Saturday, January 29, 2005

Report on worms Crowt.A, Mydoom.AG, Cisum.A, Bagle.BK and Bagle.BL.

Crowt.A is a worm that spreads via email in messages that contain texts made up of the headlines on CNN's website. This malicious code is designed to create a backdoor in affected computers in order to receive commands from remote attackers.

What's more, Crowt.A installs a keylogger that can be used to steal personal or confidential data, such as passwords entered by the user to access online banking services. Crowt.A also deletes the cookies stored on the computer and opens the Internet browser at a certain website.

Mydoom.AG is a new variant of a worm that, almost a year ago, caused a worldwide epidemic. This malicious code modifies the HOSTS file so that the affected user cannot access the websites of certain antivirus manufacturers. It also ends the processes belonging to different antivirus programs and spreads via email and peer-to-peer (P2P) file sharing programs.

Cisum.A is a worm whose most distinguishing action is that it insults the user by displaying a screen with the text 'YOU ARE AN IDIOT' while playing an MP3 audio file that repeats the same sentence.

This malicious code can only spread automatically across computer networks. If a network user runs the file carrying Cisum.A, it copies itself under the name ProjectX.exe to the root directory of the shared network drives on the computer.

Cisum.A also ends the processes belonging to antivirus programs and other IT security applications, leaving the computer vulnerable to possible attacks from other viruses and hackers. What's more, it creates several entries in the Windows Registry in order to ensure that it is run whenever the affected computer is started up.

Finally, the BK and BL variants of the notorious Bagle worm reach computers in email messages in which the address of the sender of the message has been spoofed, and with a subject selected at random from a list of options. Some examples of these subjects are: 'Delivery by mail' or 'Delivery service mail'.

The message body contains texts like: 'Before use read the help' or 'Thanks for use of our software'. The names of the files attached to these messages, which actually contain the code of these worms, are variable but always have a COM, CPL, EXE or SCR extension.

In order to spread via P2P applications like KaZaA or Morpheus, these worms create copies of themselves under names like ACDSee 9.exe, Adobe Photoshop 9 full.exe or Ahead Nero7.exe, to name a few.

If a file carrying any of these worms is run, they automatically send themselves out to all the email addresses they find in files with certain extensions stored on the affected computer, using their own SMTP engine. What's more, these variants of Bagle end the processes running in memory belonging to various antivirus programs and other security applications.

Rapid propagation of Bagle.BK and Bagle.BL

PandaLabs has detected the appearance of the new worms Bagle.BK and Bagle.BL. They are both designed to spread rapidly via email, in messages that use social engineering, and using P2P applications like KaZaA.

Panda Software's international support network has already begun to register incidents caused by Bagle.BL in countries such as Holland and the USA, and it is likely, given the characteristics, that the number of computers affected by the worms will start to increase. With this in mind, Panda Software has set the virus alert level at orange.

Bagle.BK and Bagle.BL reach computers in email messages with spoofed sender addresses and with subject fields chosen at random from a list of options.

Possible subjects include: "Delivery by mail" or "Delivery service mail". The message text may include phrases like: "Before use read the help" or "Thanks for use of our software". The message attachments, which actually contain the worms, have variable names, although their extension is always COM, CPL, EXE or SCR.

In order to spread via P2P applications like KaZaA or Morpheus, both worms create copies of themselves in the programs' shared folders with names such as ACDSee 9.exe, Adobe Photoshop 9 full.exe or Ahead Nero 7.exe, among others. This is to bait other users into downloading them and then executing them.

Regardless of how they reach computers, when a file containing either of the worms is run, they use their own SMTP engine to send themselves to the email addresses they find in files with certain extensions stored on the computer. Nevertheless, they avoid sending themselves out to certain addresses, principally those related to IT security software companies.

The most dangerous action that both variants of Bagle take is the termination of processes in memory related to antivirus and security applications, leaving computers defenseless against further attack.

They also make several entries in the Windows registry to ensure they are run every time the system is started up and delete others that could exist as the result of infection by variants of Netsky.

Due to the high possibility of being infected by Bagle.BK and Bagle.BL, Panda Software advises users to take precautions with any email messages they receive and to update their antivirus software.
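The indicators PandaLabs lists for Bagle.BK and Bagle.BL (the fixed subject lines, the body phrases and the COM/CPL/EXE/SCR attachment extensions) are enough to build a simple mail-gateway check. The following is an added example, not code from Panda Software: it parses a message with Python's standard `email` module and returns which of the published indicators it matched. The two sample messages are constructed for the example, not captured samples.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the PandaLabs description of Bagle.BK/BL
BAGLE_SUBJECTS = {"delivery by mail", "delivery service mail"}
BAGLE_BODY_PHRASES = {"before use read the help", "thanks for use of our software"}
BAGLE_EXTENSIONS = {".com", ".cpl", ".exe", ".scr"}


def bagle_indicators(raw_message: bytes) -> list:
    """Return the list of Bagle.BK/BL indicators matched by one RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in BAGLE_SUBJECTS:
        hits.append("subject:" + subject)
    # Walk every MIME part: text parts feed the phrase check, attachments the extension check
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in BAGLE_EXTENSIONS:
                hits.append("attachment:" + filename)
        elif part.get_content_type() == "text/plain":
            body = part.get_content().lower()
            for phrase in sorted(BAGLE_BODY_PHRASES):
                if phrase in body:
                    hits.append("body:" + phrase)
    return hits


def build_sample() -> bytes:
    """Constructed message shaped like the described Bagle mail (not a real capture)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Delivery service mail"
    m.set_content("Before use read the help\n")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="info.scr")
    return m.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary message with a PDF attachment, for comparison."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Lunch on Friday"
    m.set_content("See you at noon.\n")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="menu.pdf")
    return m.as_bytes()
```

Matching a single indicator is weak evidence on its own, since the subject lines are plausible for legitimate mail; quarantine decisions should key on the executable attachment extension combined with at least one of the text indicators.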

A New IE Hole Allows For The Perfect Phishing Scam

One of the most popular criminal activities on the Internet is Phishing. There are a lot of different forms of Phishing, but in general Phishing refers to the art of tricking someone into providing personal information by posing as a legitimate business.

Typically, when someone wants to conduct a Phishing scam, they will begin by sending out a SPAM message. This is no ordinary SPAM though. It is designed to appear to be from a legitimate business.

There are a million variations to bait messages, but often the person sending the message will pose as the recipient’s bank. The text contained within the message is designed to scare the recipient into taking action.

For example, one of the bait messages that was going around a few months ago said something to the effect that the bank had a computer glitch and they need all Internet banking customers to log in and verify that the correct amount of money is in their account.

The "YOU ARE AN IDIOT" Virus

- If your computer insults you, it has been infected by the new Cisum.A worm

PandaLabs has detected the appearance of Cisum.A, a worm whose most distinguishing characteristic is that it insults the user by displaying the following message on screen:

"YOU ARE AN IDIOT"

All the while playing an MP3 audio file that repeats the same phrase.

Cisum.A can only spread automatically across computer networks. If a network user runs the file carrying Cisum.A, this worm copies itself under the name ProjectX.exe to the root directory of the shared drives on the computer.

At the same time, it displays a window containing the text: "YOU ARE AN IDIOT," and constantly plays the aforementioned MP3 audio file the worm has previously generated on the system.

Cisum.A also ends the processes belonging to antivirus programs and other IT security applications, leaving the computer vulnerable to attack from other viruses or hackers.

What's more, it creates several entries in the Windows Registry in order to ensure that it is run whenever the computer starts up. Even though no incidents caused by this worm have been registered, Panda Software advises users to take precautions with any file they receive or download from the Internet and to update their antivirus software.

Panda Software has made the corresponding updates available to its clients to detect and disinfect Cisum.A.

Monday, January 24, 2005

Hackers Snatch Data From Bogus Wireless Access Points

Gregg Keizer, TechWeb News, 21-Jan-2005

An "Evil Twin" that hijacks unsuspecting wireless transmissions is the latest security bugaboo, academic researchers in the U.K. asserted Thursday.

But the idea is anything but fresh.

The hacking technique is dubbed "Evil Twin" because scammers set up a bogus wireless access point near a legitimate base station that they then jam. Users within range of the sham access point connect to it thinking that it's a real link to the Net.

All the time, however, the information transmitted over the wireless connection is being intercepted by the hackers, who look for passwords, usernames, financial account log-in information, or other confidential data.

Think of it as one big key logger and you get the idea.

"So-called 'Evil Twin' hotspots present a hidden danger for Web users," said Phil Nobles, a wireless and cybercrime expert at Cranfield University in the U.K. "Users think they've logged on to a wireless hotspot connection when, in fact, they've been tricked to connect to the attacker's unauthorized base station," said Nobles in a statement. "The latter jams the connection to a legitimate base station by sending a stronger signal within close proximity to the wireless client, thereby turning itself into an 'Evil Twin'."

The technique could be potent where public hotspots are in play, such as those offering connections in coffee shops or airports. Public access points typically don't accept encrypted traffic, so users are accustomed to transmitting "in the clear."

"Cyber criminals don't have to be that clever to carry out such an attack," added Nobles. "Because wireless networks are based on radio signals, they can be easily detected by unauthorized users tuning into the same frequency."

Since it happens more or less transparently, users often have no clue they've been duped -- and identities or information compromised -- until long after the fact.

Professor Brian Collins, the head of the information systems department at Cranfield University, chimed in. "Web users who use Wi-Fi networks should be on their guard against this type of cyber crime," he said in an accompanying statement prior to a presentation Thursday evening at London's Dana Center, a science and technology discussion forum.

"Given the spread and popularity of wireless, users need to be wary of using their Wi-Fi enabled laptops or other portable devices to conduct financial transactions or anything of a sensitive or personal nature, for fear of disclosing this information to an unauthorized third party," added Collins.

While the U.K. researchers pressed for users to activate security options in their wireless client to protect themselves, the idea of 'Evil Twin' turns out to be not all that new. Internet Security Systems, for instance, published a wireless FAQ over two years ago that mentions this threat (as well as a host of others.)

ISS dubbed the threat "BaseStation Clone (Evil Twin)," and said it could occur when "an attacker tricks legitimate wireless clients to connect to the attacker's honeypot network by placing an unauthorized base station with a stronger signal within close proximity of the wireless clients that mimic a legitimate base station. "

"This may cause unaware users to attempt to log into the attacker's honeypot servers. With false login prompts, the user unknowingly can give away sensitive data like passwords."

Worm Steals CNN Headlines To Stay Timely, Fool Users

TechWeb News , 24-Jan-2005

A new worm uses breaking news -- and a devious technique to keep itself up-to-date -- to dupe recipients into opening attachments, an anti-virus firm said Friday.

U.K.-based security vendor Sophos said that the Crowt.a worm grabs its subject lines, message content, and attachment names from headlines culled in real-time from CNN's Web site.

The worm's subject and attachment filename constantly change to mirror the top headline on CNN.com, while the e-mail message's text is also hijacked from CNN.

The idea is to fool recipients into thinking that they're reading a legitimate newsletter or news brief rather than looking at payload-carrying message about to infect their PC.

Crowt.a also slips in a backdoor component that tries to record keystrokes and send the stolen info to the hacker, an element of many worms that are meant not only to give the attacker later access to the infected computer, but also lets them walk off with valuable passwords or bank account information.

"This latest ploy feeds on people's desire for the latest news," said Carole Theriault, a security consultant at Sophos, in a statement. "Many people subscribe to legitimate email news updates...virus writers are always looking for new tricks to entice users into running their malicious code."