Security and Family Safety in Microsoft’s New OS
When you buy a product, hardware or software, it is natural to assume that it will work perfectly out of the box. That is rarely true, least of all in the software industry, where most companies release patches and updates to fix problems discovered during a product’s life cycle. Microsoft is no stranger to this and has been doing it for as long as the company has existed. Security issues in particular hurt both personal and corporate productivity and, in the bigger picture, a corporation’s ability to operate, so Microsoft is constantly under pressure to provide fixes that make its customers less prone to malware attacks and the like. One instance we recall vividly is the wave of malware that plagued the early days of Windows XP with Service Pack 1 (SP1), causing system slowdowns and forced shutdowns. The malware problems then were chaotic enough that Microsoft followed up with SP2 largely to close those security holes.
Like it or not, security problems can’t be wished away with a magic wand. Even today, Microsoft, along with third parties such as Trend Micro and McAfee, constantly tracks malware activity and ships fixes to customers on a weekly basis. Statistics suggest that up to one billion people in the world use computers with network connectivity, and that 30 percent of them are potential victims of security threats. In today’s context, cyber-victims are not just people whose computers are wrecked by malware. A large share of today’s online attacks are online identity theft and fraudulent transactions that begin with a visit to a phishing site. With so many security concerns hanging over our heads, Microsoft is not taking things lightly with its upcoming operating system (OS). In fact, security is a major focus in the development of Windows Vista, so that its users can work and play on the new OS confidently and securely. You can expect many changes in Windows Vista that set it apart from the current Windows XP.
On that note, you might ask what the security differences between Windows XP and Windows Vista actually are. That is what this article is about: we will show you some of the security benefits Windows Vista users gain when they migrate from Windows XP.
The Real Security Center is on Vista
In Windows XP SP2 there is a feature known as the Security Center in the Control Panel, which lets you quickly view and manage basic security-related options such as your firewall, Internet options and Automatic Updates settings. This one-stop center in XP is very handy, and it is only natural that it is carried over to Windows Vista. The one-stop concept remains, but you can expect more flexibility and more features in Windows Vista to keep attacks off your system. You will find several new options in the latest Security Center, so we will step through each of them one at a time. To start off, here is how the old and new Security Centers differ:
Experts warn of browser ‘tab-jacking’
A nuisance known as “tab-jacking” may soon begin stalking internet users, according to security experts.
Tab-jacking involves exploiting a feature found in the latest internet browsers, including Microsoft’s new version of Internet Explorer, IE7, and the rival open source browser Firefox. Both programs let users open several web pages within a single browser window and switch between them quickly by clicking on the tabs at the top of the window.
The aim is to make surfing simpler while also using less of the computer’s memory, since new browser windows do not need to be opened. However, it may also open up new opportunities for so-called adware programs, claims Ed English, chief technology officer of security firm Trend Micro, based in California, US.
Security settings
Adware programs can be installed on a PC unwittingly, but they can also exploit software bugs or lowered security settings to wriggle onto a machine. Such programs may generate unwanted pop-up web pages or redirect a browser to different pages. Soon, English says, these pests may start hijacking web browser tabs too.
Researchers at Trend Micro created a prototype program that demonstrates how easily an adware program could take control of a browser’s tabs.
The effect could be more annoying than pop-up adverts, English claims, since the nuisance could be buried among genuine ones.
The problem will also remain as long as the adware responsible remains on a computer. “Even if the user manually shuts down the hijacked browser tab, when he next restarts, the adware tab will be restored,” English says.
Increasing threat
English believes that tab-jacking may increase once Microsoft’s new operating system is released this year, as this comes bundled with IE7.
Mikko Hypponen, chief research officer at Finnish computer security firm F-Secure, agrees that adware writers will be unable to resist tab-jacking. “I think it’s inevitable,” he says.
Hypponen is also concerned that the trick could provide another way to carry out financial scams. Hijacked tabs could perhaps be made to replace legitimate pages, posing as the log-in page for an online bank, for example.
Microsoft did not respond to requests for comment by time of posting.
Saddam execution “footage” hides deadly virus payload
Virus writers are exploiting the hanging of former Iraqi dictator Saddam Hussein to distribute malware.
Researchers at anti-virus company F-Secure said that malware writers are trying to exploit the publicity around the hanging of Saddam Hussein to their own advantage.
“So far we’ve seen three different examples of malware using Saddam-related themes,” said F-Secure’s chief research officer Mikko Hypponen on the company’s blog. “These are now detected as W32/Banload.BSW, W32/Banload.BSX and Trojan-downloader.Win32.Delf.acc.”
He said that two of these types of malware try to disguise their actions by opening up a YouTube page with the Portuguese search keyword “enforcado” (execution).
Time Extended to Upgrade to AVG Anti-Virus Free Edition 7.5 and Other Updated AVG Internet Security Products
MILLBURN, N.J.–(BUSINESS WIRE)–GRISOFT, the developer of AVG security software, today announced the extension of user product support for AVG Anti-Virus Free Edition 7.1 through February 18, 2007. Product support for users of version 7.1 had been scheduled to expire on January 15th. This change will provide additional time for users to upgrade to AVG Anti-Virus Free Edition 7.5 or other AVG products. The Free Version 7.5 provides all the benefits of the previous version, but also offers better virus protection and improves ease-of-use for users.
With version 7.5, users receive improved virus detection based on better heuristics and NTFS data streams scanning, smaller update files and improved user interface. Anti-Virus Free Edition 7.5 is also Windows Vista-ready and is available via Windows Security Center as a security solution. To upgrade to free version 7.5, users can visit: http://free.grisoft.com.
“As we have millions of satisfied users who enjoy using our free anti-virus software, we continue to offer the free version 7.1, which has been updated in our AVG 7.5 security product portfolio,” said Larry Bridwell, vice president of Global Security Strategies. “We’ve extended user support so that they can continue receiving daily computer threat updates as they transition to our improved Anti-Virus Free Edition or take advantage of the additional benefits with our commercial AVG products that protect against a myriad of computer threats.”
GRISOFT’s AVG 7.5 security portfolio offers users several commercial security products with advanced benefits not included in the free editions. While AVG Free only provides anti-virus and anti-spyware programs, the AVG commercial products offer more security with a variety of options including additional anti-spam and firewall programs, as well as tools to detect and prevent identity theft attempts, bundled into one package such as the new AVG Internet Security 7.5.
The commercial AVG products also offer 24/7 professional technical support, high-speed updates and customizable settings. Users can upgrade to the AVG commercial security products at: http://www.grisoft.com/doc/5/lng/us/tpl/tpl01.
All AVG products have reliable and frequent automatic updates, low level use of computer resources, and unified and easy-to-use interface.
About GRISOFT
GRISOFT is a leading provider of antivirus, firewall protection and security solutions for consumers and SMEs. It is one of the fastest growing companies in the industry with more than 40 million users around the world that rely on GRISOFT AVG products to protect their computers and networks.
Established in 1991, GRISOFT employs some of the world’s leading experts in antivirus software, specifically in the areas of virus analysis and detection, software development, and antivirus support. GRISOFT award-winning products are distributed globally through resellers and the Internet as well as via the AVG Anti-Virus Software Developer’s Kit (SDK) to interested partners.
The Gagar.CC and Mitglieder.LX Trojans, and the RaHack.BB worm
Gagar.CC is a Trojan that connects to a certain IP address and downloads another Trojan called Alanchum.MU. The latter, in turn, downloads the following malware onto the infected computer:
* Duel.A: This worm uses specific techniques in its code in order to hide while it is active.
* Nuwar.B: This Trojan spreads via email and downloads another Trojan, Gagar.CB, onto the infected computer.
* Spammer.ER: This is a Trojan that provides the email addresses to which to send Nuwar.B.
The second Trojan we are looking at this week is Mitglieder.LX. This malicious code downloads a file from several web pages and runs it on the computer. The downloaded file is a variant of the Bagle worm. It passes itself off as a crack (a tool for removing copy protection from software) for a certain program.
RaHack.BB is a worm with no destructive payload. Its main purpose, as with all worms, is to spread to other computers. It can break into computers running the Radmin remote-administration application by exploiting weak passwords. Similarly, if the compromised computer is part of a network, RaHack.BB will try to access shared resources on the network and copy itself to them.
Users who want to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free online scanner available at www.pandasoftware.com/activescan, which thoroughly scans a computer that the user suspects has been infected.
How to crash a Windows Mobile phone using MMS
Security researchers have released proof-of-concept code that exploits vulnerabilities in MMS implementations in mobile phones running mobile versions of Windows.
The vulnerability was discovered six months ago by security researcher Collin Mulliner, who published the exploit at the Chaos Communication Congress in Berlin last week in a bid to force manufacturers to deal with the issue.
The flaw involves buffer overflow vulnerabilities in the handling of SMIL (Synchronized Multimedia Integration Language), the markup that describes the layout of an MMS message. As a result, an overlong MMS message carrying attacker-supplied code may crash a phone in such a way that the hostile code is left in the memory of the targeted device. The iPAQ 6315 and i-mate PDA2k are confirmed as vulnerable, but other devices running Pocket PC 2003 and Windows Smartphone 2003 are also likely to be at risk from the technique.
Even on devices confirmed as vulnerable, the attacker needs to know the correct memory slot in which the MMS processing code is executing, so exploitation is far from easy. A malicious MMS message will most likely only crash a device rather than infect it, reports anti-virus firm F-Secure.
“While [this] is very significant, it does not pose an immediate danger to any large group of users. Although it is possible to create an MMS worm or other malware that uses the vulnerability, this particular exploit cannot be directly used in creating malware,” Jarno Niemela, a researcher at F-Secure’s Labs, writes.
Viruses that will lurk in 2007
Social networking sites like YouTube, Orkut and MySpace, which were all the rage among young netizens last year, may be hot targets for virus attacks this year.
Research by F-Secure points to dangerous cross-site scripting (XSS) vulnerabilities on some of these sites. Niraj Kaushik, country manager, Trend Micro (India & SAARC), speculates, “Web threats will impact consumers and corporations alike through confidential information leakage, identity theft, bot infection, adware/spyware installation, and the like.”
In 2007, Trend Micro also expects the bot threat to grow, with bot creators finding newer methods to install them on users’ machines. “More ingenious social engineering and software vulnerabilities will be the likeliest candidates for this,” adds Kaushik.
In 2005, security pundits declared a marked decrease in the growth rate of spam, and some major networks such as AOL even reported a modest decrease in spam volumes. Spam filter efficacy was so high worldwide that many found themselves in agreement with Bill Gates, who said “the spam problem was solved”.
However, by the end of 2005 spam volumes had increased 200 per cent, and the surge continues in 2007. Spam volumes will again more than double and spam throughput is expected to triple again, straining global email infrastructure and disrupting legitimate email delivery, predicts a security report by IronPort.
Spammers are adopting techniques that virus writers have used for years, and that is the alarming bit. Spammers develop a new strain or variant of spam and send out a very limited trial quantity to see how effective the new strain is against spam filters. Once they are confident that they have created a content set that gets through most spam filters, they launch a very large-scale attack, warns IronPort.
Windows Vista’s arrival in 2007 will only add to the frown lines. Says Vishal Dhupar, managing director, Symantec India, “Be ready to witness an increased attacker interest and motivation in the coming year. Consumers and businesses will soon start to migrate to Windows Vista and there may be more threats that target this new operating system as adoption rates increase.”
A security report by Symantec notes that macro-based viruses, which went from zero outbreaks in 2005 to 15 outbreaks in 2006, are to be watched carefully in 2007. Macro-based viruses reside inside Microsoft Office files such as Word and Excel documents.
These viruses can be very potent, since many email administrators rely on attachment file type filtering to limit exposure to new outbreaks. Furthermore, Word and Excel files are much more familiar to end users, resulting in higher open and infection rates than more esoteric attachment file types.
Parasitic malware will make a comeback, says McAfee. “Even though parasitic malware accounts for less than 10 per cent of all malware (90 per cent of malware is static), it seems to be making a comeback. Parasitic infectors are viruses that modify existing files on a disk, injecting code into the file where it resides. When the user runs the infected file, the virus runs too.”
Popular polymorphic parasitic file infectors identified in 2006 had stealth capabilities and could download Trojans from compromised sites.
The Nuwar.B worm wishes you a Happy New Year…
Madrid, December 29, 2006 – PandaLabs has detected the presence of emails containing Nuwar.B, a new variant of the Nuwar family of worms. This malicious code uses the New Year as a ruse to infect computers. Oddly enough, however, it is not designed to cause an epidemic or damage computers, but to artificially drive up the prices of certain stocks.
Nuwar.B reaches computers in a message with the subject “Happy New Year!”. The message text is blank, and the message carries a file named postcard.exe, which contains the worm. To gain credibility, it also spoofs the sender’s address, pretending to come from various users.
If the target user runs the attached file, Nuwar.B copies itself to the system. However, instead of mass-mailing itself like most email worms, it downloads a copy of the Spammer.EN Trojan to the computer. The Trojan then connects to certain email servers in order to send spam to the addresses it finds on the affected system. This spam carries promotional text trying to convince recipients to buy certain stocks so that their price rises rapidly.
Everything seems to indicate that the creator(s) of Nuwar.B have sent out the worm as spam, abusing certain email servers in an attempt to distribute it as quickly as possible. The proactive TruPrevent™ Technologies detected Nuwar.B without prior identification, so computers with them installed have been protected from the outset.
According to Mikel Perez, Director of the Malware Detection Department of PandaLabs, “This is just another turn of the screw in the field of cyber-crime. In this case we see how an email worm, a type of threat clearly in decline as a result of the new financial motivation behind the actions of malware creators, is also being used to make money. Most probably this is a criminal that has bought stocks at a low price, and has endeavored to increase their price and obtain large benefits by spreading Nuwar.B”.
Hackers Spam ‘Happy New Year’ Worm
A rootkit-cloaked worm is being heavily spammed to users as an attachment to “Happy New Year!” messages, a security researcher warned Friday.
The new worm, dubbed “Tibs” by Kaspersky Lab but pegged as a “Nuwar” variant by Trend Micro, comes disguised as a file attachment named “postcard.exe,” said Ken Dunham, director of VeriSign iDefense’s rapid response team, in an e-mail. Users who launch the executable will infect their PCs.
With antivirus signature updates still thin and over 160 servers spamming the new worm, the threat is significant, added Dunham. “The period of greatest risk is through the New Year’s holiday, when antivirus protection is the lowest for this new threat and users are most apt to click on a ‘New Year’s’ related message,” he said. “Everyone should be on guard for e-mails and other content potentially harboring malicious code during the holiday period.”
On at least one network the worm is generating as many as five spammed messages a second, iDefense reported.
The security intelligence firm’s research has identified more than a dozen pieces of malicious code — including zombie-making bot Trojans — installed by Tibs after it has gained a foothold on a PC. Two rootkits are also installed to mask the malware from antivirus scanners, and the worm also disables the Windows firewall, as well as several security programs, including F-Secure’s BlackLight rootkit scanner. The worm spreads by spamming itself to addresses it steals from the user’s files.
“This is a classic iceberg threat,” said Dunham, “where multiple codes are installed and then protected with rootkit technology.”
New web worms causing havoc
A recent wave of web worms appearing on social networking websites represent a new generation of more sophisticated computer worms.
Early forms of the computer threats classified as “worms” were intended more for causing havoc or were designed for proof-of-concept purposes to determine if vulnerabilities could be exploited.
Recently, however, new worms have been discovered on social networking sites such as MySpace, which are designed to steal data.
These new worms employ cross-site scripting (XSS) flaws found on many websites.
XSS is defined on the Whatis.com website as a security exploit in which the attacker inserts malicious code into a link that appears to be from a trustworthy source. When the user clicks on the link, the embedded programming is submitted as part of that user’s web request and can execute on the user’s computer, typically allowing the attacker to steal information.
Web server applications that generate the web pages dynamically are vulnerable to this type of exploit if they fail to validate user input.
The popular MySpace website was first hit with the Samy worm in October.
Adam Biviano, a senior systems engineer at security firm Trend Micro, said a MySpace.com user, called Samy, had created a “malicious” profile by taking advantage of a flaw in the website’s design. The profile, when viewed, automatically activated a code to add the visitor to Samy’s “friends” list. Additionally, the malicious code would be copied into the victim’s profile, so when that person’s profile was viewed, the infection spread.
According to Biviano, “The infection stays on the website and almost creates a denial-of-service attack, because there is an exponential explosion of entries in your friends list that will eventually consume the infrastructure.”
The apparent intent of the Samy worm creator was to increase his popularity on the social networking site. In terms of numbers of “friends,” it worked.
In an e-mail interview posted on Google Blogoscope, the young author said: “It didn’t take a rocket or computer scientist to figure out that it would be exponential, I just had no idea it would proliferate so quickly.”
“When I saw 200 friend requests after the first eight hours, I was surprised. After 2,000 a few hours later, I was worried,” he said.
“Once it hit 200,000 in another few hours, I wasn’t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000.”
The Samy worm demonstrated the ease with which cross-site scripting could be used as an exploit and was quickly followed by a major phishing attack later in October.
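As an added example, not code from the article, Trend Micro or MySpace, the following JavaScript models the mechanism behind the XSS definition above and Biviano’s description of Samy: a profile field is stored as text, a dynamically generated page interpolates it raw, and every visitor’s browser then runs it as script, which befriends the attacker and copies the payload into the visitor’s own profile. The same page rendered through an output-encoding template stays inert. The site, the templates, the payload, the growth model and the browser model are all constructed assumptions for illustration.

```javascript
// Added example, not code from the article, Trend Micro or MySpace. It models a
// stored cross-site scripting worm in the spirit of the Samy account: a profile
// field is interpolated raw into a dynamically generated page, so every visitor's
// browser runs it as script. The site, templates, payload, growth model and
// browser model are all constructed assumptions.

// Encode untrusted text for the HTML text and double-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable template: the stored "about me" field is interpolated as-is.
function renderProfileUnsafe(p) {
  return `<h1>${p.name}</h1><div class="about">${p.about}</div>`;
}

// Hardened template: the same page, with every untrusted value encoded on output.
function renderProfileSafe(p) {
  return `<h1>${escapeHtml(p.name)}</h1><div class="about">${escapeHtml(p.about)}</div>`;
}

// Constructed payload. Stored as text it is inert; rendered as markup it runs in
// each visitor's session, with that visitor's cookies, and does two things:
// sends the attacker a friend request and copies itself into the visitor's profile.
const WORM = '<script>/* addFriend("samy"); copyIntoMyProfile(WORM) */</script>';

function newSite() {
  const profiles = new Map();
  profiles.set('samy', { name: 'samy', about: WORM, friends: new Set() });
  return profiles;
}

// Browser model: any <script> in the rendered page executes as the viewer.
// Returns true when the worm ran in the viewer's session.
function view(profiles, viewerName, targetName, render) {
  const html = render(profiles.get(targetName));
  if (!/<script>[\s\S]*?<\/script>/i.test(html)) return false;
  const viewer = profiles.get(viewerName);
  profiles.get('samy').friends.add(viewerName);           // forced friend request
  if (!viewer.about.includes(WORM)) viewer.about += WORM; // self-replication
  return true;
}

// Growth model (constructed): each round, two new users visit each profile
// infected in the previous round; if nobody got infected, newcomers keep
// visiting the attacker's own page.
function simulate(render, rounds) {
  const profiles = newSite();
  let carriers = ['samy'];
  let nextId = 0;
  let executions = 0;
  for (let r = 0; r < rounds; r++) {
    const newCarriers = [];
    for (const target of carriers) {
      for (let k = 0; k < 2; k++) {
        const name = `user${nextId++}`;
        profiles.set(name, { name, about: 'hello', friends: new Set() });
        if (view(profiles, name, target, render)) {
          executions++;
          newCarriers.push(name);
        }
      }
    }
    carriers = newCarriers.length > 0 ? newCarriers : ['samy'];
  }
  let infectedProfiles = 0;
  for (const [name, p] of profiles) {
    if (name !== 'samy' && p.about.includes(WORM)) infectedProfiles++;
  }
  return { executions, infectedProfiles, samyFriends: profiles.get('samy').friends.size };
}

// Stand-alone run: raw interpolation spreads exponentially; output encoding stops it.
console.log('unsafe', simulate(renderProfileUnsafe, 4)); // 30 executions after 4 rounds (2+4+8+16)
console.log('safe', simulate(renderProfileSafe, 4));     // 0 executions, 0 infected profiles
```

The point of the two templates is that the fix sits at output, not at input: the worm text is stored unchanged in both cases, and only the page that echoes it without encoding turns it into code. Input validation on its own would also have to anticipate every encoding trick (the real Samy payload, for instance, hid its script in a CSS expression rather than a plain script tag), whereas context-correct output encoding neutralises the whole class.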
One such exploit changes a user’s profile to include links to a pornographic website that hosts spyware.
Hackers are finding cross-site scripting “holes” in numerous large websites.
According to the security site CGISecurity, sites such as CNN.com, Time.com, eBay, Yahoo, Apple Computer, Microsoft, ZDNet, Wired and FBI.gov have had one form or another of XSS bug.
Protecting yourself will involve work.
For specific suggestions on steps to take consider visiting the website www.cgisecurity.com and searching for the article: xss-faq.
John Millar is the president of Digital Boundary Group, a London-based information technology security services firm. This article, written with the assistance of Deborah Washburn, a security specialist, contains general comment and suggestions. Digital Boundary may be reached at 519-652-6898. E-mail him at jmillar@digitalboundary.net.