E-Mail Hoaxes Spread Latest Threats

Virus writers attempt to lure victims with phony news and celebrity gossip, but today's users are less likely to take the bait.

Celebrity trials and current events are again the vector for virus and malware writers hoping to infect distant computer systems.

This week, e-mails claiming Pope John Paul II was murdered, Michael Jackson has died, and Osama bin Laden has been captured all tempt recipients to open the attached file or link for details, which launches the W32/Kedebe-F worm.

First reported Tuesday by security firm Sophos Plc. in the United Kingdom, the worm disables security software and then creates its own messaging engine to spread itself via e-mail and peer-to-peer networks.

Sophos also said a separate e-mail scam appeared this week, which poses as a virtual postcard but in fact infects users with several Trojan horse programs that can record and pass on personal details and bank passwords.

Although the results can be devastating if a system is infected, for the most part the hoaxes use code that's been used previously, so users are protected if they have updated virus definitions and Microsoft Corp. patches.

"These aren't that much different in behavior from a lot of the others we see, and they're again using some sort of hook to get people to open them," said Ted Anglace, a senior security analyst in Sophos' Boston office. Anglace said enterprises could be a bit more vulnerable, as most do not typically use automatic updates from vendors, leaving a slight window in which systems can be infected.

The postcard e-mails tell recipients they've received a postcard and give a Web site link where the user can view the postcard. The site hosts the malicious code and installs the Clsldr-D Trojan and six others that can exploit Microsoft software vulnerabilities.

A third e-mail hoax purports to be a Microsoft Security Bulletin, encouraging users to immediately install the update, which spreads an SDBot variant, potentially giving attackers full unauthorized access to the computer.

The SDBot is designed to help establish botnets, which can be used to send spam or launch distributed denial-of-service attacks against corporations and Web sites. Security firm Websense Inc. reported the scam Tuesday as well.

Social engineering scams have long been a favorite tool of virus writers hoping to create widespread havoc. Mentioning everything from the FBI to famous figures like Paris Hilton and Anna Kournikova, the hoaxes often prey on the fears, desires and popular-culture interests of computer users to draw them into the scams.

And this is definitely not the first time Microsoft's name has been used to lure users. The company has been educating customers on how to identify false e-mails since at least 2003.

It appears that typical users are becoming a bit more savvy, as these latest threats aren't spreading wildly. Security experts also say most anti-virus vendors have updated their software to catch the malicious code before it can be installed. And, as always, experts recommend that users run the latest anti-virus software from their respective vendors.

"Have people gotten smarter?" Anglace said. "Sure, but it's a cat and mouse game with virus writers constantly trying new tricks and going back to old ones that worked before."

Anglace said technology vendors have also gotten more proficient at catching most of these viruses and malware earlier, which is helping to thwart the massive propagation that would've certainly occurred if threats like these had gone around just a few years ago.
