January 23, 2006 7:54 AM PST
British parliament attacked using WMF exploit
- Related Stories
Microsoft to hunt for new species of Windows bugJanuary 9, 2006
Week in review: Glitches, gadgets ruleJanuary 6, 2006
Experts question Windows win in flaw tallyJanuary 6, 2006
Microsoft pushes out Windows patch ahead of timeJanuary 5, 2006
New Windows Trojan causes confusionNovember 10, 2005
MessageLabs, the e-mail-filtering provider for the U.K. government, told ZDNet UK that targeted e-mails were sent to various individuals within government departments in an attempt to take control of their computers. The e-mails harbored an exploit for the Windows Meta File vulnerability.
The attack occurred over the Christmas period and came from China, said Mark Toshack, manager of antivirus operations at MessageLabs, who added that the e-mails were intercepted before they reached the government's systems.
"The attack definitely came from China--we know that because we log the IP addresses. The U.K. Government was targeted but none (of the e-mails) got through. No one was affected. They were attacked, but they (the government) didn't know about it until we told them," Toshack said.
The vulnerability with the way that WMF images are handled by Windows was discovered in November 2005. In a WMF attack, exploit code is hidden within a seemingly normal image that can be spread via e-mail or instant messages.
The British parliament attack occurred on the morning of Jan. 2, before Microsoft's official patch was available. The hackers tried to send e-mails that used a social-engineering technique to lure people into opening an attachment containing the WMF/Setabortproc Trojan horse.
The Trojan, had it been downloaded, would have allowed the attackers to view files on the PC. The hackers may also have been able to install keylogging malicious software, said Toshack, enabling attackers to see classified government passwords.
The attack was individually tailored and sent to 70 people in the government, MessageLabs said. It played on people's natural curiosity by purporting to come from a government security organization. The Trojan was hidden as an attachment called "map.wmf".
The body text of one of the e-mails read:
"Attached is the digital map for you. You should meet that man at those points separately. Delete the map thereafter. Good luck. Tommy"
The hackers could have been successful if the e-mails had reached their destinations, said Toshack. "It's like something you get from 'Spooks'--you can think 'I'm suddenly an MI5 agent.' You can see how it could work--it plays on people's romanticism about spies," Toshack suggested.
Speaking last November, Alan Paller, director of the SANS Institute, claimed that the Chinese government was employing malicious hackers.
"Of course it's the government. Governments will pay anything for control of other governments' computers. All governments will pay anything. It's so much better than tapping a phone," Paller said.
Toshack could not confirm whether the Chinese government had been involved. "It is a Chinese hacker gang. I don't know if it is the Chinese government, and I don't know if it's the Chinese government paying a hacker gang," he said.
According to a Home Office source, the U.K. government is concerned about the threat posed by Trojan attacks. A Home Office representative would not confirm or deny that an attack took place over Christmas.
"We do not comment on security matters, but have had discussions with many governments and computer emergency response teams from around the world on the matter of targeted Trojan attacks," the Home Office representative told ZDNet UK.
The attempted attack on Parliament was first reported by The Guardian last week.
Tom Espiner of ZDNet UK reported from London.
6 commentsJoin the conversation! Add your comment