My Pet Goat
The "Dear darling" email that appeared to come from 123Greetings.com was indeed botnet-related malware. It wasn't especially original; it used mIRC as an IRC client and also tried to drop a copy of desktop.exe (a nasty but known backdoor) into the system folder. Even the "greeting card" graphics idea had been done before in 2003 and 2005. (See http://www.sophos.com/pressoffice/news/articles/2005/06/va_ldpinchbd.html .) So I'd guess that the attackers may have been closer to script kiddies than "elite" hackers. However, judging from the traffic on the botnet channel, it still infected a lot of machines.

There are some related articles on security websites:
http://fortinet.com/VirusEncyclopedia/encysearch.jsp?fid=125163
http://www.security.iia.net.au/australian_resources/security_issues/current_iia_alerts.html
http://www.spamwars.com/

Many geeks actively despise botnets, and some well-intentioned technical people took creative steps to combat this one. I was impressed by their initiative, but dismayed that the "official" response had been so slow. Perhaps one of the most telling things is the fact that the infected .EXE file is still on the machine that has been hosting it (as of this afternoon).

Current Mood: thoughtful

Based on the comments by simplypeachy, here are some suggestions about how to repair damage caused by the "greeting card" malware discussed in the previous posts. Corrections and suggestions are welcome.


It definitely appears to be a botnet. The compromised machines are all connecting to the channel #Scorpi's-world on Undernet. The folks controlling it may be hanging out on channel #CS - when I tried to check that out, I got kick-banned from both #CS and #Scorpi's-world.

Anyhow, some of the users with operator privileges appear to be issuing commands both to the server and to other users. There's one guy who's been doing this both as IRC user "Raphaello" and "ScorpiMAD." I've seen stuff like

12:34 <@ScorpiMAD> !raw //run http://world2.monstersgame.co.uk/?ac=vid&vid=31045345

This appears to be a contest related to the number of views a page gets. So it looks like our boy may have an interest in click fraud.

Here's the whois information for our friend ScorpiMAD:

13:09 -!- ScorpiMAD [~Scorpiutz@Fulgerica.users.undernet.org]
13:09 -!- ircname : Scorpiutz *
13:09 -!- channels : /wjho+#WH #radiodordetara @#miha @#MAD @#linuxteam +#E-MaiL #desc #de.puta.madre @#cs
13:09 -!- server : *.undernet.org [The Undernet Underworld]
13:09 -!- : Fulgerica
13:09 -!- End of WHOIS

There are so many machines connected right now that the channel is almost full. Someone suggested that I talk to the Undernet admins, so I'll try that.

Update: Please don't attempt to join any of the channels - people are working to deal with the problem.

Current Mood: hopeful

simplypeachy made an excellent follow-up comment, which I'm reposting here. He noticed a connection to an IRC channel, which would be consistent with a botnet.
FWIW, I'm watching #Scorpi's-World on undernet, and it has a LOT of users, and no conversation at this point. Not exactly what you'd expect to see on a legitimate IRC channel. I'm logging it to a file called "scorpiscum" and can post if anyone's interested.

Update: Please don't attempt to join any of the channels - people are working to deal with the problem.


David Stein and I both got curious about the "Greeting Card" trojan file, and took a closer look at http://1077724866/e-card.html (specifically http://64.60.198.194/GreetingCardNr0410112528543.flash.exe). He used a hex editor, and I used REC 2.0, a decompiler. We noticed some things that definitely weren't consistent with a Flash greeting card application.

There are some strings that look like registry keys ("Software\Microsoft\Windows\CurrentVersion", "Microsoft\Internet Explorer\Quick Launch"), and it appears to query and set Windows registry values.

But some of the procedures and system calls are even more fascinating. It does appear to display graphics and play sounds, sort of like you'd expect from a greeting card. But that's not all it does. It takes quite an interest in system security, making calls related to auditing, file security, accounts, and privileges. There's also quite a bit of stuff apparently related to the keyboard, which makes me wonder if there's some keylogger software. There's also a lot of networking code, both WinAPI and "generic" C calls.

Another site (http://www.spamwars.com) has submitted the file to the SANS Internet Storm Center, and they'll probably be able to study it in more depth than we did.

Update: Someone else received the spam from 32.120.54.176 (an AT&T IP).

Current Mood: calm

Today, I got a "greeting card" that appeared to be from 123Greetings.com. There were a few suspicious things about it. For one thing, the header was a little strange.

To: Dear darling,

Message: i hope you like this card that i have made only for you

Uh huh. The links didn't point to 123Greetings.com at all. Rather, the link looked like http://1077724866/e-card.html, which would translate to 64.60.198.194. Sho 'nuff, when I checked that out, the "greeting card" itself was at http://64.60.198.194/GreetingCardNr0410112528543.flash.exe. Riiiiight.
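As an added example (not part of the original post), here is the conversion an analyst does by hand when a link hides its host as a bare integer, as http://1077724866/e-card.html did for 64.60.198.194. It goes a little beyond the decimal case in the post: browsers also accept hexadecimal (0x403cc6c2) and octal (010017143302) spellings of the same address, so those are decoded too. Only the Python standard library is used; the function names are my own.

```python
# Added example: normalize URL hosts that hide an IPv4 address as an integer.
# Not code from the original post; function names are the author's invention.
import ipaddress
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def decode_obscured_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of an integer-encoded IPv4 host.

    Accepts decimal ("1077724866"), hex ("0x403cc6c2") and octal
    ("010017143302") spellings. Returns None for a normal hostname or
    an already dotted address, so callers can leave those untouched.
    """
    h = host.strip().lower()
    try:
        if h.startswith("0x"):
            value = int(h, 16)
        elif h.startswith("0") and h != "0" and h.isdigit():
            value = int(h, 8)          # leading zero means octal to a browser
        elif h.isdigit():
            value = int(h, 10)
        else:
            return None                # ordinary hostname, nothing to decode
    except ValueError:
        return None                    # e.g. "08" is not valid octal
    if not 0 <= value <= 0xFFFFFFFF:
        return None                    # out of IPv4 range
    return str(ipaddress.IPv4Address(value))


def normalize_url(url: str) -> str:
    """Rewrite the URL with its host in dotted-quad form if it was obscured."""
    parts = urlsplit(url)
    decoded = decode_obscured_host(parts.hostname or "")
    if decoded is None:
        return url
    netloc = decoded if parts.port is None else f"{decoded}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # The link from the post, plus the hex and octal spellings of the same host.
    for link in ("http://1077724866/e-card.html",
                 "http://0x403cc6c2/e-card.html",
                 "http://010017143302/e-card.html"):
        print(link, "->", normalize_url(link))
```

All three spellings decode to http://64.60.198.194/e-card.html, which is the form you want in a blocklist or an abuse report, since the integer spellings will not match a dotted-quad rule.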

The IP itself mapped to 64-60-198-194.cust.telepacific.net, so I decided to do my good deed for the day by calling Telepacific customer support and reporting an apparent phishing/Trojan scheme associated with a machine on their network. The tech support technician insisted that it was no problem at all; someone had just sent me a greeting card, and I didn't have to open it. I tried explaining why this *did* seem like a problem, but he didn't seem to be too concerned. Would he have taken me more seriously if I were male? I don't know.

Note: The sender was apparently 80.57.9.62 (g9062.upc-g.chello.nl), which is not designated as a permitted sender by the e-cards@123greetings.com domain.
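The "not designated as a permitted sender" wording is an SPF result. As an added example (not from the original post), the evaluator below shows what that check does: it walks the sending domain's SPF record and returns pass/fail/softfail/neutral for the connecting IP. The SPF record is constructed for illustration and is not the real record of 123greetings.com; only the ip4, ip6 and all mechanisms are evaluated, and mechanisms that need DNS lookups (a, mx, include, exists, ptr) are skipped so the code runs offline. The function name is my own.

```python
# Added example: a minimal, offline SPF evaluator (RFC 7208 subset).
# Not code from the original post. The record below is CONSTRUCTED for
# illustration and is not the real SPF record of 123greetings.com.
import ipaddress

EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.17 ip6:2001:db8::/32 -all"

_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, client_ip: str) -> str:
    """Evaluate an SPF record for the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' (no usable
    record). Only ip4/ip6/all are evaluated; DNS-based mechanisms are
    skipped here, which a real resolver-backed checker must not do.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"                       # default qualifier is pass
        if term[0] in _QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                # 'all' always matches, so it ends evaluation
            return _QUALIFIERS[qual]
        if name in ("ip4", "ip6") and arg:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue                 # a full implementation returns permerror
            if ip.version == net.version and ip in net:
                return _QUALIFIERS[qual]
        # a / mx / include / exists / ptr / redirect= need DNS: skipped offline
    return "neutral"                     # RFC 7208: no match and no 'all'


if __name__ == "__main__":
    # 80.57.9.62 is the sender IP reported in the post; the others are
    # documentation-range addresses chosen to match the constructed record.
    for sender in ("80.57.9.62", "203.0.113.45", "2001:db8::1"):
        print(sender, "->", spf_check(EXAMPLE_SPF, sender))
```

Against the constructed record the reported sender 80.57.9.62 matches nothing and falls through to -all, which is the "fail" that a receiving mail server reports as "not designated as a permitted sender". A record ending in ~all would give "softfail" instead, which is why many receivers only flag rather than reject on SPF alone.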

Current Mood: irate
