Password-Stealing, DoS Trojan Poses As Windows XP Update

A Trojan horse posing as a Microsoft Windows XP update and able to steal passwords or conduct major denial-of-service attacks has been detected in cyberspace.

Most security firms are calling it Trojan.Xombe (read: zombie). Like the Swen worm family, it portrays itself as a Microsoft message carrying a security update in its attachment - even though, as Symantec reminded users, Microsoft never e-mails such messages and update notices. But unlike Swen, Trojan.Xombe does not self-replicate, experts told TechWeb.

Ken Dunham, malicious code director at iDefense in Virginia, told TechWeb Trojan.Xombe was spammed out to a large number of computers overnight, with the Trojan's maker apparently hoping spam techniques will help infect "hundreds, even thousands" of computers before their users get wise.

Symantec, Network Associates, and Sophos have alerts on their Websites against Trojan.Xombe, though they differ on the severity of its problems, TechWeb said, with Symantec ranking it Level 2 and Network Associates rating it a low threat.

The Trojan arrives in a message claiming a sending address of [email protected], using as a subject line "Windows XP Service Pack 1 (Express)...Critical Update," to fool recipients into opening the attachment, TechWeb said January 12.

"Window [sic] Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1)," says part of the message. "To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1." The message goes on to urge the user to run the winxp_sp1.exe file attachment to re-install SP1, and recommends that anti-virus software be disabled, as it "may interfere with the installation."

Lies, said Dunham. "The Trojan definitely downloads malicious code and installs it on the system," he said. He told TechWeb Trojan.Xombe downloads a backdoor IRC Trojan horse to the compromised computer and, once installed, lets attackers use the machine undetected, add other code like password-acquiring key trackers, or use the machine for DoS attacks.

"Attackers use the social engineering trends of the moment," Symantec senior director of security response Vincent Weaver told TechWeb. He said that trumpeting security updates is a natural ruse for hackers, given heightened computer security awareness, especially with so many worms and viruses making their way around cyberspace through Microsoft programs in recent months.

Dunham thinks Trojan horses could become 2004's major computer threat.

"Trojans are being integrated into almost every piece of malicious code," Dunham said. "More than anything, hackers today want to amass an army of compromised machines, typically called zombies, that they can then use for other purposes. A lot of people are worried about the next super worm, but that's not the real threat we'll see in 2004. The real threat is in Trojan horses. The goal of attackers is really about Trojans and remote control of other computers, for stealing passwords and targeted DoS attacks. It's not about fun and notoriety anymore. It's about money and power."