The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky. Find out more about the authors of this weblog.

Securelist Polls
How would you prefer to pay for your antivirus solution?
Using a prepay card
Via your mobile (SMS)
Via the Internet using a debit\ credit card
Using cash\ credit\ debit in a shop
Using an e-payment system (e.g. PayPal)
Other
  View responses
 

  Home / Weblog / June 2005

Analyst's Diary

Global problem, global solution


  David       June 30, 2005 | 15:39  GMT

comments (2)  

A year ago today, the Hungarian virus author Laszlo K was sentenced to two years probation and ordered to pay 500,000 forints (around $2,400) in court costs. The charge? Unauthorised computer access. The court case followed the spread of the Magold.a virus, which used crude social engineering tactics to lure unsuspecting users into launching the malicious code: the virus posed as a screensaver of Hungarian porn star Maya Gold.

Laszlo K was just one of the virus writers arrested during 2004. The year also saw the arrest of Sven Jaschan, who admitted to writing Sasser and some Netsky variants; his trial will start in a week's time. The author of the numerous Agobot/Phatbot worm families was arrested, as was Oscar Lopez Hinarejos, a computer engineer from Spain, who was tried for distributing the Cabrotor Trojan and sentenced to two years in prison. Later in the year, Jeffrey Lee Parson, a teenager from Minnesota, pleaded guilty to damaging computers by creating the Lovesan.b worm, and in December a 16-year-old British teenager received a six-month suspended sentence for releasing the Randex worm.

Viruses and worms have evolved rapidly over the past few years and now pose a global threat. However, law enforcement agencies are also pooling their resources to gain a global reach. One successful joint operation was the arrest of 28 people in October last year in connection with identity theft in six countries. The operation involved the US Secret Service, the UK National Hi-Tech Crime Unit, the Vancouver Police Department's Financial Crimes Section (Canada), the Royal Canadian Mounted Police, Europol and police agencies in Belarus, Poland, Sweden, the Netherlands and Ukraine. More recently, we've seen the collaboration of the Israeli authorities and Interpol as part of Operation Horse Race, which led to a number of businessmen being detained.

Multiple Gpcode variants


  Yury       June 28, 2005 | 12:14  GMT

comments (1)  

In the last 24 hours we've detected five new versions of Virus.Win32.GPcode. This virus is interesting because it encrypts users' files, with whoever is sending it out then asking for money to decrypt them. The virus encrypts the files, deletes itself from the victim machine, and also deletes any information which might give a clue as to how it penetrated the system.

The first variants we detected were spreading around the world. The latest version is mainly affecting Russian users. This illustrates the fact that cyber criminals are starting to target their attacks and spamming of malicious programs more precisely.

To date, we haven't established exactly how GPcode infects computers. However, it seems to be spreading either by exploiting a vulnerability in the operating system, or by a botnet.

A lot of users haven't contacted antivirus companies, but have instead contacted the authors or users of this malicious program. This will simply encourage the evolution of this virus as it makes it clear that there are potential gains to be made.

In order to protect their machines, users should make sure that they have installed all the latest patches, and keep their antivirus programs up to date. Once the virus is cleaned from encrypted files, they are restored to their original condition.


More attention for AIM


  Roel       June 15, 2005 | 13:00  GMT

comment  

We saw an interesting attack a few days ago (12 June) when an ongoing attempt to infect AIM users took place.

The same piece of malware was uploaded to several sites in an effort to increase its effectiveness. The malware that was used is a variant of IM-Worm.Win32.Opanki.

The multiple uploads improved effectiveness in several ways. With copies on several sites, the attackers still had one or more places left to turn to when measures were taken to take a site down.

Additionally, different messages were used to convince the recipient to click on the link. Among those messages was one with a link to a .wmv file on a popular humor site. The link, of course, was fake, and it led to the malware.

Faking the link is done through some basic HTML code, and, in my opinion, this is yet another reason for not having an HTML parser in your IM client.
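The check below is an added example, not code from the original post or from Kaspersky Lab: it parses an HTML IM message and flags anchors whose visible text looks like a URL on one host while the href actually points at another, which is exactly the "fake link" trick described above. The sample message and the host names in it are constructed.

```python
# Added example (not from the original post): flag IM messages whose visible
# link text looks like a URL but whose href points at a different host.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, tolerating display text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def spoofed_links(html_message):
    """Return (shown_text, real_href) for every anchor whose displayed
    URL names a different host than the one the link really points to."""
    parser = _AnchorCollector()
    parser.feed(html_message)
    findings = []
    for href, text in parser.links:
        looks_like_url = "." in text and " " not in text
        if looks_like_url and _host(text) != _host(href):
            findings.append((text, href))
    return findings


# Constructed sample message: the visible text claims a .wmv on a humor
# site (hypothetical name), but the href leads to an executable elsewhere.
SAMPLE = ('lol check this <a href="http://198.51.100.7/funny.wmv.exe">'
          'www.humorsite.example/funny.wmv</a>')
```

A plain-text IM client has no such problem, since the recipient sees the real URL; this check is for gateways or clients that do render HTML.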

As is the case with newer IM-worms which spread across the MSN network, this Opanki variant also has the ability to send variable messages defined by the remote attacker. This helps to maintain and expand the botnet.

So, we're clearly seeing increasing organization when it comes to the spread of IM malware. Furthermore, it's also clear that newer IM malware has the ability to send messages which can be completely changed by the remote attacker over IRC.

The advice remains the same - be very cautious when clicking links you receive.

We have a write-up on IM-Worm.Win32.Opanki.d.

Cabir's first year


  Aleks       June 14, 2005 | 12:30  GMT

comments (4)  

Today, Cabir celebrates its first birthday. One year ago, 29a sent a sample of their latest creation to AV vendors worldwide via Virusbuster, a Spanish virus collector. Kaspersky Lab was first to detect this proof of concept malware, which turned out to be a worm that targeted mobile phones running under the Symbian 60 OS with Bluetooth capabilities.

The source code for the original Cabir appeared on the Net in late December 2004, which led to a number of copycat variants appearing in the wild. Cabir infections have been registered in over 30 countries to date.

In addition, there are now close to 100 malicious programs targeting mobile phones, most of which are Trojans. This highlights two important aspects: operating systems for mobile devices are very insecure thus far, and users need to realize that mobile devices are vulnerable to the same type of attacks as regular PCs.

So, how soon will it be before the proof-of-concept trickle turns into a flood? It's difficult to be sure. However, there are two issues to consider. First, experience has shown that malware authors target systems that are commonly used. Ownership of mobile devices hasn't yet reached critical mass; but when it does, they will prove an irresistible target. Second, it's clear from developments during the last two years that the computer underground has realized the potential for making money from malicious code in a world where Internet connectivity has become central to business.

Today's threats are largely geared towards making money illegally: through fraud, unwanted advertising (including spam) and extortion. Since mobile devices offer users the same capabilities as PCs, they also offer the same rewards for the criminal underground.

Robots, vile robots everywhere!


  Costin       June 05, 2005 | 09:34  GMT

comments (2)  

The time of the flash internet worms which were able to spread to millions of machines in less than an hour has passed. Nowadays, we are living in the days of the trojans, phishing, password stealing and backdoors. However, combinations between fast spreading worms and very cunning trojans aren't rare at all.

On Thursday, 2nd of June, around 17:12 GMT, we received an interesting exploit from one of the machines which are part of the grand 'Smallpot' honeypot network. Slowly, more packets started to arrive and it became obvious that whatever was sending them was picking up momentum. Since the simplest explanation is usually the right one, the first guess was an Internet worm attack.

Investigation of the packets revealed a Microsoft ASN.1 exploit, which tries to download and run an executable from the attacking machine via TFTP. We secured a binary and took a look under the hood. The responsible worm was an Rbot variant, 121504 bytes long, generically detected by KAV as 'Backdoor.Win32.Rbot.gen'. It is packed with the MEW runtime executable packer and has an MD5 of '7fe7a8320bbd029a87e0228ff5d23053'.

Besides the ASN.1 exploit - and this is the first worm to use it successfully on the Internet - the Rbot variant uses a multitude of other exploits: DCOM, RPC, Veritas Backup Exec, LSASS, MSSQL, password guessing and so on. It also steals registration keys for a long list of popular games and PayPal account logins, has an embedded backdoor and, of course, DDoS capabilities. Basically, it's a worm which tries very hard to spread while at the same time stealing as much valuable data from the victim machine as is available. It is a highly infectious worm, written for profit. And yes, most of the other worms we're seeing nowadays are no different.
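The exploit-then-TFTP pattern described above gives a honeypot or sensor a simple correlation to look for. The detection below is an added example, not code from the original post or from the Smallpot project: over constructed connection log lines it flags any host that first connects to the honeypot and then, within a short window, receives an outbound TFTP (UDP/69) request from it, which is what the worm's download step looks like from the victim's side. The log format, the honeypot address, and the 120-second window are assumptions.

```python
# Added example (not from the original post): correlate an inbound hit on
# the honeypot with a following outbound TFTP request back to the same host,
# the pattern left by the ASN.1 exploit fetching the Rbot executable.
WINDOW_SECONDS = 120  # assumption: how soon after the inbound hit TFTP must follow

# Constructed log lines, one connection each: "<epoch> <src_ip> <dst_ip> <proto> <dst_port>"
LOG_LINES = """\
1117732320 203.0.113.9 192.0.2.10 tcp 445
1117732325 192.0.2.10 203.0.113.9 udp 69
1117732400 198.51.100.4 192.0.2.10 tcp 80
1117732410 192.0.2.10 198.51.100.77 udp 69
1117732500 203.0.113.55 192.0.2.10 tcp 139
1117733000 192.0.2.10 203.0.113.55 udp 69
"""


def parse_line(line):
    """Split one constructed log line into (epoch, src, dst, proto, dst_port)."""
    ts, src, dst, proto, port = line.split()
    return int(ts), src, dst, proto, int(port)


def tftp_callbacks(lines, honeypot_ip, window=WINDOW_SECONDS):
    """Return (attacker_ip, inbound_ts, tftp_ts) for every outbound TFTP request
    the honeypot sends to a host that connected to it within `window` seconds
    beforehand. Lines are assumed to be in time order."""
    last_inbound = {}  # source ip -> most recent time it connected to the honeypot
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = parse_line(line)
        if dst == honeypot_ip:
            last_inbound[src] = ts
        elif src == honeypot_ip and proto == "udp" and port == 69:
            seen = last_inbound.get(dst)
            if seen is not None and 0 <= ts - seen <= window:
                hits.append((dst, seen, ts))
    return hits
```

Only the first pair in the sample matches: the second TFTP goes to a host that never connected inbound, and the third follows its inbound hit by far more than the window.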

Three years ago, the worst thing that could happen to your computer was a corrupted flash ROM or a wiped HDD. In most cases, you could even recover the data from the HDD. Nowadays, a virus infection is much worse. Your computer may easily become the pawn of an organization of cybercriminals which is blackmailing companies over the Internet. Or your e-banking accounts are suddenly missing a few hundred euros. Or your valuable items from a virtual game on the Internet are suddenly somebody else's. There are cases when people killed each other over such things.

With that in mind, I find myself asking a question: aren't we becoming too addicted to our beloved computers? Is it really worth dying for a thing which only exists as polarized atoms on a plate, among billions of others, 10,000 km away? Are we becoming too dependent on technology, so soon? I'm afraid the answer has more implications than we are ready to accept.

Sobig.c celebrates anniversary


  Aleks       June 02, 2005 | 12:16  GMT

comment  

It's two years to the day since the email worm Sobig.c caused a major epidemic.

In 2003, worms from the Sobig family were the most widespread malicious programs on the Internet. Sobig's family tree dates back to January 2003, when Sobig.a was first detected. Sobig.a was a piece of malware using many techniques which would be exploited by other virus writers in the future.

Firstly, something that Sobig.c clearly demonstrated was that spamming malware can create an epidemic. The virus sent itself to millions of addresses around the world in a matter of hours, and spammer technology made this possible. Such techniques are now used by almost every virus writer and Trojan author to distribute their creations. Essentially, the criminal alliance between virus writers and spammers came into being with Sobig.c.

Secondly, worms from the Sobig family had a limited life span - they were designed to function for two or three weeks, and then a new version would be released to take its place. Mydoom and Sober worms also use this approach.

Thirdly, Sobig.c infected millions of computers throughout the world, creating an enormous botnet, which was then used to launch new versions of the worm. One of these, Sobig.f, was the first case in virus history where a price was placed on the author's head: Microsoft offered half a million dollars for information leading to the arrest of the authors of Sobig.f and Lovesan. The money remains unclaimed to this day.


New runner in Horse Race


  Costin       June 01, 2005 | 12:50  GMT

comment  

Some interesting developments in the Operation Horse Race story, which we wrote about in our news section a couple of days ago.

A security company named 2bSecure originally located the Trojan code. The police asked them not to share the Trojan sample with antivirus companies in order to avoid alerting the offenders. However, now that they have been arrested and evidence is being collected, 2bSecure intend to publish the code of the Trojan on their website.

The company also plans to publish a disinfection tool along with the code to help victims remove the Trojan from their computer. 2bSecure believes that making the Trojan code publicly available will serve a similar purpose, by helping victims to identify infected systems and to evaluate the damage.

The full disclosure concept is nothing new, and in the past, other so-called security companies have published Trojan and virus code in order to "help" users deal with them.

In this case, given that a disinfection tool will be available, I think publishing the source or the Trojan code is redundant and, in my opinion, irresponsible. In the past, whenever a piece of malware has been made available on the Internet, it basically opened the door to countless modifications, hacks, or patched variants. We've seen this happen in the past with other bots where the source has been widely distributed - Agobot and SdBot are the first that come to mind, with over 800 variants in each family!

Sure, there will be researchers who will benefit from access to the Trojan - they'll be able to analyse its behaviour and develop protection against it. However, the damage which will be inflicted on the Internet community by the potential multitude of new variants will far outweigh any positive effects.

Copyright © 1996 - 2010
Kaspersky Lab