A devious new attack has debuted largely unnoticed and is infecting computers with trojans worldwide. The new attack, first discovered by anti-virus experts at BitDefender, uses fake e-Ticket emails to deliver malware to unsuspecting users.
With the advent of online ticket sales, many users have shown little hesitation in opening the .ZIP attachment to the messages, which generally bear the subject line "Buy Airplane Ticket Online". After all, the emails look legitimate and use the names and logos of major national or regional North American airlines.
When users download and open the attached file, it infects their computers with malware. Trojan.Spy.Zbot.KJ and Trojan.Spy.Wsnpoem.HA are among the malware used. The Trojan.Injector.CH family of threats is also beginning to be used with the messages.
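The lure described above (a known subject line plus a .ZIP attachment that hides an executable) is the kind of thing a mail gateway or incident responder can triage automatically. The following is an added example, not code from the original report or from BitDefender: it builds a constructed sample message with Python's standard `email` and `zipfile` modules, then scores it by subject, archive attachment and archive contents. The sender, recipient and attachment names are placeholders, and the "MZ placeholder" bytes are inert filler, not a real program.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Subject line reported for this campaign (compared case-insensitively).
SUSPECT_SUBJECTS = {"buy airplane ticket online"}
# Extensions that should never arrive inside an e-ticket archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_sample_message(subject, zip_member_name=None):
    """Construct a sample e-mail (constructed test data, not a real capture).

    If zip_member_name is given, a .zip attachment containing one member of
    that name is added; the member body is inert filler bytes.
    """
    msg = EmailMessage()
    msg["From"] = "tickets@example.invalid"   # placeholder sender
    msg["To"] = "user@example.invalid"        # placeholder recipient
    msg["Subject"] = subject
    msg.set_content("Your e-ticket is attached. Open it to confirm your flight.")
    if zip_member_name is not None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(zip_member_name, b"MZ placeholder, not executable code")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="eTicket.zip")
    return msg.as_bytes()


def triage_message(raw_bytes):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        findings.append("subject matches known lure")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        findings.append(f"zip attachment: {name}")
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    ext = os.path.splitext(member)[1].lower()
                    if ext in EXECUTABLE_EXTS:
                        findings.append(f"executable inside archive: {member}")
        except zipfile.BadZipFile:
            findings.append("zip attachment is not a valid archive")
    return findings


def verdict(findings):
    """Map findings to an action: quarantine, review or deliver."""
    has_lure = "subject matches known lure" in findings
    has_zip = any(f.startswith("zip attachment") for f in findings)
    has_exe = any(f.startswith("executable inside archive") for f in findings)
    if has_exe or (has_lure and has_zip):
        return "quarantine"
    if has_lure or has_zip:
        return "review"
    return "deliver"


if __name__ == "__main__":
    for subj, member in [("Buy Airplane Ticket Online", "eTicket.exe"),
                         ("Your itinerary", "itinerary.pdf"),
                         ("Team lunch", None)]:
        f = triage_message(build_sample_message(subj, member))
        print(f"{subj!r}: {verdict(f)} {f}")
```

The subject match is only a weak signal on its own (subject lines change from wave to wave), which is why the verdict escalates on the combination of lure plus archive, and on any executable found inside the archive regardless of subject.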
A similar, but less ambitious, attack was developed in July using JetBlue's logo and identity. It is suspected that the two campaigns may be the work of the same malware gang. The gang may also be connected to other recent attacks that used a similar attachment scam, in which malware-carrying attachments were disguised as overnight shipping reports.
Security experts warn that these recent attacks may help black hats gain access to corporate networks, whose users are typically savvy enough to avoid less official-looking schemes. BitDefender researchers describe the attacks stating, "The viruses in this campaign have rootkit components that help them to install and hide themselves on the compromised machine either in the Windows or Program Files directory. They inject code in several processes and add exceptions to the Microsoft Windows Firewall, providing backdoor and server capabilities."
The trojans sit listening on several Windows ports. They also try to download files from servers with domain names in the Russian Federation, indicating the attacks may be Russian in origin. Russia is gaining a reputation as a center for organized cyber-crime. The attackers may be seeking to use the infected computers to create a botnet for large-scale cyber attacks.
Sorin Dudea, head of the Antimalware Research Lab at BitDefender, warns "Users should be aware that without the appropriate security solution the integrity of their systems is at an extremely high risk. The Trojans this new malware distribution campaign delivers and the high rate of infections prove once again not just the [involved] cybercriminals' ingenuity, but also the lack of interest users show in terms of [maintaining appropriate] systems' defense and sensitive data protection."
Estimates of the number of computers infected by this latest round of scams are not yet widely available.