Select Page

A run of spam this weekend looks something like this:

From: Martha [fake email address]

Sent: Monday, June 16, 2008 2:56 PM

To:

Subject: Martha sent you a endeny(d0t)hk! Greeting

Surprise! You’ve just received a endeny(d0t)hk! Greeting from from “Martha” [fake email address]

To view this greeting card, click on the following Web address at anytime within the next 30 days.

[malware link]

Enjoy!

The endeny(d0t)hk! Greetings Team

[endeny(d0t)hk is a live exploit site. Do not visit it unless in a virtual machine, etc.]

If you click on the link, you get to a website which attempts to exploit your system (the one we analyzed use the now-patched Ani cursor exploit). A link is also provided on the web page to download the malware yourself.

It’s a new technique that one group is using to deploy the “Storm Worm” P2P bot net.

Alex Eckelberry
(thank Adam Thomas for his research help on this)