With the London 2012 Olympics due to open in just a few days' time, the expected push by the bad guys has started. No, I don't mean the banning of Pepsi T-shirts in the Olympic Stadium in case they upset official sponsor Coke, or the fact that nobody other than McDonald's is allowed to sell chips, or even the undemocratic powers given to law enforcement in the UK to stop people using certain combinations of 'Olympic-related' words in their advertising. No, as if all that were not bad enough, the bad guys in question are the cyber-criminals looking to exploit the intense interest in the London 2012 event in order to distribute malware and steal data.
It's all too easy to let your guard down and slip up over which links you click when faced with the torrent of information surrounding an event such as the Olympic Games. The use of London 2012 themed content to distribute data-stealing malware is ramping up now, and is perhaps best exemplified by those using social media as the distribution channel. Take the as yet unnamed Pushbot variant, undetected by the vast majority of antivirus solutions, which has been highlighted by a Polish CERT advisory (translated into English here) and which uses Facebook, MSN and Skype as its attack vectors. Obviously the folk behind this malware are serious about its money-making potential: the code is obfuscated to prevent easy, and therefore speedy, debugging by the security research labs, and all network traffic, including DNS queries, is encrypted to hinder traffic analysis and detection. That said, some are already calling this the cvc-v105 malware, courtesy of the HTTP User-Agent header string it uses.
The malware spreads in a three-step attack: chat messages and wall postings on Facebook, followed by a Skype message and then an MSN message for good measure. It's really trying to ring all the social media bells in one go. Your Facebook, MSN and Skype contacts are then used to spread the malware message further.
Anyone tempted to click on a link in any of these messages downloads the malware, disguised as a JPG image. Click on what appears to be an image file, and the application itself is installed. Once installed and running, the malware seeds the Windows DNS cache with the Command and Control server domain by sending a whole bunch of varied queries. This is quite clever, as it means that when that domain is requested again there is no evidence in the network traffic of which server is being used. Combine this with the encryption of the retrieved IP addressing, and traffic analysis is made very difficult indeed. All of which adds up to an attack window long enough for the bad guys to steal the data and make the money.
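Two of the indicators above lend themselves to a simple defender-side check: the "cvc-v105" User-Agent string and a download that is named as a JPG but is really a Windows executable. The script below is an added example, not code from the original post or from any of the labs mentioned; the proxy log format, the file bytes and the hostname are constructed for illustration.

```python
# Added detection example (not from the original post): flags the "cvc-v105"
# User-Agent string quoted above and a file named as a JPEG whose bytes are
# actually a Windows executable (PE files start with the DOS "MZ" header).
import re
from dataclasses import dataclass

# Indicator quoted in the post: the HTTP User-Agent used by the malware.
SUSPECT_USER_AGENT = "cvc-v105"

# Constructed proxy log lines: timestamp, client IP, method, URL, User-Agent.
SAMPLE_PROXY_LOG = """\
2012-07-23T10:01:02 10.0.0.12 GET http://example.invalid/olympics.jpg "Mozilla/5.0"
2012-07-23T10:01:09 10.0.0.12 GET http://example.invalid/check "cvc-v105"
2012-07-23T10:02:33 10.0.0.40 GET http://example.invalid/news.html "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

@dataclass
class Hit:
    timestamp: str
    client: str
    url: str
    reason: str

def find_suspect_user_agents(log_text: str) -> list[Hit]:
    """Return a Hit for every log line whose User-Agent contains the malware string."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, _method, url, ua = m.groups()
        if SUSPECT_USER_AGENT in ua:
            hits.append(Hit(ts, client, url, f"user-agent {ua!r}"))
    return hits

def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when a file named as a JPEG starts with the PE/DOS 'MZ' header
    instead of the JPEG start-of-image marker (FF D8)."""
    looks_like_jpeg_name = filename.lower().endswith((".jpg", ".jpeg"))
    return looks_like_jpeg_name and data[:2] == b"MZ"

# Constructed byte strings standing in for two downloaded files.
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12
FAKE_JPEG = b"MZ\x90\x00" + b"\x00" * 12   # executable served under an image name

if __name__ == "__main__":
    for hit in find_suspect_user_agents(SAMPLE_PROXY_LOG):
        print(hit)
    print(is_disguised_executable("photo.jpg", FAKE_JPEG))   # True
```

The magic-byte check catches the disguise regardless of what the link or the HTTP Content-Type claims, which is the point: the extension is attacker-controlled, the first two bytes of a PE file are not.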
Websense Security Labs has a detailed analysis of the malware here, including screenshots of the code. In the meantime, to quote Sergeant Phil Esterhaus from Hill Street Blues, "let's be careful out there".