Antivirus News


Trend Micro preps Vista security suite

Posted in Viruses, Spams, Trend Micro, DDos, Phising by Antivirus-News on the January 19th, 2007

Trend Micro will begin shipping its Certified for Windows Vista Internet security suite on 30 January.

The security firm’s Internet Security 2007 has been available for Windows XP and older versions since September 2006. But the full suite will shortly be made available for Vista users.

For Windows Vista consumers just wanting antivirus and anti-spyware, the company announced that the Certified for Windows Vista Trend Micro AntiVirus plus AntiSpyware 2007 will be available on the same day.

The Vista product incorporates the Trend Micro PC-cillin engine and anti-malware protection along with a host of new features addressing rootkits, spyware, phishing, spam, hacking, viruses, Wi-Fi attacks, smartphone threats and the growing number of identity-theft threats.

The subscription also includes TrendSecure online security services.

Ben Fathi, corporate vice president of the Security Technology Unit at Microsoft, said: “Our security partners play a vital role in the early adoption, development and delivery of Microsoft technologies.”

Experts warn of browser ‘tab-jacking’

Posted in Viruses, Trend Micro, Phising by Antivirus-News on the January 12th, 2007

A nuisance known as “tab-jacking” may soon begin stalking internet users, according to security experts.

Tab-jacking involves exploiting a feature found in the latest internet browsers, including Microsoft’s new version of Internet Explorer, IE7, and the rival open source browser Firefox. Both programs let users open several web pages within a single browser window and switch between them quickly by clicking on the tabs at the top of the window.

The aim is to make surfing simpler while also using less of the computer’s memory, since new browser windows do not need to be opened. However, it may also open up new opportunities for so-called adware programs, claims Ed English, chief technology officer of security firm Trend Micro, based in California, US.

Security settings

Adware programs can be installed on a PC unwittingly, but they can also exploit software bugs or lowered security settings to wriggle onto a machine. Such programs may generate unwanted pop-up web pages or redirect a browser to different pages. Soon, English says, these pests may start hijacking web browser tabs too.

Researchers at Trend Micro created a prototype program that demonstrates how easily an adware program could take control of a browser’s tabs.

The effect could be more annoying than pop-up adverts, English claims, since the rogue tab would be buried among the user’s genuine tabs.

The problem will also remain as long as the adware responsible remains on a computer. “Even if the user manually shuts down the hijacked browser tab, when he next restarts, the adware tab will be restored,” English says.

Increasing threat

English believes that tab-jacking may increase once Microsoft’s new operating system, Windows Vista, is released this year, as it comes bundled with IE7.

Mikko Hypponen, chief research officer at Finnish computer security firm F-Secure, agrees that adware writers will be unable to resist tab-jacking. “I think it’s inevitable,” he says.

Hypponen is also concerned that the trick could provide another way to carry out financial scams. Hijacked tabs could perhaps be made to replace legitimate pages, posing as the log-in page for an online bank, for example.

Microsoft did not respond to requests for comment by time of posting.

UK chip and PIN payment system faces new threat

Posted in Kaspersky, Phising by Antivirus-News on the January 10th, 2007

When chip and PIN was rolled out across Britain on 14 February 2006, it was presented as a major step against bankcard fraud and a foolproof way of securing card payments. Since then there have been several scares, but overall the system proved to be secure and an important asset in fighting retail fraud.

However, new research from Cambridge has cast serious doubt on the robustness of chip and PIN terminals against tampering. The method involves reprogramming a handheld payment terminal so that it records the card details and PIN keyed in by the customer during a payment. According to the Cambridge University researchers who sounded the alarm, the attack could easily be replicated, and criminals could substitute “fake” payment terminals without shoppers suspecting anything.

APACS, Britain’s payment clearing organisation, has acknowledged the seriousness of the problem and admitted it is in talks with payment terminal manufacturers to see what can be done to protect users. An APACS spokesperson also tried to allay fears, saying that the experts carried out the reprogramming under lab conditions and that it is not a “realistic threat to retailers”. The organisation also underlined that chip and PIN payment terminals were described as “tamper-resistant”, not “tamper-proof”.

This is not the first hacking incident involving the new payment system: in 2006 Shell had to suspend chip and PIN at its petrol stations after it emerged that as much as £1 million had been siphoned off by criminals who tampered with payment terminals. Chip and PIN users were also warned in 2006 that cloned cards could be used to withdraw money abroad, where terminals only read the magnetic stripe of the card.

 

Phishers using Flash to evade filters

Posted in F-Secure, Phising by Antivirus-News on the January 5th, 2007

Cutting-edge phishers are creating websites in Flash to evade detection by toolbars, security experts said this week.
Instead of using HTML, the crooks build the page as a single Flash animation, so that it is not flagged by most anti-phishing tools, which inspect the page’s HTML, said Mikko Hypponen, chief research officer of F-Secure. His firm has seen two examples, both targeting PayPal, which have since been taken offline.

“It’s no longer an HTML page with 20 different images,” he told SCMagazine.com today. “It’s just one file. It looks exactly the same. If you’re not careful, you won’t be able to tell the difference.”

Users can tell that they are looking at a Flash movie rather than an HTML page by right-clicking on it: the Flash Player context menu appears instead of the browser’s usual page menu, Hypponen said.

“This (technique) seems pretty efficient until the URL becomes known (to blacklists), but in the meanwhile, it works,” he said.
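As an added illustration (this is not code from F-Secure or from the article), the following Python script contrasts the kind of keyword filter an all-Flash page slips past, which looks for phishing vocabulary in a page’s visible text, with a structural heuristic that flags an HTML “shell” whose only content is a single embedded .swf, the shape Hypponen describes. Both sample pages are constructed for the demonstration, and the term list and the visible-text threshold are illustrative assumptions.

```python
"""Keyword filter vs. structural heuristic for all-Flash phishing pages.

Added example, not code from F-Secure or the article. The two sample
documents below are constructed for the demo; PHISH_TERMS and the
150-character visible-text threshold are illustrative assumptions.
"""
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
PHISH_TERMS = ("paypal", "password", "log in", "verify your account")


class _PageScan(HTMLParser):
    """Collect visible text, HTML form fields and embedded SWF references."""

    def __init__(self):
        super().__init__()
        self.text = []          # visible text fragments
        self.form_fields = 0    # <input>/<textarea>/<select> present in the HTML
        self.swf_refs = []      # distinct SWF URLs referenced by object/embed/param
        self._hidden = 0        # depth inside <script>/<style>; that text is not shown

    def _add_swf(self, url):
        if url and url not in self.swf_refs:
            self.swf_refs.append(url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag in ("input", "textarea", "select"):
            self.form_fields += 1
        elif tag == "embed" and (a.get("src", "").lower().endswith(".swf")
                                 or a.get("type", "").lower() == FLASH_MIME):
            self._add_swf(a.get("src"))
        elif tag == "object" and (a.get("data", "").lower().endswith(".swf")
                                  or a.get("type", "").lower() == FLASH_MIME):
            self._add_swf(a.get("data"))
        elif tag == "param" and a.get("name", "").lower() == "movie":
            self._add_swf(a.get("value"))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text.append(data)


def _scan(html):
    p = _PageScan()
    p.feed(html)
    p.close()
    return p


def keyword_filter(html):
    """The check an all-Flash page evades: phishing vocabulary in visible text."""
    text = " ".join(_scan(html).text).lower()
    return any(term in text for term in PHISH_TERMS)


def flash_shell_heuristic(html, max_text_chars=150):
    """Flag an HTML shell whose only content is one Flash movie: almost no
    visible text, no HTML form fields, exactly one SWF referenced.
    Returns the verdict together with the evidence so it can be logged."""
    p = _scan(html)
    visible_chars = len("".join("".join(p.text).split()))
    suspicious = (len(p.swf_refs) == 1
                  and visible_chars < max_text_chars
                  and p.form_fields == 0)
    return {"suspicious": suspicious, "swf": list(p.swf_refs),
            "visible_chars": visible_chars, "form_fields": p.form_fields}


# Constructed sample 1: a conventional HTML phish (images plus a login form).
HTML_PHISH = """<html><head><title>PayPal - Log In</title></head><body>
<img src="logo.gif"><h1>Log in to your PayPal account</h1>
<form action="http://example.invalid/collect.php" method="post">
Email <input name="u"> Password <input name="p" type="password">
<input type="submit" value="Log In"></form>
<p>Please verify your account to avoid suspension.</p></body></html>"""

# Constructed sample 2: the same page rendered entirely inside one SWF.
FLASH_PHISH = """<html><head><title>Welcome</title>
<style>body{margin:0;background:#fff}</style></head><body>
<object type="application/x-shockwave-flash" data="login.swf"
        width="100%" height="100%">
<param name="movie" value="login.swf"></object></body></html>"""

if __name__ == "__main__":
    for name, page in (("HTML phish", HTML_PHISH), ("Flash phish", FLASH_PHISH)):
        print(name, "| keyword filter:", keyword_filter(page),
              "| flash-shell heuristic:", flash_shell_heuristic(page))
```

The structural heuristic is a triage signal, not proof: legitimate Flash-only sites of the period have the same shape, so a real filter would combine it with the URL blacklist lookup Hypponen refers to and with a check on where the SWF is hosted relative to the brand it imitates.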

Avivah Litan, a Gartner analyst who specializes in phishing research, told SCMagazine.com that new schemes such as this one highlight the need for better protection than phishing filters can offer.

“The crooks are always one step ahead of our technology, and this is another proof of that,” she said.

She said the burden falls on internet service providers, domain registrars and browser and email service providers to create and manage an identity layer on the web.

Researchers are hoping that planned high-assurance, extended validation SSL certificates will better assure a site’s legitimacy, Litan said.

But Steven Myers, assistant professor of informatics at Indiana University, Bloomington, said phishing attacks have gotten so sophisticated, users should assume “phishers are going to control what shows up on your screen.”

Litan said organizations will not get serious about internet security until a cyberattack to the degree of the events of Sept. 11, 2001 occurs, whether that is a mass posting of private information or the widespread takedown of online financial institutions.

 

Phishers’ Latest Platforms: VoIP, SMS

Posted in Viruses, Symantec, Phising by Antivirus-News on the December 28th, 2006

Phishers have branched out beyond e-mail, a security researcher said, and are now exploring both VoIP and text messaging as attack avenues.

Voice over IP is attractive to identity fraudsters, said Zulfikar Ramzan of Symantec’s Advanced Threat Research group, in a company blog entry Tuesday, because it’s an affordable way to dial large numbers of phone numbers. Dubbed “vishing” for voice phishing, “such attacks can be conducted cheaply enough that phishers might see a sufficient return on their investment,” Ramzan said. Phishers substitute phone numbers for URLs in traditional e-mailed come-ons or dial consumers directly, circumventing e-mail entirely.

Another tactic, said Ramzan, is “smishing,” for SMS phishing. “A victim might receive a phone [text] message saying that he or she will be charged $x per day if a fictitious order at a particular Web site isn’t cancelled,” he said. “In a panic, the victim then visits the site to cancel the order [but] in the process the victim will end up with malicious software on his or her machine.”

Symantec has also accumulated evidence that some phishers are harvesting user names and passwords, together with the codes produced by two-factor authentication token generators, fast enough to use them before they expire, and are using one-time, quickly discarded URLs to avoid site blacklisting, a common anti-phishing technique.

“Phishers have demonstrated that they really mean business,” Ramzan said. “Their attacks have become more frequent, more varied, and quite frankly more innovative. We must continuously out-innovate them and persistently redouble our efforts.”

Top Ten viruses most frequently detected by Panda ActiveScan in 2006

Posted in Viruses, Panda, Phising by Antivirus-News on the December 28th, 2006

The absence of large-scale virus epidemics has, once again, been the most notable characteristic of the year. In fact, the list of frequently detected viruses during 2006 has varied little throughout the year. This does not mean, however, that there is a lower risk of infection. What is happening is that the attacks have become more silent and more specific, as they are increasingly motivated by financial gain rather than simply gratuitously attacking users’ computers. A report produced by PandaLabs in the third quarter of 2006 revealed that 72 percent of Internet threats were financially motivated (http://www.pandasoftware.com/about/press/viewnews?noticia=8071).

So, malware is just as prevalent as always, if not more so, and more pernicious, if that were possible, than before, as today’s attackers are after your money. “Despite what people may think,” explains Luis Corrons, director of PandaLabs, “the risk of virus infection is greater than ever. Firstly, due to the strategy of simultaneously distributing numerous variants of a malicious code, as was the case with Bagle or Gaobot, thereby increasing the chances of infection, and secondly, because the majority of attacks are now financially motivated, and are therefore more discreet.”

As mentioned, the large-scale threats are disappearing, but there has still been a series of particularly virulent attacks which merit our close attention. With this in mind, Panda Software has published the Top Ten of the viruses most frequently detected in 2006.

In first place, for the second successive year, is Sdbot.ftp. This malware first appeared in 2004 and six months later took first place in our Top Ten ranking; it has not budged since. The severity of this worm is classified as “medium”, and there have been several variants, all with the same modus operandi: scanning random IP addresses, exploiting system vulnerabilities and then downloading a copy of the worm onto the compromised machine via FTP. In 2006, Sdbot.ftp was responsible for 2.62 percent of all infections.

Another veteran in the ActiveScan ranking, second overall in 2006, is Netsky.P. This worm, detected in 1.22 percent of positive cases, first appeared in 2004 and spreads via email and P2P file-sharing applications. Notably, it exploits the IFRAME vulnerability in Internet Explorer (detected as Exploit/iframe), for which a fix has been available for some time now.

In third place this year is Exploit/Metafile. Responsible for just over 1 percent of infections, this malicious code exploits a critical vulnerability in the GDI32.DLL library of Windows 2000/XP/2003. On an unpatched computer, opening a crafted Windows Metafile (WMF) image allows the attacker’s code to run, which can then be used, for example, to download and run spyware.

Tearec.A is in fourth place. This worm, which spreads via email and across computer networks, can disable and terminate certain antivirus programs. Fifth place is occupied by the Qhost.gen Trojan, found to be the culprit on 0.76 percent of infected computers. The remaining places in the ranking are occupied by Torpig.A, a Trojan that steals passwords saved by certain Windows services; Sober.AH (CME-681), a worm that terminates several processes, including some belonging to security tools; Parite.B, a virus that infects PE files with EXE or SCR extensions; Gaobot.gen, a generic detection for the Gaobot family of worms, which exploit software vulnerabilities; and Bagle.pwdzip, a detection for the notorious Bagle family.

Virus                % of infections
W32/Sdbot.ftp         2.62
W32/Netsky.P          1.22
Exploit/Metafile      1.08
W32/Tearec.A          0.79
Trj/Qhost.gen         0.76
Trj/Torpig.A          0.69
W32/Sober.AH          0.67
W32/Parite.B          0.62
W32/Gaobot.gen        0.55
W32/Bagle.pwdzip      0.54

Other conclusions that can be drawn from this year’s ranking include:

- The continuing threat of financial fraud: Sdbot holds, for the second year running, first place in our Top Ten. This is a typical bot/worm designed to exploit system vulnerabilities for financial gain, highlighting the growth of this type of attack. Similarly, threats like Exploit/Metafile or Torpig.A, which are also high up the list, demonstrate this increasingly prevalent trend.

- Variations of worms: Hackers are now tending to launch different variants of the same type of malware in a very short period of time in order to increase the probability of computers being infected. This is the case with Qhost, Gaobot or Bagle. Sdbot, the first in the ranking, has also undergone significant variations over recent months.

- Infections: In 2005, the first nine threats on the list were each responsible for more than 1 percent of infections, while in 2006 only the first three reached that percentage. This should not be understood as an indication that there is less malware; on the contrary, it suggests that detections are spread across more malware in circulation.

All users that want to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free, online solution available at: www.pandasoftware.com/activescan. This allows users to thoroughly scan their computers if they suspect they have been infected.

More information about these and other threats is available in Panda Software’s Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/

Important phishing gang taken down in Spain

Posted in Phising by Antivirus-News on the December 26th, 2006

Spain’s Guardia Civil has this Thursday claimed to have broken up an important cybercriminal gang that carried out phishing attacks in the country. A total of six people were detained in the province of Malaga in the south of Spain following a year-long investigation carried out by the authorities in Navarre, a province in the northeast of the country.

The gang is thought to have been led by a 19-year-old youth of Moroccan origin. At least five of the gang’s members have been named as Moroccans, while the sixth detainee, a 21-year-old woman, originally came from Ceuta, a Spanish enclave in North Africa. The leader of the gang is a well-known hacker who has been involved in the business since he was 12 years old. Spanish authorities believe him to be one of the most eminent hackers in Europe at the moment.

Operation “Siluro”, as Spanish investigators named it, began after a complaint was registered in Elizondo, Navarre, in April this year. From then on the police monitored phishing campaigns in Spain, looking for similarities that could lead them to the perpetrators. Having collected the necessary evidence, they carried out coordinated raids in the Malaga region, seizing at least 500 fake bankcards and a large number of counterfeit European passports.

The group is known to have collected personal banking details on at least 20,000 people and held a database of 200,000 email addresses used in its phishing campaigns. Another of its methods was to offer a half-price online mobile phone top-up service: users attracted by the offer entered their bank details, which were then harvested for later use in fraud. To launder the stolen money the gang employed “cybermules” who transferred funds for a cut of the sum, and also made online purchases. To hide its trail the group used hacked computers and hijacked unprotected Wi-Fi connections.

Spanish authorities have so far declined to quantify the damages caused by this gang, but the figure is thought to be “extremely significant”. Vicente Ripa, a representative of Navarre’s regional government tasked with explaining the operation to the press, called it an amazing success, citing the nature of the crime and the size of the gang that was apprehended. This is not the only success Spanish cybercrime fighters have enjoyed this year: Spain’s National Police dismantled another sizeable criminal group last September, detaining 23 people in the three coastal regions of Catalonia, Valencia and Andalusia.
