Marshall Brain's Blog

[See Previous]

This article on E-card hijack spam is written by a person who got a piece of spam email. When he clicked on the link in the email he found that the web page he arrived at is malicious. What this points out is that it is now possible to build ordinary web pages that have destructive intent.

In his analysis, the author found that the web page he arrived at tries to do several different things to his machine:

• It attempts to download a file called a.exe and run it. According to the article, the page "includes a hidden textarea which contains ActiveX to download a certain a.exe, and overwrite the Windows Media Player wmplayer.exe with it. Once the file has been replaced, IE is redirected to the mms://, which causes the invocation of wmplayer.exe. The code in this textarea is processed by some javascript after a 5 second timeout, and is run in Internet Explorer's 'Media Sidebar'. Before this 5 second timeout, however, a fake url, error.jsp, is opened in the media sidebar to throw off the user."
  
• It then "tries yet another IE exploit to run a.exe remotely."
  
• It then tries a third way to run a.exe using vbscript. "The vbscript code contains strings which represent, in hex, the binary contents of a certain executable which is saved as x.exe. Once saved, this executable is launched with the url to a.exe as an argument."

Currently, because of spam and email viruses, we have all become suspicious of email. Any email received today has a fairly high probability of being malicious in some way.

Now we are seeing malicious Web pages. You arrive at an innocent-sounding URL and find it able to cause bad things to happen on your computer. If the trend spreads, it could put a big damper on random surfing.

I wonder if Google has technology in place to detect malicious pages in its index? It would also be nice if Google flagged the pages that link to malicious pages.

Here's the author's advice: "If you're still using Outlook and Internet Explorer, this is a good time to find alternatives (I suggest FireFox and Thunderbird). Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users."