News archive about antivirus software, virus threats, trojans

March 2005
90% of computers in companies are affected by spyware, informs Panda Software -- Posted by Igor_Donchenko on Thursday, March 31 2005
Spyware is one of the most common security risks and directly affects user privacy. What's more, it is one of the main reasons why users call internal technical support centers in companies. The data is surprising: according to a recent report compiled by the companies Webroot and Earthlink, 9 in 10 computers have spyware installed. This means that 90 percent of computers are affected by this type of malware. What's more, an average of 25 spyware programs were installed on the computers studied. Similarly, data collected by Panda Software's free online antivirus solution, Panda ActiveScan (the new version of which also detects spyware), shows that 84 percent of the malware installed on computers is spyware.
Spyware refers to IT programs that collect personal information about users without their consent, such as the software stored on an individual's computer, Internet browsing habits, pages visited, etc. This information is transmitted to third parties for advertising purposes.
Luis Corrons, head of PandaLabs explains, "Spyware is not usually detected by traditional antivirus solutions, unless they have been programmed specifically to do so. What's more, it is important to bear in mind that there are thousands of spyware programs in circulation and due to the way in which they are installed on computers, it is extremely easy for computers to be infected by one of them."
Companies could be hit the hardest by this type of malware, not only because of the risk to user privacy, but also due to the high internal support costs spyware generates by causing instability and performance problems in computers, as well as the extra resources they use.
Source: http://www.pandasoftware.com
Virus writers exchanging information -- Posted by Igor_Donchenko on Wednesday, March 16 2005
Virus analysts at Kaspersky Lab have been investigating the recent Bagle outbreak, and come to the conclusion that the authors of Bagle, Zafi and Netsky are working hand in hand with each other.
SpamTool.Win32.Small.b, a malicious program which harvests email addresses from infected machines, was first detected by Kaspersky Lab analysts on 15th February. Email addresses of antivirus companies are excluded from the list it compiles. Further analysis of the situation reveals that the mass mail of this program was a preliminary stage in the attack carried out by Bagle on 1st March.
In researching the Bagle outbreak, virus analysts have concluded that the authors of Bagle, Zafi and Netsky and others are working closely together; they may not be personally known to each other, but they are all using information provided by the author of Bagle to mass mail their creations.
In the space of just 2 days, approximately 50 modifications of a range of malicious programs were mass mailed. The timing of these mailings clearly shows that they are automated or semi-automated.
These recent events confirm the trend towards the criminalisation of the Internet. And likely as not, events will continue to evolve in such a way: network attacks are now automated, take place in several stages, and are carefully timed and planned. The authors of malicious code are joining forces, exchanging information and techniques, in order to increase the impact of attacks.
Source: http://www.kaspersky.com
Man jailed for Trojan horse which made 911 nuisance calls, Sophos reports -- Posted by Igor_Donchenko on Wednesday, March 16 2005
A US court has sentenced a Louisiana man to six months in prison for infecting WebTV users with a Trojan horse that made nuisance phone calls to the emergency services.
David Jeansonne, 41, of Metairie, Louisiana, pleaded guilty last month to causing a threat to public safety and causing damage to computers. On Monday 14 March he was sentenced to six months in prison, and ordered to pay Microsoft more than $27,100. US District Judge Ronald M Whyte sentenced Jeansonne to serve an additional six months home detention.
The WebTV service, now known as MSN TV, allows subscribers to connect to the internet using their television. Jeansonne's Trojan horse was emailed to users in 2002, posing as a program which would change colours on their TV screens. However, the attached file reset the settings on the user's WebTV box making it dial 911 next time it attempted to connect to the internet. Approximately 20 users are said to have received the email, and 10 reported that the local police either telephoned or visited their home in response to the emergency phone call.
"It's good to see firm action being taken against another author of malicious code," said Graham Cluley, senior technology consultant for Sophos. "Making prank phone calls to the police is a dangerous occupation which could have life threatening repercussions for innocent members of the general public, writing a program to automatically cause this kind of nuisance demonstrates a whole new level of moronic behaviour."
Sophos continues to recommend that all internet users are wary of unsolicited email attachments.
