Saturday, May 06, 2006

Current Virus Threats

A worm, Nugache.A, the backdoor Trojan Hiviti.A and the Banker.CTD Trojan are the focus of this week's report.

Nugache.A can spread in three different ways: by exploiting the known LSASS and RPC DCOM vulnerabilities in Windows, through the popular MSN Messenger application, or via email.

When installed on a computer, Nugache.A creates a copy of itself in the Windows system directory, in a file with the name MSTC.EXE.

In addition, it generates several Windows registry entries. Having done this, it opens several communication ports to connect to a series of IP addresses from which it receives remote instructions over a P2P network, allowing an attacker to take malicious action on the affected system.

Hiviti.A is a backdoor Trojan that cannot spread on its own, but requires the intervention of a malicious user. When it is installed on a computer, it creates a copy of itself under the name LOADCNTR.EXE, makes new entries in the Windows registry, and injects itself into the explorer.exe process so that it is not noticed by users.

Once resident, the Trojan logs the keystrokes made by the user, thereby capturing all types of confidential information, such as user names, passwords, etc. The data collected is then sent to certain predetermined email addresses.

We finish this week's report with Banker.CTD, a new banker Trojan, i.e. one designed to steal confidential data related to online banking services. Banker.CTD waits for the user to access web pages belonging to certain banks, including Banking, Bradesco, NetBanking, Santander and Sudameris, in order to log the data entered by the user.

It then sends the data to a certain email address. Banker.CTD requires the intervention of an attacker in order to reach computers. The means of distribution used vary and include floppy disks, CD-ROMs, email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file sharing networks, etc.

Wednesday, May 03, 2006

April Top 10 Viruses

April could be described as a calm month with respect to virus epidemics, but appearances can deceive.

Thousands of malicious codes are awaiting the opportunity to install themselves on the computers of unwary users.

This relative calm is what the creators of malware are looking for, as they are now driven by the potential of financial return and are well aware that clamorous epidemics do not serve their objectives.

For this reason, they try to insert their creations on users' computers as discreetly as possible.

In April, Sdbot.ftp once again occupied first place in the ranking. This is a script used by the Sdbot family of worms to download themselves onto computers via FTP.

After this, the next most frequently detected malicious code was Netsky.P, which has figured in the ranking for the last two years.

Exploit/Metafile was in third place. This is the detection of an exploit of the vulnerability in the processing of WMF files in Windows.

From this it can be deduced that, although the vulnerability has not been used to cause massive epidemics, malware creators view this security problem as a good way to insert their creations on users' computers, and for this reason they have been using it assiduously.
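Since Exploit/Metafile is a detection of exploit files rather than of a worm, it is worth showing what such a detection actually looks for. The following is an added example, not code from this report or from the vendor behind it: a minimal WMF record walker in Python that flags META_ESCAPE records carrying the SETABORTPROC escape. It assumes, which the report does not state, that the vulnerability in question is the one exploited through that escape, where the escape data is registered as an abort procedure callback and later executed. The two sample metafiles, the placeable header and the placeholder payload bytes are constructed inline and are not real files from the wild.

```python
"""Walk the record stream of a WMF file and flag META_ESCAPE records whose
escape function is SETABORTPROC. Added example; assumes the Exploit/Metafile
detection above refers to the SETABORTPROC-based WMF exploits (the report
itself does not name the mechanism)."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header in front of the real one
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # printer escape that registers an abort callback


def iter_wmf_records(data):
    """Yield (function, params) per WMF record. Raises ValueError when the
    header is not a WMF header or a record's declared size overruns the file."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                    # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    hdr_type, hdr_words = struct.unpack_from("<HH", data, off)
    if hdr_type not in (1, 2) or hdr_words != 9:    # 1 = in-memory, 2 = on-disk; header is 9 words
        raise ValueError("not a WMF header")
    off += 18
    while off + 6 <= len(data):                     # each record: size (words, 4 bytes) + function (2 bytes)
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size_words < 3 or off + size > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield func, data[off + 6:off + size]
        off += size
        if func == META_EOF:
            return


def scan_wmf(data):
    """Return one finding per SETABORTPROC escape, plus one if the stream is malformed."""
    findings = []
    try:
        for idx, (func, params) in enumerate(iter_wmf_records(data)):
            if func == META_ESCAPE and len(params) >= 4:
                escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
                if escape_fn == SETABORTPROC:
                    findings.append({"record": idx, "escape": "SETABORTPROC",
                                     "declared_bytes": byte_count,
                                     "present_bytes": len(params) - 4})
    except ValueError as exc:
        findings.append({"record": None, "malformed": str(exc)})
    return findings


def _record(func, params=b""):
    """Encode one WMF record: size in 16-bit words, function code, parameters."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def _wmf(records):
    """Wrap records in a standard 18-byte WMF header and append META_EOF."""
    records = list(records) + [_record(META_EOF)]
    body = b"".join(records)
    max_record = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return header + body


# Constructed samples (not real files): a harmless metafile that only sets the
# mapping mode, and one carrying a SETABORTPROC escape whose data is placeholder
# zero bytes where an exploit would put its callback code.
BENIGN_WMF = _wmf([_record(0x0103, struct.pack("<H", 8))])          # META_SETMAPMODE
_payload = b"\x00" * 16
MALICIOUS_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(_payload)) + _payload)])
# A constructed 22-byte placeable header (key, handle, bounding box, inch, reserved, checksum).
PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 0, 0, 96, 0, 0)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("malicious", MALICIOUS_WMF)):
        print(name, scan_wmf(blob))
```

Legitimate metafiles have no use for a printer abort procedure, so any SETABORTPROC hit is worth treating as malicious rather than merely suspicious. The scanner also reports a record stream whose declared sizes overrun the file, since that is itself a sign the file was not produced by a normal graphics library; a scanner that simply crashed on such input would miss exactly the files it should catch.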

Other malicious code in the list includes the Lowzones.RI Trojan, the Tearec.A worm (also called Kamasutra) and the Qhost and Torpig.AY Trojans.

April's ranking is completed by the Parite.B worm (another habitual offender in the list of frequently detected viruses), the Torpig.AZ Trojan and the generic detection for members of the numerous Gaobot family of worms.

Malware                   % frequency
W32/Sdbot.ftp             2.10
W32/Netsky.P.worm         1.07
Exploit/Metafile          0.79
Trj/LowZones.RI           0.64
W32/Tearec.A              0.62
Trj/Qhost.gen             0.51
Trj/Torpig.AY             0.51
W32/Parite.B              0.50
Trj/Torpig.AZ             0.48
W32/Gaobot.gen.worm       0.48

The most notable feature of this ranking is the presence of malicious code that uses vulnerabilities to install itself on systems.

This would suggest that there are numerous computers that have not been updated and which could therefore become a breeding ground for the distribution of malware. Users need to stay informed about the discovery of new vulnerabilities affecting software and to install the necessary patches to correct them.