Saturday, January 21, 2006

Malware Threat Percentages For 2005

2005 saw the decline of IT viruses, in favor of other threats such as Trojans or worms.

The data shows that in 2005:

Viruses - 1%
Trojans - 42%
Bots - 26%
Backdoor Trojans - 11%
Dialers - 8%
Worms - 6%
Adware/Spyware - 3%

Malware aims to exploit security flaws for commercial gain. Keep your computer secure with a multi-layered defense:

Firewall
Antivirus
Spyware Remover
Spam Blocker
Browser Lockdowns

Don't go online without protection!

Friday, January 20, 2006

Weekly Virus Threat Report

This week's report looks at two worms -Tearec.A and Mytob.MM -, and a Trojan -Banbra.BQT.

During this week, Tearec.A hit computers around the world, becoming the malware most frequently detected by Panda ActiveScan, a free online scanner.

Tearec.A is a worm that spreads across computer networks and via email. The subject, text and attachment name of the emails it spreads in are variable and chosen at random from a long list of options.

Nevertheless, all the messages have a common feature: erotic references in order to trick recipients. If a user runs the attached file, the worm uses its own SMTP engine to send itself out by email.

Tearac.A also takes a series of actions on the affected computer including: If it detects that any one of several antivirus programs specified in its code are installed on the computer, it terminates and disables them, displaying the text "Update Please wait" in the taskbar.

If it does not detect any antivirus program installed, it opens a compressed file called SAMPLE.ZIP, which is empty.

It tries to delete files belonging to several antivirus programs, P2Pfile-sharing programs and other Internet applications, preventing them from working. In order to obtain passwords, it monitors network traffic on certain connections related with antivirus programs and mail services.

The second worm we're looking at today is Mytob.MM, which spreads via email in a message with a .ZIP attachment. Once it is installed on a computer, Mytob.MM connects to an IRC Serverto receive remote control orders to carry out on the affected computer.

It also terminates processes belonging to certain security tools such as antivirus products and firewalls, and prevents users from accessing certain pages. In particular, those belonging to antivirus companies. Similarly, Mytob.MM terminates processes belonging to other malware.

We end today's report with the Banbra.BQT Trojan, which needs the intervention of third-parties in order to spread (using email, Internet downloads, FTP file transfers or other means). Once installed on acomputer, it monitors users' Internet movements to see if they access certain banking web pages in order to steal the passwords and then it sends this data to an email address.

Thursday, January 19, 2006

Federal Inmate Runs Identity Theft Scam

Prisoner indicted in identity-theft scam

A prisoner who won an abuse case before the Supreme Court a decade ago was indicted yesterday by a federal grand jury in Baltimore in an identity-theft scam.

The indictment alleges Dee Deidre Farmer, also known as Douglas C. Farmer, sent out fake court subpoenas and searched the Internet seeking out personal information on potential victims.

The data was used to impersonate dozens of people and open credit accounts in their names, according to federal prosecutors.

The 40-year-old from Baltimore was charged with five counts of mail fraud and two counts of aggravated identity theft.

More than $50,000 in money and property was obtained through the fraudulent accounts, according to the indictment.

In June 1994, the Supreme Court unanimously ruled that Farmer, a transsexual, was entitled to a full trial over her accusations that prison officials failed to protect her from a rape by other prisoners at a federal facility in Indiana. Farmer eventually lost the case.

Yesterday's indictment says that an investigation led by the U.S. Secret Service and the Maryland Transportation Authority.

Police found that Farmer sent fraudulent U.S. District Court subpoenas to the motor vehicle agency in Virginia and a motel in North Carolina last year seeking identity information about dozens of clients.

Wednesday, January 18, 2006

Tearec.A Virus Spreads Using Adult Content

PandaLabs has detected the appearance of Tearec.A, an e-mail worm that uses messages with erotic content to trick users. This malicious code has high distribution potential and, according to PandaLabs, has already infected users around the world.

