By Tom Espiner
Tuesday, January 24 2006 04:15 PM
URL: http://www.zdnetasia.com/news/security/0,39044215,39307229,00.htm

The British parliament was attacked late last year by hackers who tried to exploit the WMF flaw within Windows, security experts confirmed last week.

MessageLabs, the email filtering provider for the U.K. government, told ZDNet UK that targeted e-mail were sent to various individuals within government departments in an attempt to take control of their computers.

The attack occurred over the Christmas period and came from China, according to Mark Toshack, manager of antivirus operations at MessageLabs, who added that the e-mail were intercepted before they reached the government's systems.

"The attack definitely came from China--we know that because we log the IP addresses. The U.K. government was targeted but none [of the e-mail] got through. No-one was affected--they were attacked but they (the government) didn't know about it until we told them," said Toshack.

The vulnerability with the way that WMF images are handled by Windows was discovered in November 2005. In a WMF attack, exploit code is hidden within a seemingly normal image that can be spread via e-mail or instant messages.

The first exploit code targeting the flaw was detected on 29 December, but Microsoft did not issue a patch until 5 January, after a security researcher released his own, unofficial patch.

The attack occurred on the morning of 2 January, before Microsoft's official patch was available. The hackers tried to send e-mail that used a social-engineering technique to lure users into opening an attachment containing the WMF/Setabortproc Trojan.

The Trojan, had it been downloaded, would have allowed the attackers to view files on the PC. The hackers may also have been able to install keylogging malware, said Toshack, enabling attackers to see classified government passwords.

The attack was individually tailored, and sent to 70 people in the government, according to MessageLabs. It played on people's natural curiosity by purporting to come from a government security organization. The Trojan was hidden as an attachment called "map.wmf".

The body text of one of the e-mail read:

"Attached is the digital map for you. You should meet that man at those points separately. Delete the map thereafter. Good luck. Tommy"

The hackers could have been successful if the e-mail had reached their destinations, said Toshack. "It's like something you get from spooks--you can think 'I'm suddenly an MI5 agent.' You can see how it could work--it plays on people's romanticism about spies," Toshack suggested.

Speaking last November, Alan Paller, director of the SANS Institute, claimed that the Chinese government was employing malicious hackers.

"Of course it's the government. Governments will pay anything for control of other governments' computers. All governments will pay anything. It's so much better than tapping a phone," Paller told ZDNet UK.

Toshack could not confirm whether the Chinese government had been involved. "It is a Chinese hacker gang. I don't know if it is the Chinese government, and I don't know if it's the Chinese government paying a hacker gang," he said.

According to a Home Office source, the government is concerned about the threat posed by Trojan attacks. A Home Office spokesman would not confirm or deny an attack took place over Christmas.

"We do not comment on security matters, but have had discussions with many governments and computer emergency response teams from around the world on the matter of targeted Trojan attacks," a Home Office spokesperson told ZDNet UK.

The attempted attack on Parliament was first reported by The Guardian last week.