Botnets by Email

A suspicious email takes Mark on a journey to learn more about it and why these types of malware continue to fool users.

Mark Russinovich

May 29, 2007

3 Min Read
ITPro Today logo in a gray background | ITPro Today

This is a summary of a popular posting to Mark Russinovich's technical blog (https://blogs.technet.com/markrussinovich/about.aspx), which covers topics such as Windows troubleshooting, technologies, and security. You can read the entire post at https://blogs.technet.com/markrussinovich/archive/2007/04/09/741440.aspx.

I make no effort to hide my email address, which means that I know the instant a new email-based virus, phishing attack, or penny-stock-pumping scam launches because my inbox floods. Most such emails are easy to distinguish from legitimate emails because of their lack of personalization, poor grammar, or low-quality images that attempt to foil spam filters. On occasion, however, I get a message that causes me to examine it a little more closely to make sure it's junk. I also look out for ones that might trick unsophisticated users.

My family uses BlueMountain Greetings to send eCards, so when I received the email depicted in Figure 3, I took a second look. There are several immediate clues that the email is a fake. For example, the body doesn't address me by name, and there's a space between friend and the exclamation point. Hovering the mouse over the link shows that it masks an address at a different site, but the presence of BlueMountains and the legitimate-looking KoKoCards in the name might fool a casual scan.

Curious to see what kind of con the email was perpetrating, I fired up a virtual machine (VM) that was isolated from the local network and clicked the link. A Microsoft Internet Explorer (IE) dialog box appeared and asked whether I wanted to save or run Postcard.jpg.exe. Most users that have followed the ruse this far would probably be suspicious and not run it, but out of curiosity I started Process Monitor to watch the action and clicked Run. What I found isn't very sophisticated, but it's interesting because it's an email virus that's making the rounds today. You can read the details of my excursion into launching the malicious file at https://blogs.technet.com/markrussinovich/archive/2007/04/09/741440.aspx.

In a nutshell, I discovered that the email installed a simple botnet client. A few days later I received a similar email, but this time Microsoft's spamserver had stripped the contents and indicated that what I had installed was Trojan-Spy.HTML.Pcard.w, but an Internet search for more informationyielded nothing meaningful.

I'm left wondering how successfully this type of lure brings users into a bot herder's web. There are numerous warnings that something funny isgoing on, from the lack of personalization to being asked to run a program and open a port in the firewall. The fact that this Bot herder didn't botherwith more sophistication leads me to believe that it's still unnecessary: Enough people ignore the warnings.

Users will get more wary, however, so we're in store for craftier attacks that will fool even paranoid users. Exploits of zero-day and unpatched vulnerabilities can deliver malware without user interaction, and malware can use communication techniques such as proxy servers, http traffic, or outbound-initiated bidirectional connections, to avoid causing firewall popups. Windows Vista's User Account Control (UAC) and Protected Mode IE can help mitigate attacks, but adoption will take time, and even these technologies give malware a lot of room to play. Microsoft is working to address these threats, but there's no silver bullet. The fight against malware continues.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like