It is currently one of the viruses most frequently detected by the Panda ActiveScan free, online antivirus. Panda Software's TruPreventTM proactive protection technologies have detected and blocked Tearec.A with no need for previous updates, so computers with these technologies have been protected from the moment this malicious code appeared.

The e-mail messages that Tearec.A uses to spread have variable characteristics, as the subject, text and attachment name are chosen from a long list of options. Some of the options are as follows:

Subjects *Hot Movie*, Arab sex DSC-00465.jpg, Fw: SeX.mpg, Fw: Sexy, Fwd: Crazy illegal Sex!Text body: Fuckin Kama Sutra pics, Note: forwarded message attached. You Must View This Videoclip!. Attachment: Adults_9,zip.sCR, Photos,zip.sCR, SeX,zip.scR, Sex.mim.

The full list of options is available in Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=105192&sind=0"

Malicious code alluding to erotic content continue to spread successfully. In fact, it is still the number one topic for social engineering. Epidemics such as those caused by the Kournikova, Nakedwoman or Hybris worms provide good examples of this.

The best way to avoid these problems is to scan all e-mail before opening it with a reliable and up-to-date antivirus", explains Luis Corrons, director of PandaLabs.

If a user runs the message attachment, the worm sends itself out by e-mail using its own SMTP engine and creates several files on the computer with copies of itself. At the same time, it tries to delete certain files related to security tools which it may find on the system.

Moreover, on a computer in a network, it will try to delete files it finds in directories related to security applications not just on the affected computer but also on other networked computers which it is able to access. It also makes several Windows registry entries, both to disable security applications and also to ensure it runs on every system start-up.

According to Luis Corrons: " Cases such as this worm, which can spread rapidly, highlight the need for having proactive technologies installed on computers. This prevents the chance of infection during the so-called "vulnerability window", the time it takes after the appearance of a new threat for traditional antiviruses to include the corresponding update."

Phishing Attacks Increasingly Smarter

Phishers casts their nets wider- UK hit hard as attacks grow

The Anti-Phishing Working Group (APWG) has reported a sharp rise in the number of phishing attacks, combined with an increased sophistication among attackers.

In its monthly report for November 2005 the APWG said that reported attacks grew to 16,882 from 15,820, the third month of growth after a slowdown over the summer.

The UK and Europe were particularly hard hit as phishers looked for new targets outside the US.

The bulk of targets are still financial companies at nearly 95 per cent of attacks in November, up from 86 per cent in October.

There is also evidence that phishers are refining their targets lists, since the number of brands attacked has fallen despite the overall increase in activity.

Almost a third of all phishing sites are hosted in the US. South Korea is the second most popular host at 11.34 per cent, reflecting the country's high levels of broadband penetration.

There is also worrying evidence that attacks are getting smarter. The APWG noted an increase in legitimate sites being cracked and used to spread malware.

"A good example of this scheme was exhibited by an attack on the ShangHai Huizhong Automotive Manufacturing Company, one of the largest car manufacturers in China," the report said.

"Crackers programmed the site to deliver key-loggers to the PCs of consumers visiting the ShangHai Huizhong site, installing a system that attempted to load and run malicious code on the visitors' PCs."

The APWG also found a much higher percentage of domain name server redirections using Trojan software.

One example occurred when a "security tool" was emailed out claiming to be from PayPal which, once executed, automatically redirected any attempt to access PayPal to a phishing site hosted in India.

There is also little sign that website hosting companies are getting any better at shutting down phishing sites once they are discovered. The average time such a site stayed up was 5.5 days, unchanged from October.

Tuesday, January 17, 2006

Hackers Penetrate US Navy Nuclear Sub Shipyard

Computer hacker arrests for compromising the security of U.S. Navy

An alleged computer hacker was detained by Spanish police on Monday on suspicion of having compromised the security of a U.S. Navy yard used in the maintenance of nuclear submarines, the Spanish government said.

