Today a press release arrived from a public relations company acting for Trend Micro, the Internet security company. I didn't know the name, and I'm so damn suspicious these days that I immediately sorted the inbox by sender's name to see whether any other mail had arrived from this agency, "Infinity Communications". In doing that, of course, I simply proved the point they were making: you must be careful with literally every message. Note that I'm viewing messages that survived SpamAssassin and MailWasher Pro; between them, those filters still delete in excess of 200 messages a day. This e-mail, one of many daily surprises, contains a story about a message that purports to be from Microsoft, and since we already have Internet fraud and related material in this issue I thought it was worth mentioning as an accompaniment, especially for those trusting souls who have a mental nap while downloading e-mail and attending to security matters.

Sydney, 13 June 2006. We all know the importance of keeping systems patched with the latest Microsoft updates, to avoid security threats that seek to exploit known vulnerabilities in the Microsoft operating system. But what if the patch itself was the security threat? Trend Micro detected a trojan earlier this week whose social engineering begged precisely that question. It all started with an e-mail, purportedly from Microsoft, claiming that a new worm was spreading and that immediate action was required from the user: install a security patch to prevent infection. And because of "problems with the Microsoft Automatic Update site", as the message claimed, the patch was attached to the e-mail rather than offered for download. Sound suspicious? It should. According to Adam Biviano, Premium Services Manager at Trend Micro, this technique turns up regularly, but infrequently, and convincingly, enough to keep succeeding.
"Since 2003, we have seen a number of instances where a Microsoft patch or update message was used to trick users into infecting their systems", said Biviano. "The code itself is really different, so it's likely the work of different writers each time, but the technique is similar — and gaining popularity."

According to Biviano, instead of installing a patch, the attachment was actually the malware executable. Launching it would have installed a commercially available key logger, one that can be freely downloaded from the Internet. In addition, the user's system would have been infected with at least three different trojan spyware components, all well known to security vendors but reused here in modular fashion. Biviano recognises that this particular sample represents a failed attempt, but cautions on the need to remain vigilant. "Luckily, this particular malware was damaged, so the attachment failed to execute as planned", said Biviano. "But it's not uncommon for us to see copycats in the near-term future who write malware that does work, so we want to get the word out now, to avoid potential infections."

Utilising a technique popularised by phishing scams, the writer of this malware tried to give the e-mail an authentic appearance by placing the familiar white Microsoft logo on a blue background at the top of the message, most likely copied from Microsoft's own Web site. As with modern phishing scams, the technique uses professional-looking HTML e-mail that includes company logos, font styles, colours, graphics and other elements to spoof the supposed sender, together with a call to action that prompts recipients to react immediately. The only difference here is that the malicious code is attached to the e-mail itself rather than reached through a link to another site where the crime would be committed.
Biviano also advises users that, in addition to ensuring their systems have the most recent security patches and updated antivirus definitions, it is absolutely essential to remain vigilant. "As with just about any social engineering technique, user education is by far and away the best defense", said Biviano. "Microsoft, security vendors, banks—just about any legitimate business — would never include security patches or sensitive information in an e-mail attachment. That's simply not the way business is done."

Internet Fraud

There is a story in this issue about Internet fraud in which author Bob Schneider shows a message he received from a bunch of thieves pretending to be PayPal. I recognised it immediately as similar to a few that arrived here recently, and I've printed a screen dump of one of them. You will notice the genuine PayPal logo. It is important to understand that, as with most HTML messages, the logo is not embedded in the message; only its Web address is. The message arrives as text (HTML markup), and the logo is collected over the Internet as you display the message. That fetch alone tells whoever runs the server that your address is live and that the message was opened, so we should always avoid displaying messages after a download until Internet activity is blocked, or until the mail client is set to refuse remote content. When this particular message is displayed the logo is retrieved from Romania; that's where the thieves are located, hiding behind a catering Web site. You cannot be too careful: whatever is served in place of the logo need not be an innocent picture, and flaws in image handling have been exploited before. It downloads quickly and silently, and from that moment onwards your system is in jeopardy.

Reprinted from the July 2006 issue of PC Update, the magazine of Melbourne PC User Group, Australia
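The two lures described above, the executable "patch" arriving as an attachment and the logo fetched from a third-party host when an HTML message is displayed, can both be checked mechanically before a message is ever rendered. The following Python script is an added example, not code from the article, from Trend Micro or from PC Update; it audits a raw message using only the standard library. The message it audits is constructed inside the script (the sender address, the `.example` host names and the attachment bytes are all invented for the demonstration), not a captured sample.

```python
"""Audit a raw e-mail message for the two lures described in the text:
an executable "patch" attached to the mail, and logos or links that are
fetched from a third-party host when an HTML message is displayed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# File suffixes Windows runs from a double-click (assumed, not exhaustive).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


class _RefCollector(HTMLParser):
    """Collect every <img src=...> and <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def html_references(html):
    """Split an HTML body's image sources into embedded (cid:) and remote
    (http/https) ones, and also return the remote link targets."""
    collector = _RefCollector()
    collector.feed(html)
    embedded = [u for u in collector.images if u.lower().startswith("cid:")]
    remote = [u for u in collector.images if urlparse(u).scheme in ("http", "https")]
    links = [u for u in collector.links if urlparse(u).scheme in ("http", "https")]
    return embedded, remote, links


def executable_reason(filename, data):
    """Why an attachment should be treated as a program, or None.  The name
    is not trusted on its own: a Windows PE file begins with the bytes
    'MZ' whatever its extension claims."""
    if data[:2] == b"MZ":
        return "PE header (MZ) despite name %r" % filename
    if filename and filename.lower().endswith(EXECUTABLE_SUFFIXES):
        return "executable extension on %r" % filename
    return None


def same_org(host, domain):
    """True when host is the sender's domain or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def audit_message(raw):
    """Return a dict describing what displaying or opening the message would do."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    report = {"sender_domain": sender_domain, "executable_attachments": [],
              "embedded_images": [], "remote_images": [], "foreign_hosts": set()}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:  # an attachment of some kind
            reason = executable_reason(filename, part.get_payload(decode=True) or b"")
            if reason:
                report["executable_attachments"].append(reason)
        elif part.get_content_type() == "text/html":
            embedded, remote, links = html_references(part.get_content())
            report["embedded_images"] += embedded
            report["remote_images"] += remote
            for url in remote + links:  # hosts contacted the moment the mail is shown or clicked
                host = (urlparse(url).hostname or "").lower()
                if host and not same_org(host, sender_domain):
                    report["foreign_hosts"].add(host)
    return report


def build_sample():
    """Constructed sample (not a captured message): a 'patch' lure whose
    attachment is a PE file named .zip and whose logo is hosted elsewhere."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security Update <securityupdates@microsoft.example>"
    msg["To"] = "user@localhost"
    msg["Subject"] = "Urgent: install the attached security patch"
    msg.set_content("A new worm is spreading. Install the attached patch now.")
    msg.add_alternative(
        '<html><body><img src="http://logo.unrelated-host.example/ms.gif">'
        '<p>Install the attached patch. '
        '<a href="http://update.unrelated-host.example/">Details</a></p>'
        "</body></html>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="SecurityPatch.zip")
    return msg.as_string()


if __name__ == "__main__":
    for key, value in audit_message(build_sample()).items():
        print("%-24s %s" % (key, value))
```

Run against the constructed sample, the report flags the attachment because its first two bytes are the PE signature even though it is named `.zip`, lists the logo as a remote image rather than an embedded `cid:` one, and names both hosts that a mail client would contact on display or on click, neither of which belongs to the domain the `From` line claims. The `From` header is of course forgeable, so the host comparison only tells you that the message is inconsistent with itself; a message that passes it is not thereby trustworthy.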