Fame At Last, Or Under Attack?

Here’s an example of how social engineering can be more important than technical sophistication.

It’s an email with a credible From address, credible headers, a credible subject line and credible contents:

From: john@flexiprint.co.uk
Subject: Photo Approval Needed

Your photograph was forwarded to us as part of an article we are publishing for our May edition of Business Monthly.  Can you check over the format and get back to us with your approval or any changes you would like.  If the photograph is not to your liking then please attach a preferred one.

Kind regards,

John Andrews
Dept Marketing

Attached is a zip file, photo-approval-needed.zip. Inside the zip file is a screen-saver executable, which, according to CodePhish’s Daniel McNamara, is an IRC trojan for building a botnet. In English this means compromising the victim’s computer so it can be controlled remotely to send spam, viruses and stuff. The compromised computer is called a zombie and the big collection of remotely controlled zombies is called a botnet.
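The delivery mechanism above (an executable screen saver wrapped in a zip attachment) is exactly the pattern a mail gateway can catch without needing a signature for the trojan itself. As an added example, not code from the original post, here is a small Python check that parses a raw email, opens any zip attachment in memory and flags executable members. The sample message is constructed; the name of the .scr inside the archive is assumed (the post does not give it) and its contents are an inert placeholder.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types Windows runs when double-clicked; .scr (screen saver) is the one used here.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def is_executable(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_EXTS)


def suspicious_attachments(raw: bytes) -> list[str]:
    """Return one finding per attachment that should be quarantined.
    Zip archives are opened in memory and each member checked, because the
    executable in the post was wrapped in a zip rather than attached bare."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if is_executable(name):
            findings.append(f"{name}: executable attachment")
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if is_executable(member):
                        findings.append(f"{name}: archive contains executable {member}")
    return findings


def build_sample(member: str = "photo-approval-needed.scr") -> bytes:
    """Constructed message modelled on the one quoted in the post. The zip
    member's name is assumed (the post does not give it) and its contents are
    an inert placeholder, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member, b"placeholder bytes, not executable code")
    msg = EmailMessage()
    msg["From"] = "john@flexiprint.co.uk"
    msg["Subject"] = "Photo Approval Needed"
    msg.set_content("Your photograph was forwarded to us as part of an article...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="photo-approval-needed.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))
```

A zip whose members are all images passes; the same archive with a .scr inside is reported, which is the check that signature-based scanners missed on the day.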

While Daniel says the trojan is not that sophisticated, it does do a pretty good job of turning off Windows XP’s firewall, turning it, in his words, “into Swiss cheese”.

I’m more impressed, however, at the social engineering. Who wouldn’t wonder whether the attachment might be a picture of them, and why wouldn’t they be written up in Flexiprint’s Business Monthly? Only by opening the zip file, or by checking out Flexiprint’s website (which resolves to business Internet solutions provider altoHiway), would the recipient start to smell a rat.

This goes to underline a point that is sometimes skated over in advice given to the casual Internet user: It’s not enough to scour a suspicious email for bad grammar, odd formatting or strange header fields. Sometimes these give up few clues. The best rule of thumb is: If you’re not expecting an email from the sender, be suspicious.

Do Viruses Really Cost This Much?

Mi2g, the British-based security consultancy that seems to court controversy and a fair amount of ridicule, has issued a press release (it doesn’t seem to be up yet) that is likely to prompt similar reactions: “USD 166 billion malware damage in 2004”, the headline reads:

The total economic damage from malware – viruses, worms and trojans – in 2004 is estimated to lie between USD 169 billion and USD 204 billion, making 2004 the worst year on record by a wide margin according to the mi2g Intelligence Unit, the world leader in digital risk. 2003 did not log even half of the malware economic damage figures attributable to 2004. With an installed base of around 600 million Windows based computers worldwide, this works out roughly as average damage per installed machine of between USD 281 and USD 340.

Certainly viruses and worms are damaging computers, business and nerves but I’m not sure it stretches to $300 billion. That is the same as (from a quick search of recent news articles):

So I guess it’s not impossible. But it seems to be a bit over the top. Mi2g says it calculates damages “on the basis of helpdesk support costs, overtime payments, contingency outsourcing, loss of business, bandwidth clogging, productivity erosion, management time reallocation, cost of recovery and software upgrades. When available, Intellectual Property Rights (IPR) violations as well as customer and supplier liability costs have also been included in the estimates.” You could pretty much throw any old figures in there.

I would agree with them, however, when they point to the recent “proliferation of Bagle malware variants worldwide” as a sign that, like last year, “there could be a choppy cyber-sea ahead, made all the more complex by new and more dangerous malware families that are yet to emerge.” It may not be costing quite the equivalent of a major war, eradicating global poverty or how much Americans spend on sneakers and baseball games, but a virus sure can muck up your day.

Anatomy Of A Phishing Trojan

Phishing emails don’t need to be sophisticated to lure the unwary. Indeed, there’s some evidence those behind the more convincing looking emails masquerading as bank emails are also behind a spate of key-logging trojans, which use basic methods to fool the recipient into making them active.

Australian Daniel McNamara of anti-phishing website Code Fish has found a new trojan that does a scary amount of work; he believes it’s the same phishing gang which recently launched attacks against his website and which targeted Westpac and ANZ banks. The emails themselves contain no special tricks, just plain text mentioning something newsy about Australia and offering a link to read more.

In this case it’s not the emails themselves that are sophisticated (in fact, their very simplicity may be the lure); it’s the website they link to (the website in question, apparently, is a cracked Windows XP machine sitting on a broadband link in Canada). All the user sees there is a blank page, whereas in fact, for unpatched Internet Explorer users, the website quickly uploads a trojan into the user’s computer using a Java applet built into the web page. All it takes is a second, and all the user might see, if his eyes are quick, is a message appearing for a few seconds in the status bar at the bottom of the browser window: “Applet intialising..” Now his computer is infected.

It’s worth taking a closer look at the payload, courtesy of Daniel’s groundbreaking sleuthing. The trojan copies the contents of a file to the Windows directory. It then creates an executable file, which is then launched. It creates a subfolder in the Windows directory called “ijn” in which it then places two files, nm32.exe and mn32.dll. The executable is then deleted. A small text file is created in the same directory.

This is all so well hidden from view that only a real expert could know it was going on. As far as Windows is concerned the trojan and the directory it created don’t exist, even in the Windows Task Manager, even with “show hidden files/directories” turned on. As Daniel says, “somehow the trojan has set up a ‘screen’ so that the overlying Windows GUI denies their existence. Judging from what we found out later it’s because it’s managed to place some hooks into Explorer that allow it to basically become invisible to the average end user.”

Behind the scenes, however, the trojan is busy. As soon as the user visits an Australian banking site, it logs all keystrokes to a file in the same directory called “kbd.txt”. The results are then emailed to a server in Russia. The ps.txt file, the other file created by the trojan, is delivered via FTP — a standard for sending a file from one computer to another over the Internet — and appears to include, Daniel says, passwords stored on the victim’s computer, including those for Outlook Express, AOL and possibly Microsoft’s Passport. The FTP site is hosted on a computer belonging to a web hosting company in the U.S.

In other words, this trojan not only captures your banking passwords, it also trawls around for any kind of passwords on your computer that may prove useful.

So who’s behind it? There are a couple of clues: The email appears to be delivered to a Russian email address (server@mail.ru). There’s also a snippet in one of the files that would seem to indicate the author, or someone involved in the trojan’s creation, was Russian, or at least East European.

There are a couple of points worth making here:

  • The weekend attack: These attacks happen too quickly for anti-virus companies, but particularly if they hit at weekends. Daniel says he spotted the trojan on Friday night, but said the website that supported it was not working until midday Saturday, Eastern Australia time (this is Friday afternoon/evening, U.S. time). Within an hour or two he had heard from one person who was infected after his anti-virus software failed to stop it. Daniel says he forwarded the trojan to the anti-virus companies late Saturday (Australian time), but so far there’s no sign they’ve updated their libraries, or posted a warning.
  • Phishers are not just after your bank details. They could also make use of your other passwords — remember, the trojan-loading website was on a hacked broadband computer (probably a home computer) in Canada, which may or may not have been hacked into. The FTP site was on a legitimate web hosting server in the U.S., where an account had been hacked into.
  • Phishing is not just fancy graphics. Phishing is about social engineering, but it can be primitive, and still successful. This was a plain text email but with enough appeal to get someone to click on the link. (Indeed, with public awareness of the more sophisticated phishing attacks growing, this may be a deliberate move on their part.) Daniel’s convinced the people behind this one are behind others: He points to the fact they use exactly the same technique to upload the trojan as in previous attacks on Westpac and ANZ customers.
  • Sophistication: This trojan does add some elements to the mix that show how, with every attack, the folk behind them get smarter. There’s really no visible evidence this trojan has gotten onto your computer and resides there unless you take a real, close look.

Bottom line: Phishers use lots of different methods, and lots of different tricks, to get a broad range of information out of you. And, if they hit at weekends, anti-virus companies may be asleep at the wheel, so don’t rely on them.

News: Beware The Trojan

I got my first password stealing trojan yesterday. My, they’re good. I’ve never shopped at Citibank (sorry, Ditta) but for a moment I thought that maybe I had. This was what the email looked like:
Dear sir,
Thank you for your online application for a Citibank Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn’t satisfy our minimum needs. Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time.
*Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.
The email came with all the right headers, and my virus checker didn’t notice anything wrong, but the folks at Sophos have identified the attachment as a two component backdoor Trojan, specifically, Troj/Webber-A. The first bit attempts to connect to http://www.joro71.addr.com, download a file to rtdx32.exe in the Windows system folder and execute it. The second bit is a password stealing Trojan that attempts to extract sensitive information from several locations on the system and sends them to CGI scripts at http://weyrauch.addr.com. Yuck. Beware.