Saturday, March 04, 2006

Weekly Antivirus & Trojan Alert

This week's report looks at a peculiar Trojan: RedBrowser.A. This Trojan combines two trends that seem to be establishing themselves in 2006: malicious code for cell phones and the malware-based business model.

As announced by PandaLabs in its reports on viral trends (available at www.pandasoftware.com/pandalabsreport), we are now witnessing a new trend in malicious code. In place of traditional actions such as deleting files, hackers are out to get financial returns from their creations.

With this in mind, the creator of RedBrowser.A has designed an application that simulates access to WAP pages through free SMS messages.

What really happens, though, is that a message is sent through the Short Message Service (SMS) to the number 1615. Sending a message to this number is charged at a premium rate in Russia, providing lucrative returns for the service provider.

However, before sending the message, the user is asked for confirmation, thereby greatly reducing the potential danger of RedBrowser.A.

In addition, it is easy for users to recognize the Trojan, as it reaches the phone in a file normally called REDBROWSER.JAR, and displays an on-screen image.

Another clear example of the malware business model is provided by the Nabload.BR and Banker.CDV Trojans.

Nabload.BR is a Trojan which bypasses the Windows XP firewall to access the Internet without restriction, in order to take actions including downloading Banker.CDV.

This password-stealing Trojan monitors whether users access web pages belonging to several online services, such as banks and mail services in English and German.

In this way, it gets passwords, security data, information about the user and other confidential data. Then, it sends the information gathered to a certain web page.

Friday, March 03, 2006

Apple Patches Mac OS X Security Holes

Apple has issued a security update for Mac OS X to fix up to 15 different vulnerabilities. Those fixes are available at http://www.apple.com/support/downloads/

Many of them address flaws that could lead to various security problems, such as denial of service, arbitrary code execution, arbitrary file overwriting with "root" privileges, buffer overflows, etc.

The patches are applied to several components, including the PHP Apache module, IPSec services, WebKit and Safari.

We suggest that readers update their systems, after first taking the appropriate backup precautions to avoid the malfunctions that an incorrect patch application could cause.

The full information disclosed by Apple is available at http://docs.info.apple.com/article.html?artnum=303382

Thursday, March 02, 2006

Top Ten Viruses in February

For the ninth month running, Sdbot.ftp was the malware most frequently detected by the free, online antivirus Panda ActiveScan (www.activescan.com) on the computers of users around the world.

Similarly, there has been a significant number of detections of Netsky.P, one of the oldest examples of malware in the ranking.

Among the rest of the threats detected, the third place occupied by Metafile confirms that the vulnerability in the processing of WMF files is being actively exploited.

Meanwhile, Tearec.A remains in fourth place, after the commotion caused last month by its activation on the third of every month.

During February, Sdbot.ftp was responsible for 2.48 percent of infections. Then came the veteran Netsky.P (1.28%), followed by other more recent threats such as Metafile (1.24%), Tearec.A (0.95%), Sober.AH (0.85%) and Bagle.GS (0.84%).

Finally, with less significant frequency rates, came Qhost.gen, Gaobot.gen, Alcan.A and Parite.B.

The continuing rise of worms is of particular significance in this month's Top Ten.

While in December, six out of ten of the threats most frequently detected by Panda ActiveScan were worms, this rose in January to seven out of ten and now in February eight out of ten.

The clearest example of the success of worms is Tearec.A (CME-24), also known as Kamasutra, which spread widely using, as is common with this type of threat, social engineering techniques, in this case the lure of e-mails with erotic content.

And once again social engineering is the main factor behind the persistence of Sober.AH, a worm that caused an Orange Alert status at the end of November, and comes in the guise of, among other things, a warning from the FBI.

Another code that stands out is Metafile, an exploit written specifically to take advantage of a security hole in GDI32.DLL, a library used by programs such as Windows Picture and Fax Viewer. The flaw affects the following Windows platforms: 98, Millennium Edition (ME), 2000, XP and Server 2003.

This confirms that malware creators are taking advantage of the latest vulnerabilities - in this case one affecting processing of WMF files - in order to spread their creations.

Wednesday, March 01, 2006

DOE Employee Pleads Guilty To Hacking

Kenneth Kwak, 34, of Chantilly, Va., pleaded guilty today in the District of Columbia federal court before U.S. District Judge Royce Lamberth to a one-count information charging him with unauthorized access to a protected computer in furtherance of a criminal or tortious act, Assistant Attorney General Alice S. Fisher of the Criminal Division and U.S. Attorney Kenneth L. Wainstein for the District of Columbia announced today.

