Has your phone been wiretapped? The Dorf Trojan wants you to think so

November 20, 2007 Sophos Press Release

IT security and control firm Sophos is warning of a new Trojan horse that tries to scare recipients into believing that their telephone conversations are being recorded, a ruse ultimately intended to push people into buying bogus security software for their computer.

The Troj/Dorf-AH Trojan horse has been spammed out attached to an email claiming that the sender is a private detective listening to your phone calls. The "detective" claims that he will reveal who has paid for the surveillance at a later date, but that in the meantime the recipient should listen to a recording of a recent phone call (which is attached to the email as a password-protected RAR-archived MP3 file).

A typical email reads, in part, as follows:

I am working in a private detective agency. I can't say my name now. I want to warn you that i'm going to overhear your telephone line. Do you want to know who is the payer? Wait for my next message.

P.S. I'm sure, you don't believe me. But i think the record of your yesterday's conversation will assure you that everything is real.

The emails claim that a private detective is wiretapping your telephone conversations.

In reality, however, the MP3 file is not an audio file of a telephone conversation, but a malicious executable program that downloads further malware from a dangerous website and installs it onto the victim's computer. Amongst these downloads is a piece of scareware which displays a fake Windows Security Center alert and tries to convince the victim to purchase bogus security software.

Scareware installed by the Dorf Trojan tries to fool you into buying fake security software.

Sophos experts note that a hacking gang has been making different attempts to infect people with this ruse for a couple of weeks - however, initial attempts failed to work properly.

"It's a case of from defective to detective for this attack. The first spam-run of this Trojan horse failed for the malware authors because they made fundamental mistakes in their code. Now their emails are capable of infecting the unwary, while posing as a private investigator," said Graham Cluley, senior technology consultant at Sophos. "If you fall for the trick and try and listen to the alleged recordings of your phone conversations then you will actually be unwittingly installing malware directly onto your PC. Home users and businesses need to defend their email with protection against the latest virus and spam attacks."

"It may seem hard to believe that anyone would fall for a trick like this, but it wouldn't be a surprise if people tried to run the attachment just out of curiosity as to what it contained," continued Cluley. "Some may even assume it is a joke recording and not realise they are putting their computer, and indeed their wallet, in danger."

Sophos products protect against this latest version of the Dorf malware, ensuring that customers do not become infected. Users of solutions from other vendors are advised to update their protection.

Sophos recommends companies protect themselves with a consolidated solution which can control network access and defend against the threats of spam, hackers, spyware and viruses.