A series of "Prime Minister " spam emails has lead to the infection of about 1,000 computers in Australia jeopardising the confidentiality and integrity of all personal data and passwords contained or entered on those computers.

Australia's national computer emergency response team, AusCERT first noticed the spam emails in circulation on Monday 19 February. Since then, further related spam emails using the Australian Prime Minister, John Howard, as the hook have continued to be released.

AusCERT issued a warning [1] to its members and the public about the threat on Monday, 19 February 2007. Analysis of the trojan malware has revealed that the trojan is capable of capturing keystrokes, passwords and private keys stored on the computer used for digital certificates, digital signatures and decryption.

"While compared to many virus and worm infections the infection rate may seem low, people need to understand this malware does not self-propagate", said Graham Ingram, AusCERT's general manager.

"The volume of infections in Australia therefore reflects the number of people who were fooled into clicking on the links in the spam email and who had computers which were vulnerable to infection because they had failed to keep their computer software such as the operating system and browser software patches up to date", he said.

"As such, these are serious compromises - the computers are now effectively controlled by overseas based criminals and will be used for illegal purposes at the owners' expense."

"It is concerning that when AusCERT first tested the malware sample it was not detected by most AV products. People therefore should not think that they can rely on anti-virus software as their only form of defence", he said.

AusCERT's analysis of the online attack shows that there are multiple separate pieces of malware associated with this infection. Each piece of malware performs a different function, including the ability to disable any security features on the computer such as anti-virus software and firewalls and rootkit features designed to hide evidence of the infection. This means that it may be extremely difficult, if not impossible, for the user to detect that they have been infected.

"While the spam email about the 'Prime Minister' seen on Monday and Tuesday seems to have captured the broad interest of the media in the last few days, people need to understand these types of attacks occur on a daily basis. If it is not a spam email about the PM, it is some other hook such as a false bad weather forecast, an environmental disaster or another unfortunate situation designed to raise a person's curiosity to click on the link", Mr Ingram said.

AusCERT, which has been monitoring various forms of online identity theft since early 2003, including phishing attacks and trojan attacks such as this, recommends users and organisations take appropriate steps to protect themselves. AusCERT has published a set of minimum security steps [2] to be taken to substantially reduce the risk of compromise.

"However, even then there is no room for complacency", Mr Ingram said.

"In the last six to eight months we have noticed a much greater use of zero-day exploits being used to compromise Internet-connected computers. This means that a user can have all their patches and anti-virus software up to date but - if they are fooled into clicking on a link such as this, they will still get infected and they won't know about it. However, this was not the case in this incident", he said.

[1] AL-2007.0026 -- [Win] -- "Prime Minister heart attack" trojan, http://www.auscert.org.au/7314

AU-2007.0006 -- AusCERT Update - [Win] - Variations on the "Prime Minister heart attack" trojan run, https://www.auscert.org.au/7318

[2] Protecting your computer from malicious code, http://www.auscert.org.au/3352