By David Utter
Bad puns on movie titles aside, the various components of a recently spotted computer threat uses images from Tibet to entice people to accept an attack on their systems.
Seven Virus Pieces In Tibet
Tibet seems to be a popular topic for criminals seeking a route into people's computers. The country regularly receives a modest amount of press coverage over efforts to free Tibet from Chinese rule.
Malware distributors may be taking advantage of that mindset, as they chose a set of National Geographic photographs from 1940's-era Tibet to try and distract the viewer from the infection taking place. Security vendor Sophos
displayed a pair of the fantastic photos, which arrived in a CHM (compressed help file) attachment to an email.
"While you were busy looking at pictures of Tibet from the 1940's, a lot of things have been happening on your computer," wrote Sophos researcher Numaan Huq, who described the connections, downloads, and launches taking place in the background.
Researcher Elodie Grandjean at security vendor McAfee
broke down the infection process into a seven-part flowchart, after noting how this set of Tibet photos closely followed another Tibet-oriented spam campaign from a week earlier.
"Both are linked to the same remote servers and involve the same family of malware (Spy-Agent.cp), which is a multi-part trojan composed of a loader, an infostealer, a backdoor component and an update installer," said Grandjean.
The lesson remains the same: don't open attachments from unknown senders. Skidmore College
has the photo collection for those interested in a look at these images.