Dorf trojan spreads wiretapping scare, warns Sophos
November 2007 by Sophos
IT security and control firm Sophos is warning of a new Trojan horse that tries to dupe recipients into believing that their telephone conversations are being recorded, in a ruse to ultimately scare people into buying bogus security software for their computer.
According to Sophos, the Dorf-AH Trojan horse has been spammed out attached to an email claiming that the sender is a private detective listening to your phone calls. This ‘detective’ claims that he will reveal who has paid for the surveillance at a later date, but in the meantime the recipient should listen to a recording of a recent phone call (attached to the email as a password-protected RAR-archived MP3 file). In reality, however, the MP3 file is not an audio file of a telephone conversation, but a malicious executable program that downloads malware from a dangerous website and installs it onto the victim’s computer.
An extract from a typical email reads as follows:
‘I am working in a private detective agency. I can’t say my name now. I want to warn you that i’m going to overhear your telephone line. Do you want to know who is the payer? Wait for my next message.
P.S. I’m sure, you don’t believe me. But i think the record of your yesterday’s conversation will assure you that everything is real.’
Amongst the malware downloaded is a piece of scareware which displays a fake Windows Security Center alert and tries to convince the victim to purchase bogus security software. Sophos experts note that a hacking gang has been making numerous attempts to infect people using this ruse over the past few weeks. However, initial attempts failed to work properly.
"This attack has gone from defective to detective - these private dicks failed first time round because they made fundamental mistakes in their malware code. Now, in this latest case, the authors’ emails are more than capable of infecting the unwary," said Graham Cluley, senior technology consultant at Sophos. "If you fall for the trick and try to listen to the alleged recordings of your phone conversations, you’ll actually install malware directly onto your PC. Home users and businesses need to defend their email gateways with protection against the latest virus and spam attacks."
More information about the Dorf Trojan can be found on the SophosLabs blog: http://www.sophos.com/security/blog/2007/11/798.html
"It may seem hard to believe that anyone would fall for a trick like this, but it wouldn’t be a surprise if people tried to run the attachment just out of curiosity," continued Cluley. "Some may even assume it is a joke recording and not realise they are putting their computer, and indeed their wallet, in danger."
Sophos products proactively protect users against this latest version of the Dorf malware. Users of solutions from other vendors are advised to update their protection.
Sophos recommends companies protect themselves with a consolidated solution which can control network access and defend against the threats of spam, hackers, spyware and viruses.