
'Microsoft' E-Mail Trojan Harvests New Victims

configure on 21 March 2002 - 09:38

Flaws in the W32/Gibe mass-mailing worm have prevented it from becoming anything like the Internet epidemics of Melissa and LoveBug. But the recent malicious code has introduced a new technique that could help future worms spread fast and wide, experts said Tuesday.

Gibe, which masquerades as a security update from Microsoft, is the first Internet worm to harvest e-mail addresses of potential victims from online directories, according to researchers at McAfee's Anti-Virus Emergency Response Team (AVERT).

The technique has helped Gibe, first identified in late February, to infect thousands of people in 39 countries, according to statistics kept by MessageLabs.

Like many garden-variety Internet worms, Gibe also attempts to propagate by automatically sending copies of itself to addresses in the victim's Microsoft Outlook address book.

However, testing by AVERT researchers has uncovered coding flaws in the worm that appear to prevent Gibe's Outlook-spreading component from working reliably.

Clever "social engineering" has played a big part in enabling Gibe to snare unwary computer users, experts said. The Trojan horse travels as an attachment named Q216309.EXE in a message forged to appear to come from Microsoft -- despite the fact that the big software company never sends updates by e-mail.

But Gibe's novel technique for scouting potential victims has captured the attention of virus researchers, despite the worm's low-risk rating.

News source: Newsbytes - 'Microsoft' E-Mail Trojan Harvests New Victims


Born with a three-letter last name like Aod or Doe or maybe even Zap? If you've also registered your e-mail address with Yahoo's People Search directory, the odds of getting a copy of Gibe in your in-box are much higher than those of people with multisyllabic last names, experts said.

According to AVERT research engineer Craig Schmugar, a component program installed by Gibe named WinNetw.exe attempts to dig random, three-letter last names out of public e-mail databases operated by Yahoo and Massachusetts-based Switchboard.

In studies by AVERT, the worm failed to retrieve any addresses from Switchboard.com, apparently because the service's search page requires both a first and last name.

However, Gibe has considerable success at Yahoo's e-mail directory, according to Schmugar.

The worm appears to generate searches in which the first and third letters are random consonants, with the middle letter a random vowel, he said.

And Gibe's harvesting component is nothing if not persistent. When it conducts a search at Yahoo, Gibe "just keeps searching and searching. It does not appear that there is a finite number of times," said Schmugar.

When it's lucky enough to hit on a last name that produces several pages of search results, Gibe has the smarts to gobble all of them up, he said.

When notified of the Gibe worm's use of the company's People Search directory today, Yahoo officials implemented unspecified "preventative measures," according to spokeswoman Mary Osako.
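As an added illustration, not part of the Newsbytes article and not a description of what Yahoo actually did, the following Python sketch shows the kind of server-side check a directory operator could run over its own access logs to spot the search pattern Schmugar describes: many surname-only queries of consonant-vowel-consonant shape from one client, some of them walking a multi-page result set. The log lines, the client addresses and the `/search?last=...&first=...&page=...` URL layout are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"
# The consonant-vowel-consonant shape the article attributes to the worm's searches.
CVC_RE = re.compile(rf"[{CONSONANTS}][{VOWELS}][{CONSONANTS}]")

# Combined Log Format: client, identity, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Constructed access-log lines for a hypothetical directory whose search endpoint
# takes ?last=, ?first= and ?page=. This URL scheme is an assumption for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Mar/2002:09:38:01 +0000] "GET /search?last=bab HTTP/1.0" 200 2048
10.0.0.5 - - [21/Mar/2002:09:38:02 +0000] "GET /search?last=bac HTTP/1.0" 200 2048
10.0.0.5 - - [21/Mar/2002:09:38:03 +0000] "GET /search?last=bad HTTP/1.0" 200 2048
10.0.0.5 - - [21/Mar/2002:09:38:04 +0000] "GET /search?last=lim HTTP/1.0" 200 4096
10.0.0.5 - - [21/Mar/2002:09:38:05 +0000] "GET /search?last=lim&page=2 HTTP/1.0" 200 4096
10.0.0.5 - - [21/Mar/2002:09:38:06 +0000] "GET /search?last=lim&page=3 HTTP/1.0" 200 4096
10.0.0.5 - - [21/Mar/2002:09:38:07 +0000] "GET /search?last=ram HTTP/1.0" 200 2048
10.0.0.5 - - [21/Mar/2002:09:38:08 +0000] "GET /search?last=zap HTTP/1.0" 200 2048
10.0.0.9 - - [21/Mar/2002:09:40:00 +0000] "GET /search?first=john&last=smith HTTP/1.0" 200 2048
10.0.0.9 - - [21/Mar/2002:09:41:00 +0000] "GET /search?last=doe HTTP/1.0" 200 2048
10.0.0.7 - - [21/Mar/2002:09:42:00 +0000] "GET /search?last=kim HTTP/1.0" 200 2048
10.0.0.7 - - [21/Mar/2002:09:43:00 +0000] "GET /search?last=lee HTTP/1.0" 200 2048
"""


def is_cvc_surname(name: str) -> bool:
    """True for a three-letter consonant-vowel-consonant surname such as 'Zap'."""
    return CVC_RE.fullmatch(name.lower()) is not None


def parse_line(line: str):
    """Extract the client address and search parameters from one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, _method, target, _status, _size = m.groups()
    qs = parse_qs(urlsplit(target).query)
    try:
        page = int(qs.get("page", ["1"])[0])
    except ValueError:
        page = 1
    return {
        "client": client,
        "last": qs.get("last", [""])[0],
        "first": qs.get("first", [""])[0],
        "page": page,
    }


def find_harvesters(lines, min_distinct: int = 5) -> dict:
    """Flag clients that issue many surname-only searches of CVC shape.

    Returns {client: {"distinct_cvc": n, "extra_pages": n, "requests": n}} for
    every client with at least min_distinct distinct CVC surnames searched.
    """
    stats = defaultdict(lambda: {"cvc": set(), "extra_pages": 0, "requests": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        # A person looking someone up usually supplies a first name as well;
        # the worm's queries carried only a generated surname.
        if rec["first"] == "" and is_cvc_surname(rec["last"]):
            s["cvc"].add(rec["last"].lower())
            if rec["page"] > 1:
                s["extra_pages"] += 1  # client is walking a multi-page result set
    return {
        c: {"distinct_cvc": len(s["cvc"]), "extra_pages": s["extra_pages"], "requests": s["requests"]}
        for c, s in stats.items()
        if len(s["cvc"]) >= min_distinct
    }


if __name__ == "__main__":
    for client, info in find_harvesters(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

In the constructed sample only 10.0.0.5 crosses the threshold; 10.0.0.9 supplies a first name and searches "doe", which is not CVC, and 10.0.0.7 stays below the distinct-surname count. A production version would bucket counts by time window rather than over a whole batch, since the article's point is that the worm searched without any apparent stopping condition.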

While Gibe's e-mail harvesting technique can potentially produce a huge list of possible victims, the method may not necessarily generate lots of new infections, experts said.

Unlike worms that snarf e-mail addresses from Outlook or the Windows address book, or by rummaging through the victim's browser cache, Gibe's technique produces addresses with no obvious connection to the victim.

According to Roger Thompson, malicious code analyst with TruSecure Corp., many of the most successful mass-mailing worms achieved their results because incoming infected messages often arrived from friends, co-workers, or other trusted parties.

When it successfully infects a Windows computer, Gibe creates a "back door" on the system on TCP port 12378 that enables a remote attacker to take control of the victim's computer.

Fortunately, the Gibe worm does not appear to travel well. Many corporations follow the advice of experts and reject executable attachments at their e-mail gateways. And filters in the latest versions of Outlook can shield users from malicious Trojans such as Gibe.

What's more, over half of the samples of Gibe received by AVERT have been damaged in transit such that their file headers are corrupt.

As a result of this bug, the booby-trapped Gibe attachments often do not run or infect a system even if recipients double-click on them. That's good news for gullible computer users everywhere -- regardless of their last names.
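The two defences the article closes on, rejecting executable attachments at the e-mail gateway and the observation that a sample with a corrupt file header will not run, can both be expressed in code. The Python example below is added here and is not from the article or from any vendor: it parses a constructed message in the shape described (a forged "update" carrying an attachment named Q216309.EXE), rejects it by extension, and separately reports whether the attachment's DOS/PE header is intact. The sender and recipient addresses, the blocked-extension list and the attachment bytes are assumptions; the bytes are a synthetic header stub, not the worm. It also goes one step beyond the article by catching a PE file that arrives under a harmless-looking name.

```python
import email
import os
from email.message import EmailMessage
from email.policy import default

# Extensions a gateway following the article's advice refuses outright (assumed list).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}


def looks_like_pe(data: bytes) -> bool:
    """True if data carries an intact DOS stub whose e_lfanew field points at a
    'PE\\0\\0' signature. A sample whose leading bytes were damaged in transit,
    as the article describes for over half of AVERT's samples, fails this check."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def inspect_message(raw: bytes) -> dict:
    """Return a gateway verdict for one RFC 822 message.

    Rejects any attachment with a blocked extension, and any attachment whose
    bytes are a PE executable regardless of the name it was given.
    """
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        valid_pe = looks_like_pe(payload)
        if ext in BLOCKED_EXTENSIONS:
            # Rejected on name alone; valid_pe is recorded only for the log,
            # since a damaged sample is still unwanted mail.
            findings.append({"filename": name, "reason": "blocked extension", "valid_pe": valid_pe})
        elif valid_pe:
            findings.append({"filename": name, "reason": "executable content under a harmless name",
                             "valid_pe": True})
    return {"verdict": "reject" if findings else "accept", "findings": findings}


# --- constructed sample data (placeholder addresses, synthetic bytes) ---
def build_sample(attachment: bytes, filename: str = "Q216309.EXE") -> bytes:
    """Assemble a message in the shape the article describes: a forged Microsoft
    'update' notice with an executable attached."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security Center <updates@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Internet Security Update"
    msg.set_content("Install the attached update immediately.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Minimal intact PE header: 'MZ' stub, e_lfanew = 0x40, 'PE\0\0' at offset 0x40.
INTACT_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
# The same bytes with the stub signature mangled, like the damaged samples AVERT received.
CORRUPT_PE = b"\xff\xfe" + INTACT_PE[2:]

if __name__ == "__main__":
    samples = [
        ("intact exe", build_sample(INTACT_PE)),
        ("corrupt exe", build_sample(CORRUPT_PE)),
        ("renamed exe", build_sample(INTACT_PE, filename="update.dat")),
        ("plain text", build_sample(b"hello", filename="notes.txt")),
    ]
    for label, raw in samples:
        print(label, inspect_message(raw))
```

The extension check is the one the article credits corporate gateways with; the header check shows why the damaged samples were harmless even when double-clicked, and the magic-byte branch closes the obvious gap of an executable renamed to slip past an extension list.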
