[nfbwatlk] Fw: Interesting Article:

Mike Freeman k7uij at panix.com
Thu Aug 16 21:20:20 CDT 2007 

----- Original Message ----- 
From: Don Moore
To: Multiple recipients of NFBnet GUI-TALK Mailing List
Sent: Thursday, August 16, 2007 9:43 AM
Subject: [gui-talk] Interesting Article:


Greetings! Someone has sent you an e-card virus

Todd R. Weiss

August 15, 2007 (Computerworld)

Think you got a cheery greeting card from a friend via e-mail?

Well, think again, and be careful before opening it. A new form of fake 
e-card notification e-mails are unleashing nasty viruses and 
virus-carrying Trojan horses on unsuspecting users.

While e-card-triggered viruses and Trojan horses are not new, the latest 
versions are becoming more difficult for typical antivirus and antispam 
defenses to detect, according to alerts issued today by security 
software vendors Avinti Inc. and F-Secure Corp.

The new complication, said Dave Green, chief technology officer at 
Lindon, Utah-based Avinti, is that the latest slew of fake e-card e-mail 
notifications are using plain text in their messages, which don't get 
scanned and scrutinized by antivirus and antispam defense applications. 
While the e-mails don't contain pasted links or attached files that a 
recipient can click on to get a computer infection, many e-mail clients 
automatically convert the included text into a clickable link when the 
e-mail clients recognize a Web address in the text.

"It appears they have done that to get around a lot of the parsing used 
by antivirus and antispam applications" to fight such attacks, Green 
said. "It's an interesting cat-and-mouse game between the bad guys and 
the good guys."

"Apparently, they've found that they can be very successful in getting 
these through by not having it be formatted as an HTML message," Green 
said.

All recipients have to do to trigger the virus is to click on the link 
created by the e-mail client once they have read the message, he said.

Adding to the confusion and the potential seriousness of the problem, he 
said, is that the perpetrators sending these e-mails are using the names 
of some of the most popular electronic greeting card companies in their 
messages and Web links.

Avinti said it has updated its Avinti Isolation Server product to 
protect against such attacks, while other vendors are still updating 
their own products.

Avinti's alert said the links to the fake e-greeting cards lead to IP 
addresses in various locations, including the U.S. and Eastern Europe, 
and many are registered to U.S. Internet service providers. The damaging 
payload files are new variants of the Storm Worm virus that was first 
detected in January, the company said.

In its alert today, Helsinki, Finland-based security vendor F-Secure 
said the fake e-card messages from one group of online criminals appear 
to have changed since last night, when they dropped the use of attached 
files and went to plain-text messages.

An included link then tells the recipient to install a free "Microsoft 
Data Access" application to retrieve the e-card, but that file --  
msdataaccess.exe -- is a damaging virus. F-Secure said it has identified 
the virus as Email-Worm.Win32.Zhelatin.gg.

Danny Allan, director of research at security analysis vendor Watchfire 
Corp. in Waltham, Mass., said he has seen similar all-text e-greeting 
mailings before, but the numbers have increased lately.

For antivirus and antispam vendors, the theory had been that if the 
message includes plain text without links and attachments, it could 
cause no harm, he said. That approach has to change, Allan said.

User need to be cautious and not click on links they find in e-mails, 
Allan said. Instead, they should go directly to a Web site by typing its 
address into a Web browser and go there on their own, bypassing links 
that could be malicious.

Vendors will have a tough time making the problem go away completely, he 
said, because they can't devise ways of evaluating every Web link or 
instance in an e-mail. However, they can improve detection of suspicious 
encoded characters and domain names in messages.

"If there was a silver bullet that could solve the problem, the 
antivirus companies would have done it," Allan said.

Zully Ramzan, a senior principal researcher at Cupertino, Calif.-based 
security vendor Symantec Corp.'s security response team, said Symantec 
has seen plain-text attacks before and doesn't view them as a new 
problem.

"There's been a bit of a resurgence lately" with e-card notification 
messages, possibly because of last month's July 4 holiday or because 
criminal groups have been organizing mailing campaigns, he said.

Andrew Jaquith, a security analyst at Boston-based Yankee Group Research 
Inc., said the latest e-greeting attacks are an example that criminals 
"are going to be coming up with more and more ingenious ways of tricking 
people or exploiting ways of tricking your e-mail client. This is just 
one of any number of ways that these guys are going to try to lure users 
to do something they shouldn't."

