Antivirus World
 News archive about antivirus software, virus threats, trojans 

January 2004

January Evil Top Ten from BitDefender -- Posted by Igor_Donchenko on Saturday, January 31 2004
This month's Evil Top Ten is stunning and sobering in some respects.

First off, the much-talked-about MyDoom virus has managed to eke into our monthly top 10 - not an easy achievement, considering that it was released just a few days ago (on the 26th of January, to be more precise). Not only that, but this nasty critter has managed to show up on our radar one million (that is right, 10^6) times over a period of 24 hours. That says something about how well some people have internalized last year's lessons, doesn't it?

Actually, at the top of our top sits a virus which makes a good textbook case of widespread (and distributed) negligence. It's been months since it was first released, but hey, who's to say it's antiquated? BitDefender released a signature update and a free cleanup tool within the first few hours, and the people at Microsoft have taken some of their precious time to release a cleanup tool of their own, but...

Ladies, gentlemen and other good folk, this month's highest spreading virus is, well, like it or not, Msblast.A; it seems to be heading swiftly for a dishonorable mention in the virus hall of shame, there to lie along such olden goldies as the Morris worm and the Brain virus.

The entire top ten for this month looks like this:

Ranking  Virus Name                   Percentage
1        Win32.Msblast.A              18.58%
2        Backdoor.Agobot.3.Gen        17.03%
3        Win32.Parite.B               12.96%
4        Backdoor.SDBot.gen           10.87%
5        Trojan.Downloader.Dyfuca.J    8.78%
6        Trojan.Downloader.Dyfuca.V    8.12%
7        Win32.Msblast.B               7.82%
8        Win32.HLLP.Hanta.A            5.66%
9        Win32.Msblast.F               5.16%
10       Win32.Mydoom.A@mm             4.96%

Based on past experiences, and the emergence of MyDoom B, which has yet to make the rounds, we strongly suspect that next month will see a peak of activity on the virus front, but until then BitDefender prefers to keep users interested and perfectly protected.
This report, called the "Evil Top Ten", is based on the number of virus occurrences confirmed through BitDefender Response Team tracking.

Source: http://www.bitdefender.com

Novarg.B threatens SCO and Microsoft -- Posted by Igor_Donchenko on Wednesday, January 28 2004
BitDefender antivirus experts have detected a new version of the much-discussed Novarg computer virus (also called Mydoom). Novarg.B differs only slightly from the first variant, with just a few technical variations.

"Still, we can expect a new wave of infections, as the author already has a base-target", says Mihai Neagu, Virus Researcher at BitDefender. "It seems, by the sheer amount of the first version that got sent through the networks at this point, that many users will inadvertently cause a new major outbreak", Mihai concluded.

Besides, it seems that the virus author has just enlarged the target base, as the new version launches DoS attacks against both the SCO and Microsoft websites.

Source: http://www.bitdefender.com

A New Service for Kaspersky®Anti-Spam users -- Posted by Igor_Donchenko on Wednesday, January 28 2004
Kaspersky Labs, an information security software developer, and the company's technological partner, "Ashmanov and Partners", linguistic analysis experts, present a new schedule for the release of anti-spam database updates. The updates will now be released 12 times a day, increasing protection against spam and providing a proactive response to new spam epidemics.

This new schedule for the release of anti-spam updates is superior in frequency to all analogous solutions offered on the international market. Kaspersky Labs' continual efforts to provide protection against the very latest types of spam mean that the solution is unique on the international market. The new update schedule will, at the same time, offer Kaspersky® Anti-Spam users the most effective defence possible against spam.

Today spam accounts for, on average, 20% of global Internet traffic, and on some days reaches 70%. According to Kaspersky Labs' estimates, in 2002 the world economy lost approximately $15 billion as a result of spam. If current trends are maintained, in 2005 every second email will be spam. Taking contemporary developments into account, it is clear that protection against spam is of keen interest to all concerned.

Spam is distinguished by the variability of its characteristics and the wide range of linguistic and technical traps deployed in order to avoid spam filters. In order to combat spam, constant updating of spam recognition technology is required.

The new service for Kaspersky Anti-Spam users is an impressive counter-move to the growing activity of spammers. The updates are developed by a linguistic laboratory, which has a fully functional system for collecting information about new types of spam at its disposal. The system includes data from control mailboxes throughout the world and messages from users of major mail systems and Internet providers, including Kaspersky Anti-Spam users. All in all, the linguistic laboratory processes more than 100,000 messages per day. Since messages are sorted and analysed automatically, analysts remain free to rapidly develop effective protection.

Each update undergoes comprehensive testing in order to exclude false positives; the updates are made available to customers, who can download them remotely via the Internet, only after rigorous testing is complete.

Source: http://www.kaspersky.com

Novarg: New Worm - New Epidemic -- Posted by Igor_Donchenko on Tuesday, January 27 2004
Kaspersky Labs, an information security software developer, has detected a dangerous new Internet worm, Novarg (also known as Mydoom). In just a few hours this malicious program caused a global epidemic, infecting approximately 300 thousand computers throughout the world. This incident is the most serious outbreak so far this year, and shows every sign of breaking the replication records set in 2003.

An explosion in malicious program activity undoubtedly points to serious preparations made by virus writers. These included the creation of a network of infected computers; when the number of computers in the network reached critical mass, a command was sent to mail out Novarg. This is the same approach used previously by the email worm Sobig.F.

Detailed analysis of the geographic spread of the worm leads to the assumption that Novarg was created in Russia.

Prevention, diagnosis and protection

Novarg spreads via the Internet in two ways: via email and via the KaZaA file-sharing network.

Infected messages have a random, falsified sender's address, 8 possible message headers, 18 possible attachment names and 5 possible extensions to attached files. Additionally, the worm spreads in messages where the message header, message body and attachment name contain a nonsensical collection of random characters. Such variability makes it far more difficult for users to independently identify infected messages.

Novarg appears in the KaZaA network under various names, including winamp5, icq2004-final and with various extensions, such as bat, exe, scr, pif and others.

If a user is thoughtless enough to launch the infected file, either from an email or downloaded from the KaZaA network, Novarg initiates its installation procedures and propagation routines.

Immediately after being launched Novarg opens a Notepad window which shows a series of random characters.

At the same time Novarg creates two files in the Windows folder: taskmon.exe (the worm carrier) and shimgapi.dll (a Trojan program to remotely control the infected machine). The worm registers these files in the system registry auto run key to ensure that the malicious program is activated every time the computer is restarted.

Novarg then initiates its propagation routine. The worm scans the disk for email addresses (files with extensions such as htm, wab, txt and others) and, unbeknownst to the user, sends infected emails to these addresses. In addition, Novarg checks whether or not the infected machine is connected to the KaZaA network: if a connection is open, the worm copies itself into the public folder for file exchange.

Novarg carries a very dangerous payload. Firstly, the worm installs a proxy server on the infected computer. Malefactors can then use this module in spamming or in mass-mailing new versions of the malicious program.

Secondly, Novarg installs a backdoor (a utility for unauthorized remote control) thus allowing the virus writer to control the infected machine. The backdoor makes it possible to steal, change or delete data, install third-party programs and so forth.

Thirdly, Novarg contains an inbuilt module for organizing a DoS attack on www.sco.com. This module will be activated between 1st February and 12th February 2004. During this period all infected machines will query this site, which may cause it to crash.

Source: http://www.kaspersky.com

Panda Software reports the new Mimail.Q worm -- Posted by Igor_Donchenko on Tuesday, January 27 2004
PandaLabs has detected the new Mimail.Q (W32/Mimail.Q.worm) worm. This new variant is very similar to its predecessors and according to data collected by Panda Software’s international support network, has already caused some incidents. Mimail.Q spreads via e-mail and its most dangerous effect is that it has been designed to try to steal confidential data. It does this using a form that simulates a form belonging to Microsoft warning the user that the Windows license has expired.

Mimail.Q reaches computers in an e-mail message with an extremely variable sender, subject, message body and attachment. An example of the characteristics of an e-mail message carrying this worm is the following:

Subject: very nice picture

Message:

Good evening Ella

I shocked

My boss had best sex last evening with the mom of Jeremy!
I turned on my hp device and make cool pictures!
Please don't show it to somebody, I rely on you.


Attachment: privateimgs.gif.exe

The attached file is polymorphic and actually contains a dropper. When this file is run, it installs Mimail.Q on the computer in a file called outlook.exe.

When it has been installed on a computer, Mimail.Q looks for e-mail addresses to send itself to in different types of files. It stores the addresses it finds in a file called outlook.cfg.

Mimail.Q also tries to steal confidential information from affected computers. In order to do this, it displays a fake form that warns users that their Windows license has expired, and prompts them to renew it. This form requests personal data including a credit card number, its expiry date and its PIN.

Finally, the worm creates an entry in the Windows Registry to ensure that it is run whenever the affected computer is started up.

Source: http://www.pandasoftware.com

Mimail.q: The Return Of A Calculating Email Blackmailer -- Posted by Igor_Donchenko on Tuesday, January 27 2004
Kaspersky Labs, an information security software developer, has detected a new version of the notorious Internet worm Mimail. Mimail.q has a built-in encrypted key to evade anti-virus programs, and reports of infections are already coming in. Kaspersky Labs predicts that the outbreak will gain momentum over the next few days and recommends that all users update their anti-virus protection immediately.

Mimail.q spreads via email in messages with varying content (there are about 30 variations) with random attachment names. The worm consists of two components: the dropper (the module which installs the core) and the carrier (the core).

If a user is thoughtless enough to launch the file attached to the infected email, the dropper proceeds to open a window with a fake error message. The dropper copies itself into the Windows registry under the name sys32.exe and registers itself in the system registry auto run key. Finally, the dropper unpacks the main component, a file named outlook.exe and launches it in order to execute it.

The most important modification in Mimail.q is the polymorphic encryption keys built in to fool anti-virus programs. Every time the infected machine is restarted, Mimail.q changes the encryption key so that the copies of itself that Mimail sends look different every time. This means that anti-virus programs must have a decryption routine in order to contend with Mimail.q successfully.

The main component of the worm performs several functions at once. Firstly, it sends copies of Mimail.q by scanning the contents of disks and extracting email addresses. Infected messages are then sent to these addresses by using the inbuilt mailing mechanism.

Secondly, the main component opens the infected computer to the creator of the worm using ports 80, 1433, 1434, 3000, and 6667. The worm receives commands via these ports and sends information about the execution of these commands to a variety of public email system addresses.

Thirdly, Mimail.q gathers information about PayPal and E-Gold accounts on the computer in exactly the same way as previous versions of Mimail do, and sends the information needed to access these accounts to the addresses mentioned above.

Finally, the worm's code contains the following text, which is addressed to public email services as a threat if email addresses used by Mimail.q should be closed by the service provider.

*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***

Source: http://www.kaspersky.com

Don't Believe Your Browser - It Could Be Dumaru -- Posted by Igor_Donchenko on Tuesday, January 27 2004
Kaspersky Labs, an information security software developer, warns users about three new modifications of Dumaru, an email worm: versions j, k and l. The unusual propagation techniques and high dissemination rate have resulted in infections worldwide, causing a new global outbreak.

Dumaru was first detected in September 2003 and has remained among the most active malicious programs ever since. The original worm was written in Russia, but subsequent versions appear to come from Germany.

The latest versions of Dumaru contain only minor modifications. However, the multi-tier propagation method used to disseminate the malicious program has caused a worldwide outbreak within a matter of days.

Initial propagation was assured by the mass mailing of a message purportedly originating from Microsoft in which users were offered updates to their virus protection.

In reality, the message contains the Trojan program UrlSpoof. Once the link in the letter is activated, a new Internet window opens onto a Microsoft look-alike web site. Moreover, "UrlSpoof" utilizes a vulnerability in Internet Explorer, which allows the worm to display www.microsoft.com in the address bar, even though the user is actually on another site.

While the user is browsing this site, the victim machine is transformed into a Dumaru carrier and the worm then initiates the mailing process from the new computer.

"This outbreak has once again demonstrated that virus writers and spammers are joining forces", comments Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs, "Viruses are using spamming techniques more and more in order to increase propagation speed, whereas spammers are using viruses to create networks of infected machines for use in mass mailing campaigns".

Source: http://www.kaspersky.com

The Internet is flooded with the Win32.HLLM.MyDoom.32768 mass-mailer -- Posted by Igor_Donchenko on Tuesday, January 27 2004
The Virus Alert Service of DialogueScience, Inc. reports the explosive spread on the Internet of a new virus threat, the mass-mailing worm Win32.HLLM.MyDoom.32768 (nicknamed Mydoom, Shimg or Novarg by other antivirus vendors). Tens of thousands of computers around the world were hit by the worm during the first hours of its release into the wild.

The program module of the worm is 22,528 bytes in size. It is packed with the UPX compression utility and can arrive on users' computers as a ZIP archive. The mail message distributed by the mass-mailer may have one of the following subjects:

Server Report
Mail Delivery System
hi
status
hello
HELLO
Hi
test
Test

The text accompanying the message may contain either random garbage or have the following strings:
The message contains Unicode characters and
has been sent as a binary attachment.

The message cannot be represented in
7-bit ASCII encoding and has been sent as a binary attachment.

The viral attachment carrying the worm's program module may have an executable file extension (*.scr, *.bat, *.exe, *.pif); it may also come as a ZIP archive.
When launched by an unwary user, the worm copies itself to the Windows folder as taskmon.exe and creates a corresponding key in the autorun entry of the system registry so that it is restarted at every Windows session launch. At the same time, the worm creates in the Temporary folder a text file whose contents are random garbage and opens it with Notepad.exe. Thus the worm makes users think they have opened a genuine text file.

Then the worm launches its mass propagation routine and sends its malicious copies to all the addresses harvested on the infected system. It uses its own SMTP engine, trying likely mail server names in order to deliver the viral messages to the corresponding domains. If the attempt to find a relay server fails, the worm sends its copies through the default SMTP server. Its mass dissemination procedure is multi-threaded, which explains its very high rate of proliferation.

The KaZaA file-sharing application is another way for the worm to spread: the worm copies itself to the folders shared on the KaZaA network.

But apart from its cleverly designed mass-mailing routine, the worm has a dangerous payload. It opens the infected machine to external access by remote users, allowing criminals to download and execute programs. The worm opens ports from 3127 to 3198 and waits for instructions from a remote attacker. Presumably, on the first of February all computers infected by the worm and connected to the Internet will take part in a DoS attack against the web site of the SCO Group, known for its copyright suit over the UNIX operating system.

The speed of the new worm's proliferation is so high that cyber security specialists consider this outbreak to be much more serious than the Reteras epidemic of August 2003.

Source: http://www.antivir.ru

New mass-mailer outbreak: don't trust a calculator-like attachment! -- Posted by Igor_Donchenko on Tuesday, January 27 2004
The Virus Alert Service of DialogueScience, Inc. reports the rapid proliferation on the Internet of a new mass-mailer equipped with a dangerous Trojanized payload. The virus is detected by Dr.Web® antivirus programs as Win32.HLLM.Beagle.15872.

The worm may arrive on your computer as an attachment to a mail message. The icon of the worm's executable module is that of the standard Windows calculator application, calc.exe. The attachment size is 15,872 bytes.

The laconic message contains "Hi" in the subject field followed by the text:

Test =)
[sequence of random characters]
--
Test, yep.

When executed by an unwary user, the worm, to hide its viral nature, runs the standard calculator application, which is installed by default on every system. Thus the user is assured that a real calculator application was launched. At the same time, the worm copies itself to the Windows\System folder as bbeagle.exe.

To secure its automatic launch at every subsequent system restart, it creates the following entry in the autorun key of the system registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"d3dupdate.exe"=bbeagle.exe

The worm harvests e-mail addresses from the hard drives of the infected machine, searching files with the following extensions:
  • wab
  • txt
  • htm
  • html
After that, it initiates its mass propagation routine and starts sending itself using its own SMTP engine. The sender's address is spoofed. While collecting e-mail addresses, entries containing the following strings are excluded from the search:
  • hotmail.com
  • msn.com
  • @microsoft
  • @avp.
The worm contains a Trojanized component. Once on a system, it starts listening on port 6777 for further instructions from a remote user. The worm also carries a long list of web sites in its code that it tries to connect to. Presumably, this is intended to notify its creator of the infection of a specific machine and its IP address. Access to many of those sites requires authentication and their content is not known.

Source: http://www.antivir.ru
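The mail-borne indicators quoted in the two DialogueScience posts above (Mydoom subjects, body pretext, 22,528-byte module and executable/ZIP extensions; Beagle's fixed "Hi" / "Test =)" / "Test, yep." message and 15,872-byte attachment) turned into a scoring triage that a gateway or an analyst could run over an intercepted message. This is an added example, not code from DialogueScience, Kaspersky or AntivirusWorld; the weights, the threshold and the three sample messages are constructed here, and the threshold is deliberately above the subject weight so that a lone common subject such as "hi" never fires on its own.

```python
from __future__ import annotations

import os
from dataclasses import dataclass

# Indicators quoted in the two DialogueScience posts (compared case-insensitively).
MYDOOM_SUBJECTS = {"server report", "mail delivery system", "hi", "status",
                   "hello", "test"}
MYDOOM_BODY_PHRASE = "has been sent as a binary attachment"
MYDOOM_SIZE = 22528                                # bytes, UPX-packed module
MYDOOM_EXTS = {".scr", ".bat", ".exe", ".pif", ".zip"}

BEAGLE_SUBJECT = "hi"
BEAGLE_BODY_HEAD = "test =)"
BEAGLE_BODY_TAIL = "test, yep."
BEAGLE_SIZE = 15872                                # bytes, calc.exe icon
EXEC_EXTS = {".scr", ".bat", ".exe", ".pif"}

# Constructed threshold: subject alone scores 1, so "hi" by itself cannot fire.
THRESHOLD = 3


@dataclass
class Message:
    subject: str
    body: str
    attachment_name: str
    attachment_size: int


def attachment_ext(name: str) -> str:
    """Final extension, lower-cased, so a double extension like
    'privateimgs.gif.exe' is judged by its real '.exe' suffix."""
    return os.path.splitext(name)[1].lower()


def score_mydoom(msg: Message) -> tuple[int, list[str]]:
    score, reasons = 0, []
    if msg.subject.strip().lower() in MYDOOM_SUBJECTS:
        score += 1
        reasons.append("subject is in the Mydoom subject list")
    if MYDOOM_BODY_PHRASE in msg.body.lower():
        score += 2
        reasons.append("body uses the 'binary attachment' pretext")
    if attachment_ext(msg.attachment_name) in MYDOOM_EXTS:
        score += 1
        reasons.append("executable or ZIP attachment")
    if msg.attachment_size == MYDOOM_SIZE:
        score += 2
        reasons.append("attachment is exactly 22,528 bytes")
    return score, reasons


def score_beagle(msg: Message) -> tuple[int, list[str]]:
    score, reasons = 0, []
    body = msg.body.strip().lower()
    if msg.subject.strip().lower() == BEAGLE_SUBJECT:
        score += 1
        reasons.append("subject is 'Hi'")
    if body.startswith(BEAGLE_BODY_HEAD):
        score += 1
        reasons.append("body opens with 'Test =)'")
    if body.endswith(BEAGLE_BODY_TAIL):
        score += 1
        reasons.append("body signs off with 'Test, yep.'")
    if attachment_ext(msg.attachment_name) in EXEC_EXTS:
        score += 1
        reasons.append("executable attachment")
    if msg.attachment_size == BEAGLE_SIZE:
        score += 2
        reasons.append("attachment is exactly 15,872 bytes")
    return score, reasons


def triage(msg: Message) -> dict:
    """Return the best-matching family ('Mydoom', 'Beagle' or 'none'),
    the per-family scores and the indicators that fired."""
    results = {"Mydoom": score_mydoom(msg), "Beagle": score_beagle(msg)}
    family = max(results, key=lambda f: results[f][0])
    best_score, reasons = results[family]
    if best_score < THRESHOLD:
        family, reasons = "none", []
    return {"family": family,
            "scores": {f: s for f, (s, _) in results.items()},
            "reasons": reasons}


# Constructed sample messages (not real captures).
SAMPLES = {
    "mydoom": Message("Mail Delivery System",
                      "The message cannot be represented in 7-bit ASCII "
                      "encoding and has been sent as a binary attachment.",
                      "document.zip", 22528),
    "beagle": Message("Hi", "Test =)\nqwe8r7zxc\n--\nTest, yep.\n",
                      "fjdkl.exe", 15872),
    "benign": Message("hi", "See you at lunch?", "notes.txt", 1200),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, triage(sample))
```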

Bagle, a new Internet Worm, Makes Its Presence Felt -- Posted by Igor_Donchenko on Friday, January 23 2004
Kaspersky Labs, an information security software developer, is warning users about I-Worm.Bagle, a new Internet worm detected in the wild. The worm spreads via email with a random sender address. Kaspersky Labs has received reports of infections from around the world; Bagle is causing a significant outbreak.

The worm is a Windows EXE file about 15 KB in size attached to emails with random sender addresses. The subject, 'Hi', body, 'Test =)' and signature 'Test, yep' are constant, whereas the name of the attachment is random.

Once the worm is launched, it copies itself into the Windows directory and attempts to download and launch Mitglieder, a Trojan proxy server, on the infected machine. This proxy server allows the 'master' to use the infected machine as a platform to send more copies of the malicious code. Currently, all links to Internet sources for downloading Mitglieder are deleted. Thus, I-Worm.Bagle cannot use this technology to increase propagation speed.

As a result, at this time, I-Worm.Bagle is using a technique standard for Trojan programs. Bagle scans the file system on infected machines for files with extensions wab, txt, htm and r1. The worm then sends copies of itself to all email addresses that it uncovers, using a built in SMTP server.

Source: http://www.kaspersky.com

Virus author is brought to court -- Posted by Igor_Donchenko on Wednesday, January 21 2004
Dan Dumitru Ciobanu, author of an MSBlast virus variant, goes on trial in the Iasi county Court of Appeals.

The 26-year old is accused of having created a computer virus variant which spread over the intranet of the "Gh. Asachi" Technical University, in September 2003.

BitDefender virus researchers were instrumental in the police's efforts to identify Ciobanu. "We acted only by request of the Romanian authorities", said Mihai Radu, Communication Manager at BitDefender, SOFTWIN. "Young people playing at virus writing should keep in mind that computer viruses are not games. When unleashing a computer virus, the author places property and people at risk", Radu concluded.

Although the virus only affected 27 computers, the youth is facing between three and fifteen years in jail for "unlawful possession of a program and disturbing a computer system".

In a similar case, Jeffrey Lee Parson, 18, is charged with creating another variant of the same virus and faces up to ten years imprisonment and/or fines of up to $250,000.

Source: http://www.bitdefender.com

Panda Software warns of fraudulent bank e-mails -- Posted by Igor_Donchenko on Friday, January 16 2004
Over the last few days, many users have been receiving e-mails telling them that, due to technical or other problems, they need to access a web page to validate their bank details.

One of the most widespread examples of these is one aimed at CITIBANK clients and arrives in an email with the subject "Important Fraud Alert from Citibank". The message itself says that due to a series of operations aimed at detecting illegal banking activity, users need to check if their data is correct by going to a certain website.

All these e-mails are false, and are aimed at tricking users into divulging confidential data such as account numbers, user names, passwords or other secret codes and numbers.

To do this, generally the messages have been carefully constructed in HTML to perfectly resemble genuine messages sent by the online banking service and deceive users.

These mails have been cunningly designed to exploit the URLSpoof vulnerability (as yet uncorrected) in Microsoft Internet Explorer. This flaw makes it possible to trick a user into thinking that the web page they are accessing (from a link in the e-mail) is that of a bank, when really the web page is a replica of the original, hosted elsewhere.

In this way, if the user enters the data they are asked to, this will fall straight into the hands of the malicious user that has created the e-mail and web page.

For this reason, Panda Software recommends that all users treat e-mails from banks requesting information with extreme caution, as it is highly likely that they are part of an attempted fraud. In any event, before revealing any confidential information, users should confirm the authenticity of the message by contacting the bank in question.

Source: http://www.pandasoftware.com

New Internet threats (VII): software vulnerabilities -- Posted by Igor_Donchenko on Wednesday, January 14 2004
Software vulnerabilities are rapidly becoming one of the most serious problems for today’s computer user. The massive expansion in Internet use, for all its benefits, has also had the unpleasant side-effect of the emergence of new problems, or at least the exacerbation of previously inconsequential problems. Computers are no longer isolated elements, but integrated components of the World Wide Web with which other users around the globe can interact.

A software vulnerability can essentially be defined as a security flaw or hole detected in a program or IT system that could be used by a virus to infect and spread or by a hacker to gain unauthorized access to a system. Put more simply, it is a design fault in a program installed on a computer, which could allow a virus to act on the computer without user intervention, or open communication ports to allow access to hackers.

However, one of the problems with security holes lies in the way they are detected. Most often, the flaws are uncovered by individuals or organizations who have nothing to do with the software vendor, and normally, those who discover the flaw pass the information on to the vendor who in turn promptly publishes information and a fix to the problem.

However this is not always the case, and there have been many instances where important security problems have been reported directly to the media or even simply posted on a special forum or other website.

This leaves the vendor little or no time to react before malicious users can work out ways to take advantage of the vulnerability. Worse still, groups of malicious users sometimes publish an exploit or application designed to take advantage of the problem for malicious ends.

This situation has now reached the point that, on more than one occasion, some of the leading software vendors have started projects to improve the handling of information related to the discovery of new vulnerabilities, although as yet the results are not overly encouraging.

All in all, these vulnerabilities now represent one of the most serious threats to IT systems. Viruses of the ilk of Blaster, Klez.I, SQLSlammer or CodeRed are just some of the examples of malicious code which spread like wildfire and wreaked wide ranging havoc by exploiting these kinds of vulnerabilities.

Source: http://www.pandasoftware.com

IT threats: outlook for 2004 -- Posted by Igor_Donchenko on Friday, January 9 2004
New year, new resolutions and, once again, new Internet threats. While predicting the future is a risky business, by extrapolating the events of the past twelve months, we will try to offer an idea of the kind of threats that are likely to dominate the coming year.

The most reasonable forecast is that 2004 will be the year of 'other' malware, i.e. not just viruses and worms. This is not to say that there will be fewer viruses or that there won't be epidemics, but rather that traditional viruses will lose ground to an increasing number and wider variety of other threats, such as dialers, spyware or spam.

Reasons for this increase are likely to be purely financial, as many unscrupulous users have realized the potential benefits of installing dialers (reconnecting modem users to premium-rate phone numbers), stealing bank or credit card details, or selling databases to dubious marketing companies.

Spam is also likely to play a major role, and poses a double-edged threat: on the one hand, the enormous waste of time involved in reading and deleting junk mail, and on the other, the possibility that at some time it could be used as a means of propagation for viruses or other malicious code.

Hacker attacks are also likely to increase, facilitated by the increased proliferation of backdoor Trojans and hacking tools in recent months.

As for the new viruses expected to appear in 2004, virus creators are likely to continue probing for vulnerabilities in widely used software in order to spread their creations as widely as possible. This is a strategy that has been increasing in popularity, often with devastating results. We are likely to see more worms than any other type of virus, due to their capacity to spread rapidly, and Trojans, due to their ability to install other malware on computers.

Luis Corrons, head of PandaLabs, says: "2004 won't be dominated exclusively by viruses. Other malware, such as dialers, spyware, hacking tools and spam, must be taken into account when designing security policies. Viruses will no doubt continue to appear, possibly even more than before, but the increased presence of other threats means that good antivirus defense on its own is not enough; users will also need to have specific tools to counter this new wave of Internet threats."

Source: http://www.pandasoftware.com

An Overview Of Virus Activity In 2003 from Kaspersky Labs -- Posted by Igor_Donchenko on Tuesday, January 6 2004
Kaspersky Labs, an information security software developer, presents the annual review of malicious programs. The material below contains information about major virus outbreaks which occurred in 2003, expert opinion about malicious program trends and Kaspersky Labs forecasts for the future.

Introduction

Nine major virus outbreaks were registered in 2003, along with 26 less significant ones, which were mainly of a local nature. This figure is lower than that of 2002, when there were 12 major outbreaks and 34 minor incidents. However, even though the number of outbreaks has decreased, their scale and the impact they have on the Internet have increased significantly.

Major virus outbreaks

There were two global outbreaks in 2003, which were the biggest in the history of the Internet. It should be noted that these outbreaks were not caused by classic email worms, but by worms modified for the Internet which spread as network data packets.

The foundations of the first outbreak were laid on the 25th January by the Internet worm Slammer (Helkern), which used a vulnerability in the Microsoft SQL Server in order to replicate. Slammer became the first fileless Internet worm which fully demonstrated the capabilities of flashworms, first described in 2001. On 25th January 2003, in a matter of mere minutes, the worm infected millions of computers throughout the world, and increased network traffic by between 40% and 80% (estimates vary), causing national backbone servers to crash. The worm attacked through port 1434; on penetration it did not replicate itself on the disk, but simply remained in the memory of the infected machine. An analysis of the outbreak shows that the worm probably originated from East Asia.

The second outbreak, which was no less damaging than the first, was started on the 12th August by Lovesan (Blaster). Lovesan clearly demonstrated to the entire world just how vulnerable the popular operating system Windows is. Lovesan used a Windows security breach to propagate. However, in contrast to Slammer, Lovesan used a breach in the RPC DCOM service, which is present on every computer running Windows 2000/XP. This meant that the majority of Internet users that day were exposed to the worm.

Only a few days after the worm first appeared, three other versions of Lovesan were detected. Then the Welchia worm, which used the same Windows breach, exploded onto the Internet. However, Welchia differed from the original worm. It deleted copies of Lovesan on infected computers, and attempted to install a patch for the RPC DCOM service.

2003 was the year of ceaseless email worm outbreaks. Ganda and Avron were detected in January. The former was written in Sweden, and is still one of the most widespread email worms in Scandinavia. The author was arrested by the Swedish police at the end of March. Avron was the first worm written in Kazakhstan to cause a global outbreak. The source code of the worm was published on virus web sites, which led to the creation of several less successful versions of the worm.

January also saw the appearance of the first worm in the Sobig family, which caused regular outbreaks. Version Sobig.f broke all records, becoming the most widespread email worm in the history of the Internet. At the peak of the outbreak in August, Sobig.f could be found in every 20th email message.

This particular malicious program was especially dangerous: one of the aims of the authors of the Sobig family was to create a network of infected computers in order to carry out distributed DoS attacks on random web sites. The network of infected computers was also intended to act as proxy servers for distributing spam.

The email worm Tanatos.b was another notable malicious program which appeared in 2003. The first version of Tanatos (Bugbear) was written in mid-2002, with the second version appearing nearly a year later. The worm used a long-known breach in the Microsoft Outlook security system (the IFRAME breach) to launch itself automatically from infected messages.

The latest worms in the Lentin (Yaha) family continued to appear. According to current data they were all created in India by one of the local hacker groups in the course of a virtual war being conducted between Indian and Pakistani hackers. The most widespread were versions M and O, where the virus replicated in the form of a ZIP archive attached to infected messages.

Virus writers from Eastern Europe were also active in 2003. The second worm from the former USSR to cause a global outbreak was Mimail. The worm used a vulnerability in Internet Explorer to replicate itself, and the vulnerability became known as Mimail-based. The vulnerability allowed the extraction and execution of binary code from an HTML file and was first exploited in Russia in May 2003 by Trojan.Win32.StartPage.L. Following this, the vulnerability was used by the Mimail family of worms and a number of Trojan programs. The author of Mimail published the source code on the Internet, giving rise to several new versions by virus writers from other countries, including the USA and France.

September 2003 was the month of the Internet worm Swen. Swen disguised itself as a Microsoft patch, infected hundreds of thousands of computers throughout the world, and to this day remains one of the most widespread email worms. The virus author was able to successfully exploit the fact that users were already unsettled by the recent Lovesan and Sobig.f incidents and were therefore likely to instantly install the so-called patch.

There were two other major security events which should be mentioned. The first of these was caused by Sober, a relatively simple email worm written by a German in imitation of the leader of the year, Sobig.f. The second of these was the backdoor Trojan Afcore: in spite of the fact that it did not spread widely, it is worth a certain amount of attention due to the interesting way it conceals itself in a system, by writing its code to alternate data streams of the NTFS file system. Even more interesting, Afcore does not use the alternate data streams of files but of directories.

The Top Ten Viruses In 2003

Ranking  Name                   Percentage
1        I-Worm.Sobig           18.25%
2        I-Worm.Klez            16.84%
3        I-Worm.Swen            11.01%
4        I-Worm.Lentin          8.46%
5        I-Worm.Tanatos         2.72%
6        I-Worm.Avron           2.14%
7        Macro.Word97.Thus      2.02%
8        I-Worm.Mimail          1.45%
9        I-Worm.Hybris          1.12%
10       I-Worm.Roron           1.01%

Trends

The most noticeable trend in 2003 was the way in which worms dominated. Moreover, within this category, there was a worrying increase in the number of Internet worms over classic email worms. Kaspersky Labs predicts that this trend will be maintained, and Internet worms should become the dominant form of malicious code in 2004. This highlights the absolute necessity of installing not only anti-virus protection, but also firewalls, on every computer and corporate network.

The discovery of breaches in operating systems and applications is a cause for great concern. In previous years, the vulnerabilities which were used to penetrate systems had been known about for a long time, and patches already existed for the breaches, but in 2003 this time frame collapsed to a matter of weeks.

The interval between the discovery of a vulnerability and an attack exploiting the vulnerability is becoming shorter and shorter. In the case of Slammer, the breach in the Microsoft SQL Server was known about for more than six months prior to the attack. In a couple of months the instructions on how to exploit the breach were published in several places on the Internet. However, Lovesan, the next worm used to attack the Internet on 12th August 2003, appeared only 26 days after a patch was issued to secure the RPC DCOM vulnerability in MS Windows.

The computer underground has come to understand that attacking through a security breach is the most effective method of penetrating computers, and is actively making use of this idea. As a result, virus writers obtain information about the newest vulnerability and quickly write malicious programs for it. The Trojan program 'StartPage' was registered as spreading on 20th May 2003. It penetrated through the 'Exploit.SelfExecHtml' breach, and at the time there was no patch for this vulnerability. Given this, it may be that in the near future breaches will come to light through reports of new viruses rather than through vendors' reports on the issuing of patches.

In 2003, the tendency of the previous year towards malicious programs for new platforms and applications was broken. In 2002, virus writers attacked Flash technologies, SQL Servers, and file sharing networks (KaZaA). This year virus writers confined themselves to attacking the cartographic application MapInfo: MBA.Kynel, a virus written by a Russian in MapBasic, managed to successfully infect documents of this format and was even discovered by Kaspersky Labs in the wild.

The trend of 2002 towards backdoor programs (unauthorised remote administration utilities) and spy programs continued. The most notable representatives of these classes were Agobot and Afcore. There are currently more than 40 modifications of Agobot, because the program's author was able to set up a network of several web sites and IRC channels where anyone who wanted could become the owner of an exclusive version of the backdoor for a payment upwards of $150. The malicious software was written to order, according to the client's requirements.

A new trend in 2003 was the increasing appearance towards the end of the summer of a new class of Trojan programs, TrojanProxy, intended for illegal installation of proxy servers. This was the first and most noticeable sign of the appearance of mixed threats, a cross between viruses and spam. Computers infected by such Trojans were then used by spammers for the distribution of unsolicited email, while the owner of the computer might be unaware of such abuse.

It is clear that spammers also participated in several major outbreaks where the initial replication of the malicious software used spamming technology (Sobig).

Worms that replicate by stealing passwords to remote network resources also developed actively. Such worms, as a rule, are based on IRC clients: they scan the addresses of IRC channel users and then attempt to penetrate those users' computers using the NetBIOS protocol and port 445. One of the most notable representatives of this class was the Randon family of worms.
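Both network worms in this review propagate by touching many hosts on one service port in a short time: Slammer on port 1434 and the Randon family on port 445. The fan-out detector below is an added example (not from the review or any vendor) that flags that pattern in a connection log; the log format, watch-list, threshold and window are all constructed for the example.

```python
"""Fan-out detector for worm-style scanning, an added example (not from the
review or any vendor). It flags a source that reaches many distinct hosts on a
watched port within a short window, the propagation pattern described for
Slammer (port 1434) and the Randon family (port 445). The log format
"epoch src dst proto dport" is constructed for this example."""
from collections import defaultdict, deque

WATCHED = {(17, 1434), (6, 445)}   # (IP protocol, destination port); assumed watch-list
THRESHOLD = 5                      # distinct destinations inside the window that raise an alert
WINDOW = 10                        # seconds; assumed

def parse(line):
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, int(proto), int(dport)

def detect_fanout(lines, watched=WATCHED, threshold=THRESHOLD, window=WINDOW):
    """Return {src: (dport, distinct destinations)} for sources that exceed the threshold.
    Lines for a given source are expected in time order."""
    recent = defaultdict(deque)    # (src, dport) -> deque of (ts, dst) within the window
    alerts = {}
    for line in lines:
        ts, src, dst, proto, dport = parse(line)
        if (proto, dport) not in watched:
            continue                                   # unrelated traffic is ignored
        q = recent[(src, dport)]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:             # slide the window forward
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold and src not in alerts:
            alerts[src] = (dport, distinct)
    return alerts

# Constructed sample: 10.0.0.5 sweeps 1434/udp across six hosts in five seconds;
# 10.0.0.7 talks to one file server on 445/tcp (normal); 10.0.0.9 probes 445/tcp
# far too slowly to fit the window; one web connection is ignored entirely.
SAMPLE_LOG = [
    "100 10.0.0.5 192.0.2.1 17 1434", "101 10.0.0.5 192.0.2.2 17 1434",
    "102 10.0.0.5 192.0.2.3 17 1434", "103 10.0.0.5 192.0.2.4 17 1434",
    "104 10.0.0.5 192.0.2.5 17 1434", "105 10.0.0.5 192.0.2.6 17 1434",
    "100 10.0.0.7 10.0.0.50 6 445", "101 10.0.0.7 10.0.0.50 6 445",
    "102 10.0.0.7 10.0.0.50 6 445", "103 10.0.0.7 10.0.0.50 6 445",
    "100 10.0.0.9 192.0.2.10 6 445", "115 10.0.0.9 192.0.2.11 6 445",
    "130 10.0.0.9 192.0.2.12 6 445", "145 10.0.0.9 192.0.2.13 6 445",
    "160 10.0.0.9 192.0.2.14 6 445", "101 10.0.0.5 198.51.100.1 6 80",
]

if __name__ == "__main__":
    print(detect_fanout(SAMPLE_LOG))   # {'10.0.0.5': (1434, 5)}
```

A real deployment would feed firewall or NetFlow records in time order and tune the threshold per port, since a file server legitimately sees many distinct clients on 445.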

In conclusion, malicious software is now starting to appear which includes retroviruses: viruses that have inbuilt protection against anti-virus programs and firewalls. In fact, these viruses usually attempt to delete information security products from computers. Swen, Lentin and Tanatos are all examples of such programs.

Source: http://www.kaspersky.com

Panda Software reports on the Jitux.A worm -- Posted by Igor_Donchenko on Tuesday, January 6 2004
PandaLabs has detected the appearance of the new worm Jitux.A (W32/Jitux.A.worm). This is a malicious code designed to send messages via MSN Messenger which contain a link to download a file (called jituxramon.exe) from a web page.

This file actually contains the worm's code. So if the user runs the file, Jitux sends new messages containing the link every five minutes to all contacts stored in MSN Messenger. However, this worm has no other destructive effects, nor does it cause changes to the system configuration.

Source: http://www.pandasoftware.com

Kaspersky Labs Now Battling Spam At The ISP Level -- Posted by Igor_Donchenko on Tuesday, January 6 2004
Kaspersky Labs, an information security software developer, presents a new level of anti-spam protection developed specially to filter spam at the level of Internet providers; a logical extension to the range of Kaspersky Labs anti-spam products which allow highly effective filtration of unsolicited email messages for large amounts of data.

Kaspersky® Anti-Spam ISP Edition is a worthy answer to the growing activity of spammers. On one hand, the product allows Internet providers to solve the problem of system resources overload due to enormous volumes of spam. And on the other, it significantly raises the competitive ability of the services provided, by offering users centralized protection from unsolicited advertising. As a result, clients no longer have to spend time filtering their own unwanted mail, paying for spam traffic, or worrying that an important business communication has been lost.

Kaspersky Anti-Spam ISP Edition, an intelligent solution for filtering unwanted email correspondence at the level of Internet Service Providers, works under Linux and FreeBSD. The system recognizes, identifies and filters unsolicited mail messages when email is being received via SMTP protocol. In this way, the filtering of spam is carried out before the message is delivered to the final recipient's mailbox. Kaspersky Anti-Spam ISP Edition has a minimal effect on system performance in order to optimize the product for ISP use.

The use of modern identification technology means that 90 - 95% of spam can be identified as such. These results are due to a series of new technologies developed by Kaspersky Labs. The combination of several filtration methods - linguistic analysis (encompassing not only the contents of the message, but also of all attached objects), formal analysis of message characteristics, the use of blacklists and whitelists, including RBL (Realtime Black List) - enables the detection of the majority of undesirable messages. At the same time, the use of heuristic analyser tools means that new varieties of spam can be effectively identified.

Kaspersky Anti-Spam ISP Edition is able to protect the ISP user from the most insidious types of persistent advertising: the system effectively searches for and recognises random sequences of characters (symbols) contained in mail messages. Kaspersky Anti-Spam ISP Edition is highly reliable: out of 100000 messages, the number falsely identified as suspicious ranged from 1 to 10.
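The release lists the signals such a filter combines (blacklists and whitelists, an RBL lookup, formal analysis of message characteristics, linguistic analysis, and detection of random character sequences) without showing how they are weighed together. The scorer below is an added example, not Kaspersky's code: the zone name, weights, word list and messages are constructed, and the RBL lookup is answered from an inline table rather than DNS so it runs offline.

```python
"""Multi-signal spam scorer, an added example (not Kaspersky's code) combining
blacklist/whitelist, RBL lookup, formal header checks, linguistic analysis and
random-character-sequence detection. All names, weights and messages are constructed."""
import re

RBL_ZONE = "rbl.example"                  # placeholder zone, not a real blocklist
RBL_LISTED = {"10.2.0.192.rbl.example"}   # constructed answer: relay 192.0.2.10 is listed
BLACKLIST, WHITELIST = {"spammer.example"}, {"partner.example"}
SPAM_WORDS = {"viagra", "casino", "unsubscribe", "winner"}
WEIGHTS = {"blacklisted sender": 2, "relay listed in RBL": 2, "missing Message-ID": 1,
           "spam vocabulary": 1, "random character sequences": 1}
SPAM_THRESHOLD = 3

def rbl_query_name(ip, zone=RBL_ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the zone name."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def looks_random(token):
    """Junk tokens used to defeat signature hashing: long, alphanumeric, almost vowel-free."""
    t = token.lower()
    if len(t) < 8 or not t.isalnum() or t.isdigit():
        return False
    return sum(c in "aeiou" for c in t) / len(t) < 0.15

def score(msg, listed=RBL_LISTED):
    """msg: dict(from_domain, relay_ip, headers, body). Returns (score, reasons)."""
    if msg["from_domain"] in WHITELIST:
        return 0, ["whitelisted sender"]
    reasons = []
    if msg["from_domain"] in BLACKLIST:
        reasons.append("blacklisted sender")
    if rbl_query_name(msg["relay_ip"]) in listed:     # a DNS A query in production
        reasons.append("relay listed in RBL")
    if "Message-ID" not in msg["headers"]:             # formal analysis of characteristics
        reasons.append("missing Message-ID")
    words = re.findall(r"[a-z0-9]+", msg["body"].lower())
    if SPAM_WORDS.intersection(words):                 # linguistic analysis
        reasons.append("spam vocabulary")
    if sum(looks_random(w) for w in words) >= 2:       # random character sequences
        reasons.append("random character sequences")
    return sum(WEIGHTS[r] for r in reasons), reasons

def is_spam(msg):
    return score(msg)[0] >= SPAM_THRESHOLD

# Constructed sample messages.
SPAM_MSG = {"from_domain": "spammer.example", "relay_ip": "192.0.2.10", "headers": {},
            "body": "You are a WINNER at our casino xq7zkb9wt pl3kzvb0qm"}
HAM_MSG = {"from_domain": "partner.example", "relay_ip": "198.51.100.7",
           "headers": {"Message-ID": "<1@partner.example>"}, "body": "Invoice attached"}
```

The whitelist short-circuits everything else, which is how a filter keeps the false-positive count near the 1-in-10000 the release quotes for known correspondents.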

The load on mail servers caused by the mass circulation of spam can be significantly reduced, by implementing Kaspersky Anti-Spam ISP Edition. In addition to this, Kaspersky Anti-Spam ISP Edition enables the end user to avoid the ever-prevalent problem of insistent advertising. The product corresponds to modern demands in ISP provision. Unique technologies, on-going analysis of new spam and prompt database updates ensure the reliability of the system; ISP providers using Kaspersky Anti-Spam forestall spammers, thus offering their clients an impenetrable barrier against unsolicited correspondence.

Source: http://www.kaspersky.com

© AntivirusWorld.com