New worm claiming to be Christmas e-card makes rounds

Security researchers this week are warning about a new email worm that is relying on old tricks to dupe users into infecting their machines with malware.

The Waledac worm spreads when users are duped into visiting a website claiming to contain a Christmas card, according to a SANS Internet Storm Center blog post Thursday. However, the card doesn't appear, and users are asked to click on a link, which is actually the malware executable.

First signs of the attack emerged on Sunday, but the malware writers began registering their host domains weeks ago, SANS incident handler Maarten Van Horenbeeck said in the blog.

Pierre-Marc Bureau, a researcher at anti-virus vendor ESET, said the worm shares some similarities with the Storm Worm -- which was known to spread via fake greeting cards during popular holidays -- including the use of a redirection site and fast-flux capabilities to hide its IP addresses.

However, unlike Storm, Waledac does not use a peer-to-peer network to communicate. It instead uses an open source executable packer and cryptography to hide its tracks, Bureau said Sunday on the ESET Threat Blog.

"What we are observing today is proof that malware authors are learning from each other's errors and successes," he wrote. "After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success."

Once installed on a user's machine, the worm searches for email addresses and then spams copies of itself to those addresses, according to anti-virus provider F-Secure. It also can steal online banking passwords and has targeted a number of banks across the globe.

Van Horenbeeck, though, said the number of infections should remain low because the attack requires human interaction and arrived on the scene "fairly late in the holiday cycle." Still, he suggested businesses block the download of "ecard.exe," as well as the domains being used in the attack. His SANS blog post listed a number of affiliated domains.

Also, enterprises should ensure their anti-virus and anti-spam solutions are up to date, Van Horenbeeck said. IT personnel at companies additionally should educate their users about scam emails and prevent untrusted code from executing on corporate machines.
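One way a defender could act on that advice is to sweep web proxy logs for downloads of "ecard.exe" and for requests to the lure domains. The following is an added example, not code from the article, SANS or ESET; the log format (Squid-style access log), the sample lines and the blocklisted domains are constructed placeholders, since the article does not reproduce the real domain list.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder domains standing in for the lure domains listed
# in the SANS post; replace with the real list from that source.
BLOCKED_DOMAINS = {"example-ecard-lure.test", "holidaycard-lure.test"}
# Filename named in the article's blocking advice.
BLOCKED_FILENAMES = {"ecard.exe"}

# Squid-style access log: time elapsed client action/code size method url ...
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def classify(url):
    """Return the list of block reasons that apply to a requested URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    reasons = []
    # Match the domain itself and any subdomain of it (fast-flux hosts
    # frequently rotate the leading label).
    if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
        reasons.append("blocked-domain")
    if filename in BLOCKED_FILENAMES:
        reasons.append("blocked-filename")
    return reasons

def scan_proxy_log(lines):
    """Parse log lines and return one hit record per matching request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the sweep
        reasons = classify(m.group("url"))
        if reasons:
            hits.append({"client": m.group("client"), "url": m.group("url"), "reasons": reasons})
    return hits

# Constructed sample log: one clean request, three that should be flagged.
SAMPLE_LOG = """1229900001.123 250 10.0.0.5 TCP_MISS/200 51200 GET http://example-ecard-lure.test/ecard.exe - DIRECT/192.0.2.10 application/octet-stream
1229900002.456 80 10.0.0.7 TCP_MISS/200 8192 GET http://www.example.com/index.html - DIRECT/192.0.2.20 text/html
1229900003.789 120 10.0.0.9 TCP_MISS/200 51200 GET http://cdn.someother.test/card/ecard.exe - DIRECT/192.0.2.30 application/octet-stream
1229900004.000 60 10.0.0.5 TCP_MISS/200 2048 GET http://www.holidaycard-lure.test/postcard.php?id=1 - DIRECT/192.0.2.40 text/html"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(hit["client"], hit["url"], ",".join(hit["reasons"]))
```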
