Infectious Greetings: Ecards, Storms and Dorfs

I read a very good summary on ZDNet’s website of the ecard campaigns we have been discussing for what seems like months now.

The evolution of this particular family of malware is interesting, not least because of how long it has been going on and the evolving social engineering techniques used.

The malware campaign started with fake news stories about storms which hit Europe back in January, then evolved into headlines about missiles shooting down satellites. The attackers then moved on to sending expressions of love around St Valentine’s day. At this point the malware was still being distributed as an email attachment.

The change came when the malware author shifted to hosting his malicious code on compromised machines, so that the spam messages simply contained a link. Then came a stream of ‘greetings cards’ purporting to celebrate any event conceivable.

This shift, and the migration away from email attachments to web-based threats, illustrates a growing trend across all malware, and not just the Ecard/Storm/Dorf ‘family’.

As well as seeding a campaign with spam, malware authors are shifting towards so-called ‘drive by’ infections. Around 80% of the webpages hosting malicious code that we find are legitimate websites that have been hacked. Effectively, the malware authors are letting the search engines direct users to the malware. A user searching for information about their favourite football team or TV show risks getting infected when they visit the website. Hundreds of compromised webpages have small ‘iframes’ inserted in their HTML code that direct the user silently to a single piece of malware.
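To make the injected-iframe pattern concrete from the defender's side, here is an added example (not code from the original post or from Sophos) that scans a page's HTML for iframes with the tell-tale properties described above: tiny or zero dimensions, CSS hiding, and a source on a host other than the page itself. The sample page and the hostnames in it are constructed for the example; the heuristics are assumptions about what a silent inject typically looks like, not a complete detection rule.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample page: a legitimate-looking fan site with one normal
# video embed and one injected, hidden iframe. Hostnames are hypothetical.
SAMPLE_HTML = """
<html><head><title>Fan site</title></head>
<body>
<h1>Match reports</h1>
<iframe src="https://videos.example.org/embed/123" width="640" height="360"></iframe>
<p>Latest news...</p>
<iframe src="http://attacker-host.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value); value may be None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values such as "0", "1", "0px", "1px"."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def _is_hidden_style(style):
    """True when the inline style hides the element from the user."""
    s = (style or "").lower().replace(" ", "")
    return "display:none" in s or "visibility:hidden" in s


def find_suspicious_iframes(html, page_url):
    """Return a list of (src, reasons) for iframes that look like silent injections.

    A third-party iframe on its own is normal (video embeds, adverts), so it is
    only reported when it is also tiny or hidden.
    """
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("tiny dimensions")
        if _is_hidden_style(attrs.get("style")):
            reasons.append("hidden via CSS")
        src_host = urlparse(src).hostname
        if src_host and page_host and src_host != page_host:
            reasons.append("third-party host")
        if any(r != "third-party host" for r in reasons):
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "http://fansite.example.com/news"):
        print(f"SUSPICIOUS iframe -> {src}: {', '.join(reasons)}")
```

Run against the sample, the 640x360 video embed is left alone while the 1x1 hidden iframe pointing at the hypothetical `attacker-host.invalid` is reported with all three reasons. In practice a check like this belongs in a site owner's periodic integrity scan or a web gateway's content inspection, alongside a reputation lookup on the iframe's destination.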

For enterprises this means that traditional productivity filtering of websites – in other words, stopping users visiting certain categories of website such as adult, gaming, etc – is not enough to provide security.

The Sophos approach is different in that we block sites by security risk before productivity, so if a website is hosting malicious content, it will be blocked regardless of the category.

As previous blog entries have shown, some of these websites are not ones that would normally be blocked for productivity reasons.