Trojan attacks at home cause office headaches

In a refreshing dalliance with reality, IT security companies are warning of king-sized headaches for enterprises customers as home PCs are hijacked and turned into spam and porn servers. A rapid escalation in Trojan attacks aimed at 'mum, dad and the kids' consumers is hitting employees who 'take their work home'. As usual, it is Windows-based machines that are in the frame.

The warnings come after a rash of incidents involving the so-called 'migmaf' Trojan (short for migrating or migrant mafia) where home PCs are backdoored making them into proxy servers and proceeding to dish out all manner of garbage, with enterprise systems frequently on the receiving end.

"Antivirus engines are just not picking this stuff up," says a clearly unimpressed Richard Rundle, Asia-Pacific manager of communication and security software vendor GFi who has resorted to hosting a free Web service where consumer-level users can check to see if they have been thumped by a Trojan.

"I'd say around 50 per cent of my customers have experienced a Trojan attack - not including those who are on the receiving end of the spam it generates. Unfortunately, a lot of people [consumers] download this sort of stuff quite willingly. All is quiet on the western front and then bang! You're a porn server. I don't believe there is anything the antivirus firms can do," Rundle said.

He claims part of the headache for enterprise is consumer perception. "If there's no classic buffer overflow, there's no problem for them. Consumer antivirus vendors really need to lift their game here."

Surf Control's vice president and technical director David Jones says he is seeing a similar phenomenon.

"The problem with firewalls is that this stuff tunnels through port 80. With this sort of spam, we are seeing more hacker and malware techniques. It's been suggested that the [migmaf] porn is a front for collecting credit card numbers. Like any spam you only need very small percentages [of response] to get a return."

An added concern, Jones says, are the number of users who don't realise that spam self-validates itself via the preview pane of mail applications. As the mail is viewed, content is requested from a server, which then logs the mail address as active, automatically escalating its value as a target.

Enterprise incident response director at consultancy Universal Defence, Umar Goldeli, is also unimpressed, saying while malware is getting more sophisticated users are not.

"This is just another Trojan which requires user intervention to get the ball rolling. Is it really that hard not to click on every attachment that arrives in one's inbox purporting to come from a 'Michelle'? Migmaf raises some amusing [legal] questions around 'content providers' and Australian legislation regarding Adult Content - administered by the Australian Communications Authority.

"For a 10-minute period [a migmaf compromised] Mr Joe Average is, technically, a bona fide porn site. The TCP session will initially be terminated at the PC. There are some variables regarding caching of content, and where the physical content actually resides, but I don't believe this has been legally tested yet."

Goldeli said there is an urgent need for end user education about security issues and the various liabilities and responsibilities involved in just being a plain Internet user.

Meanwhile antispam laws, due for imminent release, are starting to look a whole lot more complicated than first imagined.

Copyright © 2003 IDG Communications, Inc.

8 simple ways to clean data with Excel
Shop Tech Products at Amazon