Don’t Fall for “Human Engineering”

by Ira Wilsker
Golden Triangle PC Club
From the July, 2005 issue of the I/O Port Newsletter

You receive the following urgent email from someone you will likely know with the subject line “Finally Captured! You open this intriguing email and see the message: "Turn on your TV. Osama Bin Laden has been captured. While CNN has no pictures at this point of time, the military channel (PPV) released some pictures. I managed to capture a couple of these pictures off my TV. Ive (sic) attached a slideshow containing all the pictures I managed to capture." Attached to the email is a file “Pictures.zip”. Eager to see the proof that the number one most wanted person in the world has been captured finally, you click on the attachment. No photos appear, so maybe you click on it again. It is now too late, because that first click on the attachment rather than opening a zip file and displaying the photos, planted a nasty backdoor Trojan on your computer, Nibu.D. Through a process known in the industry as “Human Engineering”, an innocent victim was tricked into installing unwanted software onto his computer. In this particular case, the Nibu.D backdoor just installed a “keylogger” intended to capture usernames, passwords, account numbers, and other sensitive information.

Nibu.D is also listed by Norton as a “bank info scarfer”, a type of malware that explicitly looks for banking information when entered, and sends that information to parties unknown. If you were one of the countless victims of this trick, and have since opened the attachment and unknowingly installed Nibu.D, you have done online banking, checked your credit card accounts, logged onto EBay or other shopping sites, your personal information may have been compromised, and you may become a victim of identity theft.

Every day for the past several weeks I have received some apparently urgent emails seemingly from my internet service provider (ISP). They come addressed from “administrator”, “support”, “customer service”, or some similar official sounding individual at the ISP. They carry dire warnings in the subject line that my email account will be or has been suspended for a variety of infractions, ranging from failure to follow an unspecified rule, sending excessive spam, or some other major infraction. The poorly worded message is “Once you have completed the form in the attached file, your account records will not be interrupted and will continue as normal” and has a 65k attachment “document.zip”. Another slight variation refers to following directions in a file ranging from 43k to 65k in size with the file name “instructions.zip.” I depend on my email, reading and sending dozens per day. Email is important to me, and since it is from my ISP, I go ahead and click on the attachment. Bad choice; one or more of the dozens of variants of the Mytob worm is now infesting my computer, possibly killing or deactivating my antivirus and firewall software, preventing access to antivirus and other helpful websites, and creating a multitude of new threats to my cyber safety. Once the computer is infected, Mytob searches the hard drive for address books, and sends infecting emails to addresses found, geometrically increasing its distribution and degree of damage.

Recently, variations of Mytob in aggregate have made it to the top of the threat lists compiled by antivirus companies. In one recent day, antivirus company Sophos reported that over half of all new virus infestations detected were variants of Mytob. Mytob is a product of a group of miscreants going by the name “HellBot”, who have allegedly stated that they are trying to develop some type of “SuperBug”, according to a recent article in Computerworld. On some days, several versions of Mytob have appeared; in recent months, slight variations have appeared so rapidly, that Mytob has spread more quickly than antivirus companies’ ability to protect against it, leaving even recently updated antivirus software vulnerable to attack.

Mytob, first discovered in February, and its many variants, are especially nasty based on what they do. One factor in common is the ability, as mentioned above, to deactivate or destroy the antivirus software and firewall installed on the infected computers. It also blocks access to security websites that may provide information and utilities to kill Mytob. This malware may also prevent the running of the free online antivirus scans, which could (if allowed to run), detect and remove Mytob, making it a self-protective piece of malware. Some versions also lower or remove other security settings on the computer, making it even more vulnerable to attack. Some versions also may install spyware, adware, zombies, or other undesirable software, as well as broadcast over the internet that the infected computer is vulnerable to further attacks. Trend Micro, the provider of the online free antivirus scan Housecall (housecall.antivirus.com), and PC-Cillin antivirus software, has stated that some variants of Mytob use the infected computers as a source of revenue for HellBot by placing adware and spyware on the infected computer.

Nibu and Mybot are just two of the thousands of currently circulating viruses, worms, and Trojans. Netsky, Bagel, Sober, and their many variations are a major threat to our computing security. As the virus writers continue to make more productive (for them) and destructive malware, it is now more imperative than ever that we all keep our antivirus software updated constantly. Be suspicious about emails even from known sources, and check out any suspicious email from possibly known sources by checking directly with that source prior to opening the email or any attachments.

As I have pleaded in the past, we must be responsible for our own cybersecurity.



For more information on the Tulsa Computer Society click here



Tulsa Computer Society 7/01/2005
Don Singleton, President