Image spam - a growing challenge
Hundreds of millions of spam email messages are sent every day, and spam already accounts for around 90% of all email worldwide. The problem has grown further with the rising volume of image spam.
Image spam is a serious and growing problem, not least because of its ability to circumvent traditional email spam filters and clog servers and inboxes. In just half a year image spam has grown to represent 35 per cent of all junk mail, and because every message carries a large image file it now accounts for some 70 per cent of the bandwidth that spam consumes.
Apart from taking up valuable bandwidth, the time taken to filter out and
destroy spam represents a significant burden on both IT staff and personnel
in businesses and organizations. At the same time, operators themselves are
building ever more efficient email servers and bandwidth capacity in order to
deliver emails that nobody wants!
Ironically, at the heart of the problem are ordinary computer owners
completely unaware that their computers are being used to launch the very
attacks that end up in their inboxes. This is achieved through botnets, where
computers are silently infected and activated as part of a larger raft of
computers to do the spammers’ bidding. The vast majority of spam is sent from these botnets of zombie computers.
To give some idea of the scale of the problem, a typical Warezov-based botnet can send 160 million spam messages in just two hours. Last year botnets raised the volume of spam in circulation by 30 per cent; for enterprises, often the target of spam attacks, the figure was 50 per cent.
Image spam started out as plain sales text rendered into a GIF, which was enough to bypass standard dictionary-based content filters. It has since evolved: current image spam is characterized by patchwork colours, multicolour characters and pixel-level randomization, so that no two copies of an image are byte-for-byte identical and a filter that fingerprints known spam images exactly never sees the same image twice. It also pads the message with random, nonsensical text sampled from legitimate web sites between the hard sell of Viagra and other popular pharmaceuticals, so that the surrounding text looks like ordinary mail to a text classifier.
In the war against this new menace are ever-more efficient spam filters. In
practice, all of the most recognized spam filter systems have upped their
game in order to deflect these new techniques. Technology aside, Mikko
Hypponen, Chief Research Officer at F-Secure believes there is a larger issue
to address - people themselves: “We will never rid ourselves of spam until
people stop buying the products advertised in these mails. Spam obviously
works, otherwise we would not see it so prevalently,” he concluded.
F-Secure Messaging Security Gateway has a unique approach to combat
image-based spam, and uses several advanced techniques specially designed to
detect image-based spam messages. These improved techniques in
Proofpoint-powered MLX include fuzzy matching for obfuscated images, dynamic
spam image detection, animated GIF spam detection and dynamic botnet
protection. Using these image-spam-specific techniques alongside its existing spam detection techniques, with fully automatic updates, F-Secure Messaging Security Gateway is able to provide a comprehensive solution to its customers.
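The difference between the exact fingerprints that pixel-level randomization defeats and the fuzzy image matching described above can be shown with a small worked example. The Python below is added here for illustration and is not F-Secure's or Proofpoint's code; the 16x16 greyscale "image", the noise amplitude and the 64-bit average hash (aHash) scheme are assumptions chosen to keep it self-contained.

```python
"""Exact vs. fuzzy matching of spam images.

Constructed example: a 16x16 greyscale 'image' is a list of rows of 0..255
integers. Pixel-level randomization breaks an exact (MD5) fingerprint but
leaves an average hash (aHash) unchanged, so a filter keyed on the fuzzy
hash still recognises the obfuscated copy.
"""
import hashlib
import random

SIZE = 16        # constructed image is SIZE x SIZE greyscale pixels
HASH_SIDE = 8    # aHash downsamples to HASH_SIDE x HASH_SIDE blocks -> 64-bit hash


def make_image(bright_rows, bright_cols, bg=40, fg=220):
    """Constructed stand-in for a spam image: a bright 'text block' on a dark background."""
    return [[fg if r in bright_rows and c in bright_cols else bg
             for c in range(SIZE)] for r in range(SIZE)]


def add_pixel_noise(img, amplitude, seed):
    """Pixel-level randomization of the kind spammers use to defeat exact fingerprints."""
    rng = random.Random(seed)
    return [[max(0, min(255, px + rng.randint(-amplitude, amplitude))) for px in row]
            for row in img]


def exact_hash(img):
    """Traditional fingerprint: a cryptographic digest of the raw pixel bytes."""
    return hashlib.md5(bytes(px for row in img for px in row)).hexdigest()


def average_hash(img):
    """aHash: downsample to HASH_SIDE x HASH_SIDE block means, then emit one bit per
    block (1 if the block is brighter than the overall mean). Small per-pixel noise
    rarely moves a whole block across that threshold, so the hash is stable."""
    block = SIZE // HASH_SIDE
    means = []
    for by in range(HASH_SIDE):
        for bx in range(HASH_SIDE):
            total = sum(img[r][c]
                        for r in range(by * block, (by + 1) * block)
                        for c in range(bx * block, (bx + 1) * block))
            means.append(total / (block * block))
    overall = sum(means) / len(means)
    bits = 0
    for m in means:
        bits = (bits << 1) | (1 if m > overall else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


def matches_known_spam(candidate, known_hashes, threshold=10):
    """Fuzzy lookup: spam if within `threshold` bits of any known spam image hash.
    The threshold trades false positives against robustness to heavier obfuscation."""
    h = average_hash(candidate)
    return any(hamming(h, k) <= threshold for k in known_hashes)


# Constructed inputs: a known spam image, a pixel-randomized copy, an unrelated image.
KNOWN_SPAM = make_image(range(4, 12), range(2, 14))
OBFUSCATED_COPY = add_pixel_noise(KNOWN_SPAM, amplitude=40, seed=1)
UNRELATED = make_image(range(0, 8), range(0, 8))

if __name__ == "__main__":
    known = {average_hash(KNOWN_SPAM)}
    print("md5 identical:", exact_hash(KNOWN_SPAM) == exact_hash(OBFUSCATED_COPY))
    print("aHash distance, copy:", hamming(average_hash(KNOWN_SPAM), average_hash(OBFUSCATED_COPY)))
    print("aHash distance, unrelated:", hamming(average_hash(KNOWN_SPAM), average_hash(UNRELATED)))
    print("copy flagged:", matches_known_spam(OBFUSCATED_COPY, known))
    print("unrelated flagged:", matches_known_spam(UNRELATED, known))
```

Exact hashing fails because a single changed pixel changes the digest; the block-average hash survives because noise has to move a whole block across the brightness mean to flip a bit. The `threshold` argument is the tuning knob: too high and unrelated images collide, too low and heavier obfuscation slips through.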
Phishers using Flash to evade filters
Cutting-edge phishers are creating websites in Flash to evade detection by toolbars, security experts said this week.
Instead of using HTML, cybercrooks are building pages using graphic animation technology so they are not flagged by most anti-phishing tools, said Mikko Hypponen, chief research officer of F-Secure. His firm viewed two examples, both targeting PayPal, which have since been taken offline.
“It’s no longer an HTML page with 20 different images,” he told SCMagazine.com today. “It’s just one file. It looks exactly the same. If you’re not careful, you won’t be able to tell the difference.”
Users can be tipped off that they are viewing a Flash site if they right-click on the page, which reveals some program options, Hypponen said.
“This (technique) seems pretty efficient until the URL becomes known (to blacklists), but in the meanwhile, it works,” he said.
Avivah Litan, a Gartner analyst who specializes in phishing research, told SCMagazine.com that new schemes such as this one highlight the need for better protection than phishing filters can offer.
“The crooks are always one step ahead of our technology, and this is another proof of that,” she said.
She said the burden falls on internet service providers, domain registrars and browser and email service providers to create and manage an identity layer on the web.
Researchers are hoping that planned high-assurance, extended validation SSL certificates will better assure a site’s legitimacy, Litan said.
But Steven Myers, assistant professor of informatics at Indiana University, Bloomington, said phishing attacks have gotten so sophisticated, users should assume “phishers are going to control what shows up on your screen.”
Litan said organizations will not get serious about internet security until a cyberattack to the degree of the events of Sept. 11, 2001 occurs, whether that is a mass posting of private information or the widespread takedown of online financial institutions.
How to crash a Windows mobile using MMS
Security researchers have released proof-of-concept code that exploits vulnerabilities in MMS implementations in mobile phones running mobile versions of Windows.
The vulnerability was discovered six months ago by security researcher Collin Mulliner, who published the exploit at the Chaos Communication Congress in Berlin last week in a bid to force manufacturers to deal with the issue.
The flaw involves buffer overflow vulnerabilities in the handling of SMIL (Synchronized Multimedia Integration Language), the markup that lays out the content of an MMS message. As a result, an over-long MMS message with malicious content appended can crash a phone in such a way as to place hostile code in the memory of the targeted device. The iPAQ 6315 and i-mate PDA2k are confirmed as vulnerable, but other devices running Pocket PC 2003 and Windows Smartphone 2003 are also likely to be at risk from the technique.
Even on devices confirmed as vulnerable the attacker needs to know the correct memory slot in which the MMS processing code is executing, so exploitation is far from easy. A malicious MMS message will most likely only crash a device rather than infect it, reports anti-virus firm F-Secure.
“While [this] is very significant, it does not pose an immediate danger to any large group of users. Although it is possible to create an MMS worm or other malware that uses the vulnerability, this particular exploit cannot be directly used in creating malware,” Jarno Niemela, a researcher at F-Secure’s Labs, writes.
Hackers Spam ‘Happy New Year’ Worm
A rootkit-cloaked worm is being heavily spammed to users as an attachment to “Happy New Year!” messages, a security researcher warned Friday.
The new worm, dubbed “Tibs” by Kaspersky Lab but pegged as a “Nuwar” variant by Trend Micro, comes disguised as a file attachment named “postcard.exe,” said Ken Dunham, director of VeriSign iDefense’s rapid response team, in an e-mail. Users who launch the executable will infect their PCs.
With antivirus signature updates still thin and over 160 servers spamming the new worm, the threat is significant, added Dunham. “The period of greatest risk is through the New Year’s holiday, when antivirus protection is the lowest for this new threat and users are most apt to click on a ‘New Year’s’ related message,” he said. “Everyone should be on guard for e-mails and other content potentially harboring malicious code during the holiday period.”
On at least one network the worm is generating as many as five spammed messages a second, iDefense reported.
The security intelligence firm’s research has identified more than a dozen pieces of malicious code — including zombie-making bot Trojans — installed by Tibs after it has gained a foothold on a PC. Two rootkits are also installed to mask the malware from antivirus scanners, and the worm also disables the Windows firewall, as well as several security programs, including F-Secure’s BlackLight rootkit scanner. The worm spreads by spamming itself to addresses it steals from the user’s files.
“This is a classic iceberg threat,” said Dunham, “where multiple codes are installed and then protected with rootkit technology.”
KaZaA Worm
What do you get when you cross a file sharing network with a person desperate for advertising dollars? A worm that drives hits to a website, of course. Dubbed by various antivirus vendors as Worm.Kazaa.Benja or W32/Benjamin, the Benjamin worm disguises itself as an array of popular music and video selections. Unsuspecting KaZaA users who search on one of these topics will be presented with a file list of appropriate titles that aren’t legitimate files but rather the Benjamin worm. When the file is downloaded and run, users will be presented with a fake error message:
Access error #03A:94574: Invalid pointer operation
File possibly corrupted.
Behind the scenes, the worm is busy creating a new shared folder and adding hundreds of copies of itself, all with fake titles matching popular search requests. Antivirus vendor F-Secure reports that over 2000 titles are used.
Examples include:
“Deepest Purple-The Very Best of Deep Purple - Smoke on the Water”
“Metallica - Until it sleeps”
“Johann Sebastian Bach - Brandenburg Concerto No 4”
“South Park Vol.3-divx-full-downloader”
“Star wars Episode 1-divx-full-downloader”
“F1 Racing Championship-Games-full-downloader”
“Chessmaster 8000-Games-full-downloader”
“Apparently the worm was written to make money for the virus writer”, comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. The worm opens a web page named benjamin.xww.de which contained advertisements. “Now the page has been taken down, but if the virus author got money based on ad views, he might have created some cashflow here”. After displaying the false error message, Benjamin creates a copy of itself named EXPLORER.SCR in the Windows\System directory and modifies the registry so that the copy is loaded at startup. According to F-Secure, the Benjamin worm spreads only to and from computers that have the KaZaA client software installed.
Manual Removal
If infected with the Benjamin worm, the following registry keys will have been modified to include the values shown:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="0065D7DB20008306B6A1"
Locate and delete the values shown.
Locate and delete the file EXPLORER.SCR.
Locate and delete the Sys32 subfolder located in the Windows Temp folder.
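The manual removal steps above can be turned into a check that runs against a registry export copied off the suspect machine, which avoids hunting through regedit by hand. The Python below is an added example, not F-Secure's tool: it parses the .reg export format, reports the two indicators listed above and prints the `reg delete` commands that remove them. Both exports it parses are constructed, and `reg.exe` is assumed to be available (Windows XP and later; on Windows 9x the values still have to be deleted in regedit).

```python
"""Check a registry export for the Benjamin worm's persistence entries.

Parses text in the .reg export format (what regedit's Export and `reg export`
produce) so the check can run offline against a file copied off the suspect
machine. Note that regedit 5 writes .reg files as UTF-16LE; open them with
encoding="utf-16" when reading from disk. Both sample exports are constructed.
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft"
DROPPED_FILE = "EXPLORER.SCR"   # the worm's copy of itself, per the write-up above

SAMPLE_INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="0065D7DB20008306B6A1"
'''

SAMPLE_CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft]
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.
    .reg files escape backslashes and double quotes inside string data; undo that."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def values_under(keys, path):
    """Registry paths are case-insensitive; exports may spell SOFTWARE or Software."""
    for key, vals in keys.items():
        if key.lower() == path.lower():
            return vals
    return {}


def find_benjamin_indicators(keys):
    """Return (key, value_name, data) for the Run entry loading EXPLORER.SCR and for the
    'syscod' marker. Matching on the file name rather than on 'System-Service' also
    catches a copy registered under a different value name."""
    findings = []
    for name, data in values_under(keys, RUN_KEY).items():
        if data.upper().endswith("\\" + DROPPED_FILE):
            findings.append((RUN_KEY, name, data))
    marker = values_under(keys, MARKER_KEY)
    if "syscod" in marker:
        findings.append((MARKER_KEY, "syscod", marker["syscod"]))
    return findings


def removal_commands(findings):
    """One `reg delete` per finding: /v names the value, /f skips the confirmation prompt."""
    return ['reg delete "%s" /v %s /f' % (key.replace("HKEY_LOCAL_MACHINE", "HKLM"), name)
            for key, name, _ in findings]


if __name__ == "__main__":
    hits = find_benjamin_indicators(parse_reg_export(SAMPLE_INFECTED_EXPORT))
    for key, name, data in hits:
        print("found %s\\%s = %s" % (key, name, data))
    for cmd in removal_commands(hits):
        print(cmd)
    print("clean export:", find_benjamin_indicators(parse_reg_export(SAMPLE_CLEAN_EXPORT)))
```

Delete the Run value before deleting EXPLORER.SCR and the Sys32 folder, otherwise a reboot simply fails to find the file; the `syscod` marker is harmless on its own but is the quickest way to confirm a past infection.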
No entry for viruses
Imagine a virus-free world. Impossible? But what if an anti-virus solution could prevent even unknown viruses from entering one’s computer and did not need any updates or affect the computer’s performance?
Rudra Technologies Ltd says it has designed just such a solution, using a new technology for which a patent application is pending with the USPTO.
With virus attacks increasing - in number and in complexity - it has become imperative for companies to think of new ways to curb this old menace.
Intention-based technology
Rudra’s software is built on `intention based technology’ as opposed to the traditional signature (also called fingerprint) and heuristic-based technologies used by companies such as Norton, Symantec and McAfee, says N.S. Baskar, Managing Director, Rudra Technologies.
Signature technology keeps a database of signatures, distinctive byte sequences, one for each virus discovered anywhere in the world. Files entering a computer are matched against that database.
If a match is found, a virus is detected and removed. Every time a virus attack occurs in any part of the world, the signature of the virus responsible is added to the database and pushed to users as an update. This technology is therefore ineffective against new viruses whose signatures are not yet known. Heuristic technology closes the gap to an extent: instead of an exact match it looks for code and structural features typical of past malware and blocks files that score as suspicious. But it is not foolproof either, and it produces false positives. Rudra’s software stores information about the computer and not about the virus, hence eliminating the need for a signature database.
The software uses filters to detect viruses. If a file or signature that seems incompatible with the computer tries to enter the system, it will be detected and thrown out, says Baskar.
But what if the virus is in a type of file that is compatible with the computer? Baskar says it will still be blocked, but declines to divulge details, with the patent application pending with the authorities.
For Rudra, new and old viruses are alike - each of them undergoes checks at the filter. This checking takes negligible time and does not affect the computer’s performance, says Baskar. As viruses are compared with the computer’s information and not a virus signature database, no patches or updates need to be sent to users.
Behavioural blocking
Other companies are also working to reduce dependence on traditional systems. F-Secure Security Labs is working on a `behavioural blocking’ mechanism that can be built over signature-based technology.
According to a recent survey by F-Secure, about 100,000 (one lakh) computer viruses were discovered last year and about 150,000 more are expected this year. Patrik Runald, Senior Security Specialist, F-Secure, says most virus attacks are targeted at a company or an important person.
“There are cases of viruses being sent through resumes in response to a company’s advertisement for vacant positions. In such cases, a Human Resources manager would never suspect a virus, and would open the resume file,” he says. Common file extensions such as .exe, .xls, .doc and .ppt are used for targeted attacks. To prevent such attacks, F-Secure’s `DeepGuard’ works on behavioural blocking technology that monitors the behaviour of a computer in real time. Monitored behaviour can include attempts to open, view, delete or modify files, changing the logic of executable files and computer settings, as well as scripting and sending e-mails with self-executable content.
If the behaviour blocker detects a program likely to initiate malicious behaviour, it will block the same, says Runald.
But this system also has its drawbacks. To identify the complete behaviour pattern of a malicious program, it must be allowed to run on the computer, and by the time the behavioural blocker recognises and stops it the virus may already have modified or deleted many files. For the user, that damage is as bad as an infected machine. Foolproof or not, Internet security providers are certainly working on new approaches to take us closer to a virus-free world.
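The two approaches described in this piece, and the drawback noted above, can be shown side by side. The Python below is an added example and is neither Rudra's filter nor F-Secure's DeepGuard; the signature bytes, the "repacked" variant, the rule set and the per-process event streams are constructed stand-ins for what a real product would get from hooks on file, registry and network calls.

```python
"""Signature matching vs. behavioural blocking, side by side.

A byte-pattern signature catches the known sample and misses a one-byte
variant; a behaviour monitor catches the variant because it still does the
same things, but only after some of those things have already happened.
All data below is constructed.
"""
from collections import namedtuple

Event = namedtuple("Event", "process action target")

# Signature database: one distinctive byte sequence per known sample (constructed).
SIGNATURES = {"Mailer.A": b"\x68\x65\x6c\x6c\x6f\x90\x90\xe8"}

# Behaviour rules: a process that exhibits every action in a set is blocked.
RULES = {
    "mass-mailer": frozenset({"modify_executable", "send_mail"}),
    "protection-tamper": frozenset({"disable_security", "write_autostart"}),
}


def signature_scan(sample, signatures=SIGNATURES):
    """Exact pattern match. A repacked or edited copy with identical behaviour is missed."""
    return [name for name, pattern in signatures.items() if pattern in sample]


def behaviour_monitor(events, rules=RULES):
    """Track actions per process and deny the action that completes a rule.

    Returns None if nothing was blocked, otherwise the process, the rule, the
    denied event and the events of that process that had already executed. That
    last list is the drawback described above: everything before the triggering
    call has already happened on the machine.
    """
    seen = {}
    executed = []
    for ev in events:
        actions = seen.setdefault(ev.process, set())
        would_have = actions | {ev.action}
        for rule, required in rules.items():
            if required <= would_have:
                return {"blocked": ev.process, "rule": rule, "denied": ev,
                        "already_executed": [e for e in executed if e.process == ev.process]}
        actions.add(ev.action)      # allowed through: record it and move on
        executed.append(ev)
    return None


# Constructed samples: the known one, and a copy with one byte changed inside the signature.
KNOWN_SAMPLE = b"MZ" + b"\x00" * 6 + SIGNATURES["Mailer.A"] + b"\x00" * 8
REPACKED_VARIANT = KNOWN_SAMPLE.replace(b"\x90\x90", b"\x90\x40")

# Constructed event streams, as a hooking layer might report them.
VARIANT_EVENTS = [
    Event("resume_viewer.exe", "write_file", r"C:\TEMP\resume.tmp"),
    Event("resume_viewer.exe", "modify_executable", r"C:\WINDOWS\explorer.exe"),
    Event("resume_viewer.exe", "change_setting", "Firewall\\Enabled=0"),
    Event("resume_viewer.exe", "send_mail", "smtp://mail.example.test (attachment resume.exe)"),
]
BENIGN_EVENTS = [
    Event("outlook.exe", "send_mail", "smtp://mail.example.test"),
    Event("setup.exe", "modify_executable", r"C:\Program Files\App\app.exe"),
]

if __name__ == "__main__":
    print("signature, known sample:", signature_scan(KNOWN_SAMPLE))
    print("signature, repacked variant:", signature_scan(REPACKED_VARIANT))
    verdict = behaviour_monitor(VARIANT_EVENTS)
    print("behaviour, variant:", verdict["rule"], "blocked at", verdict["denied"].action,
          "after", len(verdict["already_executed"]), "actions had run")
    print("behaviour, benign:", behaviour_monitor(BENIGN_EVENTS))
```

The benign stream shows why the rules are conjunctions: a mail client sends mail and an installer modifies executables, but no single benign process here does both. The `already_executed` list is what a behaviour blocker cannot undo on its own, which is why real products pair it with signatures to stop known samples before they run.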
Phishing site domains shouldn’t be registered
Security analysts and anti-malware organisations are going after those who spread viruses and other pieces of nasty software.
Security analyst F-Secure is asking domain-name registration companies to be more proactive in keeping phishing sites off the Internet by checking the details of the person registering a domain.
The company has found a recent registration of "signin-ebay-c.com", and says it has found registrations of variants on the names of well-known banks numbering in the thousands.
These types of domain names are obviously destined for phishing sites, where hackers try to trick people into entering login information and personal details on sites that mimic authentic, secure sites.
F-Secure notes that many of the contact details for the phishing domains are bogus and, in an open letter, has requested that domain registration agencies refuse to register such domains.
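A registrar doing the kind of check F-Secure asks for would look at the requested name itself as well as at the contact details. The Python below is an added example, not F-Secure's code: it splits a name into its registrable label and public suffix, and flags names that use a watch-listed brand without being the brand's own domain. The brand list, the credential-harvesting tokens, the tiny public-suffix table and the registration feed are all constructed; production code would use the real Public Suffix List and the brands' confirmed registrations.

```python
"""Flag newly requested domain names that borrow a protected brand.

Constructed watch-list and feed. PUBLIC_SUFFIXES is a tiny stand-in for the
Public Suffix List; without it 'barclays.co.uk' would be split wrongly.
"""
import re

BRANDS = {"ebay", "paypal", "citibank", "barclays"}
PHISH_TOKENS = {"signin", "login", "secure", "verify", "update", "account", "online", "banking"}
PUBLIC_SUFFIXES = {"co.uk", "com.ar", "com.au"}   # two-label suffixes; all others one label


def split_domain(fqdn):
    """Return (subdomain_labels, registrable_label, public_suffix) for a host name.
    The registrable label is what the registrar actually sells; labels to its left
    are under the registrant's control and can spell anything."""
    labels = fqdn.lower().rstrip(".").split(".")
    suffix_len = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return [], "", ".".join(labels)
    return labels[:-suffix_len - 1], labels[-suffix_len - 1], ".".join(labels[-suffix_len:])


def assess(fqdn, brands=BRANDS, phish_tokens=PHISH_TOKENS):
    """Classify one name.

    - registrable label equal to a brand: treated as the brand's own domain
    - a brand anywhere else (hyphenated, as a substring, or in a subdomain of an
      unrelated registrable name): suspicious
    - credential-harvesting words such as 'signin' or 'verify' are reported too
    """
    subs, registrable, suffix = split_domain(fqdn)
    if registrable in brands:
        return {"domain": fqdn, "suspicious": False, "brands": [registrable], "tokens": [],
                "reason": "registrable label is the brand itself"}
    tokens = [t for label in subs + [registrable] for t in re.split(r"[-_]", label) if t]
    # Substring match catches 'ebaysecure'; keep very short brand names off the list
    # or this will over-match.
    brand_hits = sorted(b for b in brands if any(b in t for t in tokens))
    token_hits = sorted({t for t in tokens if t in phish_tokens})
    return {"domain": fqdn, "suspicious": bool(brand_hits), "brands": brand_hits,
            "tokens": token_hits,
            "reason": "brand used in a name the brand does not own" if brand_hits
            else "no watch-listed brand present"}


def triage(registrations):
    """Return only the assessments an abuse desk should look at."""
    return [a for a in map(assess, registrations) if a["suspicious"]]


# Constructed feed: the name from the report above, two look-alikes, three legitimate names.
FEED = ["signin-ebay-c.com", "paypal-verify-account.net", "ebay.com.secure-update.org",
        "ebay.com", "www.barclays.co.uk", "example.com"]

if __name__ == "__main__":
    for a in triage(FEED):
        print(a["domain"], a["brands"], a["tokens"], a["reason"])
```

The third feed entry shows why the split matters: "ebay.com.secure-update.org" is a registration of secure-update.org with the brand pushed into a subdomain, which a naive check on the second-level label would miss.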
In related news, the Center for Democracy and Technology and StopBadware.org have teamed up to ask US federal regulators to take action against FastMP3Search.com.ar.
The site, which is registered in Argentina, advertises itself as a search engine for MP3 files, but StopBadware.org has been unable to download a single MP3 from it.
Instead, the site plants all sorts of nasty software on a victim’s PC when he or she downloads a small application that supposedly allows them to download the music files. A representative of StopBadware.org called the files that were downloaded "a parade of uglies".
Both organisations want the Federal Trade Commission (FTC) to find out who is responsible for the site and go after them.
Looking beneath the surface - the F-Secure 2006 Data Security Wrap-up
Although the number of known viruses kept growing at a steady pace, 2006 saw a remarkable drop in the volume of visible attacks by worms, viruses and other malware. At the same time, however, targeted attacks using backdoors, booby-trapped document files and rootkits became increasingly commonplace, and spam reached new record-breaking heights.
One of the largest email worm outbreaks of 2006, Warezov proved to be a lot more complicated than first imagined. A long-running battle against it revealed a well-orchestrated campaign to evade detection and generate a huge volume of spam.
Research by F-Secure has also revealed dangerous cross-site scripting (XSS) vulnerabilities in many of the most popular social networking sites. Could this be the next big thing for malware authors intent on unleashing a widespread web application worm?
In the mobile malware world, F-Secure has seen a steady rise in malware, both adapted from existing code and entirely new. Investigations into mobile spyware also revealed a thriving industry of companies selling software to spy on other people’s mobile phone communications.
For more information about these and other stories, consult "F-Secure 2006 Data Security Wrap-up". In addition to being available for download as a PDF file, F-Secure has prepared video and audio podcast versions of the wrap-up featuring Chief Research Officer Mikko Hypponen.
Please see http://www.f-secure.com/2006/2/ for more.