November 24, 2005
Computer Worm Poses as E-Mail From FBI, CIA
'Sober X' Web Threat Spreads Quickly
By Arshad Mohammed and Brian Krebs
Washington Post Staff Writers
Thursday, November 24, 2005; Page D01
It's being called the worst computer worm of the year -- a fast-spreading Internet threat that looks like an official e-mail from the CIA or FBI but can leave your computer wide open to intruders.
The bogus e-mail claims the government has discovered you visiting "illegal" Web sites and asks you to open an attachment to answer some official questions. If you do, your computer gets infected with malware that can disable security and firewall programs and blast out similar e-mails to contacts in your address book. It can also keep you from getting to computer security Web sites that might help fix the problem, and it may open your Windows computer to intruders who can steal your personal data.
The worm -- named "Sober X" -- has spread so far so fast that the CIA and the FBI put prominent warnings on their Web sites making clear that they did not send out the e-mail and urging people to not open the attachment.
Across the Atlantic Ocean, Austria's equivalent to the FBI is investigating a flurry of similar bogus e-mails sent in its name to people in Austria, Germany and Switzerland, the Associated Press reported.
"This particular virus is a mass-mailer worm and is the largest one we have seen this year," said Alfred A. Huger, senior director of engineering at Symantec Corp., which sells Norton AntiVirus software. "It's as bad as it gets. With this particular type of virus on your system, there is a high probability that your personal information will be stolen."
Craig Schmugar, a virus-research manager at McAfee Inc.'s Avert Labs, said his company, which also makes anti-virus software, had logged more than 73,000 consumer computers reporting detection since the worm was discovered Monday.
British e-mail security company MessageLabs Ltd. said it has intercepted more than 2.7 million copies of Sober and its variants, noting that "the size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months."
Still, the Sober worm was listed as only a "medium-risk" worm by security companies, which noted that it was not as widespread as others in recent years, notably MyDoom, which hit computer systems early last year.
Sober is known to affect only those computers running the Windows operating system. It appears that Apple and Linux computer users were not affected.
The e-mail informs the recipient that the user's "IP-address" has accessed more than 30 illegal Web sites and that the attachment contains a list of questions that need to be answered. The e-mail also includes an authentic phone number for the FBI or CIA.
And that has kept government switchboard operators busy.
FBI operators have been routing calls and complaints to its Internet Crime Complaint Center in West Virginia, which received more than 4,000 complaints about the worm on Monday. The ICC typically receives 18,000 complaints each month, said FBI spokeswoman Cathy Milhoan.
The FBI is investigating the source of the attack, which closely resembles an e-mail worm that surfaced in February, Milhoan said, though she declined to comment on the progress of that investigation.
Brian Krebs is a reporter for washingtonpost.com.
November 24, 2005 at 12:08 AM in Virus | Permalink | TrackBack (101) | Top of page | Blog Home
August 17, 2005
Computer virus hits Canadian banks
TheStar.com - Computer virus hits Canadian banks
'Worm' attacks businesses that use Microsoft system
An apparently new virus that attacks business computers running Microsoft's Windows 2000 system hit at least two Canadian banks and several U.S. businesses yesterday.
At the Canadian Imperial Bank of Commerce, the Zotob virus affected computers in the trading division and head office.
"There were some temporary outages in isolated parts of our business," said spokesperson Rob McLeod.
Automated bank machines, Internet and phone banking were all fully functional, McLeod said.
"We expect to have functionality in all our areas ... (this) morning."
The virus also hit BMO Nesbitt Burns, but customer service was not affected, said spokesperson Ralph Marranca.
"We got through this with no real impact on our customers."
ABC News, one of the U.S. companies hit by the problem, reported that computers at DaimlerChrysler plants froze for nearly an hour yesterday. Other reports said UPS Inc., General Electric Co., and Caterpillar Inc. had also been affected.
The U.S. Federal Bureau of Investigation said the virus was low-risk and not widespread, but that it would investigate. McAfee Inc., a California-based firm that makes anti-virus software, also described Zotob as low-risk. The origin of the virus is unknown, it said.
Microsoft said on its website that the virus, which installs malicious software and then looks for other computers to infect, takes advantage of a security defect that has already been addressed by a security update.
"Our investigation has determined that only a small number of customers have been affected," Microsoft said.
star staff and DOW JONES
August 17, 2005 at 10:09 PM in Virus
August 11, 2005
Mobile phone virus infects Helsinki championships
Mobile phone virus infects Helsinki championships - Yahoo! News
HELSINKI (Reuters) - Visitors to the world athletics championships in Finland have had to brave wind and rain, and officials say they now face the possibility of catching the world's first mobile phone virus.
Officials in mobile-mad Finland, home to the world's largest cellphone maker Nokia, said there had been outbreaks of the Cabir virus at Helsinki's Olympic Stadium.
"At most we are speaking about dozens of infections, but during a short period and in one spot this is a huge number," said Jarmo Koski, a security official at telecoms firm TeliaSonera.
Cabir, first reported in June last year, uses Bluetooth short range wireless signals to jump between cellphones.
That means it can spread over distances of up to 10 metres (30 feet), which in a packed stadium could include dozens of phones.
The recipient needs to accept a download to be infected and, while telecoms security officials say the risk of catching a mobile virus is small, thousands of phones have already been hit around the world.
"There must be a lot of infected phones at the stadium and a lot of Bluetooth traffic," said Antti Vihavainen, head of the mobile unit at antivirus software firm F-Secure.
"It is the early version of Cabir, which can infect only one phone at a time. Later versions of Cabir are much more fierce."
Since it was invented, the virus has so far spread to more than 20 countries, from the United States to Japan and from Finland to South Africa.
F-Secure says there are 55 viruses or other malicious programmes spreading between cellphones and other mobile devices.
Cabir drains the power of the infected phone as it tries to replicate itself on nearby mobiles, but the most damaging viruses could disable a phone, requiring a factory reset.
August 11, 2005 at 06:49 PM in Virus
January 10, 2005
New Skulls Cellphone Virus
IT Observer - New Skulls Cellphone Virus
Author: Jeremy C. Wright, Staff Writer
Monday, 10 January 2005, 22:00 GMT
A new version of the Skulls smartphone virus has begun to appear on various cellphone download sites. Infected users risk losing all of the data on their phones.
Security firm F-Secure issued a directive earlier this week on the new Skulls.D Trojan. Skulls.D masks itself as a new version of Macromedia’s popular Flash animation player for Symbian Series 60 phones – which also includes a number of Nokia smartphones.
The virus also puts a version of the SymbOS/Cabir.M worm on the phone and disables system apps and data.
The original virus killed applications and replaced their icons with a skull image. Affected phones display a flashing picture of a skull and include the text "WARNING!!! Device Have been Attact By Virus".
F-Secure has said that their Mobile Anti-Virus was already "capable of detecting the Skulls.D with generic detection even before we got the first sample of this from a customer."
F-Secure Mobile Anti-Virus is also capable of detecting Cabir.M, contained in Skulls.
Once infected, users can either install anti-virus software to disinfect the phone or return their equipment to factory settings, which will destroy their personal data.
F-Secure said it has only had reports of Skulls.D from two people, whose phones were infected after they downloaded an application from a Web forum. Phone owners can reduce the risk of infection by exercising caution, said Mikko Hypponen, the director of antivirus research at F-Secure, which has posted an advisory.
"Be careful about what you download and where you download it from," Hypponen said. "You are most at risk if you are downloading illegal copies of applications, especially from peer-to-peer networks."
Hypponen warned there are likely to be more Skulls in the future. "We are waiting for the next variant," he said.
January 10, 2005 at 11:31 PM in Virus
Microsoft App Aims To Attack Spyware Jan. 10, 2005
Vendor plans release of virus- and worm-cleaning tool, as well
By George V. Hulme
InformationWeek
Spyware will be one of the top security threats business-technology professionals face this year. Last week, Microsoft joined a number of vendors jumping into the anti-spyware market with the beta release of its Windows AntiSpyware application.
Microsoft estimates that one-third of PC crashes can be attributed to spyware infections, says Amy Carroll, director of Microsoft's security business unit. Dell has placed the number of tech support calls attributed to spyware at around 15%.
Spyware and adware have become as much, if not more, of a problem than viruses, says Mark Sidden, IT director at textile provider Unifi Inc. "Most of the antivirus applications are fairly mature. That's not true yet with spyware solutions," he says. "The spyware problem caught security vendors off-guard. It'll be a year or more before the tools are probably ready for large businesses."
But the push is on. McAfee Inc. and Symantec Corp. added enhanced anti-spyware features to their security applications last year, while Computer Associates acquired anti-spyware vendor PestPatrol Inc. last summer. Webroot Software Inc. recently released software to help businesses rid their systems of spyware. And in the first half of this year, patch-management software maker Shavlik Technologies LLC will unveil its anti-spyware application designed for businesses.
Windows AntiSpyware, based on technology Microsoft acquired when it bought Giant Company Software Inc. in December, detects and removes known spyware threats from PCs, Carroll says. The application will protect users from more than 50 techniques that Web sites and malicious apps use to plant spyware on PCs. Microsoft won't say if it will begin charging for Windows AntiSpyware after the beta program. "We want to get the beta out there to focus on customer feedback," Carroll says, adding that specific decisions about the final product haven't been made.
Microsoft also will release a malicious-software-removal tool on Jan. 11. The software will help users remove viruses and worms such as Blaster and Download.Ject from infected PCs. The virus- and worm- cleaning tool will be updated monthly or as needed if a fast-spreading outbreak occurs, Carroll says.
There has been a lot of speculation about if and how Microsoft would begin selling antivirus security software for what Merrill Lynch projects will be a $395 million market this year. In June 2003, Microsoft bought the intellectual property and technology assets of Romanian antivirus company GeCAD Software Srl. Before that, Microsoft acquired Israeli security software startup Pelican Security, which developed software that determines the behavior of applications and stops malicious activity.
Industry analysts are skeptical that Microsoft will immediately target Windows AntiSpyware for business use. "The initial impact will be purely consumer and home offices, but by 2006 small and midsize businesses could begin using Microsoft," Gartner analyst John Pescatore says. "It won't be until after Longhorn ships that enterprises begin to take a look at Microsoft as a security provider."
If Microsoft is to succeed at becoming a trusted provider of security software, the company will have to overcome the perception held by many that it's scrambling to fix a problem created by the security flaws in its own software. "They're sending out a program to fix their own programs," says Glenn Wright, senior telecommunications technologist for the Delaware department of technology and information. Says Wright: "You don't want a bug to fix a bug."
January 10, 2005 at 01:46 AM in Virus
November 22, 2004
In cyberspace, a dark alliance
In cyberspace, a dark alliance | csmonitor.com
By Gregory M. Lamb | Staff writer of The Christian Science Monitor
For years, they worked in shadowy corners of the electronic world. Spammers tried to get around filters and other network defenses to plant their junk e-mail. Virus writers exploited computers to take them over. Now, they're starting to work together.
Their emerging alliance is straining already embattled spam and virus defenses. For users, it means the Internet has grown more risky.
"They're learning from each other," says John Pironti, a security consultant at Unisys, the multinational information technology company. "The collaboration has begun."
Internet security experts are fighting back in the ongoing arms race of attack and defend. But right now the criminals are on the offensive. "We're way behind," says Stefan Savage, a computer science professor at the University of California at San Diego. Since 2001, he says, there have been "incredible advances in sophistication on the part of the bad guys. And yet what we do to defend is pretty much what we did five years ago."
Statistics seem to back him up. Today, not only is 63 percent of all e-mail spam, but 1 in 12 e-mail messages contains a virus, says MessageLabs, an e-mail security firm. That's a dramatic change from 20 years ago, when computer viruses spread slowly within limited networks or as floppy disks that had to be manually moved between machines. Today, the Internet zips these programs around the world at light speed.
Viruses can now enter computers as programs attached to e-mails sent by spammers. Once embedded in a machine, the viruses return the favor. By secretly taking control of computers, the viruses can create networks of "bots," programs that turn computers into "zombies." These computers are then employed by spammers to send out floods of anonymous spam messages.
These spams often include "phishing" scams - e-mails that appear to be from a bank or credit-card company but are really trying to steal account passwords or other financial information. Phishing has victimized some 1.8 million consumers and cost banks and credit-card issuers nearly $1.2 billion in the past year, estimates Symantec, a maker of computer-security software in Cupertino, Calif.
In the first half of 2003, the average number of bot networks monitored per day by Symantec was 2,000. By the first half of 2004, the number mushroomed to 30,000. Each bot network can contain thousands of infected computers.
Motivations have changed too. Early virusmakers wanted to show off. Today, criminals target individuals and businesses to try to make easy money. "We've definitely seen the motivation shift," says Brian Czarny, vice president of marketing at MessageLabs. His company first started noticing spammers and virusmakers working together back in the spring of 2003, he says. "Since then, it's grown exponentially."
Outlaws at the cafe
Setting up in an Internet cafe anywhere in the world, these pirates can hit and run in a matter of hours. "They get somebody's identity, clear out their bank account, and then take off," Mr. Czarny says.
Other criminals hunt for personal data or a company's intellectual property for the purposes of extortion. "They send tidbits back to the organization and say, 'Look, I have your stuff,' " says Mr. Pironti, and then threaten to post the material on the Internet if their demands aren't met. In one recent example a British man was arrested last month in connection with stealing source code from Cisco Systems.
Big companies already spend a lot of time and money on state-of-the-art computer security. But in a new twist, criminals are sneaking in by attacking the less formidable defenses of smaller vendors who are linked into corporate computer networks. "That's one of our biggest challenges right now," Pironti says.
Not only are attacks more frequent and malicious, they're more skillful too. Some viruses are "sleepers" that quietly embed themselves in a computer system for months before starting up, Pironti says. That way they become copied onto the backup version of the operating system, making them very difficult to root out. Once activated, they can also "phone home" to get new instructions.
The speed of virus attacks and the skill of the virusmakers today require new defense strategies, says Professor Savage, who is also the project director of the Center for Internet Epidemiology and Defenses. The virus-fighting initiative, funded by a $6.2 million grant from the National Science Foundation, officially begins this month.
Fast virus, slow response
Even top-notch computer scientists may take hours to design a "patch" to stop a virus, a response time that's far too slow, Savage says. The Slammer worm, for example, doubled in size every 8.5 seconds and spread around the world within 10 minutes. "At these kinds of speeds, any solution that involves a human in the loop, which is our state of the practice today, isn't going to fly," he says.
Savage and his partner, Vern Paxson at the International Computer Science Institute in Berkeley, Calif., have set two goals for their center: One is to understand better how worms and viruses spread, accumulating minute detail on their limitations and characteristics. They also want to better predict how fast a virus will spread and how destructive it will be.
Using that knowledge, they hope to build fully automated defenses "that take whole classes of attacks off the playing field, as opposed to addressing one particular attack that happened last week," he says. Right now, "it's like you're constantly trying to come up with a flu vaccine, but a new version [of flu] is coming out every day."
He and Dr. Paxson have been working on concepts such as "content sifting" and "scan detection," ways of identifying "very untypical behavior" of computers - such as suddenly contacting thousands of other computers - before an actual virus is discovered. They've been able to detect signs that a virus was at work 12 hours before the virus was found. Their aim is to identify a new class of worms or viruses and devise a way to block it in less than a minute.
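One minimal form of the "scan detection" idea described above, as an added example (not code from the article or from Savage and Paxson's center): flag a host whose count of distinct peers in a one-minute window jumps far above its own earlier baseline, the "suddenly contacting thousands of other computers" signal in miniature. The flow records, window size and thresholds are constructed assumptions.

```python
"""Scan detection over constructed flow records (added example).

Flags a source host whose number of distinct destinations in one window jumps
far above the median of its own earlier windows. Window size, thresholds and
the sample flows are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import median

WINDOW_S = 60  # assumed window size: one minute


def make_sample_flows():
    """Constructed flow records (timestamp_s, src, dst); not captured traffic."""
    flows = []
    # 10.0.0.5 talks to the same four peers for five minutes ...
    for minute in range(5):
        for i in range(4):
            flows.append((minute * 60 + i * 10, "10.0.0.5", f"10.1.0.{i}"))
    # ... then, in the sixth minute, fans out to 200 distinct hosts in 20 seconds.
    for i in range(200):
        flows.append((5 * 60 + i % 20, "10.0.0.5", f"10.2.{i // 256}.{i % 256}"))
    # 10.0.0.7 is busy but steady: twelve distinct peers every minute.
    for minute in range(6):
        for i in range(12):
            flows.append((minute * 60 + i * 5, "10.0.0.7", f"10.3.0.{i}"))
    return flows


def fanout_per_window(flows, window_s=WINDOW_S):
    """Map (src, window_index) -> count of distinct destinations in that window."""
    seen = defaultdict(set)
    for ts, src, dst in flows:
        seen[(src, ts // window_s)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def detect_scanners(flows, window_s=WINDOW_S, factor=5.0, min_fanout=50):
    """Return {src: (window_index, fanout, baseline)} for the first window in
    which a source exceeds both an absolute floor (min_fanout) and `factor`
    times the median fanout of its own earlier windows. At least two earlier
    windows are required so a host's very first minute cannot trip the check."""
    per_src = defaultdict(dict)
    for (src, w), n in fanout_per_window(flows, window_s).items():
        per_src[src][w] = n
    alerts = {}
    for src, windows in per_src.items():
        history = []
        for w in sorted(windows):
            n = windows[w]
            if len(history) >= 2:
                baseline = median(history)
                if n >= min_fanout and n > factor * baseline:
                    alerts[src] = (w, n, baseline)
                    break
            history.append(n)
    return alerts


if __name__ == "__main__":
    for src, (w, n, base) in detect_scanners(make_sample_flows()).items():
        print(f"{src}: {n} distinct peers in window {w} (baseline {base})")
```

The steady-but-busy host is never flagged because the check is relative to each host's own history, not a single global threshold.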
Disruptive by design
While thinking of these Internet-borne attacks as "viruses" is a helpful model, it isn't perfect, Savage points out. A computer virus is used by people who, like bioterrorists, have a malicious intent. It's not a random act of nature, he says.
Virusmakers also monitor online discussions about new defense techniques to learn how to get around them. Savage says he doesn't want to release information that can help attackers, but in the end, sharing information among colleagues will build the strongest defenses. "We're not going to be keeping all this stuff secret," he says.
While all attacks may never be stopped, he says he'll be satisfied if he can limit them to those from only a few really talented, if malevolent, people. "A 12-year-old shouldn't be able to take down the Internet," he says.
Growing danger of spam
Not only is the stream of junk e-mail, or spam, rising, but an increasing share of the messages contain viruses, security firms warn. Among their findings:
• Nearly two-thirds - 63.5 percent - of e-mail in the first half of this year was spam, according to one analysis. That's up from 37.9 percent in 2003 and 1.5 percent in 2002.
• In January, 1 out of every 129 of those e-mails contained a virus; by June, 1 in 10 had one.
• The most common virus found in e-mail was the Netsky.P. worm, which accounted for 28.4 percent of all viruses discovered in August.
• US sites originated 42 percent of August's spam, followed by South Korea and China (14 percent) and Brazil (4 percent).
Sources: MessageLabs, Postini
November 22, 2004 at 12:05 AM in Virus
November 01, 2004
Gotcha! The spyware epidemic
TheStar.com - Gotcha! The spyware epidemic
U.S. survey found it on 80 per cent of computers
Once on your PC or Mac, it can render it unusable
ANICK JESDANUN
ASSOCIATED PRESS
NEW YORK—David Eckstein turned on his computer one day and launched his Web browser, just as he had every day. This time, however, CNN.com did not automatically open. Instead, the page was a search engine he'd never heard of.
Eckstein tried changing the browser settings back to CNN but the search engine would return whenever he rebooted. Finally, he just gave up.
The San Francisco marketing consultant is yet another victim of spyware, an amorphous class of software that mostly gets on to people's computers without their knowledge. So resource-hungry, it often renders the machines unusable.
"It makes you want to throw your computer out the window," Eckstein said.
In the past year, the problem has become epidemic as people spend more time online and spyware developers get more aggressive.
"It makes spam look like a walk in the park," said Bob Bowman, chief executive of Major League Baseball's Internet unit, which in June started banning new advertisers from using such techniques.
As part of a government-backed study, technicians visited Jenna Dye recently in Young Harris, Ga., and found 1,300 spyware-related items on her machine.
"It would shut itself down in the middle of doing stuff. We had lots of pop-ups. The (CD-ROM) drawers would pop open," the mother of two complained. "It's frustrating. We spent $1,800 on our computer and we didn't want to use it."
Until the machine was cleaned up, Dye and her husband would make 2 1/2 hour trips to the nearest mall to avoid shopping online. "We use it every day now again," she said.
Spyware was found on the computers of 80 per cent of participants in the study, conducted by America Online Inc. and the National Cyber Security Alliance.
Since EarthLink Inc. began offering free anti-spyware tools, each scan has found an average of six such programs. When including "cookie" data files that online sources use to track user behaviour, the average rises to 26.
The most common type of spyware is more properly termed adware, its main goal to generate pop-up and other ads.
Browser hijackers, the kind Eckstein got, direct users to rogue search engines, from which spyware developers or distributors get a commission. Dialers scam users by making international phone calls that carry hefty per-minute surcharges. A rare but malicious form can steal passwords and other confidential data.
The intrusive programs aren't always well-written and can use resources inefficiently.
"Often, you don't just have one. You might have a half-dozen or even a dozen that can bring your computer to a screeching halt," said Tim Lordan, staff director of the Internet Education Foundation. "They are undermining confidence in the Internet. People are getting fed up."
The most common way to get spyware, including adware, is to download file-sharing software, screensavers and other free programs that rely on revenues from such tag-along programs to cover costs. Spyware developers consider it part of the bargain, though they also depend on users' fascination with freebies.
"A lot of them say, 'I'm going to get free smileys in my e-mail or some sort of free ... download' without realizing the resource drain the sponsoring software is going to cause," said Wayne Porter, co-founder of SpywareGuide.com.
Users themselves invite spyware by breezing through prompts and not reading licensing agreements they are required to accept. Consent to spyware is often buried there.
Many of the larger companies whose software is delivered online with freebies have tried to clean up their act to the point that many don't actually harvest data anymore, though the term "spyware" has stuck.
And their methods for disclosure and removal have improved in response to consumer complaints.
But for every reputable operation, scores of shadier ones, often located abroad, are intent on tricking users into accepting spyware without any accompanying software.
In a technique known as drive-by downloading, code embedded within pop-up ads or on Web sites that offer free songs, games or even pornography can instruct computers to begin downloading the rogue programs with minimal warning.
Sometimes, those warning prompts even are programmed to keep popping up until users finally give up and say "yes," said Neel Mehta of Internet Security Systems Inc.
And exploiting known flaws with Microsoft Corp.'s Windows operating system or the Internet Explorer browser, spyware developers can bypass the prompts entirely.
"In the rush of doing things, people get confused and end up hitting one wrong button, and all of a sudden stuff is on your computer and you can't get it off," restaurant manager Damien LaRuffa said.
His Washington, D.C., restaurants lost two computers for a few days because an assistant manager apparently was tricked into accepting a fake pitch for anti-spyware software. LaRuffa said the repair bill exceeded $400.
Matt Davin, technical services manager at a repair shop in Walla Walla, Wash., estimates that half his jobs are directly tied to spyware. Customers, he said, often blame it on their kids downloading free programs.
Spyware can infect power users as well. Just ask Ricky Rodrigue, who runs Dell Inc.'s customer support centre. His son invited spyware onto his home machine while downloading games, and he once found more than 100 spyware items on his work machine.
"That's how creative (they are) and how challenging it is to protect PCs," Rodrigue said.
The less innocuous programs can usually be removed manually or by running one of several anti-spyware tools, many free. The nastier ones, however, immunize themselves and persist.
"Almost every new threat released today comes with a reinstaller so that as soon as you try to remove it, it goes and reloads it," said Ron Franczyk, co-founder of anti-spyware vendor Giant Company Software Inc.
Many spyware files carry names that mimic key Windows components and even hide among them in folders typically reserved for system files.
"How do you know if you need a spool.exe?" asked Vilis Ositis, chief technology officer at Blue Coat Systems Inc. "Windows comes with thousands of files. How do you know which ones you need and which ones are spyware?"
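A defender's answer to the "do you need a spool.exe?" question is to compare a folder listing against an inventory of known components and single out names that are only a small edit away from a genuine one. The following is an added example, not from the article or any vendor; the known-name set and the directory listing are constructed, and the name check is assumed to be one step before signature verification, not a replacement for it.

```python
"""Lookalike system-file name check (added example).

Given a directory listing, separates names that exactly match a known Windows
component, names that are a small edit away from one (the spool.exe-style
masquerade the article describes) and names the list does not know at all.
The known-name set is a deliberately tiny constructed subset; a real check
would use the full inventory for the folder and verify signatures too.
"""

# Constructed subset of genuine Windows system binaries (lowercase).
KNOWN_SYSTEM_FILES = {
    "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "services.exe", "winlogon.exe", "explorer.exe",
}

# Constructed listing of a system folder; not taken from a real machine.
SAMPLE_LISTING = [
    "svchost.exe", "spool.exe", "lsas.exe", "scvhost.exe",
    "explorer.exe", "notepad.exe",
]


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_names(listing, known=KNOWN_SYSTEM_FILES, max_distance=2):
    """Return {name: (verdict, closest_known_or_None)} where verdict is
    'legitimate' (exact match), 'lookalike' (0 < distance <= max_distance)
    or 'unknown' (not in the inventory and not near anything in it)."""
    result = {}
    for raw in listing:
        name = raw.lower()
        if name in known:
            result[raw] = ("legitimate", None)
            continue
        closest = min(known, key=lambda k: edit_distance(name, k))
        if edit_distance(name, closest) <= max_distance:
            result[raw] = ("lookalike", closest)
        else:
            result[raw] = ("unknown", None)
    return result


if __name__ == "__main__":
    for name, (verdict, near) in classify_names(SAMPLE_LISTING).items():
        print(f"{name:14} {verdict}" + (f" (resembles {near})" if near else ""))
```

An "unknown" verdict here only means the name is absent from the constructed inventory; with a complete inventory it becomes the list of files that need a closer look.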
The U.S. Congress is working on a ban, and industry groups have launched efforts to educate consumers and fight back with technology. Experts believe a solution will ultimately involve a combination of law enforcement, education and engineering.
"We're at a crossroads," said Ari Schwartz, associate director of the Centre for Democracy and Technology, a privacy-advocacy group.
Fail to properly address spyware, Schwartz warned, and "users will not want to use the Internet for commerce, for government services, for interaction with other people. We'll lose the great potential of the Internet."
November 1, 2004 at 07:57 AM in Virus
October 30, 2004
New Worm Variant Spreads, Clogging E-Mail
Yahoo! News - New Worm Variant Spreads, Clogging E-Mail
Fri Oct 29, 9:31 PM
By CHRISTINE NUZUM, Associated Press Writer
NEW YORK - At least one new variant of a worm spread rapidly from Asia and Europe to U.S. computers Friday morning, filling up people's e-mail accounts, but otherwise causing little apparent damage.
Alex Shipp, senior antivirus technologist at the e-mail filtering company MessageLabs Inc., said the variant of the so-called Bagle worm was "comparable in size to MyDoom," the virus that slowed Google and other Internet search sites in January. MessageLabs recently had received about 900,000 e-mails containing the virus. Shipp estimates that MessageLabs receives about 1 percent of the e-mails containing a given virus or worm.
"We were seeing 165,000 an hour, but it's leveled off at 100,000 an hour, if you can call that leveling off," Shipp said.
Because multiple e-mails containing a worm or virus are often sent to one computer, it's difficult to estimate the number of affected users, said Shipp.
One software security company, McAfee Inc., said another variant of the Bagle worm was also quickly spreading Friday, but similarly did not seem to be destroying files or damaging software.
Both versions can be transferred through shared network files as well as through e-mail.
They attach themselves to files and then send themselves to e-mail addresses that they find on infected machines. Viruses or worms often use e-mail addresses from computers they infect to fool the recipients into opening an attachment.
If a recipient opens the attachment, the worm creates a so-called back-door, "a small program that sits on your machine quietly listening for someone to contact it," said Kevin Hogan, senior manager of security response at Symantec Corp. A computer user who contacts the backdoor can transfer files between his machine and the infected one, Hogan said. The worm variants can also disable security software, experts said.
"It's pretty much a vanilla mass-mailing worm," said Hogan. "It does a lot of the things that we've seen these sorts of worms do in the past."
McAfee first received reports of the worm variants from Europe. Symantec said the first complaints it fielded were from Japan. Antivirus providers received a rash of reports of a worm in the United States at the start of the workday Friday.
Symantec, McAfee and Computer Associates International Inc.'s eTrust division had received no reports Friday of disabled files or other damage.
Much of the standard security software can readily detect and protect against these latest variants of the Bagle worm, which spreads through shared network files as well as e-mail messages, experts said.
"Most of the major antivirus vendors already have detection and so does Computer Associates," said Stefana Ribaudo, product manager for consumer products at Computer Associates' security division. "Users are receiving the latest signature files from their vendors, which will keep them protected."
McAfee said computer users who don't subscribe to antivirus software can go to its Web site and download a free remedy, called "Stinger," that will detect and remove the worm.
Christine Nuzum is a correspondent for Dow Jones Newswires.
October 30, 2004 at 01:38 AM in Virus
October 26, 2004
Security for Internet Users Deemed Weak
Yahoo! News - Security for Internet Users Deemed Weak
Mon Oct 25,10:00 AM
By TED BRIDIS, AP Technology Writer
WASHINGTON - Internet users at home are not nearly as safe online as they believe, according to a nationwide inspection by researchers. They found most consumers have no firewall protection, outdated antivirus software and dozens of spyware programs secretly running on their computers.
One beleaguered home user in the government-backed study had more than 1,000 spyware programs running on his sluggish computer when researchers examined it.
Bill Mines, a personal trainer in South Riding, Va., did not fare much better. His family's 3-year-old Dell computer was found infected with viruses and more than 600 pieces of spyware surreptitiously monitoring his online activities.
"I was blown away," Mines said. "I had a lot of viruses and other things I didn't know about. I had no idea things like this could happen."
The Internet always has had its share of risky neighborhoods and dark alleys. But with increasingly sophisticated threats from hackers, viruses, spam e-mails and spyware, trouble is finding computer users no matter how cautiously they roam online.
The technology industry is feeling the pain, too.
Spurred by the high costs of support calls from irritated customers — and fearful that frustrated consumers will stop buying new products — Internet providers, software companies and computer-makers are making efforts to increase awareness of threats and provide customers with new tools to protect themselves.
Still, many computer users appear remarkably unprepared for the dangers they face.
The study being released Monday by America Online and the National Cyber Security Alliance found that 77 percent of 326 adults in 12 states assured researchers in a telephone poll they were safe from online threats. Nearly as many people felt confident they were already protected specifically from viruses and hackers.
When experts visited those same homes to examine computers, they found two-thirds of adults using antivirus software that was not updated in at least seven days.
Two-thirds of the computer users also were not using any type of protective firewall program, and spyware was found on the computers of 80 percent of those in the study.
The survey participants all were AOL subscribers selected in 22 cities and towns by an independent market analysis organization.
The alliance, a nonprofit group, is backed by the Homeland Security Department and the Federal Trade Commission, plus leading technology companies, including Cisco Systems, Microsoft, eBay and Dell.
The group's chief, Ken Watson, said consumers suffer from complacency and a lack of expert advice on keeping their computers secure. "Just like you don't expect to get hit by a car, you don't believe a computer attack can happen to you," Watson said.
"There really is quite a perception gap," agreed Daniel W. Caprio, the Commerce Department's deputy assistant secretary for technology policy. "Clearly there is confusion. We need to do a better job making information and practical tips for home users and small businesses available."
Wendy Avino, an interior decorator in Lansdowne, Va., said researchers found 14 spyware programs on her borrowed laptop and noticed that her $50 antivirus software was not properly configured to scan her computer at least monthly for possible infections.
"We don't go in funny chat rooms, I don't open funny mail," Avino said. "If it says 'hot girls,' I delete it. We do everything in the right way, so how does stuff get in there?"
She complained she was misled believing her commercial antivirus and firewall programs would protect her from all varieties of online threats; most do not detect common types of spyware.
"It is very complicated for the average home user," said Ari Schwartz, an expert on Internet threats for the Center for Democracy and Technology, a Washington civil liberties group.
"There's a lack of accountability all around, from consumers who don't believe they should have to do this to companies who blame the consumer. It's finger-pointing back and forth," Schwartz said.
Microsoft's chairman, Bill Gates, said the company spent nearly $1 billion on its recent upgrade to improve security for customers using the latest version of its Windows software.
AOL purchased full-page advertisements in major newspapers this month pledging better security for its subscribers. Dell has begun a campaign to educate customers how to detect and remove spyware themselves.
The government is increasingly involved, too.
The FTC this month filed its first federal court case over spyware. The House overwhelmingly approved two bills to increase criminal penalties and fines over spyware. The Homeland Security Department offers free e-mail tips for home Internet users to keep themselves secure.
___
On the Net:
Cyber Security Alliance: www.staysafeonline.info
Homeland Security tips: www.uscert.gov
October 26, 2004 at 07:43 AM in Virus
August 19, 2004
UK banks and police warn of new Trojan banking threat
finextra news: UK banks and police warn of new Trojan banking threat
13 August 2004 - The National Hi-Tech Crime Unit and UK payments association Apacs are alerting consumers to a new Trojan e-mail attack targeting online banking customers.
The spam e-mails contain details of a fictitious order for Web hosting or computer goods and credit card billing information.
The e-mail also contains a link to a Web address in order to view the order in more detail. The site, which appears to be under construction, exploits vulnerabilities in unpatched versions of Internet Explorer to download malicious software to user computers.
The next time the customer uses their computer to access their own online banking site, the Trojan can potentially record their secret passwords and PINs used to log-on. In addition, the code opens a backdoor for the attacker to assume remote control of the end-user machine.
Detective chief superintendent Len Hynds, head of the NHTCU comments: "The NHTCU is continuing to work hard to bring the perpetrators of these elaborate scams to justice. The criminals behind these attacks are constantly evolving their techniques and changing tactics to target a wider range of victims."
August 19, 2004 at 07:26 AM in Virus
August 18, 2004
E-Mail Viruses Getting Smarter, Report Says
Yahoo! News - E-Mail Viruses Getting Smarter, Report Says
Tue Aug 17, 10:07 PM ET
SAN FRANCISCO (Reuters) - Computer viruses spread by e-mail are growing more sophisticated as virus writers and "spammers" are thought to be joining forces in an effort to make smarter bugs, a computer security group said on Tuesday.
New York-based MessageLabs, which scans client e-mails for viruses to block, said it picked apart some 5.6 billion e-mails from January to June this year and found 1-in-12 contained some sort of virus that penetrated firewalls meant to block them.
MessageLabs typically scans about 50 million customer e-mails daily, and its customers include major government and corporate entities from the British government to The Bank Of New York and Japanese technology giant Fujitsu Ltd. (6702.T).
While the number of e-mails sent globally was not covered by the study, the problem of computer viruses can be massive. They can overload computers with messages, automatically reboot systems and sometimes disable them.
In August last year, the "Blaster" worm spread rapidly around the world, infecting some 230,000 to 300,000 computers, based on estimates from sources ranging from U.S.-based Symantec Corp. to Moscow's Kaspersky Labs.
Soon after, a worm called "SoBig.F" raced around the globe crashing e-mail networks. At that time, America Online said it blocked 23.2 million copies of SoBig.F, and MessageLabs said about 1-in-17 e-mails were infected by the virus.
A separate MessageLabs study in the first six months of 2003 showed that 1-in-208 e-mails contained a virus, up from a ratio of 1-in-392 for the first six months of 2002.
MessageLabs said it believes the biggest e-mail security threat during the first half of 2004 was closer cooperation between virus writers and spammers, writers of unsolicited messages that often advertise products or get people to spend money.
The reason the two groups are getting together is profit, MessageLabs has learned through monitoring chat rooms to infiltrate the secretive world of virus writers and spammers.
With the recent proliferation of software blocking spam, the spammers are paying virus writers to create viruses that attach to their e-mails and circumvent the spam blockers.
MessageLabs said its employees who monitor chat rooms have learned that virus writers and spam writers are increasingly exchanging messages about joining ranks.
"There is little or no monetary profit to be gained from simply distributing viruses, but when you combine the capabilities of a virus and the profit that can be earned from spam, suddenly you have an altogether more materialistic proposition," MessageLabs said in its report.
MessageLabs said its belief about the increasing cooperation was based both on its research through its clients and on industry research.
August 18, 2004 at 03:08 PM in Virus
August 13, 2004
Peer-to-peer networks carry surprising cargo
By Ina Fried, CNET News.com
The latest Windows patch is being distributed on networks more known for their illegal content
Advocates of file sharing are distributing the latest Windows update in an effort to show that peer-to-peer networks could play a legitimate role in the distribution of commercial software.
Peer-to-peer advocacy group Downhill Battle has made a copy of Microsoft's Windows XP Service Pack 2 available at a site called SP2torrent.com through the BitTorrent file-sharing system.
"Now is a crucial time to demonstrate ways that peer-to-peer can be useful," Downhill Battle co-founder Nicholas Reville told ZDNet UK sister site CNET News.com. "We are facing a situation where Congress is seriously considering outlawing peer-to-peer for all intents and purposes."
Reville said he was referring to the Induce Act, a bill before Congress that says "whoever intentionally induces any violation" of copyright law is liable for that infraction.
In addition to distributing SP2, Downhill Battle also used peer-to-peer technology to distribute video of the congressional hearings on the Induce Act.
By distributing Microsoft's code, the company might be putting itself in violation of other laws, analysts say. Although the SP2 upgrade is free, the peer-to-peer distribution of it could well be in violation of Microsoft's licence agreement.
The software maker declined to comment specifically on Downhill Battle's action but reiterated that it feels the best way for consumers to get SP2 is to turn on the Automatic Upgrade feature in Windows and wait for the update to be pulled down automatically.
"We are always looking at ways of doing it," said Stephen Toulouse, security program manager at Microsoft. "The challenge with peer-to-peer is that you never know what you are getting."
Downhill Battle's effort plays on the fact that although the SP2 code was released to PC makers last week, Microsoft has said it will not be available for manual download until later this month.
Indeed, what Downhill Battle is distributing is not the individual PC download of the upgrade -- which is still not available -- but rather the network installation kit that Microsoft released on Monday for IT professionals. That download, which is roughly 270 megabytes, is more than three times larger than the download the typical user would get via automatic update and is designed for companies that need to upgrade many machines running different versions of Windows XP.
The network installer is also freely downloadable directly from Microsoft, though the company has posted a warning that it is not intended for individual users to upgrade their machines.
"Do not click 'Download' if you are updating just one computer," Microsoft states in bold, capital letters. "A smaller, more appropriate download will be available soon on Windows Update."
The demand from enthusiasts for individual upgrades comes as many corporations are opting to test, rather than quickly roll out, the security-oriented update.
Reville said the fact that Microsoft is taking weeks to get the software to users is a sign that there is an opportunity for file sharing to play a part.
"Even Microsoft -- the biggest of the big -- is rolling this out gradually," he said. "The combined power of every Internet user with a broadband connection is bigger even than Microsoft."
Analysts say that may be true, but there are other issues at play.
"There's a certain logic to that," Jupiter Research analyst Michael Gartenberg said. "Of course, that gets balanced against, 'How do I make sure that I am getting Service Pack 2 unmodified as opposed to something that might have a virus or a Trojan horse linked to it?'"
And there is little benefit to the consumer, Gartenberg said.
"It's certainly not going to come any faster," he said. "As long as a company like Microsoft has resources to download this type of content, there is no reason for consumers to want to turn to a peer-to-peer method."
The move is also a bit of a twist for BitTorrent, which is often used to distribute various versions of the open-source Linux operating system. Even in posting SP2, Downhill Battle worked in a plug for Linux.
"And since we're fervent advocates of open-source software around here, SP2torrent.com wouldn't be complete (without) a link to Knoppix, the zero-commitment Linux Live CD."
Wednesday August 11, 09:00 AM
August 13, 2004 at 01:40 PM in Virus
August 10, 2004
New Bagle Variant Sweeps the Internet
Yahoo! News - New Bagle Variant Sweeps the Internet
Tue Aug 10, 3:06 PM
Erika Morphy, www.newsfactor.com
Antivirus companies are sounding the alarm about a new variant from the long-lived Bagle virus family: On Monday, Bagle.AM, also known as "Bagle.AQ" and "Bagle.AC," began spreading rapidly and infecting users.
Due to the high number of incidences, antivirus firms are ranking this new virus on the higher end of the threat spectrum.
Mass-Mailing Threat
Bagle.AQ is a mass-mailing threat that contains its own SMTP engine to construct outgoing messages, according to McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team). The virus mass mails itself to addresses harvested from local files. It produces a message with a spoofed "From" address and contains a remote-access component -- with the notification sent to the hacker. It then copies itself to folders that have "shar" in the name, typically found in P2P applications, such as Kazaa, Bearshare and LimeWire.
The worm sends out a ZIP file that contains an HTML file. On vulnerable systems, it automatically runs an EXE file that is a downloader Trojan. The downloader Trojan then contacts a large number of remote Web sites to retrieve the virus itself.
"Users should be very wary and should most likely delete any e-mail containing 'From: (address is spoofed); Subject: (blank); Body Text: * new price,'" McAfee said.
The virus also has been successful in shutting down various security processes, Panda Software CTO Patrick Hinojosa told NewsFactor. "That is why it was able to spread so quickly. It had a chance to really jumpstart infections."
The virus was already at the top of the list of 20 most-detected viruses this month, Hinojosa said.
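The McAfee description above lists three things a mail gateway can check for on its own: a blank Subject, a body consisting of "* new price", and a ZIP attachment that carries an HTML file. The following is an added example, not code from McAfee or from the article, showing how a defender might score inbound messages against those indicators. The sample messages, the attachment name `price.zip` and the placeholder HTML inside it are constructed for the demonstration; the spoofed From address cannot be verified locally and is not checked.

```python
"""Score inbound mail against the Bagle.AQ indicators quoted in the article:
blank Subject, body "* new price", ZIP attachment containing an HTML file.
Added example; all sample messages below are constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def zip_member_names(blob: bytes) -> list[str]:
    """Return the member names of a ZIP blob, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def bagle_indicators(raw: bytes) -> dict:
    """Evaluate each indicator separately so an analyst can see which ones fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    zip_with_html = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            members = zip_member_names(part.get_payload(decode=True))
            if any(m.lower().endswith((".htm", ".html")) for m in members):
                zip_with_html = True
    return {
        "blank_subject": subject == "",
        "new_price_body": body == "* new price",
        "zip_with_html": zip_with_html,
    }


def is_suspect(raw: bytes) -> bool:
    """Require all three indicators together to keep false positives low."""
    return all(bagle_indicators(raw).values())


def build_sample(subject, body, zip_members) -> bytes:
    """Construct a MIME message with an in-memory ZIP attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"   # constructed; the real worm spoofs this header
    msg["To"] = "user@example.org"
    if subject is not None:
        msg["Subject"] = subject
    msg.set_content(body)
    if zip_members:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in zip_members.items():
                zf.writestr(name, content)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="price.zip")
    return msg.as_bytes()


# Constructed samples: one matching every indicator, one ordinary business mail.
WORM_LIKE = build_sample(None, "* new price", {"price.html": "<html>placeholder</html>"})
BENIGN = build_sample("Q3 price list", "Attached is the updated list.", {"list.txt": "..."})

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, bagle_indicators(raw), "->", "suspect" if is_suspect(raw) else "ok")
```

Scoring the indicators separately, rather than returning a single boolean, lets a gateway log which conditions matched; requiring all three before quarantining avoids flagging every mail that happens to have an empty subject line.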
Suspicious Timing
So far it does not appear as though the worm was designed to initiate a denial of service attack against a company. "It was obviously a launched worm," Hinojosa says, "aimed at individual machines."
The timing is a little suspect, though, considering the ire most hackers have towards Microsoft. "Microsoft came out with its new security service pack on the same day, so I am assuming this was done to take a shot at Microsoft," Hinojosa says.
August 10, 2004 at 08:13 PM in Virus
July 19, 2004
First Pocket PC virus discovered
BBC NEWS | Technology | First Pocket PC virus discovered
The first virus to attack handheld computers running Microsoft's Windows Pocket PC software has been found.
It is called "Duts", and its existence has been revealed by the Romanian security firm BitDefender.
The company said the virus posed no threat and was produced only as a "proof of concept" by its creators.
The program comes from the same virus writing group that put together similar code that could spread between smartphones running Symbian software.
Polite virus
BitDefender said Duts had been created by someone calling themselves Ratter, who was part of the 29A VX virus writing group.
In a statement, the company said it had written the code to show that it was possible to create programs that could spread via handhelds and mobile devices running the cut-down version of Windows.
BitDefender estimated that there were about 17 million Windows Pocket PC devices in use around the world.
The company said: "The code was first sent to anti-virus experts instead of being released in the wild."
The virus has been written to be polite as it asks permission to spread to a new host when infected applications are being run.
"You're more likely to have a meteorite strike your house than be hit by this virus," said Carole Theriault, anti-virus consultant for Sophos.
"Owners of PDAs running the Pocket PC operating system should not lose any sleep over this virus, although it might be a taste of things to come in the future."
Mobile bugs
The virus is named after a technology called Dust dreamed up by science-fiction writer Greg Egan in his novel Permutation City.
However, the privilege of naming viruses rests with the anti-virus firms, which have decided to call it Duts.
Last month, the 29A group released another proof-of-concept virus called Cabir that was aimed at devices using the Symbian operating system.
Phones vulnerable to this virus include Nokia's 3650, 7650 and the N-Gage gaming/mobile hybrid.
The Cabir virus uses the Bluetooth short-range radio system to spread between devices and disguises itself as a security program. It also asks permission to install itself.
Any device running the Symbian's Series 60 software could be vulnerable but anti-virus firms say there is little evidence that the virus is spreading in the wild.
July 19, 2004 at 07:23 PM in Virus
June 16, 2004
World's First Mobile Virus Is Not Lethal, Yet
Yahoo! News - World's First Mobile Virus Is Not Lethal, Yet
By Lucas van Grinsven, European Technology Correspondent
AMSTERDAM (Reuters) - A group of underground virus writers has showed off what is believed to be the world's first worm that can spread on advanced mobile phones, but security software companies say the virus had no malicious code attached.
The worm, named Cabir, was sent to security software firms Kaspersky Lab of Russia and U.S.-based Symantec by a member of 29a, a group of virus writers from the Czech Republic and Slovakia who pride themselves in creating "proof of concept malicious viruses," Kaspersky Labs spokesman Denis Zenkin said.
"This is the very first version of a network worm which propagates via mobile phones," he said on Wednesday.
The worm is designed to work in smartphones running on Symbian and Series 60 software, Symantec said on its Web site.
This software is used to power millions of Nokia phones, such as the popular 6600 model.
Nokia was not immediately available to comment.
The worm is not regarded as dangerous because even if it spreads it carries no code that destroys files or executes other damaging operations, the security software firms said. The virus attempts to jump from phone to phone by using the handset's wireless short-range Bluetooth connection. It scans the environment for other Bluetooth-enabled devices.
Once it has found one, it sends itself disguised as a security file. The file must be accepted by the mobile phone owner and then installed before it can propagate.
Mobile viruses will become more dangerous when they can spread without human intervention, said Matias Impivaara, business manager for mobile security services at Finnish security software firm F-Secure.
"The main (turning) point will be when the virus-writing community knows the software well enough... to find holes," he said.
"The information about the (Symbian) operating system is very close to the hands of the virus writers.... (Cabir) could be a trigger to start developing these ideas earlier."
A spokesman at London-based technology firm Symbian said that, unlike personal computers, it was not possible to penetrate the software of its smartphones without approval.
"But we can never say it's not going to be possible. Smartphones have been designed... as open, programmable networked devices," he said, adding that users should be careful before accepting to install new software. (Additional reporting by Brett Young in Helsinki)
June 16, 2004 at 08:13 AM in Virus
May 28, 2004
THE MISSISSAUGA NEWS: Virus infected computers worldwide
Mounties get their hacker
Computer users urged to update protection
LOUIE ROSELLA
May 28, 2004
A Mississauga teen who allegedly hacked into more than 9,000 computers worldwide and launched a virus that caused many systems to crash now faces charges following an investigation by the Royal Canadian Mounted Police (RCMP).
The 16-year-old boy, who cannot be identified under the Youth Criminal Justice Act, is charged with a number of computer-related offences, including mischief to data, fraudulent use of computer systems and aiding/abetting mischief to data.
The RCMP's technological crime unit in London tracked a variant of the well-known Randex virus, which had weaved into the computers of more than 9,000 unsuspecting internet users since November through such popular file-sharing programs as Kazaa and Limewire, which are often used to download music and movie files. Once inside an online computer, the virus received commands sent from the original hacker over a chat room.
"The affected computers automatically responded to malicious commands issued on particular channels of certain internet relay chat networks," said RCMP Sgt. George Wiegers yesterday.
The virus installed a "Trojan" program, according to police, allowing unauthorized access to, and use of the victim computers. The hacker could then make use of the victim computers in multiple ways, including sending out large amounts of junk e-mail, or cause the computer to crash at any given time, police said.
Wiegers wouldn't get into the specifics of the case, but said people and businesses did suffer from the crippling virus.
"The target could be a computer or network critical to one company that needs the computer up and running," he said. "The company may suffer financially and may suffer in numerous ways."
The RCMP are advising home internet users to be aware of the risks posed by such viruses.
"People who are connected to the internet need to take proactive steps to protect their system," Wiegers said.
"Try to look at the computer system you have now and ask 'Is this computer system secure?'" While there are no certainties in the ever-growing world of internet crime, Wiegers advised internet users to update their anti-virus, anti-trojan and firewall software.
Just last summer, a stubborn computer worm known as "Blaster" wiggled its way into thousands of homes and offices in Mississauga.
The infamous worm, designed to shut down infected computers repeatedly, hit households and businesses worldwide, exposing a vulnerability in the Microsoft system.
Also last summer, a variant of the Blaster worm, Welchia, hit Air Canada's computers at Pearson International Airport, creating massive delays and line-ups. Affected users were forced to download special anti-virus software that should be installed regularly anyway, according to police.
"Nothing's going to guarantee you're going to be 100 per cent secure but (you should) take steps to protect your computer," said Wiegers.
"This will significantly reduce the vulnerability of a person's computer from being accessed without permission."
May 28, 2004 at 11:20 PM in Virus
April 10, 2004
OS X flaw may leave Macs open to virus attacks
By David Becker, CNET News.com
Apple on Friday was investigating a security flaw in OS X that may allow people to fool Macs into opening dangerous files such as Trojan horses and viruses.
The flaw was reported by Intego, a French security firm specializing in Apple systems. The company said in a statement that it had encountered a proof-of-concept Trojan horse for OS X disguised as an MP3 music file.
"Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it," according to Intego. "But double-clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then (launches) iTunes to play the music contained in the file, to make users think that it is really an MP3 file."
Proof-of-concept bugs are typically created by security researchers to prove the existence of a software flaw. They exploit the flaw but don't do any damage. The OS X Trojan began circulating last month via a newsgroup posting.
Apple said in a statement that it was looking into the matter. "We are aware of the potential issue identified by Intego and are working proactively to investigate it," the statement said. "While no operating system can be completely secure from all threats, Apple has an excellent track record of identifying and rapidly correcting potential vulnerabilities."
An Intego researcher said that the exploit works by embedding a file with code written for Carbon, the OS X component that allows older programs to be updated to run natively in the new operating system. OS X's Finder application, which associates file types with appropriate applications, doesn't see the Carbon code and launches the malicious file.
A number of such spoofing exploits have surfaced for Microsoft's Windows operating systems, but Macs have been relatively safe from such exploits and other types of attacks. Apple released a security update for the latest version of OS X earlier this week.
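The Intego report above is a case of a file's icon and extension disagreeing with its contents: the Finder showed an MP3 icon for something that was really executable code. The check a defender wants in that situation does not trust the name at all and reads the leading bytes instead. The following is an added example, not code from Intego, Apple or the article: it classifies a file by magic bytes and reports when that classification disagrees with the extension. The Mach-O, MPEG-audio and ZIP magic values are the standard ones; the sample byte strings are constructed. It assumes a flat Mach-O file for the executable case, which is a simplification (the 2004 Trojan used Carbon code, and a real check of a bundle or a resource fork needs more than the first four bytes).

```python
"""Compare a file's extension with what its leading bytes say it is, so an
executable named "song.mp3" is reported rather than trusted on its icon.
Added example; sample bytes below are constructed."""
import struct

# Mach-O header magics (32/64-bit, both byte orders) and the fat-binary magic.
# 0xCAFEBABE is also the Java class-file magic, so it is only a coarse signal.
MACHO_MAGICS = {0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE, 0xCAFEBABE}


def sniff(data: bytes) -> str:
    """Classify data by magic bytes: 'mach-o', 'mp3', 'zip', 'pe' or 'unknown'."""
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] in MACHO_MAGICS:
        return "mach-o"
    if data.startswith(b"ID3"):                      # ID3v2 tag ahead of audio frames
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                                 # raw MPEG audio frame sync (11 bits set)
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


# Extensions for which we have an expectation about the content type.
EXPECTED = {"mp3": "mp3", "zip": "zip", "exe": "pe"}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one format and the bytes show another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXPECTED:
        return False          # nothing to compare against; not a verdict of "safe"
    return sniff(data) != EXPECTED[ext]


def scan(files: dict) -> list[str]:
    """Return the names in {filename: bytes} whose contents contradict their extension."""
    return [name for name, data in files.items() if extension_mismatch(name, data)]


# Constructed samples: a real-looking MP3 header and a 64-bit Mach-O header.
MP3_BYTES = b"ID3\x04\x00\x00" + b"\x00" * 26
MACHO_BYTES = struct.pack(">I", 0xFEEDFACF) + b"\x00" * 28
SAMPLES = {
    "track01.mp3": MP3_BYTES,        # extension and content agree
    "song.mp3": MACHO_BYTES,         # executable wearing an .mp3 name
    "archive.zip": b"PK\x03\x04" + b"\x00" * 26,
    "notes.txt": b"plain text",      # no expectation registered for .txt
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} sniffed as {sniff(data):8s} mismatch={extension_mismatch(name, data)}")
    print("flagged:", scan(SAMPLES))
```

Magic-byte sniffing is the same idea the Finder's file-type association failed to apply here: decide what a file is from what it contains, then decide whether to hand it to a media player or treat it as an unexpected executable.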
Christophe Guillemin of ZDNet France contributed to this report
April 10, 2004 at 04:18 PM in Virus
March 02, 2004
Wave of viruses, worms sweep cyberspace: experts
WASHINGTON (AFP) - A wave of new computer worms and viruses has been sweeping cyberspace over the past few days, wreaking havoc on some systems and testing the software defenses of networks, experts said.
California-based Panda Software said the spread of viruses and the variants "has reached epidemic proportions worldwide."
In the wake of the Mydoom outbreak, described as the worst in Internet history, Panda said there are several versions of the Netsky virus and the Bagle worm spreading quickly.
"They are all spreading at an alarming rate and causing an increasing number of incidents around the globe," Panda said. "According to the data collated by PandaLabs, there are now millions of infected e-mails in circulation."
The British firm mi2g called the latest outbreak a "tsunami" of malicious computer code, or malware, saying it is "overwhelming both its victim organizations as well as anti-virus toolkit companies and security professionals across the world."
Most security companies, Internet service providers and systems administrators have been severely overworked since the initial outbreak of Mydoom in late January, mi2g said.
The company said the latest outbreaks appear to mark a shift from adventurous teens to criminals seeking to make money through various schemes, including one called "phishing" to obtain credit card or financial information.
"This is not the activity of hobbyists but organized criminals," mi2g said.
This epidemic "is particularly worrying for companies, as all the viruses propagate aggressively, meaning that they can rapidly collapse corporate networks," Panda said in a statement. "At present some 95 percent of infected computers belong to companies."
Panda said Netsky.D is proving to be the most dangerous of all of them, spreading the fastest.
According to Luis Corrons, head of PandaLabs, "The idea that an epidemic is caused by a single virus clearly needs reconsidering. Virus creators are aware of the effectiveness of launching waves of malicious code and the increased probability of infection, and so we can expect to see more of these tactics in the future."
MX Logic, a security firm based in Denver, Colorado, said the Netsky.D worm "has reached a critical threat level, with one in every 71 e-mails infected by the worm."
"The first two months of this year have been marked by an unrelenting onslaught of mass mailing worms and their variants, including Mydoom, Mydoom.F, Bagle and Netsky.D. We are convinced that the frequency and potency of mass mailing worms and their variants is likely to increase -- making it critical that email users take every precaution to protect their inboxes," said Scott Chasin, chief technology officer, MX Logic.
Netsky.D does not delete files or damage computers, but contaminated computers played a jingle for three hours Tuesday morning.
"The author may be amused by the thought of an office full of infected PCs, all beeping away," said Graham Cluley of the software firm Sophos. "But the Netsky worm causes real harm by clogging up email systems and making unauthorized changes to computer systems."
Over the past few days, virus fighters have battled a number of new releases of the Bagle and Netsky Internet worm families, and on Tuesday afternoon some 10 percent of all e-mails in Europe were contaminated by bugs, statistics showed.
In contrast to most other viruses, Netsky.D does not have an expiration date, and it will therefore remain a menace for some time to come, experts pointed out.
March 2, 2004 at 11:49 PM in Virus
March 01, 2004
New Netsky-D Worm Spreading Through E-Mail
Yahoo! News - New Netsky-D Worm Spreading Through E-Mail
LONDON (Reuters) - A new computer worm dubbed "Netsky-D" was clogging e-mail systems around the world after emerging on Monday, a security expert said.
The worm is particularly difficult to root out because it lands in e-mail boxes using a number of different subject lines such as "re:details" or "re:here is the document."
"It arrives with an attached pif file (program information file) and it's already extremely widespread," said Graham Cluley, senior technology consultant at Sophos Plc.
He said experts do not think the new virus is as big as MyDoom, which brought havoc to computer users and targeted Microsoft's Web Site, but that the full extent of Netsky-D's spread would be known as North America logs on.
When opened, the virus pif file will rapidly replicate itself, slowing down computers and e-mail bandwidth.
"We suspect people are more laid back about pif files because they may not have heard of them and may not realize they can contain dangerous code," Cluley said. "The best thing to do with this file is to delete it, don't open it."
Netsky-B, an earlier variant of the latest worm, was rated the third worst computer virus in February after MyDoom-A and Sober-C, according to Sophos, which writes anti-virus and anti-spam software.
March 1, 2004 at 11:55 AM in Virus
February 19, 2004
Bagle.B Internet worm third most virulent in history: experts
Yahoo! News - Bagle.B Internet worm third most virulent in history: experts
Wed Feb 18, 7:20 AM ET (Technology - AFP)
HELSINKI (AFP) - The Bagle.B Internet worm continued to propagate itself throughout the world, with experts ranking the virus as the third most dangerous computer bug after the notorious Sobig.F and Mydoom.A.
"This is a very serious worm, it's spread itself quite rapidly, but it will probably not reach the same catastrophic proportions as Mydoom.A and Sobig.F," Snorre Fagerland, with Norwegian Internet security company Norman, told AFP.
"On the scale of the most dangerous viruses, it gets a third place," he added.
The Mydoom.A Internet worm, discovered last month, is the most virulent computer virus so far, reaching a peak infection rate of one in 12 e-mails.
The Sobig.F virus, which struck in August of 2003, had a peak infection rate of one in 17 e-mails and generated over 300 million contaminated messages during the first week alone.
According to US-based e-mail security firm MessageLabs, Bagle.B had by early Wednesday been found in 66 countries, and had reached an infection rate of one in every 16 e-mails worldwide, but experts expected that the outbreak would fizzle out soon, well before the bug's programmed expiration date of February 25.
"It's still spreading fairly rapidly. It's a big case. But the technical features of the virus are not that special," Mikael Albrecht, of the Finnish Internet security company F-Secure, told AFP.
"As soon as most people have updated their anti-virus protection, it will die out," Albrecht said.
Bagle.B first appeared in Poland and Germany on Tuesday afternoon, and propagated itself throughout Europe and the Americas overnight. Asia, however, appeared to have largely escaped the outbreak, experts said.
Most affected were the United States, where 16 percent of the infected e-mails were found, closely followed by the UK with 13 percent and Germany with 10 percent, MessageLabs said.
The bug installs a backdoor function on infected computers, enabling its creator and hackers to access the machines for malicious purposes, such as stealing confidential information like passwords stored on them, analysts said.
In addition, Bagle.B makes infected computers access four web pages on the Internet, possibly to download software or to count the number of contaminated machines, Albrecht said.
The first variant of the Bagle bug was found on January 18, and both bugs are believed to be linked to spammers -- senders of unsolicited bulk e-mail advertisements -- as they retrieve e-mail addresses from the infected computers.
Bagle.B also seemed to be related to the earlier Mitglied worm family, Norman's Fagerland said.
February 19, 2004 at 12:44 AM in Virus
February 18, 2004
New Netsky.B Worm Spreading on Internet
Yahoo! News - New Netsky.B Worm Spreading on Internet
Wed Feb 18, 2:44 PM ET (Technology - Reuters Internet Report)
SEATTLE (Reuters) - A new worm called "Netsky.B" emerged on the Internet on Wednesday, spreading by mimicking familiar e-mail addresses and enticing users to open file attachments containing malicious software, security experts said.
Most computer security companies rated the worm a medium-grade threat, describing it as more of an annoyance than a malicious virus that destroys files or makes computers vulnerable to attacks.
"It's a very low infection rate virus," said David Perry, global education director at Trend Micro Inc. (NasdaqNM:TMIC) (4704.T), adding that newer, more infectious versions could be in the pipeline.
The worm, once activated, forwards itself to e-mail addresses found on an infected computer's hard drive.
Netsky.B usually arrives in e-mail boxes appearing as e-mail from a familiar person, with an attachment that appears to be a Microsoft Word document and the words "read it immediately" or "something for you," making it tricky to identify.
Anti-virus software and services provider Network Associates Inc. (NYSE:NET) said the worm's activity appeared to be concentrated in Europe, particularly the Netherlands.
Both businesses and consumers were being hit by the fast-spreading worm.
February 18, 2004 at 11:38 PM in Virus
February 15, 2004
The stealth worm era
TheStar.com - The stealth worm era
With the pace of virus development accelerating, experts fear even nastier criminal attacks in future
CLIVE THOMPSON
SPECIAL TO THE TORONTO STAR
Many people might wonder why virus writers aren't simply rounded up and arrested for producing their creations. But in most countries, writing viruses is not illegal.
Indeed, in the United States some legal scholars argue that it is protected as free speech. Software is a type of language, and writing a program is akin to writing a recipe for beef stew. It is merely a bunch of instructions for the computer to follow, in the same way that a recipe is a set of instructions for a cook to follow.

Virus writers like Kefi - a.k.a. Stephen Mathieson, a 16-year-old from Detroit - complain about "the kids" who download what he considers legitimate experimental code and release it to the world.
A virus or worm becomes illegal only when it is activated — when someone sends it to a victim and starts it spreading in the wild, and it does measurable damage to computer systems. The top malware authors are acutely aware of this distinction.
Most every virus-writer Web site includes a disclaimer stating that it exists purely for educational purposes, and that if a visitor downloads a virus to spread, the responsibility is entirely the visitor's.
Benny's main virus-writing computer at home has no Internet connection at all; he has walled it off like an airlocked biological-weapons lab, so that nothing can escape, even by accident.
Virus writers argue that they shouldn't be held accountable for other people's actions. They are merely pursuing an interest in writing self-replicating computer code.
"I'm not responsible for people who do silly things and distribute them among their friends,'' Benny said defiantly. "I'm not responsible for those. What I like to do is programming, and I like to show it to people — who may then do something with it.''
A young woman who goes by the handle Gigabyte told me in an online chat room that if the authorities wanted to arrest her and other virus writers, then "they should arrest the creators of guns as well.''
One of the youngest virus writers I visited was Stephen Mathieson, a 16-year-old in Detroit whose screen name is Kefi. He also belongs to Philet0ast3r's Ready Rangers Liberation Front. A year ago, Mathieson became annoyed when he found members of another virus-writers group called Catfish_VX plagiarizing his code. So he wrote Evion, a worm specifically designed to taunt the Catfish guys. He put it up on his Web site for everyone to see. Like most of Mathieson's work, the worm had no destructive intent. It merely popped up a few cocky messages, including: "Catfish_VX are lamers. This virus was constructed for them to steal."
Someone did in fact steal it, because pretty soon Mathieson heard reports of it being spotted in the wild. To this day, he does not know who circulated Evion. But he suspects it was probably a random troublemaker, a script kiddie who swiped it from his site. "The kids,'' he said, shaking his head, "just cut and paste.''
Quite aside from the strangeness of listening to a 16-year-old complain about "the kids,'' Mathieson's rhetoric glosses over a charged ethical and legal debate. It is tempting to wonder if the leading malware authors are lying — whether they do in fact circulate their worms on the sly, obsessed with a desire to see whether they will really work.
While security officials say that may occasionally happen, they also say the top virus writers are quite likely telling the truth.
"If you're writing important virus code, you're probably well trained,'' says David Perry, global director of education for Trend Micro, an antivirus firm. "You know a number of tricks to write good code, but you don't want to go to prison. You have an income and stuff. It takes someone unaware of the consequences to release a virus.''
But worm authors are hardly absolved of blame. By putting their code freely on the Web, virus writers essentially dangle temptation in front of every disgruntled teenager who goes online looking for a way to rebel. A cynic might say that malware authors rely on clueless script kiddies the same way that a drug dealer uses 13-year-olds to carry illegal goods — passing the liability off to a hapless mule.
"You've got several levels here,'' says Marc Rogers, a former police officer who now researches computer forensics at Purdue University. "You've got the guys who write it, and they know they shouldn't release it because it's illegal. So they put it out there knowing that some script kiddie who wants to feel like a big shot in the virus underground will put it out.
"They know these neophytes will jump on it. So they're grinning ear to ear, because their baby, their creation, is out there. But they didn't officially release it, so they don't get in trouble.''
Rogers says he thinks that the original authors are just as blameworthy as the spreaders.
Symantec's Sarah Gordon also says the authors are ethically naive.
"If you're going to say it's an artistic statement, there are more responsible ways to be artistic than to create code that costs people millions,'' she says.
Critics like Reitinger, the Microsoft security chief, are even harsher. "To me, it's online arson,'' he says. "Launching a virus is no different from burning down a building. There are people who would never toss a Molotov cocktail into a warehouse, but they wouldn't think for a second about launching a virus.''
What makes this issue particularly fuzzy is the nature of computer code. It skews the traditional intellectual question about studying dangerous topics. Academics who research nuclear-fission techniques, for example, worry that their research could help a terrorist make a weapon. Many publish their findings anyway, believing that the mere knowledge of how fission works won't help Al-Qaeda get access to uranium or rocket parts.
But computer code is a different type of knowledge. The code for a virus is itself the weapon. You could read it in the same way you read a book, to help educate yourself about malware. Or you could set it running, turning it instantly into an active agent.
Computer code blurs the line between speech and action. "It's like taking a gun and sticking bullets in it and sitting it on the counter and saying, `Hey, free gun'!'' Rogers says.
Some U.S. academics have pondered whether virus authors could be charged under conspiracy laws. Creating a virus, they theorize, might be considered a form of abetting a crime by providing materials.
Ken Dunham, the head of "malicious code intelligence'' for iDefense, a computer security company, notes that there are certainly many examples of virus authors assisting newcomers. He has been in chat rooms, he says, "where I can see people saying, `How can I find vulnerable hosts?' And another guy says, `Oh, go here, you can use this tool.' They're helping each other out.''
There are virus writers who appreciate these complexities. But they are certain that the viruses they write count as protected speech. They insist they have a right to explore their interests. Indeed, a number of them say they are making the world a better place, because they openly expose the weaknesses of computer systems.
When Philet0ast3r or Mario or Mathieson finishes a new virus, they say, they will immediately e-mail a copy of it to antivirus companies. That way, they explained, the companies can program their software to recognize and delete the virus should some script kiddie ever release it into the wild. This is further proof that they mean no harm with their hobby, as Mathieson pointed out. On the contrary, he said, their virus-writing strengthens the "immune system'' of the Internet.
These moral nuances fall apart in the case of virus authors who are themselves willing to release worms into the wild. They're more rare, for obvious reasons. Usually they are overseas, in countries where the police are less concerned with software crimes.
One such author is Melhacker, a young man who reportedly lives in Malaysia and has expressed sympathy for Osama bin Laden. Antivirus companies have linked him to the development of several worms, including one that claims to come from the "Qaeda network.'' Before the Iraq war, he told a computer magazine he would release a virulent worm if the U.S. attacked Iraq — a threat that proved hollow.
February 15, 2004 at 11:36 AM in Virus
February 14, 2004
Work of idle hands
TheStar.com - Work of idle hands
Intelligent but alienated young men are creating forces they cannot control
2003 was `the Year of the Worm' and the pace
CLIVE THOMPSON
SPECIAL TO THE STAR
This is how easy it has become.
Mario stubs out his cigarette and sits down at the desk in his bedroom. He pops into his laptop the CD of Iron Maiden's "Number of the Beast," his latest favourite album. "I really like it," he says. "My girlfriend bought it for me." He gestures to the 15-year-old girl with straight dark hair lounging on his neatly made bed. Mario, 16, is a secondary-school student in a small town in the foothills of southern Austria. (He didn't want me to use his last name.) His shiny shoulder-length hair covers half his face and his sleepy green eyes, making him look like a very young, languid Mick Jagger.

Philet0ast3r, a 21-year-old German, is one of the world's most skilled Internet virus writers, but his viruses are often surprisingly mild things carrying goofy payloads.
When Mario is bored — and out here in the countryside, surrounded by soaring mountains and little else, he's bored a lot — he likes to sit at his laptop and create computer viruses and worms. Online, he goes by the name Second Part to Hell, and he has written more than 150 examples of what computer experts call "malware": tiny programs that exist solely to self-replicate, infecting computers hooked up to the Internet. Sometimes these programs cause damage, and sometimes they don't. Mario says he prefers to create viruses that don't intentionally wreck data. "Anyone can rewrite a hard drive with one or two lines of code," he says. "It makes no sense. It's really lame." Besides which, it's mean, he says, and he likes to be friendly.
But still — just to see if he could do it — a year ago he created a dangerous tool: a program that autogenerates viruses. It's called a Batch Trojan Generator, and anyone can download it freely from Mario's Web site. With a few simple mouse clicks, you can use the tool to create your own malicious "Trojan horse." Like its ancient namesake, a Trojan virus arrives in someone's e-mail looking like a gift, a JPEG picture or a video, for example, but actually bearing dangerous cargo.
Mario starts up the tool to show me how it works. A little box appears on his laptop screen, politely asking me to name my Trojan. I call it the "Clive" virus. Then it asks me what I'd like the virus to do. Shall the Trojan Horse format drive C:? Yes, I click. Shall the Trojan Horse overwrite every file? Yes. It asks me if I'd like to have the virus activate the next time the computer is restarted, and I say yes again. Then it's done. The generator spits out the virus on to Mario's hard drive, a tiny 3k file. It also displays a warning that spreading your creation is illegal.
The generator, he says, is just for educational purposes, a way to help curious programmers learn how Trojans work.
But of course I could ignore that advice. I could give this virus an enticing name, like "britney_spears_wedding_clip.mpeg," to fool people into thinking it's a video. If I were to e-mail it to a victim, and if he clicked on it — and didn't have up-to-date antivirus software — then disaster would strike his computer. The virus would activate. It would reach into the victim's Microsoft Windows operating system and insert commands telling the computer to erase its own hard drive. The next time the victim started up his computer, it would find those new commands and guilelessly follow them. Poof: everything on his hard drive would vanish — e-mail, pictures, documents, games.
I'd never contemplated writing a virus before. Even if I had, I wouldn't have known how to do it. But thanks to a teenager in Austria, it took me less than a minute to master the art.
Mario drags the virus over to the trash bin on his computer's desktop and discards it. "I don't think we should touch that," he says hastily.
Computer experts called 2003 "the Year of the Worm." For 12 months, digital infections swarmed across the Internet with the intensity of a biblical plague. It began in January, when the Slammer worm infected nearly 75,000 servers in 10 minutes, clogging Bank of America's ATM network and causing sporadic flight delays. In the summer, the Blaster worm struck, spreading by exploiting a flaw in Windows; it carried taunting messages directed at Bill Gates, infected hundreds of thousands of computers and tried to use them to bombard a Microsoft Web site with data. Then in August, a worm called Sobig.F exploded with even more force, spreading via e-mail that it generated by stealing addresses from victims' computers. It propagated so rapidly that at one point, one out of every 17 e-mail messages travelling through the Internet was a copy of Sobig.F. The computer-security firm mi2g estimated that the worldwide cost of these attacks in 2003, including clean-up and lost productivity, was at least $82 billion (U.S.).
The pace of contagion seems to be escalating. When the Mydoom.A e-mail virus struck in late January, it spread even faster than Sobig.F; at its peak, experts estimated, one out of every five e-mail messages was a copy of Mydoom.A. It also carried a nasty payload: it reprogrammed victim computers to attack the Web site of SCO, a software firm vilified by geeks in the "open source" software community.
You might assume that the blame — and the legal repercussions — for the destruction would land directly at the feet of people like Mario. But as the police around the globe have cracked down on cybercrime in the past few years, virus writers have become more cautious, or at least more crafty. These days, many elite writers do not spread their works at all. Instead, they "publish" them, posting their code on Web sites, often with detailed descriptions of how the program works. Essentially, they leave their viruses lying around for anyone to use.
Invariably, someone does. The people who release the viruses are often anonymous mischief-makers, or "script kiddies." That's a derisive term for aspiring young hackers, usually teenagers or curious college students, who don't yet have the skill to program computers but like to pretend they do. They download the viruses, claim to have written them themselves and then set them free in an attempt to assume the role of a fearsome digital menace.
Our modern virus epidemic is thus born of a symbiotic relationship between the people smart enough to write a virus and the people dumb enough — or malicious enough — to spread it. Without these two groups of people, many viruses would never see the light of day. Script kiddies, for example, were responsible for some of the damage the Blaster worm caused. The original version of Blaster, which struck on Aug. 11, was clearly written by a skilled programmer (who is still unknown and at large). Three days later, a second version of Blaster circulated online, infecting an estimated 7,000 computers. This time the FBI tracked the release to Jeffrey Lee Parson, an 18-year-old in Minnesota who had found, slightly altered and re-released the Blaster code, prosecutors claim. Parson did nothing to hide his identity and even included a reference to his personal Web site in the code. He was arrested and charged with intentionally causing damage to computers; when his trial begins, probably this spring, he faces up to 10 years in jail. A few weeks later, a similar scene unfolded: another variant of Blaster was found in the wild. This time it was traced to a college student in Romania who also had left obvious clues to his identity in the code.
This development worries security experts, because it means that virus-writing is no longer exclusively a high-skill profession. By so freely sharing their work, the elite virus writers have made it easy for almost anyone to wreak havoc online. When the damage occurs, as it inevitably does, the original authors just shrug. We may have created the monster, they'll say, but we didn't set it loose. This dodge infuriates security professionals and the police, who say it is legally precise but morally corrupt.
"When they publish a virus online, they know someone's going to release it," says Eugene Spafford, a computer-science professor and security expert at Purdue University. Like a collection of young Dr. Frankensteins, the virus writers are increasingly creating forces they cannot control — and for which they explicitly refuse to take responsibility.
"Where's the beer?" Philet0ast3r wondered.
An hour earlier, he had dispatched three friends to pick up another case, but they were nowhere in sight. He looked out over the controlled chaos of his tiny one-bedroom apartment in small-town Bavaria. (Most of the virus writers I visited live in Europe; there have been very few active in the United States since 9/11, because of fears of prosecution.) Philet0ast3r's party was crammed with 20 friends who were blasting the punk band Deftones, playing cards, smoking furiously and arguing about politics. Three girls sat on the floor, rolling another girl's hair into thick dreadlocks, the hairstyle of choice among the crowd. Philet0ast3r himself — a 21-year-old with a small silver hoop piercing his lower lip — wears his brown hair in thick dreads. (Philet0ast3r is an online handle; he didn't want me to use his name.)
Philet0ast3r's friends finally arrived with a fresh case of ale, and his blue eyes lit up. A tall blond friend in a jacket festooned with anti-Nike logos put his arm around Philet0ast3r and beamed.
"This guy," he proclaimed, "is the best at Visual Basic."
In the virus underground, that's love. Visual Basic is a computer language popular among malware authors for its simplicity; Philet0ast3r has used it to create several of the two dozen viruses he's written. From this tiny tourist town, he works as an assistant in a home for the mentally disabled and in his spare time runs an international virus-writers' group called the "Ready Rangers Liberation Front." He founded the group three years ago with a few bored high-school friends in his even tinier hometown nearby. I met him, like everyone profiled in this article, online, first e-mailing him, then chatting in an Internet Relay Chat channel where virus writers meet and trade tips and war stories.
February 14, 2004 at 10:03 AM in Virus
February 08, 2004
Virus infects 10 per cent of e-mail
TheStar.com - Virus infects 10 per cent of e-mail
Causes damage estimated at more than $1 billion U.S.
TYLER HAMILTON
TECHNOLOGY REPORTER
Don't blame Microsoft — not this time.
The latest Internet worm to infect personal computers and clog up corporate networks has nothing to do with a software glitch or a hole associated with Microsoft Corp. products. The problem, experts say, has everything to do with our curious human nature.
"It's not a Microsoft vulnerability, it's a human vulnerability," said Al Huger, director of engineering for the security response team at Symantec Corp., a maker of anti-virus software.
Huger said the "Mydoom" or "Novarg" worm is a classic mass-mailer virus, meaning it is designed to trick people into opening up seemingly benign e-mail attachments that are actually malicious programs. When the attachments are opened, Mydoom spreads to the contact list of an e-mail program's address book.
Once inside a computer, it e-mails itself to anybody in a person's address book but also opens a back door on the computer to a hacker, spammer or anybody else wanting to gain remote control of the machine at a later date.
"The back door allows anybody to connect to infected machines and do anything they want to it," said Huger.
Jack Sebbag, Canadian general manager of anti-virus software firm Network Associates Inc., said one out of every 10 e-mail messages sent across North America yesterday afternoon was the result of the Mydoom worm.
This slowed down the Internet considerably. According to some reports, top Web sites on the Internet were taking twice as long to download.
It's the most virulent Internet virus to hit the continent since August, when a double whammy from the Blaster and SoBig bugs played havoc with home computers and gummed up corporate networks, even grounding some Air Canada operations.
At its worst, one in every 17 e-mails contained the SoBig virus, meaning Mydoom is the most aggressively spreading mass-mailing virus on record.
Sebbag said spread of the worm seemed to be slowing yesterday, though he added that a number of Canadian industries had been affected, including manufacturing, financial services and government.
Canada's telephone watchdog, the Canadian Radio-television and Telecommunications Commission, warned on its Web site that it was blocking all e-mail messages with ".zip" attachments for the next few days because of what it described as a "worldwide virus outbreak."
Mikko Hypponen, manager of anti-virus research at F-Secure Corp. in Finland, estimated that 200,000 to 300,000 computers were hit worldwide, while U.K.-based computer security firm mi2g estimated that worldwide damage and lost productivity likely surpassed $1 billion (U.S.) in costs by end of day yesterday.
E-mails with the Mydoom worm will contain a number of messages that appear to be an error response from an e-mail server. One message states, "The message contains Unicode characters and has been sent as a binary attachment" and comes with the subject line "Mail Delivery System" or "Mail Transaction Failed."
The worm also makes it seem like you sent somebody else an e-mail message that was rejected, when in fact you sent nothing.
Mydoom targets users of Windows operating systems who are using the Microsoft Outlook e-mail program or any Web-based e-mail service, or the file-sharing program Kazaa.
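A gateway-side triage rule built from the lure characteristics this article reports for Mydoom (the fake bounce subjects and body line, .zip attachments) and the March 1 post reports for Netsky-D (reply-style subjects, .pif attachments). This is an added example, not code from the articles or from any anti-virus vendor; the scores, the quarantine threshold, the extra .exe/.scr extensions and the sample messages are assumptions constructed for illustration.

```python
"""Gateway triage rule for the mass-mailer lures these articles describe.

Added example, not code from the articles or from any anti-virus vendor.
The indicators are taken from the text: Mydoom's fake bounce subjects and
body line, Netsky-D's reply-style subjects, and the .pif / .zip attachments
the articles mention. The scores, threshold, extra extensions and sample
messages are assumptions constructed for illustration.
"""
import email
import email.policy
from email.message import EmailMessage

# Subject lines quoted in the articles, compared case-insensitively.
LURE_SUBJECTS = {
    "mail delivery system",        # Mydoom fake bounce
    "mail transaction failed",     # Mydoom fake bounce
    "re:details",                  # Netsky-D
    "re:here is the document",     # Netsky-D
}
# Body line the Mydoom article quotes from its fake bounce notice.
FAKE_BOUNCE_MARKER = "has been sent as a binary attachment"
# .pif (Netsky-D) and .zip (Mydoom; blocked outright by the CRTC) come from
# the page; .exe and .scr are added here as an assumption.
RISKY_EXTENSIONS = (".pif", ".zip", ".exe", ".scr")
QUARANTINE_AT = 3  # assumed threshold


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return a verdict with reasons."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().lower() if text_part is not None else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]

    score, reasons = 0, []
    if subject in LURE_SUBJECTS:
        score += 2
        reasons.append(f"subject matches a known lure: {subject!r}")
    if FAKE_BOUNCE_MARKER in body and msg.get_content_type() != "multipart/report":
        # A genuine delivery-status notification is multipart/report (RFC 3462);
        # bounce wording inside an ordinary multipart/mixed message is a forgery.
        score += 2
        reasons.append("bounce wording without a multipart/report structure")
    if risky:
        score += 2
        reasons.append(f"executable-like attachment(s): {risky}")

    if score >= QUARANTINE_AT:
        verdict = "quarantine"
    elif score > 0:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "score": score, "reasons": reasons}


def build_sample(subject: str, body: str, attachment=None) -> bytes:
    """Construct a test message (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, payload = attachment
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


# Constructed samples modelled on the lures the articles describe.
SAMPLES = {
    "mydoom_style": build_sample(
        "Mail Transaction Failed",
        "The message contains Unicode characters and has been sent "
        "as a binary attachment.",
        ("message.zip", b"PK\x03\x04 constructed placeholder"),
    ),
    "netsky_style": build_sample(
        "re:details",
        "see the attached file for details",
        ("details.pif", b"MZ constructed placeholder"),
    ),
    "zip_only": build_sample(
        "Q4 figures", "Attached as discussed.", ("figures.zip", b"PK\x03\x04")
    ),
    "benign": build_sample("Lunch?", "Noon at the usual place?"),
}


def run_samples() -> dict:
    """Verdict per constructed sample; handy for a quick self-check."""
    return {name: triage(raw)["verdict"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

A lone .zip attachment only gets flagged here, which is deliberately narrower than the CRTC's blanket block on ".zip" mentioned above; the bounce check is the part that catches Mydoom's social-engineering trick rather than its file type.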
With files from ASSOCIATED PRESS
February 8, 2004 at 12:38 AM in Virus
February 04, 2004
SCO Changes Its Web Site After Attack
By REUTERS
Published: February 3, 2004
The SCO Group started a new Web site yesterday, a day after the potent MyDoom computer worm knocked SCO off the Internet.
The surprising severity of the MyDoom attack has sent a shiver through the Internet security community. In gathering an army of zombie PC's - many of which are unsuspecting home computer users - to silence an online target, MyDoom represents a new level of Internet warfare, security officials said.
"With such a program you could really take out any major Web site on the Internet," said Raimund Genes, European president of the security software firm Trend Micro. SCO has drawn the ire of supporters of the Linux computer operating system, which is a rival to both SCO's Unix and Microsoft's Windows. Linux was developed by volunteer programmers and can be downloaded free.
Linux advocates object to an effort by SCO to collect license fees for the freely available software, leading some security experts to assume that MyDoom is the work of a protester.
Microsoft, another target of Linux advocates, is next in line to be hit by the worm. A variant, known as MyDoom.B, is programmed to unleash a similar digital barrage today on both SCO and Microsoft's site.
Security experts are more confident Microsoft.com will withstand the attack, as it's considered one of the most stable sites on the Internet. Also, MyDoom.B has infected far fewer machines than the original MyDoom.A outbreak.
Still, the two companies have dangled separate $250,000 bounties on the virus writers and are working with law enforcement authorities to flush out the culprit.
Yesterday, SCO said it had started www.thescogroup.com as a temporary Web site until the digital barrage ceases on www.sco.com.
"We expect hundreds of thousands of attacks on www.sco.com because of these viruses. Starting on Feb. 1 and running through Feb. 12, SCO has developed layers of contingency plans to communicate with customers, resellers, developers, partners and shareholders," the company said in a statement.
February 4, 2004 at 01:06 AM in Virus
Grand federal plans for cybersecurity falter
Grand federal plans for cybersecurity falter | csmonitor.com
from the September 19, 2002 edition
Task force on computer terrorism drops stiff rules, asks individuals to guard their own corners of cyberspace.
By Mark Sappenfield | Staff writer of The Christian Science Monitor
SAN FRANCISCO – Nearly one year ago, Richard Clarke stood before a gathering of Silicon Valley business leaders and told them that unless the lessons of Sept. 11 were heeded, the terror of that day would someday be repeated on the Internet.
In his first public address as President Bush's adviser on cybersecurity, Mr. Clarke issued a stark warning: "We still have a system ... that is vulnerable to sophisticated attacks," he said. "If done at a time of national security crisis, [they] could lead to catastrophic damage to our national defense."
Wednesday, Clarke returned to the Bay Area to announce the administration's response to this challenge, but the mood was dramatically different. Gone was the Jeremiad of last November, and in its place was a plan that one industry analyst derided as "worthless."
As airports ask Congress to delay a Dec. 31 deadline for screening all checked luggage and the TIPS program for citizen surveillance is trimmed, the cyberplan is a parable of how grand visions of greater security can be scaled back by practical limitations and Beltway politics.
With the tech economy already broken, Internet providers balked at added burdens, critics say, and a Republican administration frowned on creating a new tangle of laws.
The result is a series of well-worn guidelines that, in essence, simply ask users to pay more attention. Any sterner attempt to impel more accountability industry-wide, say analysts, has vanished.
"The government is telling every individual that it's up to them to protect their portion of cyberspace," says Russ Cooper of TruSecure, a data security company in Herndon, Va.
Among its nearly 60 suggestions, for example, the National Strategy to Secure Cyberspace says people should devise tougher passwords. It asks users to get antivirus software. It implores businesses to share information about hackers. It encourages government officials to do less of their work on wireless networks, which are less secure.
The hope is that the plan will provide the framework for businesses and tech companies to increase security on their own. Don't count on it, says Bruce Schneier.
"If you're the government, and you want people to do something, you pass a law," says Mr. Schneier of Counterpane, an Internet security company in Cupertino, Calif. "When push comes to shove, [a CEO] is not going to do something that puts [the company] at a competitive disadvantage," because it costs money.
"Cajoling only does so much," he says.
Yet cajoling is what Clarke is left with. The plan presented Wednesday is not even the final draft. Technology companies can lobby to reshape it for another 60 days.
According to sources, the plan has been reshaped a lot already. The Associated Press reports that an earlier draft asked Internet providers to give customers security software. Mr. Cooper adds that the government abandoned an outright ban on using wireless networks after wireless companies complained that it made them look bad.
The administration denies that corporations have had any influence in fashioning the plan, but critics say it has gradually become more friendly to businesses than consumers.
"As time passes, the guidelines get weaker and weaker," says Cooper.
Still, some look at the Internet infrastructure and say it is in businesses' best interests to invest.
They say hackers – be they enemy nations or terrorists – could cause chaos. Power grids could be shut down. Internet trading on the stock markets could be spiked. Entire sections of the e-economy could be upended.
"An attack would not be difficult to launch," says Sushil Jajodia, director of the Center for Secure Information Systems at George Mason University in Fairfax, Va. "Because the country is so connected to the Internet, we now are vulnerable."
Other analysts, though, say the risk of cyberterror is overstated.
Compared with the devastation physical attacks can cause, cyberattacks would merely be temporary inconveniences, they say.
"I don't see Al Qaeda sitting in their caves talking about how to crash our pager network," says Cooper.
Instead, these critics would rather the government focus on what they see as the real threat – economic damage caused by hackers out for an Internet joy ride.
Computer security cannot be accomplished through a user's antivirus package, they say. It's done by making Internet service providers and software companies – either through laws or public pressure – take more responsibility.
The Code Red worm, which wriggled its way across the Internet through holes in Microsoft software, cost companies more than $2 billion last year. Service providers could have shut down the link that fueled the virus, some say, and Microsoft – while taking steps to patch gaps in its software – could do more, as well.
"Any recommendation where the home user is expected to do much isn't going to work," because they can't track all the updates, says Richard Smith, an Internet security consultant in Cambridge, Mass. "It's a lot easier to get Microsoft to do something."
February 4, 2004 at 12:57 AM in Virus
Microsoft Deflects Mydoom Attack (Yahoo! News)
Tue Feb 3, 9:00 AM ET
Laura Rohde, IDG News Service
Microsoft says it has yet to be affected by a Mydoom-B worm-induced distributed denial of service attack, which antivirus software companies predicted would be fairly easy for the software company to fend off.
Unlike The SCO Group's site, which has been assailed by a denial of service attack from the Mydoom-A worm since Sunday and continues to fight off attacks from both the A and B variants of the Mydoom worm, Microsoft's site is holding up: "everything on the Microsoft site seems to be working fine," a Microsoft spokesperson says.
The Mydoom-B worm is similar to the Mydoom-A worm, but contains an added DOS attack against Microsoft's Web site and a feature that blocks access to antivirus Web sites on infected machines.
According to the code in the worm, the DOS attacks against SCO, a Unix vendor based in Lindon, Utah, are scheduled to continue through February 12.
Well Prepared
Microsoft has classified the second variant of the worm as a moderate threat and says it has been well prepared for the DDOS attack, which it expected to begin on Sunday, the spokesperson says.
"Although Microsoft is unable to discuss the specific remedies it is taking to prevent the reported DDOS attack, we are doing everything we can to ensure that Microsoft properties remain fully available to our customers," the Redmond, Washington, company says on its Web site. "Microsoft is aggressively working with our Virus Information Alliance partners to help protect customers from this outbreak."
The Mydoom-B worm is generally considered by leading antivirus software companies and e-mail security firms to be less effective than Mydoom-A at propagating itself and causing widespread damage to computer systems. London-based Sophos on Tuesday says it has received very few reports of actual Mydoom-B infected computers.
Only an Afterthought?
The small number of reports of Mydoom-B suggests that the attack on Microsoft will fail, according to Graham Cluley, senior technology consultant at Sophos.
"There was only about a day's separation between Mydoom-A and Mydoom-B, so it's my guess that the real target of the virus writer was SCO while an attack against Microsoft was something of an afterthought," Cluley says. "When it comes to being able to spread itself, Mydoom-B didn't get as lucky as Mydoom-A, which still poses a significant threat."
Although both SCO and Microsoft are offering rewards of $250,000 each for information leading to the arrest and conviction of the person or persons responsible for creating and releasing both versions of the Mydoom worm, Cluley sees little chance the money will lead to an arrest.
"It is a long shot, to be honest, but bounties or rewards don't do any harm either and may actually discourage virus writers in the future as it shows companies are serious about catching those responsible," Cluley says. "If virus writers know there is a strong cash incentive for someone to grass them up, they may think twice about unleashing a virus."
February 4, 2004 at 12:54 AM in Virus
February 02, 2004
UK companies report slack security awareness
By Matthew Broersma, ZDNet UK
Most staffers in UK organisations don't take IT security seriously, creating a situation that will lead to trouble, according to a National Computing Centre survey.
UK organisations are failing to communicate the business importance of security policies to staff, according to a new survey, with most staff reporting that they regarded security as a technical issue. This situation is likely to lead to security breaches, warned the National Computing Centre (NCC), which published the survey results on Thursday.
The NCC, an independent research organisation with members that include universities, government bodies, small businesses and enterprises, said organisations' IT security culture is not keeping pace with their growing reliance on computing systems, with security breaches leading to financial losses and business disruption.
"IT managers need to convey this message in business terms, by highlighting the financial impact of information security failures," said NCC chief executive Michael Gough, in a statement. "The key issue here is raising the profile of information and IT security so that it is on the business agenda, not just the IT agenda."
About 80 percent of UK organisations have a formal IT security policy, the NCC said. The survey found a direct relationship between the security awareness of top managers and that of the staff generally, suggesting that support from the upper echelons of management is necessary to create a strong IT security culture in the rest of the company.
Particular techniques of maintaining security awareness also appeared to make a difference, the NCC said. Organisations that used an ongoing, varied process to keep staff up to date on IT security issues reported the highest levels of staff awareness.
The group recommended that organisations take tough disciplinary action for Internet abuse, encourage genuine management involvement in IT security issues and include IT security issues in senior management performance appraisals.
February 2, 2004 at 07:40 AM in Virus
February 01, 2004
MyDoom Net Worm Scores Hit, Knocks Out SCO Site (Yahoo! News)
Sun Feb 1, 7:31 AM ET
By Bernhard Warner, European Internet Correspondent
LONDON (Reuters) - The MyDoom Internet worm claimed its first scalp Sunday, paralyzing the Web site of American software firm SCO Group with a massive data blitz.
In a statement issued Sunday morning, the Utah-based company confirmed MyDoom knocked its site, http://www.sco.com, out of commission.
"Internet traffic began building momentum Saturday evening and by midnight Eastern Time the SCO Web site was flooded with requests beyond its capacity," the statement read.
"While we expect this attack to continue throughout the next few weeks, we have a series of contingency plans to deal with this problem and we will begin communicating those plans on Monday morning," Jeff Carlon, worldwide director of Information Technology infrastructure, The SCO Group, said in the statement.
The speed and severity of the attack surprised security officials. "It was spectacularly successful," said Mikko Hypponen, research manager at Finnish anti-virus firm F-Secure.
As intended, Sco.com was the only discernible victim on Sunday. There were no other reports of outages or slowdowns elsewhere online due to the worm.
MyDoom.A, also known as Novarg or Shimgapi, emerged on Monday in the form of a spam e-mail message that contained a well-disguised virus attachment.
It was programmed to take control of unsuspecting computer users' PCs from which it would launch a debilitating denial-of-service attack on SCO Sunday.
SCO has drawn the ire of the so-called "open source" programming community, who object to SCO's claims that it has copyright control over key pieces of the Linux operating system.
The MyDoom attack trigger was set for 1609 GMT Sunday. But with so many computer clocks incorrectly set, the infected machines began firing off data requests at SCO.com hours earlier, Hypponen said. "It will only get worse for SCO as time goes on," he added.
SCO is not alone. Microsoft Corp has been targeted by a second variant of MyDoom, dubbed MyDoom.B. That attack is timed to kick off Tuesday.
The MyDoom.B variant, which is also programmed to attack SCO, has not spread nearly as rapidly as MyDoom.A. MyDoom.A is believed to have infected hundreds of thousands, and possibly over one million, PCs.
Both Microsoft and SCO have issued $250,000 rewards for tips leading to the arrest and conviction of the author or authors, whom some security experts believe can be traced to Russia.
In building an army of zombie PCs over a six-day span, the MyDoom outbreak underscores a new digital security threat for corporations, governments and news operations.
Security officials and law enforcement experts believe such viruses will only become more sophisticated and could be used to silence entities for a commercial or ideological stance.
"This is an effective weapon to censor your critics," Hypponen said.
Security officials have warned computer users to delete suspicious e-mail messages that appear to come from "Mail Administrator" and other official-looking addresses and that contain a file attachment.
A free patch capable of wiping the program from an infected machine is available at many anti-virus sites including http://www.sophos.com/virusinfo/articles/maindoom.html and http://www.f-secure.com/v-descs/novarg.shtml.
February 1, 2004 at 09:46 PM in Virus
Senator Finds Fault in New US Virus Alert System
ComputerWire Staff
A US Senator has described the Department of Homeland Security's newly implemented National Cyber Alert System, which emails advice and warnings about internet security problems, as flawed, with the potential to exacerbate the virus problem.
Senator Charles Schumer said the system, launched by the National Cyber Security Division of the DHS on Wednesday, "would likely lead to more viruses and lacks mandatory reporting requirements."
"If I were a betting man, I'd put a few dollars down that the next virus that clogs computer networks is going to be transmitted through an email that looks like one of these DHS email alerts," Schumer said.
Schumer's alternative proposal calls for a system of "secure hotlines" between the NCSD and ISPs that would be used "to quickly locate and disable remotely hijacked 'bot' computers used in massive virus attacks".
The senator also suggests that funding for Carnegie Mellon University's Computer Emergency Response Team Coordination Center, CERT/CC, be increased from its current level of $25m per year.
February 1, 2004 at 03:36 AM in Virus
Mydoom Internet worm likely from Russia, linked to spam mail: security firm
MOSCOW (AFP) - Russia is 80 percent likely to be the origin of the Mydoom computer worm, which has become the worst ever Internet epidemic, and could be an attempt to distribute spam mail, a top Russian anti-virus firm said.
The Russian security firm Kaspersky Labs said it had traced the first emails infected with Mydoom to addresses with Russian Internet providers.
"We have special software to monitor Internet traffic across the world. This detected that the first emails infected by the worm came from Russian providers," the firm's spokesman Denis Zenkin, told AFP.
"But there is still a 20-percent chance that this was an attempt to mislead. Virus programmers from other countries could have registered an email address in Russia and transmitted their harmful programmes via it," he added.
Microsoft and SCO, the owner of the Unix operating system, have together offered 500,000 dollars (more than 400,000 euros) in rewards for information leading to the arrest and prosecution of Mydoom's creators.
"This worm is a criminal attack," said Brad Smith, senior vice president and general counsel at the Microsoft software giant.
MyDoom.B, detected on Wednesday, is a variant of the earlier released MyDoom.A worm, also known as the Novarg worm, which became the worst epidemic on the Internet. It installs a programme that directs infected computers to launch so-called denial-of-service attacks on Microsoft's main corporate website.
Mydoom spreads through e-mail attachments and downloads from the popular Kazaa file-sharing service, which lets Internet surfers share content such as games, movies and music.
California-based Panda Software said Mydoom.A was still spreading rapidly, even though individual computer users may be seeing fewer infected e-mails.
It said one in every five e-mails is carrying this worm, making four million infected e-mails in circulation and slowing down Internet traffic around the world.
An expert from Kaspersky Labs, Alexander Gostiyev, told a press conference in Moscow that the creators of the virus were not aiming to disrupt Internet traffic but use infected computers to distribute unsolicited junk mail.
The attack "was very well planned and prepared, perhaps for several months and at least 1,000 computers were infected in advance," Gostiyev said.
"The virus could be of use above all to criminal groups seeking to distribute spams," he added.
Another representative of the Internet security firm said that the generation of computer experts in Russia who unleashed viruses in the 1990s merely wanted to create havoc but this was no longer the case.
"The virus creators have moved onto a commercial footing. They are financed by groups which make their money from spam," Alexei Zernov told AFP.
Kaspersky Labs describes itself as one of the world's top 10 anti-virus firms and has offices in nine countries including the United States, Germany, Britain, Japan and France.
According to the security firm, some 600,000 or so computers have been infected by the bug.
Zenkin said the attack appeared to have been organized by a group of "very professional" computer programmers from Russia.
"We have to admit that for the past half a year Russia has been the main source of harmful programmes in the world.
"There are several virus epidemics right now. The Mydoom worm is the worst, but there are others and the two main ones were created in Russia," he said.
February 1, 2004 at 03:32 AM in Virus
January 31, 2004
Experts worry about Mydoom Internet worm after-effects (Yahoo! News)
Fri Jan 30, 12:35 PM ET
WASHINGTON (AFP) - With half-a-million dollars in reward as a lure, computer users and security experts scrambled to curb the spread of the Mydoom computer worm amid concerns of serious after-effects from the world's worst Internet epidemic.
The original Mydoom bug was still propagating worldwide along with a variant called Mydoom.B that some said could be more dangerous but may not be spreading as quickly.
In Moscow, a top anti-virus firm said Friday that Russia was 80-percent likely to be the origin of the Mydoom worm and could be an attempt to distribute unsolicited spam mail.
The Russian security firm Kaspersky Labs said it had traced the first emails infected with Mydoom to addresses with Russian Internet providers.
"We have special software to monitor Internet traffic across the world. This detected that the first emails infected by the worm came from Russian providers," the firm's spokesman Denis Zenkin, told AFP.
"But there is still a 20-percent chance that this was an attempt to mislead. Virus programmers from other countries could have registered an email address in Russia and transmitted their harmful programs via it," he added.
Indeed some experts saw the attacks against Microsoft and SCO, the Utah-based software vendor, as a diversion aimed at hiding the real goal -- to create email relays that can be re-sold to the spam industry.
The SoBig virus of last year "turned out to be piloted by members of organized crime which now use tools in a coordinated way created by spammers, virus instigators and hackers to spread their operations", according to Clusif, an information technology security group.
Microsoft and SCO, the owner of the Unix operating system, have together offered 500,000 dollars in rewards for information leading to the arrest and prosecution of Mydoom's creators.
"This worm is a criminal attack," said Brad Smith, senior vice president and general counsel at Microsoft.
"Its intent is to disrupt computer users, but also to keep them from getting to anti-virus locations and other sites that could help them. Microsoft wants to help the authorities catch this criminal."
Alexander Gostiyev, a Kaspersky Labs expert, told a press conference in Moscow that the attack "was very well planned and prepared, perhaps for several months and at least 1,000 computers were infected in advance."
Kaspersky Labs, which describes itself as one of the world's top-10 anti-virus firms, said some 600,000 or so computers had been infected by the bug.
Mydoom spreads through e-mail attachments and downloads from the popular Kazaa file-sharing service, which lets Internet surfers share content such as games, movies and music.
Part of Mydoom's "success" is that it -- unlike many earlier bugs -- poses as an error note with the main text message attached, prompting users to open the attachment to read it, thereby inadvertently launching the virus.
"The truly worrying phenomenon with these new viruses is the spread of undetectable open access on users' machines, be it by Mydoom or old viruses," said Francois Paget, director of research at Network Associates.
He said it was leading to a large number of vulnerable machines since there were 20,000 attempts at creating open access on computers every month.
Consequently, Internet access providers are becoming ever more pressing in their recommendations to customers to equip themselves not only with anti-virus software but also a firewall to oversee traffic leaving the computer as well.
This is all the more important because of the explosion of high-speed connections, which means that ever more computers are being permanently left "on-line".
California-based Panda Software said Mydoom.A was still spreading rapidly, even though individual computer users may be seeing fewer infected e-mails.
It said one in every five e-mails is carrying this worm, making four million infected e-mails in circulation.
January 31, 2004 at 12:13 AM in Virus
MyDoom Worm Spreads as Hunt for Author Intensifies (Yahoo! News)
By Bernhard Warner, European Internet Correspondent
LONDON (Reuters) - A cyber dragnet aiming to flush out the author of the MyDoom computer worm intensified Friday as the outbreak crippled still more e-mail networks.
Investigators and security experts hoped their hunt would get a boost after Microsoft Corp. offered a $250,000 reward Thursday for information leading to the arrest and conviction of the creator of one variant, MyDoom.B.
The offer follows a similar $250,000 bounty from software firm SCO Group Inc . The "doom" viruses are programmed to unleash digital attacks aimed at overwhelming both firms' Internet sites starting this weekend.
"If there is a break, it will come from the bounties," said Mikko Hypponen, research manager at Finnish anti-virus firm F-Secure.
MyDoom.A, also known as Novarg or Shimgapi, emerged on Monday, often masquerading as an e-mail error message from a "Mail Administrator" or another official-looking address and carrying a file attachment.
Hundreds of thousands of computer users have clicked on the seemingly benign attachment, infecting their computers.
The attachment releases a program capable of taking over the victim's computer, experts warned, before scouring the Internet for more vulnerable machines.
The effect is a massive logjam of data traffic that bogs down e-mail servers and rejects many incoming and outgoing messages.
Computers running any of the latest versions of Microsoft's Windows operating system are at risk of being infected, although the worm does not exploit any flaws in Windows or other software.
Patches capable of wiping the virus off a machine are available at anti-virus sites.
NO RESPITE
Friday, there was no sign of a let-up.
"It's still spreading voraciously. We've intercepted in excess of eight million viruses since the very first copy started Monday," said Paul Wood, chief information analyst with MessageLabs, an e-mail security firm.
After dissecting the malicious program, security experts got a little closer to unmasking the perpetrator. The author apparently signed the worm with the name "Andy" and left the message: "I'm just doing my job, nothing personal, sorry."
The first infected e-mails detected appear to have originated in Russia, but, Wood said, it was unclear whether those senders were the engineers behind MyDoom or just early victims.
Nabbing virus writers is a difficult undertaking. Such clues have been used in the past to form a picture of the suspect. "Most often virus authors are caught when bragging about their exploits somewhere," said Wood.
Still, a series of bounties Microsoft placed on the heads of the Blaster and Sobig.F virus writers in November has come to nothing, as chatter about their exploits has been scarce in the usual online forums.
Given the tight-lipped approach, security experts and police suspect the authors may be a new breed of virus writers that possibly have a connection to organized crime groups or spam e-mail peddling syndicates.
January 31, 2004 at 12:11 AM in Virus
January 27, 2004
Mydoom spreading as fast as Sobig (BBC News | Technology)
A malicious computer virus spread via e-mail is clogging networks and may allow unauthorised access to personal computers, experts have warned.
The worm, Mydoom or Novarg, is carried as an e-mail attachment that looks like a text file and sends itself out to other e-mail addresses once opened by the recipient.
The virus may also open a "back door" to the computer to give hackers access.
It is also spread through file-sharing networks and experts think it could be worse than last summer's Sobig worm.
Thousands of e-mails triggered by the worm, which only affects computers using Microsoft Windows, were bombarding networks within hours of its discovery on Monday.
E-mail security firm MessageLabs said it had stopped over 580,000 copies of the worm in the last 24 hours, and Symantec have had more than 150 reports an hour from companies and individuals who have received it.
Website attack?
The mass-mailing worm is very similar to other types, such as 2003's Bugbear and Sobig, and relies on e-mail to get from place to place, Symantec's Kevin Hogan explained to BBC News Online.
"It is very much in line with Bugbear or Sobig. We are seeing almost exactly the same number of reports of the virus, which means it has the same rate of spread.
"It is a very simple example. It simply relies on a human to double click on an attachment to run it."
MYDOOM DETAILS
From: random e-mail address
To: address of the recipient
Subject: random words
Message body: one of several different mail error messages, such as "Mail transaction failed. Partial message is available"
Attachment (with a text-file icon): random name ending with a ZIP, BAT, CMD, EXE, PIF or SCR extension
When a user clicks on the attachment, the worm starts Notepad, filled with random characters.
If the attachment is opened, it will do two things, Mr Hogan said. It deposits a back door, or a piece of software that listens to commands sent remotely over the net and acts on them.
"But it also seems it will attempt to perform a denial of service attack on SCO from 1 February to the 12th," said Mr Hogan.
SCO is one of the largest Unix open-source vendors in the world. It has been in the news recently because it has claimed that key parts of the open-source operating system, Linux, are under SCO's copyright.
Last year's Blaster worm attempted a similar attack on Microsoft's website, which was stopped.
No porn promise
Unlike many of its predecessors, Mydoom does not entice the recipient to open the attachment by promising nude pictures or personal messages.
Instead, the e-mail carrying the virus often bears the subject "Test" or "Status". The message inside may read: "The message contains Unicode characters and has been sent as a binary attachment".
Many of the e-mails look like they have been sent from organisations like charities or educational institutions, in an attempt to fool the recipient into opening the e-mail.
This happens when the virus sends itself out to all other addresses on an infected machine, "spoofing" the sender's e-mail address as it does so.
PROTECT YOURSELF FROM VIRUSES
Install an anti-virus program.
Keep it up to date.
Get the latest patches and updates for your operating system.
Never automatically open e-mail attachments.
Download or purchase software from trusted, reputable sources.
Make backups of important files.
"Mydoom can pose as a technical-sounding message, claiming that the e-mail body has been put in an attached file," said Graham Cluley from security firm Sophos.
"Of course, if you launch that file you are potentially putting your data and computer straight into the hands of hackers."
Users are advised to delete or ignore the e-mail attachment - which usually ends in .exe, .scr, .zip, .cmd or .pif - to avoid damage.
Symantec have advised anyone who has received the worm to avoid opening or double clicking the attachment.
Users should also ensure their anti-virus software is up-to-date, so that if the attachment is opened by accident, the software will catch it.
If anti-virus software does not spot an infection once the attachment is launched, users should download the free tools available to deal with it.
The security firm added if users start getting unusual pop-up messages from their desktop firewall, the chances are the computer has been infected.
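A mail-gateway heuristic built from the traits the article lists (lure subjects "Test"/"Status", bounce-style body text, attachments ending in ZIP, BAT, CMD, EXE, PIF or SCR). This is an added example, not code from the BBC, Symantec or Sophos; the sample messages, the `example.invalid` addresses and the placeholder attachment bytes are constructed, and it goes one step beyond the text by also looking inside ZIP attachments for an executable member.

```python
"""Heuristic scoring of Mydoom-style lure e-mails (added example, constructed data)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment extensions the BBC description of Mydoom lists.
RISKY_EXTENSIONS = {".zip", ".bat", ".cmd", ".exe", ".pif", ".scr"}
EXECUTABLE_EXTENSIONS = RISKY_EXTENSIONS - {".zip"}

# Bounce-message phrases the worm's body text imitates (quoted in the article).
BOUNCE_PHRASES = (
    "mail transaction failed",
    "partial message is available",
    "has been sent as a binary attachment",
)
LURE_SUBJECTS = {"test", "status"}


def _extension(name: str) -> str:
    """Lower-cased final extension of a file name, or '' if it has none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def _zip_members(payload: bytes) -> list:
    """File names inside a ZIP payload; an unreadable archive yields no names."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify(raw: bytes):
    """Return (verdict, reasons) for one raw RFC 822 message.

    "quarantine": an executable (directly or inside a ZIP) rides on a message
    that also shows a lure trait; "flag": some traits match; "pass": nothing.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    lure, executable, reasons = False, False, []

    subject = (msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        lure = True
        reasons.append(f"lure subject {subject!r}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hit = next((p for p in BOUNCE_PHRASES if p in text), None)
    if hit:
        lure = True
        reasons.append(f"bounce-style body text {hit!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext in EXECUTABLE_EXTENSIONS:
            executable = True
            reasons.append(f"executable attachment {name!r}")
        elif ext == ".zip":
            nested = [m for m in _zip_members(part.get_payload(decode=True))
                      if _extension(m) in EXECUTABLE_EXTENSIONS]
            if nested:
                executable = True
                reasons.append(f"ZIP {name!r} contains executable {nested[0]!r}")
            else:
                reasons.append(f"ZIP attachment {name!r}")

    if executable and lure:
        return "quarantine", reasons
    return ("flag" if reasons else "pass"), reasons


def build_sample(subject: str, body: str, filename=None, data: bytes = b"") -> bytes:
    """Construct an in-memory sample message (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "mail.administrator@example.invalid"  # placeholder sender
    msg["To"] = "user@example.invalid"                   # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def _zip_bytes(member: str, data: bytes) -> bytes:
    """Constructed ZIP archive holding one member, used only for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


PLACEHOLDER = b"constructed placeholder bytes, not a real program"
SAMPLE_LURE = build_sample("Test", "The message contains Unicode characters "
                           "and has been sent as a binary attachment.",
                           "document.scr", PLACEHOLDER)
SAMPLE_ZIPPED = build_sample("Status", "Mail transaction failed. Partial message "
                             "is available.", "message.zip",
                             _zip_bytes("message.pif", PLACEHOLDER))
SAMPLE_BENIGN = build_sample("Quarterly report", "Hi, the report is attached.",
                             "report.pdf", b"%PDF-1.4 placeholder")
SAMPLE_REAL_BOUNCE = build_sample("Undelivered Mail", "Mail transaction failed. "
                                  "Partial message is available.")

if __name__ == "__main__":
    for label, raw in [("lure", SAMPLE_LURE), ("zipped", SAMPLE_ZIPPED),
                       ("benign", SAMPLE_BENIGN), ("bounce", SAMPLE_REAL_BOUNCE)]:
        print(label, *classify(raw))
```

A genuine bounce with no attachment is only flagged, not quarantined, which is the distinction that keeps real delivery-failure notices flowing.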
The top two viruses of 2003, Sobig-F and Blaster-A, accounted for more than one-third of all the malicious programs seen during 2003.
January 27, 2004 at 10:21 AM in Virus
January 16, 2004
Trend Micro Says 2003 Viruses Caused $55 Billion Damage (Yahoo! News)
By Jennifer Tan
SINGAPORE (Reuters) - Trend Micro Inc., the world's third-largest anti-virus software maker, said on Friday computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that would rise this year.
Companies lost roughly $20 billion to $30 billion in 2002 from the virus attacks, up from about $13 billion in 2001, according to various industry estimates.
"The economic and financial impact of virus attacks will continue to climb in 2004," Lionel Phang, Trend Micro's managing director, told Reuters in an interview. He did not have a forecast for the year.
Spam threats and network viruses will likely become more prevalent in 2004, he said.
"The spam threat will increase exponentially, and will become the hideouts for viruses and hacking programs trying to gain an entry into the network," he added.
"Blended threats also will remain the standard way to attack networks, where one virus file will create four to five different activities within the system."
Phang offered the following example of a blended threat: a spam-generating virus causes a surge in the company's network traffic and prompts its network administrators to block the junk email, and while technicians try to fix the spam problem the virus drops a program into the system that monitors keystrokes and steals company passwords and user IDs.
Viruses can gain entry into computer networks via instant messaging channels, such as Internet Relay Chat (IRC) programs and Time Warner Inc.'s ICQ service, Phang added.
Natasha David, an analyst with International Data Corp (IDC), said spam would emerge as the key transmission vehicle for viruses in 2004.
"Spammers are going to put viruses and worms in email attachments, so (junk email) will become more than just a nuisance," she said.
According to IDC, the global market for secure content management, which includes anti-virus solutions, message security and web filtering, is expected to hit $6.4 billion in 2007, representing a compound annual growth rate of 19 percent.
ONE ATTACK EVERY MONTH
Last year, there was almost one major virus attack every month, including the well-known Slammer worm, which shut down Internet service providers in South Korea, disrupted plane schedules and knocked out automatic teller machines in January.
The Lovegate Internet email worm surfaced in February, while the Bugbear and SoBig viruses, which spread via infected emails, appeared in June.
Analysts said the number of attacks between January and June 2003 exceeded 70,000, which is about twice the rate for 2002.
"About 20 to 40 new and variant virus threats were reported to Trend Micro on a daily basis worldwide in 2003," Phang said.
The company plans to focus on products and services for the small and medium businesses this year.
"This is the most vulnerable market segment in 2004 as their awareness level is really low, they do not have the dedicated IT expertise, and have a false sense of security about virus attacks, thinking they are too small a target for such attacks," Phang said.
January 16, 2004 at 08:57 AM in Virus
December 31, 2003
Are you sophisticated enough to recognize an Internet scam? (Mercury News, 12/19/2003)
Computer attacks have moved into a third wave, which Bruce Schneier calls "semantic" attacks, i.e. attacks against the user, whereas the first two waves were against computers and systems.
By Bruce Schneier
Posted on Fri, Dec. 19, 2003
MercuryNews.com
Recently I have been receiving e-mails from PayPal. At least, they look like they're from PayPal. They send me to a Web site that looks like it's from PayPal. And it asks for my password, just like PayPal. The problem is that it's not from PayPal, and if I do what the Web site says, some criminal is going to siphon money out of my bank account.
Welcome to the third wave of network attacks, what I have named "semantic attacks." They are much more serious and harder to defend against because they attack the user and not the computers. And they're the future of fraud on the Internet.
The first wave of attacks against the Internet was physical: against the computers, wires and electronics. The Internet defended itself through distributed protocols, which reduced the dependency on any one computer, and through redundancy. These are largely problems with a known solution.
The second wave is syntactic: attacks against the operating logic of computers and networks. Modern worms propagate and can infect millions of computers worldwide within hours. Traditional computer security has focused on this second wave, which aims to exploit programming errors in software products. It would be a lie to say that security experts know how to protect computers absolutely against these kinds of attacks, but we're getting better. Better software quality, more pro-active patching capabilities and better network monitoring will give us some measure of security in the coming years.
But this new wave of semantic attacks targets the way people assign meaning to content.
Many worms arrive as e-mail attachments. A user receives an e-mail message from someone he knew. It has an enticing subject line and a plausible message body. Of course a recipient is going to click on the attachment. And that's exactly what causes the infection.
People tend to believe what they read. How often have you needed the answer to a question and searched for it on the Web? How often have you taken the time to corroborate the accuracy of that information, by examining the credentials of the site, finding alternate opinions or other means?
People have long been taking advantage of others' naivete. Many old scams have been adapted to e-mail and the Web. Unscrupulous stockbrokers use the Internet to fuel their "pump and dump" strategies. In 1999, a fake press release circulated on the Web caused the stock of the Emulex Corp. to temporarily drop 61 percent. More recently, we've seen newspaper archives on the Web changed and fake Web sites purporting to be something they're not.
Against computers, semantic attacks become even more serious, simply because the computer cannot demand all the corroborating data that people instinctively rely on. Despite what you see in movies, real-world software is incredibly primitive when it comes to what is known as simple common sense. Ever increasing numbers of sensors and data collection devices are on the Internet. What happens when hackers realize that these devices can be fed bad data?
People have long been the victims of bad statistics, urban legends and hoaxes. Any communications medium can be used to exploit credulity and stupidity, and people have been doing that for eons. The difference is the scale. A single forged e-mail, a single fake press release, can affect millions.
Current computer security technologies are largely irrelevant against semantic attacks. These attacks aim directly at the human-computer interface, the most insecure portion on the Internet. Defending against them will take more than technology -- it will take education, experience and skepticism. Too many Internet users don't have enough of those three qualities.
BRUCE SCHNEIER is the chief technical officer of Counterpane Internet Security Inc. in Mountain View. His new book, "Beyond Fear: Thinking Sensibly About Security in an Uncertain World," was published this fall. He wrote this column for the Mercury News.
December 31, 2003 at 02:34 AM in Online crime, Security, Virus
December 03, 2003
Yahoo! News - Web Virus Authors 'Winning Battle'--Microsoft
Wed Dec 3, 1:22 PM ET
By Mark Trevelyan, Security Correspondent
WIESBADEN, Germany (Reuters) - Creators of computer viruses are winning the battle with law enforcers and getting away with crimes that cost the global economy some $13 billion this year, a Microsoft official said Wednesday.
Counterfeit centers are shifting from California and Western Europe to countries including Paraguay, Colombia and Ukraine, said David Finn, Microsoft's director of digital integrity for Europe, the Middle East and Africa.
In Asia, pirate plants have emerged in Vietnam, Macao, and Myanmar (Burma) in addition to more established facilities in Indonesia, Malaysia and Thailand.
"So far they are getting away with it. They are winning by a considerable margin. Very few have been identified or prosecuted or punished," Finn said.
He cited estimates by Business Week that financial damage this year from bugs like the Blaster worm and the SoBig.F e-mail virus, which crashed systems and disrupted Internet traffic around the world, would total some $13 billion.
The cost of protecting networks against such cyberattacks was put at $3.8 billion.
Finn also said neither civil lawsuits nor criminal prosecutions were doing an adequate job of stamping out software piracy and seizing the multimillion dollar profits it generates.
Finn said the number of counterfeit Microsoft products intercepted had more than doubled to four million units this year from 1.75 million two years ago. But the value of pirate software seized -- $1.3 billion over three years -- was "a small fraction of what's really out there."
He estimated the profit margin on counterfeit software at 900 percent -- nine times higher than for distributing cocaine.
SOBERING PICTURE
Finn was addressing a cybercrime conference in Germany at which experts presented a sobering picture of progress against hackers, fraudsters, drug runners, child pornographers and other assorted criminals exploiting the World Wide Web.
Britain's top high-tech crime officer told Reuters in an interview that drug dealers and arms traffickers were recruiting experts from the computer industry using cash inducements or threats.
"Organized crime is identifying those kinds of skills and buying them in," said Len Hynds, head of the National High-Tech Crime Unit.
"I know of sophisticated drug-trafficking organizations, arms-trafficking organizations that are now making use of hacking skills and hacking into the servers of unsuspecting businesses so that they can then launch attacks and hide their activity and their illicit material."
He said "we shouldn't be surprised" if terror organizations were looking to recruit computer expertise.
Hynds said gangs were recruiting people with IT skills not only to help them commit cybercrime but to secure their own communications networks and avoid detection.
"Organized crime, whatever its commodity, is driven by a desire for profit, and often its Achilles' heel is its communications processes. We're aware that organized crime is now using sophisticated methods to make its communications more secure, and it will recruit people to assist in the process."
He said companies needed to recruit more carefully.
"They need to look at how they recruit staff, how they vet staff, how they recruit consultants who may only be with them for a very short period of time. Although remote attack is becoming more prevalent, it's still a fact that most threats come from inside a company," he said.
Hynds said British police were also seeing a sharp rise in 'spoof' Web sites of financial institutions, intended to dupe customers into revealing their account details and passwords.
He said the number of cases had risen to 40 so far this year from just seven in 2002 and the fake sites had become "far more sophisticated."
December 3, 2003 at 01:40 PM in Virus
December 01, 2003
Invasion on ATM OS shut down machines in August | ATM Marketplace News
ATM machines hit by a computer virus. The pervasiveness of Windows, and of viruses, means Microsoft has to get really serious about the security of its software. The defaults within Windows need to be much tighter.
As an aside, I noticed on my own new laptop that the default for "Remote Registry Control" is On. Why? Why would I ever want to give up control of my registry to anyone outside? So I turned it off, and not only does my laptop run fine, I no longer get Gator changing my registry.
26 November 2003
NORTH CANTON, Ohio -- ATMs belonging to two financial institutions were shut down when the computer worm Welchia invaded their embedded Windows XP operating systems in August. Diebold, manufacturer of the machines, revealed the security breach on Nov. 25, according to a report in New Scientist.
It is the first known case of a worm installing itself on individual ATM operating systems, said Peter Lind, a security expert at Spire Security in Malvern, Penn. Earlier in 2003, the Blaster worm shut down Bank of America ATMs, but only by causing a flood of traffic that clogged the network's bandwidth.
In the Welchia case, the only harm done was that the traffic generated by the worm trying to contact other machines shut down the ATMs.
To infect the ATMs, Welchia exploited a vulnerability in Windows XP called RPC DCOM. Diebold adapted Microsoft's RPC DCOM patch for its ATMs and offered it to its customers. But the two financial institutions did not apply the patch and were infected, said Diebold spokesperson Mike Jacobsen.
Diebold does not know how the worm made it to the closed financial network. But security experts suggest it could have been carried on an infected laptop computer. The laptop would have contracted Welchia while connected to the Internet, and then transferred it when later connected to the financial network.
The worm, also known as Nachi, was not particularly malicious. But it is indicative of a worrying trend, Lind told New Scientist.
"Nowadays it seems that any device that supports any kind of networking is opening the door to access and sometimes that access might be malicious," he said.
Programming an ATM to spew out cash would require access to the private source code that controls the mechanical opening and shutting of the machine. But someone might be able to use a worm that exploited a vulnerability to gain access to that source code, Lind said.
"It doesn't strike me as outside the realm of possibility, although it is a little far-fetched," he said.
Diebold will install firewall software on all new ATMs, beginning in December. (See related story: Diebold and Sygate to boost security for Windows-based ATMs)
December 1, 2003 at 09:15 AM in Virus
November 29, 2003
TheStar.com - Bill Gates beats back bugs
Microsoft fights back, and will embed anti-virus software within Windows for Longhorn. Since first announcing Trustworthy Computing in 2001, the association with Computer Associates is very significant, and doesn't bode well for McAfee and Symantec.
TYLER HAMILTON
TECHNOLOGY REPORTER
When the Blaster and SoBig viruses hit the Internet in August, they infected millions of Microsoft-based home and business computers, bogged down corporate networks and caused billions of dollars in direct and indirect damages.
It was another payday for security-software firms, which have typically benefited over the years from highly publicized Internet attacks that exploit new-found vulnerabilities in Microsoft software.
Not surprisingly, the Blaster and SoBig scares boosted sales of anti-virus products from industry leaders such as Symantec Corp. and Network Associates Inc. Knee-jerk investors, excited by dire predictions of more frequent and destructive cyber attacks, bid up these companies' shares in the weeks that followed.
But the party was short-lived. Investors were given notice Nov. 18 that the security-software industry was anything but a secure bet. On this day, software titan Microsoft Corp. announced a seemingly innocuous partnership with Computer Associates International Inc. that, as part of a one-year deal, would put free anti-virus software into the hands of millions of consumers.
"Make no mistake, this free security product offering is a tectonic shift in thinking," wrote D.K. Matai, executive chairman of British-based computer-security consultancy Mi2g, in a report titled "The day the computer software industry changed."
Matai and other analysts read between the lines. They recognized the Microsoft-CA partnership as a one-year delay of the inevitable.
It is now widely believed that Microsoft has plans to integrate anti-virus software directly into its next-generation Windows operating system, dubbed Longhorn. The move is expected to virtually annihilate competing retail products and further extend the giant's monopoly into specific areas of computer security, perhaps including anti-spam software.
"Once the anti-virus feature is available as part of the Microsoft platform, a lot of the consumer market will go away," said Laura Koetzle, senior analyst with Forrester Research, a technology consultancy in Cambridge, Mass.
It may seem like the makings of another antitrust battle, but good or bad, the general consensus is that Microsoft has no choice.
Two years earlier, a number of gutsy hacker attacks and high-profile viruses such as Code Red and Nimda called into question whether the security of Microsoft's operating systems and applications could be trusted. The problem was exacerbated when Microsoft's own internal corporate network had been the target of a successful cyber attack.
Eager to avoid more damage to its brand, Microsoft chairman Bill Gates released an employee memo Jan. 15, 2001, titled "Trustworthy Computing." In it, he announced that security had become a top priority for the company at every level, "from the way we develop software, to our support efforts, to our operational and business practices."
Despite this initiative, the public-relations crisis Gates was hoping to silence has since amplified. Software is getting more complex, not simpler, and as more consumers and corporations conduct online transactions over high-speed links, they expose themselves to greater risk.
In September, a report from Symantec concluded the global epidemic of Internet viruses is intensifying dramatically, resulting in "overloads to network hardware, crippling networking traffic and seriously preventing both individuals and businesses from using the Internet."
It's a view supported by rival Network Associates. "This is a part of life now," said Parveen Jain, president of the company's network security technologies unit. "We've got to live with it because it's a criminal activity that's going to continue."
Microsoft, whose Windows operating system has a near-monopoly grip on the market, has been and continues to be the biggest sitting duck for hackers and virus writers. Not a week goes by without at least one new security flaw being discovered in Windows or some other Microsoft application, requiring each time that a software "patch" be issued to repair flawed computer code.
But as Microsoft and its customers increasingly realize, simply issuing a patch won't eliminate the problem. Even if 90 per cent of all computers are regularly updated with patches, the 10 per cent that remain vulnerable can become infected and dangerous.
Once infiltrated, these computers can launch denial-of-service attacks on Web sites or become automated distributors of spam, ultimately flooding the Internet with digital garbage that can also cripple corporate networks. In this sense, everybody feels the impact of a virus outbreak — even those who take necessary measures to protect their own computers.
"Every moment a network is down a company loses money," said Jain. "The network is for revenue generation now, rather than just information transportation."
Bell Sympatico, Canada's largest Internet service provider, discovered first-hand what happens when a small number of people neglect to download the latest security patch or update their anti-virus software, assuming they even have it.
In mid-October, half of the estimated 10 million e-mail messages that moved each day through Sympatico's network were identified as spam. Of all legitimate messages, about 5 per cent were found to have malicious viruses attached.
In one instance, a virus was turning the computers of some Sympatico customers into spam machines. The resulting flood of unsolicited e-mail pumping through the ISP's network was causing e-mail delays for all Sympatico customers, forcing the company to take action by identifying infected machines and putting accounts in quarantine.
Bell has begun offering some of its customers a free one-year trial of anti-virus software to help combat the problem. Rival Telus Corp. has offered free anti-virus protection to its high-speed Internet customers since August, and recently began offering anti-spam software at no charge.
"Absolutely, there is cost associated with this," said Charlotte Burke, senior vice-president of consumer Internet services at Bell.
Corporate networks can be affected the same way. According to Mi2g, viruses and other malicious attacks against Microsoft systems in August and September alone caused $64.5 billion (U.S.) worth of damages worldwide, including lost productivity, the cost of upgrading software and hardware to prevent future outbreaks and recovery costs.
It is this measurable cost being incurred by Microsoft customers that could force real change in the industry. Last month, Microsoft cited security fears as a reason why some of its corporate and government customers were hesitant to commit themselves to long-term software contracts, contributing to a surprising $768 million (U.S.) shortfall in unearned revenues.
November 29, 2003 at 10:39 AM in Microsoft, Virus
November 25, 2003
Another virus
The Sysbug Trojan poses as a misdirected email with photographic attachments.
Virus writers are getting good at making emails seem quite realistic and luring unsuspecting people into clicking things, and BOOM they've got you!!
November 25, 2003 at 04:50 PM in Virus
October 25, 2003
Yahoo! News - Microsoft Security Flaws Infecting Its Finances
Nothing like getting hit in the pocketbook to get your attention. Microsoft is going to have to address the real and perceived security issues that accompany its products.
Yahoo! News - Microsoft Security Flaws Infecting Its Finances: "Fri Oct 24, 4:56 PM ET
By Reed Stevenson
SEATTLE (Reuters) - Security flaws in Microsoft Corp.'s software have hurt users, businesses and governments for years, but until now have caused little pain for the world's largest software maker's bottom line.
That changed this week when Microsoft reported an unexpected dip in corporate contracts during the September quarter due to customer concerns over the security of its products, triggering on Friday the sharpest drop in Microsoft's share price since Sept. 17, 2001, the day markets reopened after the World Trade Center attacks.
Shares in the Redmond, Washington-based company fell by about 8 percent to close at $26.61 on the Nasdaq, where it was by far the most actively traded issue, with more than 210 million shares trading hands.
Analysts said the security issue was diverting the company's energies, as sales representatives spent more time putting out fires and mending fences with clients and less time making new sales.
The maker of the Windows operating system posted a rise in profit and revenue in its fiscal first quarter, but analysts and investors focused instead on the $768 million drop in so-called unearned revenue -- a key measure of Microsoft's future sales.
Unearned revenue, which reflects sales from contracts that span several years, fell to $8.25 billion from $9 billion in the previous quarter. Microsoft had been expecting a decline of $200 million to $300 million.
Chief Financial Officer John Connors conceded in Thursday's conference call that the drop was driven in large part by security concerns among customers during the latest quarter, when the Blaster worm emerged and devastated computers worldwide.
Analysts said the hit to Microsoft's results could be more of an incentive for the software maker to fix its security woes.
"Microsoft is not a charity, they're not going to fix security out of the kindness of their heart," said Bruce Schneier, a computer security expert and chief technology officer at Counterpane Internet Security.
"They're going to fix it because it's good business for them, but only to the extent of the financial impact."
Although Microsoft launched a major push to improve the security and reliability of its products in early 2002, its critics have said that the software giant is not doing enough.
The Slammer worm that in January targeted Microsoft's SQL database software nearly brought Internet traffic to a halt, while the Blaster worm in August erased data in hundreds of thousands of computers.
Microsoft did not have immediate comment on whether the recent results would lead to a new push for security.
A BRUISE OR A GASH?
Analysts cautioned, however, that it was too early to tell whether concern over security would continue to be a drag on the company's financial performance.
"I hesitate to extrapolate a trend based on one data point," said Charles Di Bona, analyst at Sanford C. Bernstein and Co.
While Microsoft is forecasting another sequential decline in unearned revenue in the fiscal second quarter, Di Bona pointed out that Microsoft has a pipeline of commitments from its customers that has remained steady at $6 billion.
Still, a drop in contract sales is not the only thing threatening Microsoft's bottom line.
Earlier this month, a group of users proposed a class-action lawsuit in California claiming that Microsoft's market-dominant software is vulnerable to viruses capable of triggering "massive, cascading failures" in global computer networks.
The lawsuit, the first proposed class-action against Microsoft for lapses in security, was aimed at making a fundamental change to protect consumers and businesses, said attorney Dana Taschner of Newport Beach, California.
Microsoft, in its defense, argues that the problem with computer security lies not only with those who make software but those who write malicious software code, a criminal act.
In a speech this week for the launch of Microsoft's latest version of Office, Microsoft Chief Executive Steve Ballmer said that Microsoft is preparing to train more than 500,000 technology professionals from December on how to secure corporate systems using Microsoft software.
"There is no silver bullet here, but we think we're going to make dramatic improvements in the next year," Ballmer said."
October 25, 2003 at 09:38 PM in Microsoft, Virus
August 23, 2003
Race to stop SoBig virus next move
CNN.com - Race to stop SoBig virus next move - Aug. 22, 2003: "LONDON, England (CNN) -- Computer security experts have been trying to locate about 20 computers that could have been targeted by the SoBig.F virus to wreak further havoc.
As companies worldwide ramped up their protection systems Friday and home users downloaded anti-virus software, the hunt was on for a small number of infected machines that could have been chosen by the virus to bombard the Internet with more data.
The identities of the 20 are not known and it is not clear why they have been targeted."
SoBig.F -- the sixth strain of the same virus -- is the fastest spreading virus ever, hitting hundreds of thousands of computers.
It arrives in e-mail attachments with subject headers, such as: Your details, Thank you!, Re: Thank you!, Re: Details, Re: Re: My details, Re: Approved, Re: Your application, Re: Wicked screensaver or Re: That movie.
The body of the message is short and usually contains either "See the attached file for details" or "Please see the attached file for details."
Once the attachment is opened, the virus creates a security hole in the computer, allowing someone else to use it to send on many more e-mails.
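The lure the article describes is a fixed set of subject lines, a one-line body and an attachment, which is exactly what a mail-gateway rule of the time could key on. As an added example that is not from the article, the following Python scores constructed sample messages against those strings; the executable-extension list, the sample messages and the two-indicator threshold are assumptions for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure strings quoted in the CNN report (matched case-insensitively).
SOBIG_F_SUBJECTS = {
    "your details", "thank you!", "re: thank you!", "re: details",
    "re: re: my details", "re: approved", "re: your application",
    "re: wicked screensaver", "re: that movie",
}
SOBIG_F_BODIES = {
    "see the attached file for details",
    "please see the attached file for details",
}
# Attachment extensions a gateway should treat as executable. This list is an
# assumption for the example; the article does not name the attachment types.
EXECUTABLE_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat")


def classify_message(raw: bytes) -> dict:
    """Score one RFC 822 message against the SoBig.F lure pattern.

    Returns the verdict ("quarantine" or "deliver") and the indicators that
    fired. Two or more indicators quarantine the message; a single hit (a
    common subject such as "Thank you!" on its own) is not enough, which
    keeps the rule from eating legitimate mail. The From: header is
    deliberately ignored: the worm forges it from a victim's address book,
    so it carries no signal.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    executables = [a for a in attachments if a.lower().endswith(EXECUTABLE_EXTENSIONS)]

    reasons = []
    if subject in SOBIG_F_SUBJECTS:
        reasons.append("subject is on the SoBig.F lure list")
    if body in SOBIG_F_BODIES:
        reasons.append("body is the SoBig.F one-line lure")
    if executables:
        reasons.append("executable attachment: " + ", ".join(executables))
    verdict = "quarantine" if len(reasons) >= 2 else "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Construct a sample message (constructed test data, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "forged.sender@example.com"   # worm-style forged sender
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed placeholder, not a real binary",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_bytes()


# Constructed samples: two worm-style lures, two legitimate messages that
# share one indicator each with the lure (subject, or body plus a
# non-executable attachment).
SAMPLES = {
    "worm_like": build_sample("Re: That movie",
                              "See the attached file for details", "details.pif"),
    "worm_like_2": build_sample("Your details",
                                "Please see the attached file for details",
                                "your_details.pif"),
    "legit_thanks": build_sample("Re: Thank you!",
                                 "Thanks for the report, slides follow on Monday."),
    "legit_report": build_sample("Quarterly numbers",
                                 "Please see the attached file for details", "q3.xls"),
}


def scan_samples(samples: dict = SAMPLES) -> dict:
    """Classify every sample and return {name: verdict}."""
    return {name: classify_message(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = classify_message(raw)
        print(f"{name:14s} {result['verdict']:10s} {'; '.join(result['reasons'])}")
```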
By Thursday, one in 17 e-mails contained SoBig.F worldwide. As systems have become clogged with data, corporate victims include Air Canada and defense giant Lockheed Martin.
On Friday, anti-virus experts were trying to predict its next move. Some feared it could unleash a mystery program across infected machines.
These computers would act as "master servers," receiving instructions from the author of the virus unless they were switched off.
"We don't know what that program is. It could mean a smiley face dances across your screen or it could be something massive," Carole Theriault of Sophos Anti-Virus told Reuters.
But Paul Wood of Internet security company MessageLabs said the author of the virus might choose to hold off causing further damage, fearing that the massive spread of the virus increases the chance of being caught.
"On this occasion the writer of the virus has probably been too successful for his own good," Wood told CNN.
He added the culprit could be using the virus to spread spam -- mass marketing e-mail.
Home computer users are advised to regularly scan their machines with anti-virus software.
If you have been infected, you may receive unfamiliar pop-up prompts or your machine might slow down. If in doubt, contact an anti-virus company or the Internet service provider.
August 23, 2003 at 01:01 AM in Virus
August 22, 2003
Yahoo! News - Officials Look to Unearth Internet Worm Writers
By Elinor Mills Abreu and Bernhard Warner
Thu Aug 21, 7:51 PM ET
SAN FRANCISCO/LONDON (Reuters) - They write menacing software with names like "Blaster," "Welchia" and "Sobig" that worm around the Internet leaving destruction in their path, and on Thursday detectives and computer security firms were hot on their trail.
Computer virus writers have unleashed an unprecedented outbreak of computer worms this past week and while finding them will not be easy, experts generally believe they are ego-filled computing geeks out to impress others.
"Every major law enforcement agency is looking into this. At the end of the day, we want to prosecute," said a cyber crime investigator at the UK's National Hi-Tech Crime Unit, who asked to remain anonymous.
In the past two weeks, major computer infestations by Blaster, also called "LovSan," and Welchia, also dubbed "Nachi," have crawled through holes in computers using Microsoft Corp.'s Windows operating system. A third worm, Sobig.F, has spread via Microsoft e-mail programs.
The result is that hundreds of thousands of PCs worldwide have crashed and many computer networks have slowed to a crawl.
The full economic impact of this recent infestation may never be known, but the growing list of victims includes the U.S. Navy and Air Canada. Experts are calling this recent computer infestation the most damaging worm outbreak yet.
To catch the suspects, investigators are piecing together suspect profiles from strings of computer code to try to trace their destination through a maze of Internet addresses.
This new group of worms is believed to be the work of different parties. The most perplexing may be the author of Welchia, a worm that tries to stop the Blaster worm.
EGO-DRIVEN GEEKS
Welchia is the brainchild of either a misguided digital do-gooder or an ego-driven programmer, which is the typical virus writer, computer security experts said on Thursday.
"Any kind of worm that intrudes upon your PC is not good," said America Online spokesman Nicholas Graham.
The Welchia worm arguably does more damage than Blaster, which merely crashes systems. In its zeal to find computers that are infected with Blaster, Welchia is conducting a lot of Internet scanning that paralyzes and slows many computing networks.
Welchia's creator is believed to be from China because in the code are Chinese words and names. The author also includes a phrase saying it was created for a good cause, said Jimmy Kuo of anti-virus vendor Network Associates Inc.
Blaster is thought to have begun in an English-speaking country because of the impeccable English in the software code, said Mikko Hypponen of anti-virus company F-Secure of Finland.
The reference to "San," (in Blaster's other name, LovSan) possibly short for "Sandy," could be the handiwork of a male virus writer looking to impress a girl, he said.
Virus writing "gives underworld cachet to what is otherwise a pretty geeky existence," said David Perry, global director of education for Tokyo-based anti-virus provider Trend Micro. "To impress a girl ... you go out and write a computer virus."
Last year, police tracked down convicted Welsh virus writer Simon Vallor after he named his friends and included comments about Wales in the text of his computer virus, dubbed GoKar, investigators said.
August 22, 2003 at 08:36 AM in Virus
Spread of Virus Is Fastest Ever
The New York Times: Technology: "A computer virus that circulated across the Internet this week, hard on the heels of another nasty online infection, has been declared the fastest e-mail outbreak ever" - 'Sobig.F'
August 22, 2003 at 12:15 AM in Virus
August 21, 2003
Most potent virus
Yahoo! News - Technology - Reuters Internet Report: "A new computer virus feared to be the most potent ever spread like wildfire Thursday, sending e-mail networks crashing and frazzling technicians already overstretched by a plague of computer bugs."
Sobig Worm Aims to Turn PCs Into Spam Machines
Reuters Internet Report
By Elinor Mills Abreu
SAN FRANCISCO (Reuters) - Several Internet worms that have besieged computers for over a week played havoc again on Wednesday, including one called Sobig.F whose aim was to turn PCs into spam machines and was believed to be the fastest growing virus ever, experts said.
"Sobig.F drops software onto infected Windows computers that open them to be used later for distributing Internet spam -- unwanted e-mails and product promotions, experts said. It also represents a new trend in converging e-mail spamming and virus software writing, they said.
'We believe (Sobig.F) has been written by a spammer or spammers' looking for ways to get past spam filters, said Mikko Hypponen, manager of anti-virus research for Finnish security firm F-Secure. 'For once, we have a clear motive for a virus -- money.'
Security experts said it was difficult to ascertain how many computers had been infected by the Sobig.F worm. Worms are viruses that spread through networks.
Internet service America Online, however, said it blocked about 11.5 million copies while security firm MessageLabs stopped more than 1 million copies within the first 24 hours and dubbed Sobig.F the fastest growing e-mail virus ever.
Sobig.F hit the computing world as corporations were still recovering from several worms that spread through holes in Microsoft Corp.'s Windows operating systems, including the "Blaster" worm. Also called "LovSan," it has infected and crashed hundreds of thousands of computers since last week.
The "Welchia" or "Nachi" worm, which surfaced on Monday, infected 72,000 computers used by the U.S. Navy and Marine Corps and crippled Air Canada's reservation counters and call centers.
CSX Transportation said on Wednesday that a virus infection had slowed its dispatching and signal systems, forcing it to halt passenger and freight train traffic, including the morning commuter train service in Washington, D.C.
NEW TREND, SPAM-VIRUS CONVERGENCE
Sobig.F hit home users particularly hard, experts said. It arrives in an e-mail with an attachment that when opened infects the computer and sends itself on to other victims using a random e-mail address from the address book, making it difficult to trace the worm back to its source.
The Sobig family of worms represents a new trend in the convergence of worm and spam techniques for more widespread and faster deployment, experts said.
Virus writers are utilizing software that spammers employ to send bulk spam messages. Conversely, spammers are starting to use methods incorporated by virus writers to spread their messages and avoid detection, said Brian Czarny, marketing director at e-mail security company MessageLabs.
Previous Sobig versions loaded a program onto infected PCs that broadcast spam to other computers, thus turning the PCs into so-called "spam relays."
Sobig.F downloads a Trojan onto infected computers, which could later be remotely activated to send spam, experts said.
"There are computers scanning the Internet for open relays so spammers can jump from one machine to the next and be able to send millions of spam messages and have them not be traced back to them or be blocked," said Jimmy Kuo, research fellow at anti-virus vendor Network Associates Inc.
Sobig.F, which expires on Sept. 10, is spreading quickly because it sends multiple e-mails simultaneously and spreads to other computers on a shared network, said experts, who predict there will be another version in the near future. (Additional reporting by Bernhard Warner in London and Charles Grandmont in Montreal.)
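The article describes the behaviour a mail administrator can actually see from the outside: one infected client firing off many messages in a short burst, each with a different envelope sender harvested from the victim's address book, so the From address says nothing about the true origin. The following is an added example, not code from the original article or from any vendor quoted in it. It runs a simple mass-mailer heuristic over a constructed relay log: flag any client IP that sends at least `min_msgs` messages inside a sliding time window using at least `min_senders` distinct envelope senders. The log format, host addresses and thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (constructed for this example, not a real MTA format):
#   2003-08-20T09:00:00 client=10.0.0.7 from=<alice@example.org> to=<user0@example.net>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]*)>$"
)


def parse_line(line):
    """Parse one relay log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "frm": m["frm"].lower(),
        "to": m["to"].lower(),
    }


def find_mass_mailers(lines, window=timedelta(minutes=10), min_msgs=20, min_senders=5):
    """Return {client_ip: stats} for clients that look like mass-mailing worms.

    A client is flagged when, within any `window`, it submits at least
    `min_msgs` messages using at least `min_senders` distinct envelope
    senders. A legitimate bulk sender (newsletter, ticketing system) uses
    one sender address and so is not flagged, however many messages it sends.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            senders = {r["frm"] for r in span}
            if len(span) >= min_msgs and len(senders) >= min_senders:
                flagged[ip] = {
                    "messages": len(span),
                    "senders": len(senders),
                    "recipients": len({r["to"] for r in span}),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                }
                break  # first qualifying window is enough to raise the alert
    return flagged


def build_sample_log():
    """Constructed sample relay log (not real traffic) with one infected host."""
    lines = []
    base = datetime(2003, 8, 20, 9, 0, 0)
    address_book = ["alice", "bob", "carol", "dave", "erin", "frank"]
    # Infected host 10.0.0.7: 24 messages in under three minutes, each sent
    # with a sender address pulled from the victim's address book.
    for i in range(24):
        ts = base + timedelta(seconds=7 * i)
        frm = f"{address_book[i % len(address_book)]}@example.org"
        lines.append(f"{ts.isoformat()} client=10.0.0.7 from=<{frm}> to=<user{i}@example.net>")
    # Legitimate host 10.0.0.9: 30 newsletter messages over ten minutes,
    # all from the same envelope sender.
    for i in range(30):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} client=10.0.0.9 from=<news@example.org> to=<member{i}@example.net>")
    return lines


if __name__ == "__main__":
    for ip, stats in find_mass_mailers(build_sample_log()).items():
        print(ip, stats)
```

The thresholds are deliberately conservative; on a real relay they should be tuned against a baseline of normal submission rates, and the heuristic is a trigger for investigation (pull the host off the network, check it for the dropped trojan the article mentions), not a block rule on its own.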
August 21, 2003 at 12:16 PM in Virus
August 16, 2003
Viruses, hackers hit 1/3 of Net users
Aug. 12: Nearly 32 percent of Internet users surveyed in mid-July said they had been affected by a hacker or computer virus in the past two years. About 43 percent of them said they felt vulnerable on their home computers, while 17 percent felt they were vulnerable from viruses and hackers at work.
It seems the frequency and depth of problems with viruses is overwhelming. Yet no-one uses the internet more than me, because I am online 24 hours a day and I never get anything, including the latest MS Blaster virus. Yet I never actually do anything to protect myself each day - no need because it's automatic. It turns out in that case my saviour is my auto update for Windows. I also have auto update for McAfee.
In my organisation there have been 20,000 cases of the Blaster worm, because no-one has the auto update turned on ... of course they can't because they don't have Admin access. So the very thing designed to address user-created problems hinders one source of a fix. But that is not enough in and of itself ... most wouldn't know how to turn it on anyway, so I blame my organisation for not having auto update as part of the "locked down" computer image.
Bottom line is that viruses are here to stay, so organisations need to address them, and Microsoft do too. Home users assume their computer is safe and shouldn't have to fix it by themselves.
August 16, 2003 at 12:31 AM in Virus