Malware Authors Unleash Bird Flu-themed Trojan

[Jeff]

Today brings further proof that no human disaster these days arises without been exploited by internet ne'er-do-wells. Hot on the heels of a spam campaign punting Tamiflu, the drug believed most effective at protecting humans from the potentially-lethal H5N1 strain of the bird flu virus, comes a piece of malware designed to tap into topical concerns about the disease.

 

The Naiva-A Trojan masquerades as a Word document containing information about the bird flu epidemic in order to dupe unwitting Windows users into opening the maliciously constructed file. Once executed, the malware uses two Word macros to run and install a second item of malicious code, Ranky-FY, onto infected PCs. Ranky-FY gives hackers the ability to control compromised PCs.

 

Infectious code normally arrives in user's email in-boxes at an attachment in spam email messages with subject lines such as "Outbreak in North America" or "What is avian influenza (bird flu)?" both of which refer to a disease experts fear could become a pandemic, and spread further around the world following deaths in Asia.

 

The malware is not spreading widely and therefore poses only a modest threat. Anti-virus firms say the Trojan attack mounted by the Naiva-A Trojan illustrates the dangers of opening attachments in unsolicited emails. "Unfortunately, we were expecting something like this. This is not the first time, and won’t be the last, that writers of malicious code have taken advantage of people’s misfortune and anxieties to spread their Trojans or worms," said Luis Corrons, director of PandaLabs. "Fortunately, in the case of this threat, it does not seem to be extremely dangerous, due to the means of infection it uses. However, we must not underestimate it, given the success rate of social engineering techniques to spread malware."

[Jeff]

A worm propagating through AOL's Instant Messenger network comes with rootkit technology designed to slip under anti-virus defences. The Sdbot-ADD worm is being passed through instant messages from members on a user’s Buddy List and within AOL chat rooms.

 

Sdbot-ADD, the latest variant of a family of worms that is continuously modified with new components by hackers, comes complete with an adware bundle and a rootkit file, lockx.exe. "The executable provides an attacker with the capability to upload, download and monitor the infected host. Furthermore, the executable attempts to shut down anti-virus programs and leaves a backdoor on the host PC to install additional software," according to IM security firm FaceTime, which was among the first security firms to notify of the threat.

 

Rootkits refer to a set of tools used by crackers after breaking into a computer system to hide logins and processes under the control of an attacker from detection. Rootkits have been familiar items of malicious Unix hackers' tool kits for years but more recently the technique has been applied in the creation of types of Windows malware. In this case the lockx.exe rootkit that connects to an IRC server, awaiting remote commands from an attacker.

 

Sdbot-ADD also changes a surfer’s original search page to www.eza1netsearch.com/sp2.php and installs various adware applications including 180Solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway, and SearchMiracle. Infested machines are likely to slow to a crawl under the weight of all this garbage, FaceTime warns.

[Jeff]

October breaks malware production records

 

October saw the biggest increase in virus numbers since anti-virus firm Sophos began tracking outbreaks in 1988. The security vendor now identifies and protects against a total of 112,142 viruses, an increase of 1,685 on September.

 

Rather than creating new viral strains, the bad guys are churning out multiple new variants of popular backdoor programs such as Agobot, SdBOt, various Trojan downloaders and the like. Anti-virus firm F-Secure notes that many of the malware families have spawned more than 700 variants. Each time hackers add new components to readily available malware code a new variant is created. The trend is showing no signs of slowing down.

 

September's 1,233 new viruses was followed by a record high of 1,685 viruses in October. Nearly two thirds of the viruses reported to Sophos during the month were versions of the Mytob worm, with the new Mytob-GH and Mytob-EX variants having made a significant impact. One in 60 emails (1.66 per cent), circulating in October were viral, according to Sophos.

 

Despite all this new activity, NetSky-P, the worm written by convicted German virus author Sven Jaschan, continues to head up Sophos's top ten chart twenty months after it was first detected. Mytob-GH, which first appeared on 16 October 2005, is already in second place and showing no sign of abating. October's chart consists of only three virus families - NetSky, MyTob and Zafi, indicating that virus writers are continuing to create variants of established threats, which prove most effective for financial gain.

 

"There are six variants of the Mytob worm in the October chart, half of which are new entries," said Carole Theriault, senior security consultant at Sophos. "The creators of Mytob appear to be a gang of virus writers called Hellbot. By having several gang members they can easily issue several different variants in a short space of time."