Antivirus World
 
 News archive about antivirus software, virus threats, trojans 

July 2005

Chronicle of malware detected during the first half of 2005 -- Posted by Igor_Donchenko on Wednesday, July 13 2005
There were no significant epidemics during the first six months of 2005; however, and although this may seem contradictory, there was an extraordinary amount of activity from all types of malicious code. It appears that the latest trend followed by malware creators consists of infesting cyberspace with as many different codes as possible, rather than attempting to cause massive propagation by just one.

But among the new types of malware that appeared during this period, there are some that stand out, not for their degree of propagation, but more as anecdotes. So, based on certain more or less intriguing characteristics, Panda Software has drawn up the following ranking for the malware that emerged during the first half of 2005:

- The rudest. This "honor" unquestionably goes to Cisum.A. This worm, not satisfied with disabling the anti-malware protection on every PC it infects, leaves the user the message: You're an idiot. This appears not only in a small window that opens on the screen, but also blasts from the PC speakers every 5 seconds.

- The most callous. The Zar.A worm fully deserves this "accolade", as it used the subject of donations to victims of the Asian Tsunami in order to trick users into opening the file containing the malicious code.

- The "sexiest". In its own way, the Bropia.E worm, which propagates through instant messaging services, may be considered the sexiest malware to date in 2005. The truth is, that is the only term we can think of for the image in its attachment: a chicken with bikini marks on its body, bronzed, we imagine, by the sun... or by the oven it has just come from.

- The most dangerous. In this case, the choice was quite easy: Whiter.F, a "friendly" little malicious code that deletes the content of the entire hard disk. A curious aspect of this malware is that before deleting, it replaces all the user's files with files that contain the following text: You did a piracy, you deserve it.

- The avenging worms. Two malicious codes are neck and neck for this prize: on the one hand, the already renowned Whiter.F and, on the other, the Nopir.A worm. The latter deletes all the files it finds on the computer with COM and MP3 extensions, in addition to reproducing through P2P file-sharing networks. When it attacks a system, it shows an image condemning computer piracy. In any event, don't be taken in: the bit about piracy is just a vulgar excuse to put dangerous malware into circulation.

- The most persistent. Over 4200 variants launched to date this year leave no room for doubt: the creators of the Gaobot worms are definitely the most persistent we have seen up to now. The author(s)' intention in launching one variation after another to see if any of them causes an epidemic, always failing, may seem funny, but nothing is farther from the truth. The goal of the Gaobot creators is to put the maximum number of variations into circulation, so that the likelihood of users coming into contact with one of them is as great as possible.

- The most "socially-minded". "Socially-minded" must go between quotes, as the Gaobot.IUF and Prex.AM worms are most certainly not intended to help the needy, or anything of the sort. Their "social-mindedness" is limited exclusively to themselves, as what they do is share the work when carrying out malicious actions on the PCs where they install themselves. While Gaobot creates a backdoor on the computer that allows hacker attacks, Prex.AM takes charge of sending false messages by instant messenger so that other users download the file that contains both malicious codes.

- The most enticing. This award goes to the V variation of the extensive Sober family of worms. The lure of free tickets for the Soccer World Cup to be held in Germany in 2006 allowed it to reach a significant level of propagation. Fortunately, by now users are savvier and the creator was unsuccessful in his/her objective of causing a new epidemic.

- The extortionists. It appears that asking for money in exchange for release from the actions of malicious code is now coming into vogue as a new form of online fraud. The highlights of this section are the PGPCoder Trojans, which encrypt files on the hard disk and demand money, or the purchase of certain applications, before the files can be decrypted. This is somewhat similar to what other malware, such as SpywareNo, does: that one also requires the purchase of a particular anti-spyware product in order to get rid of it.

- The most versatile. Eyeveg.D is one of those impossible-to-classify types of malware. It has characteristics of both Trojans and backdoors, all for the purpose of stealing confidential data from the PCs it affects and allowing remote attacks. For even greater effectiveness, it can reproduce through e-mail. What a pity that all that genius is wasted on malicious activities!

- The bank robbers. More than banks, what this malware attempts to do is to empty out users' bank accounts. The multiple variations of the Bancos family of Trojans all have the same ultimate goal: to get users' data in order to perpetrate all types of financial fraud.

Source: http://www.pandasoftware.com

Are you sure you don't have spyware installed on your computer? -- Posted by Igor_Donchenko on Wednesday, July 13 2005
Spyware has become one of the most widespread threats affecting computers connected to the Internet. According to a study carried out by Webroot and Earthlink, 90 percent of computers are infected by spyware.

This is mainly due to the means of propagation chosen by creators of this type of malware, as spyware can reach computers in the most unexpected ways. The most frequent types of propagation for spyware are:

  • Other malware, like Trojans, which download it from the Internet and install it on systems.
  • Installation of ActiveX controls from unsafe or unreliable sources.
  • Visits to web pages that contain code designed to exploit a vulnerability in the targeted user's computer.
  • Installation of freeware or shareware programs.
With the exception of the first one, the means of propagation used by spyware depend greatly on users' knowledge or expertise when it comes to avoiding visits to "underground" web pages or allowing unreliable software to be installed on their computers. Yet there is another important factor, especially in corporate environments: on many occasions, web pages that contain and install all sorts of spyware carry attractive content which lures users into visiting them. This prevents the security policies established by companies from being totally effective. As a result, the solution to spyware consists in using technologies that can stop spyware from entering systems, blocking and eliminating it.

Symptoms of spyware infection

The general belief is that the only effect of spyware is theft of data about users' web browsing habits for use in advertising. However, the scenario changes radically if you consider the fact that a great number of the calls received by internal tech support about system malfunctions stem from the presence of spyware on computers. It must be taken into account that spyware programs are real applications, and as such they use up system resources and can cause incompatibilities with the software installed on computers. The most common symptoms of the presence of spyware on a system include:
  • Unusual slowness of the system.
  • System instability.
  • Slow Internet connection.
  • Reception of an unusual amount of spam or junk mail.
According to Luis Corrons, head of PandaLabs, "Contrary to what you might think, spyware is a type of malware that has been around for some years now; in fact, it appeared practically at the same time as the Internet. Having said this, it hasn't been until recently that spyware has started to proliferate to such a worrying extent. This is due to the fact that information about the browsing habits of millions of users has become a goldmine for creators of this type of malware." He adds: "Additionally, one of the objectives of spyware creators is to infect as many computers as possible without 'making much noise', unlike, for example, worms, which spread massively via email. In this way, they aim at preventing users from taking the necessary measures to stop spyware from entering their computers or removing it from their systems, thus ensuring their creations stay in affected computers for a long time."

Source: http://www.pandasoftware.com

Two new worms work together to spread across the Internet -- Posted by Igor_Donchenko on Monday, July 11 2005
PandaLabs has reported the appearance of two new worms, Gaobot.IUF and Prex.AM, with a previously unseen feature: they spread together in a single file with RAR format (even though this is a self-extracting file and users actually see a file with an .EXE extension). This file could initially have been sent manually to a certain number of users, as these malicious codes' true means of propagation is through the MSN Messenger instant messaging system.

When the user runs the infected file, it decompresses automatically, generating two files that contain the worms. From then on, the malicious codes "share" the actions they carry out. Gaobot.IUF creates a backdoor on the affected computer and connects to an IRC server, waiting to receive commands from a remote attacker. The attacker can perform numerous actions on targeted computers, including obtaining information about computer hardware, stealing registration codes for some computer games, or upgrading the worm itself. Gaobot.IUF can also spread across shared network resources protected with weak passwords.

Prex.AM sends out messages through MSN Messenger with the text: hmm like my friend said dont look ahaha, SICK pictures, and a link to an Internet address. If the user clicks on the link, a RAR file containing both malicious codes downloads onto the computer.

Users of Panda Software's proactive TruPreventTM Technologies have been protected against these two worms from the outset, since they have been able to detect and block them without having prior knowledge of them, unlike other antimalware solutions that cannot protect users until their virus signature files have been updated.

"The way these two worms spread is rather atypical and, although rudimentary, it succeeds in increasing the ways in which these two malware specimens propagate. Creators of computer threats are trying hard to find new ways of distribution more effective than the current ones. So far this year they seem to be focusing on instant messaging systems", explains Luis Corrons, head of PandaLabs.

Source: http://www.pandasoftware.com

Virus Top Twenty for May 2005 from Kaspersky Labs -- Posted by Igor_Donchenko on Friday, July 1 2005

Position  Change  Name                          Percentage
1.        0       Net-Worm.Win32.Mytob.c        24.28
2.        0       Email-Worm.Win32.NetSky.q     15.54
3.        0       Email-Worm.Win32.NetSky.aa     5.27
4.        0       Email-Worm.Win32.NetSky.b      4.00
5.        +1      Email-Worm.Win32.Zafi.b        3.71
6.        -1      Email-Worm.Win32.LovGate.w     3.30
7.        New!    Email-Worm.Win32.Sober.p       3.21
8.        +1      Net-Worm.Win32.Mytob.u         3.17
9.        -1      Email-Worm.Win32.Zafi.d        3.05
10.       -3      Net-Worm.Win32.Mytob.q         2.91
11.       0       Email-Worm.Win32.Mydoom.l      1.89
12.       +6      Net-Worm.Win32.Mytob.h         1.83
13.       +4      Net-Worm.Win32.Mytob.t         1.78
14.       New!    Worm.Win32.Eyeveg.f            1.63
15.       -5      Email-Worm.Win32.NetSky.d      1.61
16.       New!    Net-Worm.Win32.Mytob.au        1.52
17.       -5      Email-Worm.Win32.Mydoom.m      1.48
18.       New!    Net-Worm.Win32.Mytob.ar        1.46
19.       -4      Email-Worm.Win32.NetSky.t      1.38
20.       -7      Email-Worm.Win32.NetSky.x      1.19
                  Other malicious programs      15.79
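The ratings above are only readable once you split the detection names into their parts: Kaspersky names follow the pattern Behaviour.Platform.Family.variant (Net-Worm.Win32.Mytob.c is the "c" variant of the Mytob family, a Win32 network worm). The following is an added example, not code from the original page or from Kaspersky Labs; the table data is transcribed from the list above and the name pattern is an assumption about the scheme, not an official parser. It aggregates the month's share per family and per behaviour class, lists the new entrants, and checks that the twenty entries plus "Other malicious programs" account for the whole 100%.

```python
import re
from collections import defaultdict

# Constructed from the May 2005 Top Twenty above: (position, change, name, percent).
TOP_TWENTY = [
    (1, "0", "Net-Worm.Win32.Mytob.c", 24.28),
    (2, "0", "Email-Worm.Win32.NetSky.q", 15.54),
    (3, "0", "Email-Worm.Win32.NetSky.aa", 5.27),
    (4, "0", "Email-Worm.Win32.NetSky.b", 4.00),
    (5, "+1", "Email-Worm.Win32.Zafi.b", 3.71),
    (6, "-1", "Email-Worm.Win32.LovGate.w", 3.30),
    (7, "New!", "Email-Worm.Win32.Sober.p", 3.21),
    (8, "+1", "Net-Worm.Win32.Mytob.u", 3.17),
    (9, "-1", "Email-Worm.Win32.Zafi.d", 3.05),
    (10, "-3", "Net-Worm.Win32.Mytob.q", 2.91),
    (11, "0", "Email-Worm.Win32.Mydoom.l", 1.89),
    (12, "+6", "Net-Worm.Win32.Mytob.h", 1.83),
    (13, "+4", "Net-Worm.Win32.Mytob.t", 1.78),
    (14, "New!", "Worm.Win32.Eyeveg.f", 1.63),
    (15, "-5", "Email-Worm.Win32.NetSky.d", 1.61),
    (16, "New!", "Net-Worm.Win32.Mytob.au", 1.52),
    (17, "-5", "Email-Worm.Win32.Mydoom.m", 1.48),
    (18, "New!", "Net-Worm.Win32.Mytob.ar", 1.46),
    (19, "-4", "Email-Worm.Win32.NetSky.t", 1.38),
    (20, "-7", "Email-Worm.Win32.NetSky.x", 1.19),
]
OTHER_MALICIOUS_PROGRAMS = 15.79  # the catch-all row at the bottom of the table

# Assumed shape of a Kaspersky detection name: Behaviour.Platform.Family.variant.
# The behaviour may contain a hyphen (Net-Worm, Email-Worm); the variant is lowercase letters.
NAME_RE = re.compile(
    r"^(?P<behaviour>[A-Za-z-]+)\.(?P<platform>[A-Za-z0-9]+)\."
    r"(?P<family>[A-Za-z0-9]+)\.(?P<variant>[a-z]+)$"
)


def parse_name(name):
    """Split a detection name into its four components; reject anything else."""
    match = NAME_RE.match(name)
    if match is None:
        raise ValueError(f"not a Behaviour.Platform.Family.variant name: {name!r}")
    return match.groupdict()


def _aggregate(entries, component):
    """Sum the percentage of every entry by one name component (family, behaviour, ...)."""
    shares = defaultdict(float)
    for _, _, name, percent in entries:
        shares[parse_name(name)[component]] += percent
    # Round once at the end so the float sums compare cleanly with the table's 2-decimal values.
    return {key: round(value, 2) for key, value in shares.items()}


def family_shares(entries):
    """Percentage of intercepted mail traffic per malware family."""
    return _aggregate(entries, "family")


def behaviour_shares(entries):
    """Percentage per behaviour class (Net-Worm, Email-Worm, Worm)."""
    return _aggregate(entries, "behaviour")


def family_counts(entries):
    """How many distinct variants of each family made the ratings."""
    counts = defaultdict(int)
    for _, _, name, _ in entries:
        counts[parse_name(name)["family"]] += 1
    return dict(counts)


def new_entrants(entries):
    """Names flagged 'New!' in the change column, in ranking order."""
    return [name for _, change, name, _ in entries if change == "New!"]


def total_share(entries, other):
    """Sanity check: the ranked entries plus the catch-all row should cover 100%."""
    return round(sum(percent for _, _, _, percent in entries) + other, 2)


if __name__ == "__main__":
    print("families :", family_counts(TOP_TWENTY))
    print("share    :", family_shares(TOP_TWENTY))
    print("behaviour:", behaviour_shares(TOP_TWENTY))
    print("new      :", new_entrants(TOP_TWENTY))
    print("total    :", total_share(TOP_TWENTY, OTHER_MALICIOUS_PROGRAMS))
```

Running it confirms the text's arithmetic: seven Mytob variants (36.95% between them), six NetSky variants, four new entrants, and a total of exactly 100.00% once the "Other" row is added. The same parser works on any month's list, so the per-family view can be diffed from month to month instead of comparing twenty individual variants by eye.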

After a large number of new malicious programs from the Mytob family appeared in the April Top Twenty, May has been relatively quiet. The six top worms have retained their places, with only LovGate and Zafi changing places with each other. Mytob.c continues to head the ratings, followed by three old friends from the NetSky family.

Far more interesting is what happened outside this leading group. Mytob seriously shook up the Top Twenty in April, with six different variants, and it seemed unlikely that any new virus would give Mytob a run for its money. Nevertheless, there are some new entrants to this month's ratings.

Seventh place this month is occupied by a new version of the German worm, Sober.p. It was detected on 2nd May, and in the course of a week gained a significant foothold in the European segment of the Internet. This broke ground for the following version, Sober.q, which was detected on 14th May. Sober.q didn't make it into the Top Twenty for the simple reason that it's not really a worm, but more of a robot which spammed far-right political propaganda.

In spite of the competition, or perhaps because of it, the authors of Mytob decided not to rest on their laurels, seemingly setting themselves the target of filling the entire Top Twenty with their creations. In April there were six Mytobs in our ratings, and another two joined them in May: Mytob.ar and Mytob.au. However, as Mytob.r only made it into 21st place, the versions in our rankings now total 7. New Mytobs are being detected with frightening regularity, once every three days, so it seems certain that this family will continue to figure in our monthly reviews.

The fourth, and final new entrant was Eyeveg.f. Although Eyeveg.a, the first version in this family, was detected in September 2003, the Top Twenty has never included a worm from this family before, so it's worth taking a closer look at it.

Eyeveg.f, currently in 14th place, differs from traditional email worms in that it contains a Browser Helper Object, which when installed works within the Internet Explorer process. In the case of Eyeveg, this functions as a keylogger, tracking exactly which keys are pressed on the keyboard of the victim machine and then sending this information to a remote malicious user. Two other versions of Eyeveg were detected in May, but were relatively unsuccessful: Eyeveg.g took 23rd place, and Eyeveg.h didn't even figure in the 50 most widespread malicious programs this month.

The rest of the Top Twenty continues to exhibit its own Brownian motion, with various NetSkys and Mydooms floating up and down in a backdrop to other virus activity. And the background is one composed of tens of thousands of infected machines - a background where antivirus solutions are never used, and the operating systems are never updated.

Other malicious programs made up a significant percentage of all those intercepted in mail traffic, 15.79%. This shows that a large number of worms and Trojans from other families are still circulating throughout the Internet.

Source: http://www.viruslist.com



© AntivirusWorld.com