Phishing overtakes viruses and Trojans
Phishing attacks have outnumbered e-mails infected with viruses and Trojan horse programs for the first time, according to security experts.
Security mail services vendor MessageLabs reported on Monday that in January 2007, one in 93.3 e-mails (1.07 percent) comprised some form of phishing attack. There were fewer e-mails — one in 119.9, or 0.83 percent — infected with viruses.
The difference in the ratio of phishing to virus attacks is partly due to virus attacks becoming more targeted and no longer occurring as one large outbreak. This includes the recent Storm Worm and Warezov attacks, according to MessageLabs.
“If you look at infected e-mail traffic for January, it’s very spiky,” Mark Sunner, chief technology officer at MessageLabs, told ZDNet UK.
“With Storm Worm, there are clear spikes, then drops down to normal levels,” Sunner said. “It’s as though someone is turning on the tap briefly, then letting it abate.”
Phishing attacks have become more sophisticated, according to MessageLabs. As online merchants and banks have shifted toward two-factor authentication, there has been a rise in sophisticated “man in the middle” phishing tools and Web sites, though such attacks are still quite rare.
Two-factor authentication often involves the user keying in pseudorandomly generated codes — for example, from a key fob — as well as entering a password. This is designed to foil attacks where information is harvested using keyloggers; the code can be used only once.
One particular form of man-in-the-middle attack circumvents this by effectively hijacking the user session rather than replaying credentials later. Users are duped into visiting a spoofed portal, hosted on a compromised machine. Information entered, such as bank details and one-time codes, is relayed through the compromised machine to the real bank site in real time, so the code is still fresh when the bank checks it. Once the users have authenticated themselves on the real system through the relay, the attackers kill the user’s connection and take over the authenticated session.
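The following simulation, added here as an illustration and not code from the article or from MessageLabs, models why a single-use code defeats a keylogger but not a real-time relay. The bank, key fob, relay site, password and fob secret are all constructed for the example (the code generator is an HOTP-style HMAC over a counter, simplified); nothing touches a network.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class KeyFob:
    """Event-based one-time code generator (HOTP-style, simplified for the demo)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    @staticmethod
    def code_for(secret: bytes, counter: int) -> str:
        mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def next_code(self) -> str:
        code = self.code_for(self.secret, self.counter)
        self.counter += 1
        return code


class Bank:
    """Login needs the password plus the current one-time code; each code works once."""

    def __init__(self, password: str, fob_secret: bytes):
        self._pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self._fob_secret = fob_secret
        self._counter = 0                      # next code the bank expects
        self.sessions: Dict[str, str] = {}

    def login(self, password: str, code: str) -> Optional[str]:
        if hashlib.sha256(password.encode()).hexdigest() != self._pw_hash:
            return None
        expected = KeyFob.code_for(self._fob_secret, self._counter)
        if not hmac.compare_digest(code, expected):
            return None                        # wrong, stale or replayed code
        self._counter += 1                     # the code is now burnt
        token = secrets.token_hex(16)
        self.sessions[token] = "alice"
        return token

    def balance(self, token: str) -> Optional[str]:
        return "1234.56" if token in self.sessions else None


class RelayPhishingSite:
    """Spoofed portal on the 'compromised machine': forwards what the victim types
    to the real bank immediately, keeps the session, and tells the victim the
    connection dropped (the 'kill the user connection' step from the article)."""

    def __init__(self, bank: Bank):
        self.bank = bank
        self.stolen_sessions: List[str] = []

    def submit(self, password: str, code: str) -> str:
        token = self.bank.login(password, code)   # relayed while the code is fresh
        if token is None:
            return "Login failed"
        self.stolen_sessions.append(token)
        return "Connection reset, please try again later"


def run_scenarios() -> dict:
    secret = b"fob-seed-for-demo"                 # constructed shared secret
    bank = Bank("hunter2", secret)
    fob = KeyFob(secret)

    # 1. Keylogger model: attacker records password and code from a real login
    #    and replays them afterwards. The code has already been consumed.
    code1 = fob.next_code()
    legit = bank.login("hunter2", code1)
    replayed = bank.login("hunter2", code1)

    # 2. Real-time relay: the victim types into the spoofed portal and the
    #    attacker's relay spends the code before the victim ever could.
    relay = RelayPhishingSite(bank)
    user_sees = relay.submit("hunter2", fob.next_code())
    attacker_balance = bank.balance(relay.stolen_sessions[0])

    return {
        "legit_ok": legit is not None,
        "replay_ok": replayed is not None,        # False: single use holds
        "user_sees": user_sees,
        "attacker_balance": attacker_balance,     # the relayed session works
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The single-use check does its job in scenario 1, but it is a check on freshness, not on who is presenting the code, which is exactly the gap the relay exploits in scenario 2.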
Phishing e-mails are also becoming more personalised, according to Sunner, making such confidence tricks more believable. This includes phishers sending links to people for spoof sites of banks that the intended victims actually use, as opposed to randomly hitting a section of the population.
“We’re continuing to see a real increase in the targeted nature of messages across the board. Phishing is becoming more personalised,” Sunner said.
More phishing sites are now using Flash content rather than HTML in an attempt to evade anti-phishing technology deployed in Web browsers.
Security vendor Sophos confirmed that it also saw more phishing than malicious-software activity in January. “More e-mail at the moment does appear to be phishy rather than containing malicious attachments,” said Graham Cluley, senior technology consultant at Sophos. “The trend has been for the proportion of infected e-mail to drop for a while now.”
However, Cluley warned that this indicated a shift in infection methods toward Web-based attacks rather than a shift from malicious software to phishing.
“More and more of the bad guys are moving towards Web-based attacks,” he said. “That means that the e-mail itself may not contain a malware attachment but instead a Web link to a site or download that would then infect you with a Trojan horse.
“We shouldn’t necessarily conclude that the malware problem is diminishing; it just may be changing its nature,” Cluley added.
Sophos is seeing approximately 5,000 new malicious URLs every day hosting malicious software or drive-by downloads of unwanted content, Cluley said.
Dutch botmaster crew facing jail sentence
Two alleged cybercriminals are waiting to hear if they will have to go to jail for their part in creating and running a 1.5-million-strong botnet. Dutch authorities are hoping that the presiding judge at the court in the southern city of Breda will send the two unnamed individuals, who are 20 and 28 years old, to prison for a maximum of three years.
Police arrested the two men in their homes in Loon op Zand and Rijswijk back in 2005. In what has been the biggest cybercrime investigation in the legal history of the Netherlands, the prosecution claims to have proved that both men created a massive network of bot computers. To hijack the 1.5 million PCs they used a worm known as “Toxbot”. Additionally, Dutch media have claimed that the pair were involved with the Russian Internet mafia and helped to write a Trojan called “Wayphisher” that was used to steal private financial data from victims in Europe and the US.
The prosecution service in the Netherlands has also alleged that the criminal group carried out cyberblackmail. It is claimed the men threatened to carry out a denial-of-service attack on US advertising firm 180Solutions Inc., now known as Zango Inc. The American company has in the past been linked with illicit promotion techniques and surreptitious installation of its products. Another claim from the police is that the two men participated in phishing attacks, stealing financial data and gaining access to e-banking and PayPal accounts. The stolen funds were then used to buy computers and other electronic goods, such as gaming consoles. Now, though, the prosecution hopes that money will be recouped: apart from the jail sentence it has asked the judge to impose monetary fines totalling some 60 thousand Euros on the accused. A final verdict will be returned on 30 January.
MicroWorld Offers ‘Free Virus Scan and Clean’
MicroWorld Technologies, provider of anti-virus and content security products, is offering a free security check-up and repair for viruses and other malware on computers as part of its New Year celebrations.
MWAV 8.x from MicroWorld comes with new features to enhance its detection power and usability. Apart from the new and improved GUI, MWAV now detects and removes spyware and adware, and also cleans the registry entries made by these harmful programs.
“Many a time, first-time users of MWAV are shocked to find out that nasty Trojans and spyware have been in their computers for months and years,” says Manoj Mansukhani, head of technology and marketing, MicroWorld Technologies.
“This free check up will benefit several computer users, while giving them a first hand experience of our technological edge over the competitors”.
MWAV is simple to install: the user downloads and runs the toolkit, which scans the computer right away. MWAV also offers an option to add itself to the PC’s startup programs so that the toolkit scans the computer on every boot. The free version of MWAV can be downloaded from http://www.mwti.net/products/mwav/mwav.asp. This version will scan and clean the computer of any threats, with the latest updates, until 15 February 2007.
“We are witnessing unprecedented growth in business volumes and market explorations in the last year, owing to the intention of creating and enhancing a Futuristic Security Intelligence in each of them,” says Govind Rammurthy, CEO, MicroWorld Technologies.
MicroWorld updates its virus signatures every hour in all its products, giving protection against viruses, worms, Trojans, Trojan clickers, vulnerability exploits, Trojan downloaders, spyware, adware, keyloggers, backdoors, rootkits and many other such breeds.
Panda looks at Gagar, Mitglieder and RaHack.BB worm
Panda Software’s weekly report on viruses and intruders looks at the Gagar.CC and Mitglieder.LX Trojans, and the RaHack.BB worm.
Gagar.CC is a Trojan that connects to a certain IP address and downloads another Trojan called Alanchum.MU. The latter, in turn, downloads the following malware onto the infected computer:
* Duel.A: This worm uses specific techniques in its code in order to hide while it is active.
* Nuwar.B: This Trojan spreads via email and downloads another Trojan, Gagar.CB, onto the infected computer.
* Spammer.ER: This is a Trojan that provides the email addresses to which to send Nuwar.B.
The second Trojan we are looking at this week is Mitglieder.LX. This malicious code downloads a file from one of several web pages and runs it on the computer. The downloaded file is a variant of the Bagle worm. It passes itself off as a crack (a tool for removing copy protection from commercial software) for a certain program.
RaHack.BB is a worm with no destructive payload. Its main purpose, as with all worms, is to spread to other computers. It gets into computers running the Radmin remote-administration application by guessing weak passwords; a strong, unique Radmin password is therefore the practical defence. If the compromised computer is part of a network, RaHack.BB will also try to access shared resources on the network and copy itself to them.
All users who want to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free, online solution available at www.pandasoftware.com/activescan. This allows users to thoroughly scan their computers if they suspect they have been infected.
First Exploit Of Windows Vista Spotted
Proof-of-concept code for an unpatched vulnerability in all supported versions of Windows, including Vista, has gone public, prompting alerts from security vendors and a warning from its Russian discoverer that the flaw may be dangerous.
It is the first Windows Vista exploit made public since the operating system was released to volume license customers Nov. 30.
According to Symantec and eEye Digital Security, the bug is a memory corruption vulnerability that is triggered when the MessageBox function is called; eEye pegged the threat as “medium,” while Symantec labeled it a “privilege escalation,” a type of threat generally considered low on the security scale because an attacker would already need authorized access to the PC to exploit the bug.
The code first showed up on a Russian hacker site, and was subsequently posted to milw0rm.com.
Mike Reavy, program manager with the Microsoft Security Response Center, acknowledged that the team was “closely monitoring” the situation even as the holidays approached.
“Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings,” Reavy wrote on the center’s blog early Friday.
Windows 2000 SP4, Windows XP SP1 and SP2, Windows Server 2003 SP1, and Windows Vista are at risk, Reavy added.
The Russian researcher who first reported the bug to Microsoft on Dec. 16, however, observed that the vulnerability may be more dangerous than the “Less critical” rating that Danish bug tracker Secunia assigned. “There is a potential remote exploitation vector if some service uses user-supplied input for the MessageBox() function,” wrote “ZARAZA U 3APA3A” on the Full Disclosure security mailing list.
Reavy downplayed the Vista-is-vulnerable angle. “While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date,” he said. Microsoft has touted Vista, which was released to corporations late last month and will debut Jan. 30 on consumer PCs, as significantly more secure than earlier versions of Windows.
Reavy also recommended users turn on a firewall, apply all Microsoft security updates, and install and/or update antivirus and anti-spyware software to protect their PCs.
Additional information on the threat will be posted to the center’s blog, or if necessary, in the form of a security advisory, the mechanism Microsoft uses to inform users of possible defensive workarounds in lieu of, or prior to, a security update.
New Spyware Warning
PandaLabs has reported the appearance of a new spyware program:
- Appeared: 12/21/2006
- Name of the new program: Adware/MalwareAlarm (Alias: Win32/Adware.SpySheriff)
- Type: Spyware; Subtype: Adware
- Means of propagation: Download from malicious web pages.
- Distribution: Low.
- Effects: Informs users of the existence of false (non-existent) threats on their computers. This is a strategy to get users to buy a security application that supposedly eliminates these non-existent threats.
- Other features: The spyware goes resident in the computer and, from time to time, shows an on-screen message claiming that the system is infected and needs disinfecting.
- Detected by Panda Software solutions: Yes, by the signature file dated 12/21/06
Panda Software will publish updated information about this threat in the Virus Encyclopedia at http://www.pandasoftware.com/com/virus_info/encyclopedia/
Always use effective security solutions to combat spyware. Panda Software products incorporate one of the best anti-spyware technologies on the market, as acknowledged by such prestigious publications as PC World USA or PC Magazine. Also, Panda Software solutions that incorporate the TruPrevent(tm) proactive protection technologies can detect unknown spyware through behavioral analysis, with no need for updates. More information about Panda Software’s anti-spyware technologies at http://www.pandasoftware.com
Important phishing gang taken down in Spain
Spain’s Guardia Civil claimed on Thursday to have broken up an important cybercriminal gang that carried out phishing attacks in the country. A total of six people were detained in the province of Malaga in the south of Spain following a year-long investigation carried out by the authorities in Navarre, a province in the northeast of the country.
The gang is thought to have been led by a 19-year-old youth of Moroccan origin. At least five of the gang’s members have been named as Moroccans, while the sixth detainee, a 21-year-old woman, originally came from Ceuta, a Spanish enclave in North Africa. The leader of the gang is a well-known hacker who has been involved in the business since he was 12 years old. Spanish authorities believe him to be one of the most eminent hackers in Europe at the moment.
Operation “Siluro”, as Spanish investigators named it, began after a complaint registered in Elizondo, Navarre, in April this year. From then on the police monitored phishing campaigns in Spain, looking for similarities that could lead them to identify the perpetrators. Having collected the necessary evidence, they carried out organised raids in the Malaga region, finding at least 500 fake bank cards and a large number of counterfeit European passports in the process. The group is known to have collected personal banking details on at least 20,000 people and held a database of 200,000 email addresses that was used in its phishing campaigns. Another peculiar method was to offer a half-price online mobile phone top-up service. Users attracted by the offer entered their bank details, which were then collected for later use in fraud operations. To launder the stolen money they employed cybermules, who transferred funds for a cut of the sum, as well as other methods such as making online purchases. To hide their trail the group used hacked computers and also hijacked unprotected Wi-Fi connections.
Spanish authorities have so far declined to quantify the damages caused by this gang, but the figure is thought to be “extremely significant”. Vicente Ripa, a representative of Navarre’s regional government tasked with explaining the operation to the press, called it an amazing success, citing the nature of the crime and the size of the gang that was apprehended. This is not the only success Spanish cybercrime fighters have enjoyed this year: Spain’s National Police dismantled another sizeable criminal group last September, detaining 23 people in the three coastal regions of Catalonia, Valencia and Andalusia.
Russian trader accused of carrying out online pump and dump scam
A pump-and-dump scam has been publicly uncovered by the US Securities and Exchange Commission. The scam involved manipulating stock prices by means of hijacked trading accounts. According to a press release from the SEC, Russian national Evgeny Gashichev, owner of the Estonia-based, Belize-registered trading firm Grand Logistic, carried out the scam.
The alleged scam was carried out between August and October this year. Mr Gashichev is thought to have pocketed more than $350,000 from at least 25 incidents of pumping and dumping stocks. His modus operandi was straightforward: he purchased thinly traded, low-priced stocks of small companies in the name of his Grand Logistic firm and pumped up their value using illegally obtained usernames and passwords for other people’s online brokerage accounts. Trades placed from those accounts simulated demand and drove up the price, after which he sold his own holdings at a profit, again using the stolen trading accounts as the buyers.
The SEC has been investigating the case and has now obtained an asset freeze ruling on Grand Logistic from a federal court in Manhattan. It is unknown how many accounts were actually hijacked by Mr Gashichev, but steps are now being taken to return the funds that were stolen and taken outside the US in the scam operation. His current whereabouts are unknown, but the SEC believes him to be a resident of St. Petersburg, Russia. He is also known to have frequently travelled to Tallinn, Estonia, to carry out his business. The SEC is currently working on the case with its Estonian counterparts. Linda Chatman Thomsen, Director of the SEC’s Division of Enforcement, warned potential fraudsters, “Account intrusions combine securities fraud, identity theft and hacking. Our action today demonstrates, once again, that the Commission will seek out and stop those who would prey on investors, in whatever manner.”
German virus gang jailed
Two men who infected more than 100,000 computers with a Trojan that generated profits exceeding 12 million Euros have been jailed in Germany.
A court in Osnabrück sentenced one of the men to four years and the other to a 39 month sentence for their part in a criminal scheme that subverted innocent internet users’ PCs with software that dialled premium rate 0190 phone numbers to contact an adult website.
The men, aged 31 and 35 years old, amassed substantial illegal profits from the scam between July 2002 and September 2003.
‘Having infected a staggering 100,000 computers and run up huge phone bills for the unsuspecting users, the culprits are now facing Christmas in the slammer,’ said Graham Cluley, senior technology consultant for Sophos.
‘The German authorities must be commended for bringing these offenders to justice, and other hackers should look long and hard at the punishment dished out and ask themselves whether, in the long run, internet crime really pays,’ said Cluley.
A prosecution request for an additional fine of 7.75 million Euros was rejected for legal reasons. Earlier in 2006, two other men were jailed for 18 and 22 months in connection with the case.