British parliament attacked using WMF exploit

The British Parliament was attacked late last year by hackers who tried to exploit a recent serious Microsoft Windows flaw, security experts confirmed on Friday.

MessageLabs, the e-mail-filtering provider for the U.K. government, told ZDNet UK that targeted e-mails were sent to various individuals within government departments in an attempt to take control of their computers. The e-mails harbored an exploit for the Windows Meta File vulnerability.

The attack occurred over the Christmas period and came from China, said Mark Toshack, manager of antivirus operations at MessageLabs, who added that the e-mails were intercepted before they reached the government's systems.

"The attack definitely came from China--we know that because we log the IP addresses. The U.K. Government was targeted but none (of the e-mails) got through. No one was affected. They were attacked, but they (the government) didn't know about it until we told them," Toshack said.

The vulnerability with the way that WMF images are handled by Windows was discovered in November 2005. In a WMF attack, exploit code is hidden within a seemingly normal image that can be spread via e-mail or instant messages.

The first exploit code targeting the flaw was detected on Dec. 29, but Microsoft did not issue a patch until Jan. 5, after a security researcher released his own unofficial patch.

The British parliament attack occurred on the morning of Jan. 2, before Microsoft's official patch was available. The hackers tried to send e-mails that used a social-engineering technique to lure people into opening an attachment containing the WMF/Setabortproc Trojan horse.

The Trojan, had it been downloaded, would have allowed the attackers to view files on the PC. The hackers may also have been able to install keylogging malicious software, said Toshack, enabling attackers to see classified government passwords.

The attack was individually tailored and sent to 70 people in the government, MessageLabs said. It played on people's natural curiosity by purporting to come from a government security organization. The Trojan was hidden as an attachment called "map.wmf".

The body text of one of the e-mails read:

"Attached is the digital map for you. You should meet that man at those points separately. Delete the map thereafter. Good luck. Tommy"

The hackers could have been successful if the e-mails had reached their destinations, said Toshack. "It's like something you get from 'Spooks'--you can think 'I'm suddenly an MI5 agent.' You can see how it could work--it plays on people's romanticism about spies," Toshack suggested.

Speaking last November, Alan Paller, director of the SANS Institute, claimed that the Chinese government was employing malicious hackers.

"Of course it's the government. Governments will pay anything for control of other governments' computers. All governments will pay anything. It's so much better than tapping a phone," Paller said.

Toshack could not confirm whether the Chinese government had been involved. "It is a Chinese hacker gang. I don't know if it is the Chinese government, and I don't know if it's the Chinese government paying a hacker gang," he said.

According to a Home Office source, the U.K. government is concerned about the threat posed by Trojan attacks. A Home Office representative would not confirm or deny that an attack took place over Christmas.

"We do not comment on security matters, but have had discussions with many governments and computer emergency response teams from around the world on the matter of targeted Trojan attacks," the Home Office representative told ZDNet UK.

The attempted attack on Parliament was first reported by The Guardian last week.

Tom Espiner of ZDNet UK reported from London.

Well

That the problem you get in the windows world; a lot more exploit than the Linux world.

[203129769353146603573853850462]

Others got this e-mail...

...so there's no msytery here. I was a popular social-engineering trick.

[203129769353146603573853850462]

Others got this e-mail...

...so there's no msytery here. It was a popular social-engineering trick.

[Marcus Westrup]

Misinformation

The comment: "The attack definitely came from China--we know that because we log the IP addresses", is not worthy of a security professional.
Why must a group intent on espionage stage an attack from their home country? It's easy to hack into Chinese networks these days, and anyone in the world (including groups in the UK) can use this to disguise where attacks really originate. It's an old trick that works well.
Where is the hard evidence?

Classified Info on the Internet?

The claim made in this story proves to me that the author has no clue of how the government protects classified data. "The hackers may also have been able to install keylogging malicious software, said Toshack, enabling attackers to see classified government passwords." Sorry - but I seriously doubt that the Brits are storing classified data on their systems connected to the public Internet.

[Loknar54]

Bravo to Message Labs
I don't know how many of the five that wrote a comment were CF Inspectors but I think the point of the whole thing was to bring to lite the vigilance of Message Labs in preventing a major disaster. No matter what operating system you have, or program or application, there is going to be flaw in it! You have to be smarter than the average bear and catch the crook before he can cause damage... and Message Labs did just that! WTG