Valentine's Flash - Tainted Love

Filed Under: Malware, SophosLabs, Spam

It made a change today to see malware in a Valentine's-based spam run that wasn't related to Dorf. Nor was it a Pushdo, nor even a Zapchas (though we've seen some of those this week too).

Today's spam looked very similar to something we've actually seen before, but last time with a Christmas theme - a flash-based ecard attack.

The email itself doesn't look that different from all the other ecard-based campaigns we've been seeing recently, but it's what happens when you eagerly try to get your card that's slightly more interesting.

Clicking on the link takes you to a page that immediately redirects you to the page maln.php at the same domain, detected by Sophos as Troj/Flamgo-A. The first time you visit this page it attempts to set a cookie called "vizited" before taking you to view.htm. If you go back to the page later it looks for that cookie; if it finds it, it knows it has already tried to infect you and sends you straight to the real AmericanGreetings.com website. In other words, if you have the cookie, it won't try to infect you again.

In fact it does more than this - if you visit maln.php from the same IP twice, it won't even load the code that checks and sets the cookie - it knows your IP, and it knows you've visited before, so it takes you directly to the legitimate AmericanGreetings.com page. So if you visit the page twice from the same fixed IP address, or if you change your IP but save the "vizited" cookie, then you won't be taken to the next link in the malware chain. Good job analysts like us have ways around this sort of thing.

The page view.html (also detected as Troj/Flamgo-A) looks pretty clean at first glance, with repeated references to the legitimate domain all over the place, and it is easy to miss that the one reference to the file ultrashim.cab is actually linking to www.americangreetings.malicious domain.com.
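The two tells described above, the maln.php -> view.htm -> ultrashim.cab sequence and a .cab fetched from a host that borrows the AmericanGreetings name without being americangreetings.com, can be spotted in outbound proxy logs. The following is an added example written for this post, not code from Sophos; the log format and the hostnames ecard-lure.example and www.americangreetings.lookalike.example are constructed stand-ins.

```python
import re
from urllib.parse import urlparse

LEGIT_HOST = "americangreetings.com"   # the real site the chain finally lands on
BRAND = "americangreetings"            # brand string abused in the lookalike host

# Constructed proxy log lines (not from the original post): timestamp, client IP, URL, status.
SAMPLE_LOG = """\
2008-02-12T10:01:02 10.0.0.5 http://ecard-lure.example/index.php 302
2008-02-12T10:01:03 10.0.0.5 http://ecard-lure.example/maln.php 200
2008-02-12T10:01:04 10.0.0.5 http://ecard-lure.example/view.htm 200
2008-02-12T10:01:06 10.0.0.5 http://www.americangreetings.lookalike.example/ultrashim.cab 200
2008-02-12T10:05:00 10.0.0.9 http://www.americangreetings.com/ecard/view.pd 200
2008-02-12T10:07:00 10.0.0.7 http://ecard-lure.example/maln.php 200
2008-02-12T10:07:01 10.0.0.7 http://www.americangreetings.com/ 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def is_lookalike_host(host: str) -> bool:
    """True if the host trades on the brand but is neither the real site nor a subdomain of it."""
    host = host.lower().rstrip(".")
    if host == LEGIT_HOST or host.endswith("." + LEGIT_HOST):
        return False
    return BRAND in host

def chain_stages(log_text: str) -> dict:
    """Map each client IP to the furthest chain stage it reached:
    1 = maln.php redirector, 2 = view.htm, 3 = .cab fetched from a lookalike host."""
    stages = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, url, _status = m.groups()
        parsed = urlparse(url)
        path, host = parsed.path.lower(), (parsed.hostname or "")
        stage = stages.get(client, 0)
        if path.endswith("/maln.php") and stage == 0:
            stages[client] = 1
        elif path.endswith(("/view.htm", "/view.html")) and stage == 1:
            stages[client] = 2
        elif path.endswith(".cab") and stage == 2 and is_lookalike_host(host):
            stages[client] = 3
    return stages

def full_chain_clients(log_text: str) -> list:
    """Clients that pulled the payload; those stuck at stage 1 were likely gated by the cookie/IP check."""
    return sorted(c for c, s in chain_stages(log_text).items() if s == 3)
```

A client that hit maln.php but went straight to the real site afterwards (10.0.0.7 in the sample) is consistent with the repeat-visitor gating and still deserves a look, since the first visit from that address may have happened elsewhere.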

Ultrashim.cab is normally a valid Macromedia Flash filename, and is a very good example of why you can't trust files based on name alone. It's pointed to in a similar way to last time so that it appears that Flash is asking you to download an update. But don't be fooled, you definitely don't want this "update".

The cab file is detected specifically as Troj/Zbot-E or proactively as Mal/Behav-191, and it contains the files update.exe and install.inf, both also detected as Troj/Zbot-E. At Christmas the cab was Cimuz-related, so I'd definitely suggest that this malware is by the same author.

The file update.exe is the main bot component, while install.inf contains a line that launches Microsoft Internet Explorer and causes it to load, you guessed it, AmericanGreetings.com.

You clicked on a link that you thought pointed you to an ecard website, and after okaying a regular-looking update request you actually ended up at that website. All this means that, without adequate protection, you might not even notice that your love-filled message carries a nasty surprise ...
