Symantec's MessageLabs tells WebProNews there is a new targeted attack using emails pretending to be from the New York Times. MessageLabs Intelligence tracked the attack yesterday, which used emails pretending to come from the NYT's "Times Reader" software, hitting six different domains. One domain was a public sector domain, one was a law firm, and three were to chemical companies, and one was an online gambling company in the UK.
"The email attacks originated from Greece from IP address 22.214.171.124 (aiolos.otenet.gr)," a MessageLabs representative tells us. "MessageLabs Intelligence can't see this being used as a botnet."
"When executed the "Times Reader Plugin.exe" uses iexplore.exe to send encrypted data over port 443 to 126.96.36.199," she continues. "It resolves to an address in Denmark, which looks like a computer on a home network. It doesn't display anything when you run the exe, so the victim wouldn't know they have been infected. The only indication is an iexplore.exe process running when there is no IE browser session open. It drops 2 files in the C:\windows\system32 directory as rundl32.exe and also rundl32. This dropped virus is a keylogger with rundl32 file containing what it is you are writing. After a while, the virus shuts down and deletes itself."
While the attack appears to be very targeted, it may prove to be a good idea to watch for such emails, particularly if you are a user of Times Reader.