Antivirus World

News archive about antivirus software, virus threats, trojans

September 2004

Trojans: a silent epidemic -- Posted by Igor_Donchenko on Friday, September 17 2004
How often do you hear people say things like "I haven’t got an antivirus and I have never been infected by a virus"? This might just have been possible some time ago, when there were relatively few viruses out and about. Today however, with more than 70,000 types of malicious code in existence, it is not likely.

One frequent misconception is that virus authors have the exclusive goal of deleting files from the hard disks of as many computers as possible. The reality is that there are now plenty of cyber-crooks on the Internet with high levels of expertise in the latest digital fraud techniques.

Another common mistake is to think that your computer cannot possibly be of interest to Internet criminals. Have you never used your credit card number or bank account details over the Web? Have you never used an online service (one where your bank details are stored) to check phone or electricity bills? Doesn't your ISP have an area where you can edit your personal details?

Cyber-crooks know all about these things. They know that the information they want is within reach, and all they need is the right tool to extract it. This might seem difficult, but this tool has actually been around for a while: the Trojan.

Unlike other viruses or worms (although there are exceptions), Trojans don't delete files, display silly texts or even send infected emails. Nevertheless, Trojans can steal all types of information, let an attacker into your system, or even give someone else complete control over your computer.

Trojans can also be used to let hackers use your Internet connection and launch attacks from your computer. This means that the victim of the attack will think you are responsible, not the hacker. This technique of using PCs as 'zombies' can also link up several computers to make it even more difficult for the real source to be detected.

To make matters worse, Trojans don't usually spread via email, as this is not subtle enough. Often they are hidden in programs downloaded from the Internet, or they exploit a vulnerability to infect computers simply when the unsuspecting user visits a website.

So to think that all you need to protect yourself from today's Internet threats is caution and common sense is, at best, foolhardy. If you really want to stay out of danger, there is no substitute for a good antivirus, updated at least once a day.

Source: http://www.pandasoftware.com

Protecting communications ports -- Posted by Igor_Donchenko on Monday, September 13 2004
The communication ports in computers make it possible to browse the Internet, send and receive email, or download files from FTP servers. Technically speaking, communication ports can be defined as access points in a computer or device through which information is transferred (both inbound and outbound) between the computer and external resources (via TCP/IP).

IT networks, then, including the Internet, are really computers inter-connected through their corresponding ports, through which they can make requests or respond to requests from other computers.

Nevertheless, communication ports have also become one of the main channels through which viruses and hackers try to achieve their aims. For example, there are viruses that enter computers directly through communication ports without using traditional propagation means such as email. Ports are also used by many Trojans to communicate with their operators, or to open a backdoor on a port that lets an attacker take remote control of the computer.

How to protect communications ports

Today, fortunately, protecting communication ports is a relatively simple task, within the reach of all users.

- Network protection

Companies with mid-to-large sized networks should consider using a firewall server at the perimeter, as this will block attacks through ports on the rest of the computers that make up the network. There are many available on the market, although it is advisable to stick to the better known names. One thing that should be borne in mind when choosing a firewall is its compatibility with antivirus solutions. The combination of an antivirus and a firewall will make it extremely difficult for threats to enter the network from the Internet.

In the case of SMEs, where IT resources consist of just a few PCs, a personal firewall in each of the computers in the network will suffice, as explained below.

- Protecting standalone computers

Protecting communication ports in computers that connect individually to the Internet (i.e. those that are not in a network) is best achieved using a personal firewall. These applications monitor the traffic passing through the communication ports and block anything suspicious from entering. There are many available on the market, and most can be configured to allow Internet connections only for programs that legitimately need them, such as browsers and mail clients, and to deny access to any other application. This also prevents spyware from sending information out to third parties.

However, the tightest security is obtained by combining a firewall with adequate antivirus protection, as this will prevent infection by email-borne viruses, some of which are capable of terminating firewall processes and leaving the computer defenseless against future attacks through communication ports. Some security suites on the market include both a firewall and protection against all types of malicious code.
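The backdoor-on-a-port scenario described in this post is something you can check for directly: compare what is actually listening on a machine with the short list of services that should be, and look at which process owns each socket and which interface it is bound to. The script below is an added example, not code from the original post or from Panda Software. It parses the output layout of "ss -tlnp" on Linux; the sample output is constructed for the example rather than captured from a real host, and the allowlist of expected listeners is an assumption that a real deployment replaces with its own. On Windows the same check runs over "netstat -abno" with a different parser.

```python
"""Audit listening TCP sockets against an allowlist of expected services.

Added example (not code from the original post or from Panda Software).
Parses the output format of `ss -tlnp` on Linux. SAMPLE_SS_OUTPUT is
constructed for this example, and EXPECTED_LISTENERS is an assumed
allowlist that a real deployment would replace with its own.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed allowlist: port -> (process expected to own it, loopback only?)
EXPECTED_LISTENERS: Dict[int, Tuple[str, bool]] = {
    22: ("sshd", False),     # remote administration, may face the network
    631: ("cupsd", True),    # print spooler, local clients only
    3306: ("mysqld", True),  # database, local clients only
}

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample in `ss -tlnp` layout. The last line has no process
# column, which is what ss prints for another user's socket without root.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=812,fd=7))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=650,fd=3))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=650,fd=4))
LISTEN  0       50      0.0.0.0:3306        0.0.0.0:*          users:(("mysqld",pid=1200,fd=21))
LISTEN  0       10      0.0.0.0:31337       0.0.0.0:*          users:(("rshell",pid=4242,fd=5))
LISTEN  0       5       0.0.0.0:445         0.0.0.0:*
"""

SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


@dataclass
class Listener:
    addr: str
    port: int
    proc: Optional[str]   # None when ss could not show the owner
    pid: Optional[int]


@dataclass
class Finding:
    listener: Listener
    reason: str


def parse_ss(output: str) -> List[Listener]:
    """Turn `ss -tlnp` text into Listener records; skips the header line."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        # rpartition on the last ':' keeps IPv6 literals such as [::] intact
        addr, _, port = m.group("local").rpartition(":")
        listeners.append(Listener(
            addr=addr.strip("[]"),
            port=int(port),
            proc=m.group("proc"),
            pid=int(m.group("pid")) if m.group("pid") else None,
        ))
    return listeners


def audit(output: str,
          expected: Dict[int, Tuple[str, bool]] = EXPECTED_LISTENERS) -> List[Finding]:
    """Report each listener that is not on the allowlist, is owned by an
    unexpected process, or is exposed beyond loopback when it should not be."""
    findings: List[Finding] = []
    for lst in parse_ss(output):
        rule = expected.get(lst.port)
        if rule is None:
            findings.append(Finding(lst, f"port {lst.port} is not an expected service"))
            continue
        proc, loopback_only = rule
        if lst.proc != proc:
            findings.append(Finding(lst, f"port {lst.port} is owned by {lst.proc!r}, expected {proc!r}"))
        if loopback_only and lst.addr not in LOOPBACK:
            findings.append(Finding(lst, f"port {lst.port} is bound to {lst.addr}, expected loopback only"))
    return findings


if __name__ == "__main__":
    # Pipe real output in (`ss -tlnp | python3 port_audit.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for f in audit(text):
        owner = f"{f.listener.proc} (pid {f.listener.pid})" if f.listener.proc else "unknown owner"
        print(f"{f.listener.addr}:{f.listener.port} {owner}: {f.reason}")
```

On the sample this reports three problems: an unknown program on port 31337, a listener on port 445 with no visible owner, and a database that is reachable from every interface instead of loopback only. A personal firewall closes the first two from the outside; the audit tells you they exist, which the firewall alone does not.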

Source: http://www.pandasoftware.com

Top Ten viruses most frequently detected by Panda ActiveScan in August -- Posted by Igor_Donchenko on Tuesday, September 7 2004
In August, according to the data gathered by Panda Software's free online antivirus solution, Downloader.GK was once again the malicious code responsible for most attacks on users' computers. This is the third month running that it has headed the list of Top Ten viruses detected by Panda ActiveScan, which has also seen the continuation of the prevalence of Trojans in general.

Last month, Downloader.GK was the culprit in 17.51 percent of infections, followed a long way off by Briss.A, the cause of just under seven percent of attacks. After these two came Qhost.gen and Mhtredir.gen, both responsible for over six percent of positive cases. Fifth place in the Top Ten was held by Sasser.ftp (5.93%), and in sixth place came Netsky.P (5.61%). Downloader.OG (4.96%), StartPage.FH (4.44%), Gaobot.gen (4.24%) and Downloader.JH (3.35%) occupied the final positions in the August ranking.

The following conclusions can be drawn from the data collected by Panda ActiveScan last month:

- Major presence of the Downloader family.

Downloader.GK tops the ranking for the third successive month, with an infection rate more than twice that of Briss.A, in second place. Just as happened in July, three of the Top Ten are from the Downloader family of Trojans.

- Trojans continue to dominate.

Similarly in August, seven of the ten viruses most frequently detected by Panda ActiveScan were Trojans, highlighting the continuation of this worrying trend. In both June and July, six of the Top Ten were Trojans, in May there were three, while previously there had only been one.

- The same old faces.

There were only two new viruses in this month’s ranking: Exploit/Mhtredir.gen and Downloader.OG, replacing Downloader.HC and Bagle.AH.

Rank  Virus name              Percentage
  1   Trj/Downloader.GK         17.51%
  2   Trj/Briss.A                6.93%
  3   Trj/Qhost.gen              6.35%
  4   Exploit/Mhtredir.gen       6.12%
  5   W32/Sasser.ftp             5.93%
  6   W32/Netsky.P.worm          5.61%
  7   Trj/Downloader.OG          4.96%
  8   Trj/StartPage.FH           4.44%
  9   W32/Gaobot.gen.worm        4.24%
 10   Trj/Downloader.JH          3.35%


Source: http://www.pandasoftware.com

Malware Evolution: August Roundup -- Posted by Igor_Donchenko on Tuesday, September 7 2004
In contrast to last summer, August was a relatively quiet month in terms of virus activity. However, the month did bring certain developments in the evolution of malicious code. Some of the programs which were first detected this month are likely to appear more frequently in the future.

The most important event this month was the appearance of Backdoor.WinCE.Brador.a. This is the first true malicious program for Pocket PCs; although a proof-of-concept virus for devices running Windows CE was detected last month, it was effectively harmless and was not seen in the wild. Brador, in contrast, is a remote administration utility which can receive and execute a range of commands. The author of the program is offering to sell the client part to any interested party; if this offer is taken up, Brador may become widespread in the future.

Another innovation this month was Trojan.SymbOS.Mosquit.a. This Trojan for mobile phones confirms the theory that once the first piece of malicious code for an operating system has appeared, variations or new programs will not be long in following. In this case, Mosquit.a followed on the heels of Cabir, the proof-of-concept virus for phones running the Symbian operating system, which first appeared in June this year. Mosquit is actually a popular game for mobile phones; however, the program is coded to send SMS messages to numbers contained in the body of the program without the user's knowledge, and it is therefore classified as a Trojan.

The flood of Trojan spy programs showed no signs of decreasing in August, with 7 new versions of Trojan.PSW.LdPinch and two new versions of TrojanSpy.Win32.Small.q being detected. The latter is designed to steal account details for 55 online payment systems; the information is then sent to the author of the program. Also circulating this month were a number of modifications of Trojan.PSW.Lmir, a program which steals passwords to Legend of Mir, a Chinese online game.

In the middle of the month, the British company Pentest announced a vulnerability in WIDCOMM Bluetooth Connectivity software which allows the execution of arbitrary code with the current user's rights. No patch for this vulnerability has been released. Although so far there have been no reports of it being exploited, it may only be a matter of time before the first program coded to take advantage of this loophole appears.

The end of the month brought a number of emails with the subject '1' and an attachment named 1.gif or 2.gif. The attachments contained the text 45451212. The messages themselves contained HTML code which uses Exploit.HTML.ObjData to download a file containing TrojanDropper.Win32.Small.kv from the Internet. This Trojan has spread alongside a number of versions of Bagle; this spam mailing may be preparation for the release of a new version of Bagle.
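The mailing just described has three indicators a mail gateway can test for without any signature: the one-character subject, an attachment that calls itself a GIF but carries plain text instead of an image header, and an HTML body that pulls a file from a remote server. The script below is an added example, not code from the original page or from Kaspersky Lab, and the messages it scans are constructed for the example. That the HTML fetches the remote file through an <object data="..."> element is this example's assumption; the roundup only names the detection Exploit.HTML.ObjData.

```python
"""Flag mail matching the '1' spam run described above.

Added example, not code from the original page or from Kaspersky Lab. The
sample messages are constructed here. Indicators checked: subject "1", an
attachment named 1.gif or 2.gif whose bytes are not a GIF image, and an
HTML body loading a remote file through <object data="..."> (the <object>
form is an assumption of this example).
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

GIF_MAGIC = (b"GIF87a", b"GIF89a")
OBJECT_DATA = re.compile(r'<object\b[^>]*\bdata\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
LURE_NAMES = {"1.gif", "2.gif"}


def build_sample_message() -> EmailMessage:
    """Constructed message shaped like the mailing: subject '1', a text
    'GIF' and an HTML part loading a remote file (example URL)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "1"
    msg.set_content("1")
    msg.add_alternative(
        '<html><body><object data="http://192.0.2.10/2.php" type="text/html">'
        '</object></body></html>', subtype="html")
    msg.add_attachment(b"45451212", maintype="image", subtype="gif", filename="1.gif")
    return msg


def build_benign_message() -> EmailMessage:
    """Constructed control: ordinary subject, a real GIF header, no <object>."""
    msg = EmailMessage()
    msg["Subject"] = "Holiday photos"
    msg.set_content("See attached.")
    msg.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image", subtype="gif",
                       filename="beach.gif")
    return msg


def indicators(msg: EmailMessage) -> List[str]:
    """Return the campaign indicators present in a parsed message."""
    hits: List[str] = []
    if str(msg["Subject"] or "").strip() == "1":
        hits.append("subject is the single character '1'")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in LURE_NAMES:
            # Trust the bytes, not the extension or the declared MIME type.
            payload = part.get_payload(decode=True) or b""
            if not payload.startswith(GIF_MAGIC):
                hits.append(f"attachment {name} is not a GIF (starts with {payload[:8]!r})")
        if part.get_content_type() == "text/html" and not part.is_attachment():
            for url in OBJECT_DATA.findall(part.get_content()):
                hits.append(f"HTML body pulls a remote file via <object data>: {url}")
    return hits


def scan_raw(raw: bytes) -> List[str]:
    """Parse a message as received on the wire, then scan it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return indicators(msg)


if __name__ == "__main__":
    for label, m in (("sample", build_sample_message()), ("benign", build_benign_message())):
        print(label, scan_raw(m.as_bytes()) or "no indicators")
```

The attachment check is the durable part: a file whose extension and MIME type say image but whose first bytes do not, is a mismatch worth quarantining regardless of which campaign is running this month.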

August also brought a new Mydoom epidemic: I-Worm.Mydoom.q. This worm was programmed to stop replicating on 20th August, when the system clock shows 21.11.11. However, Backdoor.Win32.Surila.g, which Mydoom installed on victim machines, has no expiry date; those machines remain open to remote administration until the backdoor program is removed.

Forecast for the coming month:

Next month worms will, as usual, be the most widespread type of malicious program, while spy programs will appear in the highest numbers. It is quite possible that new malicious programs for handheld computers and mobile phones will be detected, including programs which use the vulnerability in WIDCOMM Bluetooth Connectivity software to spread. The spamming of Exploit.HTML.ObjData, which downloads TrojanDropper.Win32.Small.kv, may be the precursor to another Bagle outbreak.

Source: http://www.viruslist.com

Virus Top Twenty for August 2004 from Kaspersky Labs -- Posted by Igor_Donchenko on Tuesday, September 7 2004

Ranking  Change     Virus name                          Percentage
   1     +1         I-Worm.Netsky.aa                      18.22%
   2     +1         I-Worm.Netsky.b                       16.37%
   3     +1         I-Worm.Netsky.b                       13.64%
   4     -3         I-Worm.Zafi.b                          7.55%
   5     new        I-Worm.Mydoom.m                        5.41%
   6     no change  I-Worm.Netsky.t                        5.05%
   7     new        I-Worm.Mydoom.q                        4.29%
   8     -3         I-Worm.Bagle.z                         3.36%
   9     -1         I-Worm.Netsky.d                        2.40%
  10     -1         I-Worm.Lovgate.w                       2.26%
  11     -4         I-Worm.Netsky.y                        2.11%
  12     +6         I-Worm.Netsky.r                        1.30%
  13     new        TrojanDropper.VBS.Zerolin              1.06%
  14     -1         I-Worm.Sobig.f                         0.98%
  15     new        I-Worm.Mydoom.l                        0.93%
  16     -2         Backdoor.Rbot.gen                      0.72%
  17     -6         I-Worm.Netsky.o                        0.72%
  18     +2         I-Worm.Swen                            0.66%
  19     -9         I-Worm.Bagle.gen                       0.65%
  20     new        TrojanDownloader.Win32.Agent.bq        0.61%
         Other malicious programs (not in the Top 20)     11.73%

August turned out to be an odd month for virus statistics. Everyone was expecting a traditional, virus-filled month, something similar to August 2003. Instead we saw a quiet summer month distinguished only by the appearance of 5 new malicious programs in the Top Twenty, the most we've seen since April 2004.

As a result, our predictions that August would see much more virus activity than the other summer months turned out to be both true and false: new malicious programs were detected but there were no serious outbreaks.

Netsky.aa pushed Zafi.b aside to become the leader once again; in fact, the top three viruses this month, all Netsky variants, mimic the May Top Twenty.

Zafi.b has been knocked down to fourth place in a plunge from an impressive 57% in July to a mere 7.55% in August. We might even see Zafi disappear completely from the Virus Top Twenty in September.

The most important newcomers to this month's Top Twenty are three new versions of Mydoom. The original worm, Mydoom.a, set new records for the number of copies clogging email channels at any one time. All three newbies were based on the Mydoom.a source code and did not demonstrate anything new in terms of malicious code evolution. Mydoom.m jumped immediately to the fifth place slot, while the other two versions of Mydoom occupy seventh and fifteenth place respectively.

Top Twenty oldies such as Bagle, Swen, Sobig, Lovgate and other Netsky variants maintained equilibrium, moving up and down the table only slightly.

Two new Trojans made their mark on the Top Twenty and both deserve a closer look. First we have TrojanDropper.VBS.Zerolin, a script Trojan programmed to install malware on infected machines. We saw a significant number of spam campaigns where Zerolin came as a 'free' add-on. Zerolin then proceeded to install a variety of malware on victim machines, ranging from primitive key logging programs to multi-functional backdoors and even some worms.

The second Trojan, TrojanDownloader.Win32.Agent.bq, also arrived via mass mailings. Agent.bq downloads all files placed on the servers listed in the Trojan's code; these files included a number of spy programs.

Source: http://www.viruslist.com

© AntivirusWorld.com