Source: http://www.sophos.com
Users risk smackdown as WWE screensaver worm discovered, reports Sophos -- Posted by Igor_Donchenko on Wednesday, March 16 2005
Experts at SophosLabs, Sophos's global network of virus and spam analysis centres, have warned users to be on their guard against a worm which can disguise itself as a screensaver featuring two female stars of professional wrestling.
The W32/Elitper-D worm spreads via email pretending to be a bug fix for Microsoft Windows XP SP2. However, when it attempts to spread via file-sharing systems and internet relay chat it disguises itself as a screensaver of WWE divas Torrie Wilson and Sable. The two blonde stars of professional wrestling are known to WWE devotees around the world, and have graced the pages of Playboy magazine.
The W32/Elitper-D worm makes changes to the security settings of infected computers, and blocks access to various websites, potentially leaving the PC open to further attack.
"WWE is phenomenally popular amongst many young people, but a mystery to the rest of us," said Graham Cluley, senior technology consultant for Sophos. "Anyone who visits file-sharing systems and chatrooms looking for material related to their idols should exercise care about what they download. This isn't the first time that virus writers have used celebrities as bait, and sadly it won't be the last time that innocent users fall for the trick."
Sable, an ex-Guess Jeans model whose real name is Rena Mero, and Torrie Wilson have inspired tens of thousands of internet websites, many with extensive image galleries and movie clips.
Source: http://www.sophos.com
New email scam promises money from the late Sir Denis Thatcher's will, reports Sophos -- Posted by Igor_Donchenko on Wednesday, March 16 2005
Spam researchers at SophosLabs, Sophos's global network of virus and spam analysis centres, are warning computer users to be wary of a new email scam, which dupes innocent people into believing they are the beneficiaries of the late Sir Denis Thatcher's last will and testament, in order to steal their identity and make a profit.
The email, which claims to come from the attorneys of former UK Prime Minister Margaret Thatcher's late husband, claims that the recipient will receive £950,000 in compensation for work they have done helping the less privileged. The email claims that Sir Denis Thatcher collected the money during his long and successful career in business.
In order to obtain the inheritance, recipients are asked to provide personal information such as documents of identification, address, telephone and fax numbers, in accordance with the British government's inheritance law.
However, the emails are fake; and users who innocently send their personal details may have their identity stolen, together with money taken from their bank accounts.
"Scammers are constantly trying to dupe computer users into divulging sensitive information with the promise of big money," said Graham Cluley, senior technology consultant for Sophos. "Using the late Sir Denis Thatcher's name is a sick trick designed to entice the unwary into falling for the scam."
This email con-trick is the latest of many 419 scams. These scams are named after the relevant section of the Nigerian penal code where many of the scams originated and are unsolicited emails where the author offers a large amount of money. Once a victim has been drawn in, requests are made from the fraudster for private information which may lead to requests for money, stolen identities, and financial theft.
Other examples of 419 email scams include a message claiming to come from a persecuted widow of the late Nigerian head of state, an associate of the massacred Nepalese royal family, and even an African astronaut stranded on the Mir spacestation.
Source: http://www.sophos.com
Three new worms threaten instant messaging users, while the cyber-war between virus authors continues -- Posted by Igor_Donchenko on Wednesday, March 16 2005
Virus creators are continuing to demonstrate their interest in instant messaging as a rapid means of spreading malicious code. PandaLabs has detected the appearance of three new worms - Kelvir.B, Kelvir.C and Fatso.A - programmed to spread via MSN Messenger. The new Kelvir worms reach computers in messages with texts like "omg this is funny!" (Kelvir.B) or "lol! see it! u'll like it" (Kelvir.C), which include a link to an Internet address. If the user clicks on this link, files containing the code of these worms are downloaded and installed on the computer. These then send new messages to the contacts in MSN Messenger. At the same time, they download variants of the Gaobot or Sdbot Trojans from another web address. These Trojans allow a hacker to gain remote control of the affected computer through IRC chat channels. It is important to mention that all of the web pages from which the Kelvir worms or the Sdbot or Gaobot Trojans are downloaded have already been blocked, preventing them from continuing to spread. However, before they were blocked, Panda Software's international tech support network had detected that Kelvir.B and Kelvir.C had spread widely to users' computers worldwide.
