Katrina Scammers Try To Infect PCs, Steal IDs
"[We knew] it would only be a amount of time before someone did this," said Ronnie Manning, a spokesperson for Web security firm Websense in an e-mail to TechWeb.
Websense was researching a malicious Web site posing as a Katrina news site, added Manning, saying that the site included encoded JavaScript that tries to exploit a pair of Internet Explorer vulnerabilities. If successful, a Trojan horse is surreptitiously installed on machines of people who surf to the site. By mid-day Websense had posted an official alert on the scam.
"[The code] is almost verbatim with what we saw in early August used in an Iraqi news scam," said Dan Hubbard, Websense's senior director of security and research.
Two Web sites were hosting the malicious code, one based in Mexico, another out of the U.S., and both, said Websense, were up and running as of noon PDT Thursday.
"One of the unique things about this Trojan is that it appears to be using a toolkit called Yoda that allows the author to create pseudo-polymorphic code," added Hubbard. A polymorphic virus or worm changes the contents of the file it installs each time it infects a computer. "It's a way to thwart anti-virus signatures," Hubbard said.
U.K.-based Sophos, on the other hand, called the same Trojan "Cgab.a" and said that it's installed on users' PCs after they receive e-mail with subject headings such as "Re: q1 Katrina killed as many as 80 people." If the recipients click on the embedded link to reach the malicious site, the site exploits the IE vulnerabilities to install a backdoor Trojan which in turn adds other malware, including spyware- and phishing-style keyloggers.
If this sounds familiar, it should.
"Similar to the [SE Asian] tsunami tragedy, this hurricane is another dreadful natural disaster that these ruthless hackers are exploiting in order to break into computers for spamming, extortion, and theft," said Gregg Mastoras, a senior security analyst for Sophos, in a statement.
Secure Computing, a Seattle-based security firm, found yet another site, this one hosted in Poland, that the Katrina news spam points to. The routine is slightly different on the Polish site, however, because it also includes a manual "social engineering" infection tactic. While the IE-exploiting Trojan attempts to automatically compromise any PC visiting the site, if the user's anti-virus software detects and destroys that Trojan, there's still another way for the hacker to victimize systems.
"Clicking on the Zotob ad [on the site] offers 'You can check your computer for Zotob worm using small removal tool,'" said David Burt, a spokesperson for Secure Computing. But clicking on the included "Download" link loads a Trojan horse, not any anti-Zotob utility.
It's likely, said Websense's Hubbard, that more Katrina scams are on the horizon. Every two days, he said, Websense imports all new registered domain names for evidence of possible phishing trends.
"We found more than 100 sites that were registered using various combinations of the words 'katrina' and 'donate' or 'disaster' in the last two days," said Hubbard.
While some of those are legit, Hubbard said, many aren't, or have been cached by criminals in anticipation of using them as phishing sites. "We see this all the time. As soon as a hurricane is named, a few sites get registered. It picks up if the hurricane gets stronger."
Some of these domain names have been placed for sale on eBay, with claims by their sellers that part or all of the proceeds will go to the American Red Cross relief effort, or those of other charities.
One such auction listed two domains, "hurricanekatrina.com" and "hurricanekatrinasdevastation.com," at a starting bid of $3,999. Although the first domain was registered more than 18 months ago, the second, hurricanekatrinasdevastation.com, was registered only Wednesday, August 31. Another auction, with an opening bid of $4,800, is for a typo-afflicted site, katrinareleif.com that the seller boasted "If you owned the correct spelling of this .com name your traffic would be huge. As a typo this name will get more traffic then every domain name that is not the properly spelled katrina relief name."
The misspelled domain was registered Tuesday, August 30.
"These people, they're on top of things," said Hubbard.