Malicious E-Cards - An Analysis of Spam
smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to over-writing wmplayer.exe, this particular piece of spam is a rather nasty one."
While I commend the original article as an interesting dissection of an attempted attack via spam, the heading is a little sensational. It mentions Russian spyware sites, but the site in question is Spylog.com, a reputable Russian monitoring site. Not everything on the Russian internet is malicious, and Spylog does some good work on reporting statistics about the Russian internet.
Just a minor correction.
Win98 is supposed to be gone, or no longer supported.
Assuming that, and that your WinLusers are running current versions of Windows with actual security, and they're running as regular users, a web page CAN'T overwrite anything because regular users don't have write permissions in %systemroot% or in Program Files.
Problem solved. Without a script blocker or any other third-party garbage.
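The post above rests on a claim about file-system permissions: a web page running as a regular user cannot overwrite anything under %SystemRoot% or Program Files. The script below is an added example (not from the original post or the analyzed article) for checking that claim on a specific machine. It reads the ACLs on the directories involved and on the assumed Windows Media Player path, reports any write-type right granted to a non-administrative group, and then tries an actual write as the current account. Run it as the standard-user account whose exposure you care about; the ACL half is informative under any account, the probe half only tells you about the account it runs as.

```powershell
# Added example, not from the original thread. Two complementary checks:
#  1. which "regular user" principals hold write-type rights on a path (from the ACL);
#  2. whether the current account can actually write there (a live probe).
$Targets = @(
    $env:SystemRoot,
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:ProgramFiles 'Windows Media Player\wmplayer.exe')   # assumed location of wmplayer.exe
)

# Rights that let a caller replace or alter a file's contents.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes

# Groups every interactive, non-admin user is a member of.
$NonAdminPrincipals = @('BUILTIN\Users', 'Everyone',
                        'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-NonAdminWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($NonAdminPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

function Test-WriteProbe {
    # Returns $true if the current account can write to $Path, $false otherwise.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        if (Test-Path -LiteralPath $Path -PathType Container) {
            # Create and immediately delete an empty, randomly named file.
            $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
            [IO.File]::WriteAllBytes($probe, [byte[]]@())
            Remove-Item -LiteralPath $probe -Force
        } else {
            # Open for write without truncating: success means the file could be replaced.
            $fs = [IO.File]::Open($Path, [IO.FileMode]::Open,
                                  [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
            $fs.Dispose()
        }
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    } catch [System.IO.IOException] {
        return $false   # e.g. the file is locked by a running process
    }
}

foreach ($t in $Targets) {
    "{0}: current account can write = {1}" -f $t, (Test-WriteProbe -Path $t)
    Get-NonAdminWriteAccess -Path $t | Format-Table -AutoSize
}
```

On a default install the ACL check should come back empty for all three paths and the probe should return False when run as a standard user; a non-empty result means someone has loosened the permissions, which is exactly the case in which the "a web page can't overwrite anything" argument stops holding.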
Use Evolution instead of Outlook? Bewa
How do you think Outlook displays mail? Last I checked, it embeds the IE control.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I think you have to be Administrator for the re-write to work. Then again, most of the people I know run as administrator, so ...
Quote from that article:
Conclusion
If you're still using Outlook and Internet Explorer, this is a good time to find alternatives (I suggest FireFox and Thunderbird). Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users.
Or alternatively,
you can use an HTML disabler like noHTML for Outlook Express
Massive by Design
There's Trend Micro's HouseCall, which is an ActiveX applet that runs virus scans. Actually, most diagnostic web sites have ActiveX. Also, PowerLeap's InSPECS system requires IE with ActiveX enabled.
Support shareware :-)
A feeling of having made the same mistake before: Deja Foobar
Tell you what sparky -- YOU try that across an enterprise type installation. Actually there is ONE (1) remaining application running across any of my networks that requires Windows (2K) boxes to remain until something else is phased in: AUTOCAD.
Go ahead -- try to install and run AutoCAD (2004 release) with Architectural and Mechanical desktops loaded ... as a regular user. I'd love to see you get AEC content networked and working on a local machine as a regular user. Good luck.
Fortunately the engineering types are special. They've got TWO computers now. 90% of their work is done on CAD which is Windows right now -- the other 10% they tap the Mac for services (file processing, email, web, word, whatever).
Every other sub-system requiring Windows has been replaced (for us -- started in 2000) and I have to agree with you 100% otherwise: regular users have no reason to run anything as administrator or "root". Just can't do that in the Windows world...
Go check it out. It's really, really, good, and free, as in, well, um, beer?
I have spent too many hours building elaborate rule sets, banning Class A IPs, keyword filters, etcetera. The spam still gets through and it carries nasty payload half the time. Bayesian...bayesian... bayesian...
Switch off HTML formatting for Outlook.
See http://support.microsoft.com/default.aspx?scid=kb;EN-US;307594 on how to do it.
How do e-card services make money?
The less moral ones sell the email addresses they harvest from every e-card, both sender and destination.
To prove this, get 2 fresh email addresses. Send an e-card from one to the other. Watch the spam roll in.
spam filter:
"viagra", +9
"herbal", +6
"natural", +6
"to be removed", +5
"free", +2
"!!!", +2
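The list above sketches a weighted-keyword filter. As an added example (not code from the original post), here is that scheme in PowerShell with the poster's weights, so the behaviour can be seen on real text: each rule fires at most once per message, alphabetic phrases are matched on word boundaries so that "freedom" does not trigger the "free" rule, and the punctuation rule is matched literally. The threshold and the two sample messages are constructed for illustration and are not from the thread.

```powershell
# Added example, not from the original post: a weighted keyword scorer.
# Weights are the ones listed in the thread; threshold and samples are made up here.
$Weights = [ordered]@{
    'viagra'        = 9
    'herbal'        = 6
    'natural'       = 6
    'to be removed' = 5
    'free'          = 2
    '!!!'           = 2
}
$Threshold = 8   # assumed: total score at or above this is classified as spam

function Get-SpamScore {
    param([Parameter(Mandatory)][string]$Text)
    $score = 0
    $hits  = @()
    foreach ($phrase in $Weights.Keys) {
        # Word phrases get \b anchors; punctuation-only rules are matched literally.
        $pattern = if ($phrase -match '^[a-z ]+$') {
            '\b' + [regex]::Escape($phrase) + '\b'
        } else {
            [regex]::Escape($phrase)
        }
        $count = [regex]::Matches($Text, $pattern, 'IgnoreCase').Count
        if ($count -gt 0) {
            $score += $Weights[$phrase]        # each rule contributes once, however often it matches
            $hits  += ('{0} (x{1})' -f $phrase, $count)
        }
    }
    [pscustomobject]@{
        Score  = $score
        IsSpam = ($score -ge $Threshold)
        Hits   = ($hits -join ', ')
    }
}

# Constructed sample messages.
$SpamSample = @"
Subject: All NATURAL herbal supplement!!!
Now FREE shipping on every order. Click here to be removed from our list.
"@

$LegitSample = @"
Subject: Friday release
The build is free of the blocking bugs now; natural next step is to tag it.
"@

Get-SpamScore -Text $SpamSample     # Score 21, IsSpam True  (natural, herbal, to be removed, free, !!!)
Get-SpamScore -Text $LegitSample    # Score 8,  IsSpam True  (natural + free): a false positive
```

The second sample is the caveat the earlier "Bayesian...bayesian" comment is getting at: fixed keyword weights hit ordinary business mail as soon as two innocent words co-occur, and the sender only has to misspell a word to slip under them. A per-user statistical filter learns which tokens actually distinguish that user's spam from that user's legitimate mail, which a hand-tuned list like this cannot.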
You get the point. You can toggle things like loading external graphics etc. It is really a mail client for power users. Shareware, but one of the few programs I ever purchased.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
XP does have "power user"
This argument has been going on forever.
And, IMHO, is only partly correct.
Windows and its apps have many "by design" security flaws.
Short list:
- Horrible data-binding in many apps (IE/Outlook/etc)
- Enabling scripts in emails to run in the local zone
- No warnings for insecure passwords
- NetBIOS open by default for the internet
- IIS, period
- Null sessions
- Password hashing flaw (L0pht)
Some of these are fixed, some are not.
Apache runs on the majority of servers, and it isn't hacked nearly as much... just figure.
The path I walk alone is endlessly long.
30 minutes by bike, 15 by bus.
ActiveX is not sandboxed at all like Java is. So, like any powerful tool, it can be used for both good and bad.
Windows Update depends on ActiveX to determine which updates a user already has. Many virus-scanning websites need to be able to read and (and when cleaning, write to) every file on the system, so they need ActiveX too.
When it comes down to it, ActiveX controls are just as powerful as any other executable, which is why the user is presented with a security certificate before they run. I think the critical flaw in ActiveX is right there at that dialog box, because the default answer is "Yes" and users don't read the whole thing to understand what it means.
features of HTML mail ... paste screenshots
And pasting a screen shot into a word processing document, then attaching that is not OK? Yes, a little more work, but the benefit is safer Internet use for the rest of us.
Email is Email. HTML is for Web pages. The marriage of the two (Thanks Bill!) makes SPAM more dangerous, lets the email sender track you (via 1x1 images), and makes email messages MUCH larger thereby wasting bandwidth.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
I have been putting my spam with full headers here, and hope that people investigating can use the info in the headers like IP addresses, gateways, aliases etc. As it is cached in Google, the results should show up for specific keywords.
If you are spam hunters, please be my guest and fry some spammers a***
To see a world in a grain of sand, and then to step back and see the beach where the sand lies
The image being part of the message is supposed to be a good thing?
I never, ever, send mail in an HTML format. But I always send photographs and other stuff like that as urls (plaintext URLs, which most modern mail readers sense and interpret as web-links) to images I store on my webspace somewhere.
Why shuttle around bloated email attachments?
---
Actually, that bit of code just downloads the malicious .EXE. It's a bit dodgy that it's allowed to do it automatically (after all, it could be asking for http://spy.malware.com/cgi-bin/report?firstname=John&lastname=Doe&underwear_type=boxers...), but it's not an instant security breach itself. The actual bug is...
...which overwrites Media Player with the downloaded malware using ADODB.Stream (which probably never should have been enabled as a trusted ActiveX control in the first place, and certainly shouldn't be automatically overwriting files without user intervention).
Range Voting: preference intensity matters
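The post above identifies the real bug as ADODB.Stream being usable from a web page to write a file to disk. Internet Explorer's mechanism for blocking a specific COM control from being instantiated by the rendering engine (which Outlook shares, as noted earlier in the thread) is the "kill bit": a Compatibility Flags DWORD with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and that is what Microsoft's later update for ADODB.Stream (KB870669) set. The script below is an added example, not code from the post or the article; it resolves a ProgID such as ADODB.Stream to its CLSID from the local registry rather than hard-coding one, reports whether the kill bit is set, and can set it (setting requires an elevated shell).

```powershell
# Added example, not from the original thread: inspect or set the IE kill bit
# for a COM class. Flag value 0x400 in 'Compatibility Flags' blocks the control
# from loading inside Internet Explorer and anything that hosts its engine.
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit    = 0x400

function Get-ClsidFromProgId {
    # COM registers ProgID -> CLSID under HKLM\SOFTWARE\Classes\<ProgID>\CLSID (default value).
    param([Parameter(Mandatory)][string]$ProgId)
    $key = "HKLM:\SOFTWARE\Classes\$ProgId\CLSID"
    (Get-ItemProperty -LiteralPath $key -ErrorAction Stop).'(default)'
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = "$CompatRoot\$Clsid"
    $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                               -ErrorAction SilentlyContinue).'Compatibility Flags'
    $value = if ($null -eq $flags) { 0 } else { [int]$flags }
    [pscustomobject]@{
        Clsid   = $Clsid
        Flags   = ('0x{0:X}' -f $value)
        KillBit = (($value -band $KillBit) -ne 0)
    }
}

function Set-ActiveXKillBit {
    # Adds 0x400 to the existing flags (preserving any other bits). Needs admin rights.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$CompatRoot\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = $(if ($null -eq $current) { 0 } else { [int]$current }) -bor $KillBit
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
    Test-ActiveXKillBit -Clsid $Clsid
}

# Usage: check the control discussed in the thread.
$clsid = Get-ClsidFromProgId -ProgId 'ADODB.Stream'
Test-ActiveXKillBit -Clsid $clsid
# To block it on a machine where KillBit came back False (run elevated):
# Set-ActiveXKillBit -Clsid $clsid
```

Two caveats a practitioner will want: the kill bit only affects IE-hosted instantiation, so scripts and applications that create ADODB.Stream directly still work, which is why it is a safe mitigation for the browser/mail case; and the check is per CLSID, so a control registered under several class IDs needs each one checked.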
I still use IE because Mozilla doesn't SHIFT+Click with the same behavior (open in new window) as IE ... I won't even talk about that stupid dinosaur splash screen.
Wow, are you trolling or what? First of all, as of this writing, shift-clicking on a link in FireFox (formerly Firebird) does open it in a new window, although god knows why you'd want to do that when you can middle-click to open it in a tab in the background instead.
Secondly, the "stupid dinosaur splash screen" (which I loved) has been gone for about 4 release versions of Mozilla now, to be replaced with a hideously drab orange box with 'Mozilla' written in it. Now that we've compromised on an ugly splash screen, no one's happy. Hooray for attempting to pander to everyone!
Random and weird software I've written.
Remember Pivx Labs, the folks that used to host the "21 unpatched vulnerabilities in IE" page and has since switched to being a slight MS apologist? They've got a nice product which is (currently) free. What they basically did was to tighten down Windows via things from standard settings to registry tweaks to a degree which most users won't notice. Several of the recently discovered IE vulnerabilities wouldn't have worked, and Blaster wouldn't have worked either under these settings.
After trying it on my workstation for a couple of weeks, I've started deploying it to others. It seems to interfere with Norton Antivirus, though not McAfee (which is what UMBC machines should be using anyway).
I also send out the desktops with Mozilla, Media Player Classic, RealAlternative, etc. If people want IM, I try to recommend GAIM. Open source apps tend to have been "written in a more paranoid age" as another poster put it, and also can't as easily get away with doing dumb crap. I also remove the IE and Outlook shortcuts from the desktop (but leave the IE shortcut in the start menu, because the eternally pending PeopleSoft requires it).
WMBC freeform/independent online radio.
Clickety click.
God invented whiskey so the Irish would not rule the world.
I've been using The Bat (www.ritlabs.com) for about 5 years now, and it's great. No worms, no virii, no pop-ups, no crap. I view all my email as text. And they've been continuously improving the product.
Where to start.. I finally ditched the Bat! after my five years last week.. and good riddance.
The UI has not evolved, sure lots of new features get added over the years, but they all end up as hacks into an already clumsy interface.
The UI is a classic case of a few -really- good features (I do appreciate them) surrounded by poo. Auto-formatting in the text is useless, NEVER paste some code and try to annotate it, turning it off leaves everything else looking ugly. Even Outlook manages to format its messages better.
The UI displays a classic 'designed by the developers' illness. They can't see its flaws because they're too embedded in the development. If they'd just employ a professional UI designer to re-jig it, and actually do the things suggested, then it would be a world-beater.
And you now have to upgrade ($$$) to the latest version to stay current. It's just the same as the old one, hardly any worthwhile new features. A money-spinning enforced upgrade of the most cynical sort.
If you want its fantastic filtering systems, wonderful templates, clever widgets, superb PGP support etc.. and are prepared to put a lot of effort and patience into learning and using it, then I heartily recommend it.
If all you want to do is write emails to people, and read ones you receive, save yourself time and money by looking elsewhere.
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
I try and make my kids run using an account without Administrator rights on their games machine, unfortunately that is a complete nightmare. Every few minutes it's "Dad... I can't install Megablaster 2 Railgun Edition" or "Dad... Flopsy Bear Print Studio says access denied".
And this is after spending a great deal of time putting friendly NTFS permissions onto their "c:\games" directory. If only makers of entertainment software would clean up their act! Surely these things don't actually NEED to have root all over the place.
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
The only real "exploit" here is the ActiveX installer. Most email clients render plain-text URLs clickable anyway.
There's a reason why this stuff is written with ActiveX controls - they look official, like they're from the operating system. Disable ActiveX and watch the spyware go away. It seems most people know not to download an .exe but think ActiveX, especially when it's "signed," means that it's safe.
I'm amazed that no-one has yet posted an analysis of the final payload 'a.exe'.
This decompresses and drops 'ra32.exe', 'lanext.dll' and 'lanman.dll' into the Application Data\Microsoft folder, and sets ra32.exe to run on startup through a HKCU\Software\MS\Win\CV\Run registry entry.
These files act as a keylogger. When they see one of a built-in list of online bank sites being used, they log keypresses for a bit and upload the result via FTP to a server controlled by the attacker.
Bizarrely, for me in Windows 2000, it also opens an alert box with the message 'timediff' every 60 seconds. Bug?
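The payload analysis above gives two things a defender can look for on a machine that may have opened the e-card: a per-user Run entry that launches an executable dropped under the profile's Application Data\Microsoft folder, and the three dropped file names. The script below is an added example, not from the post; it expands the poster's abbreviated key name to the assumed full path HKCU\Software\Microsoft\Windows\CurrentVersion\Run, flags Run entries whose target lives in the user-writable drop directory or matches one of the reported names, and lists any of those files that are present. The file names are the ones reported in the post; everything else is assumed.

```powershell
# Added example, not part of the original analysis. Looks for the persistence
# described in the post: an HKCU Run entry pointing at a dropped executable.
$RunKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # assumed expansion of HKCU\Software\MS\Win\CV\Run
$DropDir      = Join-Path $env:APPDATA 'Microsoft'                      # %APPDATA% = ...\Application Data on 2000/XP
$SuspectNames = @('ra32.exe', 'lanext.dll', 'lanman.dll')               # names reported in the post

function Get-RunTargetPath {
    # Extract the executable path from a Run command line, quoted or not, and expand %VARS%.
    param([Parameter(Mandatory)][string]$CommandLine)
    $exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-SuspiciousRunEntries {
    $props = Get-ItemProperty -LiteralPath $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }             # skip PSPath/PSParentPath/... metadata
        $cmd = [string]$p.Value
        $exe = Get-RunTargetPath -CommandLine $cmd
        $inDropDir = $exe.StartsWith($DropDir, [StringComparison]::OrdinalIgnoreCase)
        $nameHit   = $SuspectNames -contains [IO.Path]::GetFileName($exe)
        # Anything launched from a user-writable location deserves a look, not only the known names.
        if ($inDropDir -or $nameHit) {
            [pscustomobject]@{
                Entry   = $p.Name
                Command = $cmd
                Target  = $exe
                Exists  = (Test-Path -LiteralPath $exe)
                Reason  = if ($nameHit) { 'known name' } else { 'runs from Application Data' }
            }
        }
    }
}

function Get-DroppedFiles {
    if (-not (Test-Path -LiteralPath $DropDir)) { return }
    Get-ChildItem -LiteralPath $DropDir -File -ErrorAction SilentlyContinue |
        Where-Object { $SuspectNames -contains $_.Name } |
        Select-Object FullName, Length, LastWriteTime
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
Get-DroppedFiles        | Format-Table -AutoSize
```

The name match is the weak half of this: a new build of the dropper can rename all three files. The location check is the durable one, since a standard user cannot write to Program Files or System32 (the point made earlier in the thread) and so has nowhere but the profile to drop a binary, which is why "Run entry pointing into the user's own profile" is worth reviewing on any machine, not just after this particular e-card. Running the check per user matters too: HKCU is per profile, so a machine shared by several accounts needs each one inspected.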