April 15, 2006

Social Engineering and Spyware
Imagine receiving an email message that begins as follows:
Subject: Your computer is infected
From: Microsoft Corporation
Date: Sat, 15 Apr 2006 00:58:40 -0700 (PDT)
Your Computer is Infected with Spyware!
Please make updates to your antivirus.
After that comes some marketing blah blah about a product called TrustSoft AntiSpyware. You are then urged to "click here" to "be redirected to the TrustSoft AntiSpyware product page." Unless you look into the source code of the email message, you probably won't see the URL that you'll visit by "clicking here":
That link is directly to a Windows executable file, which will either download or run on your machine (depending on your settings and dialog box choices). My source for evaluating malware is not working at the moment, so I can't definitively tell you which piece of garbage this Setup.exe file is. I'll append an update if I find out more.
This email message is intriguing for a couple of reasons.
First, whatever the initial payload is, it is not being served directly from TrustSoft's Web site. Instead, somebody has hijacked a Web site in much the same manner that so many Web sites around the world get hijacked to host phishing pages and identity data capture software. The dead giveaway is the use of directory names that begin with a period. Directories with these names probably would not show up in directory listings viewed by the site's owner. Phishing hijackers do this all the time, making it difficult for less-than-geeky Web site administrators to even believe that their sites have been compromised.
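As an added defensive illustration (not part of the original post), the check below pulls every link out of an HTML mail body and flags the three tells the post describes: a link that points straight at an executable, hidden dot-directories in the path, and visible link text that names a host other than the one actually linked. The sample message and its host and path are constructed placeholders, not the real campaign's URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample in the style of the message the post describes; the host
# and path are placeholders, not the real campaign's URL.
SAMPLE_EMAIL_HTML = """
<p>Your Computer is Infected with Spyware!</p>
<p>Please make updates to your antivirus.</p>
<p><a href="http://hijacked.example/.tmp/.x/Setup.exe">click here</a> to be
redirected to the TrustSoft AntiSpyware product page.</p>
<p><a href="http://hijacked.example/.x/">www.trustsoft.example</a></p>
"""
# File types Windows runs when the user accepts a browser download prompt
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi")

class _LinkCollector(HTMLParser):
    # Collect (href, visible link text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def flag_links(html):
    # Return {href: [reasons]} for links a mail filter should flag
    parser = _LinkCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        url = urlparse(href)
        reasons = []
        if url.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("links directly to an executable")
        if any(p.startswith(".") for p in url.path.split("/") if p):
            reasons.append("path uses hidden dot-directories")
        # Visible text looks like an address but names a different host
        if text.lower().startswith(("http", "www.")) and (url.hostname or "") not in text:
            reasons.append("visible text names a different host")
        if reasons:
            findings[href] = reasons
    return findings
```

Run against the sample, the "click here" link trips both the executable and dot-directory checks, and the second link trips the dot-directory and host-mismatch checks.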
Second, at this point, it's hard to know if this spamming campaign is being done by a TrustSoft affiliate (who is breaking numerous CAN-SPAM law provisions), or if it's someone simply abusing the TrustSoft name in the email message to spread some completely unrelated chunk of malware. TrustSoft has, in the past, run afoul of U.S. law, which makes it an easy target for a Joe Job.
But let's just take another look at this message through the eyes of an unsuspecting and non-technical email user. You've probably heard that spyware is bad ("mmkay"). And here you get a message that says it's from Microsoft advising you that your computer is infected. "Oh dear," you say, "I'd better click the link to get a free download of this antispyware program!"
Click, you're dead.
UPDATE: Analysis of the payload reveals it to be a Trojan that uses Internet Relay Chat (IRC) channels to communicate with its "controllers." The precise activity that your PC would be called upon to do would be up to the controller du jour, but likely one or more of the following: keylogging, spam relay, adware, email address harvesting.

Posted on April 15, 2006 at 10:40 AM