Tibet Photos: A New Trick to Entice Potential Victims
Cyber criminals appear to be using the topic of Tibet repeatedly as a way into other people's computers. Tibet regularly receives press coverage about efforts to free it from Chinese rule, according to security software vendors McAfee and Sophos, as reported by Securitypronews on March 12, 2008.
Researchers from the two companies say that malware distributors may be exploiting this sentiment: they attach a collection of National Geographic photographs of 1940s-era Tibet so that the recipient is distracted while the infection takes place.
Sophos showed two striking photographs that arrived as a Compressed Help File (CHM) attachment in e-mail.
Describing the downloads, launches and connections taking place behind the screen, Sophos researcher Numaan Huq said that while users are busy viewing the pictures of Tibet, a number of things happen on their systems at the same time, as reported by Securitypronews on March 12, 2008.
Sophos researchers pointed out that the CHM file drops an executable named music.exe. This file in turn drops two more files, zipfldr.dll and conime.exe, and then deletes itself. The new files connect to a remote system, from which they download two further files, photos-downloaded1.exe and photos-downloaded2.exe. These downloaded files then connect to yet another remote system.
Sophos, which proactively detected the two downloaded files, identifies them as Mal/Emogen-AA and Mal/Emogen-Y. The remaining files are detected as Troj/CHMDrop-B. The malicious CHM file was sent out as spam in a targeted scam.
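The chain above (CHM viewer launches a dropper, the dropper writes two files and deletes itself, the dropped files beacon out and fetch a second stage) is the kind of sequence endpoint telemetry can correlate. The following is an added detection example, not code from Sophos, McAfee or this article. The event schema, the PIDs, paths and addresses are constructed sample values, and it assumes that `.chm` attachments are rendered by `hh.exe`, the Windows HTML Help viewer, so that an executable whose parent is `hh.exe` is the dropper candidate.

```python
"""Correlate the CHM dropper chain described in the article over endpoint telemetry.

Added example: the event schema below is this example's own construction, not
any vendor's format. Assumption: on Windows, .chm files are opened by hh.exe
(the HTML Help viewer), so an executable whose parent is hh.exe is the
dropper candidate. Paths, PIDs and addresses are constructed sample values.
"""

CHM_VIEWERS = {"hh.exe"}                       # assumption: process that renders .chm files
TEMP = r"C:\Users\victim\AppData\Local\Temp"   # constructed drop location
EXEC_SUFFIXES = (".exe", ".dll")

# Constructed telemetry modelled on the chain in the article: hh.exe drops
# music.exe, which drops zipfldr.dll and conime.exe and deletes itself; the
# dropped conime.exe connects out and fetches photos-downloaded1/2.exe, which
# in turn connect to a second host. The last event is benign noise: the real
# console IME has the same file name but is started by the OS, not by a CHM viewer.
SAMPLE_EVENTS = [
    {"event": "process_start", "pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe"},
    {"event": "file_write", "pid": 200, "path": TEMP + r"\music.exe"},
    {"event": "process_start", "pid": 300, "ppid": 200, "image": TEMP + r"\music.exe"},
    {"event": "file_write", "pid": 300, "path": TEMP + r"\zipfldr.dll"},
    {"event": "file_write", "pid": 300, "path": TEMP + r"\conime.exe"},
    {"event": "process_start", "pid": 400, "ppid": 300, "image": TEMP + r"\conime.exe"},
    {"event": "file_delete", "pid": 300, "path": TEMP + r"\music.exe"},
    {"event": "net_connect", "pid": 400, "dst": "203.0.113.10:80"},
    {"event": "file_write", "pid": 400, "path": TEMP + r"\photos-downloaded1.exe"},
    {"event": "file_write", "pid": 400, "path": TEMP + r"\photos-downloaded2.exe"},
    {"event": "process_start", "pid": 500, "ppid": 400, "image": TEMP + r"\photos-downloaded1.exe"},
    {"event": "net_connect", "pid": 500, "dst": "198.51.100.7:443"},
    {"event": "process_start", "pid": 600, "ppid": 50, "image": r"C:\Windows\System32\conime.exe"},
]


def basename(path):
    """File name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_process_table(events):
    """Group file-write, delete and network events under the process that produced them."""
    procs = {}
    for e in events:
        if e["event"] == "process_start":
            procs[e["pid"]] = {"image": e["image"], "ppid": e["ppid"],
                               "writes": [], "deletes": [], "connects": []}
    for e in events:
        p = procs.get(e["pid"])
        if p is None:
            continue
        if e["event"] == "file_write":
            p["writes"].append(e["path"])
        elif e["event"] == "file_delete":
            p["deletes"].append(e["path"])
        elif e["event"] == "net_connect":
            p["connects"].append(e["dst"])
    return procs


def descendants(procs, root_pid):
    """All PIDs below root_pid in the process tree (children, grandchildren, ...)."""
    found, stack = [], [root_pid]
    while stack:
        cur = stack.pop()
        for pid, p in procs.items():
            if p["ppid"] == cur and pid not in found:
                found.append(pid)
                stack.append(pid)
    return found


def detect_chm_dropper_chain(events):
    """One finding per executable launched by a CHM viewer, scored by how much of
    the chain (drop, self-delete, beacon, second-stage fetch) its subtree shows."""
    procs = build_process_table(events)
    findings = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if parent is None or basename(parent["image"]) not in CHM_VIEWERS:
            continue
        dropped = [w for w in p["writes"] if w.lower().endswith(EXEC_SUFFIXES)]
        self_deleted = basename(p["image"]) in {basename(d) for d in p["deletes"]}
        beacons, downloads = [], []
        for cpid in descendants(procs, pid):
            beacons.extend(procs[cpid]["connects"])
            downloads.extend(w for w in procs[cpid]["writes"] if w.lower().endswith(EXEC_SUFFIXES))
        score = 1 + bool(dropped) + self_deleted + bool(beacons) + bool(downloads)
        findings.append({"dropper_pid": pid, "dropper": p["image"], "dropped": dropped,
                         "self_deleted": self_deleted, "beacons": beacons,
                         "downloads": downloads, "score": score,
                         "verdict": "dropper chain" if score >= 4 else "suspicious launch"})
    return findings


if __name__ == "__main__":
    for f in detect_chm_dropper_chain(SAMPLE_EVENTS):
        print(f["verdict"], f["dropper"], "score", f["score"])
        print("  dropped:", [basename(x) for x in f["dropped"]])
        print("  beacons:", f["beacons"])
        print("  downloads:", [basename(x) for x in f["downloads"]])
```

The detection keys on process lineage rather than on file names on purpose: conime.exe and zipfldr.dll are also the names of legitimate Windows components (the console IME and the Compressed Folders shell extension), so a rule that matched on name alone would fire on the benign last event in the sample. Here the benign conime.exe is ignored because it was not started under a CHM viewer, while the dropped copy is scored through its parent, music.exe.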
Elodie Grandjean, a researcher at security company McAfee, laid out the infection process as a seven-step flowchart. Grandjean also noted another Tibet-related spam campaign in early March 2008, following the current Tibet-photo run, as reported by Avertlab on March 11, 2008.
Grandjean further said that both campaigns connected to the same remote servers and used the same malware, Spy-Agent.cp, a multi-component Trojan made up of an infostealer, a loader, a backdoor and an update installer.
Security researchers from both McAfee and Sophos therefore advise computer users to avoid attachments from strangers and to keep their security software up to date.
» SPAMfighter News - 19-03-2008