White House Christmas E-Card Spoof Brings Malware, Espionage
They might have preferred a lump of coal: A bunch of federal workers and contractors got a not-so-nice holiday surprise last week. An e-card that went out Dec. 23 purporting to contain Christmas greetings from the White House was actually the vehicle for a two-pronged cyberattack that targeted users’ financial data and sensitive government documents.
One prong was the well-known ZeuS Trojan, which records users’ keystrokes when they log onto a list of financial websites and then sends those credentials to a server. The more-novel – and more threatening to national security – half scours the infected hard drive and uploads all .doc, .pdf and .xls files to a server in Belarus. Thus far, it has collected more than 2 gigabytes of information, according to security blogger Brian Krebs. As with many threats, it also modifies infected computers’ HOSTS files to prevent users from accessing websites with anti-virus information.
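As an added defender-side illustration that is not part of the original article, the Python below checks a HOSTS file for the kind of tampering described above: entries that pin anti-virus vendor domains to an address the attacker chooses. The vendor watchlist and the sample HOSTS content are constructed for the example.

```python
import ipaddress

# Constructed watchlist of security-vendor domains. A legitimate HOSTS file
# has no reason to override DNS for these; any mapping is worth a look.
WATCHLIST = {"symantec.com", "mcafee.com", "kaspersky.com", "virustotal.com"}


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a HOSTS file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; not a usable mapping
        for name in parts[1:]:
            yield addr, name.lower(), line_no


def matches_watchlist(hostname):
    """True if hostname is a watchlisted domain or one of its subdomains."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in WATCHLIST for i in range(len(labels) - 1))


def find_suspicious(text):
    """Return (line_no, hostname, address) for each watchlisted mapping."""
    return [(n, name, str(addr))
            for addr, name, n in parse_hosts(text)
            if matches_watchlist(name)]


# Constructed sample: benign entries plus three vendor domains sinkholed to loopback.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
192.168.1.20    intranet.example.local
127.0.0.1       www.symantec.com
127.0.0.1       update.symantec.com   # added by malware
0.0.0.0         www.kaspersky.com
"""

if __name__ == "__main__":
    for n, name, addr in find_suspicious(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {addr}")
```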
The collected information could be quite sensitive; Krebs hypothesized, based on the document cache, that infected users included an employee at the National Science Foundation’s Office of Cyber Infrastructure; an intelligence analyst from the Massachusetts State Police, whose computer uploaded documents that appear to be records of court-ordered cell phone intercepts; and an employee at the Financial Action Task Force, an agency that supports policies to prevent money laundering and terrorism financing.
Situations like this present quite a quandary for IT managers. While tech-savvy users would have sniffed out something suspicious about the source of the faux card (iphonedevelopersdk.com), the average user likely would not have thought twice about clicking “save file.” To the average federal worker who didn’t grow up navigating Windows directories, opening the file wouldn’t have violated any rules: The sender was known (who doesn’t know the president?), and it makes sense that he would want to wish those serving his government a happy yuletide.
And so IT managers are left with the unhappy tension between shepherding these less-experienced users away from malware attacks and still allowing people to download often-critical materials from the Internet and their mail servers without an undue amount of hassle. And when you throw in techies frustrated that they can’t download the browser of their choice, the headache just gets bigger.
The best attempt at resolving this tension I’ve seen so far is a piece of freeware called “Trust-No-Exe,” which prevents users from downloading any type of executable file, including .exe, .com, .scr and .zip, without direct authorization from an IT manager. Such a measure would likely have prevented these attacks. The problem is, malware can lurk in PDFs and Flash videos, too, and both of these are everyday necessities for carrying out business. So what do you do? How do you keep your company’s machines safe while still allowing business to go on?
Posted by Laura Williams on Jan 05, 2011