November 24, 2005
Computer Worm Poses as E-Mail From FBI, CIA
'Sober X' Web Threat Spreads Quickly
By Arshad Mohammed and Brian Krebs
Washington Post Staff Writers
Thursday, November 24, 2005; Page D01
It's being called the worst computer worm of the year -- a fast-spreading Internet threat that looks like an official e-mail from the CIA or FBI but can leave your computer wide open to intruders.
The bogus e-mail claims the government has discovered you visiting "illegal" Web sites and asks you to open an attachment to answer some official questions. If you do, your computer gets infected with malware that can disable security and firewall programs and blast out similar e-mails to contacts in your address book. It can also keep you from getting to computer security Web sites that might help fix the problem, and it may open your Windows computer to intruders who can steal your personal data.
The worm -- named "Sober X" -- has spread so far so fast that the CIA and the FBI put prominent warnings on their Web sites making clear that they did not send out the e-mail and urging people to not open the attachment.
Across the Atlantic Ocean, Austria's equivalent to the FBI is investigating a flurry of similar bogus e-mails sent in its name to people in Austria, Germany and Switzerland, the Associated Press reported.
"This particular virus is a mass-mailer worm and is the largest one we have seen this year," said Alfred A. Huger, senior director of engineering at Symantec Corp., which sells Norton AntiVirus software. "It's as bad as it gets. With this particular type of virus on your system, there is a high probability that your personal information will be stolen."
Craig Schmugar, a virus-research manager at McAfee Inc.'s Avert Labs, said his company, which also makes anti-virus software, had logged more than 73,000 consumer computers reporting detection since the worm was discovered Monday.
British e-mail security company MessageLabs Ltd. said it has intercepted more than 2.7 million copies of Sober and its variants, noting that "the size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months."
Still, the Sober worm was listed as only a "medium-risk" worm by security companies, which noted that it was not as widespread as others in recent years, notably MyDoom, which hit computer systems early last year.
Sober is known to affect only those computers running the Windows operating system. It appears that Apple and Linux computer users were not affected.
The e-mail informs the recipient that the user's "IP-address" has accessed more than 30 illegal Web sites and that the attachment contains a list of questions that need to be answered. The e-mail also includes an authentic phone number for the FBI or CIA.
And that has kept government switchboard operators busy.
FBI operators have been routing calls and complaints to its Internet Crime Complaint Center in West Virginia, which received more than 4,000 complaints about the worm on Monday. The ICC typically receives 18,000 complaints each month, said FBI spokeswoman Cathy Milhoan.
The FBI is investigating the source of the attack, which closely resembles an e-mail worm that surfaced in February, Milhoan said, though she declined to comment on the progress of that investigation.
Brian Krebs is a reporter for washingtonpost.com.
November 24, 2005 at 12:08 AM in Virus
August 17, 2005
Computer virus hits Canadian banks (TheStar.com)
'Worm' attacks businesses that use Microsoft system
An apparently new virus that attacks business computers running Microsoft's Windows 2000 system hit at least two Canadian banks and several U.S. businesses yesterday.
At the Canadian Imperial Bank of Commerce, the Zotob virus affected computers in the trading division and head office.
"There were some temporary outages in isolated parts of our business," said spokesperson Rob McLeod.
Automated bank machines, Internet and phone banking were all fully functional, McLeod said.
"We expect to have functionality in all our areas ... (this) morning."
The virus also hit BMO Nesbitt Burns, but customer service was not affected, said spokesperson Ralph Marranca.
"We got through this with no real impact on our customers."
ABC News, one of the U.S. companies hit by the problem, reported that computers at DaimlerChrysler plants froze for nearly an hour yesterday. Other reports said UPS Inc., General Electric Co., and Caterpillar Inc. had also been affected.
The U.S. Federal Bureau of Investigation said the virus was low-risk and not widespread, but that it would investigate. McAfee Inc., a California-based firm that makes anti-virus software, also described Zotob as low-risk. The origin of the virus is unknown, it said.
Microsoft said on its website that the virus, which installs malicious software and then looks for other computers to infect, takes advantage of a security defect that has already been addressed by a security update.
"Our investigation has determined that only a small number of customers have been affected," Microsoft said.
Star staff and Dow Jones
August 17, 2005 at 10:09 PM in Virus
August 11, 2005
Mobile phone virus infects Helsinki championships (Yahoo! News)
HELSINKI (Reuters) - Visitors to the world athletics championships in Finland have had to brave wind and rain, and officials say they now face the possibility of catching the world's first mobile phone virus.
Officials in mobile-mad Finland, home to the world's largest cellphone maker Nokia, said there had been outbreaks of the Cabir virus at Helsinki's Olympic Stadium.
"At most we are speaking about dozens of infections, but during a short period and in one spot this is a huge number," said Jarmo Koski, a security official at telecoms firm TeliaSonera.
Cabir, first reported in June last year, uses Bluetooth short range wireless signals to jump between cellphones.
That means it can spread over distances of up to 10 metres (30 feet), which in a packed stadium could include dozens of phones.
The recipient needs to accept a download to be infected and, while telecoms security officials say the risk of catching a mobile virus is small, thousands of phones have already been hit around the world.
"There must be a lot of infected phones at the stadium and a lot of Bluetooth traffic," said Antti Vihavainen, head of the mobile unit at antivirus software firm F-Secure.
"It is the early version of Cabir, which can infect only one phone at a time. Later versions of Cabir are much more fierce."
Since it was invented, the virus has so far spread to more than 20 countries, from the United States to Japan and from Finland to South Africa.
F-Secure says there are 55 viruses or other malicious programmes spreading between cellphones and other mobile devices.
Cabir drains the power of the infected phone as it tries to replicate itself on nearby mobiles but the most damaging viruses could disable a phone, requiring a factory reset.
August 11, 2005 at 06:49 PM in Virus
January 10, 2005
New Skulls Cellphone Virus (IT Observer)
Author: Jeremy C. Wright, Staff Writer
Monday, 10 January 2005, 22:00 GMT
A new version of the Skulls smartphone virus has begun to appear on various cellphone download sites. Infected users risk losing all of the data on their phones.
Security firm F-Secure issued a directive earlier this week on the new Skulls.D Trojan. Skulls.D masks itself as a new version of Macromedia's popular Flash animation player for Symbian Series 60 phones, a platform that includes a number of Nokia smartphones.
The virus also puts a version of the SymbOS/Cabir.M worm on the phone and disables system apps and data.
The original virus killed applications and replaced their icons with a skull image. Affected phones display a flashing picture of a skull and include the text "WARNING!!! Device Have been Attact By Virus".
F-Secure has said that their Mobile Anti-Virus was already "capable of detecting the Skulls.D with generic detection even before we got the first sample of this from a customer."
F-Secure Mobile Anti-Virus is also capable of detecting Cabir.M, contained in Skulls.
Once infected, users can either install anti-virus software to disinfect the phone or return their equipment to factory settings, which will destroy their personal data.
F-Secure said it has only had reports of Skulls.D from two people, whose phones were infected after they downloaded an application from a Web forum. Phone owners can reduce the risk of infection by exercising caution, said Mikko Hypponen, the director of antivirus research at F-Secure, which has posted an advisory.
"Be careful about what you download and where you download it from," Hypponen said. "You are most at risk if you are downloading illegal copies of applications, especially from peer-to-peer networks."
Hypponen warned there are likely to be more Skulls in the future. "We are waiting for the next variant," he said.
January 10, 2005 at 11:31 PM in Virus
Microsoft App Aims To Attack Spyware (InformationWeek, January 10, 2005)
Vendor plans release of virus- and worm-cleaning tool, as well
By George V. Hulme
InformationWeek
Spyware will be one of the top security threats business-technology professionals face this year. Last week, Microsoft joined a number of vendors jumping into the anti-spyware market with the beta release of its Windows AntiSpyware application.
Microsoft estimates that one-third of PC crashes can be attributed to spyware infections, says Amy Carroll, director of Microsoft's security business unit. Dell has placed the number of tech support calls attributed to spyware at around 15%.
Spyware and adware have become as much of a problem as viruses, if not more, says Mark Sidden, IT director at textile provider Unifi Inc. "Most of the antivirus applications are fairly mature. That's not true yet with spyware solutions," he says. "The spyware problem caught security vendors off-guard. It'll be a year or more before the tools are probably ready for large businesses."
But the push is on. McAfee Inc. and Symantec Corp. added enhanced anti-spyware features to their security applications last year, while Computer Associates acquired anti-spyware vendor PestPatrol Inc. last summer. Webroot Software Inc. recently released software to help businesses rid their systems of spyware. And in the first half of this year, patch-management software maker Shavlik Technologies LLC will unveil its anti-spyware application designed for businesses.
Windows AntiSpyware, based on technology Microsoft acquired when it bought Giant Company Software Inc. in December, detects and removes known spyware threats from PCs, Carroll says. The application will protect users from more than 50 techniques that Web sites and malicious apps use to plant spyware on PCs. Microsoft won't say if it will begin charging for Windows AntiSpyware after the beta program. "We want to get the beta out there to focus on customer feedback," Carroll says, adding that specific decisions about the final product haven't been made.
Microsoft also will release a malicious-software-removal tool on Jan. 11. The software will help users remove viruses and worms such as Blaster and Download.Ject from infected PCs. The virus- and worm-cleaning tool will be updated monthly or as needed if a fast-spreading outbreak occurs, Carroll says.
There has been a lot of speculation about if and how Microsoft would begin selling antivirus security software for what Merrill Lynch projects will be a $395 million market this year. In June 2003, Microsoft bought the intellectual property and technology assets of Romanian antivirus company GeCAD Software Srl. Before that, Microsoft acquired Israeli security software startup Pelican Security, which developed software that determines the behavior of applications and stops malicious activity.
Industry analysts are skeptical that Microsoft will immediately target Windows AntiSpyware for business use. "The initial impact will be purely consumer and home offices, but by 2006 small and midsize businesses could begin using Microsoft," Gartner analyst John Pescatore says. "It won't be until after Longhorn ships that enterprises begin to take a look at Microsoft as a security provider."
If Microsoft is to succeed at becoming a trusted provider of security software, the company will have to overcome the perception held by many that it's scrambling to fix a problem created by the security flaws in its own software. "They're sending out a program to fix their own programs," says Glenn Wright, senior telecommunications technologist for the Delaware department of technology and information. Says Wright: "You don't want a bug to fix a bug."
January 10, 2005 at 01:46 AM in Virus
November 22, 2004
In cyberspace, a dark alliance (csmonitor.com)
By Gregory M. Lamb | Staff writer of The Christian Science Monitor
For years, they worked in shadowy corners of the electronic world. Spammers tried to get around filters and other network defenses to plant their junk e-mail. Virus writers exploited computers to take them over. Now, they're starting to work together.
Their emerging alliance is straining already embattled spam and virus defenses. For users, it means the Internet has grown more risky.
"They're learning from each other," says John Pironti, a security consultant at Unisys, the multinational information technology company. "The collaboration has begun."
Internet security experts are fighting back in the ongoing arms race of attack and defend. But right now the criminals are on the offensive. "We're way behind," says Stefan Savage, a computer science professor at the University of California at San Diego. Since 2001, he says, there have been "incredible advances in sophistication on the part of the bad guys. And yet what we do to defend is pretty much what we did five years ago."
Statistics seem to back him up. Today, not only is 63 percent of all e-mail spam, but 1 in 12 e-mail messages contains a virus, says MessageLabs, an e-mail security firm. That's a dramatic change from 20 years ago, when computer viruses spread slowly within limited networks or on floppy disks that had to be manually moved between machines. Today, the Internet zips these programs around the world at light speed.
Viruses can now enter computers as programs attached to e-mails sent by spammers. Once embedded in a machine, the viruses return the favor. By secretly taking control of computers, the viruses can create networks of "bots," programs that turn computers into "zombies." These computers are then employed by spammers to send out floods of anonymous spam messages.
These spams often include "phishing" scams - e-mails that appear to be from a bank or credit-card company but are really trying to steal account passwords or other financial information. Phishing has victimized some 1.8 million consumers and cost banks and credit-card issuers nearly $1.2 billion in the past year, estimates Symantec, a maker of computer-security software in Cupertino, Calif.
In the first half of 2003, the average number of bot networks monitored per day by Symantec was 2,000. By the first half of 2004, the number mushroomed to 30,000. Each bot network can contain thousands of infected computers.
Motivations have changed too. Early virusmakers wanted to show off. Today, criminals target individuals and businesses to try to make easy money. "We've definitely seen the motivation shift," says Brian Czarny, vice president of marketing at MessageLabs. His company first started noticing spammers and virusmakers working together back in the spring of 2003, he says. "Since then, it's grown exponentially."
Outlaws at the cafe
Setting up in an Internet cafe anywhere in the world, these pirates can hit and run in a matter of hours. "They get somebody's identity, clear out their bank account, and then take off," Mr. Czarny says.
Other criminals hunt for personal data or a company's intellectual property for the purposes of extortion. "They send tidbits back to the organization and say, 'Look, I have your stuff,'" says Mr. Pironti, and then threaten to post the material on the Internet if their demands aren't met. In one recent example a British man was arrested last month in connection with stealing source code from Cisco Systems.
Big companies already spend a lot of time and money on state-of-the-art computer security. But in a new twist, criminals are sneaking in by attacking the less formidable defenses of smaller vendors who are linked into corporate computer networks. "That's one of our biggest challenges right now," Pironti says.
Not only are attacks more frequent and malicious, they're more skillful too. Some viruses are "sleepers" that quietly embed themselves in a computer system for months before starting up, Pironti says. That way they become copied onto the backup version of the operating system, making them very difficult to root out. Once activated, they can also "phone home" to get new instructions.
The speed of virus attacks and the skill of the virusmakers today require new defense strategies, says Professor Savage, who is also the project director of the Center for Internet Epidemiology and Defenses. The virus-fighting initiative, funded by a $6.2 million grant from the National Science Foundation, officially begins this month.
Fast virus, slow response
Even top-notch computer scientists may take hours to design a "patch" to stop a virus, a response time that's far too slow, Savage says. The Slammer worm, for example, doubled in size every 8.5 seconds and spread around the world within 10 minutes. "At these kinds of speeds, any solution that involves a human in the loop, which is our state of the practice today, isn't going to fly," he says.
Savage and his partner, Vern Paxson at the International Computer Science Institute in Berkeley, Calif., have set two goals for their center: One is to understand better how worms and viruses spread, accumulating minute detail on their limitations and characteristics. They also want to better predict how fast a virus will spread and how destructive it will be.
Using that knowledge, they hope to build fully automated defenses "that take whole classes of attacks off the playing field, as opposed to addressing one particular attack that happened last week," he says. Right now, "it's like you're constantly trying to come up with a flu vaccine, but a new version [of flu] is coming out every day."
He and Dr. Paxson have been working on concepts such as "content sifting" and "scan detection," ways of identifying "very untypical behavior" of computers - such as suddenly contacting thousands of other computers - before an actual virus is discovered. They've been able to detect signs that a virus was at work 12 hours before the virus was found. Their aim is to identify a new class of worms or viruses and devise a way to block it in less than a minute.
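Toy versions of the two behavioural detectors named above, "scan detection" (a host suddenly contacting far more distinct machines than usual) and "content sifting" (a payload substring that is both prevalent and widely dispersed across sources and destinations), run over constructed flow records. This is an added example, not code from the article or from the Center for Internet Epidemiology and Defenses; the record format, thresholds and sample traffic are assumptions.

```python
"""Added example: scan detection and content sifting over constructed flows."""
from collections import defaultdict, deque

SCAN_WINDOW_SECONDS = 10   # assumed window for "suddenly contacting many hosts"
SCAN_DISTINCT_DST = 20     # assumed number of distinct destinations that is abnormal
SHINGLE_LEN = 8            # assumed length of payload substrings to sift
SIFT_MIN_FLOWS = 10        # assumed prevalence threshold (flows carrying a substring)
SIFT_MIN_SRC = 3           # assumed dispersion thresholds (distinct sources/destinations)
SIFT_MIN_DST = 10


def build_sample_flows():
    """Constructed records (time_s, src, dst, payload); not real traffic."""
    flows = []
    # Benign client: repeatedly talks to the same three servers with varied content.
    for t in range(60):
        flows.append((t, "10.0.0.5", "192.0.2.%d" % (t % 3 + 1), b"GET /page%02d" % t))
    # Three infected hosts each blast one identical payload to many addresses.
    payload = b"\x90" * 4 + b"WORMSTUB" + b"\x90" * 4   # constructed marker, not a real worm
    for i, src in enumerate(["10.0.0.9", "10.0.0.12", "10.0.0.13"]):
        for n in range(30):
            flows.append((40 + i + n * 0.2, src, "198.51.100.%d" % (n + 1), payload))
    return sorted(flows)


def detect_scanners(flows, window=SCAN_WINDOW_SECONDS, threshold=SCAN_DISTINCT_DST):
    """Return {src: time_of_first_alert} for sources that contact at least
    `threshold` distinct destinations within any sliding window of `window` seconds."""
    recent = defaultdict(deque)                    # src -> deque of (time, dst) in window
    counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> hits inside window
    alerts = {}
    for t, src, dst, _ in sorted(flows):
        q, seen = recent[src], counts[src]
        while q and t - q[0][0] > window:           # expire records that left the window
            _, old_dst = q.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        q.append((t, dst))
        seen[dst] += 1
        if len(seen) >= threshold and src not in alerts:
            alerts[src] = t
    return alerts


def sift_content(flows, k=SHINGLE_LEN, min_flows=SIFT_MIN_FLOWS,
                 min_src=SIFT_MIN_SRC, min_dst=SIFT_MIN_DST):
    """Return payload substrings of length k that are both prevalent (carried by
    many flows) and dispersed (many distinct sources AND destinations).
    A benign string repeated by one client to a few servers fails the dispersion test."""
    prevalence = defaultdict(int)
    srcs, dsts = defaultdict(set), defaultdict(set)
    for _, src, dst, payload in flows:
        # Count each substring once per flow, however often it repeats inside it.
        for s in {payload[i:i + k] for i in range(len(payload) - k + 1)}:
            prevalence[s] += 1
            srcs[s].add(src)
            dsts[s].add(dst)
    return sorted(s for s in prevalence
                  if prevalence[s] >= min_flows
                  and len(srcs[s]) >= min_src and len(dsts[s]) >= min_dst)


if __name__ == "__main__":
    sample = build_sample_flows()
    for host, when in sorted(detect_scanners(sample).items()):
        print("scan alert: %s reached %d distinct destinations at t=%.1fs"
              % (host, SCAN_DISTINCT_DST, when))
    for sig in sift_content(sample):
        print("content signature candidate:", sig)
```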
Disruptive by design
While thinking of these Internet-borne attacks as "viruses" is a helpful model, it isn't perfect, Savage points out. A computer virus is used by people who, like bioterrorists, have a malicious intent. It's not a random act of nature, he says.
Virusmakers also monitor online discussions about new defense techniques to learn how to get around them. Savage says he doesn't want to release information that can help attackers, but in the end, sharing information among colleagues will build the strongest defenses. "We're not going to be keeping all this stuff secret," he says.
While all attacks may never be stopped, he says he'll be satisfied if he can limit them to those from only a few really talented, if malevolent, people. "A 12-year-old shouldn't be able to take down the Internet," he says.
Growing danger of spam
Not only is the stream of junk e-mail, or spam, rising, but an increasing share of the messages contain viruses, security firms warn. Among their findings:
• Nearly two-thirds - 63.5 percent - of e-mail in the first half of this year was spam, according to one analysis. That's up from 37.9 percent in 2003 and 1.5 percent in 2002.
• In January, 1 out of every 129 of those e-mails contained a virus; by June, 1 in 10 had one.
• The most common virus found in e-mail was the Netsky.P worm, which accounted for 28.4 percent of all viruses discovered in August.
• US sites originated 42 percent of August's spam, followed by South Korea and China (14 percent) and Brazil (4 percent).
Sources: MessageLabs, Postini
November 22, 2004 at 12:05 AM in Virus
November 01, 2004
Gotcha! The spyware epidemic (TheStar.com)
U.S. survey found it on 80 per cent of computers
Once on your PC or Mac, it can render it unusable
ANICK JESDANUN
ASSOCIATED PRESS
NEW YORK—David Eckstein turned on his computer one day and launched his Web browser, just as he had every day. This time, however, CNN.com did not automatically open. Instead, the page was a search engine he'd never heard of.
Eckstein tried changing the browser settings back to CNN but the search engine would return whenever he rebooted. Finally, he just gave up.
The San Francisco marketing consultant is yet another victim of spyware, an amorphous class of software that mostly gets on to people's computers without their knowledge. It is often so resource-hungry that it renders the machines unusable.
"It makes you want to throw your computer out the window," Eckstein said.
In the past year, the problem has become epidemic as people spend more time online and spyware developers get more aggressive.
"It makes spam look like a walk in the park," said Bob Bowman, chief executive of Major League Baseball's Internet unit, which in June started banning new advertisers from using such techniques.
As part of a government-backed study, technicians visited Jenna Dye recently in Young Harris, Ga., and found 1,300 spyware-related items on her machine.
"It would shut itself down in the middle of doing stuff. We had lots of pop-ups. The (CD-ROM) drawers would pop open," the mother of two complained. "It's frustrating. We spent $1,800 on our computer and we didn't want to use it."
Until the machine was cleaned up, Dye and her husband would make 2 1/2 hour trips to the nearest mall to avoid shopping online. "We use it every day now again," she said.
Spyware was found on the computers of 80 per cent of participants in the study, conducted by America Online Inc. and the National Cyber Security Alliance.
Since EarthLink Inc. began offering free anti-spyware tools, each scan has found an average of six such programs. When including "cookie" data files that online sources use to track user behaviour, the average rises to 26.
The most common type of spyware is more properly termed adware, its main goal to generate pop-up and other ads.
Browser hijackers, the kind Eckstein got, direct users to rogue search engines, from which spyware developers or distributors get a commission. Dialers scam users by making international phone calls that carry hefty per-minute surcharges. A rare but malicious form can steal passwords and other confidential data.
The intrusive programs aren't always well-written and can use resources inefficiently.
"Often, you don't just have one. You might have a half-dozen or even a dozen that can bring your computer to a screeching halt," said Tim Lordan, staff director of the Internet Education Foundation. "They are undermining confidence in the Internet. People are getting fed up."
The most common way to get spyware, including adware, is to download file-sharing software, screensavers and other free programs that rely on revenues from such tag-along programs to cover costs. Spyware developers consider it part of the bargain, though they also depend on users' fascination with freebies.
"A lot of them say, 'I'm going to get free smileys in my e-mail or some sort of free ... download' without realizing the resource drain the sponsoring software is going to cause," said Wayne Porter, co-founder of SpywareGuide.com.
Users themselves invite spyware by breezing through prompts and not reading licensing agreements they are required to accept. Consent to spyware is often buried there.
Many of the larger companies whose software is delivered online with freebies have tried to clean up their act to the point that many don't actually harvest data anymore, though the term "spyware" has stuck.
And their methods for disclosure and removal have improved in response to consumer complaints.
But for every reputable operation, scores of shadier ones, often located abroad, are intent on tricking users into accepting spyware without any accompanying software.
In a technique known as drive-by downloading, code embedded within pop-up ads or on Web sites that offer free songs, games or even pornography can instruct computers to begin downloading the rogue programs with minimal warning.
Sometimes, those warning prompts even are programmed to keep popping up until users finally give up and say "yes," said Neel Mehta of Internet Security Systems Inc.
And exploiting known flaws with Microsoft Corp.'s Windows operating system or the Internet Explorer browser, spyware developers can bypass the prompts entirely.
"In the rush of doing things, people get confused and end up hitting one wrong button, and all of a sudden stuff is on your computer and you can't get it off," restaurant manager Damien LaRuffa said.
His Washington, D.C., restaurants lost two computers for a few days because an assistant manager apparently was tricked into accepting a fake pitch for anti-spyware software. LaRuffa said the repair bill exceeded $400.
Matt Davin, technical services manager at a repair shop in Walla Walla, Wash., estimates that half his jobs are directly tied to spyware. Customers, he said, often blame it on their kids downloading free programs.
Spyware can infect power users as well. Just ask Ricky Rodrigue, who runs Dell Inc.'s customer support centre. His son invited spyware onto his home machine while downloading games, and he once found more than 100 spyware items on his work machine.
"That's how creative (they are) and how challenging it is to protect PCs," Rodrigue said.
The less innocuous programs can usually be removed manually or by running one of several anti-spyware tools, many free. The nastier ones, however, immunize themselves and persist.
"Almost every new threat released today comes with a reinstaller so that as soon as you try to remove it, it goes and reloads it," said Ron Franczyk, co-founder of anti-spyware vendor Giant Company Software Inc.
Many spyware files carry names that mimic key Windows components and even hide among them in folders typically reserved for system files.
"How do you know if you need a spool.exe?" asked Vilis Ositis, chief technology officer at Blue Coat Systems Inc. "Windows comes with thousands of files. How do you know which ones you need and which ones are spyware?''
The U.S. Congress is working on a ban, and industry groups have launched efforts to educate consumers and fight back with technology. Experts believe a solution will ultimately involve a combination of law enforcement, education and engineering.
"We're at a crossroads," said Ari Schwartz, associate director of the Centre for Democracy and Technology, a privacy-advocacy group.
Fail to properly address spyware, Schwartz warned, and "users will not want to use the Internet for commerce, for government services, for interaction with other people. We'll lose the great potential of the Internet."
November 1, 2004 at 07:57 AM in Virus
October 30, 2004
New Worm Variant Spreads, Clogging E-Mail (Yahoo! News)
Fri Oct 29, 9:31 PM
By CHRISTINE NUZUM, Associated Press Writer
NEW YORK - At least one new variant of a worm spread rapidly from Asia and Europe to U.S. computers Friday morning, filling up people's e-mail accounts, but otherwise causing little apparent damage.
Alex Shipp, senior antivirus technologist at the e-mail filtering company MessageLabs Inc., said the variant of the so-called Bagle worm was "comparable in size to MyDoom," the virus that slowed Google and other Internet search sites in January. MessageLabs recently had received about 900,000 e-mails containing the virus. Shipp estimates that MessageLabs receives about 1 percent of the e-mails containing a given virus or worm.
"We were seeing 165,000 an hour, but it's leveled off at 100,000 an hour, if you can call that leveling off," Shipp said.
Because multiple e-mails containing a worm or virus are often sent to one computer, it's difficult to estimate the number of affected users, said Shipp.
One software security company, McAfee Inc., said another variant of the Bagle worm was also quickly spreading Friday, but similarly did not seem to be destroying files or damaging software.
Both versions can be transferred through shared network files as well as through e-mail.
They attach themselves to files and then send themselves to e-mail addresses that they find on infected machines. Viruses or worms often use e-mail addresses from computers they infect to fool the recipients into opening an attachment.
If a recipient opens the attachment, the worm creates a so-called backdoor, "a small program that sits on your machine quietly listening for someone to contact it," said Kevin Hogan, senior manager of security response at Symantec Corp. A computer user who contacts the backdoor can transfer files between his machine and the infected one, Hogan said. The worm variants can also disable security software, experts said.
"It's pretty much a vanilla mass-mailing worm," said Hogan. "It does a lot of the things that we've seen these sorts of worms do in the past."
McAfee first received reports of the worm variants from Europe. Symantec said the first complaints it fielded were from Japan. Antivirus providers received a rash of reports of a worm in the United States at the start of the workday Friday.
Symantec, McAfee and Computer Associates International Inc.'s eTrust division had received no reports Friday of disabled files or other damage.
Much of the standard security software can readily detect and protect against these latest variants of the Bagle worm, which spreads through shared network files as well as e-mail messages, experts said.
"Most of the major antivirus vendors already have detection and so does Computer Associates," said Stefana Ribaudo, product manager for consumer products at Computer Associates' security division. "Users are receiving the latest signature files from their vendors, which will keep them protected."
McAfee said computer users who don't subscribe to antivirus software can go to its Web site and download a free remedy, called "Stinger," that will detect and remove the worm.
Christine Nuzum is a correspondent for Dow Jones Newswires.
October 30, 2004 at 01:38 AM in Virus
October 26, 2004
Security for Internet Users Deemed Weak (Yahoo! News)
Mon Oct 25,10:00 AM
By TED BRIDIS, AP Technology Writer
WASHINGTON - Internet users at home are not nearly as safe online as they believe, according to a nationwide inspection by researchers. They found most consumers have no firewall protection, outdated antivirus software and dozens of spyware programs secretly running on their computers.
One beleaguered home user in the government-backed study had more than 1,000 spyware programs running on his sluggish computer when researchers examined it.
Bill Mines, a personal trainer in South Riding, Va., did not fare much better. His family's 3-year-old Dell computer was found infected with viruses and more than 600 pieces of spyware surreptitiously monitoring his online activities.
"I was blown away," Mines said. "I had a lot of viruses and other things I didn't know about. I had no idea things like this could happen."
The Internet always has had its share of risky neighborhoods and dark alleys. But with increasingly sophisticated threats from hackers, viruses, spam e-mails and spyware, trouble is finding computer users no matter how cautiously they roam online.
The technology industry is feeling the pain, too.
Spurred by the high costs of support calls from irritated customers — and fearful that frustrated consumers will stop buying new products — Internet providers, software companies and computer-makers are making efforts to increase awareness of threats and provide customers with new tools to protect themselves.
Still, many computer users appear remarkably unprepared for the dangers they face.
The study being released Monday by America Online and the National Cyber Security Alliance found that 77 percent of 326 adults in 12 states assured researchers in a telephone poll they were safe from online threats. Nearly as many people felt confident they were already protected specifically from viruses and hackers.
When experts visited those same homes to examine computers, they found two-thirds of adults using antivirus software that was not updated in at least seven days.
Two-thirds of the computer users also were not using any type of protective firewall program, and spyware was found on the computers of 80 percent of those in the study.
The survey participants all were AOL subscribers selected in 22 cities and towns by an independent market analysis organization.
The alliance, a nonprofit group, is backed by the Homeland Security Department and the Federal Trade Commission, plus leading technology companies, including Cisco Systems, Microsoft, eBay and Dell.
The group's chief, Ken Watson, said consumers suffer from complacency and a lack of expert advice on keeping their computers secure. "Just like you don't expect to get hit by a car, you don't believe a computer attack can happen to you," Watson said.
"There really is quite a perception gap," agreed Daniel W. Caprio, the Commerce Department's deputy assistant secretary for technology policy. "Clearly there is confusion. We need to do a better job making information and practical tips for home users and small businesses available."
Wendy Avino, an interior decorator in Lansdowne, Va., said researchers found 14 spyware programs on her borrowed laptop and noticed that her $50 antivirus software was not properly configured to scan her computer at least monthly for possible infections.
"We don't go in funny chat rooms, I don't open funny mail," Avino said. "If it says 'hot girls,' I delete it. We do everything in the right way, so how does stuff get in there?"
She complained she was misled into believing her commercial antivirus and firewall programs would protect her from all varieties of online threats; most do not detect common types of spyware.
"It is very complicated for the average home user," said Ari Schwartz, an expert on Internet threats for the Center for Democracy and Technology, a Washington civil liberties group.
"There's a lack of accountability all around, from consumers who don't believe they should have to do this to companies who blame the consumer. It's finger-pointing back and forth," Schwartz said.
Microsoft's chairman, Bill Gates, said the company spent nearly $1 billion on its recent upgrade to improve security for customers using the latest version of its Windows software.
AOL purchased full-page advertisements in major newspapers this month pledging better security for its subscribers. Dell has begun a campaign to educate customers how to detect and remove spyware themselves.
The government is increasingly involved, too.
The FTC this month filed its first federal court case over spyware. The House overwhelmingly approved two bills to increase criminal penalties and fines over spyware. The Homeland Security Department offers free e-mail tips for home Internet users to keep themselves secure.
___
On the Net:
Cyber Security Alliance: www.staysafeonline.info
Homeland Security tips: www.uscert.gov
October 26, 2004 at 07:43 AM in Virus
August 19, 2004
UK banks and police warn of new Trojan banking threat
finextra news: UK banks and police warn of new Trojan banking threat
13 August 2004 - The National Hi-Tech Crime Unit and UK payments association Apacs are alerting consumers to a new Trojan e-mail attack targeting online banking customers.
The spam e-mails contain details of a fictitious order for Web hosting or computer goods and credit card billing information.
The e-mail also contains a link to a Web address in order to view the order in more detail. The site, which appears to be under construction, exploits vulnerabilities in unpatched versions of Internet Explorer to download malicious software to user computers.
The next time the customer uses their computer to access their own online banking site, the Trojan can potentially record the secret passwords and PINs used to log on. In addition, the code opens a backdoor for the attacker to assume remote control of the end-user machine.
Detective chief superintendent Len Hynds, head of the NHTCU comments: "The NHTCU is continuing to work hard to bring the perpetrators of these elaborate scams to justice. The criminals behind these attacks are constantly evolving their techniques and changing tactics to target a wider range of victims."
August 19, 2004 at 07:26 AM in Virus
August 18, 2004
E-Mail Viruses Getting Smarter, Report Says
Yahoo! News - E-Mail Viruses Getting Smarter, Report Says
Tue Aug 17, 10:07 PM ET
SAN FRANCISCO (Reuters) - Computer viruses spread by e-mail are growing more sophisticated as virus writers and "spammers" are thought to be joining forces in an effort to make smarter bugs, a computer security group said on Tuesday.
New York-based MessageLabs, which scans client e-mails for viruses to block, said it picked apart some 5.6 billion e-mails from January to June this year and found 1-in-12 contained some sort of virus that penetrated firewalls meant to block them.
MessageLabs typically scans about 50 million customer e-mails daily, and its customers include major government and corporate entities from the British government to The Bank Of New York and Japanese technology giant Fujitsu Ltd. (6702.T).
While the number of e-mails sent globally was not covered by the study, the problem of computer viruses can be massive. They can overload computers with messages, automatically reboot systems and sometimes disable them.
In August last year, the "Blaster" worm spread rapidly around the world, infecting some 230,000 to 300,000 computers, based on estimates from sources ranging from U.S.-based Symantec Corp. to Moscow's Kaspersky Labs.
Soon after, a worm called "SoBig.F" raced around the globe crashing e-mail networks. At that time, America Online said it blocked 23.2 million copies of SoBig.F, and MessageLabs said about 1-in-17 e-mails were infected by the virus.
A separate MessageLabs study in the first six months of 2003 showed that 1-in-208 e-mails contained a virus, up from a ratio of 1-in-392 for the first six months of 2002.
MessageLabs said it believes the biggest e-mail security threat during the first half of 2004 was closer cooperation between virus writers and spammers, writers of unsolicited messages that often advertise products or get people to spend money.
The reason the two groups are getting together is profit, MessageLabs has learned through monitoring chat rooms to infiltrate the secretive world of virus writers and spammers.
With the recent proliferation of software blocking spam, the spammers are paying virus writers to create viruses that attach to their e-mails and circumvent the spam blockers.
MessageLabs said its employees who monitor chat rooms have learned that virus writers and spam writers are increasingly exchanging messages about joining ranks.
"There is little or no monetary profit to be gained from simply distributing viruses, but when you combine the capabilities of a virus and the profit that can be earned from spam, suddenly you have an altogether more materialistic proposition," MessageLabs said in its report.
MessageLabs said its belief about the increasing cooperation was based both on its research through its clients and on industry research.
August 18, 2004 at 03:08 PM in Virus
August 13, 2004
Peer-to-peer networks carry surprising cargo
By Ina Fried, CNET News.com
The latest Windows patch is being distributed on networks better known for their illegal content
Advocates of file sharing are distributing the latest Windows update in an effort to show that peer-to-peer networks could play a legitimate role in the distribution of commercial software.
Peer-to-peer advocacy group Downhill Battle has made a copy of Microsoft's Windows XP Service Pack 2 available at a site called SP2torrent.com through the BitTorrent file-sharing system.
"Now is a crucial time to demonstrate ways that peer-to-peer can be useful," Downhill Battle co-founder Nicholas Reville told ZDNet UK sister site CNET News.com. "We are facing a situation where Congress is seriously considering outlawing peer-to-peer for all intents and purposes."
Reville said he was referring to the Induce Act, a bill before Congress that says "whoever intentionally induces any violation" of copyright law is liable for that infraction.
In addition to distributing SP2, Downhill Battle also used peer-to-peer technology to distribute video of the congressional hearings on the Induce Act.
By distributing Microsoft's code, the group might be putting itself in violation of other laws, analysts say. Although the SP2 upgrade is free, the peer-to-peer distribution of it could well be in violation of Microsoft's licence agreement.
The software maker declined to comment specifically on Downhill Battle's action but reiterated that it feels the best way for consumers to get SP2 is to turn on the Automatic Upgrade feature in Windows and wait for the update to be pulled down automatically.
"We are always looking at ways of doing it," said Stephen Toulouse, security program manager at Microsoft. "The challenge with peer-to-peer is that you never know what you are getting."
Downhill Battle's effort plays on the fact that although the SP2 code was released to PC makers last week, Microsoft has said it will not be available for manual download until later this month.
Indeed, what Downhill Battle is distributing is not the individual PC download of the upgrade -- which is still not available -- but rather the network installation kit that Microsoft released on Monday for IT professionals. That download, which is roughly 270 megabytes, is more than three times larger than the download the typical user would get via automatic update and is designed for companies that need to upgrade many machines running different versions of Windows XP.
The network installer is also freely downloadable directly from Microsoft, though the company has posted a warning that it is not intended for individual users to upgrade their machines.
"Do not click 'Download' if you are updating just one computer," Microsoft states in bold, capital letters. "A smaller, more appropriate download will be available soon on Windows Update."
The demand from enthusiasts for individual upgrades comes as many corporations are opting to test, rather than quickly roll out, the security-oriented update.
Reville said the fact that Microsoft is taking weeks to get the software to users is a sign that there is an opportunity for file sharing to play a part.
"Even Microsoft -- the biggest of the big -- is rolling this out gradually," he said. "The combined power of every Internet user with a broadband connection is bigger even than Microsoft."
Analysts say that may be true, but there are other issues at play.
"There's a certain logic to that," Jupiter Research analyst Michael Gartenberg said. "Of course, that gets balanced against, 'How do I make sure that I am getting Service Pack 2 unmodified as opposed to something that might have a virus or a Trojan horse linked to it?'"
And there is little benefit to the consumer, Gartenberg said.
"It's certainly not going to come any faster," he said. "As long as a company like Microsoft has resources to download this type of content, there is no reason for consumers to want to turn to a peer-to-peer method."
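The question Gartenberg raises, how a downloader knows the copy is the unmodified SP2 rather than something with a Trojan horse attached, has a concrete answer: compare a digest of what arrived with a digest the publisher distributes over a channel the peer cannot touch. The following is an added example, not code from Microsoft, Downhill Battle or the article; the installer bytes and the "published" hash are constructed stand-ins so that it runs offline.

```python
import hashlib
import hmac
import io

# Constructed stand-ins (assumption): GENUINE plays the role of the installer,
# PUBLISHED_SHA256 the role of a digest the publisher posts on its own site.
GENUINE = b"Windows XP SP2 network installer stand-in\n" * 4096
PUBLISHED_SHA256 = hashlib.sha256(GENUINE).hexdigest()


def sha256_of_stream(stream, chunk_size=65536):
    """Hash a file object in chunks so a multi-hundred-megabyte file never has to be read at once."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def digest_bytes(data):
    """Convenience wrapper for in-memory data; same result as hashing a file."""
    return sha256_of_stream(io.BytesIO(data))


def verify_download(data, expected_hex):
    """True only if the digest of what arrived matches the publisher's digest.

    compare_digest avoids leaking where the comparison diverged; it is cheap
    insurance even though a digest is not a secret.
    """
    return hmac.compare_digest(digest_bytes(data), expected_hex.strip().lower())


def trojaned_copy(data, offset=4096):
    """Flip one bit to model a copy altered by a peer or in transit."""
    patched = bytearray(data)
    patched[offset] ^= 0x01
    return bytes(patched)


if __name__ == "__main__":
    print("genuine copy verifies:", verify_download(GENUINE, PUBLISHED_SHA256))
    print("tampered copy verifies:", verify_download(trojaned_copy(GENUINE), PUBLISHED_SHA256))
```

Two caveats matter in practice. BitTorrent's own piece hashes only prove that the download matches the .torrent file, and that file was made by the uploader, not by Microsoft, so a digest posted beside the torrent proves nothing; the reference digest has to come from the publisher's own site or a signed notice. Second, a single flipped bit anywhere in the file, as the tampered copy shows, is enough to fail the check, which is exactly the property a trojaned installer cannot evade.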
The move is also a bit of a twist for BitTorrent, which is often used to distribute various versions of the open-source Linux operating system. Even in posting SP2, Downhill Battle worked in a plug for Linux.
"And since we're fervent advocates of open-source software around here, SP2torrent.com wouldn't be complete (without) a link to Knoppix, the zero-commitment Linux Live CD."
Wednesday August 11, 09:00 AM
August 13, 2004 at 01:40 PM in Virus
August 10, 2004
New Bagle Variant Sweeps the Internet
Yahoo! News - New Bagle Variant Sweeps the Internet
Tue Aug 10, 3:06 PM
Erika Morphy, www.newsfactor.com
Antivirus companies are sounding the alarm about a new variant from the long-lived Bagle virus family: On Monday, Bagle.AM, also known as "Bagle.AQ" and "Bagle.AC," began spreading rapidly and infecting users.
Due to the high number of incidences, antivirus firms are ranking this new virus on the higher end of the threat spectrum.
Mass-Mailing Threat
Bagle.AQ is a mass-mailing threat that contains its own SMTP engine to construct outgoing messages, according to McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team). The virus mass mails itself to addresses harvested from local files. It produces a message with a spoofed "From" address and contains a remote-access component -- with the notification sent to the hacker. It then copies itself to folders that have "shar" in the name, typically found in P2P applications, such as Kazaa, Bearshare and LimeWire.
The worm sends out a ZIP file that contains an HTML file. On vulnerable systems, it automatically runs an EXE file that is a downloader Trojan. The downloader Trojan then contacts a large number of remote Web sites to retrieve the virus itself.
"Users should be very wary and should most likely delete any e-mail containing 'From: (address is spoofed); Subject: (blank); Body Text: * new price,'" McAfee said.
The virus also has been successful in shutting down various security processes, Panda Software CTO Patrick Hinojosa told NewsFactor. "That is why it was able to spread so quickly. It had a chance to really jumpstart infections."
The virus was already at the top of the list of 20 most-detected viruses this month, Hinojosa said.
Suspicious Timing
So far it does not appear as though the worm was designed to initiate a denial of service attack against a company. "It was obviously a launched worm," Hinojosa says, "aimed at individual machines."
The timing is a little suspect, though, considering the ire most hackers have towards Microsoft. "Microsoft came out with its new security service pack on the same day, so I am assuming this was done to take a shot at Microsoft," Hinojosa says.
August 10, 2004 at 08:13 PM in Virus
July 19, 2004
First Pocket PC virus discovered
BBC NEWS | Technology | First Pocket PC virus discovered
The first virus to attack handheld computers running Microsoft's Windows Pocket PC software has been found.
It is called "Duts", and its existence has been revealed by the Romanian security firm BitDefender.
The company said the virus posed no threat and was produced only as a "proof of concept" by its creators.
The program comes from the same virus writing group that put together similar code that could spread between smartphones running Symbian software.
Polite virus
BitDefender said Duts had been created by someone calling themselves Ratter, who was part of the 29A VX virus writing group.
In a statement, the company said the author had written the code to show that it was possible to create programs that could spread via handhelds and mobile devices running the cut-down version of Windows.
BitDefender estimated that there were about 17 million Windows Pocket PC devices in use around the world.
The company said: "The code was first sent to anti-virus experts instead of being released in the wild."
The virus has been written to be polite as it asks permission to spread to a new host when infected applications are being run.
"You're more likely to have a meteorite strike your house than be hit by this virus," said Carole Theriault, anti-virus consultant for Sophos.
"Owners of PDAs running the Pocket PC operating system should not lose any sleep over this virus, although it might be a taste of things to come in the future."
Mobile bugs
The virus is named after a technology called Dust dreamed up by science-fiction writer Greg Egan in his novel Permutation City.
However, the privilege of naming viruses rests with the anti-virus firms, which have decided to call it Duts.
Last month, the 29A group released another proof-of-concept virus called Cabir that was aimed at devices using the Symbian operating system.
Phones vulnerable to this virus include Nokia's 3650, 7650 and the N-Gage gaming/mobile hybrid.
The Cabir virus uses the Bluetooth short-range radio system to spread between devices and disguises itself as a security program. It also asks permission to install itself.
Any device running Symbian's Series 60 software could be vulnerable, but anti-virus firms say there is little evidence that the virus is spreading in the wild.
July 19, 2004 at 07:23 PM in Virus
June 16, 2004
World's First Mobile Virus Is Not Lethal, Yet
Yahoo! News - World's First Mobile Virus Is Not Lethal, Yet
By Lucas van Grinsven, European Technology Correspondent
AMSTERDAM (Reuters) - A group of underground virus writers has showed off what is believed to be the world's first worm that can spread on advanced mobile phones, but security software companies say the virus had no malicious code attached.
The worm, named Cabir, was sent to security software firms Kaspersky Lab of Russia and U.S.-based Symantec by a member of 29a, a group of virus writers from the Czech Republic and Slovakia who pride themselves on creating "proof of concept malicious viruses," Kaspersky Labs spokesman Denis Zenkin said.
"This is the very first version of a network worm which propagates via mobile phones," he said on Wednesday.
The worm is designed to work in smartphones running on Symbian and Series 60 software, Symantec said on its Web site.
This software is used to power millions of Nokia phones, such as the popular 6600 model.
Nokia was not immediately available to comment.
The worm is not regarded as dangerous because even if it spreads it carries no code that destroys files or executes other damaging operations, the security software firms said. The virus attempts to jump from phone to phone by using the handset's wireless short-range Bluetooth connection. It scans the environment for other Bluetooth-enabled devices.
Once it has found one, it sends itself disguised as a security file. The file must be accepted by the mobile phone owner and then installed before it can propagate.
Mobile viruses will become more dangerous when they can spread without human intervention, said Matias Impivaara, business manager for mobile security services at Finnish security software firm F-Secure.
"The main (turning) point will be when the virus-writing community knows the software well enough... to find holes," he said.
"The information about the (Symbian) operating system is very close to the hands of the virus writers.... (Cabir) could be a trigger to start developing these ideas earlier."
A spokesman at London-based technology firm Symbian said that, unlike personal computers, it was not possible to penetrate the software of its smartphones without approval.
"But we can never say it's not going to be possible. Smartphones have been designed... as open, programmable networked devices," he said, adding that users should be careful before accepting to install new software. (Additional reporting by Brett Young in Helsinki)
June 16, 2004 at 08:13 AM in Virus
May 28, 2004
THE MISSISSAUGA NEWS: Virus infected computers worldwide Mounties get their hacker
Computer users urged to update protection
LOUIE ROSELLA
May 28, 2004
A Mississauga teen who allegedly hacked into more than 9,000 computers worldwide and launched a virus that caused many systems to crash now faces charges following an investigation by the Royal Canadian Mounted Police (RCMP).
The 16-year-old boy, who cannot be identified under the Youth Criminal Justice Act, is charged with a number of computer-related offences, including mischief to data, fraudulent use of computer systems and aiding/abetting mischief to data.
The RCMP's technological crime unit in London tracked a variant of the well-known Randex virus, which had spread to the computers of more than 9,000 unsuspecting internet users since November through such popular file-sharing programs as Kazaa and Limewire, which are often used to download music and movie files. Once inside an online computer, the virus received commands sent by the original hacker over an internet relay chat (IRC) channel.
"The affected computers automatically responded to malicious commands issued on particular channels of certain internet relay chat networks," said RCMP Sgt. George Wiegers yesterday.
The virus installed a "Trojan" program, according to police, allowing unauthorized access to, and use of the victim computers. The hacker could then make use of the victim computers in multiple ways, including sending out large amounts of junk e-mail, or cause the computer to crash at any given time, police said.
Wiegers wouldn't get into the specifics of the case, but said people and businesses did suffer from the crippling virus.
"The target could be a computer or network critical to one company that needs the computer up and running," he said. "The company may suffer financially and may suffer in numerous ways."
The RCMP are advising home internet users to be aware of the risks posed by such viruses.
"People who are connected to the internet need to take proactive steps to protect their system," Wiegers said.
"Try to look at the computer system you have now and ask 'Is this computer system secure?'" While there are no certainties in the ever-growing world of internet crime, Wiegers advised internet users to update their anti-virus, anti-trojan and firewall software.
Just last summer, a stubborn computer worm known as "Blaster" wiggled its way into thousands of homes and offices in Mississauga.
The infamous worm, designed to shut down infected computers repeatedly, hit households and businesses worldwide, exposing a vulnerability in the Microsoft system.
Also last summer, a variant of the Blaster worm, Welchia, hit Air Canada's computers at Pearson International Airport, creating massive delays and line-ups. Affected users were forced to download special anti-virus software that should be installed regularly anyway, according to police.
"Nothing's going to guarantee you're going to be 100 per cent secure but (you should) take steps to protect your computer," said Wiegers.
"This will significantly reduce the vulnerability of a person's computer from being accessed without permission."
May 28, 2004 at 11:20 PM in Virus
April 10, 2004
OS X flaw may leave Macs open to virus attacks
By David Becker, CNET News.com
Apple on Friday was investigating a security flaw in OS X that may allow people to fool Macs into opening dangerous files such as Trojan horses and viruses.
The flaw was reported by Intego, a French security firm specializing in Apple systems. The company said in a statement that it had encountered a proof-of-concept Trojan horse for OS X disguised as an MP3 music file.
"Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it," according to Intego. "But double-clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then (launches) iTunes to play the music contained in the file, to make users think that it is really an MP3 file."
Proof-of-concept bugs are typically created by security researchers to prove the existence of a software flaw. They exploit the flaw but don't do any damage. The OS X Trojan began circulating last month via a newsgroup posting.
Apple said in a statement that it was looking into the matter. "We are aware of the potential issue identified by Intego and are working proactively to investigate it," the statement said. "While no operating system can be completely secure from all threats, Apple has an excellent track record of identifying and rapidly correcting potential vulnerabilities."
An Intego researcher said that the exploit works by embedding a file with code written for Carbon, the OS X component that allows older programs to be updated to run natively in the new operating system. OS X's Finder application, which associates file types with appropriate applications, doesn't see the Carbon code and launches the malicious file.
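The disguise Intego describes relies on the extension and icon saying "music" while the content is code. A check that reads the leading bytes and judges content before name catches the simplest version of that trick. The block below is an added example, not Intego's or Apple's code; the sample files are constructed stand-ins, and it goes beyond the article's single case by recognising Mach-O, fat, ELF and PE headers so the same check applies to any executable hiding behind a media extension.

```python
# Added example: flag files whose extension claims media but whose leading
# bytes announce an executable. Reads the data fork only (see note below).

MEDIA_EXTENSIONS = {"mp3", "jpg", "jpeg", "gif", "png", "mov", "avi", "pdf", "txt"}

# Leading bytes of common executable formats. The Mach-O and fat magics are
# what the OS X loader expects; ELF and PE are included so the same check
# also catches executables that were never meant for a Mac.
EXECUTABLE_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",  # also the Java class magic
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
}

# Constructed samples (not real malware); only the first bytes matter here.
SAMPLES = {
    "song.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x21" + b"\x00" * 64,   # tagged MP3
    "raw.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 64,                    # untagged MPEG audio frame
    "hot_track.mp3": b"\xfe\xed\xfa\xce" + b"\x00" * 64,              # Mach-O behind an .mp3 name
    "fat.mp3": b"\xca\xfe\xba\xbe" + b"\x00" * 64,                    # fat binary behind an .mp3 name
    "setup.mp3": b"MZ\x90\x00" + b"\x00" * 64,                        # Windows PE behind an .mp3 name
    "tool.bin": b"\x7fELF\x01\x01\x01" + b"\x00" * 64,                # executable that says so
}


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_like_mp3(data):
    """True for an ID3v2 tag or an MPEG audio frame sync (11 leading set bits)."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def executable_type(data):
    """Name of the executable format the leading bytes announce, or None."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(name, data):
    """Return (verdict, detail) for one file, trusting content over extension."""
    ext = extension_of(name)
    exe = executable_type(data)
    if exe is not None and ext in MEDIA_EXTENSIONS:
        return ("disguised-executable", exe)
    if exe is not None:
        return ("executable", exe)
    if ext == "mp3" and looks_like_mp3(data):
        return ("ok", "MP3")
    return ("unknown", "no recognised signature")


def scan(files):
    """Classify every (name, bytes) pair; returns {name: verdict}."""
    return {name: classify(name, data)[0] for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:15s} {verdict}")
```

This looks only at the data fork, so it catches an executable that has simply been renamed. The flaw Intego described let the Finder find launchable Carbon code that a signature check on the data fork would not see, so on a Mac of that era the check should be paired with a look at the file's executable bits, resource fork and bundle structure rather than relied on alone.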
A number of such spoofing exploits have surfaced for Microsoft's Windows operating systems, but Macs have been relatively safe from such exploits and other types of attacks. Apple released a security update for the latest version of OS X earlier this week.
Christophe Guillemin of ZDNet France contributed to this report
April 10, 2004 at 04:18 PM in Virus
March 02, 2004
Wave of viruses, worms sweep cyberspace: experts
WASHINGTON (AFP) - A wave of new computer worms and viruses has been sweeping cyberspace over the past few days, wreaking havoc on some systems and testing the software defenses of networks, experts said.
California-based Panda Software said the spread of viruses and the variants "has reached epidemic proportions worldwide."
In the wake of the Mydoom outbreak, described as the worst in Internet history, Panda said there are several versions of the Netsky virus and the Bagle worm spreading quickly.
"They are all spreading at an alarming rate and causing an increasing number of incidents around the globe," Panda said. "According to the data collated by PandaLabs, there are now millions of infected e-mails in circulation."
The British firm mi2g called the latest outbreak a "tsunami" of malicious computer code, or malware, saying it is "overwhelming both its victim organizations as well as anti-virus toolkit companies and security professionals across the world."
Most security companies, Internet service providers and systems administrators have been severely overworked since the initial outbreak of Mydoom in late January, mi2g said.
The company said the latest outbreaks appear to mark a shift from adventurous teens to criminals seeking to make money through various schemes, including one called "phishing" to obtain credit card or financial information.
"This is not the activity of hobbyists but organized criminals," mi2g said.
This epidemic "is particularly worrying for companies, as all the viruses propagate aggressively, meaning that they can rapidly collapse corporate networks," Panda said in a statement. "At present some 95 percent of infected computers belong to companies."
Panda said Netsky.D is proving to be the most dangerous of all of them, spreading the fastest.
According to Luis Corrons, head of PandaLabs, "The idea that an epidemic is caused by a single virus clearly needs reconsidering. Virus creators are aware of the effectiveness of launching waves of malicious code and the increased probability of infection, and so we can expect to see more of these tactics in the future."
MX Logic, a security firm based in Denver, Colorado, said the Netsky.D worm "has reached a critical threat level, with one in every 71 e-mails infected by the worm."
"The first two months of this year have been marked by an unrelenting onslaught of mass mailing worms and their variants, including Mydoom, Mydoom.F, Bagle and Netsky.D. We are convinced that the frequency and potency of mass mailing worms and their variants is likely to increase -- making it critical that email users take every precaution to protect their inboxes," said Scott Chasin, chief technology officer, MX Logic.
Netsky.D does not delete files or damage computers, but contaminated computers played a jingle for three hours Tuesday morning.
"The author may be amused by the thought of an office full of infected PCs, all beeping away," said Graham Cluley of the software firm Sophos. "But the Netsky worm causes real harm by clogging up email systems and making unauthorized changes to computer systems."
Over the past days, virus fighters have battled a number of new releases of the Bagle and Netsky Internet worm families, and on Tuesday afternoon some 10 percent of all e-mails in Europe were contaminated by bugs, statistics showed.
In contrast to most other viruses, Netsky.D does not have an expiration date, and it will therefore remain a menace for some time to come, experts pointed out.
March 2, 2004 at 11:49 PM in Virus
March 01, 2004
New Netsky-D Worm Spreading Through E-Mail
Yahoo! News - New Netsky-D Worm Spreading Through E-Mail
LONDON (Reuters) - A new computer worm dubbed "Netsky-D" was clogging e-mail systems around the world after emerging on Monday, a security expert said.
The worm is particularly difficult to root out because it lands in e-mail boxes using a number of different subject lines such as "re:details" or "re:here is the document."
"It arrives with an attached pif file (program information file) and it's already extremely widespread," said Graham Cluley, senior technology consultant at Sophos Plc.
He said experts do not think the new virus is as big as MyDoom, which brought havoc to computer users and targeted Microsoft's Web Site, but that the full extent of Netsky-D's spread would be known as North America logs on.
When opened, the virus pif file will rapidly replicate itself, slowing down computers and e-mail bandwidth.
"We suspect people are more laid back about pif files because they may not have heard of them and may not realize they can contain dangerous code," Cluley said. "The best thing to do with this file is to delete it, don't open it."
Netsky-B, an earlier variant of the latest worm, was rated the third worst computer virus in February after MyDoom-A and Sober-C, according to Sophos, which writes anti-virus and anti-spam software.
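The Netsky-D .pif attachment described above and the Bagle.AQ indicators McAfee listed earlier on this page (spoofed sender, blank subject, "new price" body, ZIP containing an HTML file that launches an EXE) are all visible at the mail gateway before any user double-clicks. The following triage routine is an added example, not code from Sophos, McAfee or the articles; the three messages it runs over are constructed with stub payloads, and the "new price" string and the extension lists are the assumptions it encodes.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File types Windows runs directly on double-click. .pif is the one Netsky-D
# used; it shows a shortcut-style icon, which is why users overlook it.
DANGEROUS_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js", "hta"}
ARCHIVE_EXT = {"zip"}
LURE_PHRASES = ("new price",)   # assumption: the Bagle.AQ body text McAfee quoted


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if name and "." in name else ""


def risky_zip_members(blob):
    """Names of executable or HTML members inside a ZIP blob ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist()
                    if extension_of(n) in DANGEROUS_EXT | {"html", "htm"}]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Parse one raw message; return the indicators it trips (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if not (msg["Subject"] or "").strip():
        hits.append("blank subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase in text:
            hits.append(f"body matches '{phrase}' lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = extension_of(name)
        if ext in DANGEROUS_EXT:
            hits.append(f"executable attachment {name}")
        elif ext in ARCHIVE_EXT:
            members = risky_zip_members(part.get_payload(decode=True))
            if members:
                hits.append(f"zip {name} contains {', '.join(members)}")
    return hits


# --- constructed sample messages (no worm code; payloads are stubs) ---

def _zip_blob(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _message(subject, body, filename, payload, maintype, subtype):
    m = EmailMessage()
    m["From"] = "orders@example.net"      # a worm would spoof this; constructed here
    m["To"] = "user@example.org"
    if subject is not None:
        m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


SAMPLES = {
    "bagle_like": _message(None, "new price", "price.zip",
                           _zip_blob({"price.html": b"<html></html>", "price.exe": b"MZ\x90\x00"}),
                           "application", "zip"),
    "netsky_like": _message("re:details", "see attached", "document.pif", b"MZ\x90\x00",
                            "application", "octet-stream"),
    "benign": _message("Meeting notes", "Attached as discussed.", "notes.pdf", b"%PDF-1.4\n",
                       "application", "pdf"),
}


def scan_all(samples=SAMPLES):
    """Map sample name -> 'quarantine' or 'deliver'."""
    return {k: ("quarantine" if triage(v) else "deliver") for k, v in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The extension and archive checks are the durable part: they do not depend on a particular subject line and would have caught both worms' deliveries. The lure phrase is the brittle part, useful for the outbreak in hand and stale as soon as the next variant changes its text, which is why a gateway rule should lead with the attachment type and treat message text as corroboration.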
March 1, 2004 at 11:55 AM in Virus
February 19, 2004
Bagle.B Internet worm third most virulent in history: experts
Yahoo! News - Bagle.B Internet worm third most virulent in history: experts
Wed Feb 18, 7:20 AM ET
HELSINKI (AFP) - The Bagle.B Internet worm continued to propagate itself throughout the world, with experts ranking the virus as the third most dangerous computer bug after the notorious Sobig.F and Mydoom.A.
"This is a very serious worm, it's spread itself quite rapidly, but it will probably not reach the same catastrophic proportions as Mydoom.A and Sobig.F," Snorre Fagerland, with Norwegian Internet security company Norman, told AFP.
"On the scale of the most dangerous viruses, it gets a third place," he added.
The Mydoom.A Internet worm, discovered last month, is the most virulent computer virus so far, reaching a peak infection rate of one in 12 e-mails.
The Sobig.F virus, which struck in August of 2003, had a peak infection rate of one in 17 e-mails and generated over 300 million contaminated messages during the first week alone.
According to US-based e-mail security firm MessageLabs, Bagle.B had by early Wednesday been found in 66 countries, and had reached an infection rate of one in every 16 e-mails worldwide, but experts expected that the outbreak would fizzle out soon, well before the bug's programmed expiration date of February 25.
"It's still spreading fairly rapidly. It's a big case. But the technical features of the virus are not that special," Mikael Albrecht, of the Finnish Internet security company F-Secure, told AFP.
"As soon as most people have updated their anti-virus protection, it will die out," Albrecht said.
Bagle.B first appeared in Poland and Germany on Tuesday afternoon, and propagated itself throughout Europe and the Americas overnight. Asia, however, appeared to have largely escaped the outbreak, experts said.
Most affected were the United States, where 16 percent of the infected e-mails were found, closely followed by the UK with 13 percent and Germany with 10 percent, MessageLabs said.
The bug installs a backdoor function on infected computers, enabling its creator and hackers to access the machines for malicious purposes, such as stealing confidential information like passwords stored on them, analysts said.
In addition, Bagle.B makes infected computers access four web pages on the Internet, possibly to download software or to count the number of contaminated machines, Albrecht said.
The first variant of the Bagle bug was found on January 18, and both bugs are believed to be linked to spammers -- senders of unsolicited bulk e-mail advertisements -- as they retrieve e-mail addresses from the infected computers.
Bagle.B also seemed to be related to the earlier Mitglied worm family, Norman's Fagerland said.
February 19, 2004 at 12:44 AM in Virus
February 18, 2004
New Netsky.B Worm Spreading on Internet
Yahoo! News - New Netsky.B Worm Spreading on Internet
Wed Feb 18, 2:44 PM ET
SEATTLE (Reuters) - A new worm called "Netsky.B" emerged on the Internet on Wednesday, spreading by mimicking familiar e-mail addresses and enticing users to open file attachments containing malicious software, security experts said.
Most computer security companies rated the worm a medium-grade threat, describing it as more of an annoyance than a malicious virus that destroys files or makes computers vulnerable to attacks.
"It's a very low infection rate virus," said David Perry, global education director at Trend Micro Inc. (NasdaqNM:TMIC) (4704.T), adding that newer, more infectious versions could be in the pipeline.
The worm, once activated, forwards itself to e-mail addresses found on an infected computer's hard drive.
Netsky.B usually arrives in e-mail boxes appearing to be a message from a familiar person, with an attachment that looks like a Microsoft Word document and a subject line such as "read it immediately" or "something for you," making it tricky to identify.
Anti-virus software and services provider Network Associates Inc. (NYSE:NET) said the worm's activity appeared to be concentrated in Europe, particularly the Netherlands.
Both businesses and consumers were being hit by the fast-spreading worm.
February 18, 2004 at 11:38 PM in Virus
February 15, 2004
The stealth worm era
TheStar.com - The stealth worm era
With the pace of virus development accelerating, experts fear even nastier criminal attacks in future
CLIVE THOMPSON
SPECIAL TO THE TORONTO STAR
Many people might wonder why virus writers aren't simply rounded up and arrested for producing their creations. But in most countries, writing viruses is not illegal.
Indeed, in the United States some legal scholars argue that it is protected as free speech. Software is a type of language, and writing a program is akin to writing a recipe for beef stew. It is merely a bunch of instructions for the computer to follow, in the same way that a recipe is a set of instructions for a cook to follow.

Virus writers like Kefi - a.k.a. Stephen Mathieson, a 16-year-old from Detroit - complain about "the kids" who download what he considers legitimate experimental code and release it to the world.
A virus or worm becomes illegal only when it is activated — when someone sends it to a victim and starts it spreading in the wild, and it does measurable damage to computer systems. The top malware authors are acutely aware of this distinction.
Most every virus-writer Web site includes a disclaimer stating that it exists purely for educational purposes, and that if a visitor downloads a virus to spread, the responsibility is entirely the visitor's.
Benny's main virus-writing computer at home has no Internet connection at all; he has walled it off like an airlocked biological-weapons lab, so that nothing can escape, even by accident.
Virus writers argue that they shouldn't be held accountable for other people's actions. They are merely pursuing an interest in writing self-replicating computer code.
"I'm not responsible for people who do silly things and distribute them among their friends," Benny said defiantly. "I'm not responsible for those. What I like to do is programming, and I like to show it to people — who may then do something with it."
A young woman who goes by the handle Gigabyte told me in an online chat room that if the authorities wanted to arrest her and other virus writers, then "they should arrest the creators of guns as well."
One of the youngest virus writers I visited was Stephen Mathieson, a 16-year-old in Detroit whose screen name is Kefi. He also belongs to Philet0ast3r's Ready Rangers Liberation Front. A year ago, Mathieson became annoyed when he found members of another virus-writers group called Catfish_VX plagiarizing his code. So he wrote Evion, a worm specifically designed to taunt the Catfish guys. He put it up on his Web site for everyone to see. Like most of Mathieson's work, the worm had no destructive intent. It merely popped up a few cocky messages, including: Catfish_VX are lamers. This virus was constructed for them to steal.
Someone did in fact steal it, because pretty soon Mathieson heard reports of it being spotted in the wild. To this day, he does not know who circulated Evion. But he suspects it was probably a random troublemaker, a script kiddie who swiped it from his site. "The kids," he said, shaking his head, "just cut and paste."
Quite aside from the strangeness of listening to a 16-year-old complain about "the kids," Mathieson's rhetoric glosses over a charged ethical and legal debate. It is tempting to wonder if the leading malware authors are lying — whether they do in fact circulate their worms on the sly, obsessed with a desire to see whether they will really work.
While security officials say that may occasionally happen, they also say the top virus writers are quite likely telling the truth.
"If you're writing important virus code, you're probably well trained," says David Perry, global director of education for Trend Micro, an antivirus firm. "You know a number of tricks to write good code, but you don't want to go to prison. You have an income and stuff. It takes someone unaware of the consequences to release a virus."
But worm authors are hardly absolved of blame. By putting their code freely on the Web, virus writers essentially dangle temptation in front of every disgruntled teenager who goes online looking for a way to rebel. A cynic might say that malware authors rely on clueless script kiddies the same way that a drug dealer uses 13-year-olds to carry illegal goods — passing the liability off to a hapless mule.
"You've got several levels here," says Marc Rogers, a former police officer who now researches computer forensics at Purdue University. "You've got the guys who write it, and they know they shouldn't release it because it's illegal. So they put it out there knowing that some script kiddie who wants to feel like a big shot in the virus underground will put it out.
"They know these neophytes will jump on it. So they're grinning ear to ear, because their baby, their creation, is out there. But they didn't officially release it, so they don't get in trouble."
Rogers says he thinks that the original authors are just as blameworthy as the spreaders.
Symantec's Sarah Gordon also says the authors are ethically naive.
"If you're going to say it's an artistic statement, there are more responsible ways to be artistic than to create code that costs people millions," she says.
Critics like Reitinger, the Microsoft security chief, are even harsher. "To me, it's online arson," he says. "Launching a virus is no different from burning down a building. There are people who would never toss a Molotov cocktail into a warehouse, but they wouldn't think for a second about launching a virus."
What makes this issue particularly fuzzy is the nature of computer code. It skews the traditional intellectual question about studying dangerous topics. Academics who research nuclear-fission techniques, for example, worry that their research could help a terrorist make a weapon. Many publish their findings anyway, believing that the mere knowledge of how fission works won't help Al-Qaeda get access to uranium or rocket parts.
But computer code is a different type of knowledge. The code for a virus is itself the weapon. You could read it in the same way you read a book, to help educate yourself about malware. Or you could set it running, turning it instantly into an active agent.
Computer code blurs the line between speech and action. "It's like taking a gun and sticking bullets in it and sitting it on the counter and saying, 'Hey, free gun'!" Rogers says.
Some U.S. academics have pondered whether virus authors could be charged under conspiracy laws. Creating a virus, they theorize, might be considered a form of abetting a crime by providing materials.
Ken Dunham, the head of "malicious code intelligence" for iDefense, a computer security company, notes that there are certainly many examples of virus authors assisting newcomers. He has been in chat rooms, he says, "where I can see people saying, 'How can I find vulnerable hosts?' And another guy says, 'Oh, go here, you can use this tool.' They're helping each other out."
There are virus writers who appreciate these complexities. But they are certain that the viruses they write count as protected speech. They insist they have a right to explore their interests. Indeed, a number of them say they are making the world a better place, because they openly expose the weaknesses of computer systems.
When Philet0ast3r or Mario or Mathieson finishes a new virus, they say, they will immediately e-mail a copy of it to antivirus companies. That way, they explained, the companies can program their software to recognize and delete the virus should some script kiddie ever release it into the wild. This is further proof that they mean no harm with their hobby, as Mathieson pointed out. On the contrary, he said, their virus-writing strengthens the "immune system" of the Internet.
These moral nuances fall apart in the case of virus authors who are themselves willing to release worms into the wild. They're more rare, for obvious reasons. Usually they are overseas, in countries where the police are less concerned with software crimes.
One such author is Melhacker, a young man who reportedly lives in Malaysia and has expressed sympathy for Osama bin Laden. Antivirus companies have linked him to the development of several worms, including one that claims to come from the "Qaeda network." Before the Iraq war, he told a computer magazine he would release a virulent worm if the U.S. attacked Iraq — a threat that proved hollow.
February 15, 2004 at 11:36 AM in Virus
February 14, 2004
Work of idle hands
TheStar.com - Work of idle hands
Intelligent but alienated young men are creating forces they cannot control
2003 was 'the Year of the Worm' and the pace
CLIVE THOMPSON
SPECIAL TO THE STAR
This is how easy it has become.
Mario stubs out his cigarette and sits down at the desk in his bedroom. He pops into his laptop the CD of Iron Maiden's "Number of the Beast," his latest favourite album. "I really like it," he says. "My girlfriend bought it for me." He gestures to the 15-year-old girl with straight dark hair lounging on his neatly made bed. Mario, 16, is a secondary-school student in a small town in the foothills of southern Austria. (He didn't want me to use his last name.) His shiny shoulder-length hair covers half his face and his sleepy green eyes, making him look like a very young, languid Mick Jagger.

Philet0ast3r, a 21-year-old German, is one of the world's most skilled Internet virus writers, but his viruses are often surprisingly mild things carrying goofy payloads.
When Mario is bored — and out here in the countryside, surrounded by soaring mountains and little else, he's bored a lot — he likes to sit at his laptop and create computer viruses and worms. Online, he goes by the name Second Part to Hell, and he has written more than 150 examples of what computer experts call "malware": tiny programs that exist solely to self-replicate, infecting computers hooked up to the Internet. Sometimes these programs cause damage, and sometimes they don't. Mario says he prefers to create viruses that don't intentionally wreck data. "Anyone can rewrite a hard drive with one or two lines of code," he says. "It makes no sense. It's really lame." Besides which, it's mean, he says, and he likes to be friendly.
But still — just to see if he could do it — a year ago he created a dangerous tool: a program that autogenerates viruses. It's called a Batch Trojan Generator, and anyone can download it freely from Mario's Web site. With a few simple mouse clicks, you can use the tool to create your own malicious "Trojan horse." Like its ancient namesake, a Trojan virus arrives in someone's e-mail looking like a gift, a JPEG picture or a video, for example, but actually bearing dangerous cargo.
Mario starts up the tool to show me how it works. A little box appears on his laptop screen, politely asking me to name my Trojan. I call it the "Clive" virus. Then it asks me what I'd like the virus to do. Shall the Trojan Horse format drive C:? Yes, I click. Shall the Trojan Horse overwrite every file? Yes. It asks me if I'd like to have the virus activate the next time the computer is restarted, and I say yes again. Then it's done. The generator spits out the virus on to Mario's hard drive, a tiny 3k file. It also displays a warning that spreading your creation is illegal.
The generator, he says, is just for educational purposes, a way to help curious programmers learn how Trojans work.
But of course I could ignore that advice. I could give this virus an enticing name, like "britney—spears—wedding—clip.mpeg," to fool people into thinking it's a video. If I were to e-mail it to a victim, and if he clicked on it — and didn't have up-to-date antivirus software — then disaster would strike his computer. The virus would activate. It would reach into the victim's Microsoft Windows operating system and insert commands telling the computer to erase its own hard drive. The next time the victim started up his computer, it would find those new commands and guilelessly follow them. Poof: everything on his hard drive would vanish — e-mail, pictures, documents, games.
I'd never contemplated writing a virus before. Even if I had, I wouldn't have known how to do it. But thanks to a teenager in Austria, it took me less than a minute to master the art.
Mario drags the virus over to the trash bin on his computer's desktop and discards it. "I don't think we should touch that," he says hastily.
Computer experts called 2003 "the Year of the Worm." For 12 months, digital infections swarmed across the Internet with the intensity of a biblical plague. It began in January, when the Slammer worm infected nearly 75,000 servers in 10 minutes, clogging Bank of America's ATM network and causing sporadic flight delays. In the summer, the Blaster worm struck, spreading by exploiting a flaw in Windows; it carried taunting messages directed at Bill Gates, infected hundreds of thousands of computers and tried to use them to bombard a Microsoft Web site with data. Then in August, a worm called Sobig.F exploded with even more force, spreading via e-mail that it generated by stealing addresses from victims' computers. It propagated so rapidly that at one point, one out of every 17 e-mail messages travelling through the Internet was a copy of Sobig.F. The computer-security firm mi2g estimated that the worldwide cost of these attacks in 2003, including clean-up and lost productivity, was at least $82 billion (U.S.).
The pace of contagion seems to be escalating. When the Mydoom.A e-mail virus struck in late January, it spread even faster than Sobig.F; at its peak, experts estimated, one out of every five e-mail messages was a copy of Mydoom.A. It also carried a nasty payload: it reprogrammed victim computers to attack the Web site of SCO, a software firm vilified by geeks in the "open source" software community.
You might assume that the blame — and the legal repercussions — for the destruction would land directly at the feet of people like Mario. But as the police around the globe have cracked down on cybercrime in the past few years, virus writers have become more cautious, or at least more crafty. These days, many elite writers do not spread their works at all. Instead, they "publish" them, posting their code on Web sites, often with detailed descriptions of how the program works. Essentially, they leave their viruses lying around for anyone to use.
Invariably, someone does. The people who release the viruses are often anonymous mischief-makers, or "script kiddies." That's a derisive term for aspiring young hackers, usually teenagers or curious college students, who don't yet have the skill to program computers but like to pretend they do. They download the viruses, claim to have written them themselves and then set them free in an attempt to assume the role of a fearsome digital menace.
Our modern virus epidemic is thus born of a symbiotic relationship between the people smart enough to write a virus and the people dumb enough — or malicious enough — to spread it. Without these two groups of people, many viruses would never see the light of day. Script kiddies, for example, were responsible for some of the damage the Blaster worm caused. The original version of Blaster, which struck on Aug. 11, was clearly written by a skilled programmer (who is still unknown and at large). Three days later, a second version of Blaster circulated online, infecting an estimated 7,000 computers. This time the FBI tracked the release to Jeffrey Lee Parson, an 18-year-old in Minnesota who had found, slightly altered and re-released the Blaster code, prosecutors claim. Parson did nothing to hide his identity and even included a reference to his personal Web site in the code. He was arrested and charged with intentionally causing damage to computers; when his trial begins, probably this spring, he faces up to 10 years in jail. A few weeks later, a similar scene unfolded: another variant of Blaster was found in the wild. This time it was traced to a college student in Romania who also had left obvious clues to his identity in the code.
This development worries security experts, because it means that virus-writing is no longer exclusively a high-skill profession. By so freely sharing their work, the elite virus writers have made it easy for almost anyone to wreak havoc online. When the damage occurs, as it inevitably does, the original authors just shrug. We may have created the monster, they'll say, but we didn't set it loose. This dodge infuriates security professionals and the police, who say it is legally precise but morally corrupt.
"When they publish a virus online, they know someone's going to release it," says Eugene Spafford, a computer-science professor and security expert at Purdue University. Like a collection of young Dr. Frankensteins, the virus writers are increasingly creating forces they cannot control — and for which they explicitly refuse to take responsibility.
"Where's the beer?" Philet0ast3r wondered.
An hour earlier, he had dispatched three friends to pick up another case, but they were nowhere in sight. He looked out over the controlled chaos of his tiny one-bedroom apartment in small-town Bavaria. (Most of the virus writers I visited live in Europe; there have been very few active in the United States since 9/11, because of fears of prosecution.) Philet0ast3r's party was crammed with 20 friends who were blasting the punk band Deftones, playing cards, smoking furiously and arguing about politics. Three girls sat on the floor, rolling another girl's hair into thick dreadlocks, the hairstyle of choice among the crowd. Philet0ast3r himself — a 21-year-old with a small silver hoop piercing his lower lip — wears his brown hair in thick dreads. (Philet0ast3r is an online handle; he didn't want me to use his name.)
Philet0ast3r's friends finally arrived with a fresh case of ale, and his blue eyes lit up. A tall blond friend in a jacket festooned with anti-Nike logos put his arm around Philet0ast3r and beamed.
"This guy," he proclaimed, "is the best at Visual Basic."
In the virus underground, that's love. Visual Basic is a computer language popular among malware authors for its simplicity; Philet0ast3r has used it to create several of the two dozen viruses he's written. From this tiny tourist town, he works as an assistant in a home for the mentally disabled and in his spare time runs an international virus-writers' group called the "Ready Rangers Liberation Front." He founded the group three years ago with a few bored high-school friends in his even tinier hometown nearby. I met him, like everyone profiled in this article, online, first e-mailing him, then chatting in an Internet Relay Chat channel where virus writers meet and trade tips and war stories.
February 14, 2004 at 10:03 AM in Virus
February 08, 2004
Virus infects 10 per cent of e-mail
TheStar.com - Virus infects 10 per cent of e-mail
Causes damage estimated at more than $1 billion U.S.
TYLER HAMILTON
TECHNOLOGY REPORTER
Don't blame Microsoft — not this time.
The latest Internet worm to infect personal computers and clog up corporate networks has nothing to do with a software glitch or a hole associated with Microsoft Corp. products. The problem, experts say, has everything to do with our curious human nature.
"It's not a Microsoft vulnerability, it's a human vulnerability," said Al Huger, director of engineering for the security response team at Symantec Corp., a maker of anti-virus software.
Huger said the "Mydoom" or "Novarg" worm is a classic mass-mailer virus, meaning it is designed to trick people into opening up seemingly benign e-mail attachments that are actually malicious programs. When the attachments are opened, Mydoom spreads to the contact list of an e-mail program's address book.
Once inside a computer, it e-mails itself to anybody in a person's address book but also opens a back door on the computer to a hacker, spammer or anybody else wanting to gain remote control of the machine at a later date.
"The back door allows anybody to connect to infected machines and do anything they want to it," said Huger.
Jack Sebbag, Canadian general manager of anti-virus software firm Network Associates Inc., said one out of every 10 e-mail messages sent across North America yesterday afternoon was the result of the Mydoom worm.
This slowed down the Internet considerably. According to some reports, top Web sites on the Internet were taking twice as long to download.
It's the most virulent Internet virus to hit the continent since August, when a double whammy from the Blaster and SoBig bugs played havoc with home computers and gummed up corporate networks, even grounding some Air Canada operations.
At its worst, one in every 17 e-mails contained the SoBig virus, meaning Mydoom is the most aggressively spreading mass-mailing virus on record.
Sebbag said spread of the worm seemed to be slowing yesterday, though he added that a number of Canadian industries had been affected, including manufacturing, financial services and government.
Canada's telephone watchdog, the Canadian Radio-television and Telecommunications Commission, warned on its Web site that it was blocking all e-mail messages with ".zip" attachments for the next few days because of what it described as a "worldwide virus outbreak."
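As an added example (not code from any of the articles, vendors or agencies quoted here), the following Python gateway check applies the attachment advice that runs through these stories: Cluley's warning about .pif files in the Netsky-D piece, the CRTC's temporary block on .zip attachments during Mydoom, and the document- and media-file names that Netsky.B and Mario's Trojan generator rely on. The lure subject lines are the ones quoted in the Netsky articles; the extension lists, the magic-byte check for an executable hiding behind a document name (which goes a step beyond what the articles describe), and the sample messages are all constructed for the demonstration.

```python
"""Attachment policy check for a mail gateway (added example, not from the articles)."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute no matter what icon the mail client shows.
# List constructed for this example; .pif is the one Netsky-D used.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}
# Archive type the CRTC blocked outright during the Mydoom outbreak.
ARCHIVE_EXTS = {".zip"}
# Extensions users expect to be harmless documents or media files.
DECOY_EXTS = {".doc", ".txt", ".jpg", ".jpeg", ".mpeg", ".mpg", ".avi"}
# Subject lines the articles quote for Netsky-D and Netsky.B (compared lower-cased).
KNOWN_LURE_SUBJECTS = {"re:details", "re:here is the document",
                       "read it immediately", "something for you"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_attachment(name, data):
    """Return the list of policy reasons to block one attachment (empty = clean)."""
    reasons = []
    lowered = name.lower()
    base, ext = os.path.splitext(lowered)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"{name}: executable extension {ext}")
    if ext in ARCHIVE_EXTS:
        reasons.append(f"{name}: archive extension {ext} blocked by policy")
    # "clip.mpeg.pif" is shown as "clip.mpeg" when Windows hides known extensions.
    inner_ext = os.path.splitext(base)[1]
    if inner_ext in DECOY_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"{name}: decoy extension {inner_ext} in front of {ext}")
    # A "Word document" whose bytes start with the PE header is an executable.
    if data[:2] == MZ_MAGIC and ext not in EXECUTABLE_EXTS:
        reasons.append(f"{name}: PE executable content behind a non-executable name")
    return reasons


def check_message(raw):
    """Parse a raw message and return ("block" | "allow", reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in KNOWN_LURE_SUBJECTS:
        reasons.append(f"subject matches a known worm lure: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons.extend(classify_attachment(name, data))
    return ("block" if reasons else "allow"), reasons


def build_sample(subject, filename, data, maintype="application", subtype="octet-stream"):
    """Construct a sample message with one attachment (test input, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("re:details", "document.pif", b"MZ\x90\x00constructed"),  # Netsky-D style
        build_sample("Mail Delivery System", "message.zip", b"PK\x03\x04"),     # Mydoom style
        build_sample("hi", "clip.mpeg.pif", b"MZ"),                              # disguised media
        build_sample("Report", "report.doc", b"MZ\x90\x00", "application", "msword"),
        build_sample("Meeting notes", "notes.txt", b"hello", "text", "plain"),  # benign
    ]
    for raw in samples:
        verdict, reasons = check_message(raw)
        print(verdict, reasons)
```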
Mikko Hypponen, manager of anti-virus research at F-Secure Corp. in Finland, estimated that 200,000 to 300,000 computers were hit worldwide, while U.K.-based computer security firm mi2g estimated that worldwide damage and lost productivity likely surpassed $1 billion (U.S.) in costs by end of day yesterday.
E-mails with th