Friday, February 17, 2006

Bagle.GZ Virus & New Mac OSX Oomp.A Trojan

This week's report focuses on the updates released by Microsoft to correct several security flaws. As well as the W32/Bagle.GZ.worm, we can also highlight the appearance of OSX/Oomp.A, a worm that affects Mac OS X.

On February 14, Microsoft published seven updates for Windows and Office, two of which are classified as critical. The first update, MS06-004, fixes a critical vulnerability in the Graphics Rendering Engine (generally exploited using a WMF file) on computers running Windows 2003/XP/2000/Me/98.

This flaw allows remote execution of arbitrary code on vulnerable systems. The second critical update, MS06-005, corrects problems in Windows Media Player on computers running Windows 2003/XP/2000/Me/98.

This flaw also allows remote execution of arbitrary code on vulnerable computers. Successful exploitation of these vulnerabilities allows attackers to gain remote control of the affected computer, with the same privileges as the logged-on user.

If this user has administrator rights, the attacker would have complete control of the system, which puts the computer at serious risk.

As well as these two updates, Microsoft has also released five other updates, which are not classified as critical.

The first malicious code in today's report is Bagle.GZ, a worm that drops the Downloader.HRV Trojan on the affected computer; the Trojan then accesses several web pages to display advertising.

In order to spread, Bagle.GZ sends an email message that tries to get the user's attention by referring to the Winter Olympics being held in Turin until February 26. When the user opens the file attached to the message, it displays a message to trick the user into thinking that a system error has occurred, while it makes several copies of itself in the system folders.

The Trojan Banbra.BTM is used to steal the passwords of users of the NetEmpresa service belonging to the Brazilian bank Bradesco. As well as passwords, this Trojan steals the digital certificates (files with a CRT extension) and keys (files with a KEY extension) that users rely on to access their current accounts from their computers.

Thanks to the work of PandaLabs, this Trojan has been deactivated, as the website hosting the malicious code has been closed. The code was distributed by a mass-mailed email message claiming to come from an employee of Bradesco NetEmpresa, which prompted the user to download it.

Finally, we will look at a worm called OSX/Oomp.A. This malicious code is developed for the Mac OS X operating system. It replaces other programs with a copy of itself that includes the original program among its resources.

When it is run, this replacement file runs the malicious code and then tries to execute the original program.

However, due to programming errors, the original program is not launched correctly. This worm spreads via instant messaging in a file called 'latestpics.tgz'.

Thursday, February 16, 2006

Spyware Exploits Found on 1.5% of Web Pages

"Drive-by" Spyware Downloads Attack You From 1.5% of Web Pages

The Internet is becoming increasingly risky for novice users. You have to protect your PC and browser from "drive-by malware downloads" because so many sites automatically exploit the gaping security holes in Internet Explorer.

A study recently published by a group of researchers at the Department of Computer Science and Engineering at the University of Washington has found that 1.5 percent of the URLs studied exploited flaws in Internet Explorer to install spyware without the user's permission.

Although 1.5 percent may seem a very small percentage, it means that one in every 67 web pages analyzed included malicious content to exploit vulnerabilities in the browser.

The study, available at http://www.cs.washington.edu/homes/gribble/papers/spycrawler.pdf, examined 18 million URLs in May and October last year, which also allowed the evolution of the threat over time to be studied.

This study is particularly interesting because of the diversity of the data it offers, analyzing many websites by category and type of executable file downloaded (keyloggers, dialers, Trojans, adware or browser hijackers).

The study also shows that a large number of the executable files downloaded contained several attack functions. In May of last year, the most common attack was adware, whereas by October adware had declined relative to browser hijackers, which had become the most common at 85 percent of detections.

Wednesday, February 15, 2006

Cyber Fraud - Bot Networks Churn Out Adware

Adware Bot Network Churns Out Big Profits

The end of the 90s saw the famous 'dotcom' boom, a period which moved enormous amounts of money into the Internet. But it didn't last long. The bubble burst as quickly as it was formed.

However, the Internet is still a good source of income for many cyber-criminals who take advantage of the Internet and its users to commit fraud, theft and other crimes.

A clear example is Jeanson James Ancheta. After creating a network of bots (computers infected with code that obeys external commands) that took in 40,000 computers, he installed adware on them without the users realizing it.

The network of bots started to generate income for its creator. Without users being aware, the bots displayed advertisements for which Jeanson James Ancheta received considerable payments; in some cases he received up to $60,000 from a single company.

We urge all of our readers to check their computers for malicious code that their current antivirus solution has not detected.

The danger of forming part of a fraud network is not just theoretical but, as seen here, very real. A simple piece of code can turn computers into zombies and make them part of fraud scams, or simply allow user information (including bank account access details) to be stolen.

Check your computer for adware and malware with the free tools listed in our resource links.

Tuesday, February 14, 2006

Microsoft Patches Windows Media Player

Critical Security Patch Released For Windows Media Player

Microsoft has announced a new collection of updates for today. Some of the problems corrected are considered critical, i.e. they could seriously affect the security or stability of systems.

The first update applies to Microsoft Windows Media Player and is one of those described as critical. In order not to divulge details of this vulnerability, Microsoft has treated it discreetly. For Microsoft Windows there are four updates, one of them critical.

Microsoft has not revealed too much information in this case either. The other two corrections apply to Windows and Office (classified as "important").

The reduced amount of information about these corrections is no doubt part of an attempt to avoid "zero-day exploits".

These exploits are generated the same day the vulnerability appears, so users are unable to update their systems in time and could become victims of the exploit.

To avoid this type of threat, computers need to have intelligent protection installed that can detect unknown malicious code, such as zero-day exploits.

Currently, the danger of these exploits does not lie in actions such as deleting files, which were typical of older malicious code. There is now an increasing number of threats designed to generate financial gain at the expense of unprotected users, either through the installation of adware and spyware or by directly stealing bank details.