Beware of a new round of Storm Trojan e-card scams
The infamous Storm Trojan Botnet has reawakened after a brief sleep. It last made its appearance towards the end of January, stayed active until Valentine's Day, then disappeared. Since July 2007 the Storm Botnet has been best known for sending out spam messages containing links to view e-cards or postcards. All of the resulting web pages are hosted on other Storm-infected, botnetted computers, and all of the links lead to your PC being infected with the same Trojan.
One of the things that made Storm Trojan links stand out last year was that most of them used numeric IP addresses rather than domain names. These links resemble this example: ht*p://123.123.123.123/ (some garbage characters may follow). During the last quarter of 2007 the Botnet began using actual registered domain names to reach the target host computers, which are managed on what is known as a Fast-Flux DNS network. Most of these domain names were registered within a few days of the spam run and are usually allowed to die shortly thereafter.
The Storm has become active again and is once again spamming out email messages about e-cards and postcards, most containing the good old numeric IP links. All of the targets are infected PCs, and if you are duped into clicking on a link to such a target, exploits await you, including an automatic download of the Trojan. Should this fail, you will be enticed to click on a link or an image to begin your download, supposedly to view your e-card/postcard. At this point, if you are running a Windows-based computer with Administrator-level privileges, your PC is about to become a zombie member of the Storm Botnet.
If you receive one of these e-card/postcard notices, delete it immediately. If the sender looks like a name you know, check the email address to see if it matches that name. If in doubt, contact that person to see if they knowingly sent you an e-card from that particular e-card company. Chances are they won't know anything about it. You see, the names and addresses used in the From fields are all harvested from infected computers' contact lists and address books. All spam email messages since late 2006 have totally forged From and Reply-To email addresses. The people whose names and addresses are being used have no idea this is happening and cannot stop it. If you have sent an email to somebody whose computer gets infected with an email-harvesting Trojan or worm, your email address will not only receive spam, but will be used in forged From and Reply-To fields of spam messages. There is nothing you can do about this. Even my accounts have been harvested from computers of customers and friends, and I see spam coming to me, supposedly From me!
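The two tells described above, a link whose host is a bare numeric IP address rather than a domain name, and a From display name that does not match the mailbox it is paired with, can be checked mechanically before anyone clicks. The following is an added example (not code from the original post or from any product it mentions): a small Python triage script that parses a raw email message, looks for e-card/postcard wording, lists any URLs with literal IP hosts, and applies a simple, assumed heuristic for name-versus-address mismatch. The sample messages are constructed for illustration and use the 192.0.2.0/24 documentation address range; the function and variable names are this example's own.

```python
# Added example (not from the original post): a defender-side triage check for
# the e-card spam pattern described above. It flags messages whose subject or
# body mentions an e-card/postcard, whose links use a bare numeric IP address
# instead of a domain name, and whose From display name does not resemble the
# address it is paired with. Sample messages are constructed; 192.0.2.0/24 is a
# documentation-only range, not a real host.
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ECARD_WORDS = ("e-card", "ecard", "postcard", "greeting card")


def has_numeric_ip_host(url: str) -> bool:
    """True when the URL's host is a literal IPv4/IPv6 address rather than a name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def display_name_matches_address(from_header: str) -> bool:
    """Heuristic (an assumption of this example, not a standard): the display
    name is considered consistent with the address when at least one name token
    of 3+ letters appears in the mailbox local part. With no display name there
    is nothing to compare, so the header is not flagged."""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return True
    local = re.sub(r"[^a-z]", "", addr.split("@", 1)[0].lower())
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) >= 3]
    if not tokens:
        return True
    return any(t in local for t in tokens)


def extract_text(msg) -> str:
    """Collect the decoded text of every text/plain and text/html part."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    return "\n".join(parts)


def triage_message(raw: str) -> dict:
    """Return the indicators found in one RFC 822 message plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    text = extract_text(msg)
    haystack = (subject + "\n" + text).lower()
    urls = URL_RE.findall(text)
    result = {
        "ecard_wording": any(w in haystack for w in ECARD_WORDS),
        "numeric_ip_urls": [u for u in urls if has_numeric_ip_host(u)],
        "from_mismatch": not display_name_matches_address(str(msg.get("From", "") or "")),
    }
    # An e-card lure pointing at a bare IP is the pattern the post describes;
    # a mismatched From display name strengthens the call but is not required.
    result["verdict"] = (
        "suspect" if result["ecard_wording"] and result["numeric_ip_urls"] else "ok"
    )
    return result


# Constructed sample messages for a stand-alone run.
STORM_STYLE = """From: "Jane Doe" <qwv7@example.net>
To: you@example.com
Subject: You've received a postcard from a family member!
Content-Type: text/plain; charset="us-ascii"

Hello! Your family member has sent you a postcard.
View it here: http://192.0.2.45/?a1b2c3
"""

BENIGN = """From: "Alice Example" <alice@example.org>
To: you@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="us-ascii"

Menu is at http://www.example.org/menu if you want to pick.
"""

if __name__ == "__main__":
    for raw in (STORM_STYLE, BENIGN):
        print(triage_message(raw))
```

Run against a mailbox export, the verdict is only a first filter: a bare-IP link is a strong signal on its own, while the display-name heuristic will produce false positives for nicknames and role mailboxes, so treat a mismatch as a prompt to confirm with the apparent sender out of band, as the post advises, rather than as proof on its own.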
Unwanted E-Card/Postcard = DELETE! Leave the Curious George stuff to professionals like me and the anti-exploitation labs.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.