Viruses, worms, trojans and other stuff

Saturday, October 15, 2005

No need to panic over first Nintendo DS malware, reports Sophos

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have urged owners of Nintendo DS consoles not to panic following the discovery of two Trojan horses which target the popular handheld games device.

The Troj/DSTahen-A and Troj/DSTahen-B Trojan horses attempt to wipe out the flash memory, preventing the Nintendo DS from booting. However, because both Trojan horses are unapproved custom applications, and not endorsed by Nintendo, they are only capable of running on modified consoles which have been altered to allow unsigned code to be run.

"Nintendo DS owners don't need to rush out to buy anti-virus software for their games console alongside 'Super Mario', 'Nintendogs' and 'Yoshi Touch & Go'. These Trojan horses are harmless unless you have deliberately modified your console to let it run unauthorized software," said Graham Cluley, senior technology consultant for Sophos. "These Trojan horses are not viruses, and cannot replicate. For now Nintendo DS owners need to worry more about scratching their touch screen through excessive playing rather than having their console turned into a useless lump of plastic by these Trojans."

Users of Sophos anti-virus products were automatically protected against the new Trojan horses. Last week the first Trojan horse for Sony's PSP games console was discovered.

Sophos continues to recommend that users exercise caution about what software they run on their computers, and run the very latest security software.

Tuesday, October 11, 2005

October's Microsoft Security Updates

Microsoft today released updates for Windows covering 8 vulnerabilities affecting Windows and 1 affecting both Windows and Exchange.

The vulnerabilities rated Critical are MS05-050, MS05-051 and MS05-052. All of them could allow remote code execution: the first two are due to vulnerabilities in DirectShow and MSDTC/COM+ respectively, while the third involves Internet Explorer and could be used to gain control of an unpatched system.

Four vulnerabilities are rated as Important: MS05-046, MS05-047, MS05-048 and MS05-049. All of them involve remote code execution. The affected components are “Client Services for NetWare”, “Plug and Play”, “Microsoft Collaboration Data Objects” and the “Windows Shell”. They are rated Important rather than Critical because exploitation requires either user interaction or a local logon, or because the affected service is not installed by default or is not vulnerable in its default configuration.

The last two, rated as Moderate, are MS05-044 and MS05-045, affecting the Windows FTP client and the Network Connection Manager respectively.

Of all these, the three rated as critical might end up being used with malicious intent against unpatched machines. As usual, it’s recommended to update as soon as possible.

Suspected zombie kings who ran botnet of 100,000 PCs arrested, reports Sophos

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have welcomed the news that authorities in the Netherlands have arrested three men suspected of running a zombie network of more than 100,000 computers.

The men, aged 19, 22 and 27, are accused of computer hacking, installing adware and spyware and using innocent people's compromised computers without their permission. Police confiscated computers, cash and a sports car during a search of the suspects' homes.

Prosecutors claim that the men ran a zombie network of 100,000 infected computers, one of the largest ever detected, which included computers around the world. Such zombie networks, also known as botnets, are often used to launch distributed denial of service attacks (DDOS) or to launch spam campaigns.

The suspects are alleged to have used the W32/Codbot worm (also known as Toxbot) to take remote control of the PCs of innocent computer users. A number of new versions of the Codbot worm have appeared since the start of 2005, as its authors changed its appearance in an attempt to avoid detection by anti-virus software. Some versions of the Codbot worm captured keypresses, in an attempt to commit identity fraud by stealing bank account information and credit card numbers.

Dutch authorities are investigating claims that the gang attempted to blackmail a North American organization. It is not unusual for criminal gangs to use zombie networks to extort money from online companies, forcing them to pay to prevent a DDOS attack against their websites.

"Zombie botnets are becoming an increasing security problem as they pump out spam campaigns, steal information, or launch attacks against corporate networks," said Graham Cluley, senior technology consultant for Sophos. "The Dutch authorities should be applauded for investigating this case, but with many other internet criminals in operation these arrests are unlikely to make a dramatic impact on the safety of the internet."

In August, an American teenager was sentenced to five years juvenile detention for launching DDOS attacks against online sportswear retailers.

Saturday, October 08, 2005

Two British virus writers jailed

Two UK men were sentenced today at Newcastle Crown Court for their part in an international hacking group.

They were charged with writing the "TK Worm" in 2003. This was one of the early botnet clients.

TK Worm is detected by our antivirus as Backdoor.IRC.Demfire. The name comes from "Fire Daemon", which is the name of the service started by the virus.

Andrew Harvey (23) from Durham pleaded guilty to conspiring to "effect unauthorised modifications to the contents of computers with the intent to impair the operation of those computers" and was sentenced to six months.

Jordan Bradley (22) from Darlington pleaded guilty to the same and was sentenced to three months.

Wednesday, October 05, 2005

SpreadFirefox Site Hacked, Data Leaked

The Mozilla foundation's marketing site was hacked with intent to use it to send spam.

The hackers gained entry by exploiting an unpatched security vulnerability in the software the site runs on.

A Mozilla representative on Friday confirmed that the attack took place over last weekend, but the breach was not discovered until Tuesday.

Asa Dotzler, a Mozilla engineer, posted this message on the site: "It doesn't look like the attacker accessed any personal data on the site, but to be safe, we're encouraging all of our users to log in and change their passwords."

Mozilla took the site down for a few days to investigate the implications behind the attack. The company also issued an e-mail alert to registered users on Thursday. The e-mail alert adds that the vulnerability has now been patched and that there is no danger of it being exploited again.

This incident is a major blow for the company, which has been pushing Firefox as a safe browser in comparison to Internet Explorer. The site was launched in September 2004 as a part of the initiative to promote Firefox 1.0.

A statement issued by the company said that it deeply regretted the incident and that it has taken steps to ensure that such incidents do not occur again.

Virus writers: four general types

Virus writers belong to one of four broad groups: cyber-vandals, who can be divided into two categories, and more serious programmers, who can again be split into two groups.

Cyber vandalism - stage 1

In the past, most malware was written by young programmers: kids who had just learned to program and wanted to test their skills. Fortunately most of these programs did not spread widely; the majority of such malware died when disks were reformatted or upgraded. Viruses like these were not written with a concrete aim or a definite target, but simply for the writers to assert themselves.

Cyber vandalism - stage 2

The second largest group of contributors to malware coding were young people, usually students. They were still learning programming, but had already made a conscious decision to devote their skills to virus writing. These were people who had chosen to disrupt the computing community by committing acts of cyber hooliganism and cyber vandalism. Viruses authored by members of this group were usually extremely primitive and the code contained a large number of errors.

However, the development of the Internet provided space and new opportunities for these would-be virus writers. Numerous sites, chat rooms and other resources sprang up where anyone could learn about virus writing: by talking to experienced authors and downloading everything from tools for constructing and concealing malware to malicious program source code.

Professional virus writers

And then these 'script kiddies' grew up. Unfortunately, some of them did not grow out of virus writing. Instead, they looked for commercial applications for their dubious talents. This group remains the most secretive and dangerous section of the computer underground: they have created a network of professional and talented programmers who are very serious about writing and spreading viruses.

Professional virus writers often write innovative code designed to penetrate computers and networks; they research software and hardware vulnerabilities and use social engineering in original ways to ensure that their malicious creations will not only survive, but also spread widely.

Virus researchers: the 'proof-of-concept' malware authors

The fourth and smallest group of virus writers is rather unusual. These virus writers call themselves researchers, and they are often talented programmers who devote their skills to developing new methods for penetrating and infecting systems, fooling antivirus programs and so forth. They are usually among the first to penetrate new operating systems and hardware. Nevertheless, these virus writers are not writing viruses for money, but for research purposes. They usually do not spread the source code of their 'proof of concept viruses', but do actively discuss their innovations on Internet resources devoted to virus writing.

All of this may sound innocent or even beneficial. However, a virus remains a virus and research into new threats should be conducted by people devoted to curing the disease, not by amateurs who take no responsibility for the results of their research. Many proof of concept viruses can turn into serious threats once the professional virus writers gain access to them, since virus writing is a source of income for this group.

Tuesday, October 04, 2005

Nordic Phishing

Phishing attacks have been jumping from one geographical area to another. First we saw them in the USA. Then in Australia. Then the UK. Then in Germany, localized to the German language. In early 2005, we saw isolated phishing cases in Denmark.

Last night an unknown party launched a large-scale attack against Nordea Sweden. Nordea is the largest bank in Nordic countries. It also operates one of the largest internet banks in the world, with over 4 million internet customers in eight countries.

Basically this was a normal phishing scam: somebody spammed a large number of spoofed emails with links pointing to a fake bank. Two things made it different:

  1. The phishing emails were in Swedish
  2. Nordea operates a one-time password system

The one-time password system in use by Nordea Sweden consists of a scratch sheet: you scratch to uncover the next available PIN code for login.

Attacking a site like this is quite a bit more challenging than attacking banks that authenticate users with a bank account number and a constant 4-digit PIN that never changes.

However, that's just what has now been attempted.

The fake mails were explaining that Nordea is introducing new security measures, which can be accessed at or (fake sites hosted in South Korea).

The fake sites looked fairly real. They asked the user for his personal number, access code and the next available scratch code. Regardless of what was entered, the site complained about the scratch code and asked for the next one. In reality the bad boys were trying to collect several scratch codes for their own use.
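The scratch-sheet scheme described above, as an added illustration that is not part of the original post and not Nordea's actual implementation: a server-side verifier that consumes codes strictly in order and flags a login with a code from a later position on the sheet, which is the trace a harvested sheet leaves once codes are scratched off for a fake site but never used at the bank. The sheet contents and the verifier's behaviour are assumptions for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample scratch sheet for one customer; the codes are made up.
SHEET = ["4831", "9027", "1164", "7750", "3306", "8812"]


@dataclass
class ScratchSheetVerifier:
    """Server-side model of a sequential one-time scratch-code list.

    Assumption (not Nordea's documented behaviour): the bank expects exactly
    the next unscratched code.  A submitted code that matches a LATER
    position means codes were scratched off but never used at the bank,
    which is exactly what a customer who typed them into a fake site leaves
    behind, so it is returned as an alert rather than a plain rejection.
    """
    codes: list
    next_index: int = 0
    events: list = field(default_factory=list)

    def verify(self, submitted: str) -> str:
        if self.next_index < len(self.codes) and hmac.compare_digest(
            submitted, self.codes[self.next_index]
        ):
            self.next_index += 1          # consume the code: it is single-use
            return "ok"
        # Look ahead: did the customer jump to a later position on the sheet?
        for i in range(self.next_index + 1, len(self.codes)):
            if hmac.compare_digest(submitted, self.codes[i]):
                skipped = i - self.next_index
                self.events.append(f"skipped {skipped} code(s); review sheet")
                return "alert"
        return "reject"


def harvested_sheet_scenario() -> tuple:
    """Constructed scenario from the post: the customer entered codes 0, 1
    and 2 into the fake site, so the bank never saw them.  The first of the
    harvested codes is then used for a login, and later the real customer
    logs in with code 3, the next unscratched one on the physical sheet."""
    bank = ScratchSheetVerifier(list(SHEET))
    first = bank.verify(SHEET[0])         # harvested code, still valid: "ok"
    later = bank.verify(SHEET[3])         # real customer is 2 codes ahead
    return first, later, bank.events[-1]
```

The alert does not prove fraud on its own (a customer can also scratch a code by mistake), but a customer who is several codes ahead of the bank shortly after a phishing wave is the case worth reviewing.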