A new way of enticing users to open a Trojan horse called Hackarmy was discovered by antivirus firm Sophos on Friday after it was posted on several Internet news groups.
The message claims to contain pictures taken by CNN journalists of Osama Bin Laden's suicide but, once the file is opened, it installs a Trojan horse that effectively recruits the infected machine into the author's zombie army, which can then be used to distribute spam or launch DDoS attacks.
Hackers and virus writers are using different tricks to get people to download their malicious code, said Graham Cluley, senior technology consultant for Sophos.
"It seems this time the hacker has focused on the public's morbid curiosity and appetite for news on the war against terror," he said.
Richard Starnes, president of security industry group ISSA UK, congratulated Sophos for highlighting the issue because it will allow users to "install preventative measures" before the Trojan becomes widespread.
Malware writers try to get email users' attention and persuade them to open attachments or click on links even if they have been told not to, Starnes said.
"Anna Kournikova, Catherine Zeta Jones and I Love You are all variations of a theme; they are trying to entice the user into doing something they often know they shouldn't do," he added.
Antivirus and antispam companies have updated their software to detect the Trojan, according to Starnes, so users need to make sure they have the most recent version of their software.
"It depends on how long [it takes for] antivirus and anti-spam companies [to] respond by releasing new signatures and how quickly the customers respond by downloading and installing them," he said.
Terrorism has been a popular theme amongst malware writers recently. Last week, a variant of the Atak worm was linked with an Al-Qaeda sympathiser who allegedly threatened to release an "uber worm" if the US attacked Iraq.
Talkback
The authors were lambasted on a couple of the Linux newsgroups this morning... Posting information on a Linux newsgroup for a Windows Trojan shows a lot of intelligence *NOT*.
If this is evidence of their logic, it doesn't bode well for the quality of the logic in the code :-)
quoted from Usenet:
>> Osama Bin Ladin was found hanged by two CNN journalists early Wednesday evening. As evidence they took several photos, some of which I have included here. As yet, this information has not hit the headlines due to Bush wanting confirmation of his identity, but the journalists have released some early photos over the internet.
>> http://www.theparadise.x-y.net/OsamaFoundDead.zip
I'm having some difficulty getting the backdoor trojan in that link to run. Perhaps you could link directly to the pictures for those of us who run Linux?
They are at it again:
The message is as follows (part of the download address has been blacked out):
Arnold Schwarzenegger Commits Suicide
Early this morning Arnold Schwarzenegger was found hanging by his neck from the large oak tree in his Californian garden. In a suicide note found at the scene he tells of his sordid sex life and lack of will to live. A copy of the suicide note which was found by journalists has been included here
http://wwwXXXXXXXXXXXXt/ArnoldSchwarzenegger.zip
I think this should be dubbed the suicide virus. Just today I found the virus again as Arnold Schwarzenegger committing suicide.
I believe I was able to save myself, even after falling for the Osama trap. I was torn between suspicion and curiosity; curiosity won. Luckily my Sygate firewall (which is free, and in my opinion the best I've seen) was able to block the new generic host process 32 it started, and was able to identify the new service and keep it from starting. This is the startup item I removed from my registry; hope this helps others. I used "regcleaner 4.3":
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winsock32driver"="ZoneLockup.exe"
I'm still not sure if I'm totally safe though.
If anyone else has more information please post it, thanks.
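The Run-key entry quoted in the post above shows two traits worth checking for in any autostart audit: the command is a bare file name with no directory, and the value name ("Winsock32driver") has nothing to do with the executable it actually starts. The following script is an added example, not code from the article or from any poster; it parses a .reg export of the Run keys (the constructed SAMPLE_REG below, whose first entry reproduces the quoted one and whose other two are made-up benign entries) and flags entries showing either trait, so a defender can review them before deleting anything.

```python
import re
import ntpath
from typing import Dict, List

# Constructed sample .reg export (not from the page): the first Run entry is the one
# quoted in the post; the other two are typical benign autostart entries made up here.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winsock32driver"="ZoneLockup.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" lines; both sides may contain \" and \\ escapes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_entries(reg_text: str) -> List[Dict[str, str]]:
    """Return the string values found under any ...\\Run or ...\\RunOnce key."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key and current_key.lower().endswith(('\\run', '\\runonce')):
            entries.append({'key': current_key,
                            'name': _unescape(m.group(1)),
                            'command': _unescape(m.group(2))})
    return entries


def _image_path(command: str) -> str:
    # First token of the command line, with surrounding quotes removed
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def _norm(s: str) -> str:
    return re.sub(r'[^a-z0-9]', '', s.lower())


def audit_run_entries(reg_text: str) -> List[Dict[str, object]]:
    """Flag autostart entries that show the traits of the quoted entry."""
    findings = []
    for e in parse_run_entries(reg_text):
        image = _image_path(e['command'])
        reasons = []
        # A bare file name is resolved via PATH / working directory at logon;
        # legitimate installers write a full path.
        if not ntpath.dirname(image):
            reasons.append('bare file name, no directory')
        # Value name unrelated to the executable name: the quoted entry calls
        # itself a driver but starts ZoneLockup.exe.
        stem = _norm(ntpath.splitext(ntpath.basename(image))[0])
        name = _norm(e['name'])
        if stem and name and name not in stem and stem not in name:
            reasons.append('value name does not match executable name')
        if reasons:
            findings.append({**e, 'image': image, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit_run_entries(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['image']}: {', '.join(f['reasons'])}")
```

On a real machine, export the two Run keys with `reg export` and feed the file to `audit_run_entries`; the heuristics are deliberately loose (a mismatched name alone is only a prompt to look at the file on disk, not proof of anything), which is why the script reports reasons instead of deleting entries.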
Hey German IT consultant.
Try running it under Wine :D
You other people who downloaded it. Gimme a break! Are you really that dumb?
Usenet suffers from another poster who keeps posting supposed "Sister caught..." and "sister and mother" and other rubbish purporting to be underage porn where the file extension is .scr (screensaver). Don't be a muppet! Don't download it!
I have a usenet filter. I guess I'm going to add the word "suicide" to it :P
I saw this on Usenet and figured it was something dodgy. Out of curiosity I looked at Google groups and they had it filtered from their messages straight away which I thought was pretty good going.
I too saw the Arnold version. It was on Saturday morning and I found it throughout all of the tech group sites at Microsoft. There were multiple entries in all of the headings. Most of them were from east coast colleges. The thing that clued me in was the .zip extension at the end of the website address in the link that was provided for reading the article. Sounded like a self-unzipping executable would run once connected to the site.
Later in the day all of these messages had been removed.
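Three of the comments above describe the same triage heuristics: a download link ending in .scr or .zip where an article link would be expected, and a lure subject (the "suicide" keyword one poster added to a Usenet filter). The script below is an added example, not code from the article or any poster, and turns those heuristics into a small message filter: it extracts URLs from a message body, flags those whose path ends in an archive or directly executable extension, counts lure keywords, and holds the message for review when the combined score is high enough. The messages in SAMPLE_MESSAGES and the example.invalid host are constructed for the example.

```python
import re
from urllib.parse import urlparse
from typing import Dict, List

# Constructed sample messages modelled on the lures described in the comments
# (made up here; not the real Usenet posts).
SAMPLE_MESSAGES = [
    "Celebrity found dead this morning; photos taken by journalists are here: "
    "http://example.invalid/CelebPhotos.zip",
    "Release notes for the 2.6 kernel are at http://example.invalid/docs/relnotes.html",
    "Sister caught on camera!!! download sister.scr http://example.invalid/files/sister.scr",
    "Weekly meeting moved to Thursday, agenda at http://example.invalid/agenda.pdf.",
]

# Extensions that run (or unpack to something that runs) as soon as the user opens them
RISKY_EXTENSIONS = {'.zip', '.scr', '.exe', '.pif', '.com', '.bat', '.cmd', '.vbs'}
# Lure phrases drawn from the messages quoted on this page; extend per the "suicide" filter idea
LURE_KEYWORDS = ('suicide', 'found dead', 'hanged', 'photos', 'underage', 'caught on camera')

URL_RE = re.compile(r'https?://[^\s<>"\']+')


def risky_links(text: str) -> List[str]:
    """Return URLs in text whose path ends in an archive or executable extension."""
    out = []
    for url in URL_RE.findall(text):
        url = url.rstrip('.,;:)')          # drop sentence punctuation glued to the link
        path = urlparse(url).path.lower()
        if any(path.endswith(ext) for ext in RISKY_EXTENSIONS):
            out.append(url)
    return out


def lure_keywords(text: str) -> List[str]:
    low = text.lower()
    return [k for k in LURE_KEYWORDS if k in low]


def triage(text: str) -> Dict[str, object]:
    """Score a message: 2 per risky link, 1 per lure keyword; score >= 2 is held for review."""
    links = risky_links(text)
    words = lure_keywords(text)
    score = 2 * len(links) + len(words)
    return {'score': score, 'links': links, 'keywords': words, 'hold': score >= 2}


if __name__ == '__main__':
    for msg in SAMPLE_MESSAGES:
        r = triage(msg)
        print(f"{'HOLD' if r['hold'] else 'pass'} score={r['score']} links={r['links']} keywords={r['keywords']}")
```

A link alone is enough to hold a message (a .zip or .scr where an article was promised is exactly the clue the poster above used), while keywords on their own need to pile up before they trigger, so a genuine news post that mentions "photos" is not filtered.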
The Arnie one has been removed.
I don't know about the Osama one - I think it was being hosted from a US broadband IP address.
I actually did a domain lookup and told the administrative contact about the Arnie one, so who knows - it may even have been my email that made it disappear... maybe if you see something stupid like this you should be proactive and report it :D
The sky is not falling!