Date: 18 August 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2006.0069 -- AUSCERT ALERT
[Win]
"John Howard tragedy" email attachment installs Torpig
credential stealing trojan
18 August 2006
===========================================================================
OVERVIEW:
AusCERT has received reports of a series of malicious emails falsely
reporting the death of Australian Prime Minister John Howard with a
variety of subject lines, including:
John Howard Tragedy
John howard funeral
John howard necrologue
John howard murder
John howard terrorism
Similar 'hooks' appear to be targeting at least Italy and the UK, with
messages reporting the assassination of those countries' government
leaders [1].
The emails include a zip attachment containing a malicious file which
installs a Torpig credential stealing trojan.
IMPACT:
This trojan steals personal data and in particular online banking
credentials.
Torpig (also known as Sinowal or Anserin) is a sophisticated
credential-capturing trojan which uses rootkit (stealth) techniques to
hide itself, can disable anti-virus products and can inject arbitrary
content into legitimate web pages. Further information on this malware
is available from anti-virus vendors [2].
MITIGATION:
Users should always be wary of any emails containing attachments.
System administrators may consider monitoring their proxy logs for, or
blocking access completely to, the following URLs, to which this Torpig
variant initiates connections:
h**p:// zhmbscwdgk, biz
h**p:// rafer71, com
h**p:// sacromento, net
h**p:// 81.95, 147.41
Note: the above URLs have been deliberately modified to avoid
accidental clicking as they are malicious.
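As an added example (not AusCERT's code), the following script turns the defanged indicators above into a blocklist, scans proxy log lines for contacts with them, and emits a matching squid.conf fragment. It assumes Squid's native access.log layout; the log lines are constructed samples, not real traffic, and the refanged strings are used only as hostnames to compare against, never as links.

```python
"""Match the network indicators from AL-2006.0069 against proxy logs.

Added example (not AusCERT's code). The indicators are copied in the
advisory's defanged form and refanged here; the log lines are constructed
samples in Squid's native access.log layout, not real traffic.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as the advisory prints them (deliberately defanged).
ADVISORY_INDICATORS = [
    "h**p:// zhmbscwdgk, biz",
    "h**p:// rafer71, com",
    "h**p:// sacromento, net",
    "h**p:// 81.95, 147.41",
]


def refang(indicator):
    """Undo the advisory's defanging: drop 'h**p:// ' and turn ', ' into '.'."""
    value = re.sub(r"^h\*\*p://\s*", "", indicator.strip())
    return value.replace(", ", ".").lower()


BLOCKLIST = [refang(i) for i in ADVISORY_INDICATORS]


def hosts_in_line(line):
    """Return the request host and the upstream peer from one Squid log line.

    Native Squid format: time elapsed client code/status bytes method URL
    ident hierarchy/peer type. CONNECT requests log 'host:port' with no scheme.
    """
    fields = line.split()
    if len(fields) < 9:
        return []
    url = fields[6] if "://" in fields[6] else "http://" + fields[6]
    hosts = []
    host = urlsplit(url).hostname
    if host:
        hosts.append(host.lower())
    peer = fields[8].split("/", 1)[-1].lower()
    if peer not in ("-", "") and peer not in hosts:
        hosts.append(peer)
    return hosts


def is_listed(host, blocklist=BLOCKLIST):
    """Exact match, or a subdomain of a listed domain (www.sacromento.net)."""
    return any(host == b or host.endswith("." + b) for b in blocklist)


def scan_log(lines, blocklist=BLOCKLIST):
    """Return (client, matched host, URL) for every line touching an indicator."""
    hits = []
    for line in lines:
        for host in hosts_in_line(line):
            if is_listed(host, blocklist):
                fields = line.split()
                hits.append((fields[2], host, fields[6]))
                break
    return hits


def squid_acl(blocklist=BLOCKLIST, name="torpig_c2"):
    """Emit squid.conf lines blocking the indicators (dst for IPs, dstdomain for names)."""
    out = []
    for entry in blocklist:
        try:
            ipaddress.ip_address(entry)
            out.append(f"acl {name} dst {entry}")
        except ValueError:
            out.append(f"acl {name} dstdomain .{entry}")
    out.append(f"http_access deny {name}")
    return out


# Constructed sample log: one benign request, three contacts with the
# indicators (including a CONNECT to the bare IP), and one look-alike host
# that must not match because the suffix check is anchored at a dot.
SAMPLE_LOG = """\
1155859200.101    245 192.0.2.10 TCP_MISS/200 1843 GET http://www.example.com/index.html - DIRECT/203.0.113.1 text/html
1155859201.532    312 192.0.2.10 TCP_MISS/200 612 GET http://zhmbscwdgk.biz/gate.php?id=1 - DIRECT/81.95.147.41 text/html
1155859203.009    120 192.0.2.23 TCP_MISS/200 92 POST http://www.sacromento.net/cfg/cfg.bin - DIRECT/203.0.113.9 application/octet-stream
1155859205.771     88 192.0.2.42 TCP_MISS/200 0 CONNECT 81.95.147.41:443 - DIRECT/81.95.147.41 -
1155859207.250    201 192.0.2.10 TCP_MISS/200 5120 GET http://rafer71.com.example.net/ - DIRECT/203.0.113.5 text/html
""".splitlines()

if __name__ == "__main__":
    for client, host, url in scan_log(SAMPLE_LOG):
        print(f"{client} contacted {host}: {url}")
    print("\n".join(squid_acl()))
```

Matching on both the request host and the DIRECT peer catches CONNECT tunnels and requests that resolve to the listed IP under another name; the suffix check is anchored at a dot so a look-alike such as rafer71.com.example.net is not reported.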
DETAILS:
Emails received appear similar to:
----
Subject: John Howard Tragedy
From: <bbc.australia2006@bbc.com>
Latest BBC News: John Howard was killed by Israeli soldier, Lyvian
terrorist.
The Prime Minister Hon John Winston Howard
Born: 6 May 1953
KILLED: 16 August 2006
Biography
The Hon John Winston Howard was sworn in as Prime Minister of
Australia on 11 March 1996, becoming the 25th person to occupy the
office of Prime Minister since Federation. This followed the
Coalition's decisive Federal election
victory on 2 March 1996.
...
[a lengthy biography follows which appears to have been taken from
http://www.pm.gov.au/your_pm/biography.html]
----
The email contains a zip file attachment containing two files:
howard01.gif - a non-malicious picture of Australian Prime Minister
John Howard
howard02.pif - a malicious executable file
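The two-file layout above (a harmless picture beside a .pif executable) is the pattern a mail gateway can screen for. As an added example (not AusCERT's code), the following Python flags zip members by Windows-executable extension and by PE magic bytes; the zip it inspects is constructed in memory from placeholder bytes named after the members listed above, not the real attachment, and the extension list is this example's own choice.

```python
"""Screen a zip attachment for Windows-executable members.

Added example (not AusCERT's code). The zip is constructed in memory from
placeholder bytes named after the members the advisory lists; it is not the
real attachment.
"""
import io
import os
import zipfile

# Extensions Windows will run on double-click (this example's own list).
# .pif is included because Windows treats a .pif file as executable and
# will run a PE renamed to .pif, which is what this attachment relies on.
EXECUTABLE_EXTENSIONS = {
    ".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk",
}


def screen_zip(zip_bytes):
    """Map each member name to the reasons it looks dangerous (empty = clean).

    Only the first two bytes of each member are decompressed, so a large or
    deliberately inflated member cannot exhaust memory during screening.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if ext == ".zip":
                reasons.append("nested archive")
            with zf.open(info) as member:
                head = member.read(2)
            # A PE file renamed to an innocent extension still starts with MZ.
            if head == b"MZ":
                reasons.append("MZ (PE) header")
            findings[info.filename] = reasons
    return findings


def should_quarantine(zip_bytes):
    """True if any member is flagged; the whole attachment is held, not one file."""
    return any(screen_zip(zip_bytes).values())


def build_zip(members):
    """Build an in-memory zip from {name: bytes} (used only for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_zip():
    """Constructed stand-in for the attachment: a GIF header and a PE stub."""
    return build_zip({
        "howard01.gif": b"GIF89a" + b"\x00" * 16,
        "howard02.pif": b"MZ" + b"\x90" * 62,
    })


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, reasons in screen_zip(sample).items():
        print(f"{name}: {', '.join(reasons) or 'clean'}")
    print("quarantine:", should_quarantine(sample))
```

Checking the MZ header as well as the extension matters because the extension is attacker-controlled: the same payload shipped as howard02.gif would pass an extension-only filter but still be caught here.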
REFERENCES:
[1] http://www.sophos.com/security/analyses/trojdloadralm.html
[2] http://www.sophos.com/security/analyses/trojtorpigbf.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBROUb9Ch9+71yA2DNAQIcGgP7B9pic/MH6SgeLqZNGUDnhz0ugCa20Sol
pV/+X5VmAMmbtvME/Ly6Z73ZoalS71KRKRM4IBmn4kTIqR3RjWIr5dcPv5KT0DFZ
r0hRe+5fJJ/6Eb3vbB7KyCROOnXXs/VobNqSQFhumM+tCbe1PV2ClNMZDkilyYk/
S9LfD+7KLqY=
=bOYJ
-----END PGP SIGNATURE-----