Antivirus News


Hackers Spam ‘Happy New Year’ Worm

Posted in Viruses, Worms, F-Secure, Kaspersky by Antivirus-News on the December 30th, 2006

A rootkit-cloaked worm is being heavily spammed to users as an attachment to “Happy New Year!” messages, a security researcher warned Friday.
The new worm, dubbed “Tibs” by Kaspersky Lab but pegged as a “Nuwar” variant by Trend Micro, comes disguised as a file attachment named “postcard.exe,” said Ken Dunham, director of VeriSign iDefense’s rapid response team, in an e-mail. Users who launch the executable will infect their PCs.

With antivirus signature updates still thin and over 160 servers spamming the new worm, the threat is significant, added Dunham. “The period of greatest risk is through the New Year’s holiday, when antivirus protection is the lowest for this new threat and users are most apt to click on a ‘New Year’s’ related message,” he said. “Everyone should be on guard for e-mails and other content potentially harboring malicious code during the holiday period.”

On at least one network the worm is generating as many as five spammed messages a second, iDefense reported.

The security intelligence firm’s research has identified more than a dozen pieces of malicious code — including zombie-making bot Trojans — installed by Tibs after it has gained a foothold on a PC. Two rootkits are also installed to mask the malware from antivirus scanners, and the worm also disables the Windows firewall, as well as several security programs, including F-Secure’s BlackLight rootkit scanner. The worm spreads by spamming itself to addresses it steals from the user’s files.

“This is a classic iceberg threat,” said Dunham, “where multiple codes are installed and then protected with rootkit technology.”

 

New web worms causing havoc

Posted in Viruses, Worms, Trend Micro by Antivirus-News on the December 29th, 2006

A recent wave of web worms appearing on social networking websites represents a new generation of more sophisticated computer worms.

Early forms of the computer threats classified as “worms” were intended more for causing havoc or were designed for proof-of-concept purposes to determine if vulnerabilities could be exploited.

Recently, however, new worms have been discovered on social networking sites such as MySpace, which are designed to steal data.

These new worms employ cross-site scripting (XSS) flaws found on many websites.

XSS is defined on the Whatis.com website as a security exploit in which the attacker inserts malicious codes into a link that appears to be from a trustworthy source. When the user clicks on the link, the embedded programming is submitted as part of that user’s web request and can execute on the user’s computer, typically allowing the attacker to steal information.

Web server applications that generate the web pages dynamically are vulnerable to this type of exploit if they fail to validate user input.
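As an added illustration (example code written for this page, not part of the original article or any site's code), here is the kind of dynamically generated profile page the paragraph describes, rendered once without and once with output encoding. The function names and the sample profile text are this example's own.

```python
# Added example (not from the original article): a profile page that pastes
# user-supplied text into HTML, beside the hardened version that encodes it.
# Function names and SAMPLE_ABOUT_ME are this example's own constructions.
import html

PAGE_TEMPLATE = '<html><body><h1>Profile</h1><div class="about">{about}</div></body></html>'


def render_profile_unsafe(about_me: str) -> str:
    """Vulnerable: user-controlled text goes straight into the page.
    Anything that looks like markup in about_me becomes markup in the page."""
    return PAGE_TEMPLATE.format(about=about_me)


def render_profile_safe(about_me: str) -> str:
    """Hardened: output encoding. html.escape turns <, >, &, and quotes into
    entities, so the browser displays the text instead of interpreting it."""
    return PAGE_TEMPLATE.format(about=html.escape(about_me, quote=True))


def contains_active_markup(page: str) -> bool:
    """Crude check used by this example: does the rendered page still carry a
    raw <script> tag or an inline event handler attribute?"""
    lowered = page.lower()
    return "<script" in lowered or " onerror=" in lowered or " onload=" in lowered


# Constructed sample: profile text that embeds a script tag, the same shape of
# payload a self-copying profile worm carries.
SAMPLE_ABOUT_ME = 'Hi! <script>document.title="owned"</script>'

if __name__ == "__main__":
    print(render_profile_unsafe(SAMPLE_ABOUT_ME))
    print(render_profile_safe(SAMPLE_ABOUT_ME))
```

Encoding at the point where untrusted text is written into HTML is the control that stops a stored payload like Samy's from becoming markup when another user views the profile; validating input (length, character set) complements it but does not replace it, because the same text may later be rendered in several contexts.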

The popular MySpace website was first hit with the Samy worm in October.

Adam Biviano, a senior systems engineer at security firm Trend Micro, said a MySpace.com user, called Samy, had created a “malicious” profile by taking advantage of a flaw in the website’s design. The profile, when viewed, automatically activated a code to add the visitor to Samy’s “friends” list. Additionally, the malicious code would be copied into the victim’s profile, so when that person’s profile was viewed, the infection spread.

According to Biviano, “The infection stays on the website and almost creates a denial-of-service attack, because there is an exponential explosion of entries in your friends list that will eventually consume the infrastructure.”

The apparent intent of the Samy worm creator was to increase his popularity on the social networking site. In terms of numbers of “friends,” it worked.

In an e-mail interview posted on Google Blogoscope, the young author said: “It didn’t take a rocket or computer scientist to figure out that it would be exponential, I just had no idea it would proliferate so quickly.”

“When I saw 200 friend requests after the first eight hours, I was surprised. After 2,000 a few hours later, I was worried,” he said.

“Once it hit 200,000 in another few hours, I wasn’t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000.”

The Samy worm demonstrated the ease with which cross-site scripting could be used as an exploit and was quickly followed by a major phishing attack later in October.

One such exploit changes a user’s profile to include links to a pornographic website that hosts spyware.

Hackers are finding cross-site scripting “holes” in numerous large websites.

According to computer firm CGI, sites such as CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired and FBI.gov have one form or another of XSS bugs.

Protecting yourself will involve work.

For specific suggestions on steps to take consider visiting the website www.cgisecurity.com and searching for the article: xss-faq.

John Millar is the president of Digital Boundary Group, a London-based information technology security services firm. This article, written with the assistance of Deborah Washburn, a security specialist, contains general comment and suggestions. Digital Boundary may be reached at 519-652-6898. E-mail him at jmillar@digitalboundary.net.

Kaspersky Adds Vista Support To Consumer Antivirus

Posted in Viruses, Kaspersky, Symantec by Antivirus-News on the December 28th, 2006

Moscow-based Kaspersky Lab on Thursday updated its consumer security product line with beta support for Microsoft’s Windows Vista, the next-generation operating system that will roll out to retail the end of next month.

Maintenance Pack 2 for both Kaspersky Anti-Virus 6.0 (KAV) and Kaspersky Internet Security (KIS) 6.0 adds Vista support to the pair of programs, which debuted in May 2006. Current users can download the update free of charge.

“Many of our users have expressed interest in Vista, and we are providing a clear path for them to do so,” Steve Orenberg, company president, said in a statement. “Customers can confidently continue to enjoy protection from Kaspersky regardless of which operating system they choose.”

Kaspersky is only the latest security vendor to update its consumer line to account for Vista. Symantec, for example, has had betas of Vista versions of its Norton AntiVirus and Norton Internet Security available for several weeks.

The maintenance pack for KAV and KIS can be downloaded from several Kaspersky FTP servers.

Phishers’ Latest Platforms: VoIP, SMS

Posted in Viruses, Symantec, Phising by Antivirus-News on the December 28th, 2006

Phishers have branched out beyond e-mail, a security researcher said, and are now exploring both VoIP and text messaging as attack avenues.

Voice over IP is attractive to identity fraudsters, said Zulfikar Ramzan of Symantec’s Advanced Threat Research group, in a company blog entry Tuesday, because it’s an affordable way to dial large numbers of phone numbers. Dubbed “vishing” for voice phishing, “such attacks can be conducted cheaply enough that phishers might see a sufficient return on their investment,” Ramzan said. Phishers substitute phone numbers for URLs in traditional e-mailed come-ons or dial consumers directly, circumventing e-mail entirely.

Another tactic, said Ramzan, is “smishing,” for SMS phishing. “A victim might receive a phone [text] message saying that he or she will be charged $x per day if a fictitious order at a particular Web site isn’t cancelled,” he said. “In a panic, the victim then visits the site to cancel the order [but] in the process the victim will end up with malicious software on his or her machine.”

Symantec also has accumulated evidence that shows that some phishers are collecting user names and passwords fast enough to defeat two-factor authentication number generators and are using one-time, quickly disposed URLs to avoid site blacklisting, a common anti-phishing technique.

“Phishers have demonstrated that they really mean business,” Ramzan said. “Their attacks have become more frequent, more varied, and quite frankly more innovative. We must continuously out-innovate them and persistently redouble our efforts.”

Top Ten viruses most frequently detected by Panda ActiveScan in 2006

Posted in Viruses, Panda, Phising by Antivirus-News on the December 28th, 2006

The absence of large-scale virus epidemics has, once again, been the most notable characteristic of the year. In fact, the list of frequently detected viruses during 2006 has varied little throughout the year. This does not mean, however, that there is a lower risk of infection. What is happening is that the attacks have become more silent and more specific, as they are increasingly motivated by financial gain rather than simply gratuitously attacking users’ computers. A report produced by PandaLabs in the third quarter of 2006 revealed that 72 percent of Internet threats were financially motivated (http://www.pandasoftware.com/about/press/viewnews?noticia=8071).

So, malware is just as prevalent as always, if not more so, and more pernicious, if that were possible, than before, as today’s attackers are after your money. “Despite what people may think,” explains Luis Corrons, director of PandaLabs, “the risk of virus infection is greater than ever. Firstly, due to the strategy of simultaneously distributing numerous variants of a malicious code, as was the case with Bagle or Gaobot, thereby increasing the chances of infection, and secondly, because the majority of attacks are now financially motivated, and are therefore more discreet.”

As mentioned, the large-scale threats are disappearing, but there has still been a series of particularly virulent attacks which merit our close attention. With this in mind, Panda Software has published the Top Ten of the viruses most frequently detected in 2006.

In first place, for the second successive year, is Sdbot.ftp. This malware first appeared in 2004 and six months later occupied first place in the ranking of our Top Ten. Since then it hasn’t budged. The severity of this worm is classified as “medium” and there have been several variants, all with the same MO of attacking random IP addresses, exploiting system vulnerabilities and downloading copies of the worm via FTP. In 2006, Sdbot.ftp was responsible for 2.62 percent of all infections.

Another veteran in the ranking of viruses detected by ActiveScan, which came second overall in 2006, is Netsky.P. This worm, detected in 1.22 percent of positive cases, first appeared in 2004 and spreads via email and P2P file-sharing applications. Interestingly, this worm exploits the Exploit/iframe vulnerability in Internet Explorer, for which a fix has been available for some time now. In third place this year is Exploit/Metafile. Responsible for just over 1 percent of infections, this malicious code is designed to exploit a critical vulnerability in the GDI32.DLL library in Windows 2003/XP/2000. If a computer is vulnerable, Metafile allows code to be executed, which can then be used, for example, to download and run spyware.

Tearec.A is in fourth place. This worm, which spreads via email and computer networks, can disable and terminate certain antivirus programs. Fifth place is occupied by the Q.host.gen Trojan, which was found to be the culprit in 0.76 percent of infected computers. The remaining places in the ranking are occupied by Torpig.A, a Trojan that steals passwords saved by certain Windows services; Sober.AH.worm!CME-681, a worm that terminates several processes, including some belonging to security tools; Parite.B, a virus that infects PE files with EXE or SCR extensions; Gaobot.gen, a generic detection for the Gaobot family of worms, which exploits software vulnerabilities; and Bagle.pwdzip, a detection of the notorious Bagle family.

Virus                % of infections
W32/Sdbot.ftp         2.62
W32/Netsky.P          1.22
Exploit/Metafile      1.08
W32/Tearec.A          0.79
Trj/Qhost.gen         0.76
Trj/Torpig.A          0.69
W32/Sober.AH          0.67
W32/Parite.B          0.62
W32/Gaobot.gen        0.55
W32/Bagle.pwdzip      0.54

Other conclusions that can be drawn from this year’s ranking include:

- The continuing threat of financial fraud: Sdbot holds, for the second year running, first place in our Top Ten. This is a typical bot/worm designed to exploit system vulnerabilities for financial gain, highlighting the growth of this type of attack. Similarly, threats like Exploit/Metafile or Torpig.A, which are also high up the list, demonstrate this increasingly prevalent trend.

- Variations of worms: Hackers are now tending to launch different variants of the same type of malware in a very short period of time in order to increase the probability of computers being infected. This is the case with Q.host, Gaobot or Bagle. Sdbot, the first in the ranking, has also undergone significant variations over recent months.

- Infections: In 2005, the first nine threats on the list were all responsible for more than 1 percent of infections, while in 2006, only the first three reached that percentage. This should not be understood as an indication that there is less malware, on the contrary, it suggests that there is actually more malware in circulation.

All users that want to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free, online solution available at: www.pandasoftware.com/activescan. This allows users to thoroughly scan their computers if they suspect they have been infected.

More information about these and other threats is available in Panda Software’s Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/

KaZaA Worm

Posted in Viruses, Worms, F-Secure by Antivirus-News on the December 27th, 2006

What do you get when you cross a file sharing network with a person desperate for advertising dollars? A worm that drives hits to a website, of course. Dubbed by various antivirus vendors as Worm.Kazaa.Benja or W32/Benjamin, the Benjamin worm disguises itself as an array of popular music and video selections. Unsuspecting KaZaA users who search on one of these topics will be presented with a file list of appropriate titles that aren’t legitimate files but rather the Benjamin worm. When the file is downloaded and run, users will be presented with a fake error message:

Access error #03A:94574: Invalid pointer operation
File possibly corrupted.

Behind the scenes, the worm is busy creating a new file share folder and adding hundreds of copies of itself - all with fake titles of popular search requests. Antivirus vendor F-Secure reports that over 2000 titles are used.

Examples include:
“Deepest Purple-The Very Best of Deep Purple - Smoke on the Water”
“Metallica - Until it sleeps”
“Johann Sebastian Bach - Brandenburg Concerto No 4”
“South Park Vol.3-divx-full-downloader”
“Star wars Episode 1-divx-full-downloader”
“F1 Racing Championship-Games-full-downloader”
“Chessmaster 8000-Games-full-downloader”
“Apparently the worm was written to make money for the virus writer”, comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. The worm opens a webpage named benjamin.xww.de which contained advertisements. “Now the page has been taken down, but if the virus author got money based on ad views, he might have created some cashflow here”.

After displaying the false error message, Benjamin creates a copy of itself named EXPLORER.SCR in the Windows\System directory and modifies the registry to load on startup. According to F-Secure, the Benjamin worm spreads only to and from computers that have the KaZaA network client software installed.

Manual Removal

If infected with the Benjamin worm, the following registry keys will have been modified to include the value shown:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“System-Service”=”C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR”

[HKEY_LOCAL_MACHINE\Software\Microsoft]
“syscod”=”0065D7DB20008306B6A1”

Locate and delete the values shown.
Locate and delete the file EXPLORER.SCR.
Locate and delete the Sys32 subfolder located in the Windows Temp folder.
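An added example (not F-Secure's tooling and not from the original article) that automates the check behind the first removal step: it parses a regedit-style export and reports whether the two values listed above are present. The export text is constructed for the example; only the key paths, value names and value data come from the article.

```python
# Added example, not part of the original article: check a Windows registry
# export (.reg text) for the two Benjamin indicators the removal steps list.
# INFECTED_EXPORT and CLEAN_EXPORT are constructed, not real captures.
import re

# Indicators from the article: (key path, value name, substring expected in data)
BENJAMIN_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "System-Service", "EXPLORER.SCR"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft",
     "syscod", "0065D7DB20008306B6A1"),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Parse the subset of the .reg format used by regedit exports:
    [KEY] headers followed by "name"="string" lines. Backslashes are doubled
    inside .reg string data, so they are un-doubled here."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_benjamin_indicators(reg_text: str) -> list:
    """Return (key, value_name, data) triples that match an indicator.
    Comparison is case-insensitive, as registry key and value names are."""
    parsed = parse_reg_export(reg_text)
    lowered = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in parsed.items()}
    hits = []
    for key, name, needle in BENJAMIN_INDICATORS:
        data = lowered.get(key.lower(), {}).get(name.lower())
        if data is not None and needle.lower() in data.lower():
            hits.append((key, name, data))
    return hits


# Constructed export resembling an infected machine.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"SomeVendorUpdater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="0065D7DB20008306B6A1"
'''

# Constructed clean export: same Run key, no Benjamin values.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SomeVendorUpdater"="C:\\Program Files\\Vendor\\update.exe"
'''

if __name__ == "__main__":
    for hit in find_benjamin_indicators(INFECTED_EXPORT):
        print("indicator present:", hit)
    print("clean export hits:", find_benjamin_indicators(CLEAN_EXPORT))
```

Run it against an export produced with regedit's File > Export; a hit means the startup entry and the marker value are still present and the manual steps above still apply. The .reg format doubles backslashes in string data, which the parser undoes so that path comparisons work.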

Panda ClientShield with TruPrevent™ Technologies obtains ICSA Labs anti-spyware certification

Posted in Viruses, Panda, SpyWare by Antivirus-News on the December 26th, 2006

MADRID, December 26, 2006

Panda ClientShield with TruPrevent™ Technologies, Panda’s security solution designed to protect workstations from Internet threats, has obtained certification by ICSA Labs, an independent division of Cybertrust, in the Anti-Spyware for Windows XP Professional category.

The test conducted by ICSA Labs laboratories provides a dual-perspective analysis. On one hand, it focuses on the capacity to block the entrance of spyware and, on the other, examines the detection of this type of software once it has become installed on the computer. Subject to different tests during the analysis, Panda ClientShield with TruPrevent™ Technologies passed 100% of the test attacks, thereby obtaining the above-mentioned certification.

ICSA Labs certifications formally acknowledge the effectiveness of the software analyzed against Internet risks and threats, in addition to its user protection capacity. Therefore, the Panda Software product certified by these laboratories is guaranteed to protect against spyware both before and after it has installed on a computer.

Spyware detection, the category in which Panda ClientShield with TruPrevent™ Technologies has obtained certification, is becoming increasingly important due to the fact that this type of malicious software is one of the greatest risks posed by the Internet. Spyware programs gather data relative to the affected user’s web surfing habits and preferences.

Panda ClientShield with TruPrevent™ Technologies is aimed at workstations in corporate environments. With its low resource consumption and high performance level, this security software is capable of protecting against viruses, worms, Trojans and all kinds of malware, in addition to filtering spam and blocking the use of spyware, dialers and other tools normally used by hackers. Administration is simple and fast thanks to the solution’s integration in the AdminSecure console, which considerably reduces update time and, therefore, the risk of your corporate computers becoming infected.

Panda ClientShield includes TruPrevent™ Technologies. These technologies, developed by Panda Software, block all types of attacks from unknown viruses and intruders, even when the antivirus hasn’t yet been updated.

This certification of Panda ClientShield comes in addition to those received by other products, both corporate and consumer, with respect to detection of viruses and Trojans. In fact, prior to this, Panda ClientShield with TruPrevent™ Technologies had already obtained certification in the Client/Server Antivirus for Windows XP Professional and Windows 2003 category. For more information on the characteristics, certifications and awards given to this product, please visit the following website:
http://www.pandasoftware.com/products/clientshield.

Important phishing gang taken down in Spain

Posted in Phising by Antivirus-News on the December 26th, 2006

Spain’s Guardia Civil has this Thursday claimed to have broken up an important cybercriminal gang that carried out phishing attacks in the country. A total of six people were detained in the province of Malaga in the south of Spain following a year-long investigation carried out by the authorities in Navarre, a province in the northeast of the country.

The gang is thought to have been led by a 19-year-old youth of Moroccan origin. At least five of the gang’s members have been named as Moroccans, while the sixth detainee, a 21-year-old woman, originally came from Ceuta, a Spanish enclave in North Africa. The leader of the gang is a well-known hacker who has been involved in the business since he was 12 years old. Spanish authorities believe him to be one of the most eminent hackers in Europe at the moment.

Operation “Siluro”, as Spanish investigators named it, began after a complaint registered in Elizondo, Navarre, in April this year. From then on the police began monitoring phishing campaigns in Spain and looking for similarities that could lead them to identify the perpetrators. Having collected the necessary evidence they carried out organised raids in the Malaga region, finding at least 500 fake bankcards and a lot of counterfeit European passports in the process. The group is known to have collected personal banking details on at least 20,000 persons and held a database of 200,000 emails that was used in their phishing campaigns. Another peculiar method was to offer a half-price online mobile phone account charging service. Users attracted by the offer entered their bank details, which were then collected for later use in fraud operations. In order to launder stolen money they employed cybermules who transferred funds for a cut of the sum, as well as other methods such as making online purchases. In order to hide their trail the group used hacked computers and also hijacked unprotected wi-fi connections.

Spanish authorities have so far declined to quantify the damages caused by this gang, but the figure is thought to be “extremely significant”. Vicente Ripa, a representative of Navarre’s regional government tasked with explaining the operation to the press, called it an amazing success, citing the nature of the crime and the size of the gang that was apprehended. This is not the only success Spanish cybercrime fighters have enjoyed this year: Spain’s National Police dismantled another sizeable criminal group last September, detaining 23 people in the three coastal regions of Catalonia, Valencia and Andalusia.

No entry for viruses

Posted in Viruses, F-Secure, Norton by Antivirus-News on the December 25th, 2006

Imagine a virus-free world. Impossible? But what if an anti-virus solution could prevent even unknown viruses from entering one’s computer and did not need any updates or affect the computer’s performance?

Rudra Technologies Ltd says it has designed just such a solution, using a new technology that is under process for the USPTO patent.

With virus attacks increasing - in number and in complexity - it has become imperative for companies to think of new ways to curb this old menace.

Intention-based technology

Rudra’s software is built on ‘intention-based technology’ as opposed to the traditional signature (also called fingerprint) and heuristic-based technologies used by companies such as Norton, Symantec and McAfee, says N.S. Baskar, Managing Director, Rudra Technologies.

Signature technology uses a database to store the signature (a binary digit) of each virus discovered in the world. Signatures of files entering a computer are matched against the database.

If a match is found, a virus is detected and removed. Every time a virus attack occurs in any part of the world, the signature of the virus responsible for the attack is added to the database and the user is sent an update on the same. However, this technology is ineffective against new viruses whose signatures are yet to be discovered. Heuristic technology tackles this to an extent. It studies the pattern of virus entries in the past and prevents the next attack based on logical calculations. But this technology too is not foolproof against viruses. Rudra’s software stores information about the computer and not the virus, hence eliminating the need for databases.

The software uses filters to detect viruses. If a file or signature that seems incompatible with the computer tries to enter the system, it will be detected and thrown out, says Baskar.

But what if the virus is in a type of file that is compatible with the computer? Baskar says it will still be blocked, but declines to divulge details, with the patent application pending with the authorities.

For Rudra, new and old viruses are alike - each of them undergoes checks at the filter. This checking takes negligible time and does not affect the computer’s performance, says Baskar. As viruses are compared with the computer’s information and not a virus signature database, no patches or updates need to be sent to users.

Behavioural blocking

Other companies are also working to reduce dependence on traditional systems. F-Secure Security Labs is working on a ‘behavioural blocking’ mechanism that can be built over signature-based technology.

According to a recent survey by F-Secure, about one lakh computer viruses were discovered last year and about 1.5 lakh more are expected this year. Patrik Runald, Senior Security Specialist, F-Secure, says most virus attacks are targeted at a company or an important person.

“There are cases of viruses being sent through resumes in response to a company’s advertisement for vacant positions. In such cases, a Human Resources manager would never suspect a virus - and open the resume file,” he says. Common file extensions such as .exe, .xls, .doc and .ppt are used for targeted attacks.

To prevent such attacks, F-Secure’s solution ‘Deep Guard’ works on behavioural blocking technology that monitors the behaviour of a computer in real time. Monitored behaviour can include attempts to open, view, delete, or modify files, changing the logic of executable files and computer settings, besides scripting and sending e-mails with self-executable content.

If the behaviour blocker detects a program likely to initiate malicious behaviour, it will block the same, says Runald.

But this system also has its drawbacks. To identify the complete behaviour pattern of a malicious code, it must be run on the computer. During execution, a virus may misplace many files existing in the computer before finally being detected and blocked by the behavioural blocker. For the user, this misplacement of files is as bad as a virus-affected machine.

Foolproof or not, Internet security providers are certainly working on new approaches to take us closer to a virus-free world.
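An added example (this page's own illustration, not DeepGuard or any vendor's code) of the behaviour-blocking idea and of the drawback just described: a scorer that watches the behaviours listed above and blocks a process once its score crosses a threshold. The behaviour names, weights, threshold and the event stream are constructed for the example.

```python
# Added example, not from F-Secure or the original article: a minimal
# behaviour blocker. Each observed behaviour adds a weight to the process's
# score; when the score reaches BLOCK_THRESHOLD, further events from that
# process are refused. Weights and events are illustrative constructions.
from collections import defaultdict

# Behaviours the article lists as monitored, with illustrative weights.
WEIGHTS = {
    "open_file": 0,
    "view_file": 0,
    "delete_file": 1,
    "modify_file": 1,
    "modify_executable": 3,        # changing the logic of an executable file
    "change_startup_setting": 3,   # e.g. adding itself to a Run key
    "send_email_with_executable": 4,
}
BLOCK_THRESHOLD = 6


def run_behaviour_blocker(events):
    """events: iterable of (process, behaviour) tuples in execution order.
    Returns (blocked_processes, actions_before_block) where
    actions_before_block[p] counts how many of p's events ran before it was
    blocked; events after the block are dropped, i.e. the block is enforced."""
    scores = defaultdict(int)
    actions_before_block = defaultdict(int)
    blocked = set()
    for process, behaviour in events:
        if process in blocked:
            continue  # enforced block: later events never execute
        actions_before_block[process] += 1
        scores[process] += WEIGHTS.get(behaviour, 0)
        if scores[process] >= BLOCK_THRESHOLD:
            blocked.add(process)
    return blocked, dict(actions_before_block)


# Constructed event stream: a word processor behaving normally, and a payload
# dropped from a booby-trapped "resume" that deletes files, then sets persistence.
SAMPLE_EVENTS = [
    ("winword.exe", "open_file"),
    ("winword.exe", "modify_file"),
    ("payload.exe", "delete_file"),
    ("payload.exe", "delete_file"),
    ("payload.exe", "delete_file"),
    ("winword.exe", "view_file"),
    ("payload.exe", "change_startup_setting"),     # score reaches 6: blocked here
    ("payload.exe", "send_email_with_executable"),  # never executes
    ("winword.exe", "modify_file"),
]

if __name__ == "__main__":
    blocked, counts = run_behaviour_blocker(SAMPLE_EVENTS)
    print("blocked:", blocked)
    print("actions that ran before the block:", counts)
```

The count returned for payload.exe is the caveat in numbers: three file deletions had already executed by the time the startup change tipped the score over the threshold. A lower threshold catches it sooner but raises false positives on legitimate installers, which is the trade-off behaviour blockers live with.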

Sophos Warns of Windows Vista Image Spam

Posted in Viruses, Spams, Sophos by Antivirus-News on the December 24th, 2006

Security firm Sophos is reminding users of the threat posed by image spam following a new campaign, which claims to offer a cut-price edition of Microsoft Windows Vista.

Image spam, which uses a graphic embedded in an email rather than regular text, has grown in popularity amongst spammers attempting to communicate their marketing messages to Internet users. Often image spam is used for promoting stock pump-and-dump scams or drugs to help with weight loss and sexual performance. In the latest widespread campaign seen by Sophos experts, image spammers are offering a bargain edition of Microsoft’s new operating system, Windows Vista.

The spam email claims that the recipient can save $319.05 by downloading Windows Vista today.

It is not clear whether acting upon the spam would furnish the computer user with a pirated edition of Windows Vista or simply steal their credit card details.

“This widespread spam campaign carries all the hallmarks of a typical image spam. The spammer has added random noise in the form of speckled pixels to make the graphic slightly different on each sending, and users are told to type in the name of the website rather than clicking on a link,” said Graham Cluley, senior technology consultant for Sophos. “Approximately 30% of all spam is now using images to try and sneak past anti-spam filters. Computer users need to ensure that they have strong defenses in place or they will continue to be bombarded by nuisances like this.”

“The growth of image spam is one of the security stories of the year. Internet users should make it their New Year’s resolution to make 2007 the time they got wise to internet threats,” continued Cluley. “It’s worrying just how poorly educated people are about web and email threats. System administrators and security geeks know about informative websites like GetSafeOnline but the average man in the street hasn’t got a clue.”
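An added example, not from Sophos or the original article, of why the speckled-pixel trick works against one kind of filter and not another: an exact hash of the image bytes changes with every sending, while a coarse average hash (a standard perceptual-hashing technique, simplified here) is unchanged. The images and speckle positions are constructed arrays, not real spam samples.

```python
# Added example, not from the original article: exact fingerprinting versus a
# perceptual (average) hash over a constructed grayscale image with per-sending
# speckle noise. Image contents and speckle positions are constructed.
import hashlib


def make_base_image(size=16):
    """Constructed 16x16 grayscale image: dark left half, bright right half,
    standing in for a rendered text advert."""
    return [[0 if x < size // 2 else 255 for x in range(size)] for _ in range(size)]


def add_speckle(image, positions):
    """Return a copy with the listed pixels inverted, mimicking the random
    speckled pixels a spammer adds so that every sending differs."""
    noisy = [row[:] for row in image]
    for y, x in positions:
        noisy[y][x] = 255 - noisy[y][x]
    return noisy


def exact_hash(image):
    """Byte-exact fingerprint; changes with any single pixel."""
    raw = bytes(p for row in image for p in row)
    return hashlib.sha256(raw).hexdigest()


def average_hash(image, grid=4):
    """Downscale by block-averaging to grid x grid cells, then emit one bit per
    cell: 1 if the cell is brighter than the overall mean. A few speckles move
    a block average only slightly, so the bits stay the same."""
    size = len(image)
    block = size // grid
    cells = []
    for gy in range(grid):
        for gx in range(grid):
            total = sum(image[y][x]
                        for y in range(gy * block, (gy + 1) * block)
                        for x in range(gx * block, (gx + 1) * block))
            cells.append(total / (block * block))
    mean = sum(cells) / len(cells)
    return "".join("1" if c > mean else "0" for c in cells)


def hamming(a, b):
    """Number of differing bits between two hash strings of equal length."""
    return sum(x != y for x, y in zip(a, b))


# Two "sendings" of the same advert with different constructed speckle positions.
BASE = make_base_image()
SENDING_1 = add_speckle(BASE, [(1, 2), (7, 9), (12, 14), (3, 5)])
SENDING_2 = add_speckle(BASE, [(0, 13), (5, 1), (10, 10), (15, 6), (8, 3)])

if __name__ == "__main__":
    print("exact hashes equal:", exact_hash(SENDING_1) == exact_hash(SENDING_2))
    print("average-hash distance:", hamming(average_hash(SENDING_1), average_hash(SENDING_2)))
```

Fingerprinting spam images by a perceptual hash and matching within a small Hamming distance is what lets a filter recognise one campaign across its noisy variants; the distance threshold is tuned so that unrelated images, whose hashes differ in many bits, are not grouped together.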
