New Frontiers In Blended Threats

Big league spammers and the authors of Trojan horses and worms now have taken pages from each other's books. Security Supersite Editor Larry details the new threats you may have recently seen in your mailbox.

We all know about e-mail worms: youre infected and then copies are sent to everyone in your address book as well as to any other e-mail addresses the worm can find on your system. On the other hand, there are customer service scams, most of them seemingly from PayPal. These scams try to sucker you into fixing a problem that doesnt exist. What if these two methods got together?

Its not a major scientific combination like chocolate chips and cookies, but this weeks emerging threat is what Symantec calls Trojan.Download.Berbew. This advance in the hackers art caught my eye and you should keep your eyes peeled for it as well. Some friends of mine received it and asked my advice; I bet yours will too.

Berbew does some interesting stuff. The more you understand how these attacks work the better a position youre in to protect yourself against them.

Berbew appears as a customer service message. Symantecs description includes messages from "Citibank Accounting" and "E-Loan Consumer Department" thanking the recipient for opening an account and stating that the account information is included in the attached document. My friend also got one that said it was from Wells Fargo.

As I hope you could guess by now, the attachment is actually a .PIF executable that launches its attack. Just for completeness, the core of the attack is to attempt to download and execute Backdoor.Berbew (to no surprise, Symantec declines to specify the download location, but I doubt the file is still there by now). The Trojan horse that it executes does some moderately sophisticated programming in its attempt to steal passwords and then to open up the system to remote hackers.

Incidentally, since I use Outlook 2002, which automatically blocks executable attachments, I couldnt have launched this particular attack. The same applies to Outlook 98 and Outlook 2000 users who have installed the Outlook Security Update, now probably 2 or 3 years old. Users of relatively recent versions of Outlook Express can also turn on this feature in Tools-Options on the Security tab by clicking "Do not allow attachments to be saved or opened that could potentially be a virus."

The Symantec write-up vaguely claims that Berbew was initially "spammed" into the wild. This would add a third leg to the table and more evidence of recent speculation that spammers and malicious code authors are sharing techniques.

Two recent stories illustrate how coders are taking this stuff to the next level:

First, theres the Sobig worms. Like many others, Sobig worms contain an SMTP engine so that they can propagate themselves without relying on the victims mail client. The series also had an odd characteristic that they were all time-bombed; Sobig.E, for example, died out on July 14.

Some have speculated that the Sobig worm itself also sends out spam and even that it was created on contract. According to this theory, each variant is a new contract for fresh spam. The advantage to the spammer is that the spamming engines run on unsuspecting users computers. While I have yet to see any real evidence that this ever happened, its an intriguing possibility and makes it all the more essential that people block these attacks before they become infected.

Another example is the Trojan horse called Migmaf, which acts as a reverse proxy for pornography. This means that when the HTTP request is made, it is made through the unsuspecting infected system, hiding the true location of the data. The requests, so they say, usually come from the sort of porno-spam we all know too well. After the initial reports, the security industry declared that Migmaf attacks were actually quite rare. But the real danger could be in the future: Migmaf is a precursor of things to come and eventually these coders will get things right.

So, its not exactly the apocalypse, but these worms are not good news. The evildoers—hard at work ruining the Internet for the rest of us—have been refining their techniques and learning from each other.

The good news, if you can call it that, is that the answer to these new threats is the same answer given to every other security threat in recent years: Use common sense! Be aware that this stuff is out there; keep your antivirus and other defensive software up-to-date; be skeptical of e-mail you receive; and be very, very skeptical of attachments. Follow these rules and your odds of being part of problem are very low indeed.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.