Trojan Horse Poses As Windows XP Update - InformationWeek

Trojan.Xombe loads compromised machines with a back door that can steal passwords and help hackers launch denial-of-service attacks.

A new Swen-style Trojan horse posing as a critical update from Microsoft has been detected on the Internet, and users who open the E-mail message may find their machines loaded with a back-door Trojan that can steal passwords or be used in conjunction with other systems to conduct major denial-of-service attacks.

Dubbed Trojan.Xombe, as in zombie, by most security firms, the Trojan shares some characteristics of the Swen worm line in that it masquerades as a message from Microsoft and purports to carry a security update in its file attachment. However, unlike Swen, a worm that first appeared last September, Trojan.Xombe doesn't self-replicate.

"This Trojan was spammed out to a large number of computers overnight," said Ken Dunham, director of malicious code at iDefense, a security-intelligence firm. By using spamming strategies, attackers hope to infect hundreds, even thousands, of machines before users realize what's up--or before anti-virus companies can update their definition files.

The faux message, which sports a spoofed sending address of [email protected], uses the subject line "Windows XP Service Pack 1 (Express)--Critical Update" to trick recipients into opening the attached file.

"Window [sic] Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1)," the message's text reads in part. "To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1." The message goes on to urge the user to run the winxp_sp1.exe file attachment to re-install SP1, and recommends that anti-virus software be disabled, as it "may interfere with the installation."

"The Trojan definitely downloads malicious code and installs it on the system," confirmed Dunham. By his analysis, Trojan.Xombe downloads a back-door IRC Trojan horse to the compromised machine. Once that's installed, attackers can access the PC undetected, add other code--such as key trackers for acquiring passwords--to the computer, and use the machine to launch denial-of-service attacks on other machines.

Trojan.Xombe, and socially engineered attacks like it--including phishing expeditions such as the MiMail worm, another exploit that pretends to be something it isn't in the hope that people will open the file attachment--are the confirmation security professionals were looking for that 2004 will be a rough year.

"Attackers use the social engineering trends of the moment," said Vincent Weafer, senior director of Symantec Corp.'s security response center. Touting a security update is only natural for hackers, he added, because of the increased awareness among many computer users of ongoing security issues with Windows.

Trojan.Xombe is also a good example of another trend first spotted in 2003, but certain to continue this year, said Dunham. "Trojans are being integrated into almost every piece of malicious code," he said. More than anything, hackers want to amass an army of compromised machines--typically called zombies--that they can use for other purposes.

"A lot of people are worried about the next super worm," he said, "but that's not the real threat we'll see in 2004. The real threat is in Trojan horses. The goal of attackers is really about Trojans and remote control of other computers, for stealing passwords and targeted DoS attacks. It's not about fun and notoriety anymore. It's about money and power."

Security vendors, including Symantec, Network Associates, and Sophos, have posted alerts on their Web sites warning users of Trojan.Xombe, but disagree on the severity of the problem. Symantec ranks the Trojan as a level 2 threat in its 1-through-5 rating system, while Network Associates tags Xombe with a "low" threat assessment.

The best defense against bogus E-mails carrying nasty payloads? "A lot of people see an E-mail and think that it's true," said Dunham. "But everything should be looked at with a degree of skepticism and concern, rather than trust."

Symantec's Weafer also notes that Microsoft never delivers security updates via E-mail. He urged people to scan suspicious messages for tell-tale signs of a scam, such as misspelled words and awkward syntax, both of which are evident in the message loaded with Trojan.Xombe.
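As an added illustration (not code from the article or from any vendor it quotes), the following Python check scores a message for the lure traits described above: an executable attachment, an update-themed subject line, a claim to come from Microsoft, and an instruction that anti-virus may "interfere". The sample message is constructed here from the article's quoted text; its addresses are placeholders, not the real spoofed sender.

```python
import email
import re
from email import policy

# Constructed sample modelled on the article's lure; the addresses are placeholders.
SAMPLE_LURE = """\
From: "Windows Update" <update@example.invalid>
Subject: Windows XP Service Pack 1 (Express) - Critical Update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Window Update has determined that you are running a beta version of Windows
XP Service Pack 1 (SP1). To help improve the stability of your computer,
Microsoft recommends that you re-install Windows XP SP1 by running
winxp_sp1.exe. Antivirus software may interfere with the installation.

--b1
Content-Type: application/octet-stream; name="winxp_sp1.exe"
Content-Disposition: attachment; filename="winxp_sp1.exe"

--b1--
"""

EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs)$", re.I)
UPDATE_WORDS = re.compile(r"critical update|security update|service pack|patch", re.I)
DISABLE_AV = re.compile(r"anti-?virus.{0,60}(disable|interfere|turn off)", re.I | re.S)

def lure_indicators(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    names = [a.get_filename() or "" for a in msg.iter_attachments()]
    found = []
    if any(EXEC_EXT.search(n) for n in names):
        found.append("executable attachment")
    if UPDATE_WORDS.search(subject):
        found.append("update lure in subject")
    if "microsoft" in (subject + " " + text + " " + str(msg["from"] or "")).lower():
        found.append("claims to come from Microsoft")
    if DISABLE_AV.search(text):
        found.append("asks to disable anti-virus")
    return found

def is_fake_vendor_update(raw_message):
    # Vendors do not ship patches as e-mail attachments: claim + executable = block.
    hits = lure_indicators(raw_message)
    return "executable attachment" in hits and "claims to come from Microsoft" in hits
```

The decision rule in `is_fake_vendor_update` deliberately ignores the sender address, since the article notes it was spoofed; the claim plus an executable attachment is enough to quarantine.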