News archive about antivirus software, virus threats, trojans
April 2004
Evolution of computer viruses (part 3) -- Posted by Igor_Donchenko on Wednesday, April 28 2004
This third installment of 'The evolution of viruses' will look at how the Internet and e-mail changed the propagation techniques used by computer viruses.
The Internet and e-mail revolutionized communications. However, as expected, virus creators didn't take long to realize that along with this new means of communication, an excellent way of spreading their creations far and wide had also dawned. They therefore quickly changed their aim from infecting a few computers while drawing as much attention to themselves as possible, to damaging as many computers as possible, as quickly as possible. This change in strategy resulted in the first global virus epidemic, which was caused by the Melissa worm.
With the appearance of Melissa, the economic impact of a virus started to become an issue. As a result, users (above all companies) started to become seriously concerned about the consequences of viruses for the security of their computers. This is how users discovered antivirus programs, which started to be installed widely. However, this also brought about a new challenge for virus writers: how to slip past this protection and how to persuade users to run infected files.
The answer to which of these virus strategies was the most effective came in the form of a new worm: Love Letter, which used a simple but effective ruse that could be considered an early type of social engineering. This strategy involves inserting false messages that trick users into thinking that the message includes anything except a virus. This worm's bait was simple; it led users to believe that they had received a love letter.
This technique is still the most widely used. However, it is closely followed by another tactic that has been the center of attention lately: exploiting vulnerabilities in commonly used software. This strategy offers a range of possibilities depending on the security hole exploited. The first malicious code to use this method, and quite successfully, were the BubbleBoy and Kakworm worms. These worms exploited a vulnerability in Internet Explorer by inserting HTML code in the body of the e-mail message, which allowed them to run automatically, without needing the user to do a thing.
Vulnerabilities allow many different types of actions to be carried out. For example, they allow viruses to be dropped on computers directly from the Internet (such as the Blaster worm). In fact, the effects of the virus depend on the vulnerability that the virus author tries to exploit.
Source: http://www.pandasoftware.com
Netsky-Z: Educational websites targeted -- Posted by Igor_Donchenko on Tuesday, April 27 2004
Researchers at Sophos are warning users of the latest variant of the prevalent Netsky worm, W32/Netsky-Z, which is spreading in the wild. The worm is capable of turning infected computers into launchpads for an attack designed to knock a number of websites off the internet.
Hidden inside the worm is a clock, ticking down until early May when it is designed to launch a distributed denial-of-service attack against three websites with an educational focus - www.educ.ch, www.medinfo.ufl.edu and www.nibis.de - based in Switzerland, USA, and Germany.
Two earlier spreading variants of Netsky (Netsky-X and Netsky-Y) have also scheduled attacks against the same websites, but these are programmed to cease at the end of April.
"It's anyone's guess why this virus writer is targeting these websites with a denial of service attack. Maybe he or she has a grudge against them," said Graham Cluley, senior technology consultant for Sophos. "Earlier strains of Netsky have focused on file sharing websites such as KaZaA. The different flavours of Netsky have dominated the virus landscape this year, and despite the similarities between several of the worms, computer users are still getting caught out. Everyone should ensure that their anti-virus software is updated and learn to treat all email attachments - even those which come with apparently innocuous subject lines - with caution."
Netsky-Z spreads via email, using the same subject lines as its predecessors, including 'Information', 'Document' and 'Important'. The worm arrives as an attached ZIP file with names such as 'Bill.zip', 'Important.zip' and 'Details.zip'.
"It seems sadly inevitable that there will be future versions of the Netsky worm, and some people may wonder what we will call them now we have seemingly reached the end of the road with Netsky-Z. The simple answer is we start at the beginning of the alphabet again with Netsky-AA," continued Cluley.
Source: http://www.sophos.com
Fifth anniversary of Chernobyl computer virus attack -- Posted by Igor_Donchenko on Tuesday, April 27 2004
Five years ago today, on 26 April 1999, the CIH virus (also known as Chernobyl) caused considerable damage as it flashed critical chips inside computers worldwide. According to government reports, in South Korea alone it caused over $250 million in damage, infecting a quarter of a million computers.
The virus, named "Chernobyl" by the media as it was programmed to activate its destructive payload on the thirteenth anniversary of the Chernobyl reactor meltdown, was able to wipe the data from users' hard disks and overwrite the computer BIOS chip, making the computer unusable.
"The Chernobyl virus opened a new chapter in the severity of computer malware," said Graham Cluley, senior technology consultant for Sophos. "It could effectively turn your computer into a useless lump of plastic - the only way to get your PC working again was to open it up and replace the chip."
Once the BIOS chip of infected computers was overwritten by the Chernobyl virus, users found they were unable to use their computers at all. Repair involved physically removing the BIOS chip and replacing it with a fresh one. On some computers, the BIOS chip is not removable, and so it could only be replaced by swapping the entire motherboard.
In September 2000, the Taiwanese military authorities detained Chen Ing-Hau in connection with the Chernobyl virus.
"Today more and more virus writers are turning away from the data destructive payloads used by Chen Ing-Hau in the Chernobyl virus, and implementing more insidious forms of attack instead," continued Cluley. "Increasingly we are encountering more viruses which are designed to steal information - such as credit cards and passwords - from compromised computers. All companies should ensure they are properly protected."
Source: http://www.sophos.com
Panda Software reports a spam message that downloads a Trojan -- Posted by Igor_Donchenko on Thursday, April 22 2004
PandaLabs has detected a spam message currently being sent to users which tries to get recipients to visit an advertising page and which also downloads a Trojan to users' computers.
The characteristics of the message are:
- From: the sender name varies, although it tries to make recipients think the message was sent by the BBC or CNN.
- Subject: "Osama Bin Laden Captured"
- Message text: "Hey, Just got this from CNN, Osama Bin Laden has been captured! Goto the link below to view the pics and to download the video if you so wish: (Internet address) "Murderous coward he is". God bless America!"
The address indicated in the message takes users to what appears to be an advertising page. However, the page contains code that exploits a vulnerability (detected by Panda antivirus as Exploit/MIE.CHM). The code also downloads and runs a file (detected as VBS/Psyme.C). Finally, a file called EXPLOIT.EXE, which contains the Trojan Trj/Small.B, is downloaded from the Internet onto users' machines.
Source: http://www.pandasoftware.com
Evolution of computer viruses (part 2) -- Posted by Igor_Donchenko on Wednesday, April 21 2004
This second installment of 'The evolution of viruses' will look at how malicious code used to spread before use of the Internet and e-mail became as commonplace as it is today, and at the main objectives of the creators of those earlier viruses. Until the worldwide web and e-mail were adopted as a standard means of communication the world over, the main media through which viruses spread were floppy disks, removable drives, CDs, etc., containing files that were already infected or with the virus code in an executable boot sector.
When a virus entered a system it could go memory resident, infecting other files as they were opened, or it could start to reproduce immediately, also infecting other files on the system. The virus code could also be triggered by a certain event, for example when the system clock reached a certain date or time. In this case, the virus creator would calculate the time necessary for the virus to spread and then set a date (often one with some particular significance) for the virus to activate. In this way, the virus would have an incubation period during which it didn't visibly affect computers, but just spread from one system to another waiting for "D-day" to launch its payload. This incubation period was vital to the virus successfully infecting as many computers as possible.
One classic example of a destructive virus that lay low before releasing its payload was CIH, also known as Chernobyl. The most damaging version of this malicious code activated on April 26, when it would try to overwrite the flash-BIOS, the memory which includes the code needed to control PC devices. This virus, which first appeared in June 1998, had a serious impact for over two years and still continues to infect computers today.
Because of the way in which they propagate, these viruses spread very slowly, especially in comparison to the speed of today's malicious code. Towards the end of the Eighties, for example, the Friday 13th (or Jerusalem) virus needed a long time to actually spread and continued to infect computers for some years. In contrast, experts reckon that in January 2003, SQLSlammer took just ten minutes to cause global communication problems across the Internet.
Notoriety versus stealth
For the most part, in the past, the activation of a malicious code triggered a series of on-screen messages or images, or caused sounds to be emitted to catch the user's attention. Such was the case with the Ping Pong virus, which displayed a ball bouncing from one side of the screen to the other. This kind of elaborate display was used by the creator of the virus to gain as much notoriety as possible. Nowadays, however, the opposite is the norm, with virus authors trying to make malicious code as discreet as possible, infecting users' systems without them noticing that anything is amiss.
Source: http://www.pandasoftware.com
Panda Software reports the appearance of Netsky.X -- Posted by Igor_Donchenko on Wednesday, April 21 2004
PandaLabs has detected the appearance of the W32/Netsky.X worm. This is another new variant of Netsky, which so far in 2004 has caused numerous incidents on computers around the world. Its propagation is on the increase, although it has yet to reach alarming proportions. Netsky.X is designed to spread, using its own SMTP engine, to as many computers as possible. It searches for e-mail addresses to send itself to in files with the following extensions: .eml, .txt, .php, .cfg, .mbx, .mdx, .asp, .wab, .doc, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .adb, .tbb, .dbx, .pl, .htm, .html, .sht, .oft, .msg, .ods, .stm, .xls, .jsp, .wsh, .xml, .mht, .mmf, .nch and .ppt.
The X variant of Netsky is transmitted in a message with the following characteristics:
- The e-mail address of the sender is faked to confuse the recipient.
- The message carrying the virus can appear in various languages, depending on the country indicated by the domain of the recipient's e-mail address. So, if the domain is .de, .fi, .fr, .it, .no, .pl, .pt or .se, the message will be in German, Finnish, French, Italian, Norwegian, Polish, Portuguese or Swedish respectively. If the domain is a generic one, the message is in English. Curiously, if the domain is .tc (Turks and Caicos Islands), the message includes the text "mutlu etmek okumak belgili tanimlik belge".
- It includes a file with a .pif extension which contains the worm's code. The file size is 26,112 bytes and it is packed with "tElock".
Whatever the language, the text encourages the user to open the attachment. Netsky.X is programmed to carry out a denial of service attack between April 28 and 30, 2004, against www.nibis.de, www.medinfo.ufl.edu and www.educa.ch.
Source: http://www.pandasoftware.com
Evolution of computer viruses: history of viruses -- Posted by Igor_Donchenko on Tuesday, April 13 2004
Like any other field in computer science, viruses have evolved (a great deal indeed) over the years. In the series of press releases which starts today, we will look at the origins and evolution of malicious code from its first appearance up to the present.
Going back to the origin of viruses, it was in 1949 that the mathematician John Von Neumann described self-replicating programs which could resemble computer viruses as they are known today. However, it was not until the 60s that we find the predecessor of current viruses. In that decade, a group of programmers developed a game called Core Wars, which could reproduce every time it was run, and even saturate the memory of other players' computers. The creators of this peculiar game also created the first antivirus, an application named Reeper, which could destroy copies created by Core Wars.
However, it was only in 1983 that one of these programmers announced the existence of Core Wars, which was described the following year in a prestigious scientific magazine: this was actually the starting point of what we call computer viruses today.
At that time, a still young MS-DOS was starting to become the preeminent operating system worldwide. It was a system with great prospects, but also with many deficiencies, arising from the state of software development and the absence of many hardware elements known today. Even so, this new operating system became the target of a virus in 1966: Brain, a malicious code created in Pakistan which infected the boot sectors of disks so that their contents could not be accessed. That year also saw the birth of the first Trojan: an application called PC-Write.
Shortly after, virus writers realized that infecting files could be even more harmful to systems. In 1987, a virus called Suriv-02 appeared, which infected COM files and opened the door to the infamous viruses Jerusalem or Viernes 13. However, the worst was still to come: 1988 set the date when the "Morris worm" appeared, infecting 6,000 computers.
From that date up to 1995 the types of malicious codes that are known today started being developed: the first macro viruses appeared, polymorphic viruses... Some of these even triggered epidemics, such as MichaelAngelo. However, there was an event that changed the virus scenario worldwide: the massive use of the Internet and e-mail. Little by little, viruses started adapting to this new situation until the appearance, in 1999, of Melissa, the first malicious code to cause a worldwide epidemic, opening a new era for computer viruses.
Source: http://www.pandasoftware.com
Top Ten viruses most frequently detected by Panda ActiveScan in March -- Posted by Igor_Donchenko on Sunday, April 11 2004
The effects of the wave of viruses that began in February, and is still the bane of computer users around the world, can be seen in the results of the monthly ranking of frequently detected viruses compiled from data gathered by the Panda ActiveScan free, online scanner. Throughout March, the D and B variants of the Netsky worm were recorded as the most virulent malicious codes, with Netsky.D responsible for almost fifteen percent of all infections and Netsky.B the culprit in over 11 percent of positive cases.
Baglepwd.zip was in third place (7.52% of infections), although this figure represents the detection of all variants of Bagle that could reach computers in password-protected .zip files.
Despite the prevalence of the wave of new malicious code, fourth place in the list was still held by Downloader.L, which has appeared month after month among the most frequently detected viruses.
In fifth place, however, with an infection rate of just over six percent, came Nachi.B, another worm related to the latest flood of viruses and one which is designed to remove the Mydoom.A and Mydoom.B worms from infected computers. Despite its seemingly benign nature, this virus exploits a Windows vulnerability in order to propagate.
The new Netsky.P (5.89%) and Netsky.C (4.98%) worms occupied sixth and seventh place respectively in the Top Ten, while Mydoom.A, the code responsible for the worst epidemic in the history of computing, was in eighth place with a detection rate of just over four percent.
The last two places in the ranking were held by the veteran Bugbear.B and Parite.B viruses, both responsible for less than three percent of all infections.
| Ranking | Virus Name | Percentage |
|---|---|---|
| 1 | W32/Netsky.D.worm | 14.67% |
| 2 | W32/Netsky.B.worm | 11.59% |
| 3 | W32/Bagle.pwdzip | 7.52% |
| 4 | Trj/Downloader.L | 6.42% |
| 5 | W32/Nachi.B.worm | 6.18% |
| 6 | W32/Netsky.P.worm | 5.89% |
| 7 | W32/Netsky.C.worm | 4.98% |
| 8 | W32/Mydoom.A.worm | 4.00% |
| 9 | W32/Bugbear.B | 2.71% |
| 10 | W32/Parite.B | 2.67% |
The following conclusions can be drawn from the data collected by Panda ActiveScan last month:
- The latest wave of viruses is still a major blight for computer users around the world. Of the top ten viruses, seven had first appeared quite recently.
- Some of the viruses, such as Nachi.E, Netsky.P and Bugbear.B, exploit vulnerabilities that were fixed some months ago, once again highlighting the lack of diligence among users when it comes to installing the patches that resolve these security holes.
- The prominence of the Downloader.L Trojan, which has been in circulation for some months now, is a reminder that it is not just topical, explosive viruses that users need to watch out for, but also those which can silently infiltrate computers and yet represent just as much of a security threat as the worst e-mail worm.
Source: http://www.pandasoftware.com
Virus Top Twenty for March 2004 from Kaspersky Labs -- Posted by Igor_Donchenko on Saturday, April 10 2004
| Ranking | Change | Virus Name | Percentage |
|---|---|---|---|
| 1 | +1 | I-Worm.Netsky.b (Moodown.b) | 52.78% |
| 2 | -1 | I-Worm.Mydoom.a | 12.45% |
| 3 | new | I-Worm.Netsky.d | 8.98% |
| 4 | - | I-Worm.Mydoom.e | 5.45% |
| 5 | new | I-Worm.Netsky.q | 2.90% |
| 6 | -3 | I-Worm.Swen | 2.37% |
| 7 | new | PSW-Worm | 2.31% |
| 8 | new | I-Worm.Mydoom.g | 2.30% |
| 9 | +6 | I-Worm.Netsky.c | 1.65% |
| 10 | new | I-Worm.Bagle.i | 0.75% |
| 11 | new | I-Worm.Bagle.s | 0.47% |
| 12 | new | I-Worm.Bagle.j | 0.45% |
| 13 | -5 | I-Worm.Klez.h | 0.40% |
| 14 | new | I-Worm.Bagle.e | 0.35% |
| 15 | new | I-Worm.Bagle.g | 0.35% |
| 16 | -6 | I-Worm.Mimail.q | 0.33% |
| 17 | new | I-Worm.Lentin.v | 0.32% |
| 18 | -11 | I-Worm.Mimail.a | 0.31% |
| 19 | -7 | I-Worm.Mimail.c | 0.27% |
| 20 | new | I-Worm.Bagle.c | 0.25% |
March 2004 was an even more virus-filled month than February. February's virus Top Twenty contained six new email worms; this figure nearly doubled in March, with 11 new viruses entering the charts.
As predicted, March was the month of the Bagles. Five new versions of Bagle appeared. In seventh place is PSW-Worm, an umbrella identification which includes several versions of Bagle. These differ from other worms in the Bagle family in that they spread in password-protected ZIP and RAR archives, and the password is either included in the message or contained in a graphics file. Such an approach is not new, but Bagle exploited it with great success. Incidentally, tricks like this have positively influenced the development of new antivirus technology designed to detect and intercept such sneaky viruses.
Statistics for March show that Netsky.b (also known as Moodown.b) and Mydoom.a have changed places, with Netsky.b now leading the charts. Worms from the Netsky family made a significant impact in March, with four versions appearing in the first 9 positions. Netsky was also the initiator of a virtual war, deleting Mydoom, Bagle and Mimail from machines infected by these viruses: an antivirus virus. This action, together with the rapid propagation of Netsky, led to three groups of virus writers writing insults directed at the other groups into the code of their viruses.
Those viruses which have appeared in the Top Twenty before also show interesting results. Naïve or careless users managed to keep Swen, Klez.h and also three worms (a, c and the polymorphic q) from the Mimail family in the ratings. A leader in previous months, Sober.c has disappeared altogether from the charts. However, Kaspersky Labs detected two new versions of the worm in March, and it is entirely likely that one of them, Sober.e, will make an appearance in the Top Twenty in the future.
Additionally, Sobig.f, last year's overall leader, finally disappeared from the ratings. Sobig.f has been sliding down the charts over the last six months, but this month it finally lost the battle, yielding to the new families of malicious code.
The final new entrant is the latest modification of the Lentin worm, Lentin.v. It was first detected in December 2003, and has quietly made its way into seventeenth place. Lentin.v and Klez.h are two classic email worms, which do not use spam technology or extensive networks of infected machines to replicate. It is interesting to speculate whether this month's chart toppers would have reached their current positions if they had used more traditional methods of propagation.
Other malicious programs made up a significant amount of virus traffic; over 1200 different malicious programs were detected last month.
Summary:
New viruses: 11 in total - Netsky.D, Netsky.Q, PSW-Worm, Mydoom.G, Bagle.S, Bagle.J, Bagle.I, Bagle.E, Bagle.G, Bagle.C, Lentin.V
Moved up: Netsky.B, Netsky.C
Moved down: Mydoom.A, Swen, Klez.H, Mimail.Q, Mimail.A, Mimail.C
Monthly virus review by DialogueScience, Inc. - March 2004 -- Posted by Igor_Donchenko on Saturday, April 10 2004
The Beagle, Netsky and MyDoom families released at the dawn of 2004 spawned a crowd of variants in March. Many of them have managed to stay in the virus charts for weeks and even months.
Mass-mailers from the Beagle family clearly took the prize this month: for a long stretch they, or rather their constantly appearing siblings, set new puzzles which antivirus analysts had only limited time to solve.
Each new modification added some novelty to the basic code, but more often the authors relied on the notorious "human element". Sending messages as if on behalf of the recipient's Internet service provider, complete with the user's own mail address, was a clever and reliable move. Few people stay indifferent to a notice that their mail account is about to be temporarily disabled, and few hesitate to open an attachment that appears to come from their own ISP.
Originally, these worms used a new method of countering the detection techniques of antivirus programs. They arrived on users' computers in password-protected archives, which standard tools cannot scan; because different passwords were used, the archived file carrying the virus varied constantly, which made it difficult to add its signatures to the virus databases. To counter this innovation, a new entry was added to the Dr.Web® virus database that detects members of this family inside ZIP archives.
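The gateway-side check that the password-protected archive trick calls for, as an added example that is not code from DialogueScience, Kaspersky or any other vendor quoted on this page (it also covers the Bagle entries in the Kaspersky review above): only the ZIP entry metadata is read, which is never encrypted, so an archive the scanner cannot open is flagged instead of passed through as clean. The entry name Bill.pif, the three policy verdicts and the hand-built sample archive are assumptions.

```python
"""Triage of password-protected ZIP attachments at a mail gateway.

Added example (not vendor code). Traditional ZIP encryption hides entry
contents but not the headers, so a gateway can still see that an entry is
encrypted, what it is called and how big it is, and can refuse to treat an
archive it cannot scan as clean.
"""
import io
import struct
import zipfile
from dataclasses import dataclass

# General-purpose bit 0 in a ZIP entry header: the entry is encrypted.
ZIP_ENCRYPTED_FLAG = 0x0001
# Names Windows executes directly; .pif is what the Netsky variants used.
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")


@dataclass(frozen=True)
class EntryReport:
    name: str
    encrypted: bool
    executable: bool
    compressed_size: int


def inspect_zip(data: bytes) -> list:
    """Describe every entry from the central directory, decrypting nothing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            EntryReport(
                name=info.filename,
                encrypted=bool(info.flag_bits & ZIP_ENCRYPTED_FLAG),
                executable=info.filename.lower().endswith(EXECUTABLE_EXTS),
                compressed_size=info.compress_size,
            )
            for info in zf.infolist()
        ]


def verdict(reports) -> str:
    """Gateway policy (assumption): an archive the scanner cannot open is
    'unscannable', not 'clean'; an executable name inside it is quarantined."""
    if any(r.encrypted and r.executable for r in reports):
        return "quarantine"
    if any(r.encrypted for r in reports):
        return "hold-for-review"
    return "scan"  # plaintext entries go to the ordinary content scanner


def build_encrypted_zip(name: str, payload: bytes) -> bytes:
    """Construct a one-entry ZIP whose entry is flagged as encrypted.

    zipfile cannot write encrypted archives, so the three structures every
    reader parses (local header, central directory entry, end-of-central-
    directory record) are packed by hand. The payload stands in for the
    ciphertext and is constructed sample data, as is the entry name."""
    fname = name.encode("ascii")
    size = len(payload)
    dos_date = ((2004 - 1980) << 9) | (3 << 5) | 1  # 2004-03-01 in DOS format
    # sig, version needed, flags, method, time, date, crc, csize, usize, nlen, xlen
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, ZIP_ENCRYPTED_FLAG, 0,
                        0, dos_date, 0, size, size, len(fname), 0) + fname + payload
    # sig, made by, needed, flags, method, time, date, crc, csize, usize,
    # nlen, xlen, comment len, disk no, internal attrs, external attrs, local offset
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                          ZIP_ENCRYPTED_FLAG, 0, 0, dos_date, 0, size, size,
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    # sig, disk no, cd disk, entries on disk, entries total, cd size, cd offset, comment len
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local), 0)
    return local + central + eocd


def build_plain_zip(name: str, payload: bytes) -> bytes:
    """Ordinary unencrypted ZIP, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("Bill.zip", build_encrypted_zip("Bill.pif", b"\x00" * 32)),
               ("Details.zip", build_plain_zip("Details.txt", b"plain text")))
    for label, blob in samples:
        reports = inspect_zip(blob)
        print(label, verdict(reports), [(r.name, r.encrypted) for r in reports])
```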
Win32.HLLM.Beagle.38550, which appeared on March 14, 2004, brought a new "progressive" detail: the password to the viral archive arrived in the form of a graphical image. In truth, the antivirus companies quickly found a remedy for this cunning trick. The same Win32.HLLM.Beagle.38550 also carried a destructive function inside this "harmless" program: it infected executable files found on the hard drives of the victimized machines.
The next stage of code refinement delivered four versions at once of Win32.HLLM.Beagle.49152 (named Beagle Q, R, S and T by other antivirus companies). Their appearance made it somewhat pointless to remind careless users of the danger of opening messages from unknown senders, because the mail messages distributed by these variants of the worm contained neither an executable attachment nor any accompanying text.
To infiltrate systems, the authors of the new Beagle siblings exploited a six-month-old flaw in the security of MS Internet Explorer (the so-called Object Tag vulnerability). To reach the maximum possible level of infection, the worms' authors supplied them with a huge list of Internet sites from which their executable code was downloaded. The list of antivirus products they were to disable was impressive too. Their release destroyed the illusion that a computer can only be infected by receiving and running an executable file carrying the virus.
To own information is to own the world. Today's reality turns this statement into "to own the means of information is to rule the world", and this is no longer only about the virtual possession and control of a worldwide army of computers that a puppeteer can manipulate at will. Such supremacy is worth fighting for, and the fight is serious.
The rivalry that began in February between the Netsky authors on one side and the Mydoom and Beagle authors on the other continued in March. The end of February marked a new stage with the appearance of the second Netsky variant, which contained a new function for deleting the system registry values created by those worms. This reduced to nothing the effort they had spent building their own web of spam relays, a hot commodity on the spam market for which its players are ready to pay, and actually do pay, sizable money. The problem is not spam alone, though spam too ultimately costs law-abiding users hundreds of thousands of hours of wasted time and money.
More important, such networks of zombie computers have become a powerful weapon in dirty competitive struggles, where a business rival can be hit with a DoS attack launched simultaneously from thousands of computers around the world. Quite often such DoS attacks are carried out for plain extortion and blackmail; their usual victims are Internet traders and on-line casinos. The latest Netsky versions do not neglect DoS attacks either: they are aimed at popular file-sharing networks, for example KaZaA and eDonkey.
Statistics – March 2004
680 new entries were added to the Dr.Web® virus database in March 2004. A summary table by virus type follows.
| Virus type | January | February | March |
|---|---|---|---|
| Trojan programs | 316 | 414 | 462 |
| Backdoors | 97 | 122 | 159 |
| Network worms | 50 | 49 | 48 |
| Mailing worms | 17 | 18 | 41 |
| Macro viruses | 7 | 0 | 2 |
| IRC-viruses | 5 | 11 | 22 |
| Script-viruses | 26 | 11 | 19 |
| BAT-viruses | 2 | 12 | 14 |
| Parasitic viruses | 2 | 3 | 9 |
Viruses and graphics: a dynamic strategy for creators of malware -- Posted by Igor_Donchenko on Wednesday, April 7 2004
Since computer viruses first appeared on the IT scene, their creators have used a variety of graphics either as a bait to trick users and infect computers or as a way of leaving their own personal mark.
As the first viruses in circulation appeared before the Internet or e-mail were in common use, the propagation of these creations was slow and substantially limited. For this reason, virus writers were keen to ensure that victims were immediately aware of the presence of their creations. To this end, and in particular as a result of the advent of Windows, many of them, such as Marburg, Ping Pong or Cookie, displayed images when activated, some simple, some more elaborate and some were even animations.
However, as the Internet and e-mail became commonly used as means of mass communication, virus creators became more ambitious. The objective was simply to infect as many computers as possible as rapidly as possible. They soon discovered the effectiveness of convincing users that a file contained an enticing photo – even if it wasn't true.
Nowadays, virus writers often use fixed images to try to trick users into unwittingly running a virus on their system. This was the case with Gibe.C for example, which presented users with a perfect imitation of Microsoft web pages.
Similarly, in order to trick users, viruses display images or icons associated with well-known applications. This is the case with Bagle.A, which uses the icon of the Windows calculator. However, probably the most frequently used image, as it is fairly easy to create, is the typical Windows dialog box reporting an error. Many viruses, including the Deadhat.A worm, have used this technique.
Nevertheless, the world of IT viruses is highly dynamic and the past does not always serve to predict what will appear in the future. For this reason, the best defense is to keep your guard up and have a good, updated antivirus installed on your computer.
Source: http://www.pandasoftware.com