Targeted email attacks – DOC, PDF etc.
Recently a PDF-based exploit was discovered – it was possible for a time to turn a PDF file into a virus. With pinpoint focus, attackers were sending these engineered files to target groups they wanted to attack. Two lines of attack were pursued.
For one type of attack, an attacker would intercept a legitimate email sent by someone in a target group, say a Tibetan exile. The attacker would then create an infected DOC or PDF and send the infected file to as many of that individual’s contacts as possible. The trick was to add custom content that the recipient might believe, like “here’s the latest news from Tibet.”
The key question is, how does the attacker know whom to send the infected file to? [1]
[1] I don’t actually know the answer to my question. But, since I’ve received a couple such viruses, I will make a guess. It makes sense that there are groups that target other groups. In the case of Tibet Support Groups [TSGs] there are people interested in hindering the TSG activities. The attackers can assemble a list of email addresses from among their potential targets. Then, when the opportunity arises, they can send their virus out to their list. Usually the virus is sent from a Yahoo, Hotmail or Gmail account that was created just for the purpose, with a likely-sounding name — manufactured just for the attack. The account can just be abandoned after the attack.
For more information, see The Snooping Dragon.
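The pattern described above (a familiar-sounding name on a freshly made webmail account, carrying a DOC or PDF) can be checked for at the receiving end. The following is an added example, not code from the original post; the address book, the `freemail.example` stand-in domain and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; freemail.example is a constructed stand-in.
FREE_WEBMAIL = {"yahoo.com", "hotmail.com", "gmail.com", "freemail.example"}
RISKY_EXTENSIONS = (".doc", ".pdf")
# Constructed address book: display name -> address the contact really uses.
KNOWN_CONTACTS = {"tenzin dorje": "tenzin@tsg.example"}

# Constructed sample message imitating the lure described on the page.
SPOOFED = """\
From: Tenzin Dorje <tenzin.dorje2008@freemail.example>
To: friend@tsg.example
Subject: latest news from Tibet
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here's the latest news from Tibet.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="news.pdf"

(constructed placeholder body)
--b1--
"""
# Same message sent from the contact's real address.
GENUINE = SPOOFED.replace("tenzin.dorje2008@freemail.example", "tenzin@tsg.example")


def triage(raw_message, contacts=KNOWN_CONTACTS):
    """Return reasons to quarantine a message, or [] if the pattern is absent."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    names = ((part.get_filename() or "").lower() for part in msg.walk())
    attachments = [f for f in names if f.endswith(RISKY_EXTENSIONS)]
    sender_flags = []
    expected = contacts.get(name)
    if expected and expected != addr:
        sender_flags.append("display name of a known contact, unknown address")
    if addr.rpartition("@")[2] in FREE_WEBMAIL and addr not in contacts.values():
        sender_flags.append("webmail sender not in address book")
    # Flag only the combination: a suspicious sender AND a DOC/PDF attachment.
    if sender_flags and attachments:
        return sender_flags + ["attachment: " + f for f in attachments]
    return []
```

A non-empty result is a reason to confirm with the named contact through another channel before opening the attachment; it does not prove the file is infected.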
Malware: it’s software that does bad stuff.

