New Frontiers In Blended Threats

 
 
By Larry Seltzer  |  Posted 2003-07-21 Email Print this article Print
 
 
 
 
 
 
 

Big league spammers and the authors of Trojan horses and worms now have taken pages from each other's books. Security Supersite Editor Larry details the new threats you may have recently seen in your mailbox.



We all know about e-mail worms: youre infected and then copies are sent to everyone in your address book as well as to any other e-mail addresses the worm can find on your system. On the other hand, there are customer service scams, most of them seemingly from PayPal. These scams try to sucker you into fixing a problem that doesnt exist. What if these two methods got together?

Its not a major scientific combination like chocolate chips and cookies, but this weeks emerging threat is what Symantec calls Trojan.Download.Berbew. This advance in the hackers art caught my eye and you should keep your eyes peeled for it as well. Some friends of mine received it and asked my advice; I bet yours will too. Berbew does some interesting stuff. The more you understand how these attacks work the better a position youre in to protect yourself against them.

Berbew appears as a customer service message. Symantecs description includes messages from "Citibank Accounting" and "E-Loan Consumer Department" thanking the recipient for opening an account and stating that the account information is included in the attached document. My friend also got one that said it was from Wells Fargo.
As I hope you could guess by now, the attachment is actually a .PIF executable that launches its attack. Just for completeness, the core of the attack is to attempt to download and execute Backdoor.Berbew (to no surprise, Symantec declines to specify the download location, but I doubt the file is still there by now). The Trojan horse that it executes does some moderately sophisticated programming in its attempt to steal passwords and then to open up the system to remote hackers.

Incidentally, since I use Outlook 2002, which automatically blocks executable attachments, I couldnt have launched this particular attack. The same applies to Outlook 98 and Outlook 2000 users who have installed the Outlook Security Update, now probably 2 or 3 years old. Users of relatively recent versions of Outlook Express can also turn on this feature in Tools-Options on the Security tab by clicking "Do not allow attachments to be saved or opened that could potentially be a virus."

The Symantec write-up vaguely claims that Berbew was initially "spammed" into the wild. This would add a third leg to the table and more evidence of recent speculation that spammers and malicious code authors are sharing techniques.
Two recent stories illustrate how coders are taking this stuff to the next level:

First, theres the Sobig worms. Like many others, Sobig worms contain an SMTP engine so that they can propagate themselves without relying on the victims mail client. The series also had an odd characteristic that they were all time-bombed; Sobig.E, for example, died out on July 14. Some have speculated that the Sobig worm itself also sends out spam and even that it was created on contract. According to this theory, each variant is a new contract for fresh spam. The advantage to the spammer is that the spamming engines run on unsuspecting users computers. While I have yet to see any real evidence that this ever happened, its an intriguing possibility and makes it all the more essential that people block these attacks before they become infected.

Another example is the Trojan horse called Migmaf, which acts as a reverse proxy for pornography. This means that when the HTTP request is made, it is made through the unsuspecting infected system, hiding the true location of the data. The requests, so they say, usually come from the sort of porno-spam we all know too well. After the initial reports, the security industry declared that Migmaf attacks were actually quite rare. But the real danger could be in the future: Migmaf is a precursor of things to come and eventually these coders will get things right.

So, its not exactly the apocalypse, but these worms are not good news. The evildoers—hard at work ruining the Internet for the rest of us—have been refining their techniques and learning from each other. The good news, if you can call it that, is that the answer to these new threats is the same answer given to every other security threat in recent years: Use common sense! Be aware that this stuff is out there; keep your antivirus and other defensive software up-to-date; be skeptical of e-mail you receive; and be very, very skeptical of attachments. Follow these rules and your odds of being part of problem are very low indeed.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel