Skip navigation

Botnets by Email

This is a summary of a popular posting to Mark Russinovich's technical blog (, which covers topics such as Windows troubleshooting, technologies, and security. You can read the entire post at

I make no effort to hide my email address, which means that I know the instant a new email-based virus, phishing attack, or penny-stock-pumping scam launches because my inbox floods. Most such emails are easy to distinguish from legitimate emails because of their lack of personalization, poor grammar, or low-quality images that attempt to foil spam filters. On occasion, however, I get a message that causes me to examine it a little more closely to make sure it's junk. I also look out for ones that might trick unsophisticated users.

My family uses BlueMountain Greetings to send eCards, so when I received the email depicted in Figure 3, I took a second look. There are several immediate clues that the email is a fake. For example, the body doesn't address me by name, and there's a space between friend and the exclamation point. Hovering the mouse over the link shows that it masks an address at a different site, but the presence of BlueMountains and the legitimate-looking KoKoCards in the name might fool a casual scan.

Curious to see what kind of con the email was perpetrating, I fired up a virtual machine (VM) that was isolated from the local network and clicked the link. A Microsoft Internet Explorer (IE) dialog box appeared and asked whether I wanted to save or run Postcard.jpg.exe. Most users that have followed the ruse this far would probably be suspicious and not run it, but out of curiosity I started Process Monitor to watch the action and clicked Run. What I found isn't very sophisticated, but it's interesting because it's an email virus that's making the rounds today. You can read the details of my excursion into launching the malicious file at

In a nutshell, I discovered that the email installed a simple botnet client. A few days later I received a similar email, but this time Microsoft's spam server had stripped the contents and indicated that what I had installed was Trojan-Spy.HTML.Pcard.w, but an Internet search for more information yielded nothing meaningful.

I'm left wondering how successfully this type of lure brings users into a bot herder's web. There are numerous warnings that something funny is going on, from the lack of personalization to being asked to run a program and open a port in the firewall. The fact that this Bot herder didn't bother with more sophistication leads me to believe that it's still unnecessary: Enough people ignore the warnings.

Users will get more wary, however, so we're in store for craftier attacks that will fool even paranoid users. Exploits of zero-day and unpatched vulnerabilities can deliver malware without user interaction, and malware can use communication techniques such as proxy servers, http traffic, or outbound-initiated bidirectional connections, to avoid causing firewall popups. Windows Vista's User Account Control (UAC) and Protected Mode IE can help mitigate attacks, but adoption will take time, and even these technologies give malware a lot of room to play. Microsoft is working to address these threats, but there's no silver bullet. The fight against malware continues.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.