Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Christmas Ecard Malware - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Christmas Ecard Malware

For years, Storm was the threat most commonly associated with malicious Christmas cards and other "timely announcements". Their techniques have gradually been adopted by other organized crime groups, and over the last days there has been an increase in malicious Christmas cards distributing the Waledac worm.

The e-mails consist of a hyperlink to a "Christmas card". When the user visits this site, he will see the following. The user will need to click on either button, get a Security Warning and will need to accept the fact that an executable is being run.

Most likely because of this, and because the cards are coming in fairly late in the holiday cycle, the threat has not been wildly succesful at propagating. Interestingly, even though the first reports of this threat we have are dated December 21st, many of the domains were already registered on December 1st.

Some of the domains that were reported to us by readers (thanks Mike) include:

Note that this list is very much incomplete. We may post updates later today.

For now, we recommend:

  • Blocking the download of 'ecard.exe', or the affiliated domains on your corporate proxy;
  • Ensure that your anti virus and anti spam solutions are updated frequently as the AV vendors build coverage for this new threat. Given the mass mailing nature, spam protection is likely to be the first to pick up on this.

In the long run, we recommend educating your users on the risk involved with gratuitous "warning" e-mails related to events, or greeting cards that look even the slightest bit suspicious. In addition, consider investigating solutions that control which untrusted code, originating from the internet, can be executed on corporate desktops.

Arbor Networks has an interesting blog entry up on the flux tactics involved with this threat here. For further data on the worm itself, visit Symantec's writeup.


158 Posts
Dec 25th 2008

Sign Up for Free or Log In to start participating in the conversation!