Virus information - thought I would share

Discussion in 'The Bench' started by TXGS, Jan 13, 2004.

  1. TXGS

    TXGS Paint by numbers 70 GS 455 4spd

    I got this from my work (I work at a state agency) and thought it may be useful to everyone here.


    This advisory is just to caution you about a recent email you may have
    received at home regarding a Windows XP Update. This is unlikely to be a
    problem here at the CPA because you would never initiate a system update
    unless you were specifically instructed by someone in authority at our
    agency. But I think it is a good idea to share this report with you so you
    can be aware of this particular threat and ways to avoid having your home
    computers compromised.

    You may have seen something in the news about "Trojan.Xombe". Xombe, the
    latest in a string of backdoor programs designed to compromise Windows PCs,
    is capable of stealing passwords or turning compromised machines into
    components of an attack network under the control of unknown crackers.
    Infectious emails appear to come from windowsupdate@microsoft.com,
    containing the subject line: "Windows XP Service Pack 1 (Express) - Critical
    Update".

    The Xombe trojan downloader was sent as an email to some people (probably
    using spamming software) last Friday. Like the Swen worm, infectious emails
    contaminated by Xombe pose as a Windows security update. The message goes
    on to urge the user to run the winxp_sp1.exe file attachment to re-install
    SP1, and recommends that anti-virus software be disabled, as it "may
    interfere with the installation."

    "This Trojan was spammed out to a large number of computers overnight," said
    Ken Dunham, the director of malicious code at iDefense, a Reston, Va.-based
    security intelligence firm. By using spamming strategies, attackers hope to
    infect hundreds, even thousands, of machines before users realize what's up,
    or anti-virus companies can react with updated definition files. "A lot of
    people are worried about the next super worm," he said, "but that's not the
    real threat we'll see in 2004. The real threat is in Trojan horses. The goal
    of attackers is really about Trojans and remote control of other computers,
    for stealing passwords and targeted DoS attacks. It's not about fun and
    notoriety anymore. It's about money and power."

    In the case of Xombe, the infectious payload is designed to download another
    Trojan from the Internet and to load this malware onto a victim's computer.
    Once that's installed, attackers can access the PC undetected, add other
    code to the computer--such as key trackers for acquiring passwords--and use
    the machine to launch denial of service (DoS) attacks on other machines.

    The site housing this trojan (gamemaniacs.org) was disabled on Saturday,
    according to Finnish AV firm F-Secure. Even so, infected machines still need
    to be cleaned. Also, users should still be wary of suspicious-looking emails
    in their in-boxes.

    The best defense against bogus e-mails carrying nasty payloads? "A lot of
    people see an e-mail and think that it's true," said Dunham. "But everything
    should be looked at with a degree of skepticism and concern, rather than
    trust."

    Remember... Microsoft never delivers security updates via e-mail. You
    should look at suspicious messages for tell-tale signs of a scam, such as
    misspelled words and awkward syntax, both of which are evident in the
    message loaded with Trojan.Xombe.

    If you want to verify whether an emailed notice is valid, *do not click on a
    link in the email*. Open your Internet browser and go to the Microsoft web
    site directly to look for any reference to the update. Only download from
    web sites that you know are valid - never from a website you get to from a
    link in an email. If you want to check out the origin of the link, you can
    type in the first portion of the link in your browser or use a search engine
    (like www.google.com) to research the link. You can also contact Microsoft
    directly to ask about the validity of the notice. And be sure to keep your
    anti-virus and personal firewall software up-to-date!!

    I hope this information is useful to you. The security industry is
    anticipating more of this type of effort from hackers trying to dupe the
    public into giving them access to their computers or sensitive and
    confidential information that can be used for fraud and other malicious
    activity. We want to help you to avoid becoming a victim.
     
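The advisory above lists the tell-tale traits of the Xombe lure (a From address claiming microsoft.com, a "Service Pack 1 ... Critical Update" subject, a winxp_sp1.exe attachment, and text urging the reader to disable anti-virus) and notes that Microsoft does not deliver updates by e-mail. The script below turns those traits into a small triage check that parses a raw message and returns a list of findings. It is an added example and is not part of TXGS's post or the agency advisory; the two messages it inspects are constructed here for illustration (no real captured mail), the address domains are placeholders, and the rule thresholds are assumptions rather than any product's detection logic.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment extensions that a mail gateway should treat as executable.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")

# Subjects that claim to carry a vendor update; the advisory's point is that
# Microsoft never sends updates by e-mail, so "Microsoft + update" is itself a flag.
UPDATE_SUBJECT = re.compile(r"security update|critical update|service pack", re.I)

# "disable ... anti-virus" or "anti-virus ... disable" within one sentence.
DISABLE_AV = re.compile(r"disabl\w*[^.]{0,40}anti-?virus|anti-?virus[^.]{0,40}disabl", re.I)


def sender_domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if none."""
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""


def triage(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # 1. Displayed sender vs. envelope sender. A spoofed From usually does not
    #    match the Return-Path the receiving MTA recorded.
    from_dom = sender_domain(msg["From"])
    rp_dom = sender_domain(msg["Return-Path"])
    if from_dom and rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append("sender mismatch: From claims %s but envelope sender is %s" % (from_dom, rp_dom))

    # 2. Executable attachments, by name and by the MZ header of the decoded bytes.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_EXT):
            findings.append("executable attachment: %s" % name)
        elif payload[:2] == b"MZ":
            findings.append("attachment %s is a PE file despite its extension" % name)

    # 3. Social-engineering text telling the reader to turn off anti-virus.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if DISABLE_AV.search(text):
        findings.append("asks the reader to disable anti-virus")

    # 4. Vendor update announced by e-mail from the vendor's own domain.
    if UPDATE_SUBJECT.search(str(msg["Subject"] or "")) and from_dom.endswith("microsoft.com"):
        findings.append("claims to be a Microsoft update delivered by e-mail")

    return findings


def build_sample_lure():
    """Constructed message modelled on the lure described in the advisory (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Windows Update <windowsupdate@microsoft.com>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Windows XP Service Pack 1 (Express) - Critical Update"
    msg["Return-Path"] = "<bounce@mail.example.invalid>"  # placeholder relay domain
    msg.set_content(
        "Please disable your anti-virus software before running the attached "
        "winxp_sp1.exe to re-install Service Pack 1, as it may interfere with the installation."
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="winxp_sp1.exe")
    return msg.as_bytes()


def build_sample_benign():
    """Constructed ordinary notice that should produce no findings."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Reminder: password expires Friday"
    msg["Return-Path"] = "<helpdesk@example.invalid>"
    msg.set_content("Your password expires on Friday; change it through the normal logon prompt.")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        print(label, triage(raw) or ["no findings"])
```

The Return-Path check only means something when the header was written by your own receiving mail server; a sender can forge a Return-Path inside the message body just as easily as From, so in production read the envelope sender from the MTA's log or from the header your gateway stamps on delivery.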
