News archive about antivirus software, virus threats, trojans
July 2004
Mydoom continues to cause chaos -- Posted by Igor_Donchenko on Tuesday, July 27 2004
Mydoom.m, the latest version of I-Worm.Mydoom, is not only infecting machines around the globe, but reportedly causing problems for users of the Google, Yahoo!, AltaVista and Lycos search engines.
The Mydoom.m outbreak caused the search engines either to fail intermittently or to return results far slower than usual. The most serious problems were experienced by users in the UK, France and parts of the US.
This is a new twist in the long-running worm saga. Previous versions of Mydoom simply mass-mailed themselves to all addresses found on the victim machine. However, Mydoom.m has an additional trick. It not only harvests email addresses from the infected system and sends itself to these addresses, but also searches the machine's files for domain names. It then uses Google and other search engines to find additional email addresses in the same domain, and sends copies of itself to all these addresses.
'This worm has a very original approach to sending infected messages. The only similar method we've seen was when Swen sent itself to newsgroups, having requested a list of accessible groups from the newsgroup server,' commented Alexander Gostev, a Kaspersky Labs virus analyst. 'As for the problems experienced by some search engines, it appears that only Google actually put out a press release. Google normally processes more than 200 million search requests a day - are there really enough machines infected by Mydoom.m to put such a system out of commission?'
Google was the search engine hardest hit by the additional traffic. The search engine received approximately 45% of the additional queries generated by Mydoom.m. The intermittent failure of the service is certainly a major irritation for users accustomed to getting results at the press of a key. It took several hours for adjustments to be made so that Google functioned normally.
However, a far more serious worry is the backdoor component which Mydoom installs on victim machines. Anyone who opened the attachment to an infected message now has a system which is wide open, making it possible to remotely upload and execute programs.
So what conclusions can we draw from the latest outbreak? The facts are clear: Mydoom once again clogged mailboxes, generated additional traffic and left search engine users frustrated. Most anti-virus software vendors were quick to issue an update to their signature databases. And what should users do? As ever, ensure that antivirus protection is kept up to date, and observe the golden rule: never open attachments in a mail message from an unknown source.
Source: http://www.kaspersky.com

MyDoom Reincarnates -- Posted by Igor_Donchenko on Tuesday, July 27 2004
Old viruses and worms never die; they reincarnate in another form. MyDoom, the notorious worm that wreaked havoc in the eWorld, has come back as MyDoom.N. The worm spreads through file-sharing networks like Kazaa and also through infected attachments.
Mr. Govind Ramamurthy, MD of MicroWorld Technologies Inc. (www.mwti.net), said that these worms have a built-in SMTP (Simple Mail Transfer Protocol) engine. The SMTP engine allows the virus to send mails on its own. Not only that, the virus 'harvests' email IDs from your system and mails itself to them.
Mails carrying MyDoom.N appear as if they are automated mails. The worm opens a backdoor in the infected machine, allowing hackers to access the computer. Hackers and spammers can take remote control of the machine or use it to hack other machines and launch spam attacks. Your credit card information, banking passwords, etc. can be mailed to these hackers. You will never come to know until it's too late.
Govind further pointed out that Bagle, the Internet worm, after running through the alphabet from A to Z with new variants, has now started appearing with double letters, from AA onwards; the latest variant is Bagle.AI. The worm forges sender addresses to confuse the recipient about the worm's origin. Its subjects and message bodies give the impression that the attachment contains pictures, music or information about certain animals. This ploy seems to be targeted at younger, more innocent users who may open the attachment. This variant of Bagle can sometimes arrive inside a password-protected zip file, with the password given in the email itself, thus fooling people into thinking that the email is genuine.
Recalling the battle fought a couple of months ago between the authors of Bagle and NetSky, Govind said that initially the authors were content with writing profane insults to each other in the worm code, but later they started 'killing' each other's worms on infected machines. The war was fought with great ardor, and it would have been amusing were it not for the fact that, after removing the current resident from an infected computer, the newcomer would go about the same business described above.
Source: www.mwti.net

Evolution of computer viruses (part 8) -- Posted by Igor_Donchenko on Friday, July 23 2004
In this latest edition of the evolution of computer viruses we will look at how virus creators began to exploit vulnerabilities in commonly-used software. A vulnerability can be defined as a security problem detected in a program or IT system. These flaws are often exploited by viruses to spread and infect computers.
The first ones
Even though exploiting software vulnerabilities may seem a recent phenomenon, it actually began back in 1998. This was how the Back Orifice Trojan worked, using unprotected communication ports to enter systems and leave them at the mercy of hackers, who could then take remote control of the computers.
Soon after, vulnerabilities began to be exploited in the way we know today. In 1999 the Bubble Boy worm first appeared, which exploited a security hole in Internet Explorer to activate simply when the message containing the virus was viewed in the preview pane. A similar strategy was used by the Kak worm, whose code was hidden inside the autosignature of messages generated with Microsoft Outlook Express.
Exploits
When a virus takes advantage of a software vulnerability, it is nearly always through an exploit which has been previously programmed by other users, or very rarely, by the creator of the malicious code itself. Technically speaking, an exploit is a block of code which only runs if the computer under attack produces a specific known error, i.e. if the system has the corresponding vulnerability.
Creating an exploit is a complicated business, and not within the capabilities of just any user, as they are normally based on assembler language. The real problem is that the people who create exploits very often make them available to other users who incorporate them into programs written in high-level languages. These programs could obviously be computer viruses which thanks to the exploit can infect computers containing the vulnerability.
The inclusion of exploits in viruses or worms represents a new era for malicious code. The fact that a virus spreads or infects systems by exploiting a vulnerability brings several advantages for the creators of malicious code. On the one hand, if the vulnerability affects operating systems such as Windows, there will be millions of potential victims for a malicious code attack. On the other hand, viruses that include exploits normally spread rapidly, as nothing gets in their way.
For example, if a virus exploits a vulnerability that lets it enter computers through an unprotected backdoor, even updated antivirus software could only detect it once it is already in the system. In this case the antivirus would detect and eliminate it, but it wouldn't be able to prevent the virus from entering time and time again. The only solution is to repair the vulnerability that the virus is exploiting.
So, it's not surprising that viruses like this have so often caused worldwide epidemics whenever they have appeared. Klez, Blaster, Mydoom, Sasser... are just a few examples.
Source: http://www.pandasoftware.com

Proof-of-concept virus hits the last virus-resistant Microsoft OS -- Posted by Igor_Donchenko on Friday, July 23 2004
BitDefender Antivirus Labs today reported the occurrence of the first malicious code to infect the operating system used by over 17 million users of Pocket PCs, smartphones and other Internet appliances.
Called WinCE4.Dust, "it infects pocket pc's PE files (ARM) in root (My Device) directory", as the virus author himself noted in a message addressed, probably, to most antivirus laboratories. The virus author, known by the nickname Ratter, is part of the well-known 29A VX group and created this virus "not meant to spread", just as "a proof of concept code".
"The same as the creators of Cabir (the virus for Symbian OS), the initiator of the Dust malware has not designed it to propagate on a massive scale, but rather to demonstrate that devices running Microsoft Windows CE can be infected by malicious code. The code was first sent to antivirus experts instead of being released in the wild" stated Viorel Canja, Head of BitDefender Labs.
In order to run, the virus needs a mobile-compatible device running the Microsoft Windows CE operating system. The virus displays a message box asking for the user's permission to spread to other files.
Source: http://www.bitdefender.com

Panda Software's new TruPrevent Technologies detect and block a new, previously unidentified virus -- Posted by Igor_Donchenko on Friday, July 23 2004
Panda Software has detected the appearance of the new worm Bagle.AH (W32/Bagle.AH.worm), a malicious code that uses both email and file-sharing programs like Kazaa, Morpheus, e-mule or LimeWire in order to spread rapidly across computers. From the afternoon of July 19, Panda Software’s laboratories began to receive a large number of incident reports involving this virus.
Panda Software’s TruPrevent Technologies will be launched officially on July 29. These innovative technologies are designed to use behavior analysis to block attacks like Bagle.AH and perfectly complement traditional antivirus applications due to their capacity to prevent even unknown malicious code from running.
The Bagle.AH worm uses an email with a false address to spread. The message text includes words like: "Predators", "Lovely animals", "fotoinfo", "The snake" or "Animals".
To spread to other email addresses, it has an attachment that must be run for the infection to start. This file could be called: "Serials.txt.exe", "Porno Screensaver.scr", "Microsoft Office 2003 Crack, Working!.exe", or "Music_MP3.com". The file could sometimes be included in a password protected ZIP file.
When the file containing the Bagle.AH worm is run, it starts to look on the infected computer for addresses to which it then sends itself.
This worm also uses P2P file-sharing programs in order to spread. To do this it makes a copy of itself in the shared directories of these applications with names that could entice other users to download and run them.
The damaging effects that this worm can have on computers include the blocking of antivirus or security application processes in memory which could leave computers vulnerable to further attack.
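As an added illustration (not code from Panda Software or from the original article), the following Python mail-gateway check flags the attachment tricks described above: directly executable attachments, double extensions such as "Serials.txt.exe", and a ZIP archive that arrives with its password in the message body. The extension lists, the verdict labels and the sample message are assumptions constructed for the example.

```python
import re

# Extensions that Windows runs directly or hands to a script host.
# Assumption: a reasonable gateway block list, not a list from the article.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl"}
# Extensions a recipient reads as harmless data; used to spot "photo.jpg.exe".
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "bmp", "doc", "xls", "pdf",
              "mp3", "htm", "html", "zip"}
ARCHIVE_EXTS = {"zip"}

PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)


def extensions(name):
    """Lower-cased extensions after the base name: 'a.txt.exe' -> ['txt', 'exe']."""
    parts = name.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(name):
    """Verdict for one attachment name: 'allow', 'review:archive',
    'block:executable' or 'block:double-extension'."""
    exts = extensions(name)
    if not exts:
        return "allow"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        # 'Serials.txt.exe' carries a decoy extension before the real one.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            return "block:double-extension"
        # 'Music_MP3.com' is a plain executable whose .com looks like a domain.
        return "block:executable"
    if last in ARCHIVE_EXTS:
        # The gateway cannot inspect a password-protected ZIP; hold it for review.
        return "review:archive"
    return "allow"


def classify_message(attachment_names, body):
    """Per-attachment verdicts for a whole message. An archive that arrives
    together with a password in the body is escalated to a block, because the
    encrypted-ZIP trick exists precisely to defeat content scanning."""
    verdicts = {name: classify_attachment(name) for name in attachment_names}
    if PASSWORD_HINT.search(body):
        for name, verdict in verdicts.items():
            if verdict == "review:archive":
                verdicts[name] = "block:password-zip"
    return verdicts


if __name__ == "__main__":
    # Constructed sample message using attachment names quoted in the article.
    sample_names = ["Serials.txt.exe", "Porno Screensaver.scr",
                    "Microsoft Office 2003 Crack, Working!.exe",
                    "Music_MP3.com", "photos.zip", "report.pdf"]
    sample_body = "Lovely animals. The password for the archive is 1234."
    for name, verdict in classify_message(sample_names, sample_body).items():
        print(f"{verdict:24} {name}")
```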
At the same time as the appearance of Bagle.AH, two new versions of Mydoom and Lovgate have started to spread across the Internet. W32/Mydoom.M.worm and W32/Lovgate.AQ.worm infected some computers and although initially it was feared that the epidemic could spread due to the simultaneous action of the worms, only Bagle.AH has become a real threat to a large number of computers.
Source: http://www.pandasoftware.com

Evolution of computer viruses (part 7) -- Posted by Igor_Donchenko on Tuesday, July 13 2004
This seventh edition on the history of computer viruses will look at how the development of Windows and Visual Basic has influenced the evolution of viruses: as these developed, worldwide epidemics evolved with them, the first being caused by Melissa in 1999.
While Windows changed from being an application designed to make DOS easier to manage to a 32-bit platform and operating system in its own right, virus creators went back to using assembler as the main language for programming viruses.
Versions 5 and 6 of Visual Basic (VB) were developed, making it the preferred tool, along with Borland Delphi (the Pascal development environment for Windows), for Trojan and worm writers. Then Visual C, a powerful C development environment for Windows, was adopted for creating viruses, Trojans and worms. This last type of malware gained unusual strength, overtaking almost all other types of viruses. Even though the characteristics of worms have changed over time, they all have the same objective: to spread to as many computers as possible, as quickly as possible.
With time, Visual Basic became extremely popular and Microsoft implemented part of the functionality of this language as an interpreter capable of running script files with a similar syntax.
At the same time as the Win32 platform was implemented, the first script viruses also appeared: malware inside a simple text file. These demonstrated that not only executable files (.EXE and .COM files) could carry viruses. As already seen with BAT viruses, there are also other means of propagation, proving the saying "anything that can be executed directly or through an interpreter can contain malware." To be specific, the first viruses that infected the macros included in Microsoft Office emerged. As a result, Word, Excel, Access and PowerPoint became ways of spreading "lethal weapons", which destroyed information when the user simply opened a document.
Melissa and self-executing worms
The powerful script interpreters in Microsoft Office allowed virus authors to arm their creations with the characteristics of worms. A clear example is Melissa, a Word macro virus with the characteristics of a worm that infects Word 97 and 2000 documents. This worm automatically sends itself out as an attachment to an e-mail message to the first 50 contacts in the Outlook address book on the affected computer. This technique, which has unfortunately become very popular nowadays, was first used in this virus which, in 1999, caused one of the largest epidemics in computer history in just a few days. In fact, companies like Microsoft, Intel or Lucent Technologies had to block their connections to the Internet due to the actions of Melissa.
The technique started by Melissa was developed in 1999 by viruses like VBS/Freelink, which unlike its predecessor sent itself out to all the contacts in the address book on the infected PC. This started a new wave of worms capable of sending themselves out to all the contacts in the Outlook address book on the infected computer. Of these, the worm that most stands out from the rest is VBS/LoveLetter, more commonly known as "I love You", which emerged in May 2000 and caused an epidemic that caused damage estimated at 10,000 million euros. In order to get the user's attention and help it to spread, this worm sent itself out in an e-mail message with the subject "ILOVEYOU" and an attached file called "LOVE-LETTER-FOR-YOU.TXT.VBS". When the user opened this attachment, the computer was infected.
As well as Melissa, in 1999 another type of virus emerged that also marked a milestone in virus history. In November of that year, VBS/BubbleBoy appeared, a new type of Internet worm written in VBScript. VBS/BubbleBoy ran automatically without the user needing to click on an attached file, as it exploited a vulnerability in Internet Explorer 5 to run when the message was opened or viewed. This worm was followed in 2000 by JS/Kak.Worm, which spread by hiding behind JavaScript in the auto-signature in Microsoft Outlook Express, allowing it to infect computers without the user needing to run an attached file. These were the first samples of a series of worms, which were joined later on by worms capable of attacking computers while the user is browsing the Internet.
Source: http://www.pandasoftware.com

Malware evolution: June Roundup -- Posted by Igor_Donchenko on Monday, July 12 2004
June was characterised by cyber espionage and cyber theft in a variety of guises. Malicious code designed to steal passwords and grab keys to popular computer games has been evolving for some time, and this trend strengthened in June. Trojan.PSW.LdPinch, one such program, showed increased activity in June; a large number of new versions appeared, with several of them using spam mailings to propagate.
Overall, the number of malicious programs designed to steal confidential data is growing. More and more programs which steal credit card and e-payment system details are appearing. On 22nd June, the first version of TrojanSpy.Win32.Qukart was detected. This Trojan intercepts VISA and Mastercard credit card details and the corresponding PIN codes, and then sends them to the author of the program. Several modifications of the Trojan appeared within a few days of the first version making its appearance.
The evolution of malware designed to steal passwords and financial information has led to new approaches being taken to download and execute malicious code on victim machines. Virus writers are still actively using classic methods, but also exploiting the new opportunities offered, generally by vulnerabilities in operating systems. The vulnerability discovered in Windows LSASS is a prime example. Once the vulnerability was identified in mid-April, virus writers rapidly took advantage of it. The result - programs like Worm.Win32.Padobot and Backdoor.Rbot - new versions of old malware, rewritten with the capability to propagate via this vulnerability.
Among such programs, the most outstanding was I-Worm.Plexus, the first new virus to appear last month. Plexus was created using the source code of I-Worm.Mydoom as a starting point. However, the two worms are almost completely different; whereas Mydoom propagated via email and the Kazaa file-sharing network, Plexus exploits the majority of propagation methods currently available: email, local and file-sharing networks, and the LSASS and DCOM RPC vulnerabilities.
Plexus spreads as a Trojan downloader program with two main components. The first component controls propagation, while the second may be any piece of malware (or even a harmless program). Plexus.a contained a backdoor program from the Backdoor.Dumador family, whereas Plexus.b harbored Win32.Webber, a Trojan Proxy program. The worms appeared in quick succession at the beginning of June.
Plexus is currently the only network worm which utilizes such a wide range of propagation methods. However, it seems highly likely that this will not be the case for long. This month has shown that virus writers are quick to learn from each other, and we can expect to see programs with similar characteristics appearing in the not-too-distant future.
As the saying goes, there's nothing new under the sun - although new vulnerabilities offer new opportunities, virus writers continue to exploit the tried and trusted methods. And this continues to bring results: regardless of intrinsic software or system security, the user will always be the weakest link in a chain. And this brings us to the second hit of the month: I-Worm.Zafi.b used social engineering techniques with great success, enabling it to spread widely and rapidly.
I-Worm.Zafi.b took up where its predecessor, Zafi.a, left off. Although it propagated in a standard manner, as an attachment to infected emails, it managed to cause a significant outbreak. The authors of Zafi.b achieved this by taking a tip from the authors of I-Worm.Netsky.y. Before sending an infected message, Zafi.b attempts to determine the language used by the recipient. In order to do this, it extracts the mail server domain name from the email address; in the majority of cases, the domain name gives a hint to the mail box owner's nationality. The worm then chooses a message written in the appropriate language from a list coded into its body. Such an approach increases the likelihood of the recipient being able to read the message, and, consequently, opening the infected file attached to the message. However, this trick was not foolproof - for example, the Russian message was full of mistakes, which made users in the .ru domain far less likely to open the attachment.
The most original new virus this month was Worm.SymbOS.Cabir.a - a malicious program coded for mobile phones which propagates via Bluetooth. This proof-of-concept virus seems to indicate that virus writers are testing their strength, sniffing out new areas of potential interest. So can we say that a new battlefield has been opened up? So far, no: Cabir was more like a border skirmish. It seems unlikely that such malicious code will evolve rapidly or cause epidemics in the near future, as the technology it uses to propagate is still in relatively limited use.
To sum up, the events of June lead to the following conclusions:
- Malicious code designed to steal confidential information is likely to continue evolving rapidly
- New vulnerabilities will probably be detected, rapidly followed by viruses coded to exploit these vulnerabilities
- Virus writers will continue to use current methods for creating, downloading and executing malicious code, both in the creation of new viruses and the modification of ones which are already in circulation
- Given that new viruses are often followed by a number of modifications, new versions of I-Worm.Plexus, or worms with similar characteristics, may well appear
Pavel Zelensky, Virus analyst
Source: http://www.viruslist.com

Virus Top Twenty for June 2004 from Kaspersky Labs -- Posted by Igor_Donchenko on Tuesday, July 6 2004
| Ranking | Change | Virus Name | Percentage |
|---|---|---|---|
| 1 | new | I-Worm.Zafi.b | 33.97% |
| 2 | -1 | I-Worm.Netsky.aa | 18.44% |
| 3 | -1 | I-Worm.Netsky.b | 16.76% |
| 4 | -1 | I-Worm.Netsky.q | 5.38% |
| 5 | no change | I-Worm.Bagle.z | 5.04% |
| 6 | no change | I-Worm.NetSky.d | 2.78% |
| 7 | -3 | I-Worm.NetSky.y | 2.38% |
| 8 | -1 | I-Worm.LovGate.w | 1.89% |
| 9 | -1 | I-Worm.NetSky.t | 1.57% |
| 10 | no change | I-Worm.Mydoom.e | 0.66% |
| 11 | +3 | I-Worm.NetSky.r | 0.64% |
| 12 | -3 | I-Worm.Swen | 0.64% |
| 13 | no change | I-Worm.NetSky.c | 0.56% |
| 14 | -3 | I-Worm.Mydoom.g | 0.53% |
| 15 | -3 | I-Worm.NetSky.o | 0.51% |
| 16 | -1 | I-Worm.Bagle.y | 0.50% |
| 17 | +1 | EXPLOIT.HTML.ObjData | 0.43% |
| 18 | -2 | I-Worm.Sober.g | 0.42% |
| 19 | re-entry | I-Worm.Netsky.z | 0.33% |
| 20 | re-entry | I-Worm.NetSky.m | 0.25% |
| Other malicious programs (not in the Top 20) | | | 6.31% |
June 2004 has probably turned out to be the quietest month this year so far. It's hard to tell why: maybe virus writers have been lying low due to arrests of coders worldwide, or maybe antivirus vendors have succeeded in clearing up the aftermath of previous outbreaks. In any case, we only have one new entrant in the top twenty this month.
Zafi.b
I-Worm.Zafi.b was written in Hungary and spread rapidly throughout Europe leaving the NetSky family in the dust. The most likely explanation for Zafi's success lies in the clever social engineering techniques the senders used. The worm arrived in emails written in 18 different languages - depending on the IP address of the recipients. The actual texts were not very original - the usual fake warning from email providers or offers to view interesting photos.
The past two months have seen a successful crackdown on cyber crime - almost 10 coders were arrested in different countries. With any luck, we should see the arrest of Zafi's author sometime soon.
The rest of the June top twenty is almost identical to May's hit parade. Some email worms lost or gained a few points, but many remained in the exact same place (a detailed analysis is available in earlier Top 20 lists). It is worth noting that Exploit.HTML.ObjData has gained strength, whereas Klez.h, a classic network worm, has finally disappeared from the list after a record-breaking two-year stint.
However, the calm before the storm was disturbed by a slew of backdoor-worms - Internet worms with spy features. The LSASS vulnerability that Sasser underscored served as a catalyst for this trend. Hundreds of malicious programs are now exploiting this vulnerability, shifting the paradigm of virus propagation from email to the Internet via attacks on open ports.
Other malware continued to make up a significant proportion of overall virus traffic in the Internet this month with almost 300 different viruses detected.
Source: http://www.kaspersky.com

Top Ten viruses most frequently detected by Panda ActiveScan in June -- Posted by Igor_Donchenko on Thursday, July 1 2004
According to data gathered by Panda Software’s free, online scanner, the Trojan Downloader.GK caused the most incidents in users’ computers worldwide in June 2004. The impact of this Trojan has allowed it to take the top spot in the Top Ten ranking of the viruses most frequently detected by Panda ActiveScan, replacing Netsky.P, which held this position in April and May.
Last month, Downloader.GK caused 12.75 percent of incidents, followed by Briss.A at 11.87 percent. Behind these come Netsky.P (8.34 percent), Sasser.ftp (7.29 percent) and Gaobot.gen (4.74 percent). The bottom half of the ranking includes Qhost.gen, Netsky.D, Downloader.HC, Revop.F and StartPage.FH.
The following can be highlighted from the data collected by the free, online scanner, Panda ActiveScan last month:
- Leadership and prevalence of Downloader.GK.
After taking first place in the two previous rankings, Netsky.P has dropped to third place, while Downloader.GK came in first.
Downloader.GK is a Trojan that cannot spread alone, as it must be downloaded to computers when the user visits certain web pages and agrees to install a specific ActiveX control. Its position in this ranking demonstrates that it has been included in a large number of web pages, even a long time after it emerged (at the beginning of June).
- Significant increase in Trojans.
In June, six of the ten malicious codes most frequently detected by Panda ActiveScan were Trojans. In May, only three Trojans made the ranking, and only one in prior months. This increase shows the intense activity of cyber criminals with the objective of getting some kind of financial benefit from their creations, as the actions they can carry out include stealing confidential details that can be used for fraudulent purposes.
| Ranking | Virus Name | Percentage |
|---|---|---|
| 1 | Trj/Downloader.GK | 12.75% |
| 2 | Trj/Briss.A | 11.87% |
| 3 | W32/Netsky.P | 8.34% |
| 4 | W32/Sasser.ftp | 7.29% |
| 5 | W32/Gaobot.gen | 4.74% |
| 6 | Trj/Qhost.gen | 4.68% |
| 7 | W32/Netsky.D | 3.5% |
| 8 | Trj/Downloader.HC | 3.42% |
| 9 | Trj/Revop.F | 3.23% |
| 10 | Trj/StartPage.FH | 2.97% |
Source: http://www.pandasoftware.com