SANS ISC: InfoSec Handlers Diary Blog

Christmas Ecard Malware

Published: 2008-12-25
Last Updated: 2009-01-09 19:23:00 UTC
by Maarten Van Horenbeeck (Version: 3)
0 comment(s)

For years, Storm was the threat most commonly associated with malicious Christmas cards and other "timely announcements". Its techniques have gradually been adopted by other organized crime groups, and over the last few days there has been an increase in malicious Christmas cards distributing the Waledac worm.

The e-mails contain a hyperlink to a "Christmas card". When the user visits this site, he will see the following page with two buttons. Clicking either button produces a Security Warning, and the user has to accept that an executable is being run before anything happens.

Most likely because of this, and because the cards are arriving fairly late in the holiday cycle, the threat has not been wildly successful at propagating. Interestingly, even though the first reports of this threat we have are dated December 21st, many of the domains were already registered on December 1st.

Some of the domains reported to us by readers (thanks to Mike and the Shadowserver Foundation) include:

Update: Shadowserver has published a full list of the domains they have seen used by this worm.

For now, we recommend:

  • Block the download of 'ecard.exe', or the affiliated domains, on your corporate proxy;
  • Ensure that your anti-virus and anti-spam solutions are updated frequently, as the AV vendors are still building coverage for this new threat. Given the mass-mailing nature of the campaign, spam protection is likely to be the first layer to pick up on it.
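One way to act on the proxy recommendation above, added here as an example rather than taken from the diary: scan Squid-style proxy access log lines for requests to the campaign's domains (including any subdomains) or for a download of 'ecard.exe' from any host, which also catches the flux-hosted copies served straight from an IP address. The log layout, the sample lines, the blocklist contents and the function names are all assumptions; the three hostnames are taken from the diary.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist: a few of the hostnames named in the diary plus the payload name.
BLOCKED_DOMAINS = {"bestchristmascard.com", "livechristmascard.com", "yourdecember.com"}
BLOCKED_FILENAMES = {"ecard.exe"}

# Assumed Squid native access.log layout:
# timestamp elapsed client action/code size method URL ident hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def host_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one.
    Suffix matching on label boundaries avoids false hits such as
    'notbestchristmascard.com' that a plain substring check would flag."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def classify(url):
    """Return the list of reasons a URL matches: 'domain', 'filename', or both."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname and host_is_blocked(parts.hostname):
        reasons.append("domain")
    if parts.path.rsplit("/", 1)[-1].lower() in BLOCKED_FILENAMES:
        reasons.append("filename")
    return reasons

def scan_proxy_log(lines):
    """Yield (client, url, reasons) for every log line that matches the blocklist."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        reasons = classify(m.group("url"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    "1230200000.123    245 10.0.0.12 TCP_MISS/200 1534 GET http://www.bestchristmascard.com/index.php - DIRECT/192.0.2.10 text/html",
    "1230200005.456    612 10.0.0.12 TCP_MISS/200 84512 GET http://203.0.113.5/ecard.exe - DIRECT/203.0.113.5 application/octet-stream",
    "1230200010.789     80 10.0.0.44 TCP_HIT/200 2210 GET http://www.example.com/xmas/card.html - NONE/- text/html",
    "1230200011.000    120 10.0.0.44 TCP_MISS/200 900 GET http://notbestchristmascard.com/ - DIRECT/192.0.2.11 text/html",
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

The second sample line is the case the file-name rule exists for: the executable is fetched from a bare IP that appears on no domain list.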

In the long run, we recommend educating your users about the risk involved with unsolicited "warning" e-mails tied to current events, and with greeting cards that look even slightly suspicious. In addition, consider investigating solutions that control which untrusted code originating from the internet can be executed on corporate desktops.

Arbor Networks has an interesting blog entry up on the flux tactics involved with this threat here. For further data on the worm itself, visit Symantec's writeup.