The alleged hacker used the internet to penetrate a U.S. Defense Department computer in the Point Loma naval base in San Diego, the Interior Ministry said in a statement.

The security breach was detected by US Navy computer experts, who alerted the National Criminal Intelligence Service, who in turn traced the infringement to a computer in Spain.

Details of the computer break-in were communicated to the cyber-terrorism unit of the Spanish Civil Guard, who then uncovered a group of people involved in internet computer hacking.

The investigation led to a computer operator in the Mediterranean port city of Malaga in southern Spain, who had interfered with a computer linked to a dry dock in Point Loma, which is used to maintain nuclear submarines.

Four other members of the hacking group were detained. Police suspect the group may have caused security breaches in over 100 computer systems around the world, reports the Associated Press.

Monday, January 16, 2006

Computer Security - Online Security - Secure Your Windows PC

Computer Security - Online Security - Secure Your Windows PC: Computer Security Tips
Computer security is a goal to which we all aspire. However, Windows security is often an oxymoron - a contradiction in terms.

If you want computer security on a Windows platform, you have your work cut out for you. This article discusses three things you must do to build a strong security foundation.

- Apply all Windows security patches
- Tighten Internet Explorer security
- Create a multi-layered defense

Sunday, January 15, 2006

Top Three Current Computer Security Threats

Today's report looks at three security problems affecting several Microsoft products and which could allow anattacker to take control of vulnerable systems, two Trojans-Mitglieder.HE and Spymaster.A-, and a worm -Mytob.ML-.

The first security problem that we are looking at affects Office 2000SP3, Office XP SP3, Office 2003 SP1 and SP2, and Exchange Server. It stems from the way in which Outlook and Exchange Server encrypt email messages using the TNEF (Transport Neutral Encapsulation Format)protocol.

The second vulnerability in today's report affects Windows2003/XP/2000/Me/98, and stems from the way Windows processes malformed embedded Web fonts. This can be exploited by an attacker by hosting malicious web font on a specially created web page and enticing users to visit it, or sending an email message containing malicious Web font.

The third and last security problem we're looking at today lies in theGraphics Rendering Engine, in computers running Windows 2003/XP/2000,and could allow arbitrary code to be run on vulnerable systems. This could be exploited by an attacker hosting a WMF (Windows MetaFile) imageon a specially crafted website, and convincing users to visit it, ors ending an email message containing the WMF image.

Microsoft has released three security bulletins -MS06-003, MS06-002 andMS06-001-, announcing the availability of patches to resolve these three vulnerabilities, and users of affected systems are advised to install them.

The first Trojan in today's report is Mitglieder.HE, which needs to be spread manually by an attacker, although it can also start an SMTP server and send a copy of itself by email.

Mitglieder.HE opens port 9031 on infected computers and acts as a proxy server. In addition, it awaits remote control commands, such as downloading and running files, starting an SMTP server, changing the access port or updating itself.

The next Trojan in today's report is Spymaster.A. Like the Trojan described above, it does not spread automatically and requires the intervention of an attacker. It is normally spread via email in a message with an attachment called SERVER.EXE.

Spymaster.A logs keystrokes entered by the user in order to obtain passwords and other confidential information, and monitors web pages visited. At the same time, it can see the programs running and the files created, modified or deleted by the user. The information it compiles is saved to a file which is sent to an FTP server.

Spymaster.A also uses as pecial stealth system to pass itself off as MSN messenger, so that users are unaware of its presence.

We end today's report with Mytob.ML, a worm that spreads via email in a message containing a link. Once it has infected a computer, it connects to an IRC server and awaits remote control commands. It also terminates processes belonging to other types of malware and to certain securityprograms, such as firewalls, and prevents access to certain web pages, mostly those of antivirus companies.

Make sure your antivirus software is up to date and your computer is protected by a personal firewall. See the Resources listings at lower left for links to free versions.