but basically it harvests all of the email addresses from your computer, sends them to one of many different machines, downloads some spam templates, and begins sending spam.
McAfee's report is from December 26th, and includes subject lines such as:
Merry Christmas greetings for you
You have received an Ecard
A Christmas card from a friend
Happy Xmas !
The domain names listed in the McAfee report of December 26th are all still live and all still distributing the current version of the virus, which has been modified many times since that report to try to prevent detection. So, visting:
justchristmasgift.com
or
yourdecember.com
gives you the same virus that visiting the current New Years domains would give you.
I know you are probably getting tired of this advice, but it still applies:
DO NOT CLICK ON LINKS IN EMAIL MESSAGES!!!
My malware team is still enjoying their vacation. If this is still a threat on Monday, we'll dig deeper to determine if the malware performs other actions.
In the meantime, Happy New Year!
Gary Warner
Director of Research
UAB Computer Forensics
The University of Alabama at Birmingham
No comments:
Post a Comment