By Andrew K. Burger TechNewsWorld Part of the ECT News Network
04/22/08 4:00 AM PT
Watch out if you receive an e-mail with a Flash animation ridiculing a Chinese gymnast and calling for a free Tibet. It's likely the entertaining little clip is hiding a piece of malware that will log your keystrokes. Security experts are warning that malware creators are taking advantage of the news coverage of the Tibet freedom protests to get you to let your guard down.
Malware creators are taking advantage of the controversy over the upcoming Olympic Games to spread their wares for illicit financial gain. Latching onto the Free Tibet political demonstrations that have spread around the world, would-be thieves have embedded a piece of rootkit malware that logs keystrokes in an executable Flash movie file called "RaceForTibet."
IT security experts have issued alerts warning people to be extra cautious when clicking on links that download executable files from Web sites, as well as opening unsolicited e-mails from unknown senders.
Putting the Word Out
Experts at McAfee warned a little over a week ago that malware creators were hacking into pro-Tibet Web sites and infecting them with malware that could then be injected into site visitors' PCs.
A Trojan dubbed "Fribet" with sophisticated features that enabled it to access end users' databases had been embedded in hacked Web sites and subsequently downloaded to site visitors' PCs by exploiting a Windows vulnerability.
The "RaceForTibet" rootkit malware surreptitiously installs a keystroke logger on end users' PCs once they open the Flash movie file, which uses a cartoon to mask its malware payload. The captured data is reportedly sent to a computer in China. The cartoon ridicules the effort of a Chinese gymnast and then displays images supporting a free Tibet.
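The RaceForTibet file works because the recipient judges it by its name and the cartoon it plays, not by what the file actually is. The following is an added example, not code from the article or from any vendor quoted in it: it identifies an attachment by its header bytes (SWF files begin with FWS, CWS or ZWS; Windows executables begin with MZ) and flags executables hiding behind a Flash-movie name. The file names and header bytes in SAMPLES are constructed for illustration.

```python
# Added example, not from the article: flag an e-mail attachment that is named
# like a Flash movie but carries a Windows executable, the disguise the
# "RaceForTibet" file relies on. Sample names and header bytes are constructed.
from dataclasses import dataclass

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed / zlib / LZMA SWF
PE_MAGIC = b"MZ"                        # DOS stub that opens every PE executable
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

@dataclass
class Verdict:
    name: str
    actual: str        # format according to the file header, not the name
    suspicious: bool
    reason: str

def sniff(header: bytes) -> str:
    """Identify the container by its magic bytes, ignoring the file name."""
    if header.startswith(PE_MAGIC):
        return "pe-executable"
    if header[:3] in SWF_MAGICS:
        return "swf"
    return "unknown"

def check_attachment(name: str, header: bytes) -> Verdict:
    lower = name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    looks_like_swf = ".swf" in lower          # also catches "movie.swf.exe"
    actual = sniff(header)
    if actual == "pe-executable":
        if looks_like_swf or ext not in EXEC_EXTS:
            return Verdict(name, actual, True, "executable disguised as another file type")
        return Verdict(name, actual, True, "executable attachment from e-mail")
    if actual == "swf" and ext == ".swf":
        return Verdict(name, actual, False, "genuine Flash movie")
    return Verdict(name, actual, False, "no executable content detected")

# Constructed samples: a real SWF header, and a PE header under a Flash-like name.
SAMPLES = {
    "cartoon.swf": b"FWS\x0a" + b"\x00" * 12,
    "RaceForTibet.swf.exe": b"MZ\x90\x00" + b"\x00" * 12,
}

def scan(samples=SAMPLES) -> list:
    """Return one Verdict per sample attachment."""
    return [check_attachment(n, h) for n, h in samples.items()]

if __name__ == "__main__":
    for v in scan():
        print(f"{v.name}: {v.actual} -> {'SUSPICIOUS' if v.suspicious else 'ok'} ({v.reason})")
```

Mail gateways and endpoint scanners apply the same idea with a much longer magic table; the point is that the file name is attacker-controlled and the header is not.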
The latest round of malware discoveries exploiting the pull of high-profile international news and events further defines a trend that has been building for some time: one that relies on the most basic social engineering, combined with the growing use of multimedia files, the growing popularity of social networks and the latest wrinkles in malware delivery mechanisms. These discoveries also add to the ballooning body of evidence that today's malware creators are in it for the money.
A Growing Trend
"In the very early days of viruses we saw examples of politically motivated malware. The 'Stoned' virus displayed a marijuana leaf and had a message about legalizing marijuana. In the past, the reason for using viruses was because they spread ... it helps get the message out," recounted Randy Abrams, director of technical education at security specialist ESET. "A politically motivated virus is not likely to include a damaging payload as that would not help generate sympathy for the cause. Additionally, in the early days most people had not figured out how to monetize malware."
That's all changed, however. It wouldn't make sense for authentic pro-Tibet advocates to send out malicious software with a pro-Tibet message. Though there are likely to be some pro-China proponents that would view such an effort positively, it doesn't make good sense for them either, Abrams pointed out.
"The problem is that there are enough people sophisticated enough to assume it was a ruse by the pro-China faction, and this cannot escape notice by those folks. Most intelligent people on the pro-China side would realize the high potential for such malware to make them look bad," he theorized.
To Abrams' mind, this leaves the cybercriminal element as the most probable perpetrator of malware attacks such as the RaceForTibet Flash movie-keylogger and Fribet Trojan.
"This leaves the same criminal element that sends fake e-cards, fake porn videos, and uses other social engineering attacks. The criminals who are trying to engage in identity theft and financial theft don't really care who looks good or bad," he told TechNewsWorld.
More to Come
Plugged into the ever-expanding global media machine, cybercriminals have a wealth of subjects that can serve as masks for their malware attacks. "The criminals are watching the news. Anything newsworthy is social-engineering worthy," Abrams warned.
"The one political attack I have seen involved a spam run that appeared to come from one of the presidential candidates a few months ago. A candidate's server was hacked and the spam sent to make them look bad. In this case there was no attempt to infect computers or steal money, though.
"It really isn't so much about politically-charged events as it is about anything that is big news. Since politics is often big news, it will be used as part of social engineering attacks. The fallout, aside from theft, is that some groups will be tarnished by actions not associated with them. They are collateral damage and not even likely to be considered by the actual malware authors."