Archive for the 'E-Cards' Category

Abnormal activity from your IP…yeah sure

Monday, July 9th, 2007

There is another Storm Worm outbreak at the moment. The attackers are using the same social engineering tactic that was used last April; see Forecast - Massive Storms clouded by Rootkits.
The way it works is that after a Storm Worm outbreak, such as the 4th of July E-card outbreak, users get an email saying they are infected and should download a "patch" to fix it, or else their account will be suspended.

On the 4th of July, emails were spammed out to millions of users with a link pretending to be an E-card for the 4th of July celebrations.
The subjects included:

4th Of July Celebration
American Pride, On The 4th
America’s 231st Birthday
Americas B-Day
America the Beautiful
Celebrate Your Independence
Celebrate Your Nation
Fireworks on The 4th
Fourth of July Party
God Bless America
Happy 4th of July
Happy B-Day USA
Happy Birthday America
Happy Fourth of July
Independence Day At The Park
Independence Day Celebration
Independence Day Party
July 4th B-B-Q Party
July 4th Family Day
July 4th Fireworks Show
Your Nations Birthday

If a user clicked on the link they would have downloaded Troj/JSEcard-A, which in turn downloaded a Nuwar variant (WORM_NUWAR.HC).

The same spammers have now sent out millions of emails warning users that their PC is infected and that they should download a patch file to fix it.
The email looks like the one below (thanks Dan).

Worm Alert!
Dear Customer,Our robot has detected an abnormal activity
from your IP adress on sending e-mails. Probably it is connected with the
last epidemic of a worm which does not have official patches at the
moment.We recommend you to install this patch
to remove worm files and stop email sending, otherwise your account will be
blocked.
Administrator

The attackers are playing on the publicity the 4th of July worm got. Many users will have it in the back of their mind as they read the latest email, take it for a legitimate warning and "install" the patch, only to be added to the massive botnet that has grown out of these spamming campaigns. Note that the lure itself is a giveaway: no legitimate provider sends patches as an email attachment or download link, and the message does not even say which account it is threatening to block.
If you think you have opened the 4th of July E-card or installed the "patch" to correct it, then you should download some anti-rootkit software from our software page and check your system out, as NUWAR is known to contain a rootkit to hide its suspicious activity.

Keep Safe
regards
Steo
www.antirootkit.com

References:
4th of July Ecard
Postcards or patches?

E-Cards deliver Rootkits

Friday, September 22nd, 2006

Researchers at Exploit Prevention Labs have discovered a large cybercriminal gang operating out of Australia. It was found that nearly every bank in Australia had customers whose bank details had been used by the criminals. Users in Australia were sent what looked like an eCard from Yahoo. When the user clicked on the eCard they were taken to an exploit server. The exploit server would check what vulnerabilities the user's browser had and use the hole it found to install a keylogger, plus a rootkit to hide the keylogger. The exploit server was running the WebAttacker kit, which is updated regularly and can be bought very easily and cheaply.
The user was then redirected to the real Yahoo eCard site so that it looked as if nothing untoward had happened.
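Both lures on this page can be caught at the mail gateway before anyone clicks. The script below is an added example, not code from antirootkit.com or from Exploit Prevention Labs. It parses a raw message and flags (1) a Subject that matches one of the 4th of July Storm Worm subjects listed in the first post, (2) a body carrying the "Worm Alert!" patch-lure phrases quoted there, (3) any link pointing at a bare IP address, which is my own heuristic and not a claim about either campaign, and (4) a mail that names an e-card provider but links somewhere else, the pattern of the Yahoo eCard described above. The provider-to-domain table and the four sample messages are constructed for the example.

```python
"""Mail-triage heuristics for the e-card lures described on this page.

Added example, not the site's code. Checks: Storm Worm e-card subjects,
"Worm Alert!" patch-lure phrases, links to bare IP addresses (added
heuristic) and e-card provider name vs. actual link host (assumed table).
"""
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Subject lines from the 4th of July Storm Worm run (taken from the post).
ECARD_SUBJECTS = [
    "4th Of July Celebration", "American Pride, On The 4th",
    "America’s 231st Birthday", "Americas B-Day", "America the Beautiful",
    "Celebrate Your Independence", "Celebrate Your Nation",
    "Fireworks on The 4th", "Fourth of July Party", "God Bless America",
    "Happy 4th of July", "Happy B-Day USA", "Happy Birthday America",
    "Happy Fourth of July", "Independence Day At The Park",
    "Independence Day Celebration", "Independence Day Party",
    "July 4th B-B-Q Party", "July 4th Family Day", "July 4th Fireworks Show",
    "Your Nations Birthday",
]
# Phrases from the "Worm Alert!" lure quoted in the post; two hits is enough.
PATCH_LURE_PHRASES = ("abnormal activity", "install this patch", "account will be blocked")
# Assumption: provider name -> domains its cards legitimately link to (hypothetical list).
ECARD_PROVIDERS = {"yahoo": ("yahoo.com",), "hallmark": ("hallmark.com",)}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize(text):
    """Lower-case and drop punctuation so "America’s" and "Americas" compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", "", text.lower()).split())


SUBJECT_KEYS = {normalize(s) for s in ECARD_SUBJECTS}


def extract_links(text):
    return [u.rstrip(".,;:)>\"'") for u in URL_RE.findall(text)]


def host_of(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(raw):
    """Return a verdict and the list of reasons for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    flat = " ".join(body.split()).lower()
    links = extract_links(body)
    reasons = []
    if normalize(subject) in SUBJECT_KEYS:
        reasons.append("storm-ecard-subject")
    if sum(p in flat for p in PATCH_LURE_PHRASES) >= 2:
        reasons.append("patch-lure")
    if any(is_ip_literal(host_of(u)) for u in links):
        reasons.append("ip-link")
    text = subject.lower() + " " + flat
    for name, domains in ECARD_PROVIDERS.items():
        if name in text and links and not all(
            any(under_domain(host_of(u), d) for d in domains) for u in links
        ):
            reasons.append("provider-mismatch")
            break
    return {"subject": subject, "links": links, "reasons": reasons,
            "verdict": "suspicious" if reasons else "clean"}


# Constructed sample messages (documentation addresses, not real campaign data).
SAMPLE_ECARD = """\
From: friend@example.com
Subject: America's 231st Birthday
Content-Type: text/plain

You have received a greeting card. View it at http://203.0.113.7/ecard.exe
"""
SAMPLE_PATCH = """\
From: administrator@example.net
Subject: Worm Alert!
Content-Type: text/plain

Dear Customer, Our robot has detected an abnormal activity from your IP
address on sending e-mails. We recommend you to install this patch
http://198.51.100.20/patch.exe otherwise your account will be blocked.
"""
SAMPLE_YAHOO = """\
From: greetings@example.org
Subject: You have received a Yahoo! Greeting
Content-Type: text/plain

Someone sent you a Yahoo Greetings card. Click to view:
http://cards.example.org/view?id=123
"""
SAMPLE_CLEAN = """\
From: alice@example.com
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free on Friday? The menu is at https://www.example.com/menu
"""

if __name__ == "__main__":
    for raw in (SAMPLE_ECARD, SAMPLE_PATCH, SAMPLE_YAHOO, SAMPLE_CLEAN):
        r = triage(raw)
        print(f"{r['verdict']:10} {r['reasons']}  <- {r['subject']}")
```

The subject match is exact after normalisation, so it catches only the run listed above; the phrase and link checks are what carry over to the next campaign, and the provider-mismatch rule is the one that would have fired on the Yahoo-branded card in the second post.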

Roger Thompson, Exploit Prevention Labs’ CTO, discovered the Australian eCard scam and has been tracking the evolving threat.
“The user receives an eCard in their email inbox,” said Thompson. “The card appears to come through one of the major eCard companies, so it is assumed to be safe, despite the user not recognizing the sender’s name on the card. The user clicks the link to view the card, which doesn’t tell you who it’s really from, so they just close it and continue with whatever they were doing before. Unfortunately, what’s actually happened is that a rootkit has been delivered to the user’s PC before they even pick up the card.”

“We started tracking MDAC back in June, shortly after WebAttacker was upgraded. Initially, it was just a tiny blip on the radar, registering 0.5% in our Exploit Prevalence Survey for that month. In July, it was up to 3.51%, and last month it reached 6.69%. If that pattern continues, we can expect to see both vendors and traditional anti-malware vendors experiencing significant problems in trying to keep up with the threat.”

This attack goes to show that unless users have all the latest security updates and patches on their computer, they have a far bigger chance of falling victim to such an attack. Anti-virus or anti-spyware alone cannot be relied on to thwart it, because the exploit runs and installs the rootkit before the scanner sees a file it recognises. Even a user with a fully patched computer can still be caught by what are called zero-day attacks: attacks on holes for which the program maker has no patch yet, often because it is not yet aware of them.

The best way to avoid rootkits getting onto your PC is to run as an ordinary user and not to have any administrator rights. A kernel rootkit needs administrator rights to install its driver, so a limited account stops that step; bear in mind, though, that malware can still run, and log keystrokes, inside the limited account itself.

Keep Safe

regards
Steo
www.antirootkit.com