Antivirus World
 
News archive about antivirus software, virus threats, trojans

June 2004

Zafi.B -- Posted by Igor_Donchenko on Thursday, June 24 2004
What is Zafi.B:
This is a variant of the Zafi worm and spreads through infected email attachments. Zafi.B terminates any application that has the words 'firewall' or 'virus' in it, and those files are overwritten with a copy of the worm. Several Windows tools, like Task Manager and Registry Editor, are disabled while the worm is active: Zafi.B opens these files with exclusive locking to prevent anything else from opening them.
The worm sends itself in emails mostly as a .pif attachment and in rare cases as .exe or .com. It uses its own SMTP engine to send messages with infected attachments in many different languages, such as English, Italian, Spanish, Russian and Swedish.

Name: Zafi.B
Other Names: W32/Zafi.B@mm, I-Worm.Zafi.b
Probable Risk Rating: Medium
Type/Sub Type: Internet Worm
Surfaced date: 11 June 2004
Mode of Infection: Emails

How it spreads
The worm is spread through infected attachments of .pif files. Zafi.B spreads in FSG! packed form, which is 12800 bytes and unpacks to around 30 KB of hand-written assembly code.

Technical Details

  1. When Zafi.B is started it copies itself to the Windows System Directory with a random .DLL and random .EXE name. The .EXE file is added to the registry as
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "_Hazafibb" = "%SysDir%\.exe"
    Several additional files are created in the System Directory with a random name and .DLL extension in which it keeps its internal data.
  2. Zafi.B enumerates all the directories in the system and copies itself as either 'winamp 7.0 full_install.exe' or 'Total Commander 7.0 full_install.exe' to the ones that contain 'share' or 'upload' in their name.
  3. Email Propagation
    Zafi.B looks into the Windows Address Book and different files and tries to gather email addresses.
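The indicators listed above (the `_Hazafibb` autostart value, the two fake installer names dropped into folders containing 'share' or 'upload', and the .pif/.exe/.com attachments) can be checked mechanically. The following is an added example, not code from the original post or from mwti.net: it runs the checks over a hypothetical host inventory that an audit script is assumed to have collected already (registry Run values, a file listing and attachment names from a mail gateway log). The random file name and the sample paths are constructed.

```python
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List

# Indicators quoted from the Zafi.B description above.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "_Hazafibb"
DROPPED_NAMES = {
    "winamp 7.0 full_install.exe",
    "total commander 7.0 full_install.exe",
}
SHARE_FOLDER_WORDS = ("share", "upload")
WORM_ATTACHMENT_EXTS = (".pif", ".exe", ".com")


@dataclass
class HostSnapshot:
    """Hypothetical inventory format: what an audit script has already collected from a host."""
    run_values: Dict[str, str] = field(default_factory=dict)        # value name -> data under RUN_KEY
    files: List[str] = field(default_factory=list)                  # full Windows paths on disk
    outbound_attachments: List[str] = field(default_factory=list)   # attachment names from gateway logs


def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """Flag the autostart value the worm registers under the Run key."""
    if RUN_VALUE_NAME in run_values:
        return [f"autostart: {RUN_KEY}\\{RUN_VALUE_NAME} = {run_values[RUN_VALUE_NAME]}"]
    return []


def check_share_folders(files: List[str]) -> List[str]:
    """Flag the two fake installer names, but only inside folders named 'share' or 'upload'."""
    hits = []
    for path in files:
        folder, name = ntpath.split(path)   # ntpath splits Windows paths correctly on any OS
        in_share_dir = any(word in folder.lower() for word in SHARE_FOLDER_WORDS)
        if name.lower() in DROPPED_NAMES and in_share_dir:
            hits.append(f"worm copy in shared folder: {path}")
    return hits


def check_attachments(names: List[str]) -> List[str]:
    """Flag executable attachments of the kinds the worm mails out (.pif most often)."""
    return [f"executable attachment: {n}" for n in names
            if n.lower().endswith(WORM_ATTACHMENT_EXTS)]


def scan(snapshot: HostSnapshot) -> List[str]:
    """Run all three checks and return the findings as plain strings."""
    return (check_run_key(snapshot.run_values)
            + check_share_folders(snapshot.files)
            + check_attachments(snapshot.outbound_attachments))


# Constructed sample inventory: one infected host, mixing real hits with benign look-alikes.
SAMPLE = HostSnapshot(
    run_values={
        "_Hazafibb": r"C:\WINDOWS\System32\qzxv.exe",   # constructed random .EXE name
        "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
    },
    files=[
        r"C:\WINDOWS\System32\qzxv.exe",
        r"D:\Public\Share\winamp 7.0 full_install.exe",
        r"D:\ftp\upload\Total Commander 7.0 full_install.exe",
        r"C:\Downloads\winamp 7.0 full_install.exe",   # same name, not a share folder: ignored
    ],
    outbound_attachments=["invoice.pif", "report.pdf", "SETUP.EXE"],
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Each check is deliberately narrow: the installer names only count in share/upload folders, because the same names elsewhere are just as likely a user's own download, and the attachment check is a gateway-side signal rather than proof of infection.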
Source: http://www.mwti.net

Evolution of computer viruses (part 6) -- Posted by Igor_Donchenko on Thursday, June 24 2004
Computer viruses evolve in much the same way as in other areas of IT. Two of the most important factors in understanding how viruses have reached their current level are the development of programming languages and the appearance of increasingly powerful hardware.

In 1981, almost at the same time as Elk Cloner (the first virus for 8-bit processors) made its appearance, a new operating system was growing in popularity. Its full name was Microsoft Disk Operating System, although computer buffs throughout the world would soon refer to it simply as DOS.

DOS viruses

The development of MS DOS systems occurred in parallel to the appearance of new, more powerful hardware. Personal computers were gradually establishing themselves as tools that people could use in their everyday lives, and the result was that the number of PC users grew substantially. Perhaps inevitably, more users also started creating viruses. Gradually, we witnessed the appearance of the first viruses and Trojans for DOS, written in assembler language and demonstrating a degree of skill on the part of their authors.

Far fewer programmers know assembler than are familiar with high-level languages, which are far easier to learn. Malicious code written in Fortran, Basic, Cobol, C or Pascal soon began to appear. The last two languages, which are well established and very powerful, are the most widely used, particularly in their Turbo C and Turbo Pascal versions. This ultimately led to the appearance of "virus families": that is, viruses that are followed by a vast number of related viruses which are slightly modified forms of the original code.

Other users took the less "artistic" approach of creating destructive viruses that did not require any great knowledge of programming. As a result, batch processing file viruses or BAT viruses began to appear.

Win16 viruses

The development of 16-bit processors led to a new era in computing. The first consequence was the birth of Windows, which, at the time, was just an application to make it easier to handle DOS using a graphic interface.

The structure of Windows 3.xx files is rather difficult to understand, and the assembler language code is very complicated, as a result of which few programmers initially attempted to develop viruses for this platform. But this problem was soon solved thanks to the development of programming tools for high-level languages, above all Visual Basic. This application is so effective that many virus creators adopted it as their "daily working tool". This meant that writing a virus had become a very straightforward task, and viruses soon appeared in their hundreds. This development was accompanied by the appearance of the first Trojans able to steal passwords. As a result, more than 500 variants of the AOL Trojan family, designed to steal personal information from infected computers, were identified.

Source: http://www.pandasoftware.com

The Cabir worm threatens cell phone security -- Posted by Igor_Donchenko on Sunday, June 20 2004
PandaLabs has identified Cabir, the first worm capable of spreading to cell phones. This malicious code affects devices that use the Symbian OS operating system, used in many models of phone including some manufactured by Nokia, Siemens and Sony Ericsson.

The creators of Cabir haven't designed the worm to propagate massively, but have used it as a trial to demonstrate that these kinds of devices can be infected by malicious code.

Cabir spreads in a file called Caribe.sis, which installs itself automatically on the system when the user accepts the transmission. It displays the text "Caribe" on the screen and then starts a continuous search for other devices to send itself to, although these must be reachable via Bluetooth. The process drastically drains the device's battery.

On the other hand, it is possible that the Caribe.sis file copies itself to other Bluetooth devices, such as some printers, even though they don't use the operating system mentioned above. In these cases, however, the worm would not be able to spread further.

According to Luis Corrons, head of PandaLabs: "It was foreseeable that Cabir would appear. This is another consequence of the spectacular advances made in mobile communication technology in recent years. This particular case is just a trial but could open the door to new viruses which could become a serious blight for cell phone users".

The emergence of Cabir is the start of a new era for IT security the implications of which will be felt beyond the world of computers. "From now on, when buying cell phones and mobile devices, users will have to look at more than just functionality and also consider the security systems that they have," explains Corrons.

Source: http://www.pandasoftware.com

IT Hoaxes: an avoidable danger -- Posted by Igor_Donchenko on Sunday, June 20 2004
Hoaxes are a simple but effective type of malware. These e-mails aim to trick the unsuspecting with false information and scare stories on a variety of topics, including alerts concerning non-existent viruses and a whole range of urban myths.

On many occasions IT hoaxes are created by malicious users with the simple aim of playing a trick on computer users. However, they can also be used to collect numerous e-mail addresses that can later be used to send spam.

Some hoaxes can also have serious consequences for users. Sulfnbk, which has been in circulation for over three years, tells users that a dangerous virus is infecting many computers without users knowing and hides in computers in a file called "Sulfnbk.exe". The hoax tells users to look for the file on their computers and delete it. This file does actually exist on most computers, but far from being a virus it is a file that has important functions in many operating systems.

One of the most recent hoaxes warned about possible terrorist attacks on Metro lines in the US on June 11. The text, which claimed that the warning came originally from a source in CNN, was created to cause widespread alarm among as many users as possible.

According to Luis Corrons, head of PandaLabs: "The only way to prevent a hoax from spreading is to delete the message immediately and not forward it to anyone. The authors of these messages are looking for them to spread to as many users as possible. Unfortunately, there are still many who get taken in by these messages and by forwarding them, are unwittingly contributing to their massive propagation and keeping them in circulation."

One way of stopping these hoaxes from spreading is to apply an e-mail content filtering system so that these kinds of messages are deleted without even being read.
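A content filter of the kind just described can be as simple as a weighted set of text signatures. The block below is an added example, not code from the original post or from Panda Software: its rules are constructed from the hoax traits described above (a named system file to delete, a chain-letter "forward this to everyone" instruction, a borrowed authority such as CNN), the drop threshold is an assumed tuning value, and the sample messages are constructed. The last message shows the reason for weighting rather than single-keyword matching: a legitimate note that mentions deleting an .exe fires one weak rule and is still delivered.

```python
import re
from typing import Dict, List, Tuple

# Constructed signature set modelled on the hoax traits described above.
HOAX_RULES: List[Tuple[str, "re.Pattern[str]", int]] = [
    ("sulfnbk-hoax", re.compile(r"sulfnbk\.exe", re.I), 3),
    ("delete-system-file",
     re.compile(r"(delete|remove)\b.{0,60}\.exe|\.exe.{0,60}\b(delete|remove)", re.I | re.S), 2),
    ("chain-forward", re.compile(r"forward (this|it) to (everyone|all|as many)", re.I), 2),
    ("borrowed-authority",
     re.compile(r"\b(source|report|warning) (in|from) (cnn|microsoft|the fbi)\b", re.I), 1),
]
DROP_THRESHOLD = 3  # assumption: tune against your own mail sample before deployment


def score_message(body: str) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that fires and return the rule names with the score."""
    fired = [(name, weight) for name, rx, weight in HOAX_RULES if rx.search(body)]
    return sum(weight for _, weight in fired), [name for name, _ in fired]


def classify(body: str) -> str:
    """'drop' when the combined evidence reaches the threshold, otherwise 'deliver'."""
    score, _ = score_message(body)
    return "drop" if score >= DROP_THRESHOLD else "deliver"


def filter_mailbox(messages: Dict[str, str]) -> Dict[str, str]:
    """Map each subject to the verdict for its body."""
    return {subject: classify(body) for subject, body in messages.items()}


# Constructed sample messages: two hoaxes and two legitimate notes.
SAMPLE_MESSAGES = {
    "VIRUS ALERT": (
        "A dangerous virus is hiding on most computers in a file called Sulfnbk.exe. "
        "Search your hard disk and delete it, then forward this to everyone in your address book."
    ),
    "Metro warning": (
        "Warning from CNN: terrorist attacks on metro lines in the US are expected on June 11. "
        "Forward this to everyone you know."
    ),
    "Meeting minutes": (
        "Minutes from today's meeting are attached. Please delete the old draft before Friday."
    ),
    "Installer update": (
        "The installer setup.exe on the share has been updated; remove the old copy when convenient."
    ),
}

if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES.items():
        score, names = score_message(body)
        print(f"{subject:18} {classify(body):8} score={score} rules={names}")
```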

Source: http://www.pandasoftware.com

Korgo worms: A dangerous experiment? -- Posted by Igor_Donchenko on Sunday, June 20 2004
At first, the Korgo.A worm was thought to be just another replica of the infamous Sasser. However, the fact that 12 variants have appeared in quick succession would seem to point to more sinister motives that could represent a serious threat to the integrity of IT systems.

The Korgo worms, just like Sasser, exploit the LSASS vulnerability to spread rapidly across the Internet. But unlike Sasser, these worms try to lay low when they infect computers and therefore users won't see tell-tale signs such as continuous restarts in infected computers. They can also, depending on the variant, delete certain files, open communication ports and try to connect to various IRC servers.

Another important characteristic is that some of the Korgo worms use mutexes (mutual exclusion objects). These objects control access to system resources and prevent more than one process from using the same resource at the same time. One of the mutexes created by these malicious codes is called 'utermXX' (where XX is a number, apparently sequential). So while Korgo.C uses the mutex 'utwrm7', Korgo.J uses 'uterm12'. This would imply that there are at least 12 versions of the worm (in this case, a version is a virus that has substantially different characteristics to its predecessors). In addition, there are other lesser variants, differing only fractionally from the original version. This is the case, for example, with Korgo.K and Korgo.L, created by introducing minor modifications to the original code.

These malicious codes also alter the Windows Registry, with each new variant removing the changes made by its predecessors and making new changes. This means that the order in which they have been created can be traced by the changes that they make. For example, Korgo.D deletes the entries created by Korgo.F, implying that Korgo.D is actually a more recent creation.
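The two pieces of evidence in the last paragraphs (the sequential 'utermXX' mutex numbers, and the fact that each variant deletes its predecessors' registry entries) can both be turned into analysis code. The following is an added example, not code from the original post or from PandaLabs: `korgo_generations` pulls generation numbers out of a host's mutex list, and `infer_order` rebuilds the creation order from per-variant "adds"/"removes" registry footprints by treating "D removes what F added" as "F came before D" and topologically sorting. The registry value names (`RunValueA` and so on) are hypothetical placeholders; only the relationships between variants are taken from the text.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Mutex naming scheme quoted above: 'utermXX', where XX appears to be a sequential number.
MUTEX_RX = re.compile(r"^uterm(\d+)$", re.I)


def mutex_generation(mutex_name: str) -> Optional[int]:
    """Return the Korgo generation number from a mutex name, or None if it is not one."""
    m = MUTEX_RX.match(mutex_name)
    return int(m.group(1)) if m else None


def korgo_generations(mutex_names: List[str]) -> List[int]:
    """Generation numbers present in a host's mutex list (e.g. from a handle dump)."""
    return sorted(g for g in map(mutex_generation, mutex_names) if g is not None)


# Constructed per-variant registry footprint. Value names are hypothetical placeholders;
# only the relationship matters: each variant deletes what an earlier variant created.
VARIANTS: Dict[str, Dict[str, Set[str]]] = {
    "Korgo.A": {"adds": {"RunValueA"}, "removes": set()},
    "Korgo.C": {"adds": {"RunValueC"}, "removes": {"RunValueA"}},
    "Korgo.F": {"adds": {"RunValueF"}, "removes": {"RunValueC"}},
    "Korgo.D": {"adds": {"RunValueD"}, "removes": {"RunValueF"}},
}


def infer_order(variants: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Order variants so every variant comes after the ones whose entries it deletes."""
    creator: Dict[str, str] = {}
    for name, footprint in variants.items():
        for value in footprint["adds"]:
            creator[value] = name

    later: Dict[str, Set[str]] = defaultdict(set)   # earlier variant -> variants that clean it up
    indegree = {name: 0 for name in variants}
    for name, footprint in variants.items():
        for value in footprint["removes"]:
            earlier = creator.get(value)
            if earlier is not None and earlier != name and name not in later[earlier]:
                later[earlier].add(name)
                indegree[name] += 1

    # Kahn's topological sort with a name-based tie-break so the result is deterministic.
    ready = sorted(n for n, d in indegree.items() if d == 0)
    order: List[str] = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for nxt in sorted(later[current]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
        ready.sort()
    if len(order) != len(variants):
        raise ValueError("contradictory evidence: variants delete each other's entries in a cycle")
    return order


if __name__ == "__main__":
    print(korgo_generations(["uterm12", "uterm7", "ZonesCounterMutex", "utermXX"]))
    print(" -> ".join(infer_order(VARIANTS)))
```

With the constructed footprints the inferred order is Korgo.A, Korgo.C, Korgo.F, Korgo.D, matching the text's point that the letter suffix reflects discovery order, not creation order. A cycle in the evidence raises an error rather than producing a misleading sequence.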

The aims of the creator of these worms still remain a mystery. Luis Corrons, head of PandaLabs, explains: "The amount of work being put into the development of the Korgo worms would suggest that this is more than just someone having a bit of fun. And this is not the typical virus strategy of simply getting as many variants in circulation as quickly as possible to infect as many computers as possible, as they have taken the trouble to make their creations delete their own predecessors."

It seems that the creators are trying to fine tune the malicious code in order to create a highly damaging example that will take users by surprise. It would, nevertheless, be a 'silent' epidemic, as one of the main features of the Korgo worms is that their actions can go unnoticed by users.

One seemingly contradictory detail is that despite such technical ingenuity, Korgo uses the LSASS vulnerability to propagate and will therefore cease to spread as users install the patch to fix this flaw in Windows. This may not be a problem for its creators because, as Corrons explains: "The creator of the worm could exploit other vulnerabilities as they are discovered. This is why it is advisable to keep an eye on the new variants which will no doubt appear. The sooner the creator is caught the better."

To prevent incidents involving the Korgo worms, Panda Software advises users to take precautions and update their antivirus software. The company has already made the updates to its products available to users to ensure their solutions can detect and eliminate these malicious codes. To keep Korgo and its variants at bay, it is essential to apply the patch released by Microsoft to fix the LSASS vulnerability, which can be downloaded at: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

Source: http://www.pandasoftware.com

Evolution of computer viruses (part 5) -- Posted by Igor_Donchenko on Sunday, June 20 2004
Even though none of them can be left aside, some particular fields of computer science have played a more determinant role than others with regard to the evolution of viruses. One of the most influential fields has been the development of programming languages.

These languages are basically a means of communication with computers in order to tell them what to do. Even though each of them has its own specific development and formulation rules, computers in fact understand only one language called "machine code".

Programming languages act as an interpreter between the programmer and the computer. Obviously, the more directly you can communicate with the computer, the better it will understand you, and the more complex the actions you can ask it to perform.

According to this, programming languages can be divided into "low and high level" languages, depending on whether their syntax is more understandable for programmers or for computers. A "high level" language uses expressions that are easily understandable for most programmers, but not so much for computers. Visual Basic and C are good examples of this type of language.

On the contrary, expressions used by "low level" languages are closer to machine code, but are very difficult to understand for someone who has not been involved in the programming process. One of the most powerful, most widely used examples of this type of language is "assembler".

In order to explain the use of programming languages through virus history, it is necessary to refer to hardware evolution. It is not difficult to understand that an old 8-bit processor does not have the power of modern 64-bit processors, and this of course, has had an impact on the programming languages used.

In this and the next installments of this series, we will look at the different programming languages used by virus creators through computer history:

- Virus antecessors: Core Wars

As was already explained in the first chapter of this series, a group of programs called Core Wars, developed by engineers at an important telecommunications company, are considered the antecessors of current-day viruses. Computer science was still in the early stages and programming languages had hardly developed. For this reason, authors of these proto-viruses used a language that was almost equal to machine code to program them.

Curiously enough, it seems that one of the Core Wars programmers was Robert Thomas Morris, whose son programmed, years later, the "Morris worm". This malicious code became extraordinarily famous since it managed to infect 6,000 computers, an impressive figure for 1988.

- The new gurus of the 8-bits and the assembler language.

The names Altair, IMSAI and Apple in the USA and Sinclair, Atari and Commodore in Europe bring back memories of times gone by, when a new generation of computer enthusiasts "fought" to establish their place in the programming world. To be the best, programmers needed to have profound knowledge of machine code and assembler, as interpreters of high-level languages used too much run time. BASIC, for example, was a relatively easy-to-learn language which allowed users to develop programs simply and quickly. It had, however, many limitations.

This caused the appearance of two groups of programmers: those who used assembler and those who turned to high-level languages (BASIC and PASCAL, mainly).

Computer aficionados of the time enjoyed themselves more by programming useful software than malware. However, 1981 saw the birth of what can be considered the first 8-bit virus. Its name was "Elk Cloner", and was programmed in machine code. This virus could infect Apple II systems and displayed a message when it infected a computer.

Source: http://www.pandasoftware.com

The month that shook the world -- Posted by Igor_Donchenko on Wednesday, June 2 2004
May 2004 is turning into a record breaker for cyber law enforcement: Sasser and Phatbot suspects in Germany, Trojan horse author in Taiwan and Randex family author in Canada. Police worldwide are trawling successfully for virus coders.

Peep is a Trojan horse written by Ping-an, a Chinese computer engineer living in Taiwan. After failing to sell his program, Ping-an posted it on popular hacker sites. The sophisticated Trojan was used by an alarming number of hackers to vandalise government and corporate sites throughout Taiwan.

Randex worms circulate to this day. These network worms have backdoor functions allowing remote intruders to access victim machines via IRC channels. Randex variants can easily be used to create networks of zombie machines for spam mass mailers or DoS launch platforms.

Are things improving for users? Certainly. Can everyone relax? Not really. Yes, cyber crime now receives the attention it deserves and this spate of arrests demonstrates that law enforcement agencies worldwide are taking notice. And action.

However, technology is changing and new opportunities for users equal new opportunities for virus coders. Win64 machines have been hit with their first virus. The virus isn't perfect and Win64 Intel Itanium is still rare. But the ice has been broken and we're sure to see many more Win64 viruses in the future.

Source: http://www.viruslist.com

Evolution of computer viruses (part 4) -- Posted by Igor_Donchenko on Wednesday, June 2 2004
In the early days of computers, there were relatively few PCs likely to contain "sensitive" information, such as credit card numbers or other financial data, and these were generally limited to large companies that had already incorporated computers into working processes.

In any event, information stored in computers was not likely to be compromised, unless the computer was connected to a network through which the information could be transmitted. Of course, there were exceptions to this and there were cases in which hackers perpetrated frauds using data stored in IT systems. However, this was achieved through typical hacking activities, with no viruses involved.

The advent of the Internet, however, caused virus creators to change their objectives, and, from that moment on, they tried to infect as many computers as possible in the shortest time. Also, the introduction of Internet services, like e-banking or online shopping, brought in another change. Some virus creators started writing malicious codes not to infect computers but to steal confidential data associated with those services. Evidently, to achieve this, they needed viruses that could infect many computers silently.

Their malicious labor was finally rewarded with the appearance, in 1986, of a new breed of malicious code generically called "Trojan Horse", or simply "Trojan". This first Trojan was called PC-Write and tried to pass itself off as the shareware version of a text processor. When run, the Trojan displayed a functional text processor on screen. The problem was that, while the user wrote, PC-Write deleted and corrupted files on the computer's hard disk.

After PC-Write, this type of malicious code evolved very quickly to reach the stage of present-day Trojans. Today, many of the people who design Trojans to steal data cannot be considered virus writers but simply thieves who, instead of using blowtorches or dynamite, have turned to viruses to commit their crimes. Ldpinch.W or the Bancos or Tolger families of Trojans are examples of this.

Source: http://www.pandasoftware.com


© AntivirusWorld.com