Viruses, worms, trojans and other stuff

Friday, April 14, 2006

Phishing stooge arrested

Czech authorities have arrested a man suspected of involvement in a gang which phished the bank accounts of innocent internet users.

In what is said to be the first arrest of its kind in the Czech Republic, a man was arrested while waiting at a bank counter in Prague, where he was said to have been attempting to pick up money stolen through the phishing scheme. If found guilty, the man faces up to 12 years in prison.

According to the police, the detained man was hired by a criminal gang to withdraw money from a bank account, which had had funds transferred to it from plundered accounts belonging to Citibank customers. The gang is said to have sent a number of emails disguised as communications from Citibank, asking for recipients to confirm their bank account details and other personal data.

"The Czech police deserves congratulations for investigating this case and making its first phishing arrest. But this is just an opening move in a long game, and we also need to see firm action taken against the phisher kings," said Graham Cluley, senior technology consultant for Sophos. "Sophos experts have for a long time been aware of criminal gangs operating in eastern Europe, which is sadly becoming one of the world's hotspots for internet crime. Everyone needs to be on their guard against phishing, and ensure that their finances are not being put at risk."

First J2ME virus found

Redbrowser.A is a J2ME-based Java MIDlet that sends SMS messages to a specific number.

Redbrowser pretends to be a WAP browser that offers free WAP browsing, supposedly by using free SMS messages to carry the WAP page contents. What Redbrowser actually does is send SMS messages to one specific number, so it may cause financial losses to the user.

Redbrowser claims to send free SMS messages as part of its normal operation in order to fool the user into granting the application permission to use the Java SMS capabilities, on phones that require the user's permission before an application may send SMS messages. This claim of a free service is a form of social engineering.

The social engineering texts used in Redbrowser.A are in Russian, which limits the trojan to Russian-speaking countries.

Sunday, April 09, 2006

Spammers take a novel approach to selling goods online

Experts have identified a new spam campaign that uses text from a classic Russian novel in an attempt to evade anti-spam software.

The unsolicited email messages contain sections of Mikhail Bulgakov's book "The Master and Margarita", considered to be one of the greatest Russian novels of the 20th Century, but also carry embedded graphics promoting websites which sell goods to enhance sexual performance.

Today's spammers include news stories, jokes and even text from novels in an attempt to fool anti-spam software into thinking the email is legitimate. In the case of this campaign, the spammers are not even including a clickable link to the spammers' website, but rather asking prospective purchasers to type it in by hand, in order to evade detection by less sophisticated email filters.

"Whether or not Mikhail Bulgakov anticipated the level of success that his novel would eventually meet with is uncertain, but it's a safe bet that he didn't anticipate it being used to flog sexual enhancement drugs," said Graham Cluley, senior technology consultant for Sophos. "People are bored to the back teeth with junk email, and should ensure the goods peddled by the spammers do not become bestsellers by never purchasing items marketed in this way."

Tuesday, February 28, 2006

Dutch police arrest suspected email scam gang

Dutch police have arrested 12 Nigerians suspected of being part of a gang who conned more than $2 million from unsuspecting Americans in an email scam designed to trick people into investing in non-existent money-making schemes.

According to a police statement, the gang sent more than 100,000 emails to potential victims, enticing them to hand over money advances.

Authorities detained the dozen suspects following police raids in Amsterdam and Zaandam, seizing computers, bank statements, forged passports and 25,000 Euros in cash.

"Many email users will be used to receiving dodgy sounding business propositions in their inbox, promising them a fortune. These schemes, however, only make money for the criminals behind them," said Graham Cluley, senior technology consultant for Sophos. "Everyone needs to be careful not to fall for this kind of confidence trick, or they could find themselves penniless."

This con-trick, commonly known as a 419 scam, is named after the relevant section of the Nigerian penal code, Nigeria being where many of these scams originated. It takes the form of unsolicited emails in which the author offers a large amount of money. Once a victim has been drawn in, the fraudster requests private information, which may lead to requests for money, stolen identities, and financial theft.

The four principal suspects will face extradition charges to bring them to the United States. The other eight are expected to stand trial in The Netherlands.

Wednesday, February 01, 2006

Nyxem: New disaster?

It turns out that the numbers of Nyxem worm infectees may be very inflated. Antivirus companies are basing the numbers on a counter on a website that the worm calls when it infects a machine. Each hit on that website increases the tally by one. The problem is that several antivirus companies published the URL used by the Nyxem worm in their virus descriptions. The URL is also listed in various SNORT rules. And each time someone visits the site to get the latest count, their visit also gets counted in the tally. The end result: it is impossible to tell how many computers might really be infected with the Nyxem (aka Blackmal, Kama Sutra) Internet worm. Chances are, the very high numbers are nothing more than the result of curious users visiting the site to see the tally.
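As an added illustration of the inflation problem described above (this is not code from the original post): a small Python script that runs over constructed web-server access-log lines for a hypothetical counter page and contrasts the raw hit count with estimates that remove repeat hits and browser traffic from people viewing the tally. The log path, the addresses and the user-agent heuristic are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines for a hypothetical hit-counter
# page (the path, addresses and user-agents are invented for this illustration).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2006:08:01:02 +0000] "GET /counter.cgi HTTP/1.1" 200 41 "-" "-"
192.0.2.10 - - [30/Jan/2006:08:01:04 +0000] "GET /counter.cgi HTTP/1.1" 200 41 "-" "-"
198.51.100.7 - - [30/Jan/2006:08:02:11 +0000] "GET /counter.cgi HTTP/1.1" 200 41 "-" "-"
203.0.113.5 - - [30/Jan/2006:09:15:30 +0000] "GET /counter.cgi HTTP/1.1" 200 41 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jan/2006:09:15:45 +0000] "GET /counter.cgi HTTP/1.1" 200 41 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [30/Jan/2006:09:16:02 +0000] "GET /counter.cgi HTTP/1.1" 200 41 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [30/Jan/2006:09:20:00 +0000] "GET /counter.cgi HTTP/1.1" 200 41 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko/20051111 Firefox/1.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption for this illustration: an infected host's beacon sends no
# User-Agent, while a person checking the tally arrives with a normal browser.
BROWSER_MARKERS = ("Mozilla", "Opera")


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def tally_counter_hits(text):
    """Compare the naive hit count (what the web counter shows) with
    estimates that drop duplicate sources and browser-driven visits."""
    hits = list(parse_log(text))
    distinct = {h["ip"] for h in hits}
    beacons = {h["ip"] for h in hits
               if not any(h["ua"].startswith(m) for m in BROWSER_MARKERS)}
    per_source = Counter(h["ip"] for h in hits)
    return {"raw_hits": len(hits),
            "distinct_sources": len(distinct),
            "probable_infections": len(beacons),
            "browser_sources": len(distinct - beacons),
            "busiest_source_hits": max(per_source.values(), default=0)}
```

On the constructed sample the counter would show 7 hits, but only 2 sources look like infected machines; the rest are repeat visits from browsers.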

Tuesday, January 31, 2006

Worm: Nyxem.E

'Nyxem.e' is a mass-mailing worm that also tries to spread via remote shares. It also tries to disable security-related and file-sharing software, and destroys files of certain types. It is similar to the '' that was found a few days ago.

Alias: W32/MyWife.d@MM, Kama Sutra, W32.Blackmal.E@mm, Email-Worm.Win32.Nyxem.e

  • Turns off anti-virus applications
  • Sends itself to email addresses found on the infected computer
  • Deletes files off the computer
  • Forges the sender's email address
  • Uses its own emailing engine
  • Downloads code from the internet
  • Reduces system security
  • Installs itself in the Registry

Monday, January 09, 2006

Sober-Z virus reaches pandemic proportions, reports Sophos

Sophos, a world leader in protecting businesses against viruses, spyware and spam, has revealed the top ten viruses and hoaxes causing problems for businesses around the world during the month of December 2005.

The report, compiled from Sophos's global network of monitoring stations, reveals that Sober-Z has taken the world by storm this month, accounting for a massive 78.92% of all malware reported to Sophos. Its domination of the charts is making other current threats pale in comparison, and the Sober threat shows no sign of slowing down.

The top ten viruses in December were as follows:

Position  Last  Virus   Percentage of reports
                Others  9.5%

The highly prolific Sober-Z worm sends itself as an email attachment and attempts to turn off security software on the user's computer. The author of this worm has been operating anonymously for more than two years, and this latest threat is the cyber criminal's most widespread virus yet.

"A key differentiator of the Sober worms is their ability to dupe users. From promising World Cup football tickets, to posing as the FBI or long-lost pal, it seems the Sober family will stop at nothing to ensure that recipients launch the viral email attachment," said Carole Theriault, senior security consultant at Sophos. "The Sober-Z worm stormed to the top of the November 2005 chart and continued to hold the number one spot throughout December. Should the author go ahead and upload malware onto websites for infected machines to grab and run, as anticipated, the worm may disrupt businesses even further."