Clever Virus Attack

Just received this e-mail message, with an attachment entitled "schneier@counterpane.com." The file is really an executable .com file, presumably one harboring a virus. Clever social engineering attack, and one I had not seen before.

From: ((some fake address))
To: schneier@counterpane.com
Subject: Message could not be delivered

Dear user schneier@counterpane.com,

Your email account has been used to send a huge amount of spam messages during the last week. Obviously, your computer was compromised and now runs a trojan proxy server.

Please follow our instruction in the attached file in order to keep your computer safe.

Virtually yours,
counterpane.com user support team.


Posted on November 1, 2004 at 11:44 AM • 15 Comments

Comments

Bryan Samis • November 1, 2004 12:26 PM

Virus writers seem to be getting more clever. There are fewer and fewer messages going around these days with the atrocious spelling and clearly forged layout that used to easily make viruses/hoaxes stand out from legitimate e-mail. Not that it's really necessary, since people still fall for the 419 scam...

The danger is that too many people rely on anti-virus products and not enough on their own intuition and knowledge. Just don't open ANY attachment you weren't expecting!

Lorrin Nelson • November 1, 2004 1:16 PM

"Just don't open ANY attachment you weren't expecting!"


You make it sound so simple. I receive many unexpected legit attachments at work. Furthermore an expected attachment isn't a guarantee that the attachment won't still contain a virus. Many of us have acquaintances who can't keep their computers clean.

Eddie the Jedi • November 1, 2004 1:38 PM

I got this one a while back, ostensibly from the administrators of a domain where I'm the sole administrator. Hm...

In the version I received the attachment was an encrypted ZIP file, with the password in the body of the email. I suppose this would serve to get it past a virus scanner.

Akakie • November 1, 2004 3:21 PM

I got these often for a while. "Undeliverable mail" messages were particularly annoying, but anything coming in from mail systems, administrators of [whatever], usually get special attention. Now I just dump them unless I can tie the message from the subject to something I recognize. Internet, email and web are so useful that I suppose some people feel compelled to trash them for the rest of us.

What will the world be like when these small time terrorists get big?

Israel Torres • November 1, 2004 3:42 PM

... clicking on anything that comes through a mail port regardless if it is a known sender calls for trouble.

Israel Torres

J. B. Levin • November 1, 2004 4:41 PM

Re "clicking on anything that comes through a mail port regardless if it is a known sender calls for trouble.": I'm a bit of a sucker and like to look at the pictures; but I always check the full name of an object. I use a simple text-based mail reader that presents the complete name of attachments and doesn't try to interpret any content; hence a file named "foo.gif.pif" can't fool me. Saving is always safe, and I let Norton/Symantec vet the saved file.

I often look at .jpg and .gif attachments received this way; mucking about with those to make them dangerous is hard, and I was appalled to learn of a recent vulnerability with .jpg files (of course I immediately installed the fix). I still think that with care it is possible to open certain attachments with a sufficiently high degree of safety.
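An added example, not part of the post or of any comment: a Python sketch of the full-name check described above, covering the e-mail-address-named .com file from the post, the "foo.gif.pif" case, and the encrypted ZIP variant. The extension lists and all function names are assumptions chosen for illustration, and the sample message is constructed with harmless payloads.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE = {"com", "exe", "pif", "scr", "bat", "cmd"}  # assumed list: run directly by Windows
DECOY = {"gif", "jpg", "jpeg", "png", "txt", "doc", "pdf"}  # assumed list: the "foo.gif.pif" decoys

def name_flags(filename):
    """Flags derived from the full attachment name alone."""
    parts = filename.lower().rstrip(". ").split(".")  # Windows ignores trailing dots/spaces
    flags = set()
    if len(parts) > 1 and parts[-1] in EXECUTABLE:
        flags.add("executable-extension")
        if len(parts) > 2 and parts[-2] in DECOY:
            flags.add("double-extension")
        if "@" in filename:
            flags.add("looks-like-email-address")
    return flags

def inspect_part(part):  # returns (full name, sorted flags) for one attachment
    name = part.get_filename() or ""
    payload = part.get_payload(decode=True) or b""
    flags = name_flags(name)
    if payload[:4] == b"PK\x03\x04":  # ZIP local-file-header magic
        try:
            for info in zipfile.ZipFile(io.BytesIO(payload)).infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    flags.add("encrypted-zip")
                flags |= name_flags(info.filename)  # member names are not encrypted
        except zipfile.BadZipFile:
            flags.add("malformed-zip")
    return name, sorted(flags)

def scan_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    return dict(inspect_part(p) for p in msg.iter_attachments())

def constructed_sample():  # constructed test message; every payload is harmless
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("instructions.txt.scr", b"harmless")
    z = bytearray(buf.getvalue())
    z[z.index(b"PK\x01\x02") + 8] |= 0x1  # set the "encrypted" bit in the central directory
    msg = EmailMessage()
    msg.set_content("see attachment")
    for name, data in (("schneier@counterpane.com", b"x"), ("foo.gif.pif", b"x"), ("message.zip", bytes(z))):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

A password-protected ZIP hides file contents from a scanner, but with traditional ZIP encryption the member names in the central directory stay readable, so the name check still applies to what is inside.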

Jojo • November 2, 2004 5:19 AM

I've seen these for quite some time. K9 picks them up as spam and they get automatically deleted.

Jose Marcio Martins da Cruz • November 15, 2004 10:40 AM

Last year there was a virus named W32.MyParty, with this message, and with a link to www.myparty.yahoo.com, which was, in fact, an executable virus.

*****************************

Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!


**************************

Tom Liotta • November 15, 2004 8:18 PM

Received one a couple weeks back, but after a period where I was daily getting multiple warnings from remote e-mail systems that messages I'd sent were infected. I knew that those e-mails had been sent in my name from someone's PC that had my address in their address book, so I mostly ignored the notices.

Then along comes the e-mail ostensibly from the service that hosted my @zap.to e-mail account. I looked over the headers before doing anything more, and, boy, it sure _looked_ like it came from the hosting service.

Trusted source with _apparently_ valid message content probably by pure coincidence! Why wouldn't I click the attachment? I mean, sometimes attachments really are useful files. Yow. Good thing AVG was active.

Foxyshadis • November 30, 2004 9:44 AM

I have a question: Why is .com still a registered extension? I mean, really, when was the last time you saw a real com file, which would still run somehow under NT/2K/XP? It should be a banned extension to eliminate just this kind of clever problem. Too bad the only way to make this happen for most people is a windows update.

rob • March 20, 2006 9:57 PM

I believe that this problem will persist until society creates a proper legal infrastructure. Consider what happens if a bunch of kids get into a car and drive down your street at night with a hose of red paint and spray every house. In 20 minutes they can vandalize 20 houses. The owners will each spend 4 hours to have the house repainted or cleaned. So the kids, in 20 minutes of work, extracted 80 hours of labor. So the kids destroyed 80 hours of the collective lifetime of people who would rather play with their kids or cats. If caught, the vandals would be forced to perform 80 hours of public service.
Now consider a virus writer or forwarder who infects 100,000 computers in 1 minute. The owners of the computers will each spend 40 hours cleaning the system. 40 hours times 100,000 = 4M hours. That means the vandal destroyed 4M hours of the collective lifetime of people. That is equivalent to roughly 400 years of life lost, or five lifetimes. I believe that the legal system should punish the vandal appropriately -- meaning she/he took five lifetimes, hang the vandal four times, resurrect him and then hang him for good.

Secret Patrol • June 25, 2009 3:32 PM

Another good example why companies still fail massively at security. There is still nothing to protect against well executed social engineering attacks.
