Exploiting the Dalai Lama to Spread Malware

Given the penchant of online scammers to exploit high-visibility events for their own malignant purposes, security experts were unsurprised this week to learn that Myanmar has became a vehicle for planting malware on unsuspecting users of personal computers.

The e-mail scam publicized by endpoint security and control firm Sophos uses a Microsoft (Nasdaq: MSFT) Word file purportedly originating with His Holiness the Dalai Lama of Tibet to open a back door in a PC and download a malware Trojan.

The e-mail containing the infected Word document tries to persuade recipients to open the malicious file with the message:

Dear Friends & Colleagues, Please find enclosed a massage [sic] from His Holiness the Dalai Lama in support of the recent pro-democracy demonstrations taking place in Myanmar. This is for your information and can be distributed as you see fit.

Office of His Holiness the Dalai Lama

"It's a pretty sad state of affairs, but unfortunately it's not surprising," Sophos Senior Technology Consultant Graham Cluley told TechNewsWorld.

"Whenever there's a really big story in the news the hackers often follow quite quickly with their attempts to exploit it," he said.

Slave of Hackers

Once a PC is infected through the Word file, he continued, the machine becomes a slave to hackers.

"They can do whatever they like with it really," he noted. "They can send spam. They can steal information from you. They can log your keystrokes and steal your passwords."

The exploit, he explained, only works on machines with Word installed on them. If the Word file is opened by another program -- WordPerfect, Wordpad, OpenOffice and such -- the malicious code in the file won't execute.

Microsoft is investigating reports of malware being spread via e-mail that claims to come from the Dalai Lama, the company said, though it noted that none of the reports have come to Microsoft directly from customers.

Sneaking Through Filters

The use of attachments in e-mail messages has fallen into disfavor among hackers because many systems strip them from messages before they can arrive in a user's inbox. However, as a rule, it's difficult to zap all attachments.

"A lot of companies have filters in place that drop all executable attachments, but they usually still have to let Word, Excel and other Office formats through because people use so many of them," Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, told TechNewsWorld.

"That's how you can sneak past some of the filters people put in place," he added.

Luring Users

Using recognizable file formats also induces users to lower their guard when handling attachments, maintained Paul Henry, vice president for technology evangelism at Secure Computing.

"They're socially acceptable files," he told TechNewsWorld. "You'd expect to receive a Word file, a PDF, an Excel spreadsheet from other business people."

To counter the inclusion of malevolent code in respectable files and Web sites, Henry continued, white hats have started using anti-malware scanning.

"It's a step above what anti-virus software does," he said.

Anti-malware scanning, he explained, reads the code that will be executed by a Web site or contained in an e-mail attachment, and it analyzes the intent of that code: Is it trying to write to the Windows Registry? Is it trying to connect to the Internet to download a file?

"If it finds too much risk," he observed, "it simply blocks access to that information."

What to Do?

How can users protect themselves from attacks like the one in the Dalai Lama letter?

"First and foremost, make sure your operating system and applications have up-to-date patches," Shane Coursen, senior technical consultant with Kaspersky Labs, told TechNewsWorld.

"And don't open attachments in unsolicited e-mails," he added.