SECURITY FIRM WARNS THAT VISTA WILL BE VULNERABLE TO THREE TYPES OF MALWARE
[SC Magazine, December 1, 2006]
With Vista launching today, a security firm warned that its list of the top 10 viruses detected worldwide during November 2006 includes three types of malware capable of infecting Microsoft’s next generation Windows platform.
Sophos reported that one Vista-affecting baddy, the Stratio-Zip worm, overtook Netsky-P as the most widely circulated piece of malware, accounting for one-third of the total threats reported.
Following Stratio-Zip by a long way is Netsky-P, which is then followed by Bagle-Zip. Zafi-B is in fourth place, followed by Netsky-D, Nyxem-D and MyDoom-O. Eighth place goes to Mytob-C, then Sality-AA and Zafi-D is in tenth.
"No operating system is 100 per cent secure as a standalone system, as end users utilise various alternative applications such as independent email clients, instant messaging, file sharing and more that open new doors for hackers," said Ron O'Brien, senior security analyst at Sophos.
"While Microsoft should be commended for the huge security improvements offered by Vista, every organisation should supplement their systems with compatible technology that defends against hackers at all entry points.
"It won't be long before cyber criminals develop Vista-specific malware or modify current threats to fit the bill. The Stratio-Zip worm, for example, remains on the top 10 list due to constant, minor alterations to its code that force security systems to re-identify the malware," added O'Brien.

MALWARE CREATED by ORGANISED CRIMINALS for MONETARY GAIN EXPECTED in 2007
[SC Magazine, November 30, 2006]
Researchers at McAfee Avert Labs predicted this week that the top security threats in 2007 will revolve around increased production of malware by organised criminals for monetary gain.
In a teleconference today, McAfee executives said cybercriminals will increasingly enlist sophisticated techniques such as rootkits, polymorphism, parasitic infectors and automated systems with cycling encryption to release new, for-profit builds.
"Within a short period of time, computers have become an intrinsic and essential part of everyday life, and as a result there is a huge potential for monetary gains by malware writers," said Jeff Green, senior vice president of McAfee Avert Labs and product development. "As we see sophisticated techniques on the rise, it's becoming increasingly hard for the general user base to identify or avoid malware infections."
The Avert Labs team's predictions for next year included the increased prevalence of password-stealing websites, an uptick in image spam, data loss and theft at the corporate level, and continued concern about vulnerabilities in widely used software.
Particularly disconcerting to McAfee's security team is the rising trend of zero-day vulnerabilities appearing a day or two after Patch Tuesday to maximize the window of opportunity before Microsoft can address the issue. McAfee also predicted that bots will continue to be in the hacker bag of tricks, along with rootkits and parasitic malware.
As more consumers go online for entertainment, adware will "go mainstream" with an increase in commercial Potentially Unwanted Programs (PUPs), according to Avert Labs. The company also said that the popularity of video sharing on the web will make MPEG files a prime target for hackers to deliver malicious code.

SEVEN YEAR ANNIVERSARY OF LOVE BUG VIRUS
[United Press International via COMTEX] Computer users by necessity have become security conscious and savvy, but it has taken a number of cyber-disasters to educate everyone. Seven years ago millions of Netsurfers awoke to find their e-mail boxes filled with notes bearing the enticing subject line "ILOVEYOU."
That message, however, was not a love note. Attached to the e-mail was a virus that quickly wreaked havoc around the world. During what was then a pre-safe-computing era, the "Love Bug," as it came to be known, became one of the first mass-mailing worm outbreaks.
Estimates of damage ultimately ranged as high as several billion dollars as the worm worked its way around the globe, infecting hundreds of millions of users and thousands of organizations ranging from the Pentagon to Disney.
The Love Bug employed a clever type of social engineering that took advantage of human nature to circumvent any virus protection -- in this case, delivering a letter with I LOVE YOU in the subject line, usually from a name the victim recognized.
The bug exploited a vulnerability in Microsoft's Outlook software code. Once it gained access to a PC, it immediately sent copies of itself to persons listed in the computer owner's address book. Thus, in a rapidly multiplying environment, the bug was often sent to someone known to a first victim with a second potential victim wondering why he or she was being sent a note avowing love.
Looking back at the past seven years, experts think vulnerabilities remain, even though the world has become a more security-conscious place.
"Seven years ago, the concept of someone consciously writing a code (that would cause damage) ... I don't think anyone had really thought of it (as a problem)," Martin Linder, an official with the Carnegie Mellon Software Engineering Institute in Pittsburgh, told United Press International.
"It was an eye-opener," Linder added. "Since that time a lot has changed. We have a tool box (of technology) to help prevent such attacks -- including good common sense by human beings." He said chances of a Love-Bug-type attack happening again are a lot smaller, but added, "knock on wood."
Linder warned software and systems remain vulnerable, taking note of the Blaster virus of 2003. He added, however, that attacks such as the Sasser virus lasted only 90 minutes until they were contained. "Businesses are more aware of the pain and damage (caused by viruses)," he said. "Do we have a long way to go? Yes."
He said even with improved software and new systems coming online, both current and legacy software will continue to be used by individuals and companies for some time -- along with their deficiencies.
Central Command Inc., an anti-virus software company in Medina, Ohio, said the overall sophistication of some worms has gradually increased, and the motive for virus writing has altered to an orientation toward ID theft and other illegal goals.
Yet virus authors today continue to rely heavily on social engineering. Steven Sundermeier, Central Command's vice president for products and services, told UPI hackers continue to name their files creatively in an attempt to pique user curiosity and trick them into running malicious worms.
Sundermeier said these file names typically exploit high-profile celebrities -- such as Paris Hilton -- or hit movies, current events or popular teen games. He said the teen population is particularly easy to exploit. The Love Bug had tricked users by coming from familiar sources.
"At the time, people were just clicking away," he said of PC users opening e-mail attachments. Because e-mail remains one of the main forms of communication within corporations and individuals, he added, it comes as no surprise the propagation of worms via e-mail remains rampant.
"People are people, and users are still blindly opening attachments," he said and noted many worms in circulation are dependent on some sort of human interaction to spread. "Practicing safe computing is critical in the fight against computer viruses," Sundermeier said.

THE PESKY NETSKY WORM
This NETSKY variant propagates via email using its own Simple Mail Transfer Protocol (SMTP) engine.
It exploits a known vulnerability affecting Internet Explorer involving an incorrect MIME header (MS01-020), which allows the automatic execution of email attachments while an email is read or previewed.
The email that it sends out has varying subjects, message bodies, and attachment file names. It gathers email addresses from files with certain extension names.
It also attempts to propagate via network shares by dropping copies of itself on certain folders found in the affected system. It deletes several autorun registry entries in an attempt to prevent the automatic execution of BAGLE, NACHI, MYDOOM and DEADHAT worms. It also deletes certain registry keys.
This memory-resident worm is compressed using UPX and FSG, and runs on Windows 95, 98, ME, NT, 2000 and XP.
Note: Trend Micro also detects the empty email as WORM_Netsky.P, and the HTML file containing the exploit as HTML_NETSKY.P. The email and the HTML file may contain a damaged attachment or no attachment at all. In any case, no malware file will be executed.
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Services.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program.
Before proceeding to remove this malware, first identify the malware program.
Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_NETSKY.P. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program.
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry. Removing autostart entries from the registry prevents the malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
Norton Antivirus AV = "%Windows%\FVProtect.exe"
Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions:
Running Trend Micro Antivirus.
Scan your system with Trend Micro antivirus and delete all files detected as WORM_NETSKY.P. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Applying Patches
This malware exploits known vulnerabilities in Internet Explorer. Download and install the fix patch supplied by Microsoft. Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.
NOTE: For further details about the NETSKY worm, details of other serious viruses, and for a free scan of your system, visit TREND MICRO WEBSITE
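To confirm the autostart entry from the removal steps above without reading Regedit by hand, the following added example (not Trend Micro's code) parses a Regedit export of the Run key and reports values matching the WORM_NETSKY.P entry, by value name or by the FVProtect.exe file it launches. The .reg text is constructed for the example; in practice it would come from exporting the Run key with Regedit's File > Export.

```python
import re

# Constructed Regedit 5.00 export of the Run key; the "Norton Antivirus AV"
# value is the WORM_NETSKY.P autostart entry described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Norton Antivirus AV"="C:\\WINDOWS\\FVProtect.exe"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NETSKY_P_VALUE_NAME = "Norton Antivirus AV"
NETSKY_P_FILE = "fvprotect.exe"
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslashes and double quotes inside string values.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: string_value}} (REG_SZ only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_netsky_autostart(text):
    """Return (name, value) pairs under the Run key that match the Netsky.P
    entry; the key path is compared case-insensitively."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, value in values.items():
            if name == NETSKY_P_VALUE_NAME or value.lower().endswith("\\" + NETSKY_P_FILE):
                hits.append((name, value))
    return hits
```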

NEW VARIANT OF MyDoom
[CNET Reviews]
A variation of the MyDoom virus appears to be e-mail containing photographs. MyDoom.s (w32.MyDoom.s@mm, also known as MyDoom.m (Norman), MyDoom.q (Symantec), MyDoom.r (Panda), and Ratos (Trend Micro)) is a mass-mailing worm that uses its own SMTP engine to send out copies of itself to addresses harvested from the infected PC. It spoofs the return address, making it hard to trace infected machines, and attempts to download a backdoor Trojan horse from one of two sites on the Internet. MyDoom.s does not affect Linux, Mac, or Unix systems.
Because MyDoom.s spreads via e-mail, opens a remote access backdoor on infected PCs, and could damage system files, this worm rates a 6 on the CNET/ZDNet Virus Meter.
How it works
MyDoom.s arrives as an attachment with the following characteristics:
Subject : photos
Body : LOL!;))))
Attachment : photos_arc.exe
If the attachment is opened, MyDoom.s adds the file rasor38a.dll to the Windows folder and the file winpsd.exe to the system directory. It also makes the following system Registry changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winpsd" = C:\WINDOWS\System32\winpsd.exe
Once executed, MyDoom.s attempts to download a backdoor Trojan horse from either www.richcolour.com or zenandjuice.com.
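The MyDoom.s lure above (subject "photos", body "LOL!;))))", attachment "photos_arc.exe") and the MS01-020 MIME-header trick that the NETSKY item earlier on this page relies on are what a mail gateway check keys on. The following added example (not CNET's, Trend Micro's or any vendor's code) triages raw messages for those traits; the two sample messages are constructed, and treating an executable filename declared under a non-application content type as the MS01-020 pattern is the example's own heuristic.

```python
import email
from email import policy

# Constructed sample of the MyDoom.s lure described above (subject "photos",
# body "LOL!;))))", attachment "photos_arc.exe"). The attachment is declared
# as audio/x-wav, the kind of MIME mismatch the MS01-020 exploit relies on.
SAMPLE_MYDOOM_S = b"""From: friend@example.invalid
Subject: photos
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

LOL!;))))
--b1
Content-Type: audio/x-wav; name="photos_arc.exe"
Content-Disposition: attachment; filename="photos_arc.exe"

MZ
--b1--
"""
# Constructed benign message with the same subject but no attachment.
SAMPLE_BENIGN = b"Subject: photos\n\nholiday pictures next week\n"

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def inspect_message(raw):
    """Triage one raw RFC 822 message: returns executables found, findings,
    and whether a gateway should quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().strip() if body is not None else ""
    executables, findings = [], []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(EXEC_EXTENSIONS):
            continue
        executables.append(name)
        ctype = part.get_content_type()
        # An executable declared under a "safe" type is the MS01-020 pattern.
        if not ctype.startswith("application/"):
            findings.append(f"mime mismatch: {name} declared as {ctype}")
    if executables:
        findings.append("executable attachment: " + ", ".join(executables))
    if (subject.lower() == "photos" and body_text == "LOL!;))))"
            and "photos_arc.exe" in executables):
        findings.append("matches MyDoom.s lure")
    return {"subject": subject, "executables": executables, "findings": findings, "quarantine": bool(executables)}
```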
Prevention
If you receive MyDoom.s, do not open the attached file. The best way to prevent infection is to make sure that your antivirus signature files are current. Also, a personal firewall will prevent the virus author from gaining remote access to your PC.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.