Talk About Network


Be Careful - 'Free Tibet' Message Masks Rootkit Malware

by chatnoir <wolfbat359a@[EMAIL PROTECTED] > Apr 22, 2008 at 11:39 AM

http://www.technewsworld.com/story/62679.html

'Free Tibet' Message Masks Rootkit Malware


By Andrew K. Burger
TechNewsWorld
04/22/08 4:00 AM PT

Watch out if you receive an e-mail with a Flash animation ridiculing a
Chinese gymnast and calling for a free Tibet. It's likely the
entertaining little clip is hiding a piece of malware that will log
your keystrokes. Security experts are warning that malware creators
are taking advantage of the news coverage of the Tibet freedom
protests to get you to let your guard down.


Malware creators are taking advantage of the controversy over the
upcoming Olympic Games to spread their wares for illicit financial
gain. Latching onto the Free Tibet political demonstrations that have
spread around the world, would-be thieves have embedded a piece of
rootkit malware that logs keystrokes in an executable Flash movie
file called "RaceForTibet."

IT security experts have issued alerts warning people to be extra
cautious when clicking on links that download executable files from
Web sites, as well as opening unsolicited e-mails from unknown
senders.


Putting the Word Out

Experts at McAfee warned a little over a week ago that malware
creators were hacking into pro-Tibet Web sites and infecting them with
malware that could then be injected into site visitors' PCs.

A Trojan dubbed "Fribet" with sophisticated features that enabled it
to access end users' databases had been embedded in hacked Web sites
and subsequently downloaded to site visitors' PCs by exploiting a
Windows vulnerability.

The "RaceForTibet" rootkit malware surreptitiously installs a
keystroke logger on end users' PCs once they open the Flash movie
file, which uses a cartoon to mask its malware payload. The captured
data is reportedly sent to a computer in China. The cartoon ridicules
the effort of a Chinese gymnast and then displays images supporting a
free Tibet.

The latest round of malware discoveries exploiting the attraction of
high-profile international news and events further defines a trend
that has been in the making for quite some time, one that relies on
the most basic social engineering as well as the growing use of
multimedia files, the growing popularity of social networks and the
latest wrinkles in malware delivery mechanisms. They also add to the
ballooning body of evidence that today's malware creators are in it
for the money.

A Growing Trend

"In the very early days of viruses we saw examples of politically
motivated malware. The 'Stoned' virus displayed a marijuana leaf and
had a message about legalizing marijuana. In the past, the reason for
using viruses was because they spread ... it helps get the message
out," recounted Randy Abrams, director of technical education at
security specialist ESET. "A politically motivated virus is not likely
to include a damaging payload as that would not help generate sympathy
for the cause. Additionally, in the early days most people had not
figured out how to monetize malware."

That's all changed, however. It wouldn't make sense for authentic
pro-Tibet advocates to send out malicious software with a pro-Tibet
message. Though there are likely to be some pro-China proponents that
would view such an effort positively, it doesn't make good sense for
them either, Abrams pointed out.

"The problem is that there are enough people sophisticated enough to
assume it was a ruse by the pro-China faction, and this cannot escape
notice by those folks. Most intelligent people on the pro-China side
would realize the high potential for such malware to make them look
bad," he theorized.

To Abrams' mind, this leaves the cybercriminal element as the most
probable perpetrator of malware attacks such as the RaceForTibet Flash
movie-keylogger and Fribet Trojan.

"This leaves the same criminal element that sends fake e-cards, fake
**** videos, and uses other social engineering attacks. The criminals
who are trying to engage in identity theft and financial theft don't
really care who looks good or bad," he told TechNewsWorld.

More to Come

Plugged into the ever-expanding global media machine, cybercriminals
have a wealth of subjects that can serve as masks for their malware
attacks. "The criminals are watching the news. Anything newsworthy is
social-engineering worthy," Abrams warned.

"The one political attack I have seen involved a spam run that
appeared to come from one of the presidential candidates a few months
ago. A candidate's server was hacked and the spam sent to make them
look bad. In this case there was no attempt to infect computers or
steal money, though.

"It really isn't so much about politically-charged events as it is
about anything that is big news.
Since politics is often big news, it will be used as part of social
engineering attacks. The fallout, aside from theft, is that some
groups will be tarnished by actions not associated with them. They are
collateral damage and not even likely to be considered by the actual
malware authors."
 



