Friday, January 27, 2006

Weekly Virus Threat Report

This week's report looks at a Trojan, Mitglieder.HJ, and two worms, Mytob.MU and Feebs.E.

Mitglieder.HJ cannot spread by its own means but has to be distributed manually by third parties (via email, Internet downloads, file transfers via FTP or other means). Nevertheless, if it receives the corresponding command, it can send a copy of itself via email through a specific SMTP server.

The action that Mitglieder.HJ takes on infected computers includes the following:
- Opening port 33322 and acting as a proxy server. It also waits for remote control orders to carry out on the PC, such as starting an SMTP server or updating itself.
- It tries to download, from several web pages, a text file containing a list of IP addresses.
- It creates a mutex, called 555, to ensure that only one copy of itself is running at any time.

The first worm that we are looking at today is Mytob.MU, which spreads via email in a variable message with a ZIP file attachment. When the file is run, the worm infects the computer and searches for email addresses to which to send itself using its own SMTP engine.

Mytob.MU connects to an IRC server to receive remote control orders, which it executes on the computer it has installed itself on. It also terminates processes belonging to several security tools, such as antivirus programs and firewalls, along with those belonging to certain other specimens of malware.

Similarly, it prevents users from accessing certain web pages, notably those belonging to antivirus companies. In computers with Windows XP, it disables the Internet connection firewall (ICF) and the Internet connection sharing (ICS) features.
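The report says Mytob.MU prevents access to antivirus vendors' web pages but does not say how. Worms of this family commonly do it by adding entries to the Windows hosts file that map vendor hostnames to the loopback address, so a practitioner's first check on a suspect machine is to read that file. The script below is an added example, not part of the original report: the hosts-file mechanism is an assumption about this worm, the vendor list is illustrative, and the hosts content it scans is constructed inline rather than taken from an infected machine.

```python
"""Flag hosts-file entries that redirect security-vendor domains.

Added example; the report does not state Mytob.MU's blocking mechanism, so the
hosts-file approach is an assumption based on common behaviour of this worm
family. SAMPLE_HOSTS is constructed for the example, not a real capture.
"""
import ipaddress

# Illustrative list: on an end-user machine a hosts entry for any of these
# domains is almost always an attempt to block updates or vendor web sites.
WATCHED_DOMAINS = (
    "symantec.com", "sophos.com", "mcafee.com", "f-secure.com",
    "pandasoftware.com", "windowsupdate.com", "microsoft.com",
)


def suspicious_hosts_entries(text: str) -> list:
    """Return (line_number, ip, hostname) for every watched domain found.

    Each line is '<ip> <host> [<host> ...]' with optional '#' comments. Any
    IP counts, not only 127.0.0.1: redirecting a vendor site to a third-party
    address is worse than blackholing it.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry, skip silently
        for host in fields[1:]:
            h = host.lower()
            if h == "localhost" or h.endswith(".localdomain"):
                continue
            if any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS):
                findings.append((lineno, str(ip), h))
    return findings


# Constructed sample: a default Windows hosts header, three worm-style
# entries, and one legitimate internal override that must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         www.sophos.com
192.168.0.5     fileserver.corp.example   # legitimate internal override
"""

if __name__ == "__main__":
    for lineno, ip, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}")
```

On a live system point it at `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts` for a mounted image); the parser ignores comments and malformed lines, so it is safe to run over a file the worm may have padded with junk.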

The third threat in today's report is Feebs.E, a worm that spreads through P2P file-sharing programs and email.

One of the methods it uses to spread by email is to monitor network traffic for outgoing messages that carry a MIME attachment; when it sees one, it attaches itself to that message. Because the message really does come from the infected user, it passes itself off as coming from a reliable source, so recipients are more likely to open and run the attachment.

After installing itself on a computer, Feebs.E opens several ports to receive remote control orders and uses rootkit techniques (to hide its files and Windows registry entries and the ports it has opened). In addition, this worm disables several security programs, leaving the computer vulnerable to attacks from other malware.
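A worm that rides along on legitimate outgoing mail, as Feebs.E does, cannot be caught by sender reputation, so a gateway has to look at the attachments themselves. The following script is an added example, not code from the original report: it parses a MIME message, ignores the declared content type, and flags any attachment whose filename carries an executable extension or whose decoded bytes begin with the "MZ" DOS/PE header. The sample message it checks is constructed inline (a legitimate CSV plus a fake executable labelled as a Word document) and contains no real worm data.

```python
"""Find attachments that look like an executable dropped into a MIME message.

Added example; the message below is built inline, not captured traffic.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when the attachment is double-clicked.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".hta", ".vbs", ".js")


def suspicious_attachments(raw: bytes) -> list:
    """Return (filename, declared_type, reasons) for each suspicious part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        reasons = []
        # Check the real last extension: "figures.doc.scr" is a screensaver
        # executable even if the mail client hides the ".scr".
        if name.endswith(EXECUTABLE_EXTS):
            reasons.append("executable extension")
        # The declared Content-Type is attacker-controlled; the magic is not.
        if data[:2] == b"MZ":
            reasons.append("PE header")
        if reasons:
            findings.append((name, part.get_content_type(), reasons))
    return findings


def build_sample() -> bytes:
    """A legitimate outgoing message with an extra attachment appended, as a
    worm piggybacking on the user's mail would do (constructed, not real)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q1 figures"
    msg.set_content("Bob, the spreadsheet is attached.")
    msg.add_attachment(b"col1,col2\n1,2\n", maintype="text",
                       subtype="csv", filename="figures.csv")
    # Mislabelled as a Word document, but the payload starts with MZ.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="msword", filename="figures.doc.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, reasons in suspicious_attachments(build_sample()):
        print(f"{name} ({ctype}): {', '.join(reasons)}")
```

Feed `suspicious_attachments` the raw bytes of each message leaving the gateway; both checks are independent, so a renamed executable with a benign extension is still caught by its header and a script with no magic bytes is still caught by its extension.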

Thursday, January 26, 2006

Kama Sutra Worm Malware Attack Due February 3

Security Experts Warn of Kama Sutra Worm
To address what is so far the most expansive malware attack in 2006, speculation among security vendors and researchers has focused on the destructive nature of the worm. Unlike most viruses currently in the wild, the Kama Sutra code is not intended to reap the code writer a windfall of ill-gotten gains.

Security analysts are warning computer users about a new and potentially destructive Internet worm that can obliterate important documents. The worm, called Kama Sutra, is making the rounds now, but is scheduled to execute its first massive attack on February 3.

Detected last week, the malicious worm targets computers running Windows and spreads primarily by copying itself to shared network locations and then sending itself to e-mail addresses found on afflicted computers. With subject lines that read "the best videoclip ever," "give me a kiss," and "school girl fantasies gone bad," the worm entices computer users to open the attached file.

"This worm feeds on people's willingness to receive salacious content on their desktop computer, but they could be putting their entire company's data at risk," said Graham Cluley, senior technology consultant at Sophos.

According to Sophos, on the third of each month, the worm will attempt to disable existing antivirus and firewall software and also will delete specific files, such as Microsoft Office documents.

Waxing or Waning Threat
The worm -- also known as Blackworm, Nyxem-D, and W32.Blackmail.E, among others -- was said by Sophos to be the most frequently sighted e-mail worm last week. Sophos statistics indicate that, within the last 24 hours alone, the worm has accounted for some 23 percent of all virus reports.

There are disagreements in the security industry about the severity of the worm, with Symantec and F-Secure taking different positions on the issue. Controversy stems from interpreting one of the worm's most intriguing features: a Web counter. Once the worm infects a new computer, it accesses a Web page on which there is a counter. The counter number increases whenever the Web page is accessed.

Andrew Jaquith, a Yankee Group senior analyst, said that most reports indicate that the counter had risen already to 700,000, which could indicate that nearly a million computers are infected.

Much of the speculation in the industry about the potential for damage done by the Kama Sutra worm centers on the counter number -- which might represent unique machines or accesses to the counter page by the same machine more than once. One of the things that is "sorely lacking" with mass outbreak malware like the Kama Sutra worm, Jaquith said, is any real sense of how many machines are compromised.

"We still don't know, for example, how many machines were really affected by the WMF vulnerability," he explained. "The antivirus vendors don't seem to know either, or are unwilling to divulge much -- possibly because it would expose gaps in their signature coverage."

Back to Old-School
Speculation among security vendors and researchers about what is so far the most expansive malware attack of 2006 has focused on the worm's destructive nature. Unlike most viruses currently in the wild, the Kama Sutra code is not designed to earn its author anything; it was written to create mayhem by destroying documents.

"The reason why experts at Sophos believe the worm is likely to have been written by an old-school hacker rather than an organized criminal is its destructive payload," Cluley explained. "That kind of destructive behavior is not typical of financially motivated worms because the damage is too obvious to the end user."

Frost & Sullivan analyst Rob Ayoub said he is not convinced that the worm represents the work of an old-school hacker. This worm is something that the industry has not seen in about a year. "This is just something we haven't seen in a while. It's not a botnet or a zombie. It's a throwback to malware that only seeks to create havoc."

ActiveX Controls
Of greater concern, said Ayoub, is the worm's ability to deceive Windows into receiving a malicious ActiveX control by providing a phony digital signature. Discovered originally by Fortinet, the worm apparently adds some 18 entries to the Windows Registry, allowing it to insert an ActiveX control that can circumvent Windows' defense mechanisms.

The development is interesting, Ayoub said, because, heretofore, the assumption has been that if a piece of software has a digital signature, then it is safe. Ayoub said Microsoft will need to take a serious look at digital-signature technologies.

"In the past, it has always been if the company signs it, then it must be authentic," Ayoub said. "Microsoft needs to look at the digital signing process or else we will see more things like this and that is pretty dangerous because that gets around some of the safeguards that are supposed to keep these things out."

Analysts are urging computer users, especially home users, to make sure that they have up-to-date antivirus software installed on their machines. "There should be no excuse for any data being lost on February 3 by this worm, but there is always the danger that some home users will not have heard that warning," Cluley said.

Tuesday, January 24, 2006

Notre Dame Reports Donor Database Hack

Notre Dame investigating computer hack

The University of Notre Dame was investigating apparent computer hacking that might have gained access to images of checks sent to the university by donors. Security software discovered the intrusion on a server housing donor data on Jan. 13, university spokeswoman Hilary Crnkovich said.

The hacking occurred Jan. 13. Crnkovich said checks received between Nov. 22 and Jan. 12 might have been viewed by outsiders because of the breach, but declined to say how many donors may have been affected.

``There was potential -- and this is what one can never quantify -- this information was accessed by an intruder,'' Crnkovich said. ``We don't know if someone who took a look at the information on the server used that information.''

The university sent letters and e-mails to donors whose personal information may have been accessed.

The university set up a Web site offering tips to donors who may have been affected at www.nd.edu/support and started a toll-free hot line at (866) 640-7118.

Several donors have already contacted the university after receiving the e-mail, but no one has reported their financial records had been affected, Crnkovich said.

FBI Pegs Cyber-crime Cost at $67 Billion

Last year, cyber-crime caused $67 billion in damages in the US alone, as revealed in a report carried out by the FBI, which is reported in several publications including Vnunet.com and Government Technology.

The findings of the study carried out by the FBI were based on a poll of 2,066 organizations.

Nearly 90 percent of these organizations confirmed that they had experienced a security incident in the last twelve months, and 20 percent of them had suffered 20 attacks or more.

As regards the financial impact of these incidents, 64 percent of respondents incurred average losses of 24,000 dollars per case.

The list of most common attacks is headed by viruses (83.7%), followed by spyware (79.5%). Over one in five of the organizations interviewed confirmed that they had suffered from port scan incidents and data sabotage.

Forty-four percent of intrusions reported by the companies interviewed by the FBI came from within the organization, which demonstrates the need to pay attention to the security of internal networks.

Monday, January 23, 2006

Botnet Hacker Sentenced to 4 Years In Prison

California Man Pleads Guilty to Felony Hacking
A 20-year-old hacker pleaded guilty Monday to surreptitiously seizing control of hundreds of thousands of Internet-connected computers, using the zombie network to serve pop-up ads and renting it to people who mounted attacks on Web sites and sent out spam.

Jeanson James Ancheta, of Downey, Calif., pleaded guilty in Los Angeles federal court to four felony charges for crimes, including infecting machines at two U.S. military sites, that earned him more than $61,000, federal prosecutor James Aquilina said.

Under a plea agreement, which still must be approved by a judge, Ancheta will receive from 4 years to 6 years in prison, forfeit a 1993 BMW and more than $58,000 in profit and pay $19,000 in restitution to the federal government, according to court documents. He is to be sentenced May 1.

Prosecutors called the case the first to target profits derived from the use of "botnets," large numbers of computers that hackers commandeer and marshal for various nefarious deeds, their owners unaware that parasitic programs have been installed and are being run by remote control.

Botnets are being used increasingly to overwhelm Web sites with streams of data, often by extortionists. They feed off of vulnerabilities in computers that run Microsoft Corp.'s Windows operating system, typically machines whose owners haven't bothered to install security patches.

A November indictment charged Ancheta with 17 counts of conspiracy, fraud and other crimes connected to a 14-month hacking spree that started in June 2004 and that authorities say continued even after FBI agents raided his house the following December.

"Part of what's most troubling about those who commit these kinds of offenses is they think they'll never be caught," said Aquilina, who spent more than a year investigating Ancheta and several of Ancheta's online associates who remain uncharged co-conspirators.

Ancheta's attorney, federal public defender Greg Wesley, did not immediately return phone calls seeking comment.

The guilty plea comes less than a week after the FBI released a report that estimates viruses, worms and Trojan horse programs like the ones Ancheta employed cost U.S. organizations $11.9 billion each year.

November's 52-page indictment, along with papers filed last week, offer an unusually detailed glimpse into a shadowy world where hackers, often not old enough to vote, brag in online chat groups about their prowess in taking over vast numbers of computers and herding them into large armies of junk mail robots and arsenals for so-called denial of service attacks on Web sites.

Ancheta one-upped his hacking peers by advertising his network of "bots," short for robots, on Internet chat channels.

A Web site Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of Web site.

In July 2004, he told one chat partner he had more than 40,000 machines available, "more than I can handle," according to the indictment. A month later, Ancheta told another person he controlled at least 100,000 bots, and that his network had added another 10,000 machines in a week and a half.

In a three-month span starting in June 2004, Ancheta rented out or sold bots to at least 10 "different nefarious computer users," according to the plea agreement. He pocketed $3,000 in the process by accepting payments through the online PayPal service, prosecutors said.

Starting in August 2004, Ancheta turned to a new, more lucrative method to profit from his botnets, prosecutors said. Working with a juvenile in Boca Raton, Fla., whom prosecutors identified by his Internet nickname "SoBe," Ancheta infected more than 400,000 computers.

Ancheta and SoBe signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.

Prosecutors say Ancheta and SoBe then installed the ad software from the two companies — Gamma Entertainment of Montreal, Quebec, and Loudcash, whose parent company was acquired last year by 180Solutions of Bellevue, Wash. — on the bots they controlled, pocketing more than $58,000 in 13 months.

"It's immoral, but the money makes it right," Ancheta told SoBe during one online chat, according to the indictment.

"I just hope this (Loudcash) stuff lasts a while so I don't have to get a job right away," SoBe told Ancheta during a different conversation.

Aquilina, the assistant U.S. attorney prosecuting the case, wouldn't say whether authorities plan to charge SoBe or any of the people accused of renting out Ancheta's bots, many of whom are described as "unindicted co-conspirators."

During the course of their scheme, Ancheta and SoBe infected U.S. military computers at the China Lake Naval Air Facility and the Defense Information System Agency headquartered in Falls Church, Va., according to a sworn declaration signed by Ancheta.

Copyright © 2006 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.

Trojan Horse Viruses Attack Cell Phones

New Trojan Horses Threaten Cell Phones
Three new malicious programs are hitting certain mobile phones, antivirus companies have warned. The Trojan horses, or programs that are disguised as legitimate applications, spread via Bluetooth or multimedia messages and can affect phones running the Symbian operating system.

The infection rate so far from the new malware is low, Symantec reported in threat warnings issued last week.

The Bootton.E Trojan horse was spotted last week by F-Secure and Symantec and is perhaps the most potentially crippling of the three to those infected. The program restarts the mobile device but it also releases corrupted components that cause the reboot to fail, leaving the device unusable.

The Pbstealer.D Trojan sends an infected user's contact list, notepad, and calendar to-do list to other nearby users via Bluetooth. The third Trojan, Sendtool.A, sends malicious programs such as the Pbstealer Trojan to other devices via Bluetooth.

Symantec and F-Secure both admit that these Trojans are unlikely to spread very widely.

"They don't spread quickly because they're not purely autonomous," says Ollie Whitehouse, a researcher with Symantec. Unlike worms on computers, which spread without users knowing, the Trojan horses hitting cell phones spread as attachments that require users to download and install them.

In the Works?

So far, worms haven't hit mobile phones but it's very likely that people who write viruses are working on them, says Anton Von Trover, marketing manager for F-Secure.

Because current threats are caused by what David Wood, executive vice president of research at Symbian, calls user weakness, antivirus software for mobile devices isn't necessary. "Unlike the case on desktop PCs where you need to have a firewall and antivirus software and you have to keep them up to date, that's not necessary on phones," says Wood.

But with the looming threat of vulnerabilities being found by malicious code writers, enterprises should do a better job preparing for the future, says Rob Bamforth, an analyst with Quocirca. His research shows that enterprises are much more lax about securing mobile handheld devices than laptops.

He advises enterprises to create a policy around securing such devices. Currently, that policy might not include antivirus software because the incidence of viruses seems to be low.

"But there will be a problem so they have to take the issue seriously while not necessarily taking every announcement seriously," Bamforth says. He cautions that historically, most reports of viruses on handheld devices have come from antivirus software firms and not end users, an indication that infection rates are probably quite low.