Feeds

An Outlook worm to jam NSA's Echelon

Well, sort of....

  • alert
  • submit to reddit

3 Big data security analytics techniques

UK-based anti-virus outfit Sophos is reporting a new variant of the LoveBug Outlook worm which contains a large amount of hidden text, apparently designed to attract the US National Security Agency's Echelon spy satellite network and overload it.

Comments within the executable file include large swaths of text such as:

"NSA national security agency code PGP GPG satellite cia yemen toxin botulinum mi5 mi6 mit kgb .mil mil base64 us defence intelligence agency admiral diplomat alert! BATF," and so on.

As for social engineering, this worm looks like a total non-starter. The subject line reads, !!!; the body reads, :-) MuCuX...; and then there's an attached file: echelon.vbs. We don't expect it to get very far.

Which is sort of a pity, really; the author has a few pertinent observations to make and questions to ask, such as "Stop Violence Pentagon. Why are you testing your new weapons on iraq? You are trying to protect children from porn but you are also killing them and other innocent people in iraq... ...and another thing... why are you using echelon type stupid things to listen around...?"

Why indeed, many reasonable people will wonder.

The virus was "written By Extirpater and beyin. (i am NOT from iraq, and not protecting iraq/islamic anyway)."

After introducing themselves, the authors then suggest, "hey others, lets fl00d the echelon..." and from there the whole slew of keywords commences.

These are believed to initiate an Echelon snoop session; but as we reported back in 1999, it's likely that Echelon relies on pattern-recognition rather than dictionaries, so loading millions of e-mails with tantalizing keywords really won't attract the machinery and bring the system down.

The new Outlook worm is also mildly destructive, and will over-write MP2 and MP3 files and .jpeg files by modifying their extensions; and, like the LoveBug which it resembles, mail itself to everyone on a victim's address list.

Also, "if the worm determines that mIRC (Internet Relay Chat) is installed on the system it will drop a mIRC script that will send the worm on via mIRC," Sophos says.

The company says they've had only one report of the worm in the wild, which is hardly a surprise considering its weak inducements to open the attachment.

Still, it's an amusing piece of work, if not much of a threat. And anyone who fears they might just be stupid enough to activate the attachment of an e-mail bearing the message, :-) MuCuX... is welcome to download Sophos' latest definitions here. ®

Below is the full text of the file's comments, as reported by Sophos:

Written By Extirpater and beyin. (i am NOT from iraq, and not protecting iraq/islamic anyway) Stop Violence Pentagon. Why are you testing your new weapons on iraq? You are trying to protect children from porn but you are also killing them and other innocent people in iraq... ...and another thing... why are you using echelon type stupid things to listen around...?< Hey others, lets fl00d the echelon... .gov @ NSA national security agency code PGP GPG satellite cia yemen toxin botulinum mi5 mi6 mit kgb .mil mil base64 us defence intelligence agency admiral diplomat alert! begin pgp message cert HQ password secret information Shamil Basaev BATF Tactical information broadcasting service netsec DEA Ayman Al Zawahiri RADINT ETA Fort Meade explosive gun conspiracy primer detonator initiator unicos al amn al-askari cray arpanet node backdoor mi-6 mi-5 terrorism SSCI sairi islamic revolution assembly not for public private korea diplomat wiretap Usame bin Laden DF ZARK SERT VIP ARC S.E.T set ssl hezbollah hizbullah afiwc compusec M51 phsical security division MOSSAD DDos denial of sevice don't try to contact me astel DH breaking machine Xu Yongyue agent agents national infrastructure air command control facility nm info Lieutenant tactical defcon mortars rpg7 propellants defensive evasion boobytraps secure internet rsa uzi buy hrt hk33ke aks-74 galil arm detcord pmk40 silencers timing devices information security naval yard sao reno jics computer terrorism NAIA SAPM ASU ECHELON ASTS RSP ISS JDF NAAP RSO encryption ASWS USDOJ SAMU COSMOS DATTA e99ll bill clinton george bush nash asis seal team 3 MSEE M.P.R.I top secret mossberg sursat 5926 telint fraud analyzer b61-7 sbu err SO13 reojdykarna airframe 510 EuroFed Avi shelter Cryto AG IDP RHL MP5K-SD sniper gign exon shell masuda eada shs NSWF sabotage nitrate Counter terrorism RCMP CTU CQB CONUS BOP CID thief NCSA ISACA ASVC spook words flashbangs magnum resta 777 666 MD2 MD4 MDA 747 boing domestic disruption smuggle Z-200 Security Consulting Keyhole NABS Kilderkin covert video pathfinders oscor merlin ntt sl-1 sr-71 sr71 f117 f-117 cornflower TNT rdx amfo hmtd lead azide styphante ddnp nitrostarch mines grenades rockets fuses nitrocellulose c4 ambush sniping spoof sniff sniffing sniffer motorcade assassination jtf-6 psyops privacy

High performance access to file storage

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.