Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have added
detection for a "proof-of-concept" spyware worm which poses as a
patch for Google's popular Gmail email service.
The W32/Gfail-A
worm has been designed to spread via email, but appears to have
been intentionally crippled by its author. The worm uses social
engineering to entice recipients into clicking on a malicious
attachment purporting to be a security update for Gmail's notifier,
but actually attempts to steal usernames and passwords from users
of the email service.
The emails have the following characteristics:
Subject line:
Critical patch for Gmail Notifier and Gmail web services!
Message text:
Dear User,
,due to the recent discoveries of a password vulnerability in Gmail
Notifier and a HTML-weakness on the Gmail website, we've after due
consideration decided to release an update by e-mail to ensure that
our customers are updated with the latest
protection.
Please consult the attachment for more information. The
details can be found below.
Sincerely,
The Gmail Team
Attached to the email is a copy of the worm (using a filename
chosen from GmailFix.rar, GmailUpdate.rar, GmailHotfix.rar,
GmailPatch.rar, GmailUpdate.exe, gnotify.exe, GmailHotfix.exe,
GmailUpdater.exe, or gmailupd.exe). Running this program displays a
message box claiming that installation was successful and that
users should now log into their Gmail account.
[Image: When executed, the Gfail worm displays a bogus installation message.]
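As an added example (not Sophos's code, nor anything from the worm itself), here is a Python check that a mail gateway or triage script could run over an incoming message to flag this lure: it matches the subject line and attachment filenames listed above, case-insensitively, and also flags any Gmail-themed executable or archive attachment, since Google does not ship fixes by email. The sample message it builds is constructed for illustration, and the addresses in it are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above; matched case-insensitively.
GFAIL_SUBJECT = "critical patch for gmail notifier and gmail web services!"
GFAIL_ATTACHMENTS = {
    "gmailfix.rar", "gmailupdate.rar", "gmailhotfix.rar", "gmailpatch.rar",
    "gmailupdate.exe", "gnotify.exe", "gmailhotfix.exe", "gmailupdater.exe",
    "gmailupd.exe",
}
RISKY_SUFFIXES = (".exe", ".rar")

def attachment_names(msg: EmailMessage) -> list:
    """Lower-cased filenames of every MIME part that carries one."""
    return [p.get_filename().strip().lower() for p in msg.walk() if p.get_filename()]

def check_gfail_lure(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report why (if at all) it looks like the lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join((msg["subject"] or "").split()).lower()  # unfold and normalise
    names = attachment_names(msg)
    reasons = []
    if subject == GFAIL_SUBJECT:
        reasons.append("subject matches the W32/Gfail-A lure")
    known = [n for n in names if n in GFAIL_ATTACHMENTS]
    if known:
        reasons.append("known Gfail attachment name: " + ", ".join(known))
    # Broader rule: a "Gmail" patch arriving as an executable or archive is
    # suspicious whatever it is called, because Google does not ship fixes this way.
    themed = [n for n in names if "gmail" in n and n.endswith(RISKY_SUFFIXES)]
    if themed and not known:
        reasons.append("Gmail-themed executable/archive attachment: " + ", ".join(themed))
    return {"suspicious": bool(reasons), "reasons": reasons, "attachments": names}

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message (not a real capture); addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "gmail-team@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Dear User,\nPlease consult the attachment for more information.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Feed `check_gfail_lure` the raw bytes of a real message as captured at the gateway; the `reasons` list is what you would log or attach to a quarantine verdict.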
However, the login screen displayed is fake and computer users
who enter their details risk having their Gmail username and
password stolen. The worm also attempts to turn off
security-related programs, leading to the possibility of further
hacker intrusion onto infected PCs.
"The guys at Google would never use email to get a security fix
to their users, so clued-up internet users should be instantly
suspicious if they receive this kind of message in their inbox,"
said Graham
Cluley, senior technology consultant for Sophos. "If hackers
manage to steal your Gmail username and password then they could
not only spy on you and read your past messages, but also
potentially commit identity fraud that could lead to serious
financial consequences. The good news is that this worm isn't
capable of spreading successfully, but future incarnations may pose
a greater danger. People need to be more aware of the risks
connected to running unsolicited email attachments."
[Image: The Gfail worm displays a fake login screen to steal usernames and passwords.]
According to experts at Sophos, more and more malicious software
is being written with the intention of spying on innocent users and
stealing information from them for financial gain.
"With people increasingly living their lives online, it's
essential that people secure their computers and behave safely when
on the internet," continued Cluley. "Hackers who gain access to
your web email account may not only be able to send emails in your
name, but may also stumble across usernames and passwords for other
websites you have registered with, past purchases and credit card
information, and even have access to your calendar and diary."
Interestingly, hidden inside the worm's code is the following
message from the malware's author, which never gets displayed to
infected users:
To AVers and the Gmail team - this project isn't and will
never be intended to steal any account details from ANYBODY,
instead it's just demonstrating an implementation of
social-engineering for a software used by thousands or maybe even
millions of people around the world with not much work. Thanks.
;)
Although the worm does not appear to spread successfully and
cannot be considered a serious threat in its present form, Sophos
has been automatically protecting its customers against the
W32/Gfail-A worm since 7:40 GMT on 2 November 2006.
Sophos recommends that companies protect their email gateways
with a consolidated solution to defend
against viruses, spyware and spam, as well as secure their desktop
and servers with automatically updated protection.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.