According to a statement of facts filed with the guilty plea, Kwak was a system auditor working on federal information security management audits as a member of the Department of Education's Office of Inspector General.

Kwak placed software on his supervisor's computer which enabled him to access the computer's storage at will.

He later used that access on numerous occasions to view his supervisor's e-mail and Internet activity as well as other communications, and to share those communications with others in his office.

Kwak carried out his crime and invaded his supervisor's privacy for personal entertainment; there is no indication he profited financially from his actions.

"This case is an example of our zero-tolerance approach to public corruption and computer hacking, and highlights the excellent working relationship between our office and the Computer Crime and Intellectual Property Section of the Criminal Division," said U.S. Attorney Wainstein.

Kwak faces a maximum penalty of five years in prison and a fine of $250,000 for the crimes to which he pleaded guilty. A sentencing date has been set for May 12, 2006.

The matter was investigated by the Computer Crime Investigations Division of the Department of Education's Inspector General's Office.

The case was prosecuted by Senior Counsel William Yurek (cross-designated as a Special Assistant U.S. Attorney in the D.C. U.S. Attorney's Office), along with assistance by Trial Attorney Howard Cox, both of the Computer Crime and Intellectual Property Section in the DOJ Criminal Division.

The prosecution was part of the "zero-tolerance policy" recently adopted by the U.S. Attorney's office regarding intrusions into U.S. government computer systems.

Tuesday, February 28, 2006

Ernst & Young Loses Laptops With Client Data

Once again, Ernst & Young has admitted to losing laptops containing sensitive client information.

On this occasion, four laptops were lost or stolen when a group of Ernst & Young employees left a client's offices to go to lunch on February 9, leaving their laptops in the company's conference rooms.

According to reports, minutes later two men entered the rooms, and carried off the four Dell computers valued at around 7,000 euros.

This kind of theft is of serious concern, as the consultancy's employees' laptops often contain confidential client information, such as Social Security numbers or other personal information, as in the previous case in which a laptop was stolen from an Ernst & Young employee's car.

In this case, one of the affected clients was Scott McNealy, CEO of Sun Microsystems, whose Social Security number was compromised in this incident.

It is not known what type of security Ernst & Young had implemented on the four missing laptops, although it maintains that the laptop in the previous case (with McNealy's information) was password protected.

If the computers are recovered in this type of incident, it is important to run a full scan of the system, as it could easily have been infected with malware.

Moreover, unknown software could have been installed, so before the computer is used again it should be scanned with a proactive system for detecting new malicious software.

Sunday, February 26, 2006

Weekly Virus Threat Report

This week's report focuses on four malicious codes. The first of these, following in the wake of the code that was reported last week for Mac OS X, is Inqtana.A. We're also looking at the bot SpyBot.AAV and the Trojan Torpig.AE, both of which are designed for stealing confidential information, as is Briz.A, which has led to the uncovering of a complex network for creating data-stealing Trojans.

Inqtana.A is a worm that only affects computers running Mac OS X 10.4. It has no destructive payload; it only spreads itself (via Bluetooth) in order to reach as many computers as possible. If the affected user accepts it, or the system is configured to accept requests without the user's approval, Inqtana.A copies its files into the default file exchange directory.

If the computer is also affected by the CAN-2005-1333 vulnerability, Inqtana.A copies its files into a special folder of the operating system. In this way, the worm ensures that it is run whenever the computer is started.

SpyBot.AAV and Torpig.AE collect a range of information from computers, such as the IP address, free memory space, operating system, RAM, microprocessor speed, etc. They then send this information back to their creators so they can install more Trojans to hijack data, reroute browsers and trigger ads from which they benefit.

However, the most notable code this week is Trj/Briz.A, not so much for the code itself, but for the network of crimeware that has been discovered thanks to this Trojan. The code collects information about passwords and activity on the computer that it has infected.

The designers of Briz.A are part of the new business model arising among the creators of malware. Instead of creating code purely for fun, they are now doing so for financial gain, either by selling the code (a customized version of Briz.A is on offer for $990) or by fraudulently using the data obtained.

Everyone needs to make sure their computer is secure. Use the menu links to access free tools for protecting your PC or to compare the top protection programs.