Viruses, worms, trojans and other stuff

Thursday, September 29, 2005

Why write viruses?


The computer underground has realised that paid-for Internet services, such as Internet access, email and web hosting, provide new opportunities for illegal activity with the additional satisfaction of getting something for nothing. Virus writers have authored a range of Trojans which steal login information and passwords to gain free access to other users' Internet resources.

The first password-stealing Trojans appeared in 1997: the aim was to gain access to AOL. By 1998 similar Trojans appeared for all other major Internet service providers. Trojans stealing login data for dial-up ISPs, AOL and other Internet services are usually written by people with limited means to support their Internet habit, or by people who do not accept that Internet resources are a commercial service just like any other, and must therefore be paid for.

For a long time, this group of Trojans constituted a significant portion of the daily 'catch' for antivirus companies worldwide. Today, the numbers are decreasing in proportion to the decreasing cost of Internet access.

Computer games and software license keys are another target for cyber fraud. Once again, Trojans providing free access to these resources are written by and for people with limited financial resources. Some hacking and cracking utilities are also written by so-called 'freedom fighters', who proclaim that all information should be shared freely throughout the computing community. However, fraud remains a crime, no matter how noble the aim is made out to be.

Organised cyber crime

The most dangerous virus writers are individuals and groups who have turned professional. These people either extract money directly from end users (either by theft or by fraud) or use zombie machines to earn money in other ways, such as creating and selling a spamming platform, or organizing DoS attacks, with the aim here being blackmail.

Most of today's serious outbreaks are caused by professional virus writers who organize the blanket installations of Trojans to victim machines. This may be done by using worms, links to infected sites or other Trojans.

Bot networks

Currently, virus writers either work for particular spammers or sell their wares to the highest bidder. Today, one standard procedure is for virus writers to create bot networks, i.e. networks of zombie computers infected with identical malicious code. In the case of networks used as spamming platforms, a Trojan proxy server will penetrate the victim machines. These networks number from a thousand to tens of thousands of infected machines. The virus writers then sell these networks to the highest bidder in the computer underground.

Such networks are generally used as spamming platforms. Hacker utilities can be used to ensure that these networks run efficiently: malicious software is installed without the knowledge or consent of the user, adware programs can be camouflaged to prevent detection and deletion, and antivirus software may be attacked.

Financial gain

Apart from servicing spam and adware, professional virus writers also create Trojan spies which they use to steal money from e-wallets, PayPal accounts and/or directly from Internet bank accounts. These Trojans harvest banking and payment information from local machines or even corporate servers and then forward it to the master.

Cyber extortion

The third major form of contemporary cyber crime is extortion or Internet rackets. Usually, virus writers create a network of zombie machines capable of conducting an organized DoS attack. Then they blackmail companies by threatening to conduct a DoS attack against the corporate website. Popular targets include e-stores, banking and gambling sites, i.e. companies whose revenues are generated directly by their on-line presence.

Other malware

Virus writers and hackers also ensure that adware, dialers, utilities that redirect browsers to pay-to-view sites and other types of unwanted software function efficiently. Such programs can generate profits for the computer underground, so it's in the interests of virus writers and hackers to make sure that these programs are not detected and are regularly updated.

In spite of the media attention given to young virus writers who manage to cause a global epidemic, approximately 90% of malicious code is written by the professionals. Although all four groups of virus writers challenge computer security, the group which poses a serious and growing threat is the community of professional virus writers who sell their services.

Tuesday, September 27, 2005

Commwarrior sightings and some mobile malware statistics

There is an increasing number of queries about just how many known mobile malware families are out there. Here are some statistics on how many cases we have seen and how frequent the cases actually are.

Currently the total count of known mobile malware is 87, of which 82 run on the Symbian Series 60 platform.

Symbian malware is the vast majority in all mobile malware, but in our opinion this is not because Symbian would be any more insecure compared to other mobile platforms. The large number just shows how popular Symbian devices are, and thus they are the most interesting target for malware authors.

F-Secure Mobile Anti-Virus has been able to handle 61 (74%) cases of Symbian malware with generic detection, which means that the Anti-Virus has been able to detect and stop the malware without needing database updates. This in turn means that the user has been protected even before F-Secure has received the first sample.

Sunday, September 25, 2005

Data theft the old fashioned way

American soldiers' personal data has been stolen - but not by hackers. The American army confirmed on Monday that computers or hard drives had been stolen from Fort Carson army post in Colorado. The case is being investigated, but there are currently no suspects.

The equipment, which was stolen back in August, contained soldiers' social security numbers and other personal information including date of birth, rank, unit and citizenship. The loss of this data potentially puts the army personnel at risk of identity theft. The soldiers and their families have therefore been warned to keep an eye out for unusual activity on their bank and credit card accounts.

Additionally, those who are serving overseas have an 'active duty alert' placed on their credit records. This means that if anyone attempts to use the personal data of a soldier who is on active duty to apply for credit, the request has to be verified by law.

Saturday, September 24, 2005

Google Plans to Alert Site Owners of Potential Problems

There is some great news for website owners who fear they may have been penalized by Google. Matt Cutts, the owner of this quickly growing blog and employee of Google, confirmed on his website that Google is piloting a new program which will proactively alert website owners of potential problems on their website.

This is definitely exciting for website owners who do not know if they have been penalized, but it should not be taken for something that it is not. Keep in mind the following points:

  1. This is a pilot program. It is not a full-fledged program that guarantees everyone who has been negatively affected will be contacted. Chances are, you will not be contacted at all.

  2. It is an automated program. Google will not have any one person sending out these emails, but a bot that will have to 'discover' your email address. If it can't find one, it will try to guess an email address. If you are good at protecting yourself from spam, you may not get a message from Google even if they want to contact you.

There may be a day in the not-so-far future where Google is able to contact legitimate website owners who made an honest (or maybe not so honest) mistake. That day is not here yet, so the responsibility is still that of the individual website owner to make sure they have a legitimate website in the eyes of Google.

Friday, September 23, 2005

Mozilla Thunderbird 1.0.7 Release Candidates Available

The Mozilla Quality weblog has announced the availability of Mozilla Thunderbird 1.0.7 release candidate builds. Thunderbird 1.0.7 is a minor update that will fix a few bugs, including a return receipt regression introduced in version 1.0.2 (bug 289091) and the Linux command line URL parsing security flaw (bug 307185).

According to Mozilla Foundation Security Advisory 2005-57, Thunderbird is not affected by the recent international domain name (IDN) link buffer overflow vulnerability, so there is no need for version 1.0.7 to address this issue.

Wednesday, September 21, 2005

Infected files found on mozilla site

Infected binary or source code files aren't anything new. And sometimes they are found on public servers. is the latest example.

Korean distributions of Mozilla and Thunderbird for Linux turned out to be infected: mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b.

This virus searches for executable ELF files in the current and /bin directories and infects them. When infecting files, it writes itself to the middle of the file, at the end of a section of code, which pushes the other sections lower down. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell.

The infected files have now been removed, but it took some time. And this isn't the first time that infected binary or source code files have been placed on public servers. Yet another example of why you should have an up to date antivirus solution, and scan EVERYTHING you download, without exception.

Tuesday, September 20, 2005

Second wave of attack: new Bagle Trojans spammed out

SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, has warned that for the second day running a hacker is spamming multiple new versions of the Troj/BagleDl-U Trojan horse to millions of email addresses around the world.

The attacks were spreading across the net between 15:00 and 22:00 (GMT) yesterday, and a new phase began again at approximately the same time today. All of the different versions of the Trojan horse attempt to turn off anti-virus and security software, and block access to security websites, in an attempt to allow hackers to gain access to infected computers.

The latest series of malicious messages have strong similarities to yesterday's onslaught: the subject line is blank, the body message text is 'new price', and the malicious file attached can be identified with names such as '', '', and ''.

"This is the second massive email attack phase from this hacker in two days - the creator is obviously intent on infecting as many people as possible," said Carole Theriault, senior security consultant at Sophos. "All computer users should avoid opening unsolicited email attachments, and ensure that their anti-virus protection is up to date. Businesses should also consider blocking all executable code from entering their networks via email - most companies have no need to receive computer programs via this route, and it dramatically reduces the risk of infection".

Sophos is currently protecting its customers against these new threats.
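The gateway policy recommended above (block executable code arriving by email) can be implemented as a simple attachment check. The following is an added example, not Sophos's code: it uses Python's standard `email` module, a constructed message that mimics the lure described in the post (blank subject, body 'new price', one binary attachment), and a harmless 'MZ' header stand-in for the attachment payload. It checks both the file extension and the decoded payload's magic bytes, so a renamed executable is still flagged.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly; constructed list for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Every Windows PE executable begins with the DOS "MZ" header, whatever its name.
PE_MAGIC = b"MZ"


def executable_attachments(raw: bytes) -> list[str]:
    """Return the names of attachments that look like Windows executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""   # decoded bytes, not base64 text
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        # Either signal is enough: a renamed .exe still starts with MZ.
        if ext in EXECUTABLE_EXTENSIONS or payload.startswith(PE_MAGIC):
            flagged.append(name)
    return flagged


def should_block(raw: bytes) -> bool:
    """Policy from the post: drop any message carrying executable code."""
    return bool(executable_attachments(raw))


def build_sample(attachment_name: str, payload: bytes) -> bytes:
    """Constructed test message with the lure traits described in the post."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    # No Subject header at all, i.e. a blank subject as in the spammed messages.
    msg.set_content("new price")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed harmless stand-in: just an MZ header, not a real program.
    fake_pe = b"MZ" + b"\x00" * 62
    print(executable_attachments(build_sample("price.zip.exe", fake_pe)))
    print(executable_attachments(build_sample("renamed.txt", fake_pe)))
    print(should_block(build_sample("notes.txt", b"hello")))
```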

Friday, September 16, 2005

Intel Capital To Acquire $16M Stake In Grisoft

Intel Capital, Intel Corporation’s venture investment program, today announced the signing of an agreement to acquire a $16M stake in Grisoft, one of the leading providers of anti-virus security software. The investment is subject to approval by the competition council of the Czech Republic.

The $52 million investment in Grisoft by Enterprise Investors and Intel Capital will result in a new ownership structure of the company, with a majority stake being acquired from current owners Benson Oak Capital. As a result of this strategic transaction, the two new investors will own a 65% stake in Grisoft.

Founded in 1991, Grisoft is a leading global provider of security software solutions. Specializing in anti-virus solutions, Grisoft’s primary goal is to deliver to the market the most comprehensive and proactive protection available. Distributed globally through resellers and through the Internet, the AVG Anti-Virus and firewall product line supports all major operating systems and platforms, and is now used by more than 25 million users around the world. Grisoft has offices in Brno, Czech Republic and in the United States.

17-year-old confesses Paris Hilton phone hack

An American teenager has confessed to hacking into Paris Hilton's mobile phone.

As you might or might not recall, this case had nothing to do with phone viruses or Bluetooth attacks: access to her Sidekick phone's web interface was gained with traditional social engineering tactics.

While at it, the kid also confessed to hacking into AOL, hacking and later DDoSing the network of a telephone operator, and calling in bomb threats to high schools.

This story was once again scooped by Brian Krebs at Securityfix.