Avinti, a developer of proactive e-mail security solutions, has issued a security alert about a new e-mail attack that disguises malicious code behind a seemingly harmless e-greeting. This latest e-mail attack is part of a recent increase in spam-like greetings that encourage users to click on a link in the body of the e-mail to view an apparently legitimate site; the link instead leads to malicious code or malware. The latest version of this type of blended threat uses the subject line “Movie-quality ecard” and provides the sender's e-mail address to trick the recipient into clicking on the harmful link.
“Clicking on the Web site address link in the e-mail triggers an installation of one or two files on the user’s machine, designed to capture user data. There is no user intervention required; the download is automatic,” said Dave Green, Avinti’s CTO. “The e-mail appears as plain text but most e-mail clients pick up the plain-text URL and highlight it for the user to click on,” he added. “So the e-mail, as plain text, will pass through other antivirus (AV) gateways completely undetected. In case the Web address doesn’t get highlighted, the e-mail also encourages users to copy and paste the URL into their browser.”
The links lead to IP addresses in various locations, including the U.S. and Eastern Europe, and many that are registered to U.S. Internet Service Providers (ISPs). Some addresses have been associated with previous exploits, and others from ISPs are actually personal computers that have been infected with the malicious code to execute this exploit. The downloaded files are new variants of the Storm Worm that was first detected in January 2007. “Online scanner Virustotal.com shows about one-third of AV vendors tested do not detect the malware,” said Green. “However, because this comes through as a blended threat e-mail, it will completely bypass AV products because there is no attached file to scan.”
Blended threat attacks have risen, as hackers have increasingly used the tactic to circumvent detection by traditional signature-based AV products. Several versions of e-mails have been used in the last few weeks, all carrying URL-based blended threats, under subject lines such as Animated Postcard, Greeting eCard, and Neighbor Sent You a Greeting. The e-mails often include highlighted domains of reputable Web sites, including postcards.com, egreetings.com, netfuncards.com, hallmark.com, and 2000greetings.com. Other versions will certainly appear as hackers are quickly changing e-mail names, domain names, URLs, and IP addresses to avoid detection.
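The alert above describes why signature-based gateways miss these messages: the e-mail is plain text, carries no attachment, and relies on the mail client auto-linking a bare URL (often a raw IP address) under an e-card subject line. The following is an added example of the kind of content heuristic a mail gateway or SOC triage script can apply to such messages; it is not Avinti's code or any product's logic. The subject-line lures are the ones quoted in the alert, the two sample messages are constructed for this example, and the `192.0.2.10` address is a documentation-range placeholder rather than a real indicator.

```python
import re
from email import message_from_string
from email.message import Message

# Subject lines quoted in the Avinti alert; a real deployment would keep this
# list in a feed rather than in code.
LURE_SUBJECTS = (
    "movie-quality ecard",
    "animated postcard",
    "greeting ecard",
    "neighbor sent you a greeting",
)

# A URL with or without a scheme; group 1 captures the host (dotted IPv4 or domain).
# Mail clients auto-link exactly this kind of bare text, which is what the attack relies on.
URL_RE = re.compile(
    r"(?:https?://)?((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(?::\d+)?(?:/[^\s<>\"']*)?",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (single- or multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def extract_hosts(text: str) -> list:
    """Return the host portion of every URL-looking token in the text."""
    return [m.group(1) for m in URL_RE.finditer(text)]


def score_message(raw: str) -> dict:
    """Flag e-card lures that deliver a URL instead of an attachment.

    Decision rule (an assumption of this example, not a vendor's):
    any URL pointing at a bare IP address is enough on its own; otherwise a
    known lure subject combined with any URL triggers quarantine. The
    'copy and paste' hint is recorded as corroborating evidence only.
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    text = body_text(msg)
    hosts = extract_hosts(text)
    ip_hosts = [h for h in hosts if IPV4_RE.match(h)]
    lure = any(s in subject for s in LURE_SUBJECTS)

    reasons = []
    if lure:
        reasons.append("subject matches a known e-card lure")
    if ip_hosts:
        reasons.append("body URL points at a bare IP address: " + ", ".join(ip_hosts))
    if hosts and "copy and paste" in text.lower():
        reasons.append("body asks the reader to copy and paste a URL")

    return {
        "hosts": hosts,
        "ip_hosts": ip_hosts,
        "reasons": reasons,
        "suspicious": bool(ip_hosts) or (lure and bool(hosts)),
    }


# Constructed sample messages for demonstration; not real captures.
LURE_MAIL = """\
From: greeting-sender@example.net
Subject: Movie-quality ecard
Content-Type: text/plain

Your friend has sent you a Movie-quality ecard.
View it at http://192.0.2.10/ecard
If the link is not highlighted, copy and paste the address into your browser.
"""

BENIGN_MAIL = """\
From: it-helpdesk@example.com
Subject: Maintenance window Saturday
Content-Type: text/plain

The VPN gateway will be offline 02:00-03:00 UTC. Details: https://intranet.example.com/maint
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_MAIL), ("benign", BENIGN_MAIL)):
        print(name, score_message(raw))
```

The IP-address rule carries the most weight because, as the alert notes, the lures resolve to raw addresses on ISP ranges and compromised home machines rather than to the reputable greeting-card domains whose names appear in the message text; a reputable-looking domain mentioned in the body is therefore no evidence of safety, and the script deliberately does not whitelist on it.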
“This shouldn’t be classified as spam,” said Green. “There is no motivation to get the user to buy anything or pump up stock prices. These e-mails should be considered malware attacks as they are attempts by hackers to infect machines with malware to steal data and propagate their network of bots. Users should take caution with any variations of these e-mails and should never click on the URLs or IP addresses highlighted in the e-mail.”
Avinti’s iSolation Server, a proactive e-mail security solution, stops stealthy, complicated threats such as this attack and other zero-day malware attacks, targeted threats, blended threats, and mass variants. Its patent-pending technology complements existing security solutions by detecting threats without having to rely on signatures. Avinti’s approach is unique because it safely observes the actual behavior of potentially threatening messages, rather than relying on reactive signature-based approaches.