Anti Virus Blog

June 5, 2005

CA details ‘remarkably sophisticated’ Web attack

Filed under: Malware — Administrator @ 3:15 pm

A new “remarkably sophisticated” attack that uses three pieces of malware to turn PCs into zombies that can be sold to criminal groups appeared on the Internet this week, security vendor Computer Associates International Inc. said yesterday.

A version of the Bagle worm downloader that the company has dubbed Glieder is serving as a “beachhead” to install more serious malware on computers, CA said. Demonstrating a new level of coordination between Glieder and other attacks, infected computers can have their antivirus and firewall software disabled and can be turned into remotely controlled zombies used to mount large cyberattacks, CA said.

“This is so coordinated that it’s remarkably sophisticated,” said Roger Thompson, CA’s director of malicious content research.

CA noted eight variants of Glieder released one after the other on Wednesday, “dazzling the Internet with their speed and deployment to maximize the number of compromised victims,” the company said. “The whole point is to get to as many victims as fast as possible with a lightweight piece of malware.”


The state of Mac OS X security

Filed under: Malware — Administrator @ 3:14 pm

The April launch of Mac OS X 10.4, aka Tiger, lost a little of its sheen following news that the Dashboard - one of the key features of the operating system - was a potential security hazard.

The Dashboard is a layer of ‘widgets’, cute mini-applications such as calculators, calendars and weather reports, which drop down over the desktop with the touch of a button. Apple has encouraged developers to create additional widgets and around 250 are available for download from the company’s website, with others available from third-party sites.

The problem stems from the fact that widgets are automatically installed after downloading. According to an alert posted on the Full Disclosure mailing lists, an attacker could write a malicious widget that would run invisibly in the background and hijack a user’s sudo (or admin) privileges. With administrative privileges, the attacker would have full control over the Mac.


Gpic Worm Hits AIM

Filed under: Malware — Administrator @ 3:11 pm

The latest threat to AOL’s instant messaging (IM) platform, AIM, again exploits users’ penchant for blindly clicking on links supplied by friends. The Gpic.aol worm arrives with a message saying, “damn this looks just like me lol” and a link whose displayed text reads pictures.google.com.

In reality, the displayed URL masks the real Web site at newpeople.no-ip.info, from which the worm is downloaded onto the user’s system. It then collects the names in the buddy list and sends the same message to all of them.

Gpic.aol is considered a medium-level risk threat; it doesn’t actually deliver a payload that allows the malware writer to gain remote access to the computer or corrupt or erase data on the hard drive.

For the time being, IM worms are merely a nuisance, propagating from one AIM buddy list to another. But Francis deSouza, IMlogic CEO, said he fears it’s only a matter of time before virus writers start delivering damaging code as well.

IM, replete with functionality, such as file transferring, video and audio, is at risk from malware writers gaining access to those features, he said.

“Your e-mail client can only do so many things,” he said. “Your IM client is actually much more functional and much more powerful, and because much of the functionality is real-time functionality, threats can propagate over IM much faster than over e-mails.”


F-Secure unveils protection against patchless vulnerabilities

Filed under: Malware — Administrator @ 3:10 pm

F-Secure has announced the availability of the industry’s first fully integrated vulnerability protection to include defence against so-called zero-day attacks. Such attacks, which exploit vulnerabilities for which there is no patch yet available - or possibly even before the vulnerability is announced - go unnoticed by existing signature-based defence mechanisms.

F-Secure Anti-Virus Client Security 6.0 and F-Secure Policy Manager 6.0 use behaviour-based analysis to recognise whether a piece of malware is trying to install itself onto a computer, or whether an illegitimate piece of code is trying to execute a process. They then quarantine the process or the computer involved, preventing the malware from spreading.

With the new solutions F-Secure introduces many features, including F-Secure Network Quarantine for both LAN/WAN and Internet access, which isolates computers with non-compliant security regardless of where they connect to the network. Other new additions to the product include scanning of HTTP traffic for malicious code, and integrated virus outbreak alerts with monitoring of protection status across the network.

