Olympic Targeted Attacks Hidden in PDFs
SYDNEY, Australia – August 13, 2008 - MessageLabs has uncovered evidence of targeted malware being distributed in legitimate-looking International Olympic Committee (IOC) emails that have been sent to participating nations' national sporting organisations and athlete representatives.
In this latest attack, at least 9 domains were targeted with 57 emails containing press-release and media information relating to the International Olympic Committee. The content of the messages appears to have been taken from the IOC website. A sample of one of the emails can be found here.
The malware was hidden within an Adobe Acrobat PDF file attachment, using embedded JavaScript to drop a malicious executable program onto the target's computer. This compromises the computer, allowing confidential information to be leaked to an external party. Although the initial PDF is blank when opened, the dropped executable then presents the user with a non-blank PDF containing information similar to the press release used in the email body, convincing the user that the PDF is genuine. Most traditional signature-based anti-virus systems are unable to detect and stop targeted attacks such as this one. The original emails appear to have come from a number of Google Mail accounts, including international.olympic@gmail.com and international.olympic2008@gmail.com.
In addition to the initial direct distribution of the infected emails, because the email and its attachment appeared legitimate to many recipients, they were subsequently and innocently forwarded on to other news and sporting organisations.
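As an added defender's illustration (not MessageLabs' code and not part of the original release), the Python triage below flags the indicators this kind of attachment relies on: an /OpenAction that fires embedded /JavaScript, together with hex-escaped name objects used to hide those keywords from naive string matching. The two PDFs are constructed minimal samples, not the real attachment.

```python
import re
from collections import Counter

# Keywords whose presence in a PDF warrants a closer look; JavaScript plus an
# auto-run action (/OpenAction or /AA) is the combination described above.
RISKY = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
         b"/EmbeddedFile", b"/RichMedia"]

def normalise_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF name objects (e.g. /Java#53cript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(raw: bytes) -> dict:
    """Count risky keywords in raw PDF bytes and assign a coarse risk level."""
    # Hex-escaped names are themselves a signal: benign generators rarely emit them.
    obfuscated = len(re.findall(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}", raw))
    data = normalise_names(raw)
    hits = Counter()
    for kw in RISKY:
        # The negative lookahead stops /JS from matching inside longer names.
        hits[kw.decode()] = len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", data))
    has_js = hits["/JavaScript"] + hits["/JS"] > 0
    auto_run = hits["/OpenAction"] + hits["/AA"] > 0
    if has_js and auto_run:
        risk = "high"      # script that runs as soon as the document is opened
    elif has_js or hits["/Launch"] or hits["/EmbeddedFile"] or obfuscated:
        risk = "medium"
    else:
        risk = "low"
    return {"hits": dict(hits), "obfuscated_names": obfuscated, "risk": risk}

# Constructed sample: a one-page PDF with plain text content and no actions.
BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 700 Td (IOC press release) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Constructed sample: blank page, auto-run action, hex-escaped /JavaScript name.
# The script body is a harmless placeholder, not the real dropper.
SUSPICIOUS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
5 0 obj << /S /Java#53cript /JS (app.alert('placeholder')) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""
```

Run `triage_pdf()` on an attachment's raw bytes at the mail gateway; a "high" result is a candidate for quarantine and analyst review regardless of whether signature AV fires.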
Worldwide interest in the Beijing Olympic Games is now reaching a high point, and MessageLabs expects to intercept additional targeted attacks as well as more general malware distribution that simply capitalises on people's interest in the Olympics. A variety of more general Olympic-themed malware distribution has been intercepted by MessageLabs in recent weeks, including emails containing malicious attachments as well as web links to malware-hosting sites. Examples of Olympic-themed subject lines include the following:
• Beijing Olympics cancelled, moved to Atlanta
• Emailing: Beijing takes dog off the menu for Olympics - Yahoo! News
• Obama buys 10 million Olympics ad
• 2008 Olympic Games will possible not take place
• Athletes ponder wearing masks to fight pollution - Olympics - Yahoo! Sports
• 2008 Olympic Games are under the threat
• FW: Learn Chinese for the Olympics
The online threat landscape and China
Broadband adoption in China reportedly exceeded that in the US earlier this year, with more than 71.6 million subscribers compared with 70.2 million in the US, 21 million in Germany and 16.4 million in the UK (according to DITTBERNER, June 2008).
The China Internet Network Information Centre (CNNIC) reported that the country had more than 253 million internet users at the end of June, and China is believed to now have more web surfers than the US. With 12.18 million '.cn' domain names in circulation, China can also boast the largest country-code top-level domain next to Germany's .de.
The majority of the 12 million .cn domains are registered overseas, and the domain is often favoured by malware authors as well as spammers. The attraction of a .cn domain is partly down to aggressive price reductions for domain purchases, making it one of the least expensive domains to own, and partly because it is much harder to close down a malicious site hosted in China. With the world's eyes focused on the Olympic Games in Beijing, this booming marketplace is expected to become an increasingly attractive target for cybercriminals.
Web Threats in China
With China now seeing huge Internet user growth and broadband adoption, and increased demand for .cn domains, China is now an attractive target for cybercriminals. It is interesting to note that there are 1.92 million websites hosted in China (according to CNNIC), with 71.3% hosted under the .cn top-level country code domain.
Analysis of MessageLabs Web Security activity during July 2008 identified that 4.4% of all web-based malware was hosted on .cn domains, making it the third most popular top-level domain globally behind .com and .mobi, as can be seen in the chart found here.
The majority of malicious web security threats in July were the result of a recent rise in the number of legitimate sites being compromised through SQL injection attacks. Many such attacks were also hosted on .cn domains in July. For more information on this topic, please refer to the MessageLabs Intelligence Report for July 2008 (http://www.messagelabs.com/intelligence.aspx).
Spam in China
Internet use in China has grown significantly in recent months, allowing users to access the very latest information, such as breaking news stories, online, as well as increased use of online shopping and online banking. Although email use in China takes second place to Instant Messaging, with 81% of Chinese Internet users favouring IM compared with 56% who use email (according to CNNIC in January 2008), this does not dissuade the spammers. At 72.9% of all email, the spam level in China compares with 79.8% in the US, 69.9% in the UK and 64.1% in Australia. As can be seen in the chart here, spam levels in China have increased in recent months.
As in the typical example below, more spam is now targeting Chinese domains and is written in Chinese rather than in English, the ubiquitous language of spam. During the first half of 2008, approximately 0.03% of all spam worldwide was in the Chinese language. Interestingly, less than 1% of global spam actually emanates from China.
To see an example of this Chinese spam, click here. In this particular example, the sender's company purportedly has a presence in different parts of China and has extra invoices for sales, transportation, advertising, construction, etc. Anyone who needs invoices (e.g. for their tax bill) is invited to contact them.
Email Malware in China
In 2007 the level of email-borne malware targeting Chinese businesses peaked: in July 2007, 2.26% of emails (1 in every 44.2) contained some form of malware. Since the end of last year, the level of email threats has diminished. In 2007, the malware landscape in China was dominated by mass-mailers such as Warezov, which also included an IM component used to spread itself. By July 2008, 0.07% of emails (1 in 1,428) were malicious. This decline is largely due to the dwindling of mass-mailer email viruses, including Warezov, coupled with the transition from malware being spread via email to being spread via drive-by downloads on websites that have been compromised for the purpose. To see a graph of this trend, click here.
About MessageLabs
MessageLabs is a leading provider of integrated messaging and web security services, with over 18,000 clients ranging from small businesses to the Fortune 500, located in more than 86 countries. MessageLabs provides a range of managed security services to protect, control, encrypt and archive communications across Email, Web and Instant Messaging.
These services are delivered by MessageLabs' globally distributed infrastructure and supported 24/7 by security experts. This provides a convenient and cost-effective solution for managing and reducing risk and providing certainty in the exchange of business information. For more information, please visit www.messagelabs.com.
ENDS