Olympic Targeted Attacks Hidden in PDFs
SYDNEY, Australia – August 13, 2008 - MessageLabs has uncovered evidence of targeted malware being distributed in legitimate-looking International Olympic Committee (IOC) emails sent to participating nations' national sporting organisations and athlete representatives.
In this latest attack, at least nine domains were targeted with 57 emails containing press release and media information relating to the International Olympic Committee. The content of the messages appears to have been taken from the IOC website. A sample of one of the emails can be found here.
The malware was hidden within a PDF file attachment that used embedded JavaScript to drop a malicious executable onto the target's computer. The executable then compromises the machine, allowing confidential information to be leaked to an external party. The initial PDF itself is blank; when it is opened, the dropped executable presents the user with a non-blank PDF containing information similar to the press release used in the email body, convincing the user that the attachment is genuine. Most traditional signature-based anti-virus systems are unable to detect and stop targeted attacks such as this one. The original emails appear to have come from a number of Google Mail accounts, including international.olympic@gmail.com and international.olympic2008@gmail.com.
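The dropper pattern described above (embedded JavaScript, an action that runs when the document is opened, and a payload carried or launched from inside the file) can be triaged statically without a signature. The following is an added example written for this page, not MessageLabs' detection logic and not the sample analysed in the attack. The PDF it scans is constructed inline, is deliberately minimal (no valid cross-reference table), and hides its JavaScript action inside a Flate-compressed stream with a hex-escaped name, a common way to defeat a naive grep for `/JavaScript`; the `app.launchURL` call and `example.invalid` URL are placeholders that are never executed.

```python
"""
Static triage of a PDF for the indicators of the JavaScript dropper attack
described above. Added example; not MessageLabs' tooling. The sample PDF is
constructed here for demonstration only.
"""
import re
import zlib

# PDF name objects that make a document worth quarantining or sandboxing.
RISKY_NAMES = {
    b"/JavaScript", b"/JS",     # embedded script (the dropper mechanism)
    b"/OpenAction", b"/AA",     # actions that fire on open / on events
    b"/Launch",                 # launch an external program
    b"/EmbeddedFile",           # payload carried inside the PDF
    b"/RichMedia", b"/XFA",     # other active content
}

_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME = re.compile(rb"/[^\s/<>\[\]()%{}]+")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _normalise_name(raw: bytes) -> bytes:
    """Undo PDF #xx name escaping so /Java#53cript is seen as /JavaScript."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def _inflated_streams(data: bytes):
    """Yield the decompressed body of every Flate stream; skip the rest."""
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def scan_pdf(data: bytes) -> dict:
    """Return {name: count} of risky names found in the raw bytes and inside
    inflated streams. Dictionaries packed into compressed object streams are
    invisible to a scan of the raw bytes alone, hence the inflation pass."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF header")
    hits = {}
    for chunk in [data, *_inflated_streams(data)]:
        for name in _NAME.findall(chunk):
            name = _normalise_name(name)
            if name in RISKY_NAMES:
                key = name.decode()
                hits[key] = hits.get(key, 0) + 1
    return hits


def verdict(hits: dict) -> str:
    """Script plus an auto-run action or an embedded/launched payload is the
    dropper pattern from the attack; quarantine it rather than wait for a
    signature. Script or action alone is merely worth a look."""
    script = bool(hits.get("/JavaScript") or hits.get("/JS"))
    autorun = bool(hits.get("/OpenAction") or hits.get("/AA"))
    payload = bool(hits.get("/EmbeddedFile") or hits.get("/Launch"))
    if script and (autorun or payload):
        return "quarantine"
    if script or autorun or payload:
        return "review"
    return "clean"


def build_sample_pdf() -> bytes:
    """Constructed sample (assumption: not a real attack file). The catalog's
    /OpenAction points at a JavaScript action stored in a Flate stream, with
    the action name hex-escaped as /Java#53cript, plus an embedded payload."""
    js_dict = b"<< /S /Java#53cript /JS (app.launchURL('http://example.invalid')) >>"
    compressed = zlib.compress(js_dict)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed),
        compressed, b"\nendstream\nendobj\n",
        b"4 0 obj << /Type /EmbeddedFile /Length 4 >>\nstream\nMZ\x90\x00\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    found = scan_pdf(build_sample_pdf())
    print(found, "->", verdict(found))
```

The inflation pass is what makes this useful against PDF 1.5+ object streams, where the whole action dictionary can sit inside a compressed `/ObjStm`; it does not decode other filters (ASCIIHex, LZW, RunLength) or encrypted documents, and a PDF that legitimately uses JavaScript (forms, for instance) will land in the "review" bucket, which is the intended trade-off for a mail-gateway heuristic.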
In addition to the initial direct distribution, because the email and its attachment appeared legitimate to many recipients, it was subsequently forwarded in good faith to other news and sporting organisations.
Worldwide interest in the Beijing Olympic Games is now reaching a high point, and MessageLabs expects to intercept further targeted attacks as well as more general malware distribution that simply capitalises on interest in the Olympics. A variety of more general Olympic-themed malware has been intercepted by MessageLabs in recent weeks, including emails containing malicious attachments as well as web links to malware-hosting sites. Examples of Olympic-themed subject lines include the following:
• Beijing Olympics cancelled, moved to Atlanta
• Emailing: Beijing takes dog off the menu for Olympics - Yahoo! News
• Obama buys 10 million Olympics ad
• 2008 Olympic Games will possible not take place
• Athletes ponder wearing masks to fight pollution - Olympics - Yahoo! Sports
• 2008 Olympic Games are under the threat
• FW: Learn Chinese for the Olympics
The online threat landscape and China
Broadband adoption in China reportedly exceeded that in the US earlier this year, with more than 71.6 million subscribers compared with 70.2 million in the US, 21 million in Germany and 16.4 million in the UK (according to DITTBERNER, June 2008).
The China Internet Network Information Centre (CNNIC) reported that the country had more than 253 million internet users at the end of June, and China is now believed to have more web users than the US. With 12.18 million '.cn' domain names in circulation, China can also boast one of the largest country-code top-level domains, alongside Germany's .de.
The majority of the 12 million .cn domains are registered overseas, and the domain is favoured by malware authors as well as spammers. Part of the attraction of a .cn domain is aggressive price reductions on registrations, making it one of the least expensive domains to own; another is that it is much harder to close down a malicious site hosted in China. With the world's eyes on the Olympic Games in Beijing, this booming marketplace is expected to become an increasingly attractive target for cybercriminals.
Web Threats in China
With China now seeing huge Internet user growth and broadband adoption, and increased demand for .cn domains, China has become an attractive target for cybercriminals. It is worth noting that there are 1.92 million websites hosted in China (according to CNNIC), with 71.3% of them hosted under the .cn country-code top-level domain.
Analysis of MessageLabs Web Security activity during July 2008 identified that 4.4% of all web-based malware was hosted on .cn domains, making .cn the third most common top-level domain for malware hosting globally, behind .com and .mobi, as can be seen in the chart found here.
The majority of malicious web threats in July resulted from a recent rise in the number of legitimate sites being compromised through SQL injection attacks. Many of the malicious sites involved in such attacks were also hosted on .cn domains in July. For more information on this topic, please refer to the MessageLabs Intelligence Report for July 2008 (http://www.messagelabs.com/intelligence.aspx).
Spam in China
Internet use in China has grown significantly in recent months, giving users access to the very latest information such as breaking news online, as well as increased use of online shopping and online banking. Email use in China takes second place to instant messaging, with 81% of Chinese Internet users favouring IM compared with 56% who use email (according to CNNIC in January 2008), but this does not dissuade the spammers. At 72.9% of all email, the spam level in China compares with 79.8% in the US, 69.9% in the UK and 64.1% in Australia. As can be seen in the chart here, spam levels in China have increased in recent months.
As in the typical example linked below, more spam is now targeting Chinese domains and is written in Chinese rather than English, the ubiquitous language of spam. During the first half of 2008, approximately 0.03% of all spam worldwide was in Chinese. Interestingly, less than 1% of global spam actually emanates from China.
To see an example of this Chinese spam, click here. In this particular example, the sender's company purportedly has a presence in different parts of China and has spare invoices for sales, transportation, advertising, construction, etc.; anyone needing invoices (e.g. for their tax bill) is invited to contact them.
Email Malware in China
The level of email-borne malware targeting Chinese businesses peaked in July 2007, when 2.26% of emails (1 in every 44.2) carried some form of malware. Since the end of last year the level of email threats has diminished. In 2007 the malware landscape in China was dominated by mass-mailers such as Warezov, which also included an IM component used to spread itself. By July 2008 only 0.07% of emails (1 in 1,428) were malicious. This decline is largely due to the dwindling of mass-mailer email viruses, including Warezov, coupled with the transition from malware being spread via email to being spread via drive-by downloads on websites compromised for the purpose. To see a graph of this trend, click here.
About MessageLabs
MessageLabs is a leading provider of integrated messaging and web security services, with over 18,000 clients ranging from small businesses to the Fortune 500, located in more than 86 countries. MessageLabs provides a range of managed security services to protect, control, encrypt and archive communications across email, web and instant messaging. These services are delivered by MessageLabs' globally distributed infrastructure and supported 24/7 by security experts, providing a convenient and cost-effective solution for managing and reducing risk and for providing certainty in the exchange of business information. For more information, please visit www.messagelabs.com.
ENDS