Don't open any 'storm' attachments - or other socially engineered gems as "U.S. Secretary of State Condoleezza..." and "A killer at 11, he's free at 21 and..."

For readers following European weather, you know that hurricane force winds have battered Europe, killing many (also here). Into this breach poured a botnet Trojan masquerading as a storm update. It spread rapidly across Europe but by the time it hit the US in significant numbers, the major AV vendors had added it to their watch list. But many individuals live in a highly connected world and so had already received the tainted traffic from Europe.

In the US, the storm worm is circulating under titles referring to SecState Rice and murdering juveniles. The worm's key, especially in its storm and Rice variants, is its close coupling to current events. You WANT to click that link...

Johannes Ullrich, chief technology officer of the SANS Institute, said that virus writers capitalizing on current media events is not necessarily unique to the Storm Worm. He pointed out that a Saddam-related virus began to spread in the wake of the former dictator's execution. That virus popped up in e-mail inboxes only two days after his death with what appeared to be video of his hanging... [Virus] writers have begun responding more quickly to top news headlines, rather than using sex and celebrity as a means to ensure their viruses get activated.

An easy prediction and two observations:

  1. Bank on the next major storm or shattering political event in the US to see this Trojan re-released here, but with a different signature.
  2. THINK BEFORE you click! If something is clearly designed to short-circuit your good judgment, your suspicion is probably right.
  3. Remember that you already have news feeds that are unlikely to be taken over by spoofers. Use them, not something that you get in an attachment. Even from me.

As I was adapting this item from an earlier internal note to colleagues and clients, the prediction quickly came true:

Joining only two previous states, the US and USSR, the PRC "successfully carried out its first test of an antisatellite weapon" by downing "an aging Chinese weather satellite" in low earth orbit - the same orbit that many US reconnaissance satellites inhabit. With a potential "antisatellite arms race" in the offing, we shortly received two satellite-related items on Friday evening:

Chinese missile shot down Russian satellite
Mathilda V. Lloyd [owol@planbgroep.nl]
Friday 19 January, 2007 19:42
No message save for attached file "video.exe"

Russian missle shot down USA satellite
participant [oxo@auto-letzi.ch]
Friday 19 January, 2007 23:07
No message save for attached file "Full Video.exe"

While Senator Mark Dayton (D-MN) is in the news as he leaves the Senate and mulls a run for governor, he is not dead. That did not prevent us from receiving, on Saturday morning, two notes with the same title and different apparent senders, claiming that terrorists had attacked the Supreme Court and that Dayton was dead:

The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
Carroll Cordelia [yfonpk@mpanell.com]
Friday 20 January, 2007 06:09
No message save for attached file "Read More.exe"

The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
Woodard Olivia [jccig@twisted-wonderland.com]
Friday 20 January, 2007 06:10
No message save for attached file "Full Text.exe"

And on Saturday evening, this misspelled item:

The commander of a U.S. nuclear submarine lunch the rocket by mistake.
Alexander [jpvyzc@improve-knit.com]
Friday 20 January, 2007 20:43
No message save for attached file "Read News.exe"

All had that sense of urgency and great events. All had the worm payload. See Déjà vu and A rather significant outbreak.
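Every item quoted above shares one structural shape: an empty message body and a single executable attachment carrying a news-style name. That shape can be caught at the mail gateway before anyone is tempted to click. The following triage routine is an added example, not code from the original post; the sample messages it builds are constructed to mimic the quoted items, and the sender addresses are placeholders.

```python
"""Flag inbound mail that looks like the Storm items: executable attachment,
no body text. Added example; sample messages are constructed, not real captures."""
import email
from email.message import EmailMessage
from email.policy import default

# File types Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def triage(raw: bytes) -> dict:
    """Return the structural warning signs found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=default)
    body_text = ""
    exe_attachments = []
    for part in msg.walk():
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            # The last suffix decides what Windows executes ("Read More.exe").
            if any(name.endswith(ext) for ext in EXECUTABLE_EXTS):
                exe_attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    return {
        "subject": str(msg["subject"]),
        "exe_attachments": exe_attachments,
        "empty_body": not body_text.strip(),
        # Executables are blocked outright; the empty body is extra evidence
        # that the subject line alone is meant to do the persuading.
        "quarantine": bool(exe_attachments),
    }


def build_sample(subject: str, sender: str, filename: str, body: str = "") -> bytes:
    """Construct a message shaped like the quoted items (placeholder sender)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "reader@example.com"
    m["Subject"] = subject
    m.set_content(body)
    # Constructed stub bytes standing in for the attachment; not a real binary.
    m.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                     subtype="octet-stream", filename=filename)
    return bytes(m)
```

Run `triage(build_sample("Chinese missile shot down Russian satellite", "sender@example.net", "video.exe"))` to see the quoted pattern flagged; a message with a real body and a non-executable attachment passes.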

New 'Storm Worm' Pummels PCs, by Lindsay Martell, Newsfactor.com, January 20, 2007, 10:00 AM

'Storm Worm' rages across the globe, by Dawn Kawamoto, CNET News.com, published on ZDNet News, January 19, 2007, 8:15 AM PT

Hurricane-Force Winds Hit Northern U.K.: Hurricane-Force Winds and Heavy Downpours Hammer Northern Europe, Killing 27 People, by Danica Kirka and Raphael G. Satter, AP/ABC News, London, January 19, 2007

Europe reels as storms kill at least 47, AP/CNN, posted 1:28 p.m. EST, January 19, 2007

Flexing Muscle, China Destroys Satellite in Test, by William J. Broad and David E. Sanger, New York Times, January 19, 2007

Déjà vu, Authentium Virus Blog, Authentium Malware Information Exchange Portal, January 19, 2007

A rather significant outbreak, Authentium Virus Blog, Authentium Malware Information Exchange Portal, January 18, 2007

Gordon Housworth
