
Fake Microsoft Service Pack is Xombe Trojan

Jan 9, 2004

By Sean Michael Kerner

Another day, another virus.

Unsuspecting Internet users were greeted Friday with an e-mail message purportedly from windowsupdate@microsoft.com to update their computers. The message has the subject line: Windows XP Service Pack 1 (Express) – Critical Update. Problem is, the message isn’t from Microsoft and the patch is actually a back door Trojan.

Initially, security firms reported this virus as a variant of the Swen worm of last September, but later reports identified it as a new Trojan.

“The confusion early on that this was a version of Swen is just an example that this has been used before,” Ian Hameroff, Computer Associates’ director of eTrust Security Solutions, told internetnews.com. The new Trojan has now been named and identified as Xombe, which has no worm capabilities. Xombe is a downloader Trojan, which downloads an executable file from a Web site that’s programmed to launch a DDoS attack against another server.

Spotting the difference between what is legitimate and what’s a fake or ‘spoofed’ e-mail has become increasingly difficult. “The sophistication and the degree of effort being put into these types of attacks has gone up. You used to be able to spot these by spelling errors and grammar,” said Ken Dunham, director of malicious code at security firm iDefense.

Dunham told internetnews.com the Xombe attack was part of the continuing evolution of social engineering attacks. Social engineering attacks appear to come from a legitimate source and convince gullible users to perform an action, such as opening an attachment or clicking a link to activate or download the virus package. Dunham contends that there are large numbers of home users that have no anti-virus software and are regularly exploited.

“This is the malicious attackers’ playground of choice. It’s a heyday for them to have so many gullible non-security conscious computer users to attack that have no security on their computers or very little at all.”

Simply running anti-virus software may not always be enough. Xombe, for example, was designed to avoid detection by most anti-virus programs. There is a small window of vulnerability that sometimes exists between the time a virus is discovered and when definitions and signatures are put out by anti-virus vendors.

“There is no gain in writing a virus that is caught by the virus centers. They’re always trying to find ways to avoid what we’re doing to stop them,” according to Kevin Haley, group product manager at Symantec.

Verifying the validity of e-mail is a complicated issue. The average computer user is bombarded on a daily basis by spam, potential viruses and spyware.

“I would venture to say that you don’t need to have a paranoid view of e-mail,” CA’s Hameroff said. “You should have an enlightened view of how you read your e-mail messages.” He recommends a combination of tools and best practices for e-mail usage and viewing.
