A Thrill-Packed Tale Of A Virus Near-Miss - InformationWeek
Mitch Wagner

A Thrill-Packed Tale Of A Virus Near-Miss

I just got hit with my very first instant-message attack, the Oscarbold/Doyorg Trojan. I'm sure I'll see more. One thing I found interesting about the experience was the way that the attack circumvents our normal mental security defenses.

Like most of you, I pride myself on having developed a fairly good ear for phishing and other forms of e-mail attacks. I follow some common-sense rules:

- Nobody at Washington Mutual, eBay or PayPal really wants to have my login and password information. I don't even do business with WaMu, and I hardly ever use eBay or PayPal.

- If I get an e-mail seeking valuable information like a credit-card number or Social Security number, the first thing I ask myself is whether I was expecting this e-mail. Is it coming from a company I actually do business with? Did I just do a transaction with these guys recently? Does it make sense they'd be e-mailing me now? If the e-mail is expected, I check the URL carefully to see if it matches the legitimate URL I know.

So far, no e-mail message has ever passed the previous test. I rarely get e-mail purporting to be from a company I actually do business with seeking my Social Security number or credit-card number. And when I do get such a message, it turns out the URL in the message is obviously fraudulent.

- In addition to those tests, I rely quite a bit on writing style to determine whether a message is legitimate. When Microsoft sends a security alert, it doesn't read like it was written by a 17-year-old from Eastern Europe with only a rudimentary grasp of English.

You should also rely on technical security barriers, of course, including anti-virus, anti-spyware, anti-spam, and firewall software and hardware. But don't disregard the importance of the security wetware between your ears.

But the Oscarbold/Doyorg Trojan almost got through my defenses anyway.

The attack came to me in the form of an AOL IM message that appeared to come from a co-worker. "i thought youd wanna see this," is what the message said, and the word "this" was a hyperlink to an external site.

This guy usually sends me valuable stuff. And the message seemed legit. So I clicked the link. And was sent to a page in my Firefox browser that said the Web page was sending me a file — did I want to download it, or open it right away? I spoke the words of the immortal Lt. Uhura: "Sorry, neither," and I clicked "cancel."

And avoided a major pain in the neck.

If I'd been running different software, I'd be cleaning the mess off my computer right now. One of my colleagues is. Like me, he runs the Firefox browser, so we can't blame this one on Internet Explorer. The difference between his set-up and mine: he runs the America Online instant message client, and I run the GAIM IM client. GAIM saved me.

Lessons learned: Think about giving up public instant-messaging networks like AOL's. Instead, use a private network for business instant messaging. If you must use a public network, avoid the standard client if you can; use a multi-purpose client like GAIM (the one I use) or Trillian.

More importantly: We have to start using our mental security defenses on IM messages now. With e-mail, we can be careful of messages that seem to come from illiterate people. In IM, it's trickier because people often write IMs in haste, and neglect to proofread, capitalize, correct spelling and use proper punctuation. So the usage errors in the earlier IM wouldn't have clued me in even if I were on the lookout for them.

One clue that I'll watch for in future IMs: hyperlinks embedded in the message text, where the visible word (the "this" in the message above) hides the destination. Nobody I know sends hyperlinks like that; we all just send links as plain text, like this: http://www.securitypipeline.com/.
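That clue can be checked mechanically. The following is an added example, not code from the column or from any IM client: it parses an HTML-formatted IM, flags anchors whose visible text is not the URL itself, and also flags links whose path ends in an executable file name (the kind of "download or open it?" payload described above). The sample messages, the example.invalid domain and the suffix list are constructed assumptions.

```python
"""Flag IM links that hide their destination behind link text.

Added example, not from the column: a colleague's IM normally carries a
bare URL, so an anchor whose visible text is a word like "this" deserves
a second look. All sample input is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types a "download or open it?" prompt would deliver; the list is
# an assumption for the example, not taken from the column.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML-formatted IM."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None  # [href, text] of the anchor being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(tuple(self._open))
            self._open = None


def suspicious_links(message_html):
    """Return [(href, [reasons])] for links in an IM worth a second look."""
    parser = _AnchorCollector()
    parser.feed(message_html)
    findings = []
    for href, text in parser.anchors:
        reasons = []
        if text.strip() != href.strip():  # "this" instead of the URL
            reasons.append("link text hides destination")
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("link points at an executable")
        if reasons:
            findings.append((href, reasons))
    return findings
```

A plain-text URL, or an anchor whose text is the URL itself, produces no finding; the constructed "i thought youd wanna see this" message with an .exe behind the word produces both reasons.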

This was my first personal encounter with an instant message infection. I'm sure I'll be seeing more.

Mitch Wagner is editor of Security Pipeline