Posted on August 12, 2008 - by CDS, 2 Comments

With the Olympics Festivities come a Slew of Cyber Attacks and New Phishing, Virus, and Spyware problems

The fellas over at Boing Boing posted this information regarding the Beijing Olympics Screensavers. PLEASE READ THIS IF YOU’VE DOWNLOADED ONE.


Boing Boing reader Bruce Satow tells us:

“I’m a Systems Administrator at a large university and I think I may have found something important, but not sure, but I think it is worth reporting. One of my friends said that it would be a good idea maybe to post this information somewhere that is popular, like Boing Boing. I’m a big Olympics fan so I often check the official Beijing 2008 Olympics page.

One of the sections is called the “fun page.”

This page has wallpapers and screensavers for your computer. I have reason to believe that the screensavers are keystroke logging programs hidden inside the Flash animation.

On my Windows XP workstation, I run Symantec Corporate Anti-virus, Zone Alarm Pro, as well as Spybot manually. I do many scans and security checks to make sure that my computer is never infected or compromised because of the type of work that I do.

Today I put on a wallpaper and installed one of the screensavers. The one I installed is called “The Spring of Beijing”. It is a Flash-based screensaver.

I set my screensaver to autolock the console so when it is running, you have to type in a password to unlock the screen. I had left my workstation unattended to do some work on another computer and when I came back to my computer, the screensaver was active and running. Normally, I just hit a key or move my mouse and the screensaver stops and then the login prompt appears requesting my password. However, this time the screensaver was still running, but I could not interrupt it. So I did a Ctrl-Alt-Del to stop the screensaver and I noticed that my Zone Alarm had gone off. A message balloon came up saying that the FlashForge Screensaver has a keylogger type program running and it had blocked access to the internet.

Then I thought — how clever. You have to type in your password to disable the screensaver, so basically it was sending the password and other information somewhere.

I did an anti-virus scan with the latest defs and a spybot scan with the latest updates, but it did not detect anything. I am not a Flash programmer so I really can’t validate my findings. I figure there are probably thousands of people who have downloaded this screensaver, and if they are not running some type of security program such as Zone Alarm Pro, it would go completely unnoticed and undetected. I am hoping that you guys might know someone who could dissect the screensaver and validate my findings. I hope that I am wrong about this, but somehow I feel that my finding is correct. I just don’t know enough about Flash programming to investigate it further.

The detection was made by Zone Alarm Pro with advanced settings. After the screensaver ran for a while, I came back to my computer and it was still running. I tried to interrupt it, but it would not stop. I did a Ctrl-Alt-Del to kill the screensaver and noticed the warning and process block from my Zone Alarm Pro.

Someone with some time might be able to set up a computer on an isolated network and to monitor packets coming from a Win XP Pro computer with that screensaver installed to see what the heck it is doing. I normally don’t get excited about things like this, but I thought it may be too important to just ignore.”

Regarding Mr. Satow’s testimony here to Boing Boing, Infowar Monitor editor Greg Walton tells us:

Such tactics are not only political weapons. The start of the Beijing Olympics last week kicked off a slew of malicious internet activity. Some are relatively indiscriminate – using malicious software embedded in innocent websites, often of news organisations with audience numbers boosted by their sports coverage, which then infects the visitor’s computer. Some are more sophisticated. MessageLabs, a security company, detected a bogus email sent to at least 19 national sporting organisations that purported to be International Olympic Committee information on media plans for the Games, but was actually carrying a trojan which takes control of the PC and scans all files and networks to steal information.

See this related news story in the Independent.

Related: Update on China/Tibet cyberattacks (and Russia/Georgia), and call for testimonials.

2 Comments




  1. September 10, 2009

    sandrar said:


    Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.



  2. September 10, 2009

    angelina jolie said:


    I love your site. :) Love design!!! I just came across your blog and wanted to say that I



