Monkeying around with postcards and ecards

Filed Under: Malware, SophosLabs

The predictability of the social engineering used by malware authors is one of the few things we can be certain about at Christmas (see Samir's post here). True to form, over the past days and weeks a variety of malware spammed out with Christmas or New Year themed social engineering has been floating around. This post serves as a warning to those who are not already aware of the risks of blindly running attachments or clicking links in such email.

Aside from the usual postcard and e-card malware, this year brings a Flash-driven Happy Christmas greetings cartoon known as 'Christmas Monkeys'. The malware authors have taken innocent Flash content (freely available online) and bundled it with a backdoor Trojan in a dropper named Christmas Monkeys.exe, which then appears to have been spammed out to victims.

When run, however, you get more than a couple of harmless cartoon monkeys for your trouble. The dropper extracts the backdoor Trojan to the temp folder (as b.exe) and silently executes it. The harmless Flash cartoon is then played by a copy of the Macromedia Flash Player, extracted as a.exe to the same folder, so the victim sees exactly what the email promised.

Of course, the victim is so wrapped up in the monkeys that they are unlikely to notice any suspicious activity on the machine.

That is, unless they have Sophos installed, in which case they would have been alerted the moment the backdoor Trojan (b.exe) was written to the temp folder.

Thanks to proactive detection of the backdoor component (as Mal/Rootkit-A), the backdoor is blocked before it can be installed. Detection for the top-level dropper has also been added (as Troj/Agent-IMV).
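A dropper of this kind is just a carrier: the Flash player and the backdoor are sitting inside it as complete executables, so an analyst can pull them out statically rather than running the sample. The script below is an added example (not SophosLabs code) of that carving: it walks a file looking for DOS headers whose e_lfanew field points at a valid PE signature, then splits the buffer at each hit. The SAMPLE bytes are constructed PE-shaped blobs built by the helper, not the real Christmas Monkeys dropper; the e_lfanew range check is a heuristic of the example, not a format rule.

```python
"""Locate and carve executables embedded inside a dropper (added example)."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def find_embedded_pe(data: bytes) -> list:
    """Return one record per plausible PE image found in the buffer.

    A hit requires an 'MZ' stub whose e_lfanew (DWORD at offset 0x3C of the
    DOS header) points at a 'PE\\0\\0' signature inside the buffer. That
    filters out the many stray 'MZ' byte pairs in ordinary data.
    """
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):  # need the full 64-byte DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Heuristic range: real files put the PE header shortly after
            # the DOS stub; huge or tiny values are almost always noise.
            if (0x40 <= e_lfanew < 0x4000
                    and pe + 24 <= len(data)
                    and data[pe:pe + 4] == PE_SIG):
                # COFF header: Machine (H) and NumberOfSections (H) follow the signature
                machine, nsections = struct.unpack_from("<HH", data, pe + 4)
                hits.append({"offset": pos, "machine": hex(machine), "sections": nsections})
        pos = data.find(MZ, pos + 1)
    return hits


def carve(data: bytes, hits: list) -> list:
    """Split the buffer at each PE start; the last payload runs to end of file.

    Trailing data belongs to the preceding image (real droppers often store
    their payloads in the overlay), so the split points are the next 'MZ'.
    """
    starts = [h["offset"] for h in hits]
    ends = starts[1:] + [len(data)]
    return [data[s:e] for s, e in zip(starts, ends)]


def make_fake_pe(payload: bytes) -> bytes:
    """Build a minimal PE-shaped blob for demonstration (constructed, not real malware).

    Layout: 0x80-byte DOS header with e_lfanew = 0x80, then 'PE\\0\\0' and a
    20-byte COFF header (i386, 3 sections), then the caller's payload bytes.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + coff + payload


# Constructed sample: a dropper-like stub followed by two bundled executables,
# mirroring the a.exe (player) + b.exe (backdoor) layout described above.
SAMPLE = (make_fake_pe(b"dropper code ")
          + make_fake_pe(b"a.exe flash player ")
          + make_fake_pe(b"b.exe backdoor"))

if __name__ == "__main__":
    found = find_embedded_pe(SAMPLE)
    for rec, blob in zip(found, carve(SAMPLE, found)):
        print(f"PE at offset {rec['offset']:#x}: machine={rec['machine']} "
              f"sections={rec['sections']} size={len(blob)}")
```

On a real dropper the first hit is the dropper itself and each later hit is a payload to hash, scan and analyse separately; compressed or encrypted payloads will not show up this way and need the dropper's unpacking routine instead.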

Users should not be suspicious only of email attachments. Another family active over the past few days is W32/Waled, a worm that sends emails containing a link to a spoof greeting card site.

Clicking on the link takes the victim to the malicious drop site (a variety of domains are in use).

Clicking on the image prompts the victim to download and run a copy of the worm (as postcard.exe), which is detected as W32/Waled-D. Additionally, a malicious script on the page attempts to load content from another remote site in order to exploit a variety of browser vulnerabilities: effective insurance for the attackers in case common sense switches back on and the victim does not click the image.
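Both halves of that page can be spotted in a saved copy without visiting the site: a link whose target is an executable, and a script or frame fetched from a host other than the one serving the page. The following is an added example (not Sophos code) of a small triage pass over such HTML. The page, its URL and the hostnames card-site.example and exploit-host.example are constructed placeholders, not the real Waled drop site.

```python
"""Flag executable downloads and off-site scripts/frames in a saved web page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Extensions that Windows will happily run when double-clicked from a download prompt
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


class PageTriage(HTMLParser):
    """Collect (finding-type, url) pairs while parsing the page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            # Content pulled from a second host is how the exploit page above
            # gets its payload without hosting it on the card site itself.
            self._check_remote(tag, a["src"])
        elif tag == "a" and a.get("href"):
            href = urljoin(self.page_url, a["href"])  # resolve relative links
            if urlparse(href).path.lower().endswith(EXEC_SUFFIXES):
                self.findings.append(("exe-download", href))

    def _check_remote(self, kind: str, src: str):
        url = urljoin(self.page_url, src)
        host = urlparse(url).hostname
        if host and host != self.page_host:
            self.findings.append((f"remote-{kind}", url))


def triage(page_url: str, html: str) -> list:
    """Return all findings for one page, in document order."""
    parser = PageTriage(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: same shape as the spoof card site described above.
PAGE_URL = "http://card-site.example/cards/view.php?id=1234"
SAMPLE_HTML = """<html><head><title>You have received a greeting card!</title>
<script src="http://exploit-host.example/load.js"></script>
</head><body>
<a href="postcard.exe"><img src="/img/card.gif" alt="View your card"></a>
<a href="/about.html">About us</a>
<script src="/js/ui.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, url in triage(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:15} {url}")
```

This only sees what is in the static markup. A script that builds its iframe or fetch at runtime, as many exploit kits do, is invisible to it, so the remote-script finding is the cue to pull that script down (from a sandboxed analysis box, not the victim's machine) and read it.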

In summary, the same old predictable tricks. After a couple of days there should be a respite, before it all begins again in a few weeks, in time for Valentine's Day.
