Zombie builders send out phone texts

Hackers are trying a cell phone approach to try to dupe people into downloading a Trojan horse program.
Written by Tom Espiner, Contributor

Hackers are trying to lure people to a malicious Web site using cell phone text messages, a security company has warned.

The blended attack uses social engineering techniques in its attempt to trick people to the site, security vendor Websense said in an advisory. An SMS text message is sent to the targets' cell phones, thanking them for subscribing to a fictitious dating service. The message states that they will be automatically charged a fee of US$2.00 per day via their phone bill, unless their subscription is cancelled online.

The same message has also been sent multiple times to the comments section of numerous bulletin boards, Websense said. The attack began on Friday in the United States and was first detected by Sunbelt Software, a security software vendor, Websense said.

Once victims visit the purported dating site to unsubscribe, they are prompted to download a Trojan horse program. (A Trojan horse is malicious software that disguises itself as another kind of application.) The attackers provide instructions on how to bypass security warnings in Internet Explorer, Websense said.

After the Trojan horse--a variant of a program Websense calls "Dumador"--is installed, it turns the computer into a "zombie," allowing it to be remotely controlled by the hackers. The compromised machines then become part of a "bot" network, which can then be used to launch distributed denial-of-service attacks.

"This is definitely the first time we've seen this specific approach," said Ross Paul, a senior product development manager at Websense. "Basically, they're taking a social engineering attack vector with a lot of users."

Websense said it had been monitoring the attacks, but couldn't divulge the identity of those responsible or say whether it was collaborating with the authorities on the case.

"In general, these kinds of attack are perpetrated by organized rings of people. In some cases we know their nicknames, which we share with law enforcement. We regularly share information with the police, when that makes sense," Paul said.

Websense could not say how many users had been affected by the attack. Monitoring botnet activity is "very difficult" to do because of the crossborder nature of the networks, Paul said.

The Dumador Trojan allows hackers to use HTTP to control the bots and trigger them to upload information. Typically, the most popular method of bot control is through Internet Relay Chat (IRC).

Editorial standards