Saturday, January 08, 2005

McAfee® AVERT Reports Top 10 Threats for 2004 and Advises on Future Threats and Trends
Analysis Shows Enterprises Have Been Most Affected by Bots, Adware and Vulnerabilities, While Consumers Have Been Affected by Adware and Exploits Taking Advantage of Vulnerabilities

BEAVERTON, Ore., Jan. 3 /PRNewswire-FirstCall/ McAfee, Inc. (NYSE: MFE), the pioneer and worldwide leader of intrusion prevention solutions, today announced the top 10 malicious threats identified by McAfee® AVERT™, the company's Anti-virus and Vulnerability Emergency Response Team, to affect both enterprise and home users worldwide in the 2004 calendar year.

McAfee AVERT reports that Bots and Mass Mailers are still the predominant method by which virus writers impact enterprises, whereas Exploits and Adware account for over 60% of the malicious threats tracked, significantly impacting consumer and home users.

Based on reports, McAfee AVERT anticipates that Adware and unwanted content, transmitted via email and the Web, will continue to increase in 2005, with programs becoming increasingly complex.

Threats will be combined with content such as Spam and Phishing as the year progresses. It is anticipated that successful phishing schemes will continue to increase throughout 2005 due to a general lack of consumer awareness.

Additionally, the number of exploits that attack discovered vulnerabilities will increase as more vulnerabilities are discovered and disclosed. These assessments are based on AVERT's conclusions that today's programs are evolving rapidly, and could at some point, succeed mass mailers, the dominant threat of the past six years.

Computer virus attacks reaching a Medium risk assessment or higher have dramatically increased in 2004, compared to 2003. McAfee AVERT has assessed 46 threats as a medium risk or higher compared to 2003's total of 20 threats reaching that same risk level.

Most of this increase was due to the Netsky/Bagle war that consumed most of Q1 2004. Within the first half of 2004, 50 new computer viruses (of varying risk assessments) were discovered daily.

By the end of 2004, detection for 17,000 new malware threats had been added to AVERT's growing database of threats.

The top 10 threats in 2004 all fall into one of the following key areas: spyware/adware threats, email-borne virus threats, and malware threats delivered by spam.

Listed in alphabetical order are the top threats for 2004:
Adware-180
Adware-Gator
Exploit-ByteVerify
Exploit-MhtRedir
JS/Noclose
W32/Bagle
W32/Mydoom
W32/Netsky
W32/Sasser
W32/Sdbot (family including sdbot, gaobot, polybot, spybot)

McAfee AVERT continued to expand its vulnerability and exploit analysis and reporting in 2004. McAfee AVERT reports that threats using vulnerable systems in 2004 totaled more than 380, exceeding the 2003 total by approximately 50%.

McAfee's VirusScan online service reported more than 2 million detections for various types of exploits that were found on machines managed by the program. McAfee AVERT believes that this number will grow due to the continuing interest by hackers to exploit unpatched consumer systems.

Vulnerabilities discovered in 2004 totaled more than 2,800, which is down 25% from 2003. Though security companies are becoming increasingly adept at recognizing and fixing these vulnerabilities, along with manufacturers providing faster patch updates, hackers are becoming quicker at producing exploits in attempts to launch a major zero day attack.

"In 2004, the rise in viruses, worms, phishing, adware and vulnerability exploitation has surpassed what was noted in 2003," said Vincent Gullotto, vice president of McAfee AVERT. "Although we saw a steady 5% (year over year) decrease in the rate of virus production from 2000 to 2003, we have seen an increase in 2004 which can be partly attributed to Bagle and Netsky authors feuding, as well as a general lack of awareness in regards to adware and other such programs."

Bots Continue to Climb:
A "bot" (short for robot) is an automated program that answers to commands from another source. McAfee researchers estimate that there are over 7,000 bots in existence today.

They are growing at a rate of about 150 to 200 per week. Some bots are less pervasive than others; however, McAfee has seen a recent trend toward bots that download adware onto a user's system.

These programs also have the ability to propagate quickly on the compromised system. Like any evolving security threat, the writers of these intrusive programs continue to develop new variants that propagate on systems that do not have proactive protection against buffer overflows.

Proactive generic protection is becoming imperative.

Spyware/Adware Threats Become an Increasing Concern:
Today's adware is more often categorized as surveillance-driven spyware, programs that are dropped onto a user's system and installed without their knowledge.

In addition, spam that is encoded with exploit capabilities to install spyware has become an increasing issue among consumers. On average, at least 13 adware components can be found on every machine.

Consumers are more affected by spyware/adware threats and less by email-borne threats because most consumers use Internet Service Providers that proactively scan and clean email viruses before being delivered to the consumer.

Phishing and Identity Theft is a Rising Concern:
Phishing became a major concern in 2004, threatened both enterprise and consumer users worldwide, and shows no signs of slowing down. Phishing is the distribution of email messages whose return addresses, links and graphic art make them appear to come from a legitimate source, in an effort to obtain private financial information such as passwords and Personal Identification Numbers (PINs).

As reported by the Anti-Phishing Working Group, an industry association that McAfee recently joined to help fight identity theft and fraud, 176 unique new phishing attacks were reported in January 2004.

By June 2004, that number had skyrocketed to a reported 1,422 unique phishing attacks and now stands at 1,518 for the latest reported month of November.

AVERT Recommendations:
In an effort to address the above threats and malicious programs, McAfee AVERT recommends that both McAfee enterprise and consumer customers constantly stay updated with the latest DATs, install the latest patches, employ current spam filters and implement a multi-layered approach to detecting and blocking attacks.

For more information and solutions that can help enterprises and consumers ensure constant security protection, please visit www.mcafee.com. McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing researchers in thirteen countries on five continents.

McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee® IntruShield® and McAfee® Entercept® organizations, two research arms that were acquired through IntruVert Networks and Entercept Security.

McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.

About McAfee, Inc.
McAfee, Inc., headquartered in Santa Clara, Calif., creates best-of-breed intrusion prevention and risk management solutions. McAfee's market-leading security products and services help large, medium and small businesses, government agencies, and consumers prevent intrusions on networks and protect computer systems from critical threats.

Additionally, through the Foundstone Professional Services division, leading security consultants provide security expertise and best practices for organizations.

For more information, McAfee, Inc. can be reached at 972-963-8000 or on the Internet at http://www.mcafee.com/.

NOTE: McAfee, AVERT, Entercept and IntruShield are either registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

SOURCE McAfee, Inc.

Top 10 Computer Security Threats of 2004
Adware-180
Adware-Gator
Exploit-ByteVerify
Exploit-MhtRedir
JS/Noclose
W32/Bagle
W32/Mydoom
W32/Netsky
W32/Sasser
W32/Sdbot (family including sdbot, gaobot, polybot, spybot)


Notes:

Listed alphabetically. Includes both enterprise and consumer threats defined as:

1) spyware/adware threats
2) email-borne virus threats
3) malware threats delivered by spam.

Medium Risk Viruses Up 130% in 2004

Computer virus attacks reaching a Medium Risk assessment or higher dramatically increased to 46 in 2004, compared with only 20 in 2003.

"The rise in viruses, worms, Phishing, adware and vulnerability exploitation surpassed what was noted last year," said McAfee Vice President Vincent Gullotto. "Although we saw a steady 5% (year over year) decrease in the rate of virus production from 2000 to 2003, we saw an increase in 2004 that can be partly attributed to Bagle and Netsky virus authors feuding, as well as a general lack of awareness in regards to adware and other such programs."

Within the first half of 2004, 50 new computer viruses (of varying risk assessments) were discovered daily.

Phishing Threats Increasing, Too
As reported by the Anti-Phishing Working Group, an industry association McAfee recently joined to help fight identity theft and fraud, 176 unique new phishing attacks—spam attempts to fool users into divulging financial information on phony websites—were reported in January 2004. By June 2004, that number had skyrocketed to 1,422.

Expect More Spyware & Adware in 2005
McAfee expects adware and unwanted content, transmitted via email and the Web, to increase in 2005, with threats becoming increasingly complex as they combine spam and Phishing. Worse, spyware-installing spam will also threaten users.


Friday, January 07, 2005

Virus Alert: Winxor.A, Breacuk.E and Asan.A.

- Weekly report on viruses and intruders -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, January 7, 2005 - This week's report will focus on Winxor.A, Breacuk.E and Asan.A.

Winxor.A is the first malicious code designed to exploit a vulnerability in the WINS service, which allows arbitrary code to be run on Windows 2003/XP/2000/NT/Me/98/95 servers.

Winxor.A can also affect computers running Windows 2003/XP/2000/NT/Me/98/95.

Winxor.A connects to an IRC server and waits for control commands (such as download files or run programs).

When the author of this malicious code specifies, Winxor.A scans IP addresses in order to find open ports. If these belong to servers that are affected by this security flaw, it installs an FTP server on port 36010 and uses it to transfer itself to these computers.

When it has reached a computer, Winxor.A carries out the following actions:

- It creates two files: CCEVTMNGR.EXE, which is a copy of itself, and CCSETMNGR.EXE, which is a component that looks for remote computers affected by the vulnerability in the WINS service in order to try and exploit it.

- It creates several entries in the Windows Registry to ensure it is run whenever the computer is started, registering itself as a Windows service.

Breacuk.E is a worm that spreads via the P2P (peer-to-peer) file sharing program KaZaA. To do this, it follows the routine below:

- It creates a directory called SOFTWARE KINGS AND QUEENS in the Windows directory and shares it through KaZaA.

- In this directory it creates multiple copies of itself under attractive names, so that other users download them, thinking that they are games or other applications.

However, when the downloaded file is run, the computer will be infected by Breacuk.E.

Breacuk.E deletes files with certain extensions, including: EXE, DLL, OCX and BMP, preventing certain applications from working correctly.

What's more, this malicious code causes problems when the affected computer is switched on.
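The Winxor.A and Breacuk.E descriptions above name concrete host artefacts: two dropped executables and Run/service registry entries, an FTP listener on TCP port 36010, and a shared directory called SOFTWARE KINGS AND QUEENS. The following Python is an added example, not Panda Software's code, that checks a host inventory snapshot for those indicators. The snapshot, the file paths and the registry key layout are constructed sample data; the directory locations are assumptions about where such artefacts would usually sit.

```python
"""Match a host snapshot against the Winxor.A / Breacuk.E indicators
named in the weekly report. The snapshot data below is constructed."""
import re
from dataclasses import dataclass

# Indicators taken from the report text.
WINXOR_FILES = {"CCEVTMNGR.EXE", "CCSETMNGR.EXE"}
WINXOR_FTP_PORT = 36010
BREACUK_SHARE_DIR = "SOFTWARE KINGS AND QUEENS"

# Persistence locations the report describes (Run key, Windows service).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SERVICES_KEY_RE = re.compile(r"\\Services\\", re.IGNORECASE)


@dataclass
class HostSnapshot:
    files: list       # full paths of files present on disk
    registry: dict    # registry value path -> data (command line / ImagePath)
    listening: list   # (proto, port) tuples from a netstat-style listing
    shares: list      # directories exported by file-sharing software


def _basename(path):
    """Last path component, upper-cased so comparisons are case-insensitive."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()


def check_winxor(snap):
    """Return human-readable findings for the Winxor.A indicators."""
    findings = []
    for path in snap.files:
        if _basename(path) in WINXOR_FILES:
            findings.append(f"winxor file: {path}")
    for key, data in snap.registry.items():
        in_persistence_key = RUN_KEY_RE.search(key) or SERVICES_KEY_RE.search(key)
        if in_persistence_key and any(n in data.upper() for n in WINXOR_FILES):
            findings.append(f"winxor persistence: {key} -> {data}")
    for proto, port in snap.listening:
        if proto.lower() == "tcp" and port == WINXOR_FTP_PORT:
            findings.append(f"winxor ftp listener: tcp/{port}")
    return findings


def check_breacuk(snap):
    """Return findings for the Breacuk.E shared-directory indicator."""
    return [f"breacuk share: {s}" for s in snap.shares
            if _basename(s) == BREACUK_SHARE_DIR]


# Constructed sample snapshot: one infected-looking host. Paths are assumed.
SAMPLE = HostSnapshot(
    files=[r"C:\WINDOWS\system32\notepad.exe",
           r"C:\WINDOWS\system32\CCEVTMNGR.EXE",
           r"C:\WINDOWS\system32\ccsetmngr.exe"],
    registry={
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccEvtMngr":
            r"C:\WINDOWS\system32\CCEVTMNGR.EXE",
        r"HKLM\SYSTEM\CurrentControlSet\Services\ccSetMngr\ImagePath":
            r"C:\WINDOWS\system32\CCSETMNGR.EXE",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sound":
            r"C:\Program Files\Audio\tray.exe",
    },
    listening=[("tcp", 135), ("tcp", 36010), ("udp", 137)],
    shares=[r"C:\Program Files\Kazaa\My Shared Folder",
            r"C:\WINDOWS\SOFTWARE KINGS AND QUEENS"],
)


def scan(snap=SAMPLE):
    """All findings for a snapshot; an empty list means no indicator matched."""
    return check_winxor(snap) + check_breacuk(snap)


if __name__ == "__main__":
    for line in scan():
        print(line)
```

Matching on the upper-cased basename rather than the full path keeps the check robust to the 8.3/long-name and case variations Windows tooling produces, while the persistence check insists on both a known autostart location and a known file name so that an unrelated program named similarly in an ordinary directory is not flagged.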

We are going to finish this week's report with Asan.A, a worm that affects servers with a vulnerable version of the program phpBB installed, and that have already been attacked by a worm detected by Panda Software as PHP/Santy.A.worm.

In this case, it removes the vulnerability from the server, although this could lead to loss of certain functionalities.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

Tuesday, January 04, 2005

- Weekly report on viruses and intruders -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, December 31 2004 - Spyki.A, the B variant of Santy and HHelp are dealt with in this last report of 2004.

Spyki.A and Santy.B are two worms that spread via the Internet, exploiting the Remote URL Decode Input Validation vulnerability, which affects servers with a version of phpBB prior to 2.0.11 installed.

Once the server is infected, and in order to allow remote access to it, Spyki.A takes the following actions:

- Installs several programs that can be controlled via IRC to take malicious action.

- Opens port TCP 6667, and connects to an IRC Server to receive remote commands.

- Scans different ports to see if any are open.

Santy.B, on the other hand, takes the following actions, among others:

- Uses Google, America Online or Yahoo searches to find vulnerable computers.

- Creates scripts (such as BOT.TXT, SSH.A, WORM.TXT or WORM1.TXT), or downloads them, to install a backdoor and connect to different IRC servers.

- Deletes all files called SSH (with any extension), or whose name begins with BOT.
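The report states the exposure condition for Spyki.A and Santy.B as a phpBB version prior to 2.0.11. Deciding "prior to" reliably needs a numeric comparison: as plain strings, "2.0.9" sorts after "2.0.11", so a naive string check would call a vulnerable install patched. The following Python is an added example, not Panda Software's or phpBB's code, that parses version strings into tuples and triages a constructed inventory; the hostnames and the "phpBB" product label are assumptions about how an inventory would be tagged.

```python
"""Flag phpBB installs older than 2.0.11, the condition the report gives
for the Remote URL Decode Input Validation vulnerability. Added example;
the inventory below is constructed sample data."""
import re

FIXED_VERSION = (2, 0, 11)   # first release the report names as not affected

# Accepts "2.0.11", "v2.0.11" or "2.0"; anything else is treated as unknown.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    """Turn '2.0.9' or 'v2.0.11' into a comparable tuple; None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_phpbb(version_text):
    """True when the version parses and sorts before 2.0.11.

    Unparseable strings return None so the caller can review them by hand
    instead of silently treating them as patched."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIXED_VERSION


# Constructed inventory: (hostname, product, version string as recorded).
SAMPLE_INVENTORY = [
    ("web01.example.test", "phpBB", "2.0.9"),
    ("web02.example.test", "phpBB", "2.0.11"),
    ("web03.example.test", "phpBB", "2.0.10"),
    ("forum.example.test", "phpBB", "2.0.12"),
    ("legacy.example.test", "phpBB", "unknown"),
    ("blog.example.test", "WordPress", "1.2.2"),
]


def triage(inventory=SAMPLE_INVENTORY):
    """Return (hosts to patch, hosts whose version needs manual review)."""
    vulnerable, review = [], []
    for host, product, version in inventory:
        if product != "phpBB":
            continue
        verdict = is_vulnerable_phpbb(version)
        if verdict is None:
            review.append(host)
        elif verdict:
            vulnerable.append(host)
    return vulnerable, review


if __name__ == "__main__":
    to_patch, to_review = triage()
    print("patch:", to_patch)
    print("review:", to_review)
```

Returning None for an unreadable version, rather than False, is the deliberate design choice here: an inventory field that reads "unknown" is the case most likely to hide an old install, and it should surface as work for a person rather than disappear from the patch list.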

We end today's report with HHelp, a generic detection for malicious code that uses Exploit-HelpZonePass, which allows certain security features in Service Pack 2 for Windows XP to be evaded.

Malware that uses this exploit to spread can be used to execute arbitrary code on affected computers, with the same permissions as the user that started the session. HHelp normally affects computers by downloading itself from a malicious webpage.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Exploit: This can be a technique or a program that takes advantage of a vulnerability or security hole in a certain communication protocol, operating system, or other IT utility or application.

- Script / Script virus: The term script refers to files or sections of code written in programming languages like Visual Basic Script (VBScript), JavaScript, etc.

More technical definitions at: http://www.pandasoftware.com/virus_info/glossary/default.aspx

Cabir cell phone threat worsens | CNET News.com

By Paul Festa
Staff Writer, CNET News.com

Reporting a new crop of variants, a security firm warned that the Cabir cell phone virus is becoming more of a threat.

Earlier versions of Cabir, which spreads through phones running the Symbian operating system and Bluetooth wireless technology, won attention this summer for being the first worms to spread via smart phones. But they were quickly determined to be relatively harmless, proof-of-concept programs.

As it issued alerts for Cabir.H, Cabir.I, and Cabir.J, security firm F-Secure warned that the latest versions of Cabir are evolving beyond its comparatively benign predecessors.

"These new Cabir variants fix a flaw that was slowing down original Cabir's spreading speed," F-Secure warned in a release Tuesday. "Cabir originally would only spread to one new phone per reboot (while) Cabir.H and Cabir.I can spread to an unlimited number of phones per reboot."

The sheer quantity of variants being detected now and their closeness to the original indicate that Cabir's secret sauce is no longer much of a secret, F-Secure warned.

"These new variants seem to...

BostonHerald.com - Technology: Spyware, computer worms plague Internet

Spyware, computer worms plague Internet
By Associated Press
Monday, January 3, 2005

NEW YORK - Computer worms raced around the world, leaving behind tools that spread spam. Scammers sent e-mail to trick bank account holders into revealing passwords. Rogue programs known as "spyware" hijacked Web browsers and crippled computers.

These were among the top Internet threats of 2004 as the perpetrators grew smarter and more sophisticated, driven more than ever by economic gains. And while technology to combat such threats has improved, experts concede that's not enough to address what's bound to emerge in the coming year.....