This is a summary of a popular posting to Mark Russinovich's technical blog
(https://blogs.technet.com/markrussinovich/about.aspx),
which covers topics such as Windows troubleshooting, technologies, and security.
You can read the entire post at https://blogs.technet.com/markrussinovich/archive/2007/04/09/741440.aspx.
I make no effort to hide my email address, which means that I know the instant
a new email-based virus, phishing attack, or penny-stock-pumping scam launches
because my inbox floods. Most such emails are easy to distinguish from legitimate
emails because of their lack of personalization, poor grammar, or low-quality
images that attempt to foil spam filters. On occasion, however, I get a message
that causes me to examine it a little more closely to make sure it's junk. I
also look out for ones that might trick unsophisticated users.
My family uses BlueMountain Greetings to send eCards, so when I received the
email depicted in Figure 3, I took a second
look. There are several immediate clues that the email is a fake. For example,
the body doesn't address me by name, and there's a space between friend and
the exclamation point. Hovering the mouse over the link shows that it masks
an address at a different site, but the presence of BlueMountains and the legitimate-looking
KoKoCards in the name might fool a casual scan.
Curious to see what kind of con the email was perpetrating, I fired up a virtual
machine (VM) that was isolated from the local network and clicked the link.
A Microsoft Internet Explorer (IE) dialog box appeared and asked whether I wanted
to save or run Postcard.jpg.exe. Most users that have followed the ruse this
far would probably be suspicious and not run it, but out of curiosity I started
Process Monitor to watch the action and clicked Run. What I found isn't very
sophisticated, but it's interesting because it's an email virus that's making
the rounds today. You can read the details of my excursion into launching the
malicious file at https://blogs.technet.com/markrussinovich/archive/2007/04/09/741440.aspx.
In a nutshell, I discovered that the email installed a simple botnet client. A few days later I received a similar email, but this time Microsoft's spam
server had stripped the contents and indicated that what I had installed was Trojan-Spy.HTML.Pcard.w, but an Internet search for more information
yielded nothing meaningful.
I'm left wondering how successfully this type of lure brings users into a bot herder's web. There are numerous warnings that something funny is
going on, from the lack of personalization to being asked to run a program and open a port in the firewall. The fact that this Bot herder didn't bother
with more sophistication leads me to believe that it's still unnecessary: Enough people ignore the warnings.
Users will get more wary, however, so we're in store for craftier attacks that
will fool even paranoid users. Exploits of zero-day and unpatched vulnerabilities
can deliver malware without user interaction, and malware can use communication
techniques such as proxy servers, http traffic, or outbound-initiated bidirectional
connections, to avoid causing firewall popups. Windows Vista's User Account
Control (UAC) and Protected Mode IE can help mitigate attacks, but adoption
will take time, and even these technologies give malware a lot of room to play.
Microsoft is working to address these threats, but there's no silver bullet.
The fight against malware continues.