Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have added detection for a "proof-of-concept" spyware worm which poses as a patch for Google's popular Gmail email service.
The W32/Gfail-A worm has been designed to spread via email, but appears to have been intentionally crippled by its author. The worm uses social engineering to entice recipients into clicking on a malicious attachment purporting to be a security update for Gmail's notifier, but actually attempts to steal usernames and passwords from users of the email service.
The emails have the following characteristics:
Subject line: Critical patch for Gmail Notifier and Gmail web services!
,due to the recent discoveries of a password vulnerability in Gmail Notifier and a HTML-weakness on the Gmail website, we've after due consideration decided to release an update by e-mail to ensure that our customers are updated with the latest protection.
Please consult the attachment for more information. The details can be found below.
The Gmail Team
Attached to the email is a copy of the worm (using a filename chosen from GmailFix.rar, GmailUpdate.rar, GmailHotfix.rar, GmailPatch.rar, GmailUpdate.exe, gnotify.exe, GmailHotfix.exe, GmailUpdater.exe, or gmailupd.exe). Running this program displays a messagebox claiming that installation was successful, and that users should now log into their Gmail account.
When executed the Gfail worm displays a bogus installation message.
However, the login screen displayed is fake and computer users who enter their details risk having their Gmail username and password stolen. The worm also attempts to turn off security-related programs, leading to the possibility of further hacker intrusion onto infected PCs.
"The guys at Google would never use email to get a security fix to their users, so clued-up internet users should be instantly suspicious if they receive this kind of message in their inbox," said Graham Cluley, senior technology consultant for Sophos. "If hackers manage to steal your Gmail username and password then they could not only spy on you and read your past messages, but also potentially commit identity fraud that could lead to serious financial consequences. The good news is that this worm isn't capable of spreading successfully, but future incarnations may pose a greater danger. People need to be more aware of the risks connected to running unsolicited email attachments."
The Gfail worm displays a fake login screen to steal usernames and passwords.
According to experts at Sophos, more and more malicious software is being written with the intention of spying on innocent users and stealing information from them for financial gain.
"With people increasingly living their lives online, it's essential that people secure their computers and behave safely when on the internet," continued Cluley. "Hackers who gain access to your web email account may not only be able to send emails in your name, but may also stumble across usernames and passwords for other websites you have registered with, past purchases and credit card information, and even have access to your calendar and diary."
Interestingly, hidden inside the worm's code is the following message from the malware's author which never gets displayed to infected users:
To AVers and the Gmail team - this project isn't and will never be intended to steal any account details from ANYBODY, instead it's just demonstrating an implementation of social-engineering for a software used by thousands or maybe even millions of people around the world with not much work. Thanks. ;)
Although the worm does not appear to spread successfully and cannot be considered a serious threat in its present form, Sophos has been automatically protecting its customers against the W32/Gfail-A worm since 7:40 GMT on 2 November 2006.
Sophos recommends that companies protect their email gateways with a consolidated solution to defend against viruses, spyware and spam, as well as secure their desktop and servers with automatically updated protection.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.