MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Thursday, 8 November 2007

Trick, But NO Treat - REDUX!

I recently blogged about a new e-card spam run coming from the 'Bad Guys and Girls' known as the 'Storm Worm Gang'. That last run used fake Halloween e-card notifications; as it was happening just before Halloween, it was a reasonable trick to use, but, as I mentioned in that posting, it was all 'Trick' and 'No Treat'.

It has been rather quiet since then, as far as the 'Storm Worm Gang' are concerned. That is, until last night, when a new wave of fake e-card notification e-mails started to appear. So I checked out the latest offering from them, clicked on the link, went to the site, and it looked exactly the same as the previous run; even the fake e-card filename was the same, 'halloween.exe'. So I tried to grab a sample to see if they had repacked or otherwise modified the malware file, and all I got was a file containing an error message from the server saying that the file didn't exist. Most odd!

However, this morning it seems that they have fixed the problem and are now offering a new file, 'dancer.exe', instead. Not only is the name new; the file is a new malware variant too.

My only thought is: why are they starting to spam out another wave of Halloween e-card notifications? Is it laziness, or are they just getting a jump on the festivities for next year's Halloween? ;-)

I suspect, however, that this is merely a stop-gap until they find a new theme to use, such as a new media event or the upcoming festive season of Christmas.

Here's a screenshot of what just one of these new e-mails looks like now:



The body text can be one of a number of text strings, and the link, at the moment, is a bare numeric IP address rather than a domain name.

Of course, when you click on the link you go to a different site from the one you expect. Here's a screenshot of one of the web pages you could end up on if you click on the link in one of these 'fake e-card' e-mails.

Here's a screenshot taken this morning:


What you don't see happening in the background is that simply visiting the site lets the Bad Guys and Girls run exploit code against your system; if your system isn't fully patched, you'll get infected. If that fails [because your system is fully patched, or otherwise protected], they can always fall back on social engineering to get you to infect your own computer yourself, by clicking on the link or graphic and running the file.

The main problem with the recent waves of fake e-card e-mails we have been seeing is that the link to the 'fake e-card' often takes you to a website serving the following payloads, the first two of which can infect your computer automatically just by visiting it with a system that isn't fully patched:
  • Various Browser Exploits.

  • Various Windows Exploits.

  • A download [the 'fake e-card'] which is actually malware, and which you are asked to run yourself.
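Two of the tells described above (a bare numeric IP address as the link host, and a link that points straight at an executable) are easy to check for mechanically. The following triage script is an added example written for this post, not code from the original; it runs over a handful of constructed sample messages (documentation-range IP addresses and example.com hosts, none of them real spam) and flags a message when it pairs an e-card lure with a bare-IP link, or when any link ends in an executable extension. The keyword list and the verdict rule are my assumptions, chosen to match what is described on this page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample messages for this example; they are not real Storm Worm
# spam. IP addresses are RFC 5737 documentation ranges, hosts are example.com.
SAMPLE_MESSAGES = [
    "Your friend has sent you a Halloween e-card! View it here: http://203.0.113.45/",
    "Someone sent you an ecard, click http://198.51.100.7/dancer.exe to see the dancing skeleton.",
    "Meeting notes are at https://intranet.example.com/notes for tomorrow's agenda.",
    "Your e-card is waiting at http://cards.example.com/view?id=42",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumed lure vocabulary; extend to taste (greeting card, postcard, ...).
LURE_RE = re.compile(r"\be-?cards?\b|\bgreeting\s+card\b|\bpostcard\b", re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(exe|scr|pif|com|bat)$", re.IGNORECASE)


def extract_urls(text):
    """Return the http(s) URLs in a message body, trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;:)!") for m in URL_RE.finditer(text)]


def host_is_bare_ip(url):
    """True when the link host is a literal IP address rather than a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def links_to_executable(url):
    """True when the URL path ends in a Windows executable extension."""
    return bool(EXECUTABLE_RE.search(urlparse(url).path))


def score_message(text):
    """Classify one message body.

    Returns a dict with the URLs found, the reasons that fired, and a verdict.
    A message is flagged when it pairs an e-card lure with a bare-IP link, or
    when any link points straight at an executable.
    """
    urls = extract_urls(text)
    reasons = []
    lure = bool(LURE_RE.search(text))
    if lure:
        reasons.append("ecard_lure")
    for url in urls:
        if host_is_bare_ip(url):
            reasons.append(f"bare_ip_link:{url}")
        if links_to_executable(url):
            reasons.append(f"executable_link:{url}")
    bare_ip = any(r.startswith("bare_ip_link") for r in reasons)
    executable = any(r.startswith("executable_link") for r in reasons)
    suspicious = (lure and bare_ip) or executable
    return {"urls": urls, "reasons": reasons, "suspicious": suspicious}


def triage(messages):
    """Run score_message over a batch; return the indexes of flagged messages."""
    return [i for i, m in enumerate(messages) if score_message(m)["suspicious"]]


if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        result = score_message(msg)
        print(i, "FLAG" if result["suspicious"] else "ok  ", result["reasons"])
```

Run as a script it prints a verdict and the reasons for each sample; the fourth message mentions an e-card but links to a named host with no executable, so it is left alone, which is the point of requiring two signals before flagging. A real mail filter would feed it the decoded text part of each message rather than a literal string.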

It also appears that the so-called Storm Worm Gang are constantly looking for new angles and ways to get you to add your computer to their botnet. This doesn't bode well for the upcoming festive season, as that is when social engineering seems to work best. Why this is so is not clear; it could be down to good will, or a drop of the good stuff? ;-) Maybe it is just that people are more willing to spare a thought for others at this time of year, and in return expect others to spare a thought for them?

As I've often mentioned here, the 'Bad Guys and Girls' seem to be using social engineering as their primary tool to get you to infect your own computer, so be very careful, and make sure your system is fully patched and protected if you must let curiosity get the better of you... don't make their job even easier.

Just to make it crystal clear: the file offered on these sites will NOT show you a dancing skeleton; the only one dancing will be you, to the tune of the botmasters! Any sinister/mad laughter you imagine you hear is the same people laughing all the way to the bank.

More details on the file, including the level of detection by products at the time I submitted a copy to them, can be found here on my VSUB blog.
