With the London 2012 Olympics due to open in just a few days' time, the expected push by the bad guys has started. No, I don't mean the banning of Pepsi T-shirts in the Olympic Stadium in case they upset official sponsor Coke, or the fact that nobody other than McDonald's is allowed to sell chips, or even the sweeping powers given to law enforcement in the UK to stop people using certain combinations of 'Olympic-related' words in their advertising. No, as if all that were not bad enough, the bad guys in question are the cyber-criminals looking to exploit the intense interest in the London 2012 event in order to distribute malware and steal data.


It's all too easy to let your guard down and slip up over which links you click when faced with a torrent of information surrounding an event such as the Olympic Games. The use of London 2012 themed content to distribute data-stealing malware is ramping up now, and is perhaps best exemplified by those using social media as the distribution channel. Take the as yet un-named Pushbot variant, undetected by the vast majority of antivirus solutions, which has been highlighted in a Polish CERT advisory (translated into English here) and which uses Facebook, MSN and Skype as the attack vector. Obviously the folk behind this malware are serious about its money-making potential: the code is obfuscated to slow down debugging by the security research labs, and all network traffic, including DNS queries, is encrypted to frustrate traffic analysis and detection. That said, some are already calling this the cvc-v105 malware, after the string it uses in its HTTP User-Agent header, and a fixed, unusual User-Agent is exactly the kind of indicator that proxy and web logs can be searched for.

The malware uses a three-step attack: chat messages and wall postings on Facebook, followed by a Skype message, and then an MSN message for good measure. It's really trying to ring all the social media bells in one go. Your Facebook, MSN and Skype contacts are then used to spread the malware message further.

Anyone tempted to click on a link in any of these messages downloads the malware, disguised as a JPG image. Click on what appears to be an image file, and the application itself is installed. Once installed and running, the malware seeds the Windows DNS cache with the command-and-control server's domain by sending a whole bunch of varied queries. This is quite clever: when that domain is requested again, the answer comes from the local cache, so there is no evidence in the network traffic of which server is being used. Combine this with the encryption of the retrieved IP addressing, and traffic analysis is made very difficult indeed. The cache itself is still evidence, though: on a suspect host, ipconfig /displaydns lists what the Windows DNS client currently holds, and the burst of unusual lookups that seeded it will have passed through your resolver logs on the way in. All of which adds up to a long enough attack window for the bad guys to steal the data and make the money.
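To make the two network-side indicators above concrete (the cvc-v105 User-Agent string, and the burst of varied DNS lookups used to seed the cache), here is an added example of a detection pass over log lines. It is not code from the article, the Polish CERT advisory or the Websense analysis. The log formats, IP addresses, hostnames, time window and threshold are all assumptions, the sample log lines are constructed, and the page only says that the User-Agent contains the string cvc-v105, not what the full header value is.

```python
"""
Toy detection pass for two indicators of the cvc-v105 Pushbot variant:
  1. an HTTP User-Agent containing "cvc-v105" (proxy log)
  2. one host resolving many distinct names in a short window (DNS log),
     i.e. the cache-seeding burst described in the article.
Added example; log formats, addresses, names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one request per line: client_ip method url "user-agent"
PROXY_LOG = """\
10.0.0.12 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0"
10.0.0.23 GET http://203.0.113.7/gate.php "cvc-v105"
10.0.0.12 GET http://static.example.net/logo.jpg "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0"
10.0.0.23 POST http://203.0.113.7/upload "cvc-v105"
10.0.0.31 GET http://www.example.org/ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 Chrome/20.0.1132.57"
"""

PROXY_RE = re.compile(r'^(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"\s*$')


def hosts_with_user_agent_marker(log_text, marker="cvc-v105"):
    """Client IPs whose User-Agent contains `marker` (case-insensitive substring).
    The exact header value is not given on the page; substring match is an assumption."""
    hits = set()
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m and marker.lower() in m.group("ua").lower():
            hits.add(m.group("ip"))
    return hits


def _make_dns_log():
    """Constructed DNS query log: 'timestamp client_ip qname' per line."""
    lines = []
    # Ordinary browsing from 10.0.0.12: three names spread over three minutes.
    for i, name in enumerate(["www.example.com", "static.example.net", "cdn.example.com"]):
        lines.append(f"2012-07-24T10:0{i}:00 10.0.0.12 {name}")
    # Cache-seeding burst from 10.0.0.23: 30 distinct names inside 30 seconds.
    for i in range(30):
        lines.append(f"2012-07-24T10:05:{i:02d} 10.0.0.23 host{i:02d}.lookups.example.org")
    lines.sort()  # interleave by time, as a collector would emit them
    return "\n".join(lines) + "\n"


DNS_LOG = _make_dns_log()
DNS_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<qname>\S+)\s*$')


def dns_lookup_bursts(log_text, window_seconds=60, threshold=20):
    """Map client IP -> largest number of distinct names it resolved inside any
    `window_seconds` window, keeping only clients at or above `threshold`."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts")).timestamp()
        per_client[m.group("ip")].append((ts, m.group("qname").lower()))

    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # distinct names in the window that opens at this query
            names = {q for ts, q in events[i:] if ts - start <= window_seconds}
            best = max(best, len(names))
        if best >= threshold:
            flagged[ip] = best
    return flagged


def suspicious_hosts(proxy_log=PROXY_LOG, dns_log=DNS_LOG):
    """Combine both indicators into {client_ip: [reasons]}."""
    reasons = defaultdict(list)
    for ip in hosts_with_user_agent_marker(proxy_log):
        reasons[ip].append("User-Agent contains cvc-v105")
    for ip, n in dns_lookup_bursts(dns_log).items():
        reasons[ip].append(f"{n} distinct DNS names resolved within 60s")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in sorted(suspicious_hosts().items()):
        print(ip, "->", "; ".join(why))
```

The User-Agent check is the cheap, high-confidence one; the DNS burst heuristic will also fire on legitimate software that resolves many names at once, so treat it as a lead to correlate with the proxy hit rather than a verdict on its own. Because the malware encrypts its traffic, these two log sources, plus the Windows DNS client cache on the host itself, are where the remaining evidence lives.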

Websense Security Labs has a detailed analysis of the malware here, including screenshots of the code. In the meantime, to quote Sergeant Phil Esterhaus from Hill Street Blues: "let's be careful out there".

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011, despite my life being far from over...

Member 949455


It didn't really interrupt the games. It was a good Olympics. London was a good host.