The Fatso.A worm sends messages containing links to a page from which a file containing a copy of its code is downloaded and run. When it gets into a computer, it sends itself to all the contacts in MSN Messenger and downloads other files to the system root directory. These files can have names like Annoying crazy frog getting killed.pif, Crazy frog gets killed by train!.pif or Fat Elvis! lol.pif. This worm is also capable of spreading through P2P applications like KaZaA. To do this, it creates copies of itself in the shared directories used by these programs.
Fatso.A also ends the processes of various security programs running in memory, leaving the computer vulnerable to other possible attacks.
What's more, Fatso.A continues with the cyber-war between virus authors that started with the appearance of the Assiral.A worm, which showed a text attacking the Bropia worms. In response, Fatso.A creates a file called Message to n00b LARISSA.txt on affected systems, which contains an unfriendly message to the Assiral author and signed by someone called Skydevil.
Luis Corrons, head of PandaLabs, warns: "It is probable that new worms that spread via MSN Messenger will appear over the next few hours, and therefore, it is highly recommendable to take precautions with messages received through this application. The situation is getting more dangerous for users of instant messaging applications. As well as this new malicious code, the 20 variants of the Bropia worm and the two variants of the Stang worm detected over the last few days also use this means to spread. What's more," he adds, "cyber-criminals are showing a growing interest in instant messaging and there is a tendency to launch blended threats. The two new Kelvir worms, for example, not only aim to spread as widely as possible but also try to install other malware on computers. These could be used to carry out all kinds of actions, such as online fraud using confidential data stolen from affected computers."
Due to the possibility of receiving malicious code through instant messaging applications, Panda Software advises users to have reliable, updated anti-malware installed, and to be wary of all messages received, regardless of the source. Panda Software clients already have the updates available to detect and disinfect these new worms and the other malicious code that use instant messaging to spread.
Source: http://www.pandasoftware.com
Panda Software reports the appearance of Searchmeup, the first adware to exploit the Exploit/LoadImage vulnerability -- Posted by Igor_Donchenko on Friday, March 11 2005
PandaLabs has detected the appearance of Searchmeup, the first adware to use the Exploit/LoadImage vulnerability to download onto computers without users' permission. The pages from which Searchmeup is downloaded also contain a series of exploits to download other malware onto the computer, such as the Tofger.AT Trojan (which steals banking passwords), Dialer.BB and Dialer.NO, and another adware called Adware/TopConvert. Searchmeup is downloaded onto the computer when the user visits certain web pages. Once it is installed on a computer it changes the home page to that of a search engine that displays pop-ups every time it loads with the aim of installing spyware and dialers on the computer.
The web pages from which Searchmeup is downloaded also drop Tofger.AT onto computers, a Trojan which runs every time Internet Explorer is opened. Tofger.AT keeps track of what the user of the computer is doing on the Internet, logging the passwords used in secure 'https' connections, often used for secure connections with online banks. In addition, whenever it detects certain names in the URL, it tries to capture the passwords used for the following banks: cajamadrid, bpinet, millenniumbcp, hsbc, barclays, lloydstsb, halifax, autorize, bankofamerica, bancodevalencia, cajamar, portal.ccm, bancaja, caixagalicia, caixapenedes, ebankinter, caixasabadell, bes, banif, millenniumbcp, totta, bancomais, montepiogeral, bpinet, patagon, lacaixa, citibank, bbvanet, banesto, e-trade and unicaja. Once it has collected this information, Tofger.AT sends it to a server.
Searchmeup can also generate an error in the 'services.exe' file, and then informs the user that the computer will be restarted in one minute. After the restart, the computer operates normally. On some occasions, Searchmeup can also display blue screen errors. Tofger.AT can also update itself to a new version.
"The appearance of Searchmeup is a sign of the continuous evolution of malware, and of adware and spyware in particular. The first stage was that adware reached computers as a component of a freeware application, then web pages appeared that installed adware on users' computers using ActiveX. Now they have gone a step further, as Searchmeup exploits a vulnerability that even virus creators had not used until now," explains Luis Corrons, director of PandaLabs.
The Exploit/LoadImage vulnerability exploited by Searchmeup affects computers with Windows 2003/XP/2000/NT/Me/98, and allows arbitrary code to be run on the computer. It could be exploited by an attacker hosting a specially-crafted cursor or icon on a malicious web page or HTML email. Microsoft has released a patch to correct this problem, and it is advisable to install it.
Source: http://www.pandasoftware.com