F-Secure Anti-Virus Client Security 6.0 also includes fully integrated anti-spyware software. Compared to current industry standards, this solution provides a higher level of protection for company workstations and laptops by integrating protection against spyware, adware, hackers, viruses, worms and zero-day attacks into a single, centrally managed solution.


Bagle variations reaching epidemic proportions

Filed under: Malware — Administrator @ 3:10 pm

The epidemic of email threats that download the Bagle virus continues apace, according to antivirus experts.

Maksym Schipka, senior antivirus researcher at MessageLabs, said ‘The quantities are huge to be honest … [this is] one of the largest Bagle downloaders we have ever seen. And we’ve seen three variants in the first three hours. These are repeated versions of the same malware; the only difference is the executable packers.’

This is a well-known technique, according to Schipka. ‘It’s tricky and resource consuming to add support for every packer,’ he said. And there are hundreds of these compression packers. So some antivirus companies decide instead to issue a separate signature each time a virus is packed, or compressed, differently, even though it is the same virus. Antivirus companies now say that there are eight variants of the Bagle downloader for the current strain alone.


Hackers, Spammers Partner Up To Wreak Havoc

Filed under: Malware — Administrator @ 3:08 pm

A one-two-three assault of disparate spammer and hacker groups in the last 24 hours bodes nothing but ill for users, a security expert said Thursday.

The attack, which involves a new combination of malicious code, shows evidence of “tactical coordination that is unprecedented,” said Sam Curry, vice president of Computer Associates’ eTrust security group.

Unlike blended threats, which were first popular two years ago — and in which one piece of malicious code uses multiple tricks or tactics to spread — this recent attack is a convergence of malware itself and its creators, Curry went on.

“They’re collaborating, and making quite an effective parcel,” said Curry.

Curry outlined the three-step process, which he characterized as “spread, disarm, and exploit,” as starting with the Glieder Trojan horse. Wednesday, said Curry, at least eight Glieder variants — which are similar enough to the Bagle worm that many security firms label them as such — hit the Web, one after another, “about one each hour.” According to another security researcher, Carole Theriault of Sophos, that pace continued into Thursday.


May 15, 2005

Trend Micro patent upheld by trade judge

Filed under: Malware — Administrator @ 9:44 pm

Computer security software company Trend Micro Inc. said Friday that an International Trade Commission judge will recommend the agency bar the import of Fortinet Inc.’s antivirus software because of patent infringement.

The Tokyo-based company said the judge determined that Fortinet’s FortiGate firewall software violates a 1997 patent held by Trend Micro covering server-based antivirus technology. The patent describes technology that has the computer remotely scan e-mail and Internet data for viruses before it reaches the desktop.

The company said the judge will recommend that the ITC issue an order banning the import of Fortinet products that infringe Trend Micro’s patents, along with a cease-and-desist order.


Microsoft Tests Security System

Filed under: Malware — Administrator @ 9:43 pm

Microsoft said Friday it will begin an in-house test of Windows OneCare, the firm’s PC security and maintenance subscription service.

The software giant said it will distribute the product, which offers automated antivirus updates and periodic PC tune-ups, to 60,000 of its employees.

The Redmond-based company plans to widen its circle of beta testers beyond its employees this summer, with an eye to extending it to a complete test by year’s end.

OneCare is a collection of services readily available from PC security firms such as Symantec, McAfee, and Trend Micro. It includes automatic antivirus and anti-spyware updates, along with two-way firewall protection, scheduled disk cleanup, disk defragmentation, and file backup and repair.

“Once a product or service offering hits the market, customers will be able to decide the best product to suit their needs,” Symantec said in a statement. “We are prepared to compete on a combination of technology and the back-end infrastructure required to support it (and) the strength of our relationships with our channel partners.”


