Tuesday, January 10, 2006

The "Exploding Car" Phishing scam


Photo: Phishing email as seen in Gmail (image courtesy BadBlue)

The image at right illustrates a relatively new type of phishing scam that's making the rounds. Whatever you do, don't click on the hyperlink (well, okay, you can click on the one pictured at right -- it's a harmless screenshot -- but don't click on a real one).

Trying to display that image, tempting though it may be ("hey, Clem, it's a splodin' car!"), may install a malicious trojan on your machine. And we don't want that, do we?

So: how can simply displaying a picture cause such catastrophic damage? Typically, a bug in the image parser is at fault: the renderer trusts a length or size field embedded in the file, and a crafted value makes it write past the end of a buffer. For example, Trojan.Moo is malware that exploits the buffer overrun in the JPEG decoder of Microsoft's GDI+ library (patched as MS04-028 in September 2004) to wedge an executable payload onto a target PC. The trigger is a JPEG comment segment whose 16-bit length field is smaller than the two bytes of the field itself; the decoder subtracts 2 before checking, the arithmetic wraps around, and the resulting huge size drives the copy into the heap.
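To make the length-field failure concrete, here is an added example (written for this page, not code from the post or from Microsoft's GDI+ source): a small walker over JPEG marker segments that shows the vulnerable subtraction next to a hardened version of the same check. The function names and the three sample byte strings are constructed for illustration; the vulnerable arithmetic reproduces the pattern MS04-028 describes, a comment (COM, 0xFFFE) segment whose length is 0 or 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed sample inputs (not real phishing images): the start of a
 * JPEG stream, SOI followed by one COM segment and EOI. The 16-bit
 * big-endian length after a marker counts itself, so a segment carrying
 * N payload bytes has length N + 2.
 */
static const uint8_t SAMPLE_BENIGN[] = {
    0xFF, 0xD8,                                        /* SOI */
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',   /* COM, len 7 = 2 + 5 */
    0xFF, 0xD9                                         /* EOI */
};
static const uint8_t SAMPLE_UNDERFLOW[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0x00, 0x01,   /* COM with length 1: smaller than the field itself */
    0xFF, 0xD9
};
static const uint8_t SAMPLE_TRUNCATED[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0x00, 0x40    /* COM claims 62 payload bytes, then the file ends */
};

/* The vulnerable pattern, written from the MS04-028 description (illustrative,
 * not Microsoft's source): subtract the two length bytes without first
 * checking that the length is at least 2. A length of 0 or 1 wraps to
 * about 4 GB, and that value then sizes the copy into a heap buffer. */
uint32_t segment_payload_len_vulnerable(uint16_t seglen) {
    uint32_t n = seglen;
    return n - 2;             /* 1 -> 0xFFFFFFFF, 0 -> 0xFFFFFFFE */
}

/* Hardened form: refuse a length that cannot cover its own two bytes, and
 * refuse a payload longer than what is left of the input. Returns 0 on
 * success with the payload size in *out, -1 otherwise. */
int segment_payload_len_hardened(uint16_t seglen, size_t remaining, size_t *out) {
    if (seglen < 2) return -1;
    size_t n = (size_t)seglen - 2;
    if (n > remaining) return -1;
    *out = n;
    return 0;
}

/* Walk the marker segments before the scan data using the hardened check.
 * Returns 0 if every length is sane up to EOI or SOS, the offending marker
 * byte (0xFE for COM) if a length fails the check, and -1 for a stream
 * that is not a JPEG or ends mid-header. */
int scan_jpeg_segments(const uint8_t *buf, size_t len) {
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* no SOI */
    size_t pos = 2;
    while (pos + 2 <= len) {
        if (buf[pos] != 0xFF) return -1;                          /* lost marker sync */
        uint8_t marker = buf[pos + 1];
        if (marker == 0xD9 || marker == 0xDA) return 0;           /* EOI, or SOS: scan data starts */
        if (pos + 4 > len) return -1;                             /* length field cut off */
        uint16_t seglen = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        size_t payload;
        if (segment_payload_len_hardened(seglen, len - (pos + 4), &payload) != 0)
            return marker;
        pos += 4 + payload;
    }
    return -1;                                                    /* ran off the end */
}

int main(void) {
    printf("vulnerable arithmetic on length 1: %lu bytes to copy\n",
           (unsigned long)segment_payload_len_vulnerable(1));
    printf("benign:    %d\n", scan_jpeg_segments(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN));
    printf("underflow: 0x%X\n", scan_jpeg_segments(SAMPLE_UNDERFLOW, sizeof SAMPLE_UNDERFLOW));
    printf("truncated: 0x%X\n", scan_jpeg_segments(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The two checks in the hardened function are the whole fix: the first stops the wrap-around, the second stops a truncated or lying file from making the decoder read past the end of the data it was actually given. A real decoder would go on to parse each segment's contents, but every one of them starts with this same length field, so the same guard applies at every marker.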

It's fascinating to watch reports of how these vulnerabilities get discovered and then increasingly exploited. Trojan.Moo had a typical genesis:

First, someone determined that a corrupted JPEG image could cause an application to crash. That turned into a denial-of-service exploit.

Next, someone else was able to kick off a local command shell to execute some pre-canned commands. No remote access was present, however.

The third generation expanded the hack: just hours after the prior version was released, another person claimed to have gotten TCP/IP access through the command shell, turning it into a remote-access exploit.

The final generation went whole-hog: reports indicate that when GDI+ renders the JPEG, the exploit's payload first connects to a malicious external FTP site. It then downloads a 2MB package and installs a complete Trojan service. In addition, it installs radmin.com, which could permit a remote user to take control of the machine (think of a malicious version of VNC or Terminal Services). Reportedly, the trojan also downloads a suite of hacker tools including netcat, nmap, etc.

The recently disclosed Microsoft WMF bugs are another example of parsing and rendering code gone wild. These vulnerabilities show up as particularly vicious "zero-day" exploits: the exploit is circulating before the vendor has a fix, so attackers go after users who have no patch and no virus definitions to protect them.

So... word to the wise. Don't click on fun-looking links from unknown sources. That is, not unless you really want some cybercrook in a foreign land watching you log on to your brokerage and banking services. Keep in mind that with an image-parser bug the link only has to lead to a page that displays the picture; there is no download prompt or "Run" dialog to warn you.
