Monday, January 24, 2005

Worm Steals CNN Headlines To Stay Timely, Fool Users

TechWeb News , 24-Jan-2005

A new worm uses breaking news -- and a devious technique to keep itself up-to-date -- to dupe recipients into opening attachments, an anti-virus firm said Friday.

U.K.-based security vendor Sophos said that the Crowt.a worm grabs its subject lines, message content, and attachment names from headlines culled in real-time from CNN's Web site.

The worm's subject and attachment filename constantly change to mirror the top headline on CNN.com, while the e-mail message's text is also hijacked from CNN.

The idea is to fool recipients into thinking that they're reading a legitimate newsletter or news brief rather than looking at payload-carrying message about to infect their PC.

Crowt.a also slips in a backdoor component that tries to record keystrokes and send the stolen info to the hacker, an element of many worms that are meant not only to give the attacker later access to the infected computer, but also lets them walk off with valuable passwords or bank account information.

"This latest ploy feeds on people's desire for the latest news," said Carole Theriault, a security consultant at Sophos, in a statement. "Many people subscribe to legitimate email news updates...virus writers are always looking for new tricks to entice users into running their malicious code."