Archive for January 2008

Stealthed Spam, Redux!

I originally covered this back in October 2007, but, as usual, things have recently repeated themselves; the spammers, that is. This time the stealthed spam is different, as new approaches and techniques have been used. First, though, a quick recap of what I mean by stealth.

Here’s an interesting trick that the spammers are increasingly using to defeat not only software and hardware anti-spam defences but also “wetware” anti-spam defences; wetware is the geek/nerd term for you, dear reader, the interface between the chair and the keyboard. ;-)

Stealth is not a new idea; computer viruses and other malware have been using techniques to hide since the very beginning of the problem on IBM and compatible PCs. In fact the very first virus on this platform, ‘Brain’, used stealth. Also, most of you are aware that stealth is widely used by the military, not only to make warplanes invisible [or almost] to radar and other tracking technologies, but also warships.

So, now you know what I mean by stealth. What does stealth spam look like? Well, guess what, you can’t see it at first as it is stealthed [hidden]. Here are some recent examples so you can see what I mean:

The first one claims to be from ‘Media Inc.‘:

The second one claims to be from ‘Windows Live Hotmail‘:

The third and final one claims to be from ‘A Credit-Card Company‘:

With all of the above examples, all the URLs [web links] used in the e-mail point to the spammy site, and the To and From e-mail addresses used tend to be the same, that being yours! All the text is probably taken from real newsletters/e-mails/websites. These e-mails pass the tests that most of us use to decide if something is spam or not; in other words they pass the ‘Eyeball’ test fairly easily as they look like genuine e-mails from real companies. The only missing pieces are any remote graphics, which most e-mail programs will not show, at least not by default.

So, what do they look like when I enable ‘allow remote images‘ in the e-mail program?

They look like this:

Yes, you aren’t seeing double: the second and third examples produce the same result when viewed in an HTML-capable e-mail reader or web browser.

Now they all fail the ‘Eyeball‘ test with ease.

Why do I call these ‘Stealthed Spam‘? Well, simply because the spam component is hidden and not in plain view.

The final screenshot shows part of the HTML source of the final example shown above when it is only showing the image:

You can clearly see the other HTML, which doesn’t get shown when rendered in a browser or an HTML e-mail reader.
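As an added example (not code from the original post), here is a Python scanner for the three signals described above: From and To carrying the same address, every link pointing at one host, and the text being hidden from the rendered view so that only the remote image is seen. The e-mail it runs on is constructed and the hosts in it are placeholders.

```python
"""Scanner for the 'stealthed spam' signals described above (added example):
From and To are the same address, every link points at one host, and the
text is hidden from the rendered view so only the remote image is seen."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                          r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|%)?\s*(?:;|$)", re.I)
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}


class StealthScanner(HTMLParser):
    """Split text into visible/hidden and collect link and image hosts."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0      # > 0 while inside a hidden element
        self.visible_text, self.hidden_text = [], []
        self.link_hosts, self.image_hosts = set(), set()
        self._stack = []           # (tag, hidden) for open elements

    @staticmethod
    def _host(url):
        host = urlparse(url or "").hostname
        return host.lower() if host else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and self._host(a.get("href")):
            self.link_hosts.add(self._host(a["href"]))
        if tag == "img" and self._host(a.get("src")):
            self.image_hosts.add(self._host(a["src"]))
        if tag in VOID_TAGS:
            return                 # never gets an end tag
        hidden = (tag in ("script", "style") or "hidden" in a
                  or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        self.hidden_depth += hidden
        self._stack.append((tag, hidden))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or tag not in [t for t, _ in self._stack]:
            return
        while self._stack:         # pop to the matching start tag; spam HTML is sloppy
            open_tag, hidden = self._stack.pop()
            self.hidden_depth -= hidden
            if open_tag == tag:
                break

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden_text if self.hidden_depth else self.visible_text).append(text)


def analyse(raw_message):
    """Extract the three signals from a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    body = msg.get_body(preferencelist=("html",))
    scanner = StealthScanner()
    scanner.feed(body.get_content() if body is not None else "")
    hidden = sum(len(t) for t in scanner.hidden_text)
    total = hidden + sum(len(t) for t in scanner.visible_text)
    return {"from_equals_to": bool(sender) and sender == recipient,
            "link_hosts": sorted(scanner.link_hosts),
            "remote_images": sorted(scanner.image_hosts),
            "hidden_text_ratio": round(hidden / total, 2) if total else 0.0}


def is_stealthed_spam(raw_message):
    """Flag a message when at least two of the three signals line up."""
    r = analyse(raw_message)
    signals = [r["from_equals_to"], len(r["link_hosts"]) == 1,
               r["hidden_text_ratio"] >= 0.5 and bool(r["remote_images"])]
    return sum(signals) >= 2


# Constructed sample in the shape of the first example above (hosts are placeholders).
STEALTH_SAMPLE = """\
From: reader@example.invalid
To: reader@example.invalid
Subject: Media Inc. newsletter
Content-Type: text/html; charset="utf-8"

<html><body><div style="display:none">
<p>Thank you for subscribing to the Media Inc. newsletter. This week we look
at the latest industry news and events.</p>
<p>To unsubscribe click <a href="http://spammy.example.invalid/u">here</a>.</p>
</div><a href="http://spammy.example.invalid/go"><img src="http://spammy.example.invalid/ad.gif" alt=""></a>
</body></html>
"""
```

A genuine newsletter scores zero or one on these signals (its text is visible and its links go to more than one host), so the two-of-three rule keeps false positives low.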

As they say, “Keep ‘em peeled!”, which means keep your eyes open and stay alert. Or, as others might say, “don’t believe everything you see or read”; it may be a clever fake.

If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!

Paper Selected For The EICAR 2008 Conference

EICAR have informed me that my abstract has been selected for the EICAR 2008 conference to be held in Laval, France between the 3rd and the 6th of May.

The abstract for the paper appears below:

The increasing speed of new malware strains being written and released means that security professionals are more likely than ever before to see new malware.

This means new malware which is not detected by the anti-malware solutions they have deployed in their infrastructure, be it workstation, server, PDA or at the gateway.

Imagine this scenario: An end-user calls the helpdesk and reports that their system is running very sluggishly when it wasn’t a week ago and that they can’t access the Windows ‘Task Manager’ or open a command prompt any more.

Is this caused by malware or is it a ‘user’ problem? The virus scanner is right up to date and active, and it says the system is clean, the personal firewall is active too. Where do you go from here? Investigate or rebuild the box?

How can you tell if the machine is clean or infected by a new malware, with a reasonable level of confidence for your conclusion?

This paper will look at what tricks, tools and techniques you can use to help establish the true state of the ‘suspect’ system. It will focus on a step by step approach of what tools to use, what to look for and what to do with any suspicious files. It will also discuss the use of forensic tools in such a scenario, as a last port of call.

The paper will draw on real scenarios where new [undetected] malware has been responsible for ‘odd’ system or network behaviour.

All I have to do now, is carry out all the required research and write the paper; should only take me about 3 months. However, as usual they need the completed paper by the 17th of March!

I’ve several other ideas for abstracts already sketched out, ready to submit for this year’s Virus Bulletin conference. Any topics that you think should be covered are most welcome; just drop me a note or leave a comment.

A Shocking Mobile Call…

I often receive e-mails from people who are either just forwarding the latest chain mail, urban legend, hoax or scam e-mail, or sending it to me to ask my opinion, as I have seen many of these types of e-mail over the last 15 years and can usually tell the real ones from the fake ones very quickly.

So, yesterday I was sent the following in an e-mail by someone asking me whether it was a hoax or not:

What do you think, real or hoax?

Before I give you my answer, I would like to bring to your attention the following data:

  • Most phones use power adapters that step down the voltage from standard mains [usually in the range of 110-240 Volts] to something significantly lower [usually in the range of 3-12 Volts]; not only that, these power adapters usually supply a very low current [a quick look at several of the ones I have on hand shows that 200 mA is fairly typical].
  • There have been a number of reports of exploding mobile phones [well actually batteries] over the last few years.
  • Most phone manufacturer instruction manuals contain information which state that it is perfectly safe to use a mobile phone while it is being recharged.

My conclusion is that if this did happen then the phone and/or the power adapter were faulty or damaged and that this caused the effect allegedly witnessed; either that, or the building the person was in at the time suffered a lightning strike which fed into the mains circuit. However, no such data is supplied and therefore it is almost impossible to corroborate or give any credence to this report. I therefore conclude that it is a hoax.

If you still think it is real and not a hoax, then I’d suggest you read the full debunk which can be found here:
http://www.snopes.com/horrors/techno/cellcharge.asp

December 2007 Malware Review

December was another busy month for me as I was writing abstracts for conferences, doing presentations and trying to take some of my holiday entitlement as well as dealing with my usual workload. This meant that I didn’t have quite as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We’ve also seen lots of activity from scammers and cyber-criminals once more during the month.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 5 years, the Malware Bayesian Filter for 4 years.

In total I captured 573 samples during December, which have been catalogued as just 27 distinct families and variants. In comparison during November I captured 476 samples which were also catalogued as 27 distinct families/variants. As you can see the captures in December are up once more, but this time of year is usually quite busy.

As shown, once more, by December’s statistics the general trend is still downwards. It still appears that social-engineering has been the technique of choice and that 2007 should be now known as the year of the social engineer.

During December I reported 65 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 80 percent of the samples captured in December, just short of the high points of 82 percent it had in August.

As in the top tens for September, October, and November there are still eight members of the Opaserv.worm family in December’s chart. These are variants: AE, D, AJ, K, AC, AD, AI and I in second, third, fourth, fifth, sixth, seventh, eighth and tenth places respectively.

The final slot left is occupied by a re-entry, this being our old friend Dupator who returns to the top ten in ninth place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

Netsky.q [aka P] is back into the top 10, straight back in at pole position, what a comeback! It is joined by another member of the family, AA which is also a re-entry back in at eighth place.

November’s pole sitter, Scano.gen has had to settle for fifth place in December’s chart after falling down the chart.

In the runner-up spot, we have a new entry, this being Diehard.dc, which is not the only member of this new family, as it is joined by Diehard.db and Diehard.dd which are also new entries, straight in to the chart in fourth and seventh place respectively.

Trojan-Spy.HTML.Fraud.ay has slipped further down the chart from fourth to ninth.

This month’s chart is packed with new entries, the next one is Warezov.xd, straight in to the chart and stealing the final podium place; third.

And to complete the top ten, we have two more re-entries, these being, Bagle.gt and Nyxem.e [aka MyWife.D] in to the top ten in sixth and tenth places respectively.
Kaspersky had this to say about December’s chart:

“At the end of the year, the mail traffic situation suddenly changed. In place of the traditional and somewhat dull domination of the rankings by old email worms, in December we encountered the explosive propagation of a new generation of programs. A new generation which are not worms.

It’s true that first place this month is taken by the veteran NetSky.q worm. It returned with a leap and a bound from beyond the bottom of the rankings, having not figured in our November Top Twenty at all. It made up 20% of mail traffic – that’s almost an epidemic, and it’s unclear how a worm which has been in existence for almost 4 years, and which is known to all antivirus companies, has continued to survive and spread to the present day.”

Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has once more regained the runner-up position it last held in October’s chart. Last month’s pole-sitter Troj/Pushdo has further managed to consolidate its hold on pole position.

Mytob has reversed its slide down the chart, once more climbing back up from sixth to third place. W32/Zafi has continued its progress sliding further down the chart from fifth to sixth place.

Mydoom which was a re-entry in October’s chart has climbed up one place from eighth to seventh place.

There are two re-entries in December’s chart, these are, Troj/Dloadr, back in to the chart in eighth place, and W32/Sality back in to the chart in tenth place.

W32/Bagle is up one place from tenth to ninth and to complete the chart we have W32/Strati up from ninth to the fourth and finally Mal/Dropper is down one place from fourth to fifth place.

Here is some commentary on December from Sophos:

“Overall, 0.09 percent of emails, or one in 1111, had malicious attachments in December 2007, with Pushdo retaining its position as the most prevalent email-based malware detected in December.”

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is once more occupied by our old friend Dupator.

Win32.Zhelatin has managed to consolidate its hold on the final place in the chart; tenth, Win32.Agent falls a single place down from eighth to ninth, and IRC.Zapchast has bucked the trend and climbs up from ninth to fourth place.

We have three re-entries in December’s chart, these are: mIRC-Based back in to the chart in fifth, Hidrag grabs sixth place and W32.Tibs takes seventh place.

The final place in December’s chart is occupied by our old friend Netsky, which has fallen from grace; down from third to eighth place.

If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: the following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period 2005 – 2007 [up to the end of December] here. This clearly shows that December was busier than both October and November. As shown in the figures for December, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or those targeting particular events, such as Christmas; this can be seen in the What’s New section of this blog posting.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the ‘Storm Worm’ gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 358,873 at the end of December. That’s a growth of 136,400 new malware strains and/or variants for the whole of 2007. Just in December, the number of new malware found was 9,022.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during December 2007.

Conclusions:
The current trend of using social-engineering which has been widespread in January – November has continued during December, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs. In fact I think it would be fair to say that 2007 has been the year of the Social Engineer. In fact after Christmas the Storm Worm gang were working flat out producing new malware, web-sites and spam runs, but more on that, another time.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven’t been idle during December as they are still trying out other file formats which they hope will bypass anti-spam defences.

The phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during December, especially Natwest, Nationwide and Barclays, again.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer. It seems that the malware authors are taking lessons from the phishers as we have seen several phishing quality ‘fake’ websites used to get people to infect their own computers. I have shown two examples of this new method being used, in this blog entry.

As expected December and the run up to Christmas and the New Year was a very busy time of the year for all the bad guys and girls as they took advantage of the season of goodwill to claim even more victims.

I would like to wish you all a very happy new year, stay safe!

Links:

Please note: December’s report may well be the last one I do for the foreseeable future due to changes in my role.

From Storm With Love…

It seems that the Storm Worm Gang have decided that you all need some loving, so they are now sending out fake e-card e-mail notifications informing you how much they love you, because you make their job of building botnets so easy ;-)

Either that or their calendar is screwed up again; they almost missed Christmas and were then very early for New Year!

Here’s a screenshot of what just one of these new With Love based e-mails looks like:

The body text can be one of a number of text strings. The rest of the e-mail is usually a link; this time they have gone back to using IP addresses rather than actual domain names, I’m not sure why. The IP addresses used are varied, so don’t assume that they only use the one shown in the example here.

Of course, when you click on the link you go to a very nice, but fake e-card site.

Here is a screenshot of the web page you could end up on if you click on the link in one of these fake With Love themed e-mails.

Here’s a screenshot showing the HTML source for the page, does it look familiar? It should as this is almost exactly the same code used during the New Year campaign.

The message shown is fake, the ‘withlove.exe‘ file offered isn’t an ecard offering words of love from an admirer, partner or colleague, in other words, if you are unwise enough to download the file and run it you won’t get to see an ecard, in fact you will get a bot installed instead and your computer will join one of the many Storm Worm botnets.

At the time of publishing this entry detection was almost non-existent, with most of the top anti-virus products not detecting the malware laden file as infected, you have been warned.

As mentioned before, please do not go to these sites and download the files offered, as they are real, live, malware.

More details on the file currently being offered can be found here on my VSUB blog, complete with detection results at the time of publishing.

MySpace Storm…

It seems that the Storm Worm Gang have finally changed their social engineering tactic from the New Year e-cards that we have been seeing since the 26th of December until the 2nd of January when they sent out their last new version of that particular tactic!

So, what are they now using to get you to infect your computer? They are using fake MySpace invite e-mails which contain links to phishing quality fake MySpace websites.

This seems rather spooky as I was blogging about social network engineering on the 4th of January!

Here’s a screenshot of what just one of these new MySpace based e-mails looks like:

The body text can be one of a number of fake names and text strings. The rest of the e-mail, including the links, appears to be fairly static, at the moment anyway. Once more the link is an actual domain name, rather than the more usual IP address based links that the Storm Worm gang used to use.

Of course, when you click on the link you go to a very professional, but fake MySpace site.

Here is a screenshot of the web page you could end up on if you click on the link in one of these fake MySpace themed e-mails.

In fact there are several links in the e-mail which take you to different domain names, all under the control of the Storm Worm gang.

Here’s another example showing another domain name in use.

The message shown is fake, the ‘install_flash_player.exe‘ file offered isn’t genuine, in other words, if you are unwise enough to download the file and run it you won’t get a copy of Flash Player installed, in fact you will get a bot installed instead and your computer will join one of the many Storm Worm botnets.

Just to make it crystal clear, the file offered on this site will NOT install or update Flash Player; all that will happen is that your computer will be infected and turned into a zombie [a bot-infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.

At the time of publishing this entry detection was still very patchy, with a number of the top anti-virus products not detecting the malware laden file as infected, you have been warned.

As mentioned before, please do not go to these sites and download the files offered, as they are real, live, malware.

More details on the file currently being offered can be found here on my VSUB blog, complete with detection results at the time of publishing.

No doubt I’ll be updating this post in the next day or so, as the Bad Guys and Girls tinker with their latest social engineering technique, or they change it to a new one…

As I post this I have now received over FIFTY of the fake MySpace invite e-mails!

New Year Phishes?

As a customer of Barclays Bank in the UK, I do occasionally receive e-mails from them, so I wasn’t that surprised, or unduly alarmed when I received the e-mail shown in the screenshot below:

A quick look at it had my Phish Sense tingling, can you see why?

However, as usual I decided to take a look at the URL in the e-mail in more detail, as it was pretty believable, this is what I found:

This could easily be the real Barclays Bank site, it is very well done and very believable. In fact all the links, bar one, on the web page actually do go to the real Barclays web site. So, what happens if you enter data in the page and click on the Next button, where do you go next?

The next page shown is:

You are then prompted for the rest of your personal login details for Barclays. However, once these are filled in and you have clicked on the Login button, you will end up on the real Barclays site. So this Phish, because that is what it is, no matter how good or believable it appears, is actually carrying out a Man-In-The-Middle attack by harvesting your real login data for your Barclays internet banking account.

Last night I also started to see a similar attack aimed at the Halifax, here’s a screenshot of the e-mail:

And here is the website the link takes you to:

This one uses the same technique, although it appears that not only is the page harvesting your Halifax credentials it also goes on to pass them to the real Halifax site, and so, if the data you gave was genuine, it should have logged you in, and you probably would be none the wiser that you have become the latest victim of a phishing attack.

If you put in fake data in the fake Halifax login page (shown above), the real Halifax site will show you an error message.

If you use an e-mail client that doesn’t show you the bracketed e-mail address, then it is not surprising that customers of these banks, using these e-mail clients, actually fall for these latest phishing scams, with disastrous results ranging from transferred funds, or new loans or mortgages taken out in their name, to their whole identity being stolen.

Did you notice that the links in the e-mail claim to be HTTPS [an SSL-encrypted link to the website], when in fact they end up on a standard HTTP link which is NOT encrypted, so all data you enter is sent in CLEAR TEXT?
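The two tells above (the bracketed From address that some e-mail clients hide, and link text that claims an HTTPS URL on the bank’s site while the real destination is a plain HTTP address elsewhere) can be checked mechanically. This is an added example, not code from the original post; the bank name, the domains and the phish itself are constructed placeholders.

```python
"""Checks for the two give-aways in the phishing e-mails above (added example):
a From display name that does not match the bracketed address, and link text
that claims an HTTPS URL on the bank's site while the href goes elsewhere."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the HTML."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def link_findings(html):
    """Report anchors whose visible URL disagrees with the real destination."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.anchors:
        if not text.lower().startswith(("http://", "https://")):
            continue                          # plain words: nothing to compare
        shown, real = urlparse(text), urlparse(href)
        if shown.scheme == "https" and real.scheme.lower() != "https":
            findings.append(f"shown as HTTPS but goes to {real.scheme.upper() or 'no scheme'}: {href}")
        if shown.hostname and real.hostname and shown.hostname.lower() != real.hostname.lower():
            findings.append(f"shown as {shown.hostname} but goes to {real.hostname}")
    return findings


def sender_findings(display_name, addr_spec, brand, brand_domains):
    """Flag a From header whose display name invokes the brand, or itself looks
    like an e-mail address, while the real address is in some other domain."""
    domain = addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""
    findings = []
    if domain and domain not in brand_domains:
        if brand.lower() in display_name.lower():
            findings.append(f"display name mentions {brand} but the address is @{domain}")
        if "@" in display_name:
            findings.append(f"display name shows {display_name!r} but the address is {addr_spec}")
    return findings


def check_message(raw, brand, brand_domains):
    """Run both checks over a raw e-mail. brand_domains is the set of domains
    the brand genuinely sends from (supplied by the caller, not looked up)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_header = msg.get("From")
    for address in (from_header.addresses if from_header is not None else ()):
        findings += sender_findings(address.display_name, address.addr_spec, brand, brand_domains)
    body = msg.get_body(preferencelist=("html",))
    findings += link_findings(body.get_content() if body is not None else "")
    return findings


# Constructed phish in the shape described above; the bank and hosts are placeholders.
BRAND = "Examplebank"
BRAND_DOMAINS = {"examplebank.example"}
PHISH_SAMPLE = """\
From: "Examplebank Online <secure@examplebank.example>" <notice@phish-host.example>
To: customer@example.invalid
Subject: Please confirm your details
Content-Type: text/html; charset="utf-8"

<html><body><p>Please log in at
<a href="http://203.0.113.9/login/">https://www.examplebank.example/login/</a>
to confirm your details.</p>
<p>Our <a href="https://www.examplebank.example/help/">help pages</a> explain more.</p>
</body></html>
"""
```

The second anchor in the sample points where it says it does, so only the login link is reported; a client that hid the bracketed address would show the reader nothing but the bank’s name.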

Please note: Do NOT go to the sites shown as they are real live phishing sites. You have been warned! Stay safe…

Whatever you do, don’t take this threat lightly, as TV presenter and motor-mouth Jeremy Clarkson did after dismissing the threat of identity theft; he foolishly published his bank details and clues to other personal details in his column in The Sun newspaper. More details on this can be found here.

Social Network Engineering

Social networks such as Myspace, LinkedIn, Facebook, Bebo, Xing and all the others are BIG business at the moment, all of them trying to be ‘the one‘ that everyone must be seen on.

So, it isn’t that surprising that the Bad Guys and Girls have started to take an interest in them, is it?

However, it isn’t just Social Networking sites that they are interested in, they are also interested in Virtual Worlds and On-line Games, such as SecondLife and World of Warcraft, amongst others.

This post will cover some of the things the Bad Guys and Girls have so far tried in these areas, many of which may surprise users of these online communities, be they social networks, virtual worlds or on-line games.

Hands up, all of you out there that use Facebook. Many, if not most of you, I expect… not that surprising. So, for you Facebook users out there, you need to be aware of something I’ve been expecting for some time on this network: malicious applications (Facebook applications or plugins).

One new application, Secret Crush, uses social engineering; in this case it uses the same techniques that proved to be so successful for the ILOVEYOU e-mail worm, these being curiosity and sex!
When installed, Secret Crush [created by Secret Crush] will request that you invite five friends before you can see who has a secret crush on you. Needless to say, this is a form of viral marketing, and even if you comply and effectively infect five of your friends [who may shortly no longer be your friends], you still won’t be shown who your secret crush is, because there was no secret crush; it was all a ploy to get you to install it.

You are directed to a Zango [previously known as 180Solutions] website to install Crush Calculator, which is a piece of Spyware! This means that Secret Crush is actually a Facebook Trojan Horse which uses social engineering.

If you think that this is a new phenomenon in social networking sites then you’d be mistaken. Myspace has had a number of malware adventures over the last year or so, with the Samy worm probably being the most successful.

SecondLife has also seen malicious virtual objects inserted into it, these when interacted with by users, begin to replicate, impacting the performance of the system.

Instead of writing lots of fluff about these I’ll just supply a number of links so that you can get more information about these threats, when you have some time to spare.

Links:

Facebook:

Myspace:

SecondLife:

World of Warcraft:

The bottom line is that, for the Bad Guys and Girls, this is not about being social, nor is it a game to them; they do not care whether the systems or people they socially engineer into infecting their avatars or their computers are in the real world or a virtual one. It is all about stealing information and property and making money [or friends]: not virtual money, but real, hard, cold currency….

Will 2008 become the year of the Social Network Engineer?

My New Year Present…

I suppose it was, as the character Agent Smith from the Matrix Trilogy would say, “inevitable” that the cyber-criminals and spam gangs would become rather peeved with me; constantly reporting the latest Storm Worm or other notable spam run…

…and so it came to pass that on the 2nd day of January 2008, they unleashed a massive spam run in which they spoofed the From: address in the e-mails to make them look like they had come from one of my registered domain names.

You can see the result of this action, in the first traffic graph below (the red line is the inbound traffic):

Within the first hour of this attack, I had received almost 5GB of spam bounces, as well as notifications from mail scanning systems and also failed delivery notifications and the odd e-mail from recipients, some telling me to do things that are anatomically impossible, or at the very least illegal or immoral ;-) .

To put this latest ‘Joe Job‘ attack into context, the following traffic graph shows the bigger picture (the red line is the inbound traffic):

As you can see, I also suffered an attack on the 27th of December, although that one was more intense, it was significantly shorter.

I’m still seeing the occasional spike, but nothing like the persistent attack lasting almost twelve hours, before I finally got it under control.

To minimise the possible impact of any future attacks, I’ve beefed up my ‘bounced mail‘ handling filters, these can be enabled within seconds of a new attack starting.

So, once more here’s a plea to those of you that run mail servers. Please, please don’t make innocent parties suffer by bouncing back obvious spam to the address listed as the from address. Almost all spam sent nowadays uses spoofed [stolen] e-mail addresses. The ‘Bad Guys and Girls’ NEVER see these bounces, so why send them, just delete them instead!
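As an added example (not the author’s own filters), here is how a ‘bounced mail’ filter of the kind described above can tell a Joe Job bounce from a bounce of mail you really sent: it accepts a delivery status notification only when the returned original shows it passed through your own relay. The domain and relay names are assumptions for the example, and both bounces are constructed.

```python
"""Backscatter filter in the spirit of the 'bounced mail' handling described
above (added example). A bounce (DSN) is kept only when the returned copy of
the original message carries evidence that it actually left our mail server;
a bounce for a message we never sent is Joe Job backscatter."""
import email
import re
from email import policy

# Assumptions for this example: the domains whose mail we really send and the
# hostnames of our own outbound relays.
OUR_DOMAINS = {"example.invalid"}
OUR_RELAYS = {"mail.example.invalid"}


def is_dsn(msg):
    """RFC 3464 delivery status notifications are multipart/report."""
    return (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status")


def returned_original(msg):
    """Return the original message (or just its headers) embedded in the DSN."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def we_sent_it(original):
    """Evidence that the message passed through our relay. A Received line
    'by <our relay>' is the useful one; the Message-ID domain is a weaker
    fallback since a spammer can forge it along with the From address."""
    for received in original.get_all("Received", []):
        for relay in OUR_RELAYS:
            if re.search(r"\bby\s+" + re.escape(relay) + r"\b", str(received), re.I):
                return True
    mid = str(original.get("Message-ID", "")).strip().strip("<>")
    return "@" in mid and mid.rsplit("@", 1)[1].lower() in OUR_DOMAINS


def classify(raw):
    """'deliver' for ordinary mail, 'bounce-ours' for a bounce we can vouch for,
    'backscatter' for a bounce of mail we never sent (or cannot verify)."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_dsn(msg):
        return "deliver"
    original = returned_original(msg)
    if original is not None and we_sent_it(original):
        return "bounce-ours"
    return "backscatter"


def _dsn(original_headers):
    """Construct a minimal RFC 3464 bounce that quotes the original's headers."""
    return ("From: MAILER-DAEMON@relay.example.test\n"
            "To: postmaster@example.invalid\n"
            "Subject: Undelivered Mail Returned to Sender\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="BND"\n'
            "\n--BND\nContent-Type: text/plain\n\nThe message could not be delivered.\n"
            "\n--BND\nContent-Type: message/delivery-status\n\n"
            "Reporting-MTA: dns; relay.example.test\n\n"
            "Final-Recipient: rfc822; nobody@relay.example.test\nAction: failed\nStatus: 5.1.1\n"
            "\n--BND\nContent-Type: text/rfc822-headers\n\n" + original_headers + "\n--BND--\n")


# Constructed samples. The Joe Job bounce quotes a message that never touched our
# relay and only forged our domain in From; the other quotes mail we really sent.
JOE_JOB_BOUNCE = _dsn(
    "Received: from [198.51.100.7] by relay.example.test with SMTP\n"
    "From: news@example.invalid\nTo: nobody@relay.example.test\n"
    "Message-ID: <20080102.1@zombie-pc>\nSubject: Cheap pills\n")
OUR_BOUNCE = _dsn(
    "Received: from mail.example.invalid by relay.example.test with ESMTP\n"
    "Received: from desktop by mail.example.invalid with ESMTP\n"
    "From: me@example.invalid\nTo: nobody@relay.example.test\n"
    "Message-ID: <20080102.2@mail.example.invalid>\nSubject: Hello\n")
```

The Message-ID fallback is only as trustworthy as the spammer allows, which is why the Received check comes first; rejecting unwanted mail at SMTP time instead of bouncing it, as the plea above asks, removes the problem at source.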

Maybe I should start a campaign to get mail server products to remove this functionality, as I can’t believe I’m alone in wishing for this feature to be removed or disabled?

What shall we call it, “The Campaign For Real Mail“? Or have you got a better suggestion?

Watch Out, Watch Out…

..There Are Malicious New Year Ecards About!

This is a quick note to all those that have been away over the Christmas and/or the New Year period.

Please be very suspicious of any e-mails that claim you have been sent a New Year Ecard [or Christmas ones too], as these may lead to websites that, instead of offering you a real Ecard, will try and get you to download an executable file that is malicious.

Most of these are the output of the so-called ‘Storm Worm Gang‘ and I have been updating my last blog posting [31/12/2007] when new variants have shown up, and I will continue to do so, so please check back from time to time for the latest information.

However, they are not the only group that are using this technique; others are trying to trick you into downloading ‘plugins‘ which are not the real thing, so that you can view the ecard you have been sent. However, the ‘plugin/viewer/codec‘ being offered is malicious, and there is no real ecard for you.

Please take care over the next few weeks, and I hope you all have a very Happy and Prosperous New Year, and a malware free one too.