Anti Virus Blog

June 14, 2005

New Trojan Pretends to be Antivirus Software

Filed under: Malware — Administrator @ 10:44 am

Anti-virus maker F-Secure warned mobile phone users about a slippery new trojan disguising itself as an antivirus application.

Although the worm, dubbed Skulls.L, is similar to the Skulls.C trojan, writers have added a new wrinkle that differentiates it from previous variants: It’s advertised with a name used for F-Secure’s Mobile Anti-Virus installation package.

“The trojan obviously does not contain pirate copied version of anti-virus, it breaks the system applications on the phone, so that none of the smartphone functions of the phone are (sic) as long as the phone is infected,” Jarno Niemela, a virus researcher, wrote on the company’s weblog.

(more…)

Gartner lists five overblown IT threats

Filed under: Malware — Administrator @ 10:43 am

Analysts at Gartner have warned that security threats on the Internet were being exaggerated. They have also compiled a list of five IT risks that they believe were being magnified by security experts.

Gartner released the following list of supposedly grave risks at the IT Security Summit in Washington, D.C.:

* IP telephony is unsafe
* Wireless hotspots are unsafe
* Regulatory compliance equals security
* ‘Warhol’ worms will make the Internet unreliable for business traffic and VPNs
* Mobile malware will cause widespread damage

Lawrence Orans, principal analyst at Gartner, explained why the firm considered these risks overblown: “Many businesses are delaying rolling out high productivity technologies, such as wireless local area networks and IP telephony systems, because they have seen so much hype about the potential threats,” he said.

(more…)

Low-Rights IE Only for Longhorn Users

Filed under: Malware — Administrator @ 10:42 am

Rob Franco, Lead Program Manager for Internet Explorer Security at Microsoft, posted a missive to the IEBlog hoping to dissolve the confusion surrounding a planned security feature that will be found in IE7. IE7 will run in a reduced privilege mode called “Low-Rights IE” that will limit the actions of malware.

But the safeguard will not be available to everyone - only users who upgrade to Longhorn will be protected. And even Longhorn users may be vulnerable at another well known exposure point: Microsoft will not modify the default security settings for ActiveX and scripting, which account for a large number of known vulnerabilities.

Microsoft has programmed Longhorn to make it possible for users to have normal Windows sessions while having reduced user account privileges - making the browser safer to use than when it ran with full administrative privileges.

Longhorn’s predecessor, Windows XP, does not have this capability and cannot offer users the protection of Low-Rights IE. Users that do not upgrade to Longhorn will remain vulnerable to malware that can hijack default settings, modify system files and install malicious software.

(more…)

Michael Jackson suicide spam links to malware

Filed under: Malware — Administrator @ 10:41 am

Security experts at UK firm Sophos are warning of a spam email that claims to have news of a suicide attempt by pop star Michael Jackson.

They say that the email directs recipients to a website for more information. If a victim visits the site, they are told that the site is busy. But in the background, the website triggers a download that places code for a Trojan horse on the PC.

The malicious code allows the infected PC to be used as a proxy through which spam mail can be sent by a remote user. It also connects to IRC channels through which it can receive commands or further malicious code can be installed.

‘The sick minds behind viruses and other malware often exploit celebrity names and news stories in an attempt to infect as many people as possible,’ said Carole Theriault, security consultant for Sophos. ‘All computer users should be very careful about clicking on weblinks in unsolicited email or launching unknown attachments.’

(more…)

June 12, 2005

From Russia With Malware

Filed under: Malware — Administrator @ 1:06 pm

An online business based in Russia is paying Web sites 6 cents for each machine they infect with adware and spyware, according to security researchers who call the practice “awful.”

IframeDollars.biz says it pays Webmasters to place a one-line exploit on their sites. The code exploits a number of patched Windows and Internet Explorer vulnerabilities, including some that go back as far as 2002. Systems that haven’t been updated would be vulnerable to the exploit. According to analysis done by the SANS Institute’s Internet Storm Center, the exploit drops at least nine pieces of malicious code–including back doors, other Trojans, spyware, and adware–on any PC whose user surfs to a site that hosts the exploit code.

IframeDollars says it pays $61 per thousand unique installations, or 6.1 cents per compromised machine, to any site that signs up as an affiliate.

“It’s very clever,” says Richard Stiennon, the director of threat research at anti-spyware software vendor Webroot Software Inc. “And very brazen. This is new in that they’re taking an existing business model–an affiliate-style program–to exploit a [Windows] vulnerability to plant their code.”

(more…)

June 5, 2005

Bin Laden Trojan quickly constrained

Filed under: Malware — Administrator @ 3:16 pm

A spam e-mail that promises pictures of a captured Osama bin Laden but carries a malicious attachment has failed to spread widely, security experts said Friday.

Millions of copies of various versions of the e-mail were mass-mailed on Thursday, representatives from F-Secure and McAfee said. All versions of the message announced that the al-Qaida leader had been seized and included an attachment called “pics” that, when opened, attempted to download a worm to the victim’s PC, the antivirus companies said.

If the download is successful, the worm will attempt to start propagating by e-mailing itself, said Craig Schmugar, virus research manager at McAfee. It can also set the victim’s computer up to be used as a relay for spam, he said.

Part of one of the spam messages seen by F-Secure read: “Turn on your TV. Osama Bin Laden has been captured. While CNN has no pictures at this point of time, the military channel (PPV) released some pictures. I managed to capture a couple of these pictures off my TV. Ive attached a slideshow containing all the pictures I managed to capture.”

(more…)

CA details ‘remarkably sophisticated’ Web attack

Filed under: Malware — Administrator @ 3:15 pm

A new “remarkably sophisticated” attack that uses three pieces of malware to turn PCs into zombies that can be sold to criminal groups appeared on the Internet this week, security vendor Computer Associates International Inc. said yesterday.

A version of the Bagle worm downloader that the company has dubbed Glieder is serving as a “beachhead” to install more serious malware on computers, CA said. Demonstrating a new level of coordination between Glieder and other attacks, infected computers can have their antivirus and firewall software disabled and can be turned into remotely controlled zombies used to mount large cyberattacks, CA said.

“This is so coordinated that it’s remarkably sophisticated,” said Roger Thompson, CA’s director of malicious content research.

CA noted eight variants of Glieder released one after the other on Wednesday, “dazzling the Internet with their speed and deployment to maximize the number of compromised victims,” the company said. “The whole point is to get to as many victims as fast as possible with a lightweight piece of malware.”

(more…)

The state of Mac OS X security

Filed under: Malware — Administrator @ 3:14 pm

The April launch of Mac OS X 10.4, aka Tiger, lost a little of its sheen following news that the Dashboard - one of the key features of the operating system - was a potential security hazard.

The Dashboard is a layer of ‘widgets’, cute mini-applications such as calculators, calendars and weather reports, which drop down over the desktop with the touch of a button. Apple has encouraged developers to create additional widgets and around 250 are available for download from the company’s website, with others available from third-party sites.

The problem stems from the fact that widgets are automatically installed after downloading. According to an alert posted on the Full Disclosure mailing lists, an attacker could write a malicious widget that would run invisibly in the background and hijack a user’s sudo (or admin) privileges. With administrative privileges, the attacker would have full control over the Mac.

(more…)

Gpic Worm Hits AIM

Filed under: Malware — Administrator @ 3:11 pm

The latest threat to AOL’s instant messaging (IM) platform, AIM, again targets users’ penchant for blindly clicking on links supplied by friends. The Gpic.aol worm comes with a message saying, “damn this looks just like me lol” and a link to what is displayed as pictures.google.com.

In reality, the displayed URL obscures the real Web site at newpeople.no-ip.info, from which the worm downloads onto the user’s system, collects the names in the buddy list and sends the same message to all of them.
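Both the IframeDollars one-liner above (a hidden iframe on an affiliate site that pulls exploit code from another host) and the Gpic.aol link (visible text naming one site, href pointing at another) are things a page scanner can flag. The following is an added example, not code from the blog or from any vendor it names: a small HTML scanner that reports off-site iframes with hidden or one-pixel dimensions and anchors whose displayed hostname differs from the href's host. The sample page, the hostnames in it and the assumption that the scanned page's own host is known are all constructed for illustration.

```python
# Added example (not code from the blog or any vendor named on it): a scanner
# for two lures described in these posts - a hidden/1x1 iframe fetching content
# from another host, and a link whose visible text names a different host than
# its href. Sample page and hostnames are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one honest link, one deceptive link,
# one off-site 1x1 iframe and one ordinary same-site iframe.
SAMPLE_HTML = """
<html><body>
<a href="https://example.com/news">example.com/news</a>
<a href="http://lure.example/pics">pictures.example.org</a>
<iframe src="http://affiliate.example/x" width="1" height="1"></iframe>
<iframe src="/local/frame.html" width="300" height="200"></iframe>
</body></html>
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare 'host/path' text; '' if relative."""
    if url.startswith("//"):
        url = "http:" + url
    elif "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_host(text: str) -> bool:
    """Anchor text that reads like a URL or hostname: no spaces, contains a dot."""
    t = text.strip()
    return bool(t) and " " not in t and "." in t


def is_hidden(attrs: dict) -> bool:
    """An iframe with a 0/1-pixel dimension or a hiding style counts as hidden."""
    def px(value):
        try:
            return int(str(value).lower().rstrip("px"))
        except ValueError:
            return None
    w, h = px(attrs.get("width", "")), px(attrs.get("height", ""))
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


class LureScanner(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []   # (kind, detail) tuples
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "iframe":
            src = a.get("src", "")
            src_host = host_of(src)
            if src_host and src_host != self.page_host and is_hidden(a):
                self.findings.append(("hidden-iframe", src))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            shown = host_of(text) if looks_like_host(text) else ""
            actual = host_of(self._href)
            if shown and actual and shown != actual:
                self.findings.append(("deceptive-link", f"{text} -> {self._href}"))
            self._href = None


def scan(html: str, page_host: str):
    """Return the findings for one page served from page_host."""
    scanner = LureScanner(page_host)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML, "example.com"):
        print(f"{kind}: {detail}")
```

On the sample page the scanner reports the 1x1 off-site iframe and the link whose text says pictures.example.org while its href goes elsewhere; the honest link and the same-site iframe produce nothing. The hostname comparison is deliberately exact, so a legitimate CDN on a different host would also be flagged and would need an allow-list in real use.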

Gpic.aol is considered a medium-level risk threat; it doesn’t actually deliver a payload that allows the malware writer to gain remote access to the computer or corrupt or erase data on the hard drive.

For the time being, IM worms are merely a nuisance, propagating from one AIM buddy list to another. But Francis deSouza, IMlogic CEO, said he fears it’s only a matter of time before virus writers start delivering damaging code as well.

IM, replete with functionality, such as file transferring, video and audio, is at risk from malware writers gaining access to those features, he said.

“Your e-mail client can only do so many things,” he said. “Your IM client is actually much more functional and much more powerful, and because much of the functionality is real-time functionality, threats can propagate over IM much faster than over e-mails.”

(more…)

F-Secure unveils protection against patchless vulnerabilities

Filed under: Malware — Administrator @ 3:10 pm

F-Secure has announced the availability of the industry’s first fully integrated vulnerability protection to include defence against so-called zero-day attacks. Such attacks, which exploit vulnerabilities for which there is no patch yet available - or possibly even before the vulnerability is announced - go unnoticed by existing signature-based defence mechanisms.

F-Secure Anti-Virus Client Security 6.0 and F-Secure Policy Manager 6.0 use behaviour-based analysis to recognise if a piece of malware is trying to install itself onto a computer, or if an illegitimate piece of code is trying to execute a process. It then quarantines the process or the computer involved, and prevents the malware spreading.

With the new solutions F-Secure introduces many features, including F-Secure Network Quarantine for both LAN/WAN and Internet access, which isolates computers with non-compliant security regardless of the location they connect to the network. Other new additions to the product include scanning of HTTP traffic for malicious code, and integrated virus outbreak alerts with monitoring of protection status in the network.

F-Secure Anti-Virus Client Security 6.0 also includes fully integrated anti-spyware software. Compared to current industry standards, this solution provides a higher level of protection for company workstations and laptops by integrating protection against spyware, adware, hackers, viruses, worms and zero-day attacks into a single, centrally managed solution.

(more…)

Bagle variations reaching epidemic proportions

Filed under: Malware — Administrator @ 3:10 pm

The epidemic of email threats that download the Bagle virus continues apace, according to antivirus experts.

Maksym Schipka, senior antivirus researcher at MessageLabs, said ‘The quantities are huge to be honest …[this is] one of the largest Bagle downloaders we have ever seen. And we’ve seen three variants in the first three hours. These are repeated versions of the same malware, the only difference is the executable packers.’

This is a well-known technique, according to Schipka. ‘It’s tricky and resource consuming to add support for every packer,’ he said. And there are hundreds of these compression packers. So some antivirus companies decide instead to issue a separate signature file each time a virus is packed, or compressed, differently - even though it is the same virus. Antivirus companies now say that there are eight variants of the Bagle downloader for the current strain alone.
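The packer problem Schipka describes can be shown with a few lines of code. The following is an added example and is not MessageLabs' or any vendor's code: a harmless constructed byte string stands in for the downloader, and three standard compression libraries (zlib, bz2, lzma) stand in for executable packers. A signature taken over the packed bytes differs for every packer, which is the "one signature per packing" situation in the post; a signature taken after a generic unpack step collapses back to one.

```python
# Added example (not vendor code): the same payload packed three ways yields
# three different on-disk signatures, but one signature once unpacked.
# PAYLOAD is a constructed, harmless stand-in; the "packers" are stock
# compression libraries standing in for executable packers.
import bz2
import hashlib
import lzma
import zlib

PAYLOAD = b"CONSTRUCTED-SAMPLE: downloader stub; fetch-and-run loop " * 4

# Stand-in packers: (pack, unpack) pairs.
PACKERS = {
    "zlib": (zlib.compress, zlib.decompress),
    "bz2": (bz2.compress, bz2.decompress),
    "lzma": (lzma.compress, lzma.decompress),
}


def pack_all(payload: bytes) -> dict:
    """Produce one packed image of the payload per packer."""
    return {name: pack(payload) for name, (pack, _) in PACKERS.items()}


def naive_signature(blob: bytes) -> bytes:
    """A signature over the bytes as found on disk (first 16 bytes here)."""
    return blob[:16]


def unpack(blob: bytes) -> bytes:
    """Generic unpacking: try every known unpacker, fall back to the raw bytes."""
    for _, (_, unpack_fn) in PACKERS.items():
        try:
            return unpack_fn(blob)
        except Exception:   # wrong packer: header check or format error
            continue
    return blob


def content_signature(blob: bytes) -> str:
    """A signature over the unpacked content, independent of the packer used."""
    return hashlib.sha256(unpack(blob)).hexdigest()


def count_signatures(samples, sig_fn) -> int:
    """How many distinct signatures a detection scheme needs for these samples."""
    return len({sig_fn(s) for s in samples})


if __name__ == "__main__":
    samples = list(pack_all(PAYLOAD).values())
    print("signatures over packed bytes:", count_signatures(samples, naive_signature))
    print("signatures after unpacking:  ", count_signatures(samples, content_signature))
```

Running it prints 3 for the naive scheme and 1 after unpacking. The cost Schipka mentions is visible in `unpack`: every packer the scanner should see through needs its own unpacker in `PACKERS`, and an unsupported packer silently falls back to the raw bytes, which is exactly when a vendor ends up shipping a fresh signature instead.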

(more…)

Hackers, Spammers Partner Up To Wreak Havoc

Filed under: Malware — Administrator @ 3:08 pm

A one-two-three assault of disparate spammer and hacker groups in the last 24 hours bodes nothing but ill for users, a security expert said Thursday.

The attack, which involves a new combination of malicious code, shows evidence of “tactical coordination that is unprecedented,” said Sam Curry, vice president of Computer Associates’ eTrust security group.

Unlike blended threats, which were first popular two years ago — and in which one piece of malicious code uses multiple tricks or tactics to spread — this recent attack is a convergence of malware itself and its creators, Curry went on.

“They’re collaborating, and making quite an effective parcel,” said Curry.

Curry outlined the three-step process, which he characterized as “spread, disarm, and exploit,” as starting with the Glieder Trojan horse. Wednesday, said Curry, at least eight Glieder variants — which are similar enough to the Bagle worm that many security firms label them as such — hit the Web, one after another, “about one each hour.” According to another security researcher, Carole Theriault of Sophos, that pace continued into Thursday.

(more…)

Powered by WordPress