
'Free Tibet' Message Masks Rootkit Malware

Watch out if you receive an e-mail with a Flash animation ridiculing a Chinese gymnast and calling for a free Tibet. It's likely the entertaining little clip is hiding a piece of malware that will log your keystrokes. Security experts are warning that malware creators are taking advantage of the news coverage of the Tibet freedom protests to get you to let your guard down.


Malware creators are taking advantage of the controversy over the upcoming Olympic Games to spread their wares for illicit financial gain. Latching onto the Free Tibet political demonstrations that have spread around the world, would-be thieves have embedded a piece of rootkit malware that logs keystrokes in an executable Flash movie file called "RaceForTibet."

IT security experts have issued alerts warning people to be extra cautious when clicking on links that download executable files from Web sites, as well as opening unsolicited e-mails from unknown senders.

Putting the Word Out

Experts at McAfee warned a little over a week ago that malware creators were hacking into pro-Tibet Web sites and infecting them with malware that could then be injected into site visitors' PCs.

A Trojan dubbed "Fribet" with sophisticated features that enabled it to access end users' databases had been embedded in hacked Web sites and subsequently downloaded to site visitors' PCs by exploiting a Windows vulnerability.

The "RaceForTibet" rootkit malware surreptitiously installs a keystroke logger on end users' PCs once they open the Flash movie file, which uses a cartoon to mask its malware payload. The captured data is reportedly sent to a computer in China. The cartoon ridicules the effort of a Chinese gymnast and then displays images supporting a free Tibet.
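The disguise described above, a native executable passed off as a Flash cartoon, can be caught at a mail gateway or endpoint by comparing a file's header bytes with what its name claims. The following is an added example, not code from the article or from any vendor it quotes; the byte strings are constructed stand-ins, and the file names only borrow the "RaceForTibet" label from the story.

```python
import struct

# Constructed sample inputs (not real malware): a minimal SWF header and a
# minimal Windows PE stub, standing in for an attachment that is described
# as a Flash cartoon but is really a program.
SWF_SAMPLE = b"FWS" + bytes([9]) + struct.pack("<I", 64) + b"\x00" * 56
PE_SAMPLE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
             + b"PE\x00\x00" + b"\x00" * 60)

MEDIA_EXTENSIONS = (".swf", ".avi", ".mpg", ".mpeg", ".gif")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif")


def identify(data: bytes) -> str:
    """Classify a blob as 'swf', 'pe' or 'unknown' from its header bytes."""
    # Uncompressed (FWS), zlib (CWS) and LZMA (ZWS) Flash movies
    if len(data) >= 8 and data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"
    # DOS stub 'MZ'; the dword at 0x3C points at the 'PE\0\0' signature
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def triage_attachment(name: str, data: bytes) -> dict:
    """Compare what the file name implies with what the bytes actually are."""
    lower = name.lower()
    actual = identify(data)
    if actual == "pe":
        # Native code arriving as a "movie" is the RaceForTibet pattern: the
        # lure is the animation, the payload is the program that plays it.
        verdict, reason = "block", "executable content"
    elif lower.endswith(MEDIA_EXTENSIONS) and actual == "unknown":
        verdict, reason = "mismatch", "media name, unrecognised content"
    elif lower.endswith(EXECUTABLE_EXTENSIONS) and actual != "pe":
        verdict, reason = "mismatch", "executable name, non-PE content"
    else:
        verdict, reason = "allow", "name and content agree"
    return {"name": name, "actual": actual, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    for name, blob in (("RaceForTibet.swf", SWF_SAMPLE),
                       ("RaceForTibet.exe", PE_SAMPLE),
                       ("RaceForTibet.swf", PE_SAMPLE)):
        print(triage_attachment(name, blob))
```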

The latest round of malware discoveries exploiting the attraction of high-profile international news and events further defines a trend that has been in the making for quite some time, one that relies on the most basic social engineering as well as the growing use of multimedia files, the growing popularity of social networks and the latest wrinkles in malware delivery mechanisms. They also add to the ballooning body of evidence that today's malware creators are in it for the money.

A Growing Trend

"In the very early days of viruses we saw examples of politically motivated malware. The 'Stoned' virus displayed a marijuana leaf and had a message about legalizing marijuana. In the past, the reason for using viruses was because they spread ... it helps get the message out," recounted Randy Abrams, director of technical education at security specialist ESET. "A politically motivated virus is not likely to include a damaging payload as that would not help generate sympathy for the cause. Additionally, in the early days most people had not figured out how to monetize malware."

That's all changed, however. It wouldn't make sense for authentic pro-Tibet advocates to send out malicious software with a pro-Tibet message. Though there are likely to be some pro-China proponents that would view such an effort positively, it doesn't make good sense for them either, Abrams pointed out.

"The problem is that there are enough people sophisticated enough to assume it was a ruse by the pro-China faction, and this cannot escape notice by those folks. Most intelligent people on the pro-China side would realize the high potential for such malware to make them look bad," he theorized.

To Abrams' mind, this leaves the cybercriminal element as the most probable perpetrator of malware attacks such as the RaceForTibet Flash movie-keylogger and Fribet Trojan.

"This leaves the same criminal element that sends fake e-cards, fake porn videos, and uses other social engineering attacks. The criminals who are trying to engage in identity theft and financial theft don't really care who looks good or bad," he told TechNewsWorld.

More to Come

Plugged into the ever-expanding global media machine, cybercriminals have a wealth of subjects that can serve as masks for their malware attacks. "The criminals are watching the news. Anything newsworthy is social-engineering worthy," Abrams warned.

"The one political attack I have seen involved a spam run that appeared to come from one of the presidential candidates a few months ago. A candidate's server was hacked and the spam sent to make them look bad. In this case there was no attempt to infect computers or steal money, though.

"It really isn't so much about politically-charged events as it is about anything that is big news. Since politics is often big news, it will be used as part of social engineering attacks. The fallout, aside from theft, is that some groups will be tarnished by actions not associated with them. They are collateral damage and not even likely to be considered by the actual malware authors."
