It's no coincidence that one of the most recent Trojan horse programs to enter the FBI's bi-weekly rogues gallery of malicious code is named after an Internet porn company.

The program, dubbed "Cytron" by the bureau's National Infrastructure Protection Center (NIPC)and some anti-virus vendors, is a covert browser plug-in that gives Internet Explorer users something they probably don't want: more pop-up ads, promoting a slew of adult websites.

Users are lured into accepting the program through a wholesome e-mail from [email protected] -- a forged return address. The mail looks convincingly like an electronic greeting card notification, with a cute smiley face background and the text "You have received an e-card" in squiggly block letters.

Clicking on the graphic of a cartoon hand holding an envelope takes the recipient to surprisecards.net, where the surprise is an "e-card viewer plug-in" that they have to accept to read the card. If the user accepts the ActiveX control, which is signed with a credibility-boosting digital certificate, Internet Explorer will begin selectively feeding them racy full-sized pop-up ads for adult websites, mostly operated by Canada-based Cytron Communications Ltd. They never do get a greeting card.

Small touches like the convincing domain name and the authentic digital certificate make the ruse smarter than the average covert adware delivery mechanism. "A lot of people see that it's an authentic certificate... and will just mindlessly click okay," says Jonathan Zdziarski, a Georgia software developer who was among the first to detect the spammy scam late last month after receiving one of the e-mails. "I can certainly see how your average doctor or oil change technician or anyone who's not in the technology field would fall for something like that."

The e-card porn Trojan is the latest advancement in an industry known for pushing the envelope.

"There some perfectly legitimate Internet porn operators, but it is a ruthlessly competitive industry that's constantly looking for new ways to get the click," says Jason Catlett, president of the anti-spam company Junkbusters. "They've always been at the leading edge of tactics, legitimate and illegitimate, for getting more traffic."

Key Phrase Matching
The Cytron program works by scanning the Web sites the victim views for key phrases like "hot sex" or "hard core," then serving up ads based on the matches. The technique seems designed to target only people in the market for porn, luring them away from Cytron competitors while catering to the user's particular sexual inclinations.

But the covert phrase-matching software suffers from the same problem as keyword-based filtering programs: it's easily triggered by destinations that don't necessarily indicate a taste for adult content. In tests by SecurityFocus, browsing a USA Today story about the constitutionality of Internet porn spawned a window promoting the gay men's adult site "Tyler's Room," complete with thumbnail teaser photos of well-endowed models. Surfing to a Christian website selling the video "Porn: the Tragedy Exposed" exposed the front page of another Cytron site offering "The nets [sic] youngest women online," with a topless photo of one of them.

Though Cytron is based in British Columbia, by luring U.S. netizens into installing the covert adware under false pretenses, the company may run afoul of U.S. computer crime laws and regulations prohibiting deceptive trade practices, says Catlett. "It's very ingenious... But if they're fooling people into downloading software, that's still going to be illegal under the Computer Fraud and Abuse act."

Full article and source:

Security Focus