Unfortunately, a handful of legitimate online greeting card sites continue to be spoofed as part of the ongoing, successful Waledac threat.
While it is similar to the Storm threat, the shameless ripoff of multiple greeting card sites is even more blatant than Storm’s crafted web sites in 2007. Here is a snapshot of one of the legitimate sites:
And here is an example message spammed out by the Waledac worm:
“Jeff has mailed a e-card.
Just click on the following Internet address:
hxxp://your regards.com/ ?ID=5b830b13b073c19cabc3a06878d
Brought to you by 123Christmas-Greetings!”
Spammed message here using the Christmasbuzz name:
“Thomas has sent an e-card.
Click on the following link or copy and paste the following link into your web
browser’s address bar: hxxp:// smart cardgreeting.com/ ?code=844e643ab7
Legitimate Christmasbuzz site looks like this snapshot:
Another spammed message from the worm:
“Thomas sent you a ecard.
Click on the following link to see your Ecard:
hxxp://world greetingcard.com/ ?id=1025025ecd
Thanks for Using Card Fountain!”
And the corresponding legitimate Card Fountain web site here:
Do not randomly click on links emailed to you, as pointed out previously. Ecards and greetings can be a sore spot for a lot of users before and after the holiday seasons, but it can be nice to receive holiday wishes when they come from legitimate sites.
Also note that most of the legitimate sites provide users with flash movies and other animated cards, instead of the “card.exe” malcode.
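The quoted lures share two tells a mail filter can act on: the link's domain does not match the brand the message claims to come from (a message signed "Brought to you by 123Christmas-Greetings!" that links elsewhere), and the link carries an opaque hex tracking identifier rather than a card name. As an added illustration, not code from the original post, the Python routine below runs those checks over the post's own quoted messages. The sample set is constructed from the quotes above (the code rejoins the defanging spaces in the links and refangs "hxxp" to "http" for parsing), and examplecards.example is a placeholder domain used for a benign comparison case.

```python
"""Heuristic triage for e-card lure messages. Added example, not from the post."""
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample set: the three Waledac lures quoted in the post, kept in the
# post's defanged form, plus a constructed benign notice (placeholder domain).
SAMPLE_MESSAGES = {
    "jeff": (
        "Jeff has mailed a e-card.\n"
        "Just click on the following Internet address:\n"
        "hxxp://your regards.com/ ?ID=5b830b13b073c19cabc3a06878d\n"
        "Brought to you by 123Christmas-Greetings!"
    ),
    "thomas1": (
        "Thomas has sent an e-card.\n"
        "Click on the following link or copy and paste the following link into your web\n"
        "browser's address bar: hxxp:// smart cardgreeting.com/ ?code=844e643ab7"
    ),
    "thomas2": (
        "Thomas sent you a ecard.\n"
        "Click on the following link to see your Ecard:\n"
        "hxxp://world greetingcard.com/ ?id=1025025ecd\n"
        "Thanks for Using Card Fountain!"
    ),
    "benign": (
        "Ana sent you an e-card.\n"
        "http://examplecards.example/view?card=birthday\n"
        "Brought to you by Example Cards!"
    ),
}

LURE_RE = re.compile(r"\b(e-?card|greeting)", re.IGNORECASE)
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\n]+", re.IGNORECASE)
BRAND_RE = re.compile(r"(?:brought to you by|thanks for using)\s+(.+?)!", re.IGNORECASE)
HEX_ID_RE = re.compile(r"[0-9a-f]{8,}", re.IGNORECASE)


def extract_urls(text):
    """Return refanged URLs: drop the defanging spaces, turn hxxp into http."""
    urls = []
    for m in URL_RE.finditer(text):
        raw = re.sub(r"\s+", "", m.group(0)).rstrip('"\u201d!.,')
        urls.append(re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE))
    return urls


def _normalize(name):
    """Lowercase and keep only letters and digits so brands and labels compare."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def second_level_label(url):
    """The registrable label of the link host, e.g. 'yourregards' for yourregards.com."""
    labels = urlparse(url).hostname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyze(text):
    """Flag e-card lures whose link contradicts the claimed brand or carries a hex id."""
    urls = extract_urls(text)
    m = BRAND_RE.search(text)
    brand = m.group(1).strip() if m else None

    # Tell 1: the sign-off names a brand, but the link goes to an unrelated domain.
    mismatch = False
    if brand and urls:
        b = _normalize(brand)
        for u in urls:
            d = second_level_label(u)
            if b not in d and d not in b:
                mismatch = True

    # Tell 2: an id/code parameter holding an opaque hex token instead of a card name.
    opaque = False
    for u in urls:
        for key, values in parse_qs(urlparse(u).query).items():
            if key.lower() in ("id", "code") and any(HEX_ID_RE.fullmatch(v) for v in values):
                opaque = True

    lure = bool(LURE_RE.search(text))
    return {
        "lure": lure,
        "urls": urls,
        "claimed_brand": brand,
        "brand_mismatch": mismatch,
        "opaque_id": opaque,
        "suspicious": lure and bool(urls) and (mismatch or opaque),
    }


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, analyze(body))
```

All three quoted lures come back suspicious (the first and third on both tells, the second on the opaque id alone, since it names no brand), while the constructed benign notice, whose link domain matches its sign-off and whose parameter is a readable card name, does not.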
Current malicious sites are serving exploit pages and “card.exe” at the following domains; do not visit them. Some were registered by the botherders earlier today, along with a slew of domains that are now hosting online Canadian pharmacy sites:
The guys over at Shadowserver posted a writeup on the worm to close out 2008, and included a list of domains being used by the botherders at the time. The distributors continue to be active.
And why might this Storm copycat scheme come back in vogue? Spam, of course!
In addition to the links to malicious attacking sites being sent out (shown in the description above), holiday-themed, seasonal spam containing links to online Canadian pharmacies peddling viagra and “enhancement” drugs is being blasted out by infected systems as well:
“Subject: When going on holiday take bluepills with you to ensure potence!
We have everything to make your love more passionate.
hxxp:// thank believe.com/”
“Be ready for spring love marathon! hxxp:// character effect.com/”
“Start enjoying your xxxlife! hxxp:// grew ten.com/”
“Subject: How intresting is your bedroom life?
Dont put your health at stake! hxxp:// what least.com/”
“Subject: Latest news from your doctor.
Our experts recommend! hxxp:// steam coast.com/”
It appears to be a fairly international spamming effort with DNS domains rapidly being registered in China and Latvia, exploit pages served in the U.S., and pharma sales coming out of Canada off of servers hosted in China.