Trojan Horse Poses As Windows XP Update - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Trojan Horse Poses As Windows XP Update

Trojan.Xombe loads infected machines with an infection that can steal passwords and help hackers launch denial-of-service attacks.

A new Swen-style Trojan horse posing as a critical update from Microsoft has been detected on the Internet, and users who open the E-mail message may find their machines loaded with a back-door Trojan that can steal passwords or be used in conjunction with other systems to conduct major denial-of-service attacks.

Dubbed Trojan.Xombe, as in zombie, by most security firms, the Trojan shares some characteristics of the Swen worm line in that it masquerades as a message from Microsoft and purports to carry a security update in its file attachment. However, unlike Swen, a worm that first appeared last September, Trojan.Xombe doesn't self-replicate.

"This Trojan was spammed out to a large number of computers overnight," said Ken Dunham, director of malicious code at iDefense, a security-intelligence firm. By using spamming strategies, attackers hope to infect hundreds, even thousands, of machines before users realize what's up--or before anti-virus companies can update their definition files.

The faux message, which sports a spoofed sending address of [email protected], uses the subject line "Windows XP Service Pack 1 (Express)--Critical Update" to trick recipients into opening the attached file.

"Window [sic] Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1)," the message's text reads in part. "To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1." The message goes on to urge the user to run the winxp_sp1.exe file attachment to re-install SP1, and recommends that anti-virus software be disabled, as it "may interfere with the installation."

"The Trojan definitely downloads malicious code and installs it on the system," confirmed Dunham. By his analysis, Trojan.Xombe downloads a back-door IRC Trojan horse to the compromised machine. Once that's installed, attackers can access the PC undetected, add other code--such as key trackers for acquiring passwords--to the computer, and use the machine to launch denial-of-service attacks on other machines.

Trojan.Xombe, and socially engineered attacks like it--including phishing expeditions such as the MiMail worm, another exploit that pretends to be something it isn't in the hope that people will open the file attachment--are the confirmation security professionals were looking for that 2004 will be a rough year.

"Attackers use the social engineering trends of the moment," said Vincent Weaver, senior director of Symantec Corp.'s security response center. Touting a security update is only natural for hackers, he added, because of the increased awareness among many computer users of ongoing security issues with Windows.

Trojan.Xombe is also a good example of another trend first spotted in 2003, but certain to continue this year, said Dunham. "Trojans are being integrated into almost every piece of malicious code," he said. More than anything, hackers want to amass an army of compromised machines--typically called zombies--that they can use for other purposes.

"A lot of people are worried about the next super worm," he said, "but that's not the real threat we'll see in 2004. The real threat is in Trojan horses. The goal of attackers is really about Trojans and remote control of other computers, for stealing passwords and targeted DoS attacks. It's not about fun and notoriety anymore. It's about money and power."

Security vendors, including Symantec, Network Associates, and Sophos, have posted alerts on their Web sites warning users of Trojan.Xombe, but disagree on the severity of the problem. Symantec ranks the Trojan as a level 2 threat in its 1-through-5 rating system, while Network Associates tags Xombe with a "low" threat assessment.

The best defense against bogus E-mails carrying nasty payloads? "A lot of people see an E-mail and think that it's true," said Dunham. "But everything should be looked at with a degree of skepticism and concern, rather than trust."

Symantec's Weafer also notes that Microsoft never delivers security updates via E-mail. He urged people to scan suspicious messages for tell-tale signs of a scam, such as misspelled words and awkward syntax, both of which are evident in the message loaded with Trojan.Xombe.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
How COVID is Changing Technology Futures
Jessica Davis, Senior Editor, Enterprise Apps,  7/23/2020
10 Ways AI Is Transforming Enterprise Software
Cynthia Harvey, Freelance Journalist, InformationWeek,  7/13/2020
IT Career Paths You May Not Have Considered
Lisa Morgan, Freelance Writer,  6/30/2020
Register for InformationWeek Newsletters
Current Issue
Special Report: Why Performance Testing is Crucial Today
This special report will help enterprises determine what they should expect from performance testing solutions and how to put them to work most efficiently. Get it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll