Posted: June 12, 2005
by: Shawn K. Hall
It's been one heck of a month so far. First we helped my mother move to the middle of nowhere with just about zero help - nearly a week of carrying boxes and furniture up and down stairs and driving 3 hours back and forth. Yuck. :(
Then I had the pleasure of dealing with mytob.
It's a monster. Not so much that it's a CodeRed or anything like that - it's just that it's a really convincing phishing attack. Outside of that it uses the same methods as every other paypal or eBay phishing attack. I believe it is one of the new strains of viruses which are built open source by virus-writing communities, which is the only way I can conceive of that would allow for the number of variants this thing has already, even though it's as young as it is.
It's getting worse every day, and since it uses various different mechanisms to cloak itself from the common scanning engines, it's going to be with us until the authors get bored with it (which is very unlikely).
Mytob is not going to go away anytime soon. It's a very well-written "social engineering" (also known as "phishing") virus. Basically, viruses on computers today can infect your computer in two ways:
The social engineering aspect of this is that it tries to convince you that you have to read their message and perform some action urgently in order to either maintain your account, services, privacy, or something else, and failure to do so could cause great duress or harm. They often provide alternative contact methods or what appear to be valid credentials, like logos, security validation mechanisms or even telephone numbers or postal addresses.
By including these they increase the trust level of a message and are able to convince the many people that just needed a "little bit of evidence" before doing whatever a message asks. Sometimes even opening a phishing message like these can infect your computer, but usually they require you to open an attachment or visit a certain link - the message might even tell you not to click the link from the email, but to copy and paste it into your browser!
That these security warnings are included in the actual phishing attack is what really convinces people that they are legitimate, and to trust the link anyway. Sigh.
Mytob primarily sends itself to known and likely addresses on domains using forged sender addresses. People from your YahooGroups or on your Contact List will not receive mytob from your email address. Instead they'll receive it from "admin@" or "security@" or "accounts@" or something else equally as legitimate-sounding, at their own domain. So when you, or them, receive email from "email@example.com" or "mail@YOUR-ISP" then you should delete it immediately!
Do not even look at the message. Currently mytob requires you to open an attachment. I estimate, at most, a week before variants exploit email program bugs that enable the viruses to spread without having to manually open the attachment.
A good virus scanner will help alleviate this. But it will not prevent you from infecting yourself. There are too many variants of this thing, and there will be too many more come tomorrow, for your antivirus to do more than play second fiddle. Second fiddle to what?
User education. Get a clue and use it. As always, the best way to ensure this doesn't affect you is to know better than to fall for it. It's harder to validate the legitimacy if you are using your ISP's email services (@aol.com, @earthlink.net or whatever), but you should be able to easily look at the sender of a message from your own domain and know if it's even possibly valid.
If you're getting email claiming to be from admin@ your own domain, delete it! Then call your host to make sure it wasn't valid. Do not open it. Do not open attachments. When that hair on the back of your neck is standing up and getting that fuzzy feeling, Don't do it. :)
As time permits I'm happy to help, however I can It's best if you email my group so others can benefit from the discussion.
There's also SaferPC:
It's written to be simple enough and provides links to online resources, virus scanners and describes the steps everyone should take to protect themselves.
Shawn K. Hall is a homeschool dad and a security consultant providing solutions for local businesses in the Tuolumne County, CA area. He owns and operates 12 Point Design, a professional web development company, providing hosting and security solutions in addition to website creations and maintenance. In his "spare time" Mr. Hall is also very active in many online forums where he freely gives of his time and talents to assist struggling web developers.