Antivirus World

News archive about antivirus software, virus threats, trojans

April 2005

A Trojan threatens the confidential data of the clients of thousands of banks worldwide -- Posted by Igor_Donchenko on Friday, April 29 2005
PandaLabs reports the appearance of the NL variant of the Bancos Trojan, programmed to intercept the confidential data of the clients of over 2,500 banking portals. Panda Software has already informed law enforcement authorities of the appearance of this malicious code.

This Trojan cannot spread by itself, but needs to be distributed manually by third-parties. Bancos.NL can therefore be distributed through traditional channels (floppy disks, CD-ROM), or email messages, Internet downloads, FTP transfers, P2P networks, etc.

In the event that a user executes the file containing Bancos.NL, the Trojan will be installed on the system under the name MSCVC.EXE. It then starts monitoring the user's Internet activity, waiting for a connection to be established with one of the 2,500 Internet addresses listed in its code. When this happens, it registers all the information about bank account numbers, credit cards, passwords or any other information entered by the user. This information is sent to an Internet server where it can be collected by cyber criminals.

"Although this malicious code does not have any technical characteristics that make it stand out from other Trojans programmed to steal banking details, its danger lies in the large number of users that could be affected by Bancos.NL. In fact, the addresses of the banking portals listed in the Trojan's code belong to financial entities in 120 countries worldwide. These countries include Germany and Switzerland with over 200 addresses each," explains Luis Corrons, director of PandaLabs.

To prevent Bancos.NL or any other malicious code entering computers, Panda Software advises users to take precautions and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Source: http://www.pandasoftware.com

In the first quarter of 2005, spyware and adware accounted for 60% of malware detected by Panda ActiveScan -- Posted by Igor_Donchenko on Friday, April 29 2005
According to data gathered from scans performed by the Panda ActiveScan, the online anti-malware solution, spyware and adware represent 60 percent of all examples of malware detected between January and March 2005.

After spyware and adware, the malware most frequently detected on the computers of Panda ActiveScan users were Trojans, accounting for some 18 percent. Of these, 5 percent belonged to the Downloader family, designed to download other malware, mainly spyware, onto infected computers.

According to Luis Corrons, director of PandaLabs, "In the first quarter of this year, despite the apparent calm, we have witnessed a silent spyware epidemic. This confirms a basic sea-change in the motives of malware creators, who now, instead of simply wanting to damage computers, are driven by the goal of financial gain. This in turn also explains the activity of Trojans, which are closely linked to spyware as they can be used as a propagation vector for these spy programs."

Computer worms, on the other hand, a type of malware which has traditionally been highly active, were only detected in 11 percent of cases. Other well-known types of malware were far less prevalent, such as backdoor Trojans (2%) or dialers (0.3%).

New examples of malware in the first quarter of 2005

According to data obtained by PandaLabs, of all the new examples of malware detected during the first quarter of 2005, 42 percent were Trojans.

Nevertheless, and with particular regard to worms, their creators have chosen a new strategy in order to infect as many computers as possible. This involves launching, over a very short period of time, many variants of the same worm, dramatically increasing the possibility of a computer becoming infected by this malicious code.

"We are also noticing the effects of financial motivation of the creators of worms, as from what we have seen in the first quarter they are being used not just to spread rapidly and widely, but also to install other malware on systems. One such example is the Mytob family of worms of which there are already more than 60 members, all of which appeared in the first three months of 2005. These worms can, for example, create networks of computers affected by a particular example of spyware or create 'zombie' spammers, actions that can offer excellent returns to unscrupulous users."

Phishing attacks on the increase

Phishing, a type of online fraud that tries to steal confidential data from users by spoofing emails from reliable sources such as banks, has increased at a monthly rate of 20 percent during the first quarter of this year, in terms of the number of new emails using this kind of fraud.

"The increase in phishing attacks is also accompanied by the appearance of new forms of online fraud. One of these, known as pharming, may well represent a serious threat in the short term. It involves altering the DNS addresses used to browse the Internet. So for example, when a user enters the address of their online banking service, they reach a web page that perfectly imitates the original site but which in reality has been created by a hacker who then receives all the data that a user enters," adds Corrons.

Source: http://www.pandasoftware.com

Two men arrested in Tucson for phishing ID theft -- Posted by Igor_Donchenko on Wednesday, April 27 2005
Two men from Tucson, Arizona, have been arrested in connection with sending spam phishing emails pretending to come from online banks, credit card theft and fraud.

The men, 24-year-old Robbin Shea Brown and 19-year-old Joshua T. Breshears, are accused of having supported their expensive lifestyle by sending out emails asking recipients to confirm their credit card details.

According to police, the men coded blank credit cards with the information they had stolen and used them at automated-teller machines.

During a police search of the men's premises, officers found expensive furniture, artwork, plasma TVs and even a new stainless steel refrigerator with a built-in television. Half a dozen computers were also found, according to police reports, as well as devices to imprint data on the magnetic strips used on credit cards.

"Phishing can generate large profits for the criminals who mastermind the schemes, and all the signs indicate that the problem is growing," said Graham Cluley, senior technology consultant for Sophos. "Everyone needs to take care to secure their computer and to exercise caution about with whom they exchange sensitive data, such as their credit card numbers."

Police authorities in Tucson are now working closely with the Secret Service to determine if others, potentially overseas, could be involved in the scheme.

Source: http://www.sophos.com

Man arrested for spying on 17-year-old girl via her webcam -- Posted by Igor_Donchenko on Wednesday, April 27 2005
A 45-year-old man from Cyprus has been arrested in connection with hacking a teenage girl's webcam, in order to take illicit pictures of the young woman in her bedroom.

The man, who has not been named, is alleged to have spied on the 17-year-old girl through her webcam after infecting her PC with a Trojan horse. According to police reports, the suspect - who is a computer technician based in Nicosia - is said to have taken compromising pictures of the teenager while she was alone in her bedroom, and threatened to send the pictures to her email contacts unless she stood naked in front of the webcam. The girl refused and contacted the police.

It is alleged that the Trojan horse infected the PC after it was sent as an email attachment to the unwitting victim.

"The last 12 months have seen a dramatic rise in the number of new viruses, worms and Trojan horses designed to spy on innocent users: whether it be via their webcam, intercepting emails, or monitoring keypresses to grab banking passwords. Sophos's labs analyse approximately 15 new pieces of malware which include this kind of sinister payload every day, compared to 5 a day a year ago," said Graham Cluley, senior technology consultant for Sophos. "As well as Trojans being used for financial gain, this latest case has highlighted a worrying trend of voyeurism. Everyone needs to be extremely careful about their computer security to ensure they do not fall victim to an internet blackmailer or peeping tom."

In February, a computer science student was fined by a Spanish court for a similar offence.

Source: http://www.sophos.com

The number of new viruses detected has increased 278% since the third quarter of 2004, Panda Software reports -- Posted by Igor_Donchenko on Wednesday, April 27 2005
For some months now, there has been an increasing tendency to launch numerous variants of the same malicious code in order to increase the probability of computers becoming infected. The trend observed in 2004, which saw wave after wave of malicious code such as Bagle, Netsky or Mydoom, has gained pace in 2005. The result is a 278 percent increase in the number of malicious code detected compared with the third quarter of 2004. This figure can be used indirectly to measure viral activity, indicating that at present, even though no global epidemics have been registered, there is still a very high possibility of a computer being infected by malicious code.

The Mytob worm, which first appeared in February, is a leading exponent of this strategy, with 74 variants at last count. Other examples include the Kelvir (25 variants) and Bropia (36 variants) worms. There is even malicious code that appeared some months ago and has been reused following the same strategy, such as Bagle or Mydoom, whose variants have increased since January 2005 by 35 and 32 respectively.

This type of strategy doesn't just affect computers without adequate security systems, but can also hit those with traditional anti-malware software installed. Such systems are only effective if the malware in question has been previously identified. This means that first it must have been detected by antivirus companies, who then generate the corresponding vaccine and finally incorporate the updated file into users' anti-malware solutions.

According to Luis Corrons, director of PandaLabs: "Until now, daily updates were considered sufficient for keeping a computer protected from new viruses, and it is exactly this belief that the creators of malicious code are now looking to exploit. If they can launch many variants of a malicious code, those that appear after the user has incorporated the new vaccines to their anti-malware solution will have no less than 24 hours to infiltrate the system before the following update."

Panda Software offers one or more daily updates to its signature files and its products include automatic update systems which can be configured by each individual user. Nevertheless, there is still a gap between one update and another, known as the vulnerability window, which can consequently allow the entry of malicious code into the system.

Source: http://www.pandasoftware.com

Panda Software's weekly report on viruses and intruders -- Posted by Igor_Donchenko on Wednesday, April 27 2005
This week's report on viruses and intruders includes several new threats that have emerged this week; two variants of the Mytob worm, a variant of the Mitglieder Trojan and a new version of the Bancos Trojan.

The new variants of Mytob -Mytob.BC and Mytob.BD- open backdoors in affected computers. This action allows the BC variant to connect to a web server and the BD variant to connect to an IRC server, where they wait for commands from a malicious user. What's more, they modify the system HOSTS file so that the user cannot access the websites of certain antivirus companies. These worms spread via email, across networks protected with weak passwords and by exploiting the LSASS vulnerability. They also download other malware, such as the Faribot.A worm.

The Bancos.FC Trojan has also appeared this week. This malicious code goes memory resident and has keylogger functions. Bancos.FC waits for a dialup modem connection to be established (it only affects this type of connection). When this happens, it checks if the websites visited coincide with the address of any of the banking entities included in its code. If it finds any matches, it collects the information entered through the keyboard and sends it to an Internet server. Bancos.FC cannot spread alone, it needs external intervention to do so.

Finally, Mitglieder.CG is a Trojan that aims to disable certain security tools (antivirus and firewalls), which could be installed on the computers it affects. To do this, it can delete files and Registry entries or end the processes running in memory. What's more, it modifies the system HOSTS file so that the user cannot access the websites of certain antivirus companies.

Mitglieder.CG seems to have been mass-mailed, either manually or through zombie computers, and tries to download other malware from different websites.

Source: http://www.pandasoftware.com

A new Trojan -Bancos.FC- threatens users banking details -- Posted by Igor_Donchenko on Wednesday, April 27 2005
PandaLabs has detected the new Bancos.FC Trojan, programmed to steal data related to users' bank accounts and send them to hackers who can then use them fraudulently.

As with other Trojans, it cannot spread by itself, but needs to be distributed manually by the hacker that wants to use it. Bancos.FC can therefore affect users through various channels: Internet downloads, e-mail, P2P networks like KaZaA, storage devices, etc.

In the event that a user executes the file containing Bancos.FC, the Trojan will be installed on the system, creating a copy of itself under the name FTPEX.EXE, and another file called FTPEX.DLL. The latter contains numerous Internet addresses corresponding to financial entities around the world, especially those in Spanish-speaking countries. FTPEX.DLL comes into action every time users execute a process or application, waiting for them to use Internet Explorer. When this happens, it checks every URL typed into the system to see if it coincides with one of those listed in its code. Both the URL and additional data entered by the user (such as account numbers, credit card numbers, usernames, passwords...) are collected and sent to an Internet server where they can be collected by cyber crooks.

One important detail is that the Trojan can only act in the event that the user connects to the Internet via a modem. If the connection is across a local area network or broadband, Bancos.FC cannot take its intended action, although it does still affect the use of Internet Explorer.

"The appearance of this kind of Trojan, designed to steal the bank details, is motivated by the potential financial gain that can be obtained by the creators of these malicious code. Online fraud would now seem to be the main objective of cyber delinquents. This is why, for example, according to our data phishing is increasing at a rate of 20% per month, and new and dangerous tactics are emerging to steal money from users, such as pharming," explains Luis Corrons, director of PandaLabs.

Pharming involves altering DNS (Domain Name System) addresses so that the web pages that a user visits are not the original ones, but others created specifically by cyber-crooks to collect confidential data, especially information related to online banking.

Bancos.FC has been located by PandaLabs on a web page from which it can be downloaded to be used by hackers. Those in charge of the server hosting this page have been informed by Panda Software, but it is still highly likely that it may be found on many other sites, so it is advisable to take precautions when opening email messages or downloading files from the Internet or FTP servers.

Source: http://www.pandasoftware.com

A new variant of the Mitglieder Trojan is being mass mailed, reports Panda Software -- Posted by Igor_Donchenko on Wednesday, April 27 2005
PandaLabs has detected the mass mailing of spam that contains the new and dangerous CG variant of the Mitglieder Trojan (also known as Bagle.bn by other security companies). Data collected by the international PandaLabs network shows that this new malicious code is starting to spread rapidly across several countries.

The email messages in which this new Trojan has been detected have a blank subject and message body and include an attached file called work.zip. However, users should be careful, as this Trojan is being spammed out manually or through zombie computers and therefore, the characteristics of the email message carrying Mitglieder.CG could be totally different.

If the user runs the file containing Mitglieder.CG, the Notepad application will be opened, displaying the word "Sorry". At the same time, a file called winshost.exe is created in the Windows system directory on the affected computer. When the computer restarts, this file will be run and create another file called wiwhost.exe. This file will modify the host file so that the user will not be able to access certain websites; mainly websites related to antivirus programs and IT security.

In addition, the Trojan deletes files and Registry entries and stops processes related to security applications that could be installed on the computer.

According to Luis Corrons: "The aim of Mitglieder.CG is to download malware to the computer. It does this by connecting to a large number of Internet addresses and trying to download files, which could predictably contain other malware, such as backdoors, spyware, adware, bots, etc. This allows the authors of this malicious code to create networks of infected computers in order to launch attacks on other computers or collect hundreds of thousands of email addresses to send spam to."

Due to the wide circulation of this Trojan, Panda Software advises users to take precautions and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Source: http://www.pandasoftware.com

Net citizens with good intentions may be caught out by Sober-M worm, Sophos reports -- Posted by Igor_Donchenko on Wednesday, April 20 2005
Experts at SophosLabs, Sophos's global network of virus and spam analysis centres, have warned users that the W32/Sober-M worm is spreading in the wild. The worm is currently the fifth most commonly encountered virus in the last 24 hours, being beaten only by variants of the prevalent Netsky and Zafi worms.

The W32/Sober-M worm bulk mails itself in either German or English, depending on whether it believes the recipient's email address to be owned by a German or English speaker.

Emails sent in English have the following characteristics:

Subject line:
I've_got your EMail on my_account!

Message text:
Hello,
First, Very Sorry for my bad English.
Someone is sending your private e-mails on my address.
It's probably an e-mail provider error!
At time, I've got over 10 mails on my account, but the recipient are you. I have copied all the mail text in the windows text-editor for you & zipped then.
Make sure, that this mails don't come in my mail-box again.
bye


Attached file:
your_text.zip

"This latest variant of the Sober worm may catch out the unwary as they open their email inbox," said Graham Cluley, senior technology consultant at Sophos. "It looks like the virus writer is deliberately using 'broken english' to lull people into a false sense of security that it's not a virus that has sent the message through, but an aggrieved email user. The virus plays on people's desire to be a good net citizen - anyone who receives a message like this may feel duty bound to open the attachment and investigate how their computer has been sending erroneous email, but such good intentions could result in a nasty infection."
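The subject line, attachment name and message text listed above are exactly the kind of indicators a mail gateway rule would key on. The following is an added example, not Sophos's code: it builds a constructed message shaped like the lure (the real archive contents are not described, so the zip only carries placeholder data) and reports which of the page's indicators a raw RFC 822 message matches.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Indicators taken from the Sober-M description: the English subject line, the
# attachment name and a few distinctive phrases from the message text (compared lower-case).
SUBJECT_INDICATOR = "i've_got your email on my_account!"
ATTACHMENT_INDICATOR = "your_text.zip"
BODY_PHRASES = (
    "someone is sending your private e-mails on my address",
    "it's probably an e-mail provider error",
    "i have copied all the mail text in the windows text-editor",
)


def build_sample_message():
    """Construct a message mimicking the Sober-M lure (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"   # the worm spoofs the sender; placeholder address here
    msg["To"] = "victim@example.org"
    msg["Subject"] = "I've_got your EMail on my_account!"
    msg.set_content(
        "Hello,\n"
        "First, Very Sorry for my bad English.\n"
        "Someone is sending your private e-mails on my address.\n"
        "It's probably an e-mail provider error!\n"
        "At time, I've got over 10 mails on my account, but the recipient are you. "
        "I have copied all the mail text in the windows text-editor for you & zipped then.\n"
        "Make sure, that this mails don't come in my mail-box again.\n"
        "bye\n"
    )
    # A harmless in-memory zip so the MIME structure is realistic; only the file name
    # is modelled on the report, the archive contents are made up.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample content\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="your_text.zip")
    return msg.as_bytes()


def attachment_names(msg):
    """Lower-cased file names of every attachment part in a parsed message."""
    return [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]


def sober_m_indicators(raw):
    """Return the indicators matched in a raw message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject == SUBJECT_INDICATOR:
        hits.append("subject")
    if ATTACHMENT_INDICATOR in attachment_names(msg):
        hits.append("attachment")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits.extend("body:" + phrase for phrase in BODY_PHRASES if phrase in body)
    return hits


if __name__ == "__main__":
    for hit in sober_m_indicators(build_sample_message()):
        print("matched:", hit)
```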

Source: http://www.sophos.com

Panda Software's weekly report on viruses and intruders -- Posted by Igor_Donchenko on Wednesday, April 20 2005
This week's report on viruses and intruders includes five vulnerabilities in different Microsoft products and new variants of the Mytob, Gaobot and Kelvir worms.

The five vulnerabilities have been rated 'critical' and affect not only Windows operating systems, but also other applications like Internet Explorer, Exchange Server, MSN Messenger, Word, Works and Office. If the patches that fix these flaws are not applied, an attacker could gain remote control of affected systems.

As far as malicious code is concerned, we can highlight the gradual increase in the number of Mytob worms emerging. The Mytob worms connect to an IRC server and wait for remote control commands to carry out on the affected computer, such as deleting, downloading or running files. Some variants prevent the user from accessing the websites belonging to certain antivirus and IT security companies. What's more, they spread via email, through the Internet -by exploiting the LSASS vulnerability- and across networks protected with weak passwords. However, the proactive TruPrevent™ detection technologies blocked all these variants of the Mytob worm without needing to be able to identify them first. Therefore, users that have these technologies installed on their systems have been protected from the very start.

The appearance of Gaobot.EYP can also be highlighted. This is a worm that also opens a backdoor, allowing a remote attacker to gain control of affected computers. The attacker would be able to carry out multiple actions including running commands, downloading and executing files, capturing keystrokes, obtaining the characteristics of the computer, launching distributed denial of service attacks (DDoS), etc.

Gaobot.EYP ends the processes belonging to different security tools, such as antivirus programs and firewalls, leaving the computer vulnerable to attack from other malware. What's more, it ends the processes belonging to other worms.

Gaobot.EYP uses a number of methods to spread:

  • It copies itself to the shared network resources it manages to access.
  • It exploits the following vulnerabilities to spread via the Internet: LSASS, RPC DCOM, WINS buffer overflow in the workstation service.
  • It can get into computers with SQL Server, whose SA (System Administrator) account has a blank password.
Finally, we will look at Kelvir.L.worm. This worm spreads via MSN Messenger by sending a message to all the contacts with the text "its you!", which points to a URL belonging to the hydr0.net domain.

If the user clicks on this link, a compressed, autoexecutable file, detected as Trj/MultiDropper.ZL, is downloaded and run. This file contains files called "uncanny.exe" and "advbot.exe", which are copies of Kelvir.L.worm and Gaobot.EYX.worm, respectively.

Source: http://www.pandasoftware.com

Panda Software warns of the growing threat of rootkits -- Posted by Igor_Donchenko on Wednesday, April 13 2005
According to data from PandaLabs, there has been a marked increase in the appearance of a type of malware called rootkits for Windows. Although there is no evidence that they have been used massively to carry out attacks on Windows, the current proliferation indicates that in the short term they could become a common means for hackers to carry out malicious action.

Luis Corrons, director of PandaLabs, asserts: "Just as security solutions evolve, so do hackers, searching for new ways to enter systems undetected. Even though they are not new, rootkits have re-emerged as a kind of malware that could let hackers discreetly carry out numerous malicious actions. In fact, we have seen that they are being used in combination with backdoors to take remote control of computers".

Rootkits are really a classic type of malicious code, as they first appeared some 10 years ago. They are, in fact, tools used by hackers to cover their malicious action. To do this, they modify the operating system on the computer, and can even replace basic functions. This means that not only do they hide their own existence, but also the action that a malicious user could be taking remotely on a compromised computer. Moreover, a rootkit can also hide the existence of other malware on a computer, simply by modifying file data, registry keys or active processes.

Until now, rootkits had represented a serious problem for Unix environments, the platform for which they were originally developed. In fact, the name is derived from the Unix 'superuser', also known as "root", that has full rights and privileges on the system.

How to protect against rootkits

The best defense against rootkits is prevention. A good protection measure is to have a properly updated anti-malware solution, which can prevent the entry of most rootkits. In addition, firewalls are also highly useful, as they can prevent rootkits from entering through unprotected ports and also stop them from being used once they have already been installed on a computer.

Source: http://www.pandasoftware.com

The flood of Mytob worms not letting up: 38 variants are now in circulation -- Posted by Igor_Donchenko on Wednesday, April 13 2005
PandaLabs is detecting new variants of the mass-mailing worm Mytob every day. This family of worms already has 38 members. Twenty two of these have emerged this month and it is highly probable that more Mytob worms will appear over the next few days.

Evidence seems to suggest that the appearance of this number of variants over such a short space of time responds to a predefined plan. "As there is no evidence to suggest that the source code of these worms has been published, as has happened with other malware, we are led to believe that all of these worms have been created by a single author or an organized group," explains Luis Corrons, head of PandaLabs, who goes on to say, "therefore, what they are trying to do is unleash the largest number of different worms possible in order to increase the probability of computers being infected by one of them."

All of the variants of Mytob have a series of common characteristics, such as opening backdoors in infected systems. For this reason, it is possible that the main aim of the authors of these worms is to create networks of computers that can be controlled at the same time. This would allow the attacker to carry out many different malicious actions, from mass mailing spam, launching attacks against other computers or stealing confidential information in order to commit fraud.

The results of an analysis carried out by PandaLabs show that there are many similarities between the Mytob worms and the infamous Mydoom worm, which appeared at the beginning of 2004 and caused a worldwide epidemic. "The source code of Mydoom seems to have been used as a basis to create the Mytob worms. What's more, some modifications have been made, as they are also programmed to exploit the Windows LSASS vulnerability, which allowed the Sasser worm to launch a widespread attack in 2004."

Due to the high possibility of being infected by one of the Mytob worms, Panda Software advises users to take precautions and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect these new malicious codes.

Source: http://www.pandasoftware.com

Panda Software reports a wave of variants of the Mytob worm -- Posted by Igor_Donchenko on Wednesday, April 6 2005
PandaLabs has detected the appearance of four new variants (S, U, V and W) of the Mytob worm in just a few hours.

All of these variants have backdoor Trojan characteristics, i.e. they leave a backdoor open on the system to receive commands. This process is not carried out directly, but using servers called 19.xxor.biz (in the case of variants S, U and W), and irc.blackcarder.net, which is used by MyTob.V. This allows their creator to take control of any computers infected with these variants of Mytob.

One of the greatest dangers of this worm lies in its ability to modify system "hosts" files. It does this to prevent users connecting to the web pages of certain antivirus developers. Because of this modification, infected users won't be able to receive the updates needed to eliminate this malicious code.
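The HOSTS-file modification described here, and in the Mytob and Mitglieder reports above, leaves a concrete artefact a defender can look for. The following is an added example, not Panda Software's code: it parses a HOSTS file and flags entries that override a security vendor's name or pin any non-loopback name to a sinkhole address. The two vendor domains are the ones named on this page; the sample file is constructed.

```python
import ipaddress
import sys

# Constructed sample of a Windows HOSTS file after the kind of tampering described above:
# vendor names pinned to loopback or the 0.0.0.0 blackhole so updates cannot be fetched.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.pandasoftware.com
127.0.0.1       pandasoftware.com
0.0.0.0         www.sophos.com
192.168.0.10    printer.corp.example   # legitimate local entry, must not be flagged
"""

# Domains whose blocking would cripple updates; extend for the vendors you actually use.
SECURITY_DOMAINS = {"pandasoftware.com", "sophos.com"}

# Addresses that make a name unreachable: IPv4 loopback, the 0.0.0.0 blackhole, IPv6 loopback.
SINKHOLE_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
]

# Names that legitimately map to loopback on every machine.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-file text, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for host in fields[1:]:
            yield line_no, ip, host.lower()


def is_security_domain(host):
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def is_sinkholed(ip):
    return any(ip in net for net in SINKHOLE_NETS)


def find_tampering(text):
    """Return [(line_no, ip, host, reason)] for entries that look like malware-planted blocks.

    Two patterns are flagged: any mapping for a security vendor name, wherever it points,
    and any non-loopback name pinned to a sinkhole address.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if host in LOOPBACK_NAMES:
            continue
        if is_security_domain(host):
            findings.append((line_no, str(ip), host, "security vendor host overridden"))
        elif is_sinkholed(ip):
            findings.append((line_no, str(ip), host, "name pinned to sinkhole address"))
    return findings


def main():
    # Default path is the standard Windows location; pass another path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers\etc\hosts"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; scanning the built-in sample instead")
        text = SAMPLE_HOSTS
    for line_no, ip, host, reason in find_tampering(text):
        print(f"line {line_no}: {ip} {host}  <- {reason}")


if __name__ == "__main__":
    main()
```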

The worm uses three different methods to spread:

- Exploiting the known LSASS vulnerability, published and corrected by Microsoft in the MS04-011 security bulletin, available here
- Through shared resources protected with weak passwords, i.e. ones that are easy to guess.
- By email. Sending messages with an attachment containing the Mytob code with one of the following extensions: .bat, .exe, .pif, .scr or .zip. The attached file could be called Data, Doc, Document, File, Readme, Text or Body, among others.

It sends itself to addresses it finds on the infected system in files with .adb,.asp, .dbx, .htm, .php, .pl, .sht and .tbb extensions and in the Windows address book. The extensions used depend on the variant of Mytob. As is becoming common practice with malicious code that spreads by email, the address of the sender is spoofed to help prevent infected computers from being rapidly pinpointed.

Mytob does not send itself out to certain email addresses (including those that contain the word "panda"), in an attempt, albeit unsuccessful, to impede its detection.

To prevent more than one copy of the worm running at the same time on the system, it creates different mutexes, which vary according to the specific version of Mytob. The S version creates the mutex "ggmutexk2", the U variant creates "ggmutexk1", the V version "H-E-L-L-B-O-T-2-BY-DIABLO" and the W variant creates a mutex called "H-E-L-L-B-O-T".

As is becoming common lately, the author or authors of these worms are trying to unleash the largest number of malicious code possible in order to increase the probability of computers being infected. This time, as these are worms that allow remote control of affected computers, it is obvious that their aim is to create a network of computers that can be controlled at the same time. This would allow the attacker to carry out many different malicious actions, from mass installing other malware, like keyloggers or spyware, to creating "zombies" for sending out spam.

Source: http://www.pandasoftware.com


© AntivirusWorld.com