Tomb Raider Strikes Back
Last week we blogged about the mass-spamming of a Trojan masquerading as pornographic pictures of various female celebrities. During the analysis of that Trojan, we noticed some similarities with other recent Trojans we have received. So, in an effort to improve proactive detection and protect customers from future variants, we published generic detection as Mal/Dropper-L (last Friday).
Today saw another mass-spamming by the same group. Pleasingly, the Trojan is proactively detected as Mal/Dropper-L so customers are already protected. Exactly as in previous attacks, the Trojan drops two rootkit components (already detected as Troj/NTRootK-BY and Troj/Agent-FVT) designed to stealth its subsequent downloading activity.
Today’s mass-spamming used a similar (and somewhat predictable) theme to that in previous attacks, with female celebrities providing the lure. Subject lines and message bodies vary, but are along the ‘hot’, ‘new’, ‘game’ theme. Subject lines include:
Hot game
Hot pictures
Something hot
An example message body is as follows (offensive word obscured):
Amusing game. Angelina Jolie ***** Luke Skywalker... In your attachment.
The file attachment is a ZIP file (game.zip) containing just a copy of the Trojan (game.exe).
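As an added illustration (not SophosLabs code), the following Python filter applies the two observations above to an incoming message: a subject on the 'hot', 'new', 'game' theme and a ZIP attachment wrapping an executable. The sample message, the game.zip/game.exe names and the stub bytes inside the ZIP are constructed for the example; only the ZIP directory and the first two bytes of each entry are read, nothing is extracted.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly when double-clicked out of an archive.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
LURE_WORDS = {"hot", "new", "game"}   # subject-line theme from the campaign


def build_sample_message(inner_name: str = "game.exe",
                         inner_bytes: bytes = b"MZ" + b"\x00" * 62) -> bytes:
    """Constructed test message: 'Hot game' lure with game.zip attached.
    The default ZIP entry is a harmless stub carrying only the PE 'MZ' magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    msg = EmailMessage()
    msg["Subject"] = "Hot game"
    msg.set_content("Amusing game. In your attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="game.zip")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list[str]:
    """Reasons the message matches the dropper pattern; empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: attachment is not a valid ZIP")
            continue
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:   # read only the magic bytes, never extract
                magic = fh.read(2)
            if ext in EXEC_EXTENSIONS or magic == b"MZ":
                reasons.append(f"{name} contains executable {info.filename}")
    subject_words = set((msg["Subject"] or "").lower().split())
    lure_hits = sorted(LURE_WORDS & subject_words)
    if reasons and lure_hits:   # lure words alone are weak; report only beside an executable
        reasons.append("subject matches lure theme: " + ", ".join(lure_hits))
    return reasons
```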
Interestingly, looking at statistics for the past 24 hours from our email appliances, Mal/Dropper-L accounts for over 20% of malware blocked. This case provides a perfect example of how important it is to continually improve generic detections to combat current and persistent threats. In the past 5 days (i.e. since Mal/Dropper-L was published), SophosLabs have already harvested 6 different binaries (all variants of this same dropper).
Posted on August 8th, 2007 by Fraser Howard, SophosLabs UK
Filed under: Malware