New worm claiming to be Christmas e-card makes rounds

Security researchers this week are warning about a new email worm that is relying on old tricks to dupe users into infecting their machines with malware.

The Waledac worm spreads when users are duped into visiting a website claiming to contain a Christmas card, according to a SANS Internet Storm Center blog post Thursday. However, the card doesn't appear, and users are asked to click on a link, which is actually the malware executable.

First signs of the attack emerged on Sunday, but the malware writers began registering their host domains weeks ago, SANS incident handler Maarten Van Horenbeeck said in the blog.

Pierre-Marc Bureau, a researcher at anti-virus vendor ESET, said the worm contains some similarities to the Storm Worm -- which was known to spread via fake greeting cards during popular holidays -- including using a redirection site and fast-flux capabilities to hide its IP addresses.

However, unlike Storm, Waledac does not use a peer-to-peer network to communicate. It instead uses an open source executable packer and cryptography to hide its tracks, Bureau said Sunday on the ESET Threat Blog.

"What we are observing today is proof that malware authors are learning from each other's errors and successes," he wrote. "After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success."

Once installed on a user's machine, the worm searches for email addresses and then spams copies of itself to those addresses, according to anti-virus provider F-Secure. It also can steal online banking passwords and has targeted a number of banks across the globe.

Van Horenbeeck, though, said the number of infections should remain low because the attack requires human interaction and arrived on the scene "fairly late in the holiday cycle." Still, he suggested businesses block the download of "ecard.exe," as well as the domains being used in the attack. His SANS blog post listed a number of affiliated domains.

Also, enterprises should ensure their anti-virus and anti-spam solutions are up to date, Van Horenbeeck said. IT personnel at companies additionally should educate their users about scam emails and implement bans on untrusted code being able to execute on corporate machines.
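As an added illustration of the two blocking rules Van Horenbeeck suggests (this is example code, not from the article, SANS or ESET), the following Python check runs over constructed proxy log lines and flags requests for `ecard.exe` or for hosts on a domain blocklist. The domain entries are placeholders, since the article does not reproduce the SANS list.

```python
import re
from urllib.parse import urlparse

# PLACEHOLDERS (assumption): the real domains are in the SANS post, which the
# article does not reproduce. Reserved ".invalid" names are used here so the
# example cannot collide with a real host.
BLOCKED_DOMAINS = {"example-ecard-lure.invalid", "example-redirect.invalid"}

# The download name the article says businesses should block.
BLOCKED_FILENAMES = {"ecard.exe"}

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(line):
    """Return a reason string if the request should be blocked, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: leave it for a separate parser alarm
    _, _, _, url, _ = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    # Fast-flux hosts rotate IP addresses, so match on the name (exact host or
    # any subdomain of a blocked domain) rather than on an address.
    if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "blocked-domain"
    if filename in BLOCKED_FILENAMES:
        return "blocked-filename"
    return None


def scan(lines):
    """Return (client-ip, reason) for every log line that should be blocked."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((line.split()[1], reason))
    return hits


# Constructed sample traffic: two lure-site visits, one ecard.exe fetched from
# an unlisted host, and one benign intranet request.
SAMPLE_LOG = [
    "2008-12-24T10:00:01Z 10.0.0.5 GET http://example-ecard-lure.invalid/christmas/index.html 200",
    "2008-12-24T10:00:02Z 10.0.0.5 GET http://cdn.example-ecard-lure.invalid/download/ECARD.EXE 200",
    "2008-12-24T10:00:03Z 10.0.0.9 GET http://unrelated.example.net/images/ecard.exe 200",
    "2008-12-24T10:00:04Z 10.0.0.9 GET http://intranet.example.net/holidays/card.html 200",
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```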
