In a throwback to the Storm campaigns that we heavily reported on in 2007, another group has been spamming out links to malicious Season’s Greetings’ sites (a list of domains previously serving up “ecard.exe” variants can be found here), attempting to fool users into running “postcard.exe”. Here is a screenshot of one server currently up this afternoon on an infected host on the Comcast network at 71.233.193.xx:
A visit to this page results in multiple client side exploits, delivered by multiple redirected web pages, which TF prevents. ThreatFire also stops the attacking executable file as Trojan.Waledac.
The attackers make it obvious what web site they are attempting to mimic in their social engineering scheme. The entire HTML header for the attacking web page on the malicious site was ripped directly from 123greetings.com, a popular ecard site. Here is some of the header from the malicious web page:
Title: New Year Cards, Free New Year eCards, Greeting Cards
meta name =”keywords” content=”new year cards,free new year ecards,greeting cards,greetings,wishes for the new year,free e cards for new year,christmas and new year wishes,free new year greetings,free ecards for new year”
meta name=”description” content=”2009 is here! Fill your heart with new hopes, reach out for new opportunities and celebrate the New Year! Reach out to your friends, family,…”
Keep in mind that the legitimate www.123greetings.com site appears to send out ecards as Flash videos, and not as “postcard.exe” files.
Update (1/5/2008): Waledac variant card.exe continues to be distributed — we’re seeing hxxp://direct christmas gift.com as an offending server up and running with the same card store front.