Malware News

• The best way to stay current on this topic is to view the daily updated sites of a select set of vendors.
Here are a few recommended sites, in order of current preference:

F-Secure Virus Statistics
F-Secure entered the market in 1988 and, after being listed in 1999, has grown to a viable vendor size.
F-Secure's product is unique in that a comprehensive solution is available for everything from LAN/WAN
to PDA (and phone) devices. So far F-Secure has managed to be among the best and most innovative
virus detection and prevention vendors.


Symantec Security Response
Also a comprehensive and current threat overview.


Computer Associates - Virus Information Center
A very good comprehensive threat overview. CA has integrated both virus and other threats in one
clear, easy-to-read web page.

McAfee - Virus Information
Usually very up to date, and McAfee has a very good world infection map, which lets the user zoom in
on any region of particular interest - sometimes not very reassuring to look at...

The above vendors are the market leaders - and as a customer you need to consider that economies
of scale are required to deal competently with the constant evolution of threats to your workstation
security. The recommendation is definitely to stay with the market leaders for effective virus protection.
 
• Independent virus news sites:
Wildlist.org (Wildlist overview): a month-by-month status of viruses.
Hackerwatch: a different perspective on the current threat situation.
 

• Types of viruses and their purposes
Viruses are classified by what they infect and how they attempt to evade detection. Some originate
from e-mails, others from files or Internet browsing.
- Boot viruses: insert instructions into the boot sectors of floppy disks, or the boot sector or
  master boot record (partition sector) of a hard disk.
- Program viruses: infect executable files such as .COM, .EXE, and .DLL files.
- Macro viruses: infect document files such as Microsoft Word .DOC files by changing the way macros behave.
- Other types of destructive code: worms, Trojan horses, and logic bombs.
  These types of destructive code differ from viruses because they don't replicate.


• More on Conficker:
On 10th April, Conficker started downloading and installing the W32.Waledac malware, which executes
as a rogue anti-spyware application that tries to trick people into paying USD 49.95 for "anti-spyware".
See more here. The W32.Waledac malware is in itself not a high-level threat; it has been detectable
and removable since 23rd December 2008, so it should not be a problem for any users who have updated
and patched their Windows PCs and have updated AV signatures.
 
• Conficker update:
During January the infection spread, and on February 12, 2009, Microsoft announced a USD 250,000
reward for information leading to the conviction of the perpetrators behind Downadup/Conficker.
MS also created a web page on 6th February 2009 to inform about the threat and its mitigation.

MS initiated a partnership with the security industry to optimize efforts against this malware,
see this announcement. The industry worked on tracking and disabling the malware, and all major
AV vendors soon had tools to ensure removal - and then everyone waited for the consequences of
the built-in update date, 1st April 2009.
April 1st came and went. Conficker was largely prevented from performing its scheduled update.
That happened on 9th April instead. It can be deduced that a large number of Windows PCs are
still not adequately protected - most likely the PCs and web servers that were not patched in time
when MS08-067 and MS08-078 were issued.
 
• Malware of the Year 2008 - Microsoft's IE vulnerabilities (patched in October 2008 with MS08-067
(urgent, out-of-schedule) and in December with MS08-078), which enabled Downadup/Conficker to spread
like wildfire. See AFP's story from Taiwan, for example. Another reason for this vulnerability to be
nominated is the fact that Microsoft has failed to ensure better IE security in general for many years.
It is hoped that IE 8 is engineered from the ground up to be more resilient.
So, that is why we think Microsoft is actually the "winner" of 2008.
 
• Malware of the Year 2007 - STORM WORM
By a margin like Michael Schumacher in his great Ferrari days, STORM WORM is number ONE,
and it is not about to let up either. Every minute the software components change, and the
botnet is able to defend itself as well. The site Trusted Source has launched a tracking portal:

That's an industry first for a single malware "product".
Here are two (uninfected) YouTube videos:
1. F-Secure's video of the first outbreak, 18-19th January 2007:

2. F-Secure's August 2007 status and in-depth analysis of Storm Worm tactics and threat design:


 
• ESET Nod32 evaluation - we are trying out the virus detection site below:

It might soon replace the least accurate of the current AV sites in the main home page table.

 
• A new STORM WORM - Important Update!
Our honey pot e-mail account now picks up ONE e-greeting card per day;
maybe millions of other accounts/users get them as well...

(Source: Heise Security)
 
• A new STORM WORM:

This is how the latest Storm Worm attack looks to the user. An e-mail appears
(that you did not expect) from greetingcards.com, bluemountaincards, or hallmark.com
(this example). Click on the link and you might see a greeting card, but not from
anyone you actually know...
What happens is this: a root-kit is installed, along with the software required for botnet usage
and, possibly, privacy-invading program(s). What a greeting card!!!
Reports from software security companies indicate that they tracked at least
200 million spam e-mails of the Storm Worm type last week. It is similar to the
December 2006 attack. The reason for the renewed attack is the need to expand
the botnets available to spammers, malware distributors and the phishing industry.

Safeguards: as always - never open an e-mail that you do not expect, never click on
embedded links and never click on attachments in e-mails that you have not agreed
to receive beforehand.
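As an added example (not code from the original page), the Python script below applies the safeguard above to an HTML e-mail mechanically: it lists every link in the body and flags those that do not lead where the message claims to come from, which is the shape of the greeting-card lure just described. The sender address, the message body and every host in it are constructed for this example (203.0.113.7 is a documentation-only address); the registered-domain helper is a deliberate simplification that ignores public-suffix rules.

```python
"""Flag links in an HTML e-mail that do not belong to the claimed sender.

Added example, not from the original page. The message below is constructed.
"""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the anchor currently open, if any
        self._text = []        # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """'www.example.com' -> 'example.com' (simplified: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(sender, html_body):
    """Return [(href, reason)] for links that do not match the claimed sender.

    sender is the From: header value, e.g. 'Hallmark <ecards@hallmark.com>'.
    """
    _, addr = parseaddr(sender)
    claimed = registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme not in ("http", "https") or not host:
            findings.append((href, "not an http(s) link"))
        elif host.replace(".", "").isdigit():
            # A card site links by name; a raw IP address is a strong lure signal.
            findings.append((href, "target is a raw IP address"))
        elif claimed and registered_domain(host) != claimed:
            findings.append((href, "target %s is not under sender domain %s" % (host, claimed)))
        elif "." in text and " " not in text:
            # Visible text that looks like a URL but names a different host.
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and registered_domain(shown) != registered_domain(host):
                findings.append((href, "visible text %s hides target %s" % (shown, host)))
    return findings


# Constructed lure, modelled on the greeting-card wave described in the text.
SAMPLE_FROM = "Hallmark Greetings <ecards@hallmark.com>"
SAMPLE_BODY = """<html><body>
<p>You have received a greeting card from a family member!</p>
<p><a href="http://hallmark.com/ecard/view">hallmark.com/ecard/view</a></p>
<p><a href="http://203.0.113.7/">View your card</a></p>
<p><a href="http://cards.example.net/pickup">www.hallmark.com/cards</a></p>
</body></html>"""


def check_sample():
    """Run the check over the constructed message; returns the findings list."""
    return suspicious_links(SAMPLE_FROM, SAMPLE_BODY)


if __name__ == "__main__":
    for href, reason in check_sample():
        print("SUSPICIOUS:", href, "-", reason)
```

Of the three links in the constructed message only the first survives: the second points at a bare IP address and the third at a host outside the sender's domain while displaying a hallmark.com address as its text. The same function can be fed the HTML part of any message pulled from a mailbox, and the "not an http(s) link" branch catches javascript: and other odd schemes as well.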
 
• EXCELLENT half-year statement from F-Secure - please take the time to see/hear
Mikko Hypponen's report at the F-Secure Blog; it is really good and quite thorough.
 
• Major Victory for Hacker Hunters - and the still elusive Hang Up Team
This article from 2005 is still very relevant, and is very good in-depth
documentation of just how serious cyber crime really is.
 
• Hoping against hope? (20th March 2007)
The recent results of anti-malware efficiency testing from Malware-Test Lab
(www.malware-test.com) have seemed increasingly depressing, but here is
(perhaps hoping against hope) some temporary light at the end of the tunnel
- powerful new updates to three of the industry's strongest products:

Webroot Spy Sweeper had an upgrade which included VISTA support.

Spyware Doctor also sent out a new version, also with VISTA support,
small enhancements of the user interface, slight streamlining of the look,
but, importantly, more efficient scanning and, as stated, broader coverage.
It is also more than twice the size of the previous version. Let's see...

ZoneLabs ZoneAlarm PRO is also out with new features:

Hopefully the new features mean FAR better coverage against the exponentially
growing number of malware threats.

In conclusion: it is going to be very exciting to see the results of the next bout of
testing from Malware-Test Lab (www.malware-test.com); things simply
HAVE to get better, if for no other reason than to JUSTIFY the prices the above
vendors charge for their products. Time will show...


 
• Documentation of a root-kit based composite malware attack (3rd March 2007)
A test system, exposed to the wilder sides of the Web, became infected during 2006, it seems:

(An unpleasant picture from the registry - even the classic 180solutions is there!)

A HijackThis session showed this result - an indication of unwanted activity:
:\DOCUME~1\               \LOCALS~1\Temp\XSJZKVU.exe (file missing)
HijackThis offered this explanation:

Subsequent re-boots of the infected system and then scanning from a healthy
system showed these different signs of a composite malware infection:

RAPIER 3.1.4 was used to scan from within the infected system, but ended up
hanging. A second scan also hung, indicating either a software fault
or a problem caused by the malware complex.

Consequently, as there seemed NO WAY to disinfect this system, it simply
had to be re-installed...
(However, this WAS a test system, looking for trouble.)
 

• Malware news items of 2006 profile a worrying state of the World:

Malware wars: Are hackers on top? (The Register, 5th December 2006)
An interesting article in The Register discusses malware from the economic perspective;
there is more money in the malware business than in the anti-malware business...

Microsoft says fighting malware is impossible (eWeek, 4th April 2006)
"When you are dealing with rootkits and some advanced spyware programs,
the only solution is to rebuild from scratch. In some cases, there really is no
way to recover without nuking the systems from orbit." (Mike Danseglio,
program manager in the Security Solutions group at Microsoft.)
Quoted from the InfoSec World conference 2006.

Eighty percent of new malware defeats antivirus (ZDNet Australia, 19 July 2006)
"At the point we see it as a CERT, which is very early on -- the most popular
brands of antivirus on the market ... have an 80 percent miss rate. That is not
a detection rate, that is a miss rate. So if you are running these pieces of
software, eight out of 10 pieces of malicious code are going to get in."
(Graham Ingram, general manager of the Australian Computer Emergency
Response Team (AusCERT), at a conference in Sydney, July 2006)
 
• UPDATE: Real and perceived coverage against malware - BAD NEWS!
The table from malware-test.com (20th November 2006) says it all:
not even a multi-layered anti-spyware solution will protect a stand-alone
computer from spyware...

From Malware-Test Lab (www.malware-test.com)
 
• Open vulnerability in Microsoft's XML Core Services XMLHTTP ActiveX control

 
• Real and perceived coverage against malware. (An anti-virus system is presumed to be part of the underlying security.)

The example below attempts to illustrate the total protection offered by multiple anti-malware solutions.
This is not easy to depict correctly, as at any given time the quality of the different products varies.
Periodically, products are tested at AV-Test.org, which provides an impression of the overall position of each product.
One very interesting aspect is that vendors pursue the bundling concept; however, all tests until now show that it is the
specialist products which offer the best coverage. ZoneAlarm may be the recognized world leader in software-based
firewalls, but it is certainly not the world leader in anti-malware prevention, however relevant their addition of this
feature may be. And, not shown here, while F-Secure may be the cutting-edge antivirus vendor, they are not in a
position to provide a bundled software firewall in ZoneAlarm's league. The single best commercial anti-malware
product as of summer/fall 2006 is Webroot's Spy Sweeper, according to tests done in conjunction with AV-Test.org.
In the example below, SpywareBlaster, the ActiveX malware specialist product, is shown as overlaying Spybot S&D;
this is intentional, as these two products complement each other very well - but they take up system resources, of course.

The bottom line is that for corporate users as well as for private users it is absolutely necessary to
implement layered security. Regardless of the fact that there may always be an unknown residual risk, it is
clear that the best possible coverage can never be provided by a single product or product suite.
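The overlay picture the text refers to did not survive extraction, so here is an added example (not from the original page) that models the same reasoning in Python: each product is given the set of sample identifiers it detects, a stack's coverage is the union of those sets, and the script reports how much each added layer actually contributes, which pair of products works best together, and what remains uncovered. The detection sets are constructed to illustrate the point and are not test results from AV-Test.org or any vendor; the product labels are generic stand-ins.

```python
"""Model of layered anti-malware coverage as a union of detection sets.

Added example, not from the original page. The detection data is constructed.
"""

# Constructed: which of 20 sample IDs (0..19) each product would catch.
DETECTIONS = {
    "antivirus":       set(range(0, 12)),       # broad, but misses the newest 8
    "anti-spyware A":  set(range(6, 16)),       # overlaps heavily with antivirus
    "anti-spyware B":  set(range(8, 17)),       # nearly a copy of A
    "ActiveX blocker": {3, 14, 16, 17, 18},     # narrow specialist, different slice
}
CORPUS = set(range(20))


def caught_by(products, detections=DETECTIONS):
    """Union of everything at least one product in the stack detects."""
    caught = set()
    for p in products:
        caught |= detections[p]
    return caught


def stack_coverage(products, detections=DETECTIONS, corpus=CORPUS):
    """Fraction of the corpus caught by the stack (0.0 .. 1.0)."""
    return len(caught_by(products, detections) & corpus) / len(corpus)


def marginal_gains(order, detections=DETECTIONS, corpus=CORPUS):
    """Coverage each product adds when layered in the given order.

    A product that only repeats what earlier layers already catch adds
    close to nothing, which is why bundling two near-identical tools buys little.
    """
    gains, covered = [], set()
    for p in order:
        new = (detections[p] - covered) & corpus
        gains.append((p, len(new) / len(corpus)))
        covered |= detections[p]
    return gains


def best_pair(detections=DETECTIONS, corpus=CORPUS):
    """The two products whose combined coverage is highest."""
    names = list(detections)
    pairs = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]]
    best = max(pairs, key=lambda ab: stack_coverage(ab, detections, corpus))
    return best, stack_coverage(best, detections, corpus)


def residual(products, detections=DETECTIONS, corpus=CORPUS):
    """Sample IDs no product in the stack catches: the residual risk."""
    return sorted(corpus - caught_by(products, detections))


if __name__ == "__main__":
    order = list(DETECTIONS)
    for name, gain in marginal_gains(order):
        print("%-16s adds %4.0f%%" % (name, gain * 100))
    print("full stack covers %.0f%%, residual IDs: %s"
          % (stack_coverage(order) * 100, residual(order)))
    print("best pair:", best_pair())
```

With the constructed data the antivirus alone covers 60%, the second anti-spyware product adds only 5% on top of the first because the two overlap almost completely, while the narrow ActiveX specialist still adds 10% because it catches a different slice. The full stack reaches 95% and sample 19 stays uncovered whatever is installed, which is the residual risk the text mentions.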

 
• HAXDOOR - several versions (BackDoor-BAC.dr, W32/HaxDoor.KI, Troj/Haxdoor-DT, Backdoor.Win32.Haxdoor.ki,
BKDR_HAXDOOR.IS). Haxdoor is a powerful backdoor with rootkit and spying capabilities. It can hide its presence,
processes and files on an infected system. It ended up being the main tool for the major NORDEA home banking
heist, published January 2007.
 
• NX-bit protection evaluation
Using the tools from Joanna Rutkowska, three PCs from different generations have been evaluated for vulnerabilities
using the Microsoft-supported hardware feature. The details are here. The conclusion:
a fully implemented NX-bit feature does offer additional protection, while a software-only implementation (DEP in Windows XP)
offers very little protection and, finally, an OS without NX-bit or DEP support has no defenses whatsoever.
 
• As mentioned in The Register on 7th August 2006, there was a most interesting presentation at the SyScan Conference
in Singapore on 21st July and at the Black Hat Briefings in Las Vegas on 3rd August by Joanna Rutkowska (JR), "How to
implement a rootkit into VISTA (without any re-boot)". JR has generously made her presentation available at her site,
invisiblethings.org. It is highly recommended reading for all security professionals, as it goes into very deep detail,
and there are very illustrative videos included as well.

It appears that what is not said directly in the PowerPoint presentation is that the method used is the classic "hidden
channel attack". A delegate from the Black Hat conference has brought this corrective news forward.
Virtualization on a PC/workstation is NOT as safe as on a classic mainframe computer, as shown in the illustration below:


 
 
• YAHOO mail infection - June 2006
Another good reason to ban the use of web mail appeared in Russia in October 2005 and became relevant in
western countries in June 2006: a worm (Yamanner) based on a JavaScript flaw which allowed scripts embedded in
HTML e-mails to execute in the user's web browser (working equally well on Internet Explorer and Mozilla). With clever
social engineering, its spread was ensured. Consider this common misunderstanding: "It's only web mail and it's in the
browser only, so what could happen here?" Well, that one has now been answered.
The good thing about Yamanner was that it was a proof of concept only, implemented to explore this avenue for
further sophisticated malware - the incident died down after 2 days.
But it is an interesting phenomenon that might be used in a different form. Also, the vulnerability in Yahoo mail was
fixed - so for now it is just an indication of things to come. The advice to anyone using web mail is to exercise the
SAME caution as with any other form of e-mail handling: NEVER open unsolicited mail, especially mail that seems
"important", coming from a bank, from Microsoft or credit card companies, etc. Or even mail that you did not expect
from someone that you actually know - just like the precautions that apply to POP3 mail.
 
• Spyware infections directly via YAHOO
On the site itself, a number of spyware-ridden sites advertise screen savers, emoticons, etc.
Yet another reason to limit (a polite way of saying BAN) the use of YAHOO, although it has, in principle, nothing to do
with the site itself. The main problem is that it is a prominent site! These infections use the WMF vulnerability
(January 2006) but also a number of other vulnerabilities (click on the picture and you're on!). Some of these infections
only require a mouse-over, not even a click.
The remedy? There is no other prevention except workstation-based layered security plus central URL scanning with high-
grade site monitoring - as all traffic is directed via http on port 80, and the traffic relates to the open and valid session
initiated by the user - and as such bypasses the firewall and traditional protection. This creates the need for either
a very strong and enforced corporate policy or state-of-the-art malware prevention from the perimeter right through to
the workstation itself; expensive in all respects.
 
• RANSOMWARE - OLD, BUT GETTING  M U C H  WORSE!
Ransomware has been around since December 2004, but was often just a nuisance - that changed in January 2006!
GPCODE (ransomware using a 56-bit RSA encryption key) encrypted a user's data and asked for a donation to acquire
(or "purchase") a key... The principle is not new but the sophistication of the encryption is - and on 7th June 2006 a new
variant, GPCODE.AG, used a 660-bit key for the system's RSA-based algorithm. By good fortune the algorithm was
broken, thanks to a high similarity in GPCODE's reverse-engineered source code, so it was broken by Kaspersky Labs
within 24 hours. The attack involved an e-mail with a masked attachment, seemingly benign, which executes the
encryption of folders - the user then cannot access any data, in panic looks in the folders and finds a read.me file with
instructions on who to contact and how to pay.
 
• WGA - too much for the customers.
Brian Johnson, Los Angeles, is taking MS to court over wgatray.exe's invasive behavior.
Even if MS has modified the software's behavior to only call back at each monthly update,
it may be a problem in relation to privacy laws for citizens. But what about companies?
All companies using MS client software need to check WGA (wgatray.exe) and analyze how
much information is being sent and to which degree this may violate corporate IT security policy.

This does not apply if you use Microsoft Windows with a local license server, such as in Windows Server 2003.

The law applicable is (if you live in the US):

Definitely a viable case...
 
• Keeping in touch with malware news. One of the best sites is Spyware Warrior, where a blog updated
daily runs news of malware occurrences and of the peculiar workings of the advertising industry, which tries
everything to seem respectable. Contains very good and well-researched information. Here is where you
will find background information on classics like CoolWWWSearch, 180solutions, BonziBuddy, HotBar, etc.
 
• Latest and nastiest - root kits. Originally, and still, these are development tools for applications that should
always run. And this is exactly what they are being used for, now also by malware writers. A site
(rootkit.com) has this as its subject, and it is known in the security industry that root kits are a hot subject.

Tools exist to remove these. One commercial product, available for free at present, is F-Secure's
BlackLight beta.

Another entirely free tool (and one that is to remain free) is from Sysinternals - RootkitRevealer:
(RootkitRevealer screenshot)

Here it shows HackerDefender present. This is the good part of the story. The bad news is
that you may have to reformat your system drive and re-install everything if a detection is positive.
Before doing that, you have the option to search for removal kits for the particular root kit.

F-Secure's tool has a more user-friendly interface and also offers automated removal.
Here is a screen-shot:

If this tool is priced reasonably, then it is most likely a must-have in many corporations globally
and for security-conscious individuals. Even if the tool from Sysinternals might have a technical
edge, it is only a diagnostic tool - and as such a necessary control measure.

However, presently F-Secure plans to have it only as part of the F-Secure Internet Security 2006 suite.
This may be a problem if the 2006 suite demands that no other firewall can be used - that would
mean precluding the market leader - ZoneAlarm PRO.
 

• Commercially available zombie networks?
Yes, they are available - but the address below has been cancelled:


 
Copyright © 2005 - 2009 StealthSecure.net - Copyright of all documents and other content belonging to this site by StealthSecure.net.
It is illegal to copy or redistribute this information in any way without the expressed written consent of StealthSecure.net.
Adverse consequences of the uses of, or reliance upon, information obtained from StealthSecure.net cannot be made
attributable to the owner(s) of StealthSecure.net.
Last modified: 04/25/09