Malware Reunion
The new year is upon us and for some that means a walk down memory lane, reminiscing about college or high school friends and perhaps anticipating a reunion with your former classmates. Scammers are taking advantage of this season of nostalgia, sending out bogus email invites disguised as a classmates reunion notice. One such email reads:
Your Classmates request the Pleasure of your Company at the Celebretion of our 2009 year Reunion.
Registration, Hosted Bar, and Reception at six o'clock Savoy Room.
You have received new messages to your classmates inbox centre.
Hopefully the obvious misspellings and strange capitalization are enough to tip off the recipient that it's a scam. If not, the link should be a dead giveaway. Instead of classmates.com, it points to flashplayerforwindows.com. According to ThreatExpert, the downloaded malware consists of a rootkit-enabled backdoor that also acts as a trojan downloader.
Firefox users (particularly those who use the NoScript add-on) should be aware that a visit to the site will initiate the download of a malicious executable. That's because attackers are taking advantage of too-forgiving behavior in Firefox, which allows even poorly formed instructions in the HTTP header to be acted upon. In the classmates reunion scam, attackers are simply specifying the binary as part of a meta http-equiv="REFRESH" tag, which Firefox merrily accepts. Firefox 3 at least allows you to change this behavior (previous versions did not, so this is a good reason to upgrade). Here's how to disable HTTP header refresh in Firefox.
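As an added example (not part of the original post), here is a small Python check that a mail or web gateway could run over a fetched landing page to flag a meta refresh whose target is an executable, the pattern described above. The function names, extension list and sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Extensions treated as directly executable downloads (assumed list for this example).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".msi")

class MetaRefreshFinder(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content looks like "0; URL=http://host/file"; the "url=" part is optional
        m = re.match(r"\s*[\d.]*\s*[;,]?\s*(?:url\s*=\s*)?(.*)$",
                     a.get("content", ""), re.I | re.S)
        url = m.group(1).strip().strip("'\"") if m else ""
        if url:  # a bare delay such as content="30" has no target and is skipped
            self.targets.append(url)

def audit_refresh(html, page_url):
    """Return one finding per meta refresh target found in html."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for raw in finder.targets:
        absolute = urljoin(page_url, raw)  # resolve relative targets
        parsed = urlparse(absolute)
        findings.append({
            "target": absolute,
            "executable": parsed.path.lower().endswith(EXECUTABLE_EXTS),
            "off_site": parsed.hostname != page_host,
        })
    return findings

# Constructed sample page; host and file name are placeholders, not from the post.
SAMPLE = ('<html><head><META HTTP-EQUIV="REFRESH" '
          'CONTENT="0; URL=/files/setup.exe"></head></html>')

if __name__ == "__main__":
    for finding in audit_refresh(SAMPLE, "http://landing.example/invite"):
        print(finding)
```

A finding with "executable" set to true is a strong signal to block or quarantine the message that linked to the page.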


Comments
Your instructions on disabling HTTP were all wrong. In the most recent Firefox Browser there is indeed a tools>options route but no such thing as a General tab! Please re-instruct this procedure on your page.
Actually, there is a General tab. Look carefully under Advanced and you will see it.