University of Colorado at Boulder    
Information Technology Services

IT Security Topic — Phishing


Don't Click that Link!

A new variety of e-mail mischief has been arriving in some inboxes.

In the past, a worm outbreak typically consisted of an urgent, often alarming, e-mail message accompanied by an attachment that you would be directed to open. But what if an infection could reach your machine without any malicious code for a virus scanner or mail filter to catch? That is exactly what has begun to happen with the new MyDoom variants some of us saw last week.

First, a word about worm and virus naming conventions. There is not yet a universally accepted taxonomy - different vendors may call a worm by different names. So, you might see a strain of Mydoom also called Bofra. Symantec lists the following names for W32.Mydoom.AH.mm: W32/Mydoom.ah@MM [McAfee], WORM_MYDOOM.AH [Trend Micro], W32/Bofra-B [Sophos], MyDoom.AH [F-Secure], Win32.Mydoom.AG [Computer Associates], W32/MyDoom.AH@mm [Norman], I-Worm.Mydoom.ad [Kaspersky].

What we are discussing is a variant that carries no attachment but contains an urgent message directing you to click on an Internet address. The specific message we saw (used by more than one version of the new Mydoom) looked like this: "Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days. To see details please click this link."

Clicking the link would contact a previously infected machine that this worm had turned into a malware server, from which the actual worm code would then be installed on your machine. Your machine would then become such a server too, and the worm would search for e-mail addresses on your machine and mail itself out to everyone it could find. Previous versions of this technique relied on a fixed server set up by the worm writers to hand out the malicious code, but this new process is dynamic, making a malware server out of every machine the worm infects.

According to the security firm Clearswift, not only is there no attachment, but the e-mail contains no malicious HTML code. Thus, there is little material to be analyzed, making it hard to filter out. And, because the method of spreading does not rely on a central source for malicious code, there is no single malware server to block - every infected machine becomes a malware server. A final note of alarm is that this technique exploits proof-of-concept code that was posted to the Full Disclosure security list just seven days previously. That's how fast the creators of malicious exploits are working!
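Even when a message carries no attachment and no malicious HTML, the combination described above (a claimed brand, urgent money wording, and a link that does not point to that brand) is still something a mail filter can score. The following Python is an added illustration, not code from ITS or from any vendor; it assumes the malicious link points to a bare IP address, which this article does not state, and treats only paypal.com as legitimate for PayPal.

```python
import re
import ipaddress
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# Wording that pressures the reader to act immediately (assumed list, not exhaustive).
URGENCY_RE = re.compile(
    r"\b(charged|suspended|verify|click this link|within \w+ business days)\b",
    re.IGNORECASE,
)
# Brands a message may claim, mapped to the domains they legitimately use (assumption for the example).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

def host_is_ip_literal(host):
    """True when the link host is a raw IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_matches(host, allowed):
    """True when host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def assess_message(body):
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    brands = [b for b in BRAND_DOMAINS if b in body.lower()]
    urls = URL_RE.findall(body)
    for url in urls:
        host = urlparse(url).hostname or ""
        if host_is_ip_literal(host):
            findings.append(f"link to raw IP address: {host}")
        for brand in brands:
            if not domain_matches(host, BRAND_DOMAINS[brand]):
                findings.append(f"message mentions {brand} but links to {host}")
    if brands and urls and URGENCY_RE.search(body):
        findings.append("urgent charge/account wording combined with a link")
    return findings

# Constructed sample modelled on the message quoted above; 192.0.2.10 is a documentation address.
SAMPLE = ("Congratulations! PayPal has successfully charged $175 to your credit card. "
          "Your order tracking number is A866DEC0, and your item will be shipped within "
          "three business days. To see details please click this link: http://192.0.2.10/account/details")
LEGIT = "Your PayPal receipt is available at https://www.paypal.com/receipt"

if __name__ == "__main__":
    for finding in assess_message(SAMPLE):
        print("SUSPICIOUS:", finding)
    print("legitimate sample findings:", assess_message(LEGIT))
```

The constructed sample produces three findings (raw IP link, brand/link mismatch, urgency plus link), while the legitimate sample produces none.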

Now for the good news. The message this exploit used made it look just like a phishing attempt to get your PayPal account information. Because everyone has become so savvy about phishing, most people assumed that this was another phishing incident, ignored it, and little damage was done. That won't always be the case, of course. Still, this was a classic attempt to alarm the recipient and overwhelm their normal caution with emotional urgency. That is something we can defend ourselves against no matter what the worm writers come up with. As long as an exploit requires our cooperation, but we don't cooperate, then our caution becomes an effective layer of defense, even if other layers of defense are breached.

What we can do as worm and virus technology advances is to continue to pay attention to security threats and trends, and to always be suspicious of unexpected e-mail.

Get Help

IT Service Center
303-735-4357 (5-HELP)
security@colorado.edu


Last reviewed: August 31, 2009