Maplesoft Customers Targeted by a Trojan

So you received an email from a software vendor alerting you your system may be vulnerable, unless you install the patch file attached. Eager for protection, you extract the executable file as instructed by the email, click “Install,” then sigh in relief for dodging a bullet. Phew, a close call!

Well, not quite. The so-called patch you just installed is, in fact, a Trojan virus.

This scenario became true for some Maplesoft customers, which prompted the company to publish the following warning:

Maplesoft is investigating a security breach of its administrative database that took place on July 17th, 2012. As a result of the breach, the perpetrators gained access to some email subscription data, including email addresses, first and last names, and company and institution names ... The perpetrators are posing as Maplesoft in an attempt to have individuals they email click on a link or download a malicious piece of software.  Recipients should not respond to these emails and they should not open any attachments or click on any download links. These emails should be deleted immediately. (Read the full text of the warning at “Maplesoft Affected by Security Breach,” published at Maplesoft’s security center.)

You can spot the virus by these telltale signs.

• The fraudulent email originated from maple-soft.com, not operated or controlled by Maplesoft.
• The email contains the attachment called Maple_Patch.zip and MapleFix.exe.
• It urges you to enter the password MapleSecuirityUpdate1707 when extracting the zipped content.

Jim Cooper, CEO of Maplesoft, clarified, “What has been compromised is a partial email subscription list, not our customer database ... Note that the data taken includes older subscription data, which means a significant portion of the list is dated and many of the email addresses it contained are invalid.”

The physical device breached is maintained in-house, not a third-party data storage solution, according to Maplesoft.

According to the timeline of the event published by Maplesoft, the virus was first reported to its customer service at 1 PM on July 17. By 6 PM, the company had determined that was a breach and locked down its system. Roughly 24 hours later, the company began notifying customers affected by the breach.

What made this threat particularly disconcerting was that the email sent by the virus’ author addresses the victim by name, adding a false sense of authenticity. No doubt, the name was obtained from the Maplesoft server breach.

The virus is classified as Zeus Trojan (Zbot). Search Security, a IT security resource portal, described Zbot as follows:

Once a Zeus Trojan infects a machine, it remains dormant until the end user visits a Web page with a form to fill out. One of the toolkit’s most powerful features is that it allows criminals to add fields to forms at the browser level. This means that instead of directing the end user to a counterfeit website, the user would see the legitimate website but might be asked to fill in an additional blank with specific information for “security reasons.”

Zeus gained notoriety in 2006 as being the tool of choice for criminals stealing online banking credentials. The malware can be customized to gather credentials from banks in specific geographic areas and can be distributed in many different ways, including email attachments and malicious Web links. Once infected, a PC can be recruited to become part of a botnet.

The good news is, standard antivirus software can detect and remove the virus. Cooper said, “Depending on the antivirus client used, it will be identified by one of these names: Zbot, ZeroHour, or Zeus. Most up to date antivirus scanners should detect and clean the threat. We have tested and can confirm that the following scanners will remove the threat: Microsoft Security Essentials, AVG, Norton 360.”

Cooper said, “Maplesoft takes the security of our customers’ and contacts’ personal information very seriously. We are in the process of notifying all individuals whose information may have been compromised. We have locked down our systems to prevent further unauthorized access and we are reviewing our security practices and procedures to help ensure this does not happen again.”

Last month, Autodesk customers were subjected to a similar attack, associated with an email address in China.