Greetings Cards - Beware!

Discussion in 'Security and Privacy' started by brett, 2002/11/11.

Thread Status:
Not open for further replies.
  1. 2002/11/11
    brett

    brett Inactive Alumni Thread Starter

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    From TruSecure

    While not directly related to MS security, I figure it's about
    time I put something out on this issue. TruSecure's TSMalcode
    mailing list has been tracking this for a couple of weeks now.

    Below is a list of URLs which are being presented in emails sent
    to you from someone you know. The email indicates you have
    received an on-line greeting from that person and you should
    click on the link to check it out.

    Here's the twist. This isn't malcode in the strictest sense. The
    authors of this thing provide you with proper install and
    de-install tools, and don't do anything they don't tell you
    they're going to do. The trick is in the End-User License
    Agreement (EULA) that you must accept to install the thing. The
    EULA explicitly outlines that it will use your email client to
    resend itself to everyone you know.

    Clearly, a great number of people never bother to read the EULA,
    or read it in its entirety. One can easily argue that you were
    told what this tool would do, and chose to install it and let it
    do its thing. I'd like to be sitting face to face with any of the
    100+ people who have installed this on their systems and
    subsequently sent an email to NTBugtraq telling us they have a
    greeting for us...doh!

    I'd love to create one that simply says, "By clicking on the Ok
    button you agree to pay Russ Cooper $1000 for the experience",
    and give them an Ok and Cancel button. The email it would be
    contained in would be a legal agreement binding them to the
    execution of the Ok click. Upon the click, have a copy sent to
    me, and my lawyers, and the police. You get charged $1000
    for me showing you how stupid you are...;-]

    While blocking the links below will help minimize the effects of
    this thing, nothing will improve the grey cells of your users who
    do click on such a link better than beating them over the head
    with a bill. Try sending a message to your users along the lines
    of that outlined above and copy their boss (in the case of the
    CEO, copy the Chairman of the Board of Directors or your PR
    firm).

    These things are bad enough when they fool you, but one that
    tells you up front everything about it and still gets traction
    just goes to show that patches and security devices are, by and
    large, virtually useless in an environment full of uneducated
    users. Policy and Education are the key...;-]

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    URLs found in this thing;

    >www.friend-g "RemoveThis "reeting.com
    >www.friend-g "RemoveThis "reeting.net
    >www.friend-c "RemoveThis "ards.net
    >www.friendg "RemoveThis "reetings.com
    >www.friend-g "RemoveThis "reetings.com
    >www.friend-g "RemoveThis "reetings.net
    >www.cool-d "RemoveThis "ownloads.net

    the string "RemoveThis" is not part of the real url.


    See this thread - the "card" can actually cause a problem or two!
     
    Last edited: 2002/11/11
  2. 2002/11/14
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0

  4. 2002/11/15
    mr.mark

    mr.mark Inactive

    Joined:
    2002/08/02
    Messages:
    491
    Likes Received:
    0
    more on the W32.Friendgreet.worm....

    here is a link to an article that contains a piece called "SNEAK ATTACK THROUGH A LICENSE AGREEMENT" (scroll down a bit to find it)

    http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=27157

    here is essentially what the piece says:

    ******************

    "When you receive a greeting from FriendGreetings.com, the message says that someone sent you the greeting and that to read it, you must click a URL that takes you to the Web site hosting the greeting. When you click the URL, you're prompted to install an ActiveX control before you view the greeting. As the greeting-card recipient, you would probably assume that you must install the ActiveX control to view the greeting; however, that's not the case. Instead, FriendGreetings.com has designed the ActiveX control, complete with an End User License Agreement (EULA), to interact with your mail client software and harvest information about your email contacts. After the ActiveX control obtains your private contact list information, it sends a similar greeting card to everyone in your contact list, probably unbeknownst to you!"

    ******************

    i received this W32.Friendgreet.worm a few days ago, though the way it came to me was not harmful. my isp's mcafee av program caught it, quarantined the message and sent me an email informing me that i could view it at a site (safely, without infecting my pc) they have set up for such things.

    the unfortunate part of it all is that the fellow who sent it to me only had a firewall on his broadband cable connection, no av protection, plus, the friend who "helps" him maintain his computer told him that this was not really a problem to worry about.

    but i think i convinced him of his responsibility to others, let alone to himself, and let him know that if he had nav2003, it would have stopped the worm on the way in and would never have let it leave had it somehow gotten through.

    :)

    mark
     
  5. 2002/11/24
    Alicia J Lifetime Subscription

    Alicia J Geek Member

    Joined:
    2002/01/07
    Messages:
    1,132
    Likes Received:
    1