Sober’s success caused by antivirus weakness

Filed under: Malware — Administrator @ 9:41 pm

The longevity of the current Sober worm may be largely due to a new technique it uses to evade virus scans, according to antivirus firm Kaspersky Labs.

The worm, variously labelled Sober.P, Sober.S, Sober.O and Sober.V by different companies, continues to circulate in large volumes, making up 84% of all virus traffic as of Monday, according to Sophos. While researchers have attributed its success to the fact that it circulates in both English and German, and to its use of free World Cup tickets as a lure, social engineering is only part of the equation, Kaspersky says.

The new variant uses a refined mechanism for blocking input/output access to its files by other programs, says Kaspersky senior research engineer Roel Schouwenberg in an alert posted this week. Previous variants used a similar technique, but did not succeed in blocking programs running under the System account.

Sober.P does what the others did not and blocks the System account as well, Schouwenberg says. That means no other program, including antivirus scanners, can detect Sober.P while it is resident in memory, he says.


May 14, 2005

Two new variants of the Mytob worm allow remote control of infected computers

Filed under: Malware — Administrator @ 11:51 pm

The creator (or creators) of the Mytob worms are continuing in their attempt to spread as much malicious code across the Internet as possible. With the detection of the new CU and CX variants, there are now 103 members of this family of worms.

The great danger of the Mytob worms lies in the fact that they have backdoor characteristics, allowing remote control of the computers they infect. According to Luis Corrons, director of PandaLabs: “The real intention of the creators of these worms is to form a network of infected computers, obeying their orders in unison. This will allow them, for example, to install the same spyware program on hundreds of computers at the same time. Any of these actions could generate significant financial income for the creators.”


Users warned on Sophos antivirus flaw

Filed under: Malware — Administrator @ 11:49 pm

Sophos is advising customers to upgrade their antivirus applications after a flaw was found in an old version of the security firm’s software.

The vulnerability was highlighted on the Bugtraq mailing list, and concerns how a potentially infected file could be hidden on a hard drive without being scanned by Sophos’ software.

One of the dangers is that, after a reboot, the infected file could be activated before the antivirus engine starts to function.

The flaw affects version 3.93 of Sophos’ antivirus engine and users are advised to upgrade to version 5.0.1.


Novell Acquires Immunix To Add A Security Layer To Linux

Filed under: Malware — Administrator @ 11:47 pm

In a move to improve the security of applications running in Linux environments, Novell has acquired Immunix Inc. and its AppArmor software. Novell announced the deal Tuesday, but didn’t disclose how much it paid for Immunix.

AppArmor is used to prevent applications operating in the Linux environment from being co-opted by viruses, worms, and other malware into doing things they shouldn’t. Using application-containment technology, AppArmor keeps applications from “masquerading,” or using ill-gotten permissions to do malicious things, says Ed Anderson, VP of product marketing for Novell’s platform group.

That complements Novell’s existing Linux security, Anderson says. Novell’s SuSE Linux Enterprise Server 9 already has a Common Criteria Evaluation Assurance Level security certification of 4+, out of a possible 7, which reflects the operating system’s access controls and password protections. AppArmor offers a layer of protection if those protections are compromised.


OS makers: Security is job No. 1

Filed under: Malware — Administrator @ 11:45 pm

Look beyond the bells and whistles, and make sure the security’s tough.

That’s the attitude of operating system makers, who aren’t just focusing on features such as snazzy graphics and better networking tools when revamping products. Now they’re also providing sturdier defenses.

The new generation of OSes includes improvements aimed at keeping data safer. Microsoft, long the target of hackers’ efforts and the resulting customer ire, has promised anti-spyware and other tools in the upcoming version of Windows, code-named Longhorn. And while they aren’t as aggressive about marketing their security efforts, Apple Computer and Linux seller Novell recently released updates with an eye to stronger defenses.
