Malicious Code Research (MCRC) Blog - 2009
Who framed the Storm Worm?
If you have an email account, you have probably received at least one of those e-cards linking to nasty websites in the last couple of months.
Several security vendors flag those malicious e-cards as part of the Storm Worm attack.
Well, it now appears that sending e-cards is not the only attack vector those criminals chose in order to own your computer and add it to their botnets.
During the past month, we at MCRC have encountered several legitimate websites which include an injected iframe (Figure 1). The injected iframe refers to malicious websites with random domain names, which use the MPack crimeware. Up to this point, nothing was unusual. We see this kind of malicious iframe injection almost every day.
But the strange thing is that those websites refer to ind.php as the malicious page (Figure 2), instead of the usual index.php.

Figure 1: Legitimate web design company website with an injected iframe, referring to ind.php malicious page.

Figure 2: The source code of ind.php file, using the MPack 0.94 crimeware exploit.
So, the first thing we did was to check whether index.php also exists.
Surprisingly, not only does the index.php file exist, it also contains the same content as the websites that the malicious e-cards link to (Figure 3).

Figure 3: The source code of the index.php file, with the new invitation to download the msdataacess.exe file, and the MPack 0.94 exploit.
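The injection described above (an invisible, off-site iframe pointing at an MPack landing page named ind.php) can be spotted in a site's own HTML with a simple scanner. The following is an added example written for this post, not MCRC's or Finjan's code; the host name in the sample HTML and the file-name list are constructed from the findings above and would need tuning for other campaigns.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Landing-page file name observed in this post (ind.php sitting next to the usual index.php).
SUSPICIOUS_PATHS = ("ind.php",)

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    """True for width/height values such as '0', '1' or '1px', typical of hidden injections."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1

def find_suspicious_iframes(html, page_host):
    """Return iframes that look injected: off-site, hidden, or naming the landing page seen here."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        url = urlparse(src)
        reasons = []
        if url.hostname and url.hostname.lower() != page_host.lower():
            reasons.append("cross-site src")
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("zero-size frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if url.path.rsplit("/", 1)[-1].lower() in SUSPICIOUS_PATHS:
            reasons.append("known landing page name")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings

# Constructed sample: a legitimate page carrying one invisible, off-site iframe (hypothetical host).
SAMPLE_HTML = """<html><body><h1>Web Design Studio</h1>
<iframe src="http://random-domain.example/ind.php" width="0" height="0"
 style="display: none"></iframe>
<iframe src="https://www.example.com/map" width="400" height="300"></iframe>
</body></html>"""
```

Running find_suspicious_iframes(SAMPLE_HTML, "www.example.com") reports only the first iframe, with all four reasons, while the site's own map frame passes.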
So, not opening links from suspicious e-cards might not be enough to protect yourself from the Storm Worm.
Posted by Aviv Raff