Xombe Trojan Spoofs Microsoft Patch To Steal Personal Info

A new Trojan horse computer program, which secretly steals personal information by tricking users into visiting a malicious Web site, is trying to duplicate the devious success of the Swen worm, which infected more than a million machines last September.

Known as "Xombe," the Trojan horse program mirrors Swen by masquerading as a critical update from Microsoft (Nasdaq: MSFT), advising users to visit a bogus Web site and install code that is actually a malicious program intended to steal users' personal data.

The new threat alludes to a trend that will be among the biggest risks to computer users this year -- Trojan horses -- as attackers secretly seek to take control of machines for activities such as denial-of-service (DoS) attacks or spam campaigns that can clog e-mail servers and congest the Internet.

Ken Dunham, iDefense malicious code director, told TechNewsWorld that although Xombe so far may have tricked only a handful of users and their computers, Trojans represent one more guerilla attack that he expects to see more of in 2004.

"The problem is that this is just one of thousands of Trojan attacks taking place," Dunham said. "Trojans are the underestimated enemy -- you don't realize it and you don't see it coming until it destroys something important to you."

Same Tactic, Different Tech

While Xombe is an attempt to repeat the success of Swen, which tricked users into visiting a spoofed site and downloading malicious code, it is not nearly as technically sophisticated as Swen was, security experts said.

MessageLabs CTO Mark Sunner told TechNewsWorld that Swen was a highly complex computer worm capable of "polymorphism" -- changing its identifying characteristics to avoid detection.

Dunham called Xombe a different beast than Swen. Technically, Xombe is a Trojan because it does not have a worm's ability to spread itself. Dunham said the two are technically miles apart. Still, he cautioned about the power of Trojans. "A lot of things are at risk with the Trojans -- and they're very powerful and trivial to use," he said.

It is only the attempt to dupe computer users -- a strategy sometimes called social engineering -- that makes Xombe a play on Swen's success, Dunham said.

Under the Radar

Dunham argued that the number of computers affected by Trojans is significantly underestimated by antivirus and other security experts, who might not be extremely focused on this threat because it is not as high profile as worm attacks.

While large worm outbreaks typically garner headlines, high numbers of Trojan attacks are quietly rounding up networks of "zombies" or "bots" -- terms used to describe compromised computers -- that could include hundreds of thousands of machines, according to Dunham.

"The problem is how many of these do we know about, how many don't we know about and how many are being investigated," he said. "You can have a bot system or network of several thousand very quickly."

Beyond Denial-of-Service Attacks

Once machines are compromised by a worm or Trojan, attackers no longer use them just for bragging rights and for DoS attacks to knock servers offline, but also for banking or identity theft, spamming or other financially motivated crimes.

Dunham said the zombie networks hijack computers for other purposes -- including setting up child pornography networks -- and indicated that Trojan attacks are on the upswing.

"Swen has encouraged virus writers everywhere to put the effort into creating official-looking e-mails and Web sites to fool users into executing a malicious attachment," he said. "This type of social engineering will only increase in 2004, as we have seen in this most recent Trojan attack."