LINDON, Utah -- Avinti, a developer of proactive e-mail security solutions, has issued a security alert about a new e-mail attack that disguises malicious code behind a seemingly harmless e-greeting. This latest e-mail attack is part of a recent increase in spam-like greetings that encourage users to click on a link in the body of the e-mail to view an apparently legitimate site; the link instead leads to malicious code, or malware. The latest version of this type of blended threat includes the subject line "Movie-quality ecard" and provides an e-mail address of the sender to trick the recipient into clicking on the harmful link.
"Clicking on the Web site address link in the e-mail triggers an installation of one or two files on the user's machine, designed to capture user data. There is no user intervention required; the download is automatic," said Dave Green, Avinti's CTO. "The e-mail appears as plain text but most e-mail clients pick up the plain-text URL and highlight it for the user to click on," he added. "So the e-mail, as plain text, will pass through other antivirus (AV) gateways completely undetected. In case the Web address doesn't get highlighted, the e-mail also encourages users to copy and paste the URL into their browser."
The links lead to IP addresses in various locations, including the U.S. and Eastern Europe, and many are registered to U.S. Internet Service Providers (ISPs). Some addresses have been associated with previous exploits, and others, from ISPs, are actually personal computers that have been infected with the malicious code to execute this exploit. The downloaded files are new variants of the Storm Worm that was first detected in January 2007. "Online scanner Virustotal.com shows about one-third of AV vendors tested do not detect the malware," said Green. "However, because this comes through as a blended threat e-mail, it will completely bypass AV products because there is no attached file to scan."
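The traits described in the alert (a plain-text body, no attachment, and a link whose host is a bare IP address) can be checked at a mail gateway. The following is an added example, not Avinti's product logic: the function names, the heuristic itself and both sample messages are constructed for illustration, and the addresses come from documentation ranges.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def ip_literal_urls(text):
    """Return URLs in text whose host is a raw IP address, not a DNS name."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")          # drop trailing sentence punctuation
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:               # a host name, or a malformed URL
            continue
        hits.append(url)
    return hits

def scan_message(raw):
    """Heuristic: plain-text links to IP hosts in a mail with nothing to AV-scan."""
    msg = email.message_from_string(raw, policy=policy.default)
    has_attachment = any(True for _ in msg.iter_attachments())
    body = msg.get_body(preferencelist=("plain",))
    urls = ip_literal_urls(body.get_content() if body else "")
    return {
        "subject": str(msg["Subject"]),
        "has_attachment": has_attachment,
        "ip_urls": urls,
        "suspicious": bool(urls) and not has_attachment,
    }

# Constructed sample messages (192.0.2.0/24 is a documentation range).
HEADERS = ("From: sender@example.com\nTo: user@example.org\n"
           "Subject: Movie-quality ecard\n"
           "Content-Type: text/plain; charset=us-ascii\n\n")
SAMPLE_LURE = HEADERS + ("You have received an ecard. View it here:\n"
                         "http://192.0.2.45/\n"
                         "Or copy and paste the address into your browser.\n")
SAMPLE_NAMED = HEADERS + "View your card at http://www.example.com/card.\n"

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_NAMED):
        print(scan_message(sample))
```

A hit is a reason to quarantine or inspect the link target, not proof of malware; legitimate mail occasionally links to IP addresses as well.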