Parliament attacked with WMF exploit
Parliament was attacked late last year by hackers who tried to exploit a recent serious Microsoft Windows flaw, security experts confirmed on Friday.
MessageLabs, the email-filtering provider for the UK government, told CNET.co.uk's sister site ZDNet UK that targeted emails were sent to various individuals within government departments in an attempt to take control of their computers. The emails harboured an exploit for the Windows Meta File vulnerability.
The attack occurred over the Christmas period and came from China, said Mark Toshack, manager of antivirus operations at MessageLabs, who added that the emails were intercepted before they reached the government's systems.
"The attack definitely came from China -- we know that because we log the IP addresses. The UK government was targeted but none of the emails got through. No one was affected. They were attacked, but the government didn't know about it until we told them," Toshack said.
The vulnerability in the way Windows handles WMF images was discovered in November 2005. In a WMF attack, exploit code is hidden within a seemingly normal image that can be spread via email or instant messages.
The first exploit code targeting the flaw was detected on 29 December, but Microsoft did not issue a patch until 5 January, after a security researcher released his own unofficial patch.
The Parliament attack occurred on the morning of 2 January, before Microsoft's official patch was available. The hackers tried to send emails that used a social-engineering technique to lure people into opening an attachment containing the WMF/Setabortproc Trojan horse.
The Trojan, had it been downloaded, would have allowed the attackers to view files on the PC. The hackers may also have been able to install keylogging malicious software, said Toshack, enabling attackers to see classified government passwords.
The attack was individually tailored and sent to 70 people in the government, MessageLabs said. It played on people's natural curiosity by purporting to come from a government security organisation. The Trojan was hidden as an attachment called 'map.wmf'.
The body text of one of the emails read:
"Attached is the digital map for you. You should meet that man at those points separately. Delete the map thereafter. Good luck. Tommy"
The hackers could have been successful if the emails had reached their destinations, said Toshack. "It's like something you get from Spooks -- you can think, 'I'm suddenly an MI5 agent.' You can see how it could work -- it plays on people's romanticism about spies," Toshack suggested.
Speaking last November, Alan Paller, director of the SANS Institute, claimed that the Chinese government was employing malicious hackers.
"Of course it's the government. Governments will pay anything for control of other governments' computers. All governments will pay anything. It's so much better than tapping a phone," Paller said.
Toshack could not confirm whether the Chinese government had been involved. "It is a Chinese hacker gang. I don't know if it is the Chinese government, and I don't know if it's the Chinese government paying a hacker gang," he said.
According to a Home Office source, the UK government is concerned about the threat posed by Trojan attacks. A Home Office representative would not confirm or deny that an attack took place over Christmas.
"We do not comment on security matters, but have had discussions with many governments and computer emergency response teams from around the world on the matter of targeted Trojan attacks," the Home Office representative told ZDNet UK.
The attempted attack on Parliament was first reported by The Guardian last week.