New Year greeting card spam (Dec 30, 2009)

SonicWALL UTM Research team observed a new spam campaign starting on December 29, 2009. It involves a fake greeting card e-mail pretending to contain a link to a New Year card. The e-mail looks like the following:

Subject: Your have received a greetings card

Email Body:
————————
Have a happy and colorful New Year!

http://cpz.gumen(REMOVED)/2010.html -> leads to the malicious website that is still live
————————
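As an added defender-side example that is not part of the original post, the following Python triage heuristic flags e-mails that pair an e-card style subject line with a link to a host outside a trusted allowlist. TRUSTED_HOSTS is a hypothetical allowlist, and the host in the constructed lure sample is a placeholder because the post redacts the real one.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Subject wording typical of e-card lures; the campaign's own subject line
# ("Your have received a greetings card") matches the first alternative.
LURE_SUBJECT = re.compile(
    r"\b(received|sent you)\s+an?\s+(greetings?|new\s*year|e-?)\s*card", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Hypothetical allowlist of e-card providers an organisation actually uses.
TRUSTED_HOSTS = {"cards.example.com"}

def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message: str) -> dict:
    """Flag a message when an e-card subject is paired with a link to an untrusted host."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    urls = URL_RE.findall(body_text(msg))
    untrusted = [u for u in urls
                 if (urlparse(u).hostname or "").lower() not in TRUSTED_HOSTS]
    flagged = bool(LURE_SUBJECT.search(subject)) and bool(untrusted)
    return {"subject": subject, "urls": urls, "untrusted_urls": untrusted, "flagged": flagged}

# Constructed samples: the first mirrors the campaign's wording with a placeholder host,
# the second is a legitimate card from an allowlisted provider.
LURE_SAMPLE = (
    "From: cards@example.net\r\n"
    "Subject: Your have received a greetings card\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    "Have a happy and colorful New Year!\r\n\r\n"
    "http://cpz.example.invalid/2010.html\r\n"
)
BENIGN_SAMPLE = (
    "From: noreply@cards.example.com\r\n"
    "Subject: You have received a greeting card\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    "View it at https://cards.example.com/view/abc123\r\n"
)

if __name__ == "__main__":
    for sample in (LURE_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample))
```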

The e-mail message as rendered in a mail client is shown below:

screenshot

If the user clicks on the link in the e-mail, it leads to a malicious website that displays a happy new year image as seen below:

screenshot

The site contains obfuscated JavaScript code that executes when the page loads. It tries to exploit multiple vulnerabilities, including a 0-day in Microsoft DirectShow (msvidctl.dll) and a vulnerability in Adobe Acrobat Reader. If an exploit attempt succeeds, it injects the shellcode shown below:

screenshot

The shellcode downloads and executes new variants of the Bredolab and Mebroot Trojans.

SonicWALL Gateway AntiVirus provides protection against this attack via the GAV: Pdfka.ASD (Exploit), GAV: Tedroo.gen (Trojan), and GAV: Bredolab.SME_2 (Trojan) signatures.

screenshot

screenshot
