You may be the target of e-mailed spyware hidden in booby-trapped attachments that variously pose as images from a National Geographic article by Tolstoy Ilia, imitate a "UNPO Statement of solidarity", or otherwise masquerade as useful documents.
Pro-human-rights groups and individuals, especially those sympathetic to the anti-China protests in Tibet, are under cyberfire from targeted, sophisticated spyware that is being systematically modified to evade anti-virus software.
The malware is a feat of social and software engineering that appears to be aimed at stealing not only the usual passwords but also records of the activities and identities of participants in the targeted networks.
Their social engineering techniques include:
- Messages about a well-known individual or group that is not named in the body, with an attachment named after that individual or group, which invites the recipient to open it.
- Well-researched message bodies that are believable throughout, not merely plausible at a glance.
- Well-crafted attachments that, for example, really do open as PDF documents while silently installing a keylogger, which thereafter forwards everything typed on the machine to a server in China.
In addition to logging and forwarding keystrokes, the attackers collect and forward passwords and other data. According to the McAfee Avert Labs blog, those include:
- Microsoft Windows Version
- Windows Environment Strings
- MAC address
- List of the active processes, their PPID and PID
- Outlook Passwords
- Hotmail Passwords
- Deleted Outlook Account passwords
- IE Password-Protected sites passwords
- MSN Explorer Signup passwords
- IE AutoComplete Passwords
- IE Auto Complete Fields
- Cached passwords
The goal of these attacks is not vandalism but espionage.
As the author of a remarkably detailed F-Secure Weblog entry put it:
Somebody is trying to use pro-Tibet themed emails to infect computers of the members of pro-Tibet groups (in order) to spy on their actions.
The identity of the attacker or attackers has apparently not been established, although Computerworld reports that the FBI is investigating a possible China connection to the related break-in at the Save Darfur Coalition site earlier this week.
It is important not to rush to a conclusion, lest we waste resources and even make new enemies defending ourselves against the wrong foe. The available data do not appear to identify the culprit, even by defensible implication.
Greg Walton, who provides IT support for Tibetans and researches Chinese computer espionage at the University of Sunderland in the United Kingdom, put it to InformationWeek this way:
These attacks are sophisticated. We can only speculate where they're coming from. We can say the control servers are based in China. But these servers can just be stepping stones.
The origin of the attacks matters less than being sure you are well protected against them. Ordinary anti-virus software is of questionable value against this foe, since the attackers keep altering their malware so that its signature changes, and adjust their lures as targets harden themselves.
Yet the e-mailed files must be opened by someone before they can install themselves. Sound security practice forbids opening e-mail attachments that are not both expected and clearly identified as originating from a trusted source.
Analysis of the malware in this case makes clear that where these attacks have succeeded, it is because sound policy was either not followed or never implemented.
So this is a good time to review security policies and make sure everyone in your network of trust understands and adheres to them.
Attacks like these first surfaced more than half a decade ago, and they have grown steadily more sophisticated since. Even if you have so far dodged the bullet, chance favors the prepared mind, whether individual, organization or network. Prepare, for they will come for you in good time.
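Policy alone does not stop a well-crafted attachment; a technical check at the gateway or on the desk catches the cases the policy is meant to prevent. The following script is an added example, not code from the original post or from any of the labs it cites. It parses a raw e-mail message, extracts each attachment, and flags the tricks described above: a file named .pdf whose bytes are actually a Windows executable, a double extension such as "statement.pdf.exe", and a genuine PDF carrying active content (launch actions, scripts, embedded files) of the kind a dropper needs in order to "open as a PDF" and still install something. The sender addresses, file names and attachment bytes are constructed sample data, and the list of suspicious PDF keys is an illustrative subset, not a complete signature set.

```python
"""Triage of e-mail attachments that claim to be documents (added example)."""
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Dict, List

PE_MAGIC = b"MZ"          # DOS/PE executable header
PDF_MAGIC = b"%PDF-"      # every real PDF starts with this
DOCUMENT_EXTS = {"pdf", "doc", "xls", "ppt", "rtf", "jpg"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# PDF object keys that introduce code execution or hidden payloads (illustrative subset)
SUSPICIOUS_PDF_KEYS = (b"/Launch", b"/JavaScript", b"/JS", b"/EmbeddedFile")


def classify_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should be quarantined; [] means it passed."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    # "document.pdf.exe": most mail clients hide the real, final extension
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension disguises an executable as a document")
    if last in EXECUTABLE_EXTS:
        reasons.append("executable attachment")
    # Trust the bytes, not the name: an .exe renamed to .pdf still starts with MZ
    if data.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTS:
        reasons.append("PE header under a non-executable extension")
    if last == "pdf" and not data.startswith(PDF_MAGIC):
        reasons.append("named .pdf but has no PDF header")
    if data.startswith(PDF_MAGIC):
        hits = [k.decode() for k in SUSPICIOUS_PDF_KEYS if k in data]
        if hits:
            reasons.append("PDF contains active content: " + ", ".join(hits))
    return reasons


def triage_message(raw: bytes) -> Dict[str, List[str]]:
    """Map each attachment file name in a raw RFC 822 message to its quarantine reasons."""
    msg = email.message_from_bytes(raw)
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue                      # body text or multipart container, not an attachment
        payload = part.get_payload(decode=True) or b""
        findings[name] = classify_attachment(name, payload)
    return findings


def build_sample(filename: str, data: bytes) -> bytes:
    """Construct a lure message of the kind the post describes (sample data, hypothetical addresses)."""
    msg = MIMEMultipart()
    msg["From"] = "solidarity@example.org"
    msg["To"] = "activist@example.net"
    msg["Subject"] = "UNPO Statement of solidarity"
    msg.attach(MIMEText("Please see the attached statement."))
    part = MIMEApplication(data, Name=filename)
    part["Content-Disposition"] = f'attachment; filename="{filename}"'
    msg.attach(part)
    return msg.as_bytes()


# Constructed attachments: a renamed executable, a double-extension lure,
# a PDF with a launch action, and a harmless PDF for comparison.
SAMPLES = {
    "solidarity.pdf": b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00",
    "statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "article.pdf": b"%PDF-1.4\n1 0 obj<</Type/Action/S/Launch/F(cmd.exe)>>endobj\n",
    "photo.pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        for attachment, reasons in triage_message(build_sample(name, data)).items():
            print(attachment, "->", reasons or ["ok"])
```

Run it as a script to see each sample classified. The important design choice is that the checks look at the attachment bytes rather than the declared name or MIME type, because the name and type are exactly what the attacker controls; a real deployment would add a full PDF parser and a sandbox detonation step, since a keyword match on object keys can be evaded with compressed object streams.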
Posted by gwfrink3 @ 05:56 PM EDT