
With the London 2012 Olympics due to open in just a few days' time, the expected push by the bad guys has started. No, I don't mean the banning of Pepsi T-shirts from the Olympic Stadium lest they upset official sponsor Coke, nor the fact that nobody but McDonald's is allowed to sell chips, nor even the undemocratic powers handed to UK law enforcement to stop people using certain combinations of 'Olympic-related' words in their advertising. No, as if all that were not bad enough, the bad guys in question are the cyber-criminals looking to exploit the intense interest in London 2012 in order to distribute malware and steal data.


It's all too easy to let your guard down over which links you click when faced with the torrent of information surrounding an event such as the Olympic Games. The use of London 2012 themed content to distribute data-stealing malware is ramping up now, and is perhaps best exemplified by the campaigns using social media as their distribution channel. Take the as yet un-named Pushbot variant, undetected by the vast majority of antivirus solutions at the time of writing, which has been highlighted in a Polish CERT advisory (translated into English here) and uses Facebook, MSN and Skype as its attack vector. Obviously the folk behind this malware are serious about its money-making potential: the code is obfuscated to prevent easy, and therefore speedy, debugging by the security research labs, and all network traffic, including DNS queries, is encrypted to hinder traffic analysis and detection. That said, some are already calling this the cvc-v105 malware, after the HTTP User-Agent header string it sends.

The malware runs a three-step attack: chat messages and wall postings on Facebook, followed by a Skype message and then an MSN message for good measure. It's really trying to ring all the social media bells in one go, and your Facebook, MSN and Skype contacts are then used to spread the malware message further.

Anyone tempted to click a link in one of these messages downloads the malware, disguised as a JPG image. Click on what appears to be an image file and the application itself is installed. Once installed and running, the malware establishes its Command and Control server domain within the Windows DNS cache by sending a whole bunch of varied queries. This is quite clever: when that domain is requested again the answer comes from the local cache, so there is no evidence of which server was being used within the network traffic. Combine this with the encryption of the retrieved IP addressing and traffic analysis becomes very difficult indeed. The one consolation is that the seeding queries themselves do cross the wire, so resolver logs from around the time of infection are the place to look. All of which adds up to a long enough attack window for the bad guys to steal the data and make the money.

Websense Security Labs has a detailed analysis of the malware here, including screenshots of the code. In the meantime, to quote Sergeant Phil Esterhaus from Hill Street Blues: "let's be careful out there".


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
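The two observable traits the post above attributes to this Pushbot variant, the HTTP User-Agent string cvc-v105 and the burst of varied DNS queries used to seed the Windows cache, are exactly what a defender can hunt for in proxy and resolver logs, since the cache trick only hides the later lookups, not the seeding itself. The script below is an added example written for this page, not code from the post, the Polish CERT advisory or the Websense analysis; the log line format, the sample lines, the source and destination addresses and the 20-names-in-60-seconds threshold are all constructed assumptions.

```python
"""Hunt two traits of the cvc-v105 Pushbot variant in a combined DNS/HTTP log:
(1) any HTTP request whose User-Agent is exactly "cvc-v105", and
(2) a host that resolves an unusually large number of distinct names in a short
window (the DNS-cache seeding step). Log format and sample lines are constructed
for this example and are not a real product's format."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: "<iso-timestamp> <src-ip> <DNS|HTTP> <name-or-dest> ["<user-agent>"]"
LINE_RE = re.compile(r'^(\S+) (\S+) (DNS|HTTP) (\S+)(?: "([^"]*)")?$')

# Constructed sample. 10.0.0.5 fires 25 distinct lookups in 25 seconds, then beacons
# with the tell-tale User-Agent; 10.0.0.7 shows ordinary browsing. Addresses are
# RFC 5737 documentation ranges, chosen only for illustration.
SAMPLE_LOG = (
    [f"2012-07-24T10:00:{i:02d} 10.0.0.5 DNS c{i}.example.test" for i in range(25)]
    + ['2012-07-24T10:00:40 10.0.0.5 HTTP 198.51.100.7 "cvc-v105"']
    + [
        "2012-07-24T10:00:05 10.0.0.7 DNS www.example.org",
        "2012-07-24T10:03:10 10.0.0.7 DNS mail.example.org",
        '2012-07-24T10:03:11 10.0.0.7 HTTP mail.example.org "Mozilla/5.0 (Windows NT 6.1)"',
    ]
)


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, kind, value, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "type": kind, "value": value, "ua": ua}


def parse_log(lines):
    """Parse every line, silently dropping ones that do not fit the assumed layout."""
    return [r for r in (parse_line(line) for line in lines) if r]


def find_user_agent_hits(records, marker="cvc-v105"):
    """(src, destination, user-agent) for each HTTP record whose User-Agent equals the marker.
    Exact match keeps false positives down; relax to a substring test if variants appear."""
    return [
        (r["src"], r["value"], r["ua"])
        for r in records
        if r["type"] == "HTTP" and r["ua"] == marker
    ]


def find_dns_bursts(records, window=timedelta(seconds=60), threshold=20):
    """Per source host, slide a time window over its DNS queries and report the largest
    set of distinct names seen inside one window if it reaches the threshold.
    Returns {src: sorted list of names}. Threshold and window are tuning assumptions."""
    by_host = defaultdict(list)
    for r in records:
        if r["type"] == "DNS":
            by_host[r["src"]].append((r["ts"], r["value"]))
    hits = {}
    for src, events in by_host.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop queries that fell out of the window
            names = {name for _, name in events[start:end + 1]}
            if len(names) >= threshold and len(names) > len(best):
                best = names
        if best:
            hits[src] = sorted(best)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, names in find_dns_bursts(recs).items():
        print(f"{src}: {len(names)} distinct names in one window, e.g. {names[:3]}")
    for src, dst, ua in find_user_agent_hits(recs):
        print(f"{src} -> {dst} with User-Agent {ua!r}")
```

Treat the burst threshold as a starting point only: a single ad-heavy web page can pull in dozens of third-party names, so a burst on its own is noise. What makes it worth a look is the combination the post describes, a burst from a host that then talks HTTP with the cvc-v105 User-Agent, or a burst followed by the host never again querying the name it beacons to because the cache is answering.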

Last Post by LastMitch

The malware uses a three-step attack using chat messages and wall postings on Facebook, this is followed by a Skype message and then a MSN message for good measure. It's really trying to ring all the social media bells in one go. Your Facebook, MSN and Skype contacts are used to further spread the malware message.

It didn't really interrupt the games. It was a good Olympics. London was a good host.
