Trojan Horse Poses As Windows XP UpdateTrojan Horse Poses As Windows XP Update

A new Swen-style Trojan horse posing as a critical update from Microsoft has been detected on the Internet, and users who open the E-mail message may find their machines loaded with a back-door Trojan that can steal passwords or be used in conjunction with other systems to conduct major denial-of-service attacks.

Dubbed Trojan.Xombe, as in zombie, by most security firms, the Trojan shares some characteristics of the Swen worm line in that it masquerades as a message from Microsoft and purports to carry a security update in its file attachment. However, unlike Swen, a worm that first appeared last September, Trojan.Xombe doesn't self-replicate.

"This Trojan was spammed out to a large number of computers overnight," said Ken Dunham, director of malicious code at iDefense, a security-intelligence firm. By using spamming strategies, attackers hope to infect hundreds, even thousands, of machines before users realize what's up--or before anti-virus companies can update their definition files.

The faux message, which sports a spoofed sending address of [email protected], uses the subject line "Windows XP Service Pack 1 (Express)--Critical Update" to trick recipients into opening the attached file.

"Window [sic] Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1)," the message's text reads in part. "To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1." The message goes on to urge the user to run the winxp_sp1.exe file attachment to re-install SP1, and recommends that anti-virus software be disabled, as it "may interfere with the installation."

"The Trojan definitely downloads malicious code and installs it on the system," confirmed Dunham. By his analysis, Trojan.Xombe downloads a back-door IRC Trojan horse to the compromised machine. Once that's installed, attackers can access the PC undetected, add other code--such as key trackers for acquiring passwords--to the computer, and use the machine to launch denial-of-service attacks on other machines.

Trojan.Xombe, and socially engineered attacks like it--including phishing expeditions such as the MiMail worm, another exploit that pretends to be something it isn't in the hope that people will open the file attachment--are the confirmation security professionals were looking for that 2004 will be a rough year.

"Attackers use the social engineering trends of the moment," said Vincent Weaver, senior director of Symantec Corp.'s security response center. Touting a security update is only natural for hackers, he added, because of the increased awareness among many computer users of ongoing security issues with Windows.

Trojan.Xombe is also a good example of another trend first spotted in 2003, but certain to continue this year, said Dunham. "Trojans are being integrated into almost every piece of malicious code," he said. More than anything, hackers want to amass an army of compromised machines--typically called zombies--that they can use for other purposes.

"A lot of people are worried about the next super worm," he said, "but that's not the real threat we'll see in 2004. The real threat is in Trojan horses. The goal of attackers is really about Trojans and remote control of other computers, for stealing passwords and targeted DoS attacks. It's not about fun and notoriety anymore. It's about money and power."

Security vendors, including Symantec, Network Associates, and Sophos, have posted alerts on their Web sites warning users of Trojan.Xombe, but disagree on the severity of the problem. Symantec ranks the Trojan as a level 2 threat in its 1-through-5 rating system, while Network Associates tags Xombe with a "low" threat assessment.

The best defense against bogus E-mails carrying nasty payloads? "A lot of people see an E-mail and think that it's true," said Dunham. "But everything should be looked at with a degree of skepticism and concern, rather than trust."

Symantec's Weafer also notes that Microsoft never delivers security updates via E-mail. He urged people to scan suspicious messages for tell-tale signs of a scam, such as misspelled words and awkward syntax, both of which are evident in the message loaded with Trojan.Xombe.