February 20, 2007Another "Drive-By" Malware Infection Plot
From what I've seen in movies and on the local news, a "drive-by" shooting usually means that the shooter is the one doing the driving, while the victim is stationary. But in the PC malware world, a "drive-by" means that the victim does the driving—driving right into a web site that then silently loads bad, bad, bad software into the visitor's computer.
The Internet Storm Center relayed a report of email messages claiming to be news items about the Australian Prime Minister suffering a heart attack. Such an email message has a link that the recipient is meant to follow. This email attack became sufficiently widespread for the Australian Computer Emergency Response Team to issue an alert about this event.
Today, a couple of these messages found their way to my server, but with new destination URLs in Hong Kong. The domains were registered only a few days ago, and the URLs are to the root address, suggesting to me that the domains and sites were created explicitly for this attack.
If you were tricked into clicking the link and visited the site, you see the following message on the screen:
502 Service Temporarily Overloaded
Server congestion; too many connections; high traffic.
Keep trying until the page loads. This can be a common occurrence at peak news times.Also try to shutdown your firewall and antivirus software.
It's no mistake or server overload: That is the page you were intended to see. What the casual visitor won't see is that this very page contains a Visual Basic Script (VBScript) program that loads software onto your computer. If the visitor sees the above text in his or her Internet Explorer (for Windows) browser, the script has already run. According to the AUSCERT item, most antivirus products don't yet catch the bad stuff as it is being installed. The advice on the page to try again after turning off your firewall and antivirus software is extra cruel.
I don't know how many Americans know who John Howard is (although he made the news here last week) or would care enough about the Australian Prime Minister to follow the link, but what if the item substituted George W. Bush as the heart attack victim? How many people (who love him or hate him) would rush to click on that link?
This is serious, folks. Very serious. The criminals are working faster than the Good Guys. To bridge the gap, we've got to train the world's email users not to click on links arriving in messages from unknown sources.Posted on February 20, 2007 at 12:01 PM