
New Year Greetz from Storm Trojan

Holidays and a new batch of Storm Trojans (aka Storm worm) go hand-in-hand. The latest run started out as 'happy-2008.exe' and switched days later to 'happynewyear2008.exe'. The latter, like many previous variants of the Storm family, included a rootkit to mask its presence on the system. Most Storm variants include the following capabilities:

  1. Peer-to-peer communications;
  2. A backdoor component;
  3. SMTP relay for sending spam;
  4. Downloader / dropper to install additional malware;
  5. Email address harvester; and
  6. (Frequently), a rootkit.

During the outbreak, it was pretty cool to watch OI's Zero-Day protection go to work: our heuristics started blocking the Trojans a full 48 hours before any signature-based detection was available. Over the course of the run, 26% of the Trojan blocks came from OI Zero-Day heuristics, compared to 74% from traditional signature-based detection once signatures (eventually) caught up.

The attackers also got more creative, hosting the malware on sites with festive names like "merrychristmasdude.com", "uhavepostcard.com", "happycards2008.com", "newyearcards2008.com", and "newyearwithlove.com".

Earlier in December, a run of greeting card scams disguised as Christmas cards came bearing a backdoor Trojan. These cards used a URL crafted to look like a Yahoo or American Greetings link, and the download masqueraded as a Flash plug-in (allegedly needed to view the 'card'). The links looked like the following:

yahoo.americangreetings.com.realdomain.com/

One way to quickly spot these fakes: take the hostname (everything between 'http://' and the first '/') and read it from right to left. The rightmost two labels are the domain that was actually registered; everything to the left of it is just a subdomain the registrant can name whatever they like. In the example above the attackers want you to think that yahoo.americangreetings.com is the domain, but the registered domain is realdomain.com, and 'yahoo.americangreetings.com' is merely a subdomain of it. Simply searching for the last '.com' is not enough: the trick works just as well with any other ending (realdomain.net, realdomain.co.uk), and a lookalike name can also be pushed into the path after the '/' or in front of an '@' sign, where it is not part of the hostname at all.
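The following script is an added example (not ScanSafe code, and not from the original post) that automates the right-to-left reading described above. It pulls the hostname out of a URL, works out the registered domain, and flags any impersonated brand names that appear only in the subdomain part. The brand list and the tiny table of two-label suffixes (co.uk and friends) are assumptions for the example; a real deployment would use the full Public Suffix List instead of the three entries hard-coded here.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, so that
# evil.co.uk is treated as the registered domain rather than co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Assumption: brands the December greeting-card lures impersonated.
WATCHED_BRANDS = {"yahoo", "americangreetings"}


def hostname_of(url):
    """Return the lowercase hostname of a URL (scheme added if missing).

    urlsplit() handles the userinfo trick for us: in
    'http://yahoo.americangreetings.com@realdomain.com/' the hostname is
    realdomain.com, and everything before '@' is ignored.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def registrable_domain(host):
    """Rightmost labels that the registrant actually controls."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_verdict(url):
    """Return (registered domain, sorted list of brands found only in the subdomain).

    An empty list means the hostname does not impersonate a watched brand;
    it does not mean the link is safe, so the registered domain is returned
    as well for a human to look at.
    """
    host = hostname_of(url)
    reg = registrable_domain(host)
    sub = host[: len(host) - len(reg)].rstrip(".")
    sub_labels = set(sub.split(".")) if sub else set()
    reg_labels = set(reg.split("."))
    impersonated = sorted(
        b for b in WATCHED_BRANDS if b in sub_labels and b not in reg_labels
    )
    return reg, impersonated


if __name__ == "__main__":
    # Constructed sample links: the pattern from this post, a legitimate
    # card link, and two variants that defeat a naive "last .com" search.
    for link in (
        "yahoo.americangreetings.com.realdomain.com/",
        "http://www.americangreetings.com/card/123",
        "http://yahoo.americangreetings.com.evil.co.uk/",
        "http://yahoo.americangreetings.com@realdomain.com/",
    ):
        reg, brands = lookalike_verdict(link)
        flag = "LOOKALIKE " + ", ".join(brands) if brands else "ok"
        print(f"{link:55} -> {reg:30} {flag}")
```

Run it over a list of links pulled from suspect mail; any line marked LOOKALIKE is a link whose hostname dresses up a brand name in a subdomain of some unrelated registered domain, which is exactly the pattern the Christmas card run used.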

Overall, greeting card delivered Trojans represented approximately 1% of all ScanSafe blocks in the month of December.

Of course, Valentine's Day will be the next big target. Remember, a legitimate greeting card will always include, in the body of the email, the email address and often the name of the sender as well. If you receive a card that does not include these details, or you don't recognize the name or email address that is included, don't click through to get the card. Absent those identifying details, chances are near 100% that it's a Trojan.

Posted on Friday, January 4, 2008 at 01:28PM by Mary Landesman
