Trojan Horse Poses As Windows XP Update

A new Swen-style Trojan horse posing as a critical update from Microsoft has been detected on the Internet, and users who open the e-mail message may find their machines loaded

January 10, 2004

3 Min Read
Network Computing logo

A new Swen-style Trojan horse posing as a critical update from Microsoft has been detected on the Internet, and users who open the e-mail message may find their machines loaded with a back-door Trojan that can steal passwords or be used in conjunction with other systems to conduct major denial-of-service (DoS) attacks.

Dubbed Trojan.Xombe (as in zombie) by most security firms, the Trojan shares some characteristics of the Swen worm family in that it masquerades as a message from Microsoft and purports to carry a security update in its file attachment. However, unlike Swen -- a worm which first appeared last September -- Trojan.Xombe doesn't self-replicate.

"This Trojan was spammed out to a large number of computers overnight," said Ken Dunham, the director of malicious code at iDefense, a Reston, Va.-based security intelligence firm. By using spamming strategies, attackers hope to infect hundreds, even thousands, of machines before users realize what's up, or anti-virus companies can react with updated definition files.

The faux message, which sports a spoofed sending address of [email protected], uses the subject line 'Windows XP Service Pack 1 (Express) -- Critical Update' to trick recipients into opening the attached file.

"Window [sic] Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1)," the message's text reads in part. "To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1." The message goes on to urge the user to run the winxp_sp1.exe file attachment to re-install SP1, and recommends that anti-virus software be disabled, as it "may interfere with the installation."Lies. All lies.

"The Trojan definitely downloads malicious code and installs it on the system," confirmed Dunham. By his analysis, Trojan.Xombe downloads a back-door IRC Trojan horse to the compromised machine. Once that's installed, attackers can access the PC undetected, add other code to the computer -- such as key trackers for acquiring passwords -- and use the machine to launch DoS attacks on other machines.

Trojan.Xombe, and socially engineered attacks like it -- including phishing expeditions such as the MiMail worm, another exploit that pretends to be something it isn't in the hope that people will open the file attachment -- are the confirmation security professionals were looking for that 2004 will be a rough, rocky year.

"Attackers use the social engineering trends of the moment," said Vincent Weaver, senior director of Symantec's security response center. Touting a security update is only natural for hackers, he added, what with the increased awareness of many computer users of ongoing security issues with Windows.

Trojan.Xombe is also a good example of another trend first spotted in 2003, but certain to continue this year, said Dunham."Trojans are being integrated into almost every piece of malicious code," he said. More than anything, hackers today want to amass an army of compromised machines -- typically called zombies -- that they can then use for other purposes.

"A lot of people are worried about the next super worm," he said, "but that's not the real threat we'll see in 2004. The real threat is in Trojan horses. The goal of attackers is really about Trojans and remote control of other computers, for stealing passwords and targeted DoS attacks. It's not about fun and notoriety anymore. It's about money and power."

Security firms, including Symantec, Network Associates, and Sophos, have posted alerts on their Web sites warning users of Trojan.Xombe, but disagree on the severity of the problem. Symantec, for instance, currently ranks the Trojan as a level '2' threat in its 1 through 5 rating system, while Network Associates tags Xombe with a 'low' threat assessment.

The best defense against bogus e-mails carrying nasty payloads? "A lot of people see an e-mail and think that it's true," said Dunham. "But everything should be looked at with a degree of skepticism and concern, rather than trust."

Symantec's Weafer also reminded users that Microsoft never delivers security updates via e-mail, and urged people to scan suspicious messages for tell-tale signs of a scam, such as misspelled words and awkward syntax, both of which are evident in the message loaded with Trojan.Xombe.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights