Saturday, April 15, 2006

Current Viruses and Intrusions

Weekly report summarizing the most significant events in the world of computer viruses and intrusions.

This week's report examines a malicious code that can infect both Linux and Windows platforms, as well as the vulnerabilities corrected by Microsoft in its latest security bulletins.

The malicious code called Biwili.A stands out for its ability to infect both Linux and Windows platforms. Despite claims in the media to the contrary, this capability is not entirely new: in 2001 a malicious code called "ELF/Winux.2784" appeared which was also able to infect both platforms.

Biwili.A is not an ordinary malicious code, as it falls into the category of "proof of concept".

This means that it is really a test, so that other malicious code can be created using the techniques employed to craft Biwili.A. It infects PE (Portable Executable) and ELF (Executable and Linking Format) files in the directory in which it is located.

Interestingly, PandaLabs has explained that this is an "old school" virus, unlike the Trojans or worms frequently seen nowadays: in order to spread it infects executable files by adding its code after the file header, a typical trait of classic viruses.

Fortunately, Biwili.A has no destructive effects and merely serves to demonstrate its capabilities.

It is a proof of concept highlighting the fact that it is possible to create a virus that can affect both Linux and Windows platforms.

Nevertheless, it is possible that in the future we will see malicious code based on the concept of Biwili.A.

On the other hand, Panda Software's weekly report on viruses and intruders also looks at the security bulletins released by Microsoft. These bulletins provide five updates for the company's products.

The first of these (bulletin MS06-013) is the much-awaited cumulative update for Internet Explorer, correcting serious vulnerabilities through which an attacker could take control of a compromised system. An attacker could therefore install programs with serious consequences or carry out any task without the user realizing.

The second, in bulletin MS06-014, corrects a flaw in MDAC (Microsoft Data Access Components) that could also allow a remote attacker to run code on affected systems (Microsoft Data Access Components on Microsoft Windows 2000, Windows Server 2003 and Windows XP).

A third vulnerability, also critical as it allows remote code execution, affects Windows Explorer and is described in "Microsoft Security Bulletin MS06-015".

It affects Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows 98 and Windows ME. Other vulnerabilities, rated less serious by Microsoft, affect Outlook Express (described in bulletin MS06-016) and FrontPage Server Extensions (bulletin MS06-017).

Friday, April 14, 2006

Free PC Security eBook

Good info on how to protect your PC from viruses, adware, spyware, phishing attacks, spam, and browser hijacks.

Plus it's free!

http://www.spamvirushelp.com/free-ebook.html

Thursday, April 13, 2006

PHPList Vulnerability

A critical vulnerability has been detected in PHPlist (http://tincan.co.uk/phplist), a double opt-in newsletter manager, which could allow a remote attacker to execute arbitrary code and compromise the security of the hosting system.

The problem stems from a lack of validation or normalization of data received through several input parameters.

This is a typical and well-known class of vulnerability in Web applications; the same root cause is exploited, for example, through SQL injection in online forms.

In the case we are looking at here, the affected parameters are "database_module" and "language_module".

If the "register_globals" option is enabled, PHP turns request parameters into global variables, so a remote user could construct a URL that sets these variables and thereby execute arbitrary code on the server hosting the vulnerable PHPlist application.

According to the original advisory, the vulnerability would affect PHPlist versions 2.10.2 and earlier.

Until a new version or official patch is available to correct the problem, users are advised to disable the "register_globals" option or modify the code to properly filter the affected parameters.
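The pattern behind this class of bug, and the filtering the advisory recommends, as an added example that is not PHPlist's own code. It assumes a hypothetical modules/ directory, a fixed list of legitimate module names (ALLOWED_MODULES) and the function names shown; the query string in the comment is likewise an illustrative construction.

```php
<?php
// Added example, not PHPlist's own code. It shows why an unvalidated module
// parameter reaching require_once is exploitable under register_globals, and
// an allowlist filter that closes the hole whatever php.ini says.
// ALLOWED_MODULES, the modules/ directory and the function names are assumptions.

const ALLOWED_MODULES = ['mysql', 'pgsql', 'sqlite'];

// Vulnerable pattern. With register_globals = On, a request such as
//   index.php?database_module=../../../../tmp/attacker   (hypothetical)
// defines $database_module before the application ever assigns it, so the
// concatenated path escapes modules/ and require_once runs whatever PHP the
// attacker has managed to place on disk. The same applies to $language_module.
// The value would arrive as a global; it is passed as a parameter here only
// so the function can be read in isolation.
function load_module_unsafe(string $database_module): void
{
    require_once __DIR__ . '/modules/' . $database_module . '.php';
}

// Hardened: never build a path from request data. Accept only an exact match
// against a fixed set of names (strict in_array, so "mysql\0", "MYSQL" or
// "mysql/../x" are all rejected) and throw before any file is touched.
function select_module(string $requested): string
{
    if (!in_array($requested, ALLOWED_MODULES, true)) {
        throw new InvalidArgumentException('unknown module: ' . $requested);
    }
    return $requested;
}

function load_module_safe(string $requested): void
{
    $name = select_module($requested);
    require_once __DIR__ . '/modules/' . $name . '.php';
}

// Run the filter over the kind of values an attacker would send (constructed
// sample input). Only the first candidate is accepted.
$candidates = ['mysql', '../../../../tmp/attacker', "mysql\0", 'MYSQL', ''];
foreach ($candidates as $candidate) {
    try {
        printf("%-32s -> accepted: %s\n", json_encode($candidate), select_module($candidate));
    } catch (InvalidArgumentException $e) {
        printf("%-32s -> rejected\n", json_encode($candidate));
    }
}
```

Disabling register_globals removes the entry point, but initialising every configuration variable before use and allowlisting anything that selects a file to include are the fixes that survive a misconfigured php.ini, which is why the advisory offers both options.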

Wednesday, April 12, 2006

Five New Microsoft Security Patches

Microsoft has released five updates for its products.

The first of these, according to "Microsoft Security Bulletin MS06-013", is the much-awaited cumulative update for Internet Explorer, correcting serious vulnerabilities through which an attacker could take control of a compromised system, installing programs with serious consequences or launching tasks without the system owner realizing.

The second, in bulletin MS06-014, corrects a flaw in MDAC (Microsoft Data Access Components) that could also allow a remote attacker to run code on affected systems (Microsoft Data Access Components on Microsoft Windows 2000, Windows Server 2003 and Windows XP).

A third vulnerability, also critical as it allows remote code execution, affects Windows Explorer and is described in "Microsoft Security Bulletin MS06-015".

It affects Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows 98 and Windows ME. Other vulnerabilities, rated less serious by Microsoft, affect Outlook Express (described in bulletin MS06-016) and FrontPage Server Extensions (bulletin MS06-017).

We would like to draw readers' attention to the seriousness of these problems and remind them to install the updates as soon as possible. In this case it is particularly important: by allowing the installation of programs, these vulnerabilities create the perfect environment for the entry of new malware used in cyber-crime.

Further information about these bulletins is available at: http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx

Sunday, April 09, 2006

Current Virus & Trojan Attacks

This week's report about viruses and intruders reflects the current trend towards the criminalization of malware.

The creators of malicious code, bored perhaps with the futility of their craft, have chosen to concentrate their efforts on digital theft.

The first example, the Banbra.BZY Trojan, monitors Internet Explorer windows for certain texts, to see if the user is accessing certain online banking services.

If so, the user is shown a web page identical to the one they were trying to access, which asks them to enter their credentials.

In this way, the creator of the malicious code can obtain the information needed to access the bank account as if they were the legitimate account holder.

Banbra.BZY does not spread automatically under its own steam, in the way that worms or traditional viruses do, but needs to be installed deliberately on the system.

This technique can be highly dangerous, as a criminal can use this code against a chosen user (or company), which clearly places it in the category of targeted attack.

Panda Software has created an animation to highlight the dangers of this type of attack and which is available at: http://www.pandasoftware.es/descargas/presentacionataques.

The next example of malware we are looking at in this week's Panda Software report is Mytob.NP.

This worm, once installed on a computer, connects to another system to receive commands, through which an attacker could take complete control of the compromised computer.

To avoid detection, Mytob.NP terminates certain security processes, including those belonging to antivirus and firewall applications.

Mytob.NP reaches computers in a message that appears to come from the security department of the domain of the target user's mail account.

This false message tries to get users to visit an apparently inoffensive website that really points to a web page from which the malicious code is downloaded.

Finally, this week's report looks at data provided by PandaLabs on KurtAgent.A, a password-stealer Trojan.

This Trojan logs users' keystrokes and can therefore record passwords as they are entered. It also collects other types of information, such as the addresses of websites visited, email accounts, etc.

KurtAgent.A also uses other malicious code to obtain information, and it needs to be spread by an attacker as it cannot spread itself automatically.