_______________________________________________
gui-talk mailing list
gui-talk at nfbnet.org
http://www.nfbnet.org/mailman/listinfo/gui-talk
-------------- next part --------------
----- Original Message -----
From:
mailto:don.moore48 at comcast.net Don Moore
To:
mailto:gui-talk at nfbnet.org Multiple recipients of NFBnet GUI-TALK Mailing List
Sent:
Thursday, August 16, 2007 9:43 AM
Subject:
[gui-talk] Interesting Article:
Greetings! Someone has sent you an e-card virus
Todd R. Weiss
August 15, 2007 (Computerworld)
Think you got a cheery greeting card from a friend via e-mail?
Well, think again, and be careful before opening it. A new form of fake e-card notification e-mails are unleashing nasty viruses and virus-carrying Trojan horses on unsuspecting users.
While e-card-triggered viruses and Trojan horses are not new, the latest versions are becoming more difficult for typical antivirus and antispam defenses to detect, according to alerts issued today by security software vendors Avinti Inc. and F-Secure Corp.
The new complication, said Dave Green, chief technology officer at Lindon, Utah-based Avinti, is that the latest slew of fake e-card e-mail notifications are using plain text in their messages, which don't get scanned and scrutinized by antivirus and antispam defense applications. While the e-mails don't contain pasted links or attached files that a recipient can click on to get a computer infection, many e-mail clients automatically convert the included text into a clickable link when the e-mail clients recognize a Web address in the text.
"It appears they have done that to get around a lot of the parsing used by antivirus and antispam applications" to fight such attacks, Green said. "It's an interesting cat-and-mouse game between the bad guys and the good guys."
"Apparently, they've found that they can be very successful in getting these through by not having it be formatted as an HTML message," Green said.
All recipients have to do to trigger the virus is to click on the link created by the e-mail client once they have read the message, he said.
Adding to the confusion and the potential seriousness of the problem, he said, is that the perpetrators sending these e-mails are using the names of some of the most popular electronic greeting card companies in their messages and Web links.
Avinti said it has updated its Avinti Isolation Server product to protect against such attacks, while other vendors are still updating their own products.
Avinti's alert said the links to the fake e-greeting cards lead to IP addresses in various locations, including the U.S. and Eastern Europe, and many are registered to U.S. Internet service providers. The damaging payload files are new variants of the Storm Worm virus that was first detected in January, the company said.
In its alert today, Helsinki, Finland-based security vendor F-Secure said the fake e-card messages from one group of online criminals appear to have changed since last night, when they dropped the use of attached files and went to plain-text messages.
An included link then tells the recipient to install a free "Microsoft Data Access" application to retrieve the e-card, but that file -- msdataaccess.exe -- is a damaging virus. F-Secure said it has identified the virus as Email-Worm.Win32.Zhelatin.gg.
Danny Allan, director of research at security analysis vendor Watchfire Corp. in Waltham, Mass., said he has seen similar all-text e-greeting mailings before, but the numbers have increased lately.
For antivirus and antispam vendors, the theory had been that if the message includes plain text without links and attachments, it could cause no harm, he said. That approach has to change, Allan said.
User need to be cautious and not click on links they find in e-mails, Allan said. Instead, they should go directly to a Web site by typing its address into a Web browser and go there on their own, bypassing links that could be malicious.
Vendors will have a tough time making the problem go away completely, he said, because they can't devise ways of evaluating every Web link or instance in an e-mail. However, they can improve detection of suspicious encoded characters and domain names in messages.
"If there was a silver bullet that could solve the problem, the antivirus companies would have done it," Allan said.
Zully Ramzan, a senior principal researcher at Cupertino, Calif.-based security vendor Symantec Corp.'s security response team, said Symantec has seen plain-text attacks before and doesn't view them as a new problem.
"There's been a bit of a resurgence lately" with e-card notification messages, possibly because of last month's July 4 holiday or because criminal groups have been organizing mailing campaigns, he said.
Andrew Jaquith, a security analyst at Boston-based Yankee Group Research Inc., said the latest e-greeting attacks are an example that criminals "are going to be coming up with more and more ingenious ways of tricking people or exploiting ways of tricking your e-mail client. This is just one of any number of ways that these guys are going to try to lure users to do something they shouldn't."
_______________________________________________
gui-talk mailing list
mailto:gui-talk at nfbnet.org gui-talk at nfbnet.org
http://www.nfbnet.org/mailman/listinfo/gui-talk http://www.nfbnet.org/mailman/listinfo/gui-talk

More information about the nfbwatlk mailing list