Antivirus World
 
 News archive about antivirus software, virus threats, trojans 

November 2003

GFI white paper describes how to block over 98% of incoming spam -- Posted by Igor_Donchenko on Friday, November 28 2003
Why traditional anti-spam methods are no longer enough
As GFI's white paper explains, the techniques currently used by anti-spam software, such as blacklist checking, databases of known spam and keyword checking, are static: a spammer can evade them simply by tweaking a message slightly. These technologies are far from obsolete, but they cannot be used as effectively as needed unless they are combined with an adaptive technique that keeps track of spammers' tactics as they change over time. GFI's white paper shows how Bayesian mathematics can be applied to the spam problem, giving an adaptive, 'artificial intelligence' technique that is much harder for spammers to circumvent.

"We believe Bayesian filtering is the way ahead in combating spam," said Nick Galea, GFI CEO. "The Bayesian approach is the best way to tackle spam once and for all, as it overcomes the problems posed by more static technologies while also being able to adapt to the particular organization that it is protecting from spam. A recent BBC report, for example, said that spam detection rates of over 99.7% can be achieved through Bayesian filtering with a very low number of false positives. This is the kind of anti-spam solution that enterprises are seeking today."

How the Bayesian spam filter works
Bayesian filtering is based on the principle that most events are dependent and that the probability of an event occurring in the future can be inferred from previous occurrences of that event. This same technique can be used to classify spam. If a piece of text occurs often in spam but not in legitimate mail, then the next time that same text is encountered in a new email, it would be reasonable to assume that this email is probably spam.

Custom organization-based filtering
Before mail can be filtered using this method, the user must generate a tailor-made history for each word or token (such as the $ sign, IP addresses and domains, and so on) that is specific to the company being protected. A probability value is assigned to each word or token, based on calculations that take into account how often that word occurs in spam as opposed to legitimate mail. Once the word probabilities have been calculated, the filter is ready for use. GFI's white paper provides more detailed information about this process, highlighting that this analysis is performed on the company's mail, and is therefore tailored to that particular company.

For example, if using a general anti-spam rule set, a financial institution that legitimately uses the word "mortgage" in scores of daily email messages would get many false positives. The Bayesian filter, on the other hand, takes note of the company's valid outbound mail and would recognize "mortgage" as being frequently used in legitimate messages. It therefore has a much better spam detection rate and a far lower false positive rate. Additionally, the Bayesian filter is constantly updated based on new spam and valid emails; its performance therefore improves over time and adapts to changes in spam tactics and/or changes in the kind of emails written by users within the organization.

In a nutshell, Bayesian filtering offers the following advantages in the battle against spam:

  • Looks at the whole message
  • Adapts itself over time
  • Is sensitive/adapts to the company/user
  • Multilingual and international
  • Uses statistical intelligence
  • Hard to trick.
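The token-probability scheme described above, as an added example rather than GFI's own code: it trains on a small constructed corpus in which "mortgage" is common in legitimate mail (the financial-institution case from the text), shows that the filter then treats the word as evidence of ham rather than spam, and shows the probability shifting again when a new spam message is trained in. The weighting follows the style of Paul Graham's "A Plan for Spam"; the corpus, the 0.4 value for unseen tokens and the 0.9 threshold are assumptions made for the example.

```python
"""Bayesian spam filtering trained on an organisation's own mail.

Added example for the GFI write-up above; it is not GFI's code. The
corpus, the unseen-token value and the threshold are assumptions.
"""
import math
import re
from collections import Counter

# Keep $ and dotted tokens (domains, IP addresses) as single tokens.
TOKEN_RE = re.compile(r"[a-z0-9$][a-z0-9$.'-]*")


def tokens(text):
    """Distinct lower-case tokens of a message (presence, not frequency)."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_counts = Counter()   # spam messages containing each token
        self.ham_counts = Counter()    # legitimate messages containing each token
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        """Update the per-token history with one already-classified message."""
        counts = self.spam_counts if is_spam else self.ham_counts
        for t in tokens(text):
            counts[t] += 1
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_probability(self, token):
        """P(spam | token) from the share of spam and ham messages containing it.

        Ham occurrences count double (a bias against false positives) and
        the result is clamped to [0.01, 0.99]; a never-seen token gets a
        neutral 0.4 (assumed) so it cannot decide the verdict on its own.
        """
        s = min(1.0, self.spam_counts[token] / self.nspam) if self.nspam else 0.0
        h = min(1.0, 2 * self.ham_counts[token] / self.nham) if self.nham else 0.0
        if s + h == 0:
            return 0.4
        return min(0.99, max(0.01, s / (s + h)))

    def spam_score(self, text):
        """Combine the 15 tokens furthest from 0.5 into one spam probability."""
        probs = sorted((self.token_probability(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:15]
        if not probs:
            return 0.5
        # Work with logs so a long message does not underflow the product.
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        return self.spam_score(text) > threshold


# Constructed training corpus standing in for a lender's mail archive.
HAM = [
    "Please review the mortgage application for the Smith account before the meeting",
    "Updated mortgage rate sheet attached, see statement of account for details",
    "The mortgage committee meets Thursday, bring the quarterly statement",
    "Reminder: mortgage closing documents are due Friday",
]
SPAM = [
    "FREE $$$ lowest mortgage refinance rates click here now",
    "Buy cheap meds online, free shipping, click here",
    "You have won $1000000, claim your prize now, click here",
    "Hot singles in your area, click here for free access",
]


def build_filter():
    """Train a filter on the constructed corpus above."""
    f = BayesFilter()
    for text in HAM:
        f.train(text, is_spam=False)
    for text in SPAM:
        f.train(text, is_spam=True)
    return f


if __name__ == "__main__":
    f = build_filter()
    print("P(spam | 'mortgage') =", round(f.token_probability("mortgage"), 3))
    print(f.spam_score("Mortgage rate review for the Jones account before Thursday meeting"))
    print(f.spam_score("Click here now for a free mortgage refinance, lowest rates $$$"))
```

With this corpus "mortgage" appears in all four legitimate messages and in one spam, so its spam probability comes out at 0.2 and a mortgage-related internal mail scores close to zero, while the refinance spam is carried to a score near 1 by "click", "here", "free" and "$$$". Training the filter on that spam afterwards raises the probability for "mortgage", which is the adaptation the article describes.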
Source: http://www.gfi.com

New Internet threats (III): spyware -- Posted by Igor_Donchenko on Tuesday, November 25 2003
Spyware is one of the most common types of malware in circulation. As its name suggests, this type of program is designed to snoop on users’ activity, especially when they are connected to the Internet. As any kind of spyware essentially compromises the confidentiality of data stored on a computer, it is considered a potential threat that needs to be dealt with.

These applications collect and send out information about the websites most frequently visited by users, the connection time, etc. Similarly, they can capture data about the computer on which they are installed: operating system, processor, memory, etc. There are even spy programs that detect and report whether the software installed on a PC is genuine or pirated.

These programs have become widespread largely because of a set of common characteristics, including:

  • Near perfect camouflage. Spyware is usually installed along with other applications: P2P clients, hard disk utilities, etc.
  • Inconspicuous file names, which let them go unnoticed among the rest of the files belonging to an application.
  • As they are not viruses and contain no replication routines that would link them to viruses, antivirus programs do not detect spyware unless they have been specifically designed to do so.
  • They show no visible symptoms, either when installed or while running. Users therefore rarely ask whether such applications are present on their computers, and as a result spyware can stay hidden on a system for a long time.
Source: http://www.pandasoftware.com

Protect your confidential data: some hints by DialogueScience, Inc. -- Posted by Igor_Donchenko on Monday, November 24 2003
The sequence of autumn epidemics of the Foo family worms (also known as Mimail; see our news of November 14th and 18th), which used this type of malware to carry trojan components whose main aim was to steal confidential commercial information from victims' PCs, once again highlighted a growing tendency among virus writers to use mass-mailing worms as carriers for their main malicious code. Mail worms attract close attention from computer security experts working in the financial sector, as more and more incidents are recorded in which, besides the trivial function of self-replication via e-mail and a set of standard destructive functions, these programs carry routines that collect confidential information and transmit it to the attackers.

Different categories of users may be attacked, and nobody is guaranteed immunity: those who hold a bank account and use internet banking, online shoppers and internet chatters alike. The creators of such programs take care that they live imperceptibly on the victimised machines, and a computer owner will not always notice that his or her PC is open to an outside intruder.

What can be stolen from a computer? Almost any kind of information: data files, e-mail addresses, IP addresses, passwords, financial information. Special keylogging utilities, once delivered and installed on a system, will record every keystroke you make. Even if you do not keep your credit card number in a file on the hard disk, it can still become known to a criminal through the sequence of keystrokes.

Many will remember the Bugbear mass-mailer outbreak at the beginning of last summer. In addition to its mass-mailing functions the worm had a built-in Trojan keylogging component which saved the stolen data into a file that could be accessed remotely through a port the Trojan opened on the victim's machine. This outbreak became one of the most expensive in the history of computer virology.

Such risks, though very high, can be reduced by strictly following some basic security rules that we would like to remind you of. These rules can significantly lower the probability of losing your financial and other confidential information while you are online.

  • Licensed anti-virus software and a firewall, both regularly updated, are indispensable conditions of your cyber safety. Installing a firewall is especially important for those who use a broadband connection: on the vast expanses of the World Wide Web, unprotected and vulnerable systems are tasty morsels for hackers.
  • Do not download entertainment programs, applets and images from unreliable or unknown sources. Trouble may come attached to the entertainment.
  • When making payments over the internet, make sure your personal information, especially credit card details, is transferred over a protected protocol such as HTTPS.
  • When posting your mail address to message boards, try writing it in the following form:


    mail_box_name @ domain_name_point_com


    Written this way, the address will not fall prey to a robot hunting for mail addresses, but will still be understandable to people who genuinely wish to get in touch with you.
  • Every month internet-banking users receive a statement of account listing the transactions made. Make it a rule to check every listed transaction each month.
  • Malicious programs that use dictionary attacks on passwords to penetrate systems are becoming more frequent. Use complex passwords made up of combinations of letters and digits, and avoid common words, people's names and birth dates.
  • Quite a few viruses already spread through popular internet communication channels, IRC for example. Never use your real name or e-mail address in such conferences, and do not publish any private information about yourself or close relations: such "chats" are archived and can be used by cyber criminals.
  • Credit card companies are understanding towards clients who report unauthorised operations on their accounts and provide evidence of them. Do not hesitate to contact your credit card company as soon as you notice that somebody has been using your account without your permission.
  • Trojanized utilities may reach any folder of your computer, including the Recycle Bin. Take the trouble to alter beyond recognition any file holding an invoice, a statement of account or any other financial document before deleting it. The same applies to incoming and outgoing messages stored in your mail application.
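How much the "mail_box_name @ domain_name_point_com" trick actually buys, as an added example that is not DialogueScience's code: a robot that looks only for the plain user@host.tld shape does miss the disguised address, but a robot that first undoes the spacing and the spelled-out dot recovers it. The message-board text is constructed for the example, and the two regular expressions are assumptions about how a harvester works, not code from any real one.

```python
"""How far spacing out an address protects it from harvesting robots.

Added example for the hint above; not DialogueScience's code. The board
post is constructed and the harvester patterns are assumptions.
"""
import re

# The plain address shape a simple harvester looks for (assumed).
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed board post: one plain address, one written as the hint suggests.
BOARD_POST = (
    "Contact me: jane.doe@example.com, or write to "
    "mail_box_name @ domain_name_point_com if you prefer."
)


def harvest_naive(text):
    """Addresses a simple harvester would collect from the text."""
    return ADDRESS_RE.findall(text)


def deobfuscate(text):
    """Undo the common disguises: spaces around @, [at], [dot] and _point_."""
    t = re.sub(r"\s*(?:@|\[at\])\s*", "@", text)
    t = re.sub(r"_point_|\s*\[dot\]\s*", ".", t)
    return t


def harvest_smart(text):
    """Addresses a harvester that normalises the disguises first would collect."""
    return ADDRESS_RE.findall(deobfuscate(text))


if __name__ == "__main__":
    print("naive:", harvest_naive(BOARD_POST))
    print("smart:", harvest_smart(BOARD_POST))
```

The naive harvester returns only jane.doe@example.com; the second one also returns mail_box_name@domain_name.com. Treat the trick as a deterrent against the simplest robots only, since anyone who has seen the convention can undo it with two substitutions.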
Source: http://www.antivir.ru

CA to offer free antivirus and firewall software to Windows users worldwide -- Posted by Igor_Donchenko on Thursday, November 20 2003
Computer Associates International, Inc. (CA) in conjunction with Microsoft Corp. today announced an offer to provide qualified Windows home computer users with a no-charge, one-year subscription to CA's eTrust EZ Armor antivirus and firewall desktop security suite.

eTrust EZ Armor - the consumer version of CA's enterprise-class security technology - will dramatically improve the safety of individual home PC use, and greatly limit the proliferation of Internet threats.

CA will aggressively promote this special offer as part of Microsoft's "Protect Your PC" campaign. A download link for eTrust EZ Armor is featured on the Protect Your PC site on Microsoft's Web site, located at: http://www.microsoft.com/security/protect.

"The widespread embrace of PCs and the Internet has put extremely powerful technology in the hands of consumers," said Toby Weiss, senior vice president of eTrust solutions at CA. "To ensure the safety and integrity of the Internet experience, we are making CA's powerful enterprise-class security technology readily available to home computer users while supporting Microsoft's Protect Your PC campaign."

Experts agree that the large number of personal computer users operating without up-to-date antivirus software and/or a personal firewall collectively represents one of the single greatest information security risks to users of the Internet. By offering eTrust EZ Armor for one year at no charge, CA is addressing this critical issue for users of Windows XP, Windows 2000, Windows Millennium Edition and Windows 98/Windows NT.

"Helping Windows customers get more secure and stay protected is a top priority for Microsoft," said Tom Button, corporate vice president of Windows at Microsoft Corp. "We're very pleased that CA's eTrust EZ Armor software offer extends our Protect Your PC program and gives customers a great option for getting more secure."

According to the eighth annual ICSA Labs Virus Prevalence Survey, there are roughly 105 virus infections per 1,000 PCs per month. This has increased steadily from 32 per 1,000 in 1998. A recent survey conducted by AOL also revealed that 62 percent of home broadband users did not have recently updated antivirus software on their machines.

Viruses and worms have caused billions of dollars in damage worldwide this year, with the SoBig worm alone costing individuals and business more than $29 billion, according to the London-based digital risk assessment firm mi2g. eTrust EZ Armor addresses the key steps for effective PC protection as outlined in Microsoft's Protect Your PC program by delivering:

  • Enterprise-class antivirus technology, based on CA's award-winning eTrust Antivirus and certified by ICSA Labs
  • Daily updates to protect against malicious computer risks such as viruses, worms and Trojans
  • An easy-to-use, pre-configured personal firewall
  • The ability to control and weed out pop-ups, cookies and other invasive code
eTrust EZ Armor is specifically designed for easy and intuitive use by computer users at all skill levels. At just 18 MB, it is also designed to be extremely effective without burdening PC resources.

eTrust EZ Armor is a $49.95 retail value. This free subscription for qualified Windows users is available for download through June 30, 2004, and provides one year of personal firewall and antivirus protection including daily virus signature updates. Complete information on eTrust EZ Armor software and CA's free offer is available at http://www.my-etrust.com/microsoft.

Source: http://www.cai.com

New Internet threats (II): dialers -- Posted by Igor_Donchenko on Wednesday, November 19 2003
One of the types of malware (‘any programs, documents or messages that can have detrimental effects on computers’) that is becoming more and more problematic nowadays is dialers.

Dialers are small programs that dial up phone numbers for accessing certain services. Originally, these types of applications were distributed by Internet service providers to help clients connect to their servers.

A little later, other services that were accessible from computers were also developed. These services, which were mainly related to pornography, were only available through special high-rate telephone numbers and as a result, dialers were developed to allow users to access them.

However, it wasn't long before malicious users realised that, used in a certain way, dialers for accessing these services could be extremely profitable. This is when dialers started being inserted in web pages across the Internet. These pages were designed to download, install and run dialers that automatically connected the affected computer to high-rate phone numbers without the user realising. At around the same time, viruses appeared that were designed to do the same, with the advantage that they could spread more rapidly.

This process results in a new dial-up networking connection being created, and that number is then set as the default for connecting to the Internet. An even more dangerous consequence is that the dialer can alter the dial-up connection the user normally uses, so that when the user tries to connect, the number dialled is no longer the Internet service provider's but a high-rate toll number.

In either case the result is the same: the user receives an exorbitant phone bill. Phone bills run up by dialers have been significant enough to be reported by the media on many occasions. What's more, the majority of the fee goes directly into the pocket of the author of the program that installed the dialer on the affected computer.
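A check for the two effects just described (a new entry that dials a premium number, and an existing provider entry whose number has been rewritten), added here as an example and not Panda Software's code. It parses an INI-style phonebook in the layout Windows keeps in rasphone.pbk ([EntryName] sections with a PhoneNumber= key). The phonebook text is constructed, and the premium-rate and international prefixes are assumptions for a US-style numbering plan; adapt them to your own country.

```python
"""Spot dial-up entries that point at premium-rate or foreign numbers.

Added example for the dialer description above; not Panda Software's
code. The phonebook text and the prefix lists are assumptions.
"""
import re

# Constructed phonebook: a normal ISP entry and what a dialer leaves behind.
SAMPLE_PBK = """\
[My ISP]
Encoding=1
Type=1
PhoneNumber=5551234
AutoLogon=0

[Internet]
Encoding=1
Type=1
PhoneNumber=0019005550199
AutoLogon=1
"""

# Assumed prefixes: US 1-900 / 1-976 premium numbers, dialled directly or
# behind the 00 international escape, plus a generic international rule.
PREMIUM_PREFIXES = ("1900", "1976", "001900", "001976")
INTERNATIONAL_PREFIXES = ("00", "+")


def parse_phonebook(text):
    """Return {entry_name: {key: value}}; a repeated key keeps its last value."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            entries[current][key.strip()] = value.strip()
    return entries


def normalise(number):
    """Drop spaces, dashes and brackets so prefixes compare cleanly."""
    return re.sub(r"[\s()\-]", "", number)


def classify(number):
    """'premium', 'international' or 'local' for a dialled number."""
    n = normalise(number)
    if n.startswith(PREMIUM_PREFIXES):
        return "premium"
    if n.startswith(INTERNATIONAL_PREFIXES):
        return "international"
    return "local"


def suspicious_entries(text, expected=None):
    """List (entry, number, reason) for entries that deserve a look.

    expected maps entry names to the number they should dial, so that a
    rewritten ISP entry is caught even when the new number looks local.
    """
    expected = expected or {}
    findings = []
    for name, keys in parse_phonebook(text).items():
        number = keys.get("PhoneNumber", "")
        kind = classify(number)
        if kind != "local":
            findings.append((name, number, kind))
        elif name in expected and normalise(expected[name]) != normalise(number):
            findings.append((name, number, "rewritten"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_PBK, {"My ISP": "555-1234"}):
        print(finding)
```

On the sample phonebook the check reports the "Internet" entry as premium-rate and leaves "My ISP" alone; passing a different expected number for "My ISP" makes it report that entry as rewritten, which is the second trick the article describes.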

Source: http://www.pandasoftware.com

A New Version of Mimail Spreads -- Posted by Igor_Donchenko on Tuesday, November 18 2003
Kaspersky Labs has detected Mimail.i, a new version of the Mimail Internet worm in the wild.

Like its predecessors, the latest version of Mimail spreads as an email attachment named paypal.asp.scr. The sender address is forged and appears as donotreply@paypal.com. The subject is also a deliberate attempt to fool the recipient and purports to be information about the user's PayPal account; the subject line reads 'YOUR PAYPAL.COM ACCOUNT EXPIRES'. The body of the message contains English text asking the recipient to update their personal PayPal information using the attached file.

The worm gains control of a victim machine only if the attachment is opened. If the victim launches Mimail, the worm opens a dialogue box asking for PayPal credit card information. Any data entered is saved in a file named ppinfo.sys, which the worm mails to the virus writer.

Source: http://www.avp.ru

New Internet threats (I): Spam -- Posted by Igor_Donchenko on Thursday, November 13 2003
The term malware can be defined as ‘any programs, documents or messages that can have detrimental effects on computers’. Viruses, therefore, are only a small part of an ever-expanding group, which covers all types of IT security threats, including spam, dialers and spyware, and whose effects can be just as damaging as any virus attack.

One of the biggest dangers on the Internet today is spam or unsolicited commercial mail, as it can cause damage at many different levels.

The term ‘spam’ is said to have originated from a Monty Python sketch. The sketch takes place in a restaurant where all the dishes on the menu include the canned luncheon meat SPAM. When the waitress reads out the menu a group of Vikings sing a chorus of “spam, spam, spam...” louder and louder, drowning out other conversation. The term probably started to be used to describe unsolicited commercial mail because it drowns out legitimate mail.

The financial damage caused by this type of malware can be calculated in terms of the number of working hours lost around the world every day by users having to delete these messages, without even reading them. Take a network with five hundred workstations as an example: if each workstation receives ten spam messages a day and ten minutes are spent deleting them, that is over eighty working hours lost every day, and it is easy to calculate how many are lost in a year. What's more, if the subject is attractive enough to entice the user into reading the message or connecting to an Internet address given in the text, the number of working hours lost increases significantly.

However, spam also entails other dangers. For example, although it is not very common, it can carry viruses or other malicious code, or contain links to web pages designed to download software onto the computer without the user realising. This is probably the method that Sobig.F used to become 'the fastest-spreading virus in computer history'.

How to protect against spam

In the fight against unsolicited commercial mail, users have one big advantage: most spam messages have characteristics that make them quite easy to identify. Almost all spam tries to persuade the user to buy a certain product, using similar buzzwords. A special software program can therefore draw up a mail profile in order to categorise messages as spam and delete them before they reach the mail client or the recipient's mailbox.

Source: http://www.pandasoftware.com

World first virus jubilee - they've been around for 20 years! -- Posted by Igor_Donchenko on Thursday, November 13 2003
The 20th century, like no other period in the history of mankind, was rich in astonishing discoveries and inventions, some of them useful and helpful in our lives, some bringing disasters and calamities.

A "dubious" jubilee is being marked these days by the computer community, with no congratulations for the hero of the occasion: the twentieth anniversary of the first computer virus. The concept of a self-replicating program, put forward and investigated by John von Neumann, goes back to the 1950s, though 1983 is considered the year the first virus was designed.

In 1962 Vyssotsky, McIlroy and Robert Morris of Bell Telephone Laboratories, USA, created a game named Darwin. During the game, computer programs called "organisms" were loaded into the computer's main memory and tried to destroy each other. It was then that the "organisms" of that game came to be called "viruses", although the term "virus" was first applied a little later, in 1972, when the game gained popularity and spread to other research centres and institutes.

Humanity responded promptly to the innovation. In 1975 John Brunner's science fiction novel The Shockwave Rider was published; the book described "worms", self-propagating computer programs. It is quite possible that the publication of the book acted as a stimulus for the creation of the Morris worm in 1988, though the practical development of such a program was pure fiction at the time of writing. The Morris worm opened the epoch of large-scale computer epidemics that embrace the whole cyber world within a few days or even hours.

In 1977 the number of Apple II personal computers reached 3 million. In the late 1970s, data-transmission networks running over the ordinary telephone system began to grow rapidly in the USA. At the same time, Bulletin Board Systems, the prototype of modern file-sharing networks, began operating: programmers placed computer programs there, and anyone could download and install them. That was when computer hooliganism and vandalism, in the form of programs that destroyed data on the victimised PC or simply displayed innocent pictures, was born.

In 1983 Fred Cohen, a student at the University of Southern California, devised the first UNIX virus as a proof of concept and gave the definition of the term "virus". That very year computer virology was born, and with it the history of billions in business losses and millions in anti-virus companies' profits.

In the 20 years of viruses' existence their number has exceeded 60,000. Some of them show extreme vitality and continue to travel the world for years. Their code becomes ever more compact, their replication mechanisms more sophisticated and refined.

Source: http://www.antivir.ru

Monthly virus review by DialogueScience, Inc.- October 2003 -- Posted by Igor_Donchenko on Wednesday, November 12 2003
October, though poor in new remarkable virus events, preserved the stable "leadership" of the Win32.HLLM.Gibe.2 mass-mailing worm, also known as Swen. This worm seems finally to have displaced from the first line of the virus charts its predecessor Win32.HLLM.Yaha.4, the undisputed leader of the virus world this year until mid-August. Though the latter still comes second among viruses detected in mail traffic, the gap between leader and pursuer is considerable: 7 to 1.

More and more often the top of the virus chart is occupied by viruses whose authors use so-called social engineering techniques for propagation, masquerading them as patches for Microsoft Windows operating systems. This is easily explained by users' genuine intent to apply patches from Microsoft, which rocketed after the virus epidemics of last August. Unfortunately, few of them have the patience to download patches from the Internet, as the size can be oppressively large. The tempting possibility of installing a patch already received by e-mail, which means the user need not waste precious time downloading huge files over a dial-up connection, deadens security considerations. This explains not only the enormous proliferation of Win32.HLLM.Gibe.2, but also the fourth place in the October statistics of Win32.HLLM.Dumaru, which first surfaced during the global panic caused by the outbreak of the Win32.HLLW.LoveSan internet worm.

Falling for the virus writers' tricks, users forget the paramount rule of cyber security, repeated time and again by all anti-virus vendors and by Microsoft itself:

Microsoft never e-mails patches; they are available for download from the company's official sites ONLY!
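A mail-gateway check that enforces this rule and the Mimail.i lure described in the November 18 item above (a forged donotreply@paypal.com sender with a paypal.asp.scr attachment), added here as an example and not Kaspersky's, DialogueScience's or Microsoft's code. It uses the standard email module; the three sample messages are constructed, and the executable-extension list and the set of sender domains that never mail executables are assumptions.

```python
"""Flag mail that hides an executable behind a trusted sender's name.

Added example covering the fake Microsoft patches above and the Mimail.i
PayPal lure; not vendor code. Messages, extension list and the list of
senders that never mail executables are assumptions for the example.
"""
import email
import email.utils
from email import policy

EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Assumed: senders that, per the rule above, never distribute executables by mail.
NEVER_MAIL_EXECUTABLES = {"paypal.com", "microsoft.com"}

# Template for constructed sample messages (not real captures).
TEMPLATE = """\
From: {sender}
To: victim@example.com
Subject: {subject}
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

{body}
--b1
Content-Type: application/octet-stream; name="{filename}"
Content-Disposition: attachment; filename="{filename}"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


def constructed_message(sender, subject, body, filename):
    """Build a sample message for the example."""
    return TEMPLATE.format(sender=sender, subject=subject, body=body, filename=filename)


MIMAIL_I = constructed_message("donotreply@paypal.com", "YOUR PAYPAL.COM ACCOUNT EXPIRES",
                               "Please update your PayPal information using the attached file.",
                               "paypal.asp.scr")
FAKE_PATCH = constructed_message('"Microsoft Security Center" <update@microsoft.com>',
                                 "Cumulative patch for Windows",
                                 "Install the attached update.", "patch.exe")
BENIGN = constructed_message("colleague@example.com", "October report",
                             "Report attached.", "report.pdf")


def sender_domain(msg):
    """Domain of the From: address as written (forgeable, which is the point)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def dangerous_attachment(filename):
    """Reason text if the name ends in an executable extension, else None.

    A double extension such as paypal.asp.scr is reported separately:
    it is the classic disguise used by these worms.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) > 2:
        return "double extension " + filename
    return "executable attachment " + filename


def assess(raw):
    """Reasons to quarantine a raw RFC 822 message; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            reason = dangerous_attachment(name)
            if reason:
                reasons.append(reason)
    domain = sender_domain(msg)
    if reasons and domain in NEVER_MAIL_EXECUTABLES:
        reasons.append("executable claimed to come from " + domain)
    return reasons


if __name__ == "__main__":
    for label, raw in (("Mimail.i", MIMAIL_I), ("fake patch", FAKE_PATCH), ("benign", BENIGN)):
        print(label, assess(raw))
```

The check deliberately keys on what the user sees (the attachment name and the claimed sender) rather than on a signature, so it also stops the next variant that changes its byte pattern but keeps the same lure; a genuine patch is never delivered this way, so the false-positive cost of the microsoft.com rule is nil.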

The series of Nicky worms (also known as Sexer), which emerged in the second half of October and hit the Runet mostly, looked like a funny nuisance and joined the class of politically motivated pests used to promote one of the candidates in the Moscow mayoral election. The most widespread in October was the third variant of this worm, Win32.HLLM.Nicky.3, sent out as an anti-virus utility.


Statistics – October, 2003

413 new entries were added to the Dr.Web® virus database in October 2003. The distribution by virus type is:

  • Trojan programs - 253
    • backdoors - 89
  • DDOS-viruses - 34
  • FDOS-viruses - 30
  • Network worms - 23
  • Mail worms - 18
  • Macro viruses - 6
  • Script viruses - 5
  • BAT-viruses - 3
  • Parasitic viruses - 2
864 viruses of 250 different species were detected in files submitted for the online virus check at the DialogueScience, Inc. site during the month.

Below is a summary table of this month's online check results:

Ranking  Virus name                   Quantity
1        VBS.Redlof                   59
2        Win32.HLLM.Yaha.4            51
3        Win32.HLLM.Gibe.2 [Swen]     49
4        Win32.HLLW.LoveSan.based     37
5        W97M.Thus                    29
6        Win32.HLLM.Bugbear.2         28
7        Win32.HLLM.Dumaru            26
8        IRC.Random                   22
9        Trojan.Isbar                 17
10       Win32.Klez.4926              17
11       Trojan.Tooncom               15
12       W97M.Eight                   14
13       Trojan.Dyfuca                12
14       Win32.HLLM.Nicky.3           12
15       Trojan.StartPage.36864       11

We also offer a summary table of viruses detected at mail servers in October. More than 4.2 million viruses of 566 species were caught by Dr.Web anti-virus filters last month (for comparison: in September 4.3 million viruses of 540 species, in August 7.3 million of 625 species, in July 2.17 million of 1006 species).

Ranking  Virus name                       Percentage, %
1        Win32.HLLM.Gibe.2 [Swen]         61.8072
2        Win32.HLLM.Yaha.4                14.7374
3        Win32.HLLM.Klez.4                 5.2773
4        Win32.HLLM.Dumaru                 4.2076
5        Win32.HLLM.Reteras [Sobig.f]      3.5391
6        Win32.HLLM.Bugbear.2              3.3409
7        Win32.HLLM.Gibe.3                 1.3491
8        Win32.HLLM.Foo.26432 [Mimail]     1.2835
9        Win32.HLLM.Nicky.3                0.7229
10       Win32.HLLM.Yaha.64000             0.6455
11       VBS.Redlof                        0.4226
12       Win32.Roger.45056                 0.2791
13       Win32.HLLM.Odin [Sober]           0.2413
14       Win32.HLLM.Klez.1                 0.1828
15       Win32.HLLM.Yaha.based             0.1441

Source: http://www.antivir.ru

Virus writer wanted for $250 000! -- Posted by Igor_Donchenko on Wednesday, November 12 2003
Viruses, worms, Trojan horses and other malicious programs surface on the World Wide Web by the thousand every day, but reports of virus writers' arrests are scarce. In most cases the global network, like a real black hole, does not reveal the names of its evil geniuses. The rare reports of a virus writer's detention are mostly connected with large bank robberies (as in the case of the penetration of Absa bank clients' accounts in South Africa, or the much-discussed break-in by a Russian hacker into the security system of the American Citibank). Sometimes the headline news reports a massively spread mass-mailing pest whose distribution and activity cause losses amounting to billions.

Several months have already passed since the highly virulent Win32.HLLW.LoveSan (MSBlast) was unleashed into the wild. The virus caused damage that broke all records in the virus chart of all time, but its author has not yet been found. The same goes for another virus writer, the author of the no less devastating Win32.HLLM.Reteras (SoBig.F) mass-mailing worm, which turned the world's internet channels into a sticky, impassable swamp.

Officials from Microsoft, the FBI and Interpol, at a joint press conference held this Wednesday, announced a reward for valuable information about the originators of these two insidious worms: 250,000 dollars per "head". The conference was held in the framework of the Anti-Virus Reward Program proclaimed by Microsoft; the total allocated by the company for the program reaches $5 million.

That the reward was announced for these two particular virus authors is probably explained by the absence of real trails leading to them, and is not accidental. Both became the most costly viruses in the history of computer virology. Both spread through Windows systems: LoveSan by exploiting a hole in Windows that the company itself rated as critical, SoBig.F by tricking users into opening its attachment. Both damaged Microsoft's reputation, which the corporation is undertaking such PR moves to restore.

Cyber security experts believe the announced reward will hardly reduce the number of new viruses, nor the number of those wishing to experiment with designing malicious code. Most likely it will make them exchange malicious code less often and communicate with each other less and more cautiously.

Nevertheless, cyber criminals can sometimes be traced and caught. A few days ago there was a report on the arrest of a 39-year-old Italian involved in the development and distribution of the Win32.HLLM.Marquee mass-mailing worm last October. Despite the small number of Italian-speaking users (the text of the message was composed in Italian), plenty of careless people visited the site that the link embedded in the HTML mail message led to. When the web page was opened, a screen saver containing Italian text was downloaded to the victim's computer, followed by the executable module of the worm itself. As a result, the infected computer became a system that contaminated all the contacts in its address book, to which the worm automatically sent itself. On the victimised computer the worm changed the dial-up connection phone number to one in Aruba, along with the user name and access password. The Marquee worm clocked up 57,000 minutes and its author's income exceeded 100,000 euros.

Source: http://www.antivir.ru

CA Bundles Backup and Antivirus Together -- Posted by Igor_Donchenko on Tuesday, November 11 2003
Computer Associates (CA) has put storage management and virus protection functions into a single package by bundling its Brightstor ArcServe Backup 9.0 software with its eTrust Antivirus scan-protection application.

Called the CA Protection Suite, the new offering fully integrates the two software products, allowing them to work together seamlessly, according to David Liff, vice president of storage at CA.

The ArcServe Backup/eTrust integration allows files to be scanned for viruses when they are backed up as well as when they are stored.

Files that are scanned during a backup are tagged as "scanned" so they don't have to be rescanned in the restore process, Liff said.

Greg Knieriemen, vice-president of marketing at reseller Chi, said: "From what we've seen, the marriage [of storage and security] can be very successful.

"Security is creeping up more and more as part of storage. But until now, we've had no single solution in our back pocket."

Antivirus scanning is emerging as an important issue in the burgeoning disk-to-disk backup space, Knieriemen said.

"With disk-to-disk backups, you are constantly overwriting data to a hard drive. And if there is no time mark on the data, you could be overwriting data with corrupted data or files," he said.

Jason Rabbetts, managing director of VAR Source Consulting, said the move made sense. "Data security and data storage are entwined anyway, and both come under the remit of data protection.

"A bundle such as this would be attractive for SMEs in particular. But I still see larger organisations selecting more specialist products for each area," he said.

The CA Protection Suite for the Windows environment is already shipping.

Panda Software warns users about the wave of new variants of the Mimail worm -- Posted by Igor_Donchenko on Tuesday, November 11 2003
PandaLabs has detected three new variants, E, F and G, of the Mimail worm which, according to data collected by Panda Software’s international tech support network, have already started causing incidents.

The new variants of Mimail are very similar to their predecessors and are designed to mass mail themselves using their own SMTP engine. They also try to carry out denial of service (DoS) attacks on several websites. When these worms are run on a computer, they go memory resident.

All of these variants reach computers in e-mail messages that use so-called social engineering techniques to trick users into running the attached file, which actually contains the worm. The characteristics of the messages carrying the different variants of Mimail are available in Panda Software’s Virus Encyclopedia.

With the appearance of these three new variants of Mimail, in addition to variants C and D that Panda Software warned users about just a few days ago, it seems that the author or authors of these viruses want to spread as many worms as possible in order to increase the probability of a computer being hit by a variant of Mimail.

Due to the high possibility of being infected by one of these variants, Panda Software advises users to treat all e-mails received with caution, and to update their antivirus solutions if they haven’t already done so.

Source: http://www.pandasoftware.com

Top Ten viruses most frequently detected by Panda ActiveScan in October -- Posted by Igor_Donchenko on Tuesday, November 11 2003
According to the data gathered by Panda ActiveScan, Panda Software’s free online scanner, Bugbear.B once again heads the monthly list of the most virulent malicious code.
In September, this worm was responsible for just over five percent of infections detected by ActiveScan. In October however, it was responsible for over two percent more. This increase can no doubt be explained by its capacity to mass-mail itself and to exploit a vulnerability in Internet Explorer to run automatically.

Bugbear.B is closely followed by Gibe.C, which was also the culprit in just over seven percent of incidents. This worm spreads via e-mail in a message which perfectly imitates the design of a Microsoft website to trick users into thinking that the attachment is a security patch.

In third place is the Blaster worm, which was responsible for just under six percent of infections. The fact that this worm spreads directly via the Internet and exploits the RPC DCOM vulnerability in Windows allows it to continue infecting unprotected computers.

Parite.B takes fourth place, having caused just over five percent of incidents. This virus spreads through the means normally used by viruses: CD-ROMs, Internet downloads, e-mail, etc. as well as across local networks.

In fifth and sixth place are Klez.I, with over four and a half percent, and PSW.Bugbear.B, with over three and a half percent.

Two variants of the Blaster worm, Blaster.E and Blaster.C, come in sixth and seventh place, with over three percent of incidents each. Finally, at the bottom end of the ranking are Nachi.A and EnerKaz with over two and half percent of infections each.

From the data collected by Panda Software's free online antivirus last month, it can be concluded that many computer users still haven't applied the security patches released by Microsoft. Eight of the Top Ten malicious codes spread by exploiting security flaws in the software installed on computers. In fact, the first virus in the ranking that does not rely on users having failed to apply security patches in order to spread is Parite.B, in fourth place, and the second, EnerKaz, is in tenth place.

Ranking   Virus Name           Percentage
1         W32/Bugbear.B        7.14%
2         W32/Gibe.C.worm      7.02%
3         W32/Blaster          5.95%
4         W32/Parite.B         5.17%
5         W32/Klez.I           4.53%
6         Trj/PSW.Bugbear.B    3.63%
7         W32/Blaster.E        3.20%
8         W32/Blaster.C        3.17%
9         W32/Nachi.A          2.58%
10        W32/EnerKaz          2.55%

Source: http://www.pandasoftware.com

Kaspersky Labs presents the twenty most widespread viruses for October 2003 -- Posted by Igor_Donchenko on Monday, November 10 2003

Position   Change     Virus Name                          Percentage by Occurrence
1          +1         I-Worm.Swen                         70.94%
2          +4         I-Worm.Tanatos                      1.13%
3          =          I-Worm.Mimail                       1.07%
4          +4         Worm.Win32.Lovesan                  0.89%
5          +6         Backdoor.SdBot                      0.70%
6          new        I-Worm.Sober                        0.63%
7          +2         Worm.P2P.SpyBot                     0.59%
8          -7         I-Worm.Sobig                        0.52%
9          new        Backdoor.Ciadoor                    0.47%
10         +3         VBS.Redlof                          0.39%
11         re-entry   TrojanDropper.Win32.Small           0.38%
12         new        Backdoor.Agobot                     0.30%
13         -3         Win95.CIH                           0.29%
14         +4         Backdoor.Optix.Pro                  0.28%
15         new        TrojanProxy.Win32.Hino              0.23%
16         re-entry   Backdoor.IRCBot                     0.23%
17         -3         Win32.Parite                        0.22%
18         new        Keylogger.Win32.PerfectKeyLogger    0.21%
19         re-entry   Macro.Word97.Flop                   0.18%
20         re-entry   Trojan.Win32.StartPage              0.18%
                      Other Malicious Programs*           4.52%
* not included in the Top Twenty

The October Virus Top Twenty has brought some unexpected surprises.

Firstly, the list has dropped the Klez and Lentin Internet worms, which had been mainstays of the Virus Top Twenty since November 2001 and March 2002 respectively. Additionally, the Sobig Internet worm, which had occupied the top spot over the past several months, has dropped drastically from first to eighth position.

The top spot is now held by a newcomer, the Swen worm, which appeared just one and a half months ago in mid-September. In fact, Swen dominates the list, claiming over 70% of all registered incidents, while its closest rivals, the Tanatos and Mimail worms, accounted for just over 1% each.

Another unexpected development in October is the significant growth in the number and variety of Trojan programs appearing. An impressive total of nine malicious programs belonging to the Trojan family made the list. In aggregate, Trojan programs accounted for well over double the total for computer viruses: 6.46% to 2.77%.

Summary:

  • New malicious programs appearing in the October list are: Sober, Ciadoor, Agobot, Hino, PerfectKeyLogger
  • Moving up are: Swen, Tanatos, Lovesan, SdBot, Spybot, Redlof, Optix.Pro
  • Moving down are: Sobig, CIH, Parite
  • Returning to the list are: Small, IRCBot, Flop, StartPage
  • Holding firm at its previous position is the Mimail Internet worm in third

October Evil Top Ten from BitDefender -- Posted by Igor_Donchenko on Saturday, November 8 2003
October's Evil Top Ten is naught but a collection of midgets and have-beens. Msblast.A is still on top of our top, running strong with twice the number of infected machines it had chalked up last month, but the rest of the list is just as peaceful as we like it.

Ranking   Virus Name                 Percentage
1         Win32.Msblast.A            34.2%
2         Win32.BugBear.B@mm         12.5%
3         Win32.Swen.A@mm            10.0%
4         Win32.Parite.B             8.2%
5         Win32.HLLP.Hanta.A         7.0%
6         Win32.HLLW.Agobot.G        7.1%
7         Win32.Worm.Welchia.A       6.3%
8         Win32.P2P.Tanked.B         5.2%
9         JS.Trojan.NoClose.K        4.8%
10        Win32.Klez.H@mm            4.7%

Although it may seem that things have calmed down, there are some signs of fresh viral activity scattered across these first days of November. One of the new viruses discovered earlier this week is Sober.A, which seems to be spreading a great deal and might be worth considering for next month's ranking. The statistics strongly indicate this trend: after just a few days in the wild, Sober.A is climbing very fast in the weekly virus top and, more interestingly, the infection ratio keeps going up. Today, the number of newly infected systems rose to 48% of the total number of infections reported in the previous four days.

Based on past experiences, we strongly suspect that next month will see a renewed flurry of activity on the virus front, but until then BitDefender prefers to keep its users still interested and perfectly protected.

The report, called the "Evil Top Ten", is based on the number of virus occurrences confirmed through BitDefender Response Team tracking.

New Mimail Worm Promises Exotic Photographs & Harasses E-Gold -- Posted by Igor_Donchenko on Sunday, November 2 2003
Kaspersky Labs, a leading data security software developer, reports the detection of Mimail.c - a new modification of the infamous network worm, Mimail. There have been numerous registered reports of infection from this malicious program.

Mimail.c is a classic e-mail worm, spreading via email messages containing the following characteristics:

Sender address:

james@recipient's domain

Subject:

Re[2]: our private photos

Message body:

Hello Dear!,
Finally i've found possibility to right u, my lovely girl :)
All our photos which i've made at the beach (even when u're without ur bh:))
photos are great! This evening i'll come and we'll make the best SEX :)

Right now enjoy the photos.
Kiss, James.

Attachment:

photos.jpg.zip

It is interesting to note that the sender address of infected messages is formed with the domain of the recipient. This tactic makes it harder to localize the infection epicentre and may give recipients the impression that the message came from a colleague or acquaintance.

If someone carelessly opens the infected file attachment and launches Mimail.c, the worm installs itself on the computer and proceeds to spread through the network. Firstly, Mimail.c copies itself to the Windows directory under the name netwatch.exe, then registers this file in the auto-run key in the system registry, and creates several additional helper files. To create one of these files, the Mimail worm uses a built-in ZIP archiving procedure. To mail itself out, Mimail.c uses another built-in function, a procedure to spread itself via e-mail using the SMTP protocol. The worm scans files in the Shell Folders and Program Files directories and takes from them text strings likely to be e-mail addresses. Next, unbeknownst to the victim, Mimail.c mails itself out to the e-mail addresses found.

Mimail.c has the added ability to cause significant damage to those using the E-Gold payment system. The worm traces the activity of E-Gold applications installed on infected machines, records confidential data from them, and sends this information out to several anonymous e-mail addresses owned by the worm's creator.

Additionally, all infected computers are exploited to carry out a distributed DoS attack on the www.darkprofits.com and www.darkprofits.net web sites, sending to them an endless cycle of random data packets.

Source: http://www.avp.ru

Sober Sings the Praises of Sobig -- Posted by Igor_Donchenko on Sunday, November 2 2003
Kaspersky Labs, an expert in data security software development, warns about the start of a virus epidemic from the Sober Internet worm. Sober was first detected this past Saturday, but is now observed surging in activity in connection with the beginning of the workweek.

Sober is a classic Internet worm that spreads via e-mail. Infected e-mail messages can have various body texts in English and in German; additionally the infected file attachment can have one of several file extensions (PIF, BAT, SCR, COM, EXE). All of this makes it significantly more difficult to identify from outside appearances.

Example of a message infected with the Sober:

Subject:
New Sobig-Worm variation (please read)

Message body text:
New Sobig variation in the net.
You must change any settings before the worm control your computer!
But, read the official statement from Norton Anti Virus!

Attachment name:
NAV.pif

If the infected attachment is mistakenly opened the Sober worm is activated and proceeds to display a false error message:

File not complete!

Using different file names, Sober creates three copies of itself in the Windows system directory, and registers these copies in the system registry's auto-run key. Next, the worm launches its spreading routine in which Sober first searches victim computers for files that may contain e-mail addresses (such as HTML, WAB, EML, PST, etc. file types), and then clandestinely, under the guise of the computer owner, sends itself out to the e-mail addresses found.

The worm's body contains text strings in which its author expresses his admiration for the creator of another network worm, Sobig.

Source: http://www.avp.ru
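The two Kaspersky articles above describe traits a mail gateway can act on without a signature: Mimail.c forges its sender address in the recipient's own domain and ships a decoy double extension (photos.jpg.zip), while Sober arrives as an executable attachment (PIF, BAT, SCR, COM or EXE). The following Python script is an added example, not code from Kaspersky Labs or from this site, that turns those traits into inbound triage rules and runs them over constructed sample messages. The addresses, domains, message text and finding labels are assumptions made for the example.

```python
"""Inbound-mail triage rules built from the Mimail.c and Sober descriptions.

Added example; the sample messages below are constructed, not real captures.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment extensions the Sober report lists (PIF, BAT, SCR, COM, EXE).
EXECUTABLE_EXTENSIONS = {"pif", "bat", "scr", "com", "exe"}
ARCHIVE_EXTENSIONS = {"zip"}
# Harmless-looking extensions a worm places before the real one (photos.jpg.zip).
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "txt", "doc", "pdf"}


def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_in_recipient_domain(msg: EmailMessage) -> bool:
    """Mimail.c forges james@<recipient's own domain>. Internal-looking senders
    should not be arriving through the inbound gateway, so this is an indicator."""
    sender, recipient = domain_of(msg.get("From")), domain_of(msg.get("To"))
    return bool(sender) and sender == recipient


def attachment_findings(filename: str) -> list:
    """Indicators for one attachment name (executable or decoy double extension)."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable-attachment:{filename}")
    if (len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS
            and ext in EXECUTABLE_EXTENSIONS | ARCHIVE_EXTENSIONS):
        findings.append(f"decoy-double-extension:{filename}")
    return findings


def triage(raw: bytes) -> list:
    """Parse one RFC 5322 message and return the indicators found (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if sender_in_recipient_domain(msg):
        findings.append("sender-in-recipient-domain")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            findings.extend(attachment_findings(name))
    return findings


def build_sample(sender, recipient, subject, body, attachment_name) -> bytes:
    """Construct a sample message (placeholder bytes stand in for the attachment)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    msg.add_attachment(b"constructed-placeholder-bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples shaped like the two messages quoted in the articles.
MIMAIL_LIKE = build_sample("james@example.org", "alice@example.org",
                           "Re[2]: our private photos",
                           "Right now enjoy the photos.", "photos.jpg.zip")
SOBER_LIKE = build_sample("someone@elsewhere.example", "alice@example.org",
                          "New Sobig-Worm variation (please read)",
                          "read the official statement", "NAV.pif")
BENIGN = build_sample("bob@partner.example", "alice@example.org",
                      "Q3 report", "Report attached.", "report.pdf")

if __name__ == "__main__":
    for label, raw in (("mimail", MIMAIL_LIKE), ("sober", SOBER_LIKE), ("benign", BENIGN)):
        print(label, triage(raw))
```

The sender-domain rule is only an indicator on its own; legitimate internal mail that loops through the gateway would also match, so in practice it is combined with the Received path or the attachment findings before quarantining.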

© AntivirusWorld.com