Dispatches From The Front Lines ...
July 4th. Storm. Duh.
Posted on July 03, 2008 at 04:26 PM

As night follows day, the Storm guys are doing their thing for the U.S. Independence Day holiday, July 4th:

Subject: Celebrations have already begun

The email message is a simple sentence, such as "Happy Fourth of July" followed by a numeric IP address. The destination page is the same format as the phony Beijing earthquake malware lure:

Storm worm page for 4th of July, 2008

Content is a false video player image, which is a link to download fireworks.exe, a malware load that VirusTotal shows identification by 15 of 33 antivirus systems. But the page also includes the same hidden iframe element and ind.php program described in Love Hurts Even More. Check the scripting analysis document linked from that post to learn more about this multiple-exploit drive-by attack.

Don't let this M-80 explode inside your PC.

UPDATE (4 July 2008): Just saw this subject line variant: "Stars and Strips forever." Ooh, so close. Sounds more like an ad for a Las Vegas adult revue.

Love Hurts Even More
Posted on July 02, 2008 at 09:23 AM

Back in May, my blog entry Love Hurts told the quick story of a Storm-like email message that tried to lure victims to a site that automatically downloaded an executable Windows program. A month later, a new wave of such messages started flowing, but the destination at the end of the email links is far more insidious.

As before, the range of message Subject: lines, while all in a romantic vein, are all over the place. Here is a sampling of ones I've seen:

  • Can't stay away from you
  • Lucky to have you
  • My heart belongs to you
  • I want to be with you
  • I Wanna Be With You
  • Crazy in love with you
  • Lost In Love
  • For you...Sweetheart!
  • You make my world beautiful
  • My heart beats just for you
  • I'll Still Love You More
  • Love me tender, love me true

Ugh. I'm getting that bad taste one gets from having eaten one-too-many of those chalky candy hearts with ooey-gooey phrases on them. "I Wuv You."

Message bodies are a continuation of the one-sentence theme employed by not only a lot of recent malware lures, but recent medz and knockoff brand-name goods spammers who use the same address lists. I'd repeat some of the message bodies here, but reciting too many lines in the spirit of "Missing you with every breath" will make me vomit.

What these messages want you to do is visit the URLs at the end of the sickly sweet lines. Some email clients turn anything they recognize as a URL into a clickable link, unfortunately making it easier to go in search of your untrue love. The URLs are to a bunch of plain-language .com domain names, such as makinglovedirect.com (now suspended the last time I checked).

Visiting any of those sites with an unpatched Internet Explorer could land you in a world of hurt. If you ever see the following page, it could be too late for you:

Drive-by malware loading page.

No, I really wasn't the lucky 10,000th visitor. Everyone is the lucky 10,000th visitor. Just as I've written that the assertion "this is not spam" means that it's spam, the assertion that "this is not a joke" means that it's a joke.

Although two downloads require clicking on either the image or "click here" link, there is an unseen iframe element that automatically targets numerous vulnerabilities. The malware distributor uses obfuscated JavaScript to make the initial delivery. Because I've been a JavaScript nut since before Day One, I spent some time deconstructing the delivery mechanism of this iframe. Rather than bore non-scripting blog readers with the gory details, I've created a separate document that shows my findings. You can download the 374KB PDF file here (Creative Commons licensed).

Almost all of us want to be wanted and loved. Malware distributors exploit that desire by making us believe we have secret admirers and might even get lucky with the right connection. With this malware campaign, you won't get laid, but you might well be screwed.

That E-Card Isn't From Hallmark
Posted on June 29, 2008 at 07:13 AM

For many years now, malware distributors have sent email messages telling recipients that they have received an e-card, and that they should "click here" to retrieve it. The links to, and bogus identities of, the e-card holders were typically lesser-known e-card businesses—usually a legitimate Mom & Pop type online business whose name had been abused by the crooks.

One of the best known greeting card brands in North America, Hallmark, is being used today in a lure to get unsuspecting victims to load a well-known Trojan onto their systems:

From: "hallmarkonline.com" <cards@hallmarkonline.com>
Subject: A Hallmark E-Card from your Friend

If you display the message's image, you see this:

Fake Hallmark e-card notice.

It's rich that the message shows steps to follow if "you're concerned about online security," because if you click anywhere on the image, you actually click a link directly to the Trojan file (card.exe) located on a hijacked web server in the U.K. Clicking the link downloads the file, which, if then opened by you, will install a backdoor for crooks to take over your machine.

Not only do you not get a card from "a friend," but you've just given a great gift to a criminal gang. And it's exactly what they wanted.

Phishers Will Sniff Out Anything of Value
Posted on June 28, 2008 at 10:14 AM

Look at this well-designed phishing email message:

Google AdWords account phishing message

Its goal is to capture login names and passwords for Google AdWords accounts. The bogus destination page is (except for one busted image) an identical twin sister of the actual Google AdWords login page. The page is also written with an added script that uses a browser cookie to prevent your browser from visiting the fake page a second time—if you try, it immediately redirects you to the real page.

If you perform the rollover test of the clickable link in the message (shown in the image above), the link isn't to Google's site, but to a domain that has what may be a convincing alternate name. I mean, it has "ads" in the name, right? That domain, by the way, was created waaaay back on Wednesday. The domain registration has information from someone in Paris, but no crook in his right mind would leave a trail of bread loaves. The fake site is hosted through a Spanish ISP.

The lesson to learn here is that obvious financial targets, such as financial institutions (banks, credit unions, PayPal) and popular e-commerce sites (Amazon, eBay, Best Buy), aren't the only ones that phishers have their eyes on. If there is an account anywhere on the Internet that has one thin dime in it (or has data that can be turned into a dime), you can be sure phishers will root through your emotional defenses for that dough like a pig hunts for truffles.

Backscatter Poo
Posted on June 26, 2008 at 05:07 PM

Automated systems can be just so damned dumb (I must reserve the word "stupid" for other purposes in this posting).

It appears that Sony Style's Customer Care system allows any Tom, Dick, and Harry Z. Robot to submit an issue via email without any kind of authentication or proof that the sender is human. I know this because earlier today I received an automated response from Sony, acknowledging "my" request for help:

Sony responding to a customer care request.

Allow me to translate. At 01:54 PM today, a Sony email account user name of sonystyle-[removed] received a question from a customer whose name is Kimball Shigeo, and whose email address is...one of my email addresses. The question consisted of a URL to a German web site hosting a file named video1.exe.

In our last episode, you remember, I wrote about the "You look really stupid [so-and-so]" malware lures flooding message space in the last couple of days. Sony received one of these, complete with a forged From: address, and entered it into their system. Their system (actually, a system belonging to the customer relationship management company they use) then spit out the confirmation above.

Stee-rike One.

Since they provided a link to view the question and answer thread and after verifying that the link was legit, I clicked to see what, if anything, they'd show. Oddly enough, I couldn't view it because to do so required an account and password—theoretically one that I would have had to set up to submit the question in the first place.

Hmmm. Something tells me that the Sony email address targeted by the botnet isn't the normal way to submit support questions. It might be some kind of back door address that sneaks past the account-creation process.

Stee-rike Two.

At 4:00 on the button, Sony Style issued another e-missive. This one was titled:

Subject: Your recent Sony Style Customer Care experience

Some relevant excerpts:

Recently you contacted Sony Style Customer Care. In order to enhance the Sony Style customer experience, we invite you to complete a short survey that specifically targets your Customer Care experience. ... You received this email because our records show you contacted Sony Style Customer Care and we wish to improve our service.

Because I understand what's going on here, I simply get pissed off, rant about it in a blog entry, and load up a customer service survey with vitriol. But I'd wager that almost anyone else receiving a confirmation like the one above would be confused beyond belief. Worse still, they might venture to that URL to download and run the Trojan installer. Yikes!

Stee-rike Three. Yer out!

"You look really stupid"
Posted on June 25, 2008 at 09:57 AM

Yes, that is the Subject: line of a malware lure. It arrives with your email account name (the part before the @) appended. Thus, if your email address is johndoe@example.com, the Subject: line reads:

You look really stupid johndoe

The message body is simply a URL to a file named video1.exe, located on a hijacked web site. If your email client turns that URL into a clickable link, then clicking it (or copying and pasting the URL into your browser) begins the download of that Windows executable file to your machine. If you fear that the video caught you in a less-than-intelligent act, and you open the file on your PC, you've just enlisted your PC into a botnet army.

Congratulations.

NOT!
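A mail-filter heuristic for the lure shapes described in this post and the Storm posts above (a body that is little more than a link, a link to a Windows executable such as video1.exe, a link to a bare numeric IP address, and a Subject: line ending in the recipient's account name). This is an added example, not code from the original blog; the sample messages, addresses and host names are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages modelled on the lures described in these posts;
# the addresses and host names are invented placeholders.
SAMPLES = [
    ("From: sender@example.net\nTo: johndoe@example.com\n"
     "Subject: You look really stupid johndoe\n\n"
     "http://hijacked-host.example.org/video1.exe\n"),
    ("From: sender@example.net\nTo: jane@example.com\n"
     "Subject: Celebrations have already begun\n\n"
     "Happy Fourth of July http://192.0.2.10/\n"),
    ("From: boss@example.com\nTo: jane@example.com\n"
     "Subject: Q3 report\n\n"
     "The slides are at https://intranet.example.com/q3/report.html\n"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IP_HOST_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|$)", re.I)
EXE_PATH_RE = re.compile(r"\.(?:exe|scr|pif|com|bat)$", re.I)
STRONG = {"bare IP address link", "link to Windows executable", "recipient name in subject"}

def lure_signals(raw):
    """Return the set of lure indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    local_part = parseaddr(msg.get("To", ""))[1].split("@")[0].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    found = set()
    urls = URL_RE.findall(body)
    # Weak signal: a one-liner whose only real content is the link
    if urls and len(URL_RE.sub("", body).split()) <= 6:
        found.add("one-line body around a URL")
    for url in urls:
        if IP_HOST_RE.match(url):
            found.add("bare IP address link")
        if EXE_PATH_RE.search(url.split("?", 1)[0]):
            found.add("link to Windows executable")
    # "You look really stupid johndoe": subject ends with the recipient's account name
    if local_part and re.search(r"\b" + re.escape(local_part) + r"\s*$", subject.lower()):
        found.add("recipient name in subject")
    return found

def is_lure(raw):
    """Flag a message only on a strong signal, so ordinary one-line link mails pass."""
    return bool(lure_signals(raw) & STRONG)

if __name__ == "__main__":
    for raw in SAMPLES:
        print(is_lure(raw), sorted(lure_signals(raw)))
```

The weak "one-line body" signal alone never triggers a verdict; the third sample shows a legitimate one-line link message passing while the two lure-shaped messages are flagged.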

Yet More Storm Quaking
Posted on June 23, 2008 at 08:36 AM

The Chinese earthquake (not the real one, but a later 9.0 one that never occurred) malware lure (here and here) has revved up again, but this time with links to numeric IP addresses, rather than domain names. Although the linked sites look the same, the payload (still called beijing.exe) has apparently morphed a bit, as VirusTotal didn't recognize it as previously scanned when I passed it through for analysis. Some AV programs that caught the earlier version didn't catch this one; while others that didn't catch the first one caught this one. Total score at the moment: 10 of 33.