News archive about antivirus software, virus threats, trojans
August 2005
Panda Software reports on the new Zotob.A that exploits the vulnerability in Plug and Play -- Posted by Igor_Donchenko on Monday, August 15 2005
PandaLabs reports a new worm, Zotob.A, which exploits the Plug and Play (PnP) vulnerability that allows remote code execution and elevation of privilege on affected computers. It is the first worm to exploit this flaw, appearing only five days after Microsoft published bulletin MS05-039, which describes the problem and the updates users are advised to apply.
Zotob.A scans IP addresses on TCP port 445 looking for vulnerable systems. When it finds one, it exploits the flaw and instructs the victim to fetch a copy of the worm. Zotob.A also contains an IRC client with which it connects to a particular IRC server; through this channel it receives commands, letting the attacker administer the infected computer remotely.
Zotob.A creates the mutex "B-O-T-Z-O-R" so that two copies of itself are not run at the same time. It also modifies the HOSTS file to block access to certain web pages.
Panda Software recommends that users install the patch Microsoft released a few days ago, which is linked from bulletin MS05-039.
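Zotob.A's propagation leaves a distinctive network trace: one internal host opening connections to many different addresses on TCP 445 within a short time. The following Python is an added example, not code from Panda Software or the original article, showing a fan-out check of that kind over firewall-style log lines. The log format, the addresses and the thresholds are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample, not a real capture: 10.0.0.7 sweeps twelve addresses
    on TCP 445 within twelve seconds (worm-like fan-out), while 10.0.0.9 talks
    repeatedly to a single file server on 445 (ordinary SMB use)."""
    lines = [f"2005-08-15T10:00:{i:02d} 10.0.0.7 10.0.1.{i + 1} 445 DENY"
             for i in range(12)]
    lines += [f"2005-08-15T10:01:{i:02d} 10.0.0.9 10.0.2.5 445 ALLOW"
              for i in range(5)]
    lines.append("2005-08-15T10:01:30 10.0.0.7 10.0.2.5 80 ALLOW")
    return "\n".join(lines)


SAMPLE_LOG = constructed_log()


def parse_line(line):
    """Assumed log format: '<ISO timestamp> <src> <dst> <dport> <action>'."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_scanners(log_text, port=445, threshold=10, window=timedelta(seconds=60)):
    """Return {src: max_distinct_dsts} for every source that contacted at least
    `threshold` distinct destinations on `port` inside some sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window's left edge until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible port-445 sweep from {src}: {n} distinct targets within 60s")
```

On a real network the threshold and window need tuning: domain controllers, backup servers and vulnerability scanners legitimately fan out on 445, so whitelist them rather than lowering the threshold. A freshly infected Zotob host typically shows as a run of DENY or RST results, because most of the addresses it probes are unused or not Windows.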
Source: http://www.pandasoftware.com
Panda Software reports one of the most complex organized attacks ever -- Posted by Igor_Donchenko on Monday, August 15 2005
PandaLabs has reported a sophisticated 'chain' attack, perpetrated through the SpamNet.A Trojan and discovered on a web page hosted on a server in the USA, with a domain registered from an address in Moscow. The attack is highly complex, using a tree structure to infect computers with up to 19 different pieces of malware. Its principal goal is to send out junk mail, and through this structure it has so far harvested more than 3 million email addresses worldwide. Panda Software has contacted the companies that host the files and web pages at the core of this organized attack.
The infection chain begins when a user visits the web page mentioned above. The page uses an IFRAME tag to open two further pages, which starts two parallel processes, one per page:
- When the first page opens, it in turn opens six other pages, which redirect the user to several pages with pornographic content, and a seventh page, which starts the principal attack. This page tries two possible vulnerabilities, Ani/anr and Htmredir; if either succeeds, it installs and executes one of two identical files, Web.exe or Win32.exe, on the computer.
When run, these files create seven files on the computer, one of which is a copy of itself. The other six are as follows:
a. The first two are binarily identical copies of Downloader.DQY. Each creates a file called svchost.exe, which is really Downloader.DQW. This registers itself as a system service and every ten minutes tries to download and run files from four web addresses, two of which were unavailable at time of writing; the other two served:
i. the Multidropper.ARW Trojan
ii. the Sapilayr.A Trojan
b. The third of the six files is Adware/SpySheriff
c. The fourth is the Downloader.DYB Trojan, which tries to determine where the computer is located. If it is in the UK, it downloads and runs Dialer.CHG; otherwise it downloads Dialer.CBZ. Dialers of this kind redirect users' dial-up connections to premium-rate numbers.
d. The fifth, Downloader.CRY, creates two files. The first of these, svchost.exe, is created in c:\windows\system. The second has been identified as Lowzones.FO.
e. The sixth, Downloader.EBY, creates, in turn, another six files:
i. The first is the Downloader.DLH Trojan, which uses another application to harvest email addresses and send them to a remote address via FTP. At time of writing it had collected 3 million addresses.
ii. The second, the Agent.EY Trojan, installs itself on the system and runs on every startup, visiting a web page which could be used to compile the IPs of the computers affected, thus providing statistical information about the infections.
iii. The third, Clicker.HA, waits ten minutes after executing and then opens a pornographic web page every 40 seconds.
iv. The fourth is Dialer.CBZ
v. The fifth is Adware/Adsmart
vi. The sixth, the Downloader.DSV Trojan, downloads the backdoor Trojan Galapoper.C from a fixed address. Galapoper.C carries out the main purpose of the attack: sending spam. It checks for an open Internet connection and, if there is one, visits three web pages specified in its code and downloads a file chosen according to the infected computer. This allows personalised attacks, and the file can also carry further instructions or updates for the backdoor.
Galapoper.C runs a main thread and two secondary threads. The main thread periodically checks whether content is available on the three pages above; the secondary threads send spam from the infected computer and fetch the material for the messages (recipient addresses, subject, message text) from the server, every 10 minutes or every 70,000 messages sent.
- The second of the pages redirects the user to another page, which tries to use the ByteVerify vulnerability to execute a file hosted at a URL. It also invokes a further page via an HTML tag; that page was not available at time of writing.
It also opens another page, whose code is obfuscated with a JavaScript function, which uses the ADODB.Stream object to overwrite Windows Media Player with a file fetched from another page. The complexity of this attack is virtually unprecedented.
As Luis Corrons, director of PandaLabs, explains, "This attack is far more elaborate than usual. Users of TruPrevent™ Technologies have been protected from the outset, but this is one of the most complex organized attacks that we have ever witnessed at PandaLabs. The fact that more than 3 million addresses have been compiled to send spam to is an indication of the success the creator of this attack is enjoying. As is frequently the case with attacks nowadays, financial gain is the primary motive, over and above notoriety, and spam is one of the chief sources of income for malware creators." By way of advice, Corrons points out, "In addition to having an antivirus solution, users need to ensure their systems are updated, as the success of SpamNet.A depends largely on vulnerability exploits."
Source: http://www.pandasoftware.com
Sophos identifies the most prevalent spam categories of 2005 -- Posted by Igor_Donchenko on Friday, August 5 2005
While emails peddling snake-oil meds and low-interest loans continue to irk computer users and clog corporate networks, dangerous new categories of spam are becoming more prevalent according to Sophos, a global leader in network security, which today published the results of its research on the most prominent spam categories during the first six months of the year.
Researchers from SophosLabs analyzed the spam received in its global network of spam traps. Sophos experts found that "pump-and-dump" stock scams are on the rise, and that unsolicited pill or medication email, including generic or non-brand-name versions of Viagra and other pharmaceuticals, accounted for more than 40% of all spam traffic.
The top five spam categories spanning January 2005 through June 2005 are as follows:
| Position | Spam category | Percentage of reports |
|---|---|---|
| 1 | Medication/pills | 41.4% |
| 2 | Mortgage | 11.1% |
| 3 | Adult content | 9.5% |
| 4 | Stock scams | 8.5% |
| 5 | Product | 8.3% |
| | Others | 21.2% |
"Over the last six months, we've seen medication and mortgage spam retain their notorious ranking atop the spam charts, while unsolicited pornography, though still accounting for about 10% of all spam, is slipping downward," said Gregg Mastoras, senior security analyst at Lynnfield-based Sophos. "The most interesting development, however, is the increased volume of stock scam spam, representing a new financial threat to somewhat naïve online investors."
Sophos's analysis shows that, during the first half of 2005, the volume of stock scam spam has increased at an average rate of 10% per month.
"The purpose behind the pump-and-dump stock racket is to quickly and cheaply disperse false information about a company's stock, along with information obtained from recent press releases, to potential investors via email," Mastoras explained. "Typically targeting microcap companies stock, once these fraudsters dump their shares, and then stop advertising the stock, the price often falls, and investors ultimately lose their cash."
Pump-and-dump campaigns tend to run for short durations, keeping overall volume low. Even though some of the information provided is accurate, the deceptive and unsolicited nature of the messages qualifies them as spam. The majority of stock scam spam campaigns employ obfuscation techniques, using word variations such as "st0ck" or "stox" to avoid being caught by spam filters. Messages can arrive in many different formats, such as HTML or plain text, and are almost always sent via hijacked PCs known as zombies.
"Social engineering through email, where scam artists take advantage of unsophisticated computer users, is on the rise and represents a dangerous trend," said Brian Burke, IDC Research Manager. "Stock scams, combined with traditional phishing techniques, can result in significant financial loss for victims of these swindles."
Sophos recommends that the most effective way for businesses to reduce spam and other threats is to adopt a multi-layered defense as well as implement a best practice policy regarding email account usage. Users can also learn how to best minimize the influx of unwanted email by following a few simple guidelines.
Source: http://www.sophos.com
Sick Trojan spam attack poses as news about American marine deaths in Iraq -- Posted by Igor_Donchenko on Friday, August 5 2005
Experts at SophosLabs, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread spam campaign that poses as a breaking news report about the death of American marines in Iraq, but is really an attempt to lure innocent computer users into being infected by a Trojan horse and attacked by hackers.
Subject lines used in the malicious emails include, but are not limited to, the following:
140 died
140 US marines kiiIled
14 US Marines Killed in Iraq Bombbing
Iraq Bommbing
140 lives was taken
Bomging takkes 140 lives
Deadly strike - 140 US marines kiilled
death in Irraq
Sophos experts believe that the people behind the email attack are using software to deliberately obfuscate and misspell the subject lines in an attempt to avoid rudimentary anti-spam filters.
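Both the "st0ck"/"stox" variations in the pump-and-dump report above and the deliberately misspelled subject lines here ("kiiIled", "Bombbing", "Irraq") defeat a filter that matches exact keywords. The Python below is an added example, not code from Sophos or the original articles, of the usual countermeasure: normalise each token (undo digit-for-letter homoglyphs, collapse repeated letters) and then allow a small edit distance against a watchlist. The homoglyph table, the watchlist and the alias table are assumptions made for this illustration; the test phrases are the article's own subject lines.

```python
import re

# Homoglyph and leet substitutions used to slip keywords past simple filters.
# Assumed, illustrative mapping, not one taken from the article.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s", "|": "l"})

# Words the filter cares about (from the article's examples) and whole-word
# aliases such as "stox" that no edit-distance rule would catch on its own.
WATCHLIST = {"stock", "killed", "bombing", "iraq"}
ALIASES = {"stox": "stock"}


def normalize(token):
    """Lower-case, undo homoglyphs, drop non-letters, collapse doubled letters.
    'kiiIled' -> 'kiled', 'Bombbing' -> 'bombing', 'st0ck' -> 'stock'.
    Watchlist words are normalised the same way, so 'killed' -> 'kiled' too."""
    t = token.lower().translate(HOMOGLYPHS)
    t = re.sub(r"[^a-z]", "", t)
    return re.sub(r"(.)\1+", r"\1", t)


def edit_distance(a, b):
    """Plain Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_subject(subject, watchlist=WATCHLIST, aliases=ALIASES, max_distance=1):
    """Return the sorted watchlist words a subject line matches after
    normalisation, tolerating `max_distance` residual typos per word."""
    targets = {normalize(w): w for w in watchlist}
    targets.update({normalize(k): v for k, v in aliases.items()})
    found = set()
    for raw in subject.split():
        if not any(c.isalpha() for c in raw):
            continue  # pure numbers or punctuation ('140', '-') are not keywords
        tok = normalize(raw)
        if len(tok) < 3:
            continue  # too short for a meaningful fuzzy match
        for norm, word in targets.items():
            if tok == norm or edit_distance(tok, norm) <= max_distance:
                found.add(word)
    return sorted(found)


if __name__ == "__main__":
    for line in ("140 US marines kiiIled", "Bomging takkes 140 lives", "Buy this st0ck now"):
        print(f"{line!r} -> {flag_subject(line)}")
```

The alias table is the honest part of the example: "stox" is two edits from "stock" after normalisation, and raising the distance to 2 on four-letter tokens would flag far too much ordinary mail, so whole-word substitutions have to be enumerated. Keyword scoring like this is only one layer; the Sophos advice about a multi-layered defence applies because a campaign that is rotated daily will eventually find a spelling the list does not cover.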
Although the message pretends to be sent from a variety of different email addresses, it poses as a breaking news report from Associated Press. Unlike the changing subject lines, the body of the emails appears to always be the same:
14 US Marines Killed in Iraq Bombing Guardian Unlimited
By ROBERT H. REID. BAGHDAD, Iraq (AP) - 40 minutes ago.
14 US Marines were killed when a huge bomb destroyed their lightly armored vehicle, urling it into the air in a giant fireball in the deadliest roadside bombing suffered by American forces in the Iraq war
Read more...
"Receiving or reading the emails themselves does not mean you are infected," explained Graham Cluley, senior technology consultant for Sophos. "However, users must be very careful not to click on the link contained inside the mails as that will take them to a malicious website. In an ideal world everyone would be running industrial-strength anti-spam software at their email gateways which would help reduce the chances of computers being put in this kind of peril."
Windows users who follow the web link visit a website which pretends to be a fuller version of the news story, but exploits vulnerabilities in Microsoft's Internet Explorer software to install the Cgab-A and Borodr-Fam Trojan horses. The malicious attack is designed to allow remote hackers to gain unauthorized access to the victim's computer.
"The deaths of American marines in Iraq is a tragedy, and it's sickening to think that hackers are prepared to exploit the troubles in that country in an attempt to break into computers for the purposes of spamming, extortion and theft," continued Cluley. "Everyone should ensure they have defenses in place to properly protect against the very latest malware attacks."
Source: http://www.sophos.com
Online video game pirates targeted by Hagbard instant messaging worm -- Posted by Igor_Donchenko on Thursday, August 4 2005
Experts at SophosLabs, Sophos's global network of virus, spyware and spam analysis centers, have discovered a worm that spreads via instant messaging chat systems and poses as pirated video games on file-sharing networks.
The W32/Hagbard-A worm can pose on file-sharing networks as one of over 400 different downloadable programs, including disk images of popular PS2 and XBOX console games such as "Grand Theft Auto: San Andreas" and "Need For Speed Underground 2".
Once the worm has infected a computer, it can send instant messages to other users of Windows Messenger, containing a link and the following text:
please download this...its only small brb
The link points to a copy of the worm stored on the infected computer.
"Because this worm can arrive in the form of an instant message, some users may be fooled into thinking it has come from a friend or colleague rather than a virus on their PC," said Graham Cluley, senior technology consultant for Sophos. "The reference to 'brb' is shorthand for 'be right back'. What the recipient doesn't realise is that once infected remote hackers can gain unauthorized access to the data on their computers."
Sophos reports that often virus writers have used popular cultural icons such as film stars, video games and musicians to entice people into running their malicious code. Last year Sophos reported how the prevalent Netsky-P worm could pose as a Harry Potter computer game.
"The video game business is huge, and they are fighting internet pirates just like the music and movie industries. People who are in the habit of downloading illegal copies of games from the net are not only damaging the video games industry, they are also potentially putting their own computer at risk of infection," continued Cluley. "The best advice is not only keep your anti-virus and firewall defenses up-to-date, but also to never download pirated software from the net."
Source: http://www.sophos.com
Basic steps to stay out of the reach of spyware -- Posted by Igor_Donchenko on Thursday, August 4 2005
In addition to using good, effective anti-malware tools, users should also consider changing some of their Internet 'habits', as this can also reduce the risk of falling victim to this type of malware. The fact that nine out of ten computers contain spyware is an indication of the tenacity of this type of malware, which will exploit the slightest chink in computer defenses to infect systems. For this reason, only the best protection will do.
The basis for effective protection against spyware is an appropriate technological solution, integrating reactive and proactive technologies. Nevertheless, users' habits when using computers and the Internet have a direct influence on the chances of a system becoming infected by spyware. With this in mind, the following practical tips are designed to help users drastically reduce the chances of their computers being infected by this type of malware:
- As a lot of spyware enters computers by exploiting software vulnerabilities, it is important to install the latest security patches supplied by software vendors.
- Carefully read the user licenses of each program that you install on your computer, in particular freeware and shareware versions. Very often, these types of programs install some kind of spyware on the system (in return for using the application).
- Take care when entering addresses in your browser. Some spyware creators are using web pages -specially designed to download spyware- with domain names similar to those of other famous sites (googkle.com is just one recent example). The aim is of course, to take advantage of simple user typing errors to install spyware on their systems.
- Don't download pirate programs, music, films, etc. Regardless of any legal questions, these types of files are a rich source of all types of malware, including spyware.
- Stay away from underground sites (those related to illegal downloads, hacking tools and techniques, etc.). Not only are these pages often designed to download spyware automatically, but they may also contain applications which, when installed, can drop all types of malware onto systems.
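The look-alike domain trick mentioned above (googkle.com standing in for google.com) can be caught mechanically: generate every label one keystroke away from a protected brand and check whether the registrable part of a host name lands in that set. The Python below is an added example, not code from Panda Software or the original article; the brand list and the miniature public-suffix table are constructed for the illustration, and a real deployment would use the full public suffix list.

```python
import string

# Brands to protect against look-alike domains. Assumed list for the example.
BRANDS = {"google", "paypal"}

# Tiny stand-in for a public-suffix list, constructed for this example.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def typo_variants(name):
    """Every label one keystroke away from `name`: insertion ('googkle'),
    omission ('gogle'), doubled letter ('gooogle'), substitution ('goggle',
    'paypa1') and adjacent transposition ('gogole'), plus the glued
    'www' prefix that catches a missed dot ('wwwgoogle')."""
    alphabet = string.ascii_lowercase + string.digits
    out = {"www" + name, "www-" + name}
    for i in range(len(name) + 1):
        for c in alphabet:
            out.add(name[:i] + c + name[i:])
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])
        out.add(name[:i] + name[i] + name[i:])
        for c in alphabet:
            if c != name[i]:
                out.add(name[:i] + c + name[i + 1:])
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    out.discard(name)
    return out


def build_index(brands):
    """Map each variant label to the brand it imitates (first brand wins)."""
    index = {}
    for brand in sorted(brands):
        for variant in typo_variants(brand):
            index.setdefault(variant, brand)
    return index


def registrable_label(host):
    """Label directly under the public suffix: 'www.google.co.uk' -> 'google'."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def imitated_brand(host, index, brands=BRANDS):
    """Return the brand a host name imitates, or None when it is the genuine
    brand or not a single-keystroke variant of any protected brand."""
    label = registrable_label(host)
    if label in brands:
        return None
    return index.get(label)


INDEX = build_index(BRANDS)

if __name__ == "__main__":
    for host in ("googkle.com", "www.gogole.com", "mail.google.com", "example.com"):
        print(f"{host:20s} -> {imitated_brand(host, INDEX)}")
```

Generating variants ahead of time and indexing them, rather than computing a distance against every brand per lookup, keeps the check cheap enough to run on proxy logs or DNS query logs, which is where a typing error first becomes visible. Beyond one keystroke the variant set grows quadratically and the false-positive rate with it, so two-keystroke detection is usually reserved for short, high-value brands.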
According to Luis Corrons, director of PandaLabs, "In order to protect against spyware, it is important to have an anti-malware suite which detects both known and unknown spyware. But bear in mind that nothing is infallible, and therefore the way people use the Internet should also be geared towards reducing the chances of encounters with malware. Just as no one in their right mind would think of taking a tight bend in a car at 150 mph, no matter how advanced the car's safety systems, neither does it make sense to surf pages infested with malware, regardless of how good your protection is."
Source: http://www.pandasoftware.com
Top Ten viruses and spyware most frequently detected by Panda ActiveScan in July -- Posted by Igor_Donchenko on Thursday, August 4 2005
As it does every month, Panda Software has published its ranking of the top ten viruses most frequently detected by its online anti-malware solution, Panda ActiveScan, over the last month (www.activescan.com). A new version of this tool which also detects spyware has recently been made available to users. Based on this feature, Panda Software has also published the top ten spyware programs most frequently detected last month.
The list of the most widespread viruses has not altered drastically this month, the most significant exception being the absence, for the first time in three months, of Mhtredir.gen from the top of the list. According to the data gathered by Panda ActiveScan in July, this exploit has been overtaken as the most-detected malware by the script for the FTP function of SDBot. Certain SDBot variants use this script to download the worm via FTP onto a machine once they have exploited an operating system vulnerability such as LSASS (MS04-011) or RPC-DCOM (MS03-026).
It is quite clear that bots are becoming more significant by the day. The SDBot script is joined in the ranking, in fourth place, by the generic detection for the Gaobot family, a worm with bot functions that is saturating the Internet with several hundred variants. The usefulness of this type of malware to its creators is evident: they can build bot networks and use them at will for a range of actions, including spamming or launching coordinated attacks. In fact, it is not uncommon for such bot networks to be leased out to third parties for these purposes.
Another tendency visible in this ranking, and increasingly apparent over recent months, is that malware creators are forgoing notoriety in exchange for greater profitability, keeping users less aware of their techniques. Alongside the two bot-related entries (bots being one of the main channels for those seeking financial gain) there is Smitfraud, which is aimed exclusively at financial return: it is part of an adware program of the same name that, among other things, fraudulently tries to get users to buy a supposed antispyware program.
Mhtredir, with its BS variant, accounts for two entries in this month's ranking; it is malware that exploits unpatched vulnerabilities. Netsky.P, on the other hand, continues to be responsible for numerous infections, exploiting a vulnerability that lets an attachment execute simply when the message is viewed in the preview pane (the incorrect-MIME-header bug described in MS01-020). The high infection rates of both make it all the more important to remind users to keep operating systems up to date with the corresponding security patches, and not to open attachments unless they come from a completely reliable source.
The full list of viruses, worms and Trojans is as follows:
| Virus name | Percentage |
|---|---|
| W32/Sdbot.ftp | 2.47 |
| Exploit/Mhtredir.gen | 2.08 |
| W32/Netsky.P.worm | 1.94 |
| W32/Gaobot.gen.worm | 1.56 |
| Trj/Qhost.gen | 1.43 |
| VBS/Psyme.C | 1.04 |
| Exploit/Mhtredir.BS | 0.95 |
| W32/Smitfraud.B | 0.81 |
| Trj/Downloader.DEW | 0.75 |
| W32/Parite.B | 0.75 |
In addition to this list, a separate ranking of infections by spyware has been generated. Spyware is a type of malware designed to gather data on users' Internet habits and preferences, which is then sent to the creators of the malware or sold on to third parties, normally spammers.
The classification of the most widespread spyware over the last month is as follows:
| Spyware | Percentage |
|---|---|
| Spyware/ISTbar | 3.32 |
| Spyware/Cydoor | 3.01 |
| Spyware/XXXToolbar | 2.79 |
| Spyware/New.net | 2.54 |
| Spyware/BetterInet | 1.13 |
| Spyware/Dyfuca | 0.91 |
| Spyware/YourSiteBar | 0.75 |
| Spyware/Petro-Line | 0.67 |
| Spyware/Altnet | 0.57 |
| Spyware/BargainBuddy | 0.51 |
As in previous months, the most frequently detected spyware program is ISTbar, whose main characteristic is that it serves as an entry point for other malware of the same kind: spyware, adware and dialers. Much of the rest of the ranking is unchanged, with many specimens now well known to users, such as Altnet, spyware related to one of the best-known file-sharing programs. The most notable new entry is YourSiteBar, spyware which, like many others, gathers user information and sends it to Internet advertising companies.
Source: http://www.pandasoftware.com