Original URL: http://www.theregister.co.uk/2007/06/29/ecard_storm_trojan/
There's a new version of the Storm Trojan on the loose, disguised as an e-postcard but actually recruiting zombies for a botnet, according to the SANS Institute's Internet Storm Centre.
The attack arrives as a spam with the subject line "You've received a postcard from a family member!" and contains links to one of several malware hosting sites, said SANS researcher Lorna Hutcheson in a SANS ISC security alert (http://isc.sans.org/diary.html?storyid=3063). The interesting part is just how multi-layered the attack is: it uses several different exploits, both technical and social.
It starts by testing whether JavaScript is enabled, and if it's not, it prompts you to download a file called ecard.exe and run it. If that fails, it tries three different exploits in sequence until it finds one that works, starting with a QuickTime attack, then a WinZip attack, and finally what the ISC calls the "hail Mary" WebViewFolderIcon exploit.
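The social-engineering layer described above is the one a mail gateway can catch before any browser exploit fires. The following is an added example of that kind of triage, not code from The Register or from SANS ISC: it parses a raw message, checks the subject against the lure quoted in the alert, and flags links that point at a bare IP address or at an .exe download (the ecard.exe step). The two sample messages and the 192.0.2.10 address (TEST-NET-1) are constructed for the example and are not real indicators.

```python
"""Triage incoming mail for the e-card lure pattern.

Added example for this article; not code from The Register or SANS ISC.
Sample messages and the 192.0.2.x address are constructed, not real IoCs.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Subject line quoted in the SANS alert, compared case-insensitively.
LURE_SUBJECT = "you've received a postcard from a family member!"

# Plain-text URL finder; adequate for the bodies seen in spam lures.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _text_parts(msg: Message) -> str:
    """Concatenate every text/plain or text/html part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def assess_message(raw: str) -> dict:
    """Return a verdict and the sorted list of indicators found in one message.

    'block' needs the lure subject plus at least one link indicator; a single
    indicator on its own is only 'suspicious'.
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    reasons = []

    if subject == LURE_SUBJECT:
        reasons.append("lure_subject")

    for url in URL_RE.findall(_text_parts(msg)):
        parsed = urlparse(url.rstrip(".,)"))
        host = parsed.hostname or ""
        if IPV4_RE.fullmatch(host):
            reasons.append("raw_ip_link")      # link to a bare IP, no hostname
        if parsed.path.lower().endswith(".exe"):
            reasons.append("exe_download")     # direct executable download

    reasons = sorted(set(reasons))
    if "lure_subject" in reasons and len(reasons) > 1:
        verdict = "block"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample: the lure as described, pointing at a documentation IP.
LURE_SAMPLE = """\
From: postcard@example.net
To: victim@example.com
Subject: You've received a postcard from a family member!

Your family member has sent you a postcard. Click here to view it:
http://192.0.2.10/ecard.exe
"""

# Constructed sample: an ordinary newsletter with a normal hostname link.
BENIGN_SAMPLE = """\
From: newsletter@example.org
To: reader@example.com
Subject: Weekly digest

Read this week's stories at https://www.example.org/digest
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess_message(sample))
```

The subject check is deliberately exact rather than fuzzy so the rule stays cheap and explainable; the link checks are what give it value against the next rewording of the same campaign, since a bare-IP host or a direct .exe download is unusual in legitimate greeting-card mail regardless of the subject line.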
The aim is to get the user to download a Trojan. If executed, this calls home to a malware hosting server which SANS says has been active since December 2006, and attempts to install zombie software. That then ties the PC into a spam botnet.
Perhaps the most dangerous part is that, when SANS ran it through 30 different anti-virus programs, only a quarter of them picked up ecard.exe as a suspect download.