Beware of "New Year" email "Postcard" threats
This is a heads up to you all to beware of a new round of Storm Trojan email threats now making the rounds. They contain a New Year subject, one line of body text, and on the second line a link containing the word "postcard" or a variation thereof. Do not click on this link. Delete the message. The destination is a Storm Worm Trojan infected computer running a small Nginx web server with but one page. That page contains code to instantly redirect you to an automatic download location, where you will receive your very own copy of the Storm Trojan. If you visit the first page with JavaScript disabled, you will instead be presented with an enticement to manually install the Trojan in order to view your "postcard." Not! The three spammed email messages I analyzed this morning all contained variations of the following two lines of deactivated (defanged) text:
As the new year...
h**p://uhavepostcard.***/
That URL was spammed out on Christmas Day, three days ago. The current Storm Trojan spam messages now link to happycards2008.com, newyearcards2008.com, or familypostcards2008.com, which are different domains from those used in the attacks that began on Christmas Day, and more changes are expected over this weekend.
The emails I have analyzed so far today led to infected computers whose web pages contain a clickable link to a locally hosted file named "happy-2008.exe" or "happynewyear.exe," which is the Storm Trojan itself. The infected host computers are zombie members of the Storm Botnet and are all over the world. The redirects in them lead to exploited servers, similarly all over the world. These servers have been compromised over the year in anticipation of serving up payloads on demand. They are zombie servers in that no unusual activity would be noticed from them until people start arriving via redirects from infected PCs. Unless people report these infected servers they will remain online long enough to do a lot of damage. One way to report them is to become a reporting member of SpamCop.
If, like me, you use an anti-spam front end for your email client, such as MailWasher Pro, and it allows you to create regular-expression spam filters, try adding these rules to detect the Storm Postcard threats:
UPDATED 12/30/2007 to add new target domain names and shorter RegExpr.
The subject contains any of these words: (e-)card, greeting, postcard, New Year, or New 2008 Year;
AND the body contains any of the same words;
AND the body contains a hyperlink matching this regular expression:
http://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.+postcards?|newyearwithlove|.+cards2008)\.com)
Here is that entire updated rule in MailWasher Pro format, for use in the MailWasher filters.txt file (this rule must be on one long line):
[enabled],"Postcard Trojan Scam","Postcard Scam",16711680,AND,Delete,Automatic,Subject,containsRE,"\b(e-?)?(card|greeting|postcard|new\ year|Happy\ 2008!|New\ Hope\ and\ New\ Beginnings|new\s.*year)",Body,containsRE,"\b((e-?)?(post|greeting\s)?card)|new\ year\b",Body,containsRE,"\bhttp://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/|(.+postcards?|newyearwithlove|.+cards2008)\.com)"
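To see how the three ANDed conditions of that rule behave on actual messages, here is an added example (not MailWasher code and not part of the original post) that applies the same three regular expressions with Python's re module to constructed sample messages. It assumes MailWasher's containsRE test is case-insensitive, as the mixed capitalization in the rule suggests, and that the rule fires only when the Subject test and both Body tests all match. The last sample shows a caveat worth knowing: the leading ".+" in the URL test means any domain ending in postcards.com (or cards2008.com) trips the rule, not only the Storm domains listed above.

```python
"""Apply the three-part "Postcard Trojan Scam" rule to sample messages.

Added illustration, not MailWasher code.  Assumes case-insensitive matching
and that the rule fires only when all three conditions hold (it is an AND).
"""
import email
import re
from email import policy

# Patterns copied from the filters.txt rule above: Subject, Body words, Body URL.
SUBJECT_RE = re.compile(
    r"\b(e-?)?(card|greeting|postcard|new\ year|Happy\ 2008!"
    r"|New\ Hope\ and\ New\ Beginnings|new\s.*year)",
    re.IGNORECASE,
)
BODY_WORDS_RE = re.compile(
    r"\b((e-?)?(post|greeting\s)?card)|new\ year\b", re.IGNORECASE
)
BODY_URL_RE = re.compile(
    r"\bhttp://(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"
    r"|(.+postcards?|newyearwithlove|.+cards2008)\.com)",
    re.IGNORECASE,
)


def classify(raw_message: str) -> dict:
    """Parse an RFC 822 message and report which rule conditions matched.

    Returns a dict: "flagged" (all three hit), "subject", "words" (booleans)
    and "url" (the text matched by the URL test, or None).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    subject_hit = SUBJECT_RE.search(subject) is not None
    words_hit = BODY_WORDS_RE.search(text) is not None
    url_hit = BODY_URL_RE.search(text)
    return {
        "flagged": subject_hit and words_hit and url_hit is not None,
        "subject": subject_hit,
        "words": words_hit,
        "url": url_hit.group(0) if url_hit else None,
    }


# Constructed sample messages (not real captures); addresses use example.* names.
STORM_DOMAIN = """\
From: someone@example.net
Subject: Happy New Year!

As the new year...
http://familypostcards2008.com/
"""

STORM_IP = """\
From: friend@example.net
Subject: Happy 2008!

You have received a postcard from a friend.
http://192.0.2.17/
"""

# Subject and body words match, but the link is not a bare IP or a listed
# domain, so the AND fails and the message is left alone.
LEGIT = """\
From: colleague@example.org
Subject: Happy New Year from the team

Wishing you a happy new year. The January agenda is at
http://intranet.example.org/agenda
"""

# Caveat: a legitimate e-card site whose name merely ends in "postcards"
# also trips the URL test, because ".+" accepts any prefix before it.
OVERMATCH = """\
From: cards@example.com
Subject: Your greeting card is waiting

A friend sent you a greeting card. View it at
http://www.holidaypostcards.com/view?id=123
"""

if __name__ == "__main__":
    for name, sample in [("storm-domain", STORM_DOMAIN), ("storm-ip", STORM_IP),
                         ("legit", LEGIT), ("overmatch", OVERMATCH)]:
        print(name, classify(sample))
```

Run it and the two Storm-style samples and the overmatch sample come back flagged while the legitimate greeting does not; if false positives on real e-card sites matter to you, tighten the two ".+" alternatives to the specific domains you have seen.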
I am posting updates as I detect changes to the target domain names or subject/body text. Remember, the authors of the Storm Trojan constantly alter the text and payload URLs to fool spam filters and people. If you are not screening your incoming POP email, you leave your computer at risk should one of these threats fool you into clicking on a link to an infected computer or server. I have a full page describing the email screening program MailWasher Pro, with links where you can download it for a free trial. It is very inexpensive to license for the life of the product; you don't have to pay for version updates like you do with most security programs these days. The only recurring charge associated with MailWasher Pro is voluntary membership in their managed spam reporting group, called FirstAlert.
MailWasher Pro is free to try for 30 days and costs only $37.00 to register, which includes a one-year renewable subscription to the FirstAlert! spam reporting system, plus free MailWasher program updates for life.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.