research the vector. watch the profits. close the door.         

VECTORBLOG ARCHIVE

March 2005 VECTORBLOG

 

March 29, 2005

and your friend

The update to the Mytob Alert is posted. The 12+ recent variants all follow the same strategy: the LSASS overflow, MyDoom-style mass mailing, and knocking over security software, with a few new goodies thrown in: an RPC DCOM exploit reported by Symantec, file-share propagation noted by Trend, and a few new subject lines for the mass mail. Nice work.

 

March 28, 2005

take one on us

The latest vector space report is out, "Free Samples: A Trojan on the Job." It examines the notion of spyware as a distinct set of Trojans and looks specifically at two companion pieces of malware that try to drag users to ad sites all over the web.

 

March 24, 2005

all mine

Mytob has hit again. As with the spyware report, look for an update soon, as soon as the variants slow down. In a move reminiscent of the Beagle/Mitglieder releases, the Mytob author (remember, Mytob looks like MyDoom with SDbot attached) is dumping slightly different variants in quick succession.

 

March 21, 2005

free sample

An excerpt from the soon-to-be-released spyware-Trojan Downloader article:

 

Trojans are not a new classification of malware. One characteristic of many modern Trojans is the clear profit motive behind them: they are often "sponsored" by organizations that generate revenue by delivering ads to users (or, more accurately, delivering users to advertisers). Although the terms "spyware" and "adware" are often used to describe this type of Trojan, the only distinction in the software is this obvious profit motive. The same motive can be seen in many other types of malware, such as the mass mailers Sobig and Beagle, both with clear spamming interests at their hearts. These revenue-generating worms are still mass-mailing worms, not "adware."

 

March 20, 2005

you say tomato

The world of malware is constantly evolving, as is the terminology. One term many analysts are rejecting is "spyware/adware" as the classification for a certain brand of Trojan that doesn't seem quite as nasty because it is just trying to get ads in front of your face. There have been many good articles already explaining why that is incorrect, so I won't add to them. However, we have been examining a couple of such "spyware" Trojans and plan to get a report out in the next week; stay tuned. And if you have an opinion on the matter, send it to the vectorblog for inclusion here.

 

March 17, 2005

little layoff

After a few days of fairly uneventful virus monitoring, a new report has found its way into the Emergency Preparedness forum. Originally inspired by the press coverage of the US intelligence reorganization, this report looks at building a malware response team within an enterprise of any size from the talent that already runs the network. The feature, Reorganizing Intelligence, is available here and as a PDF here.

 

March 10, 2005

long weekend

March is the first month in recent memory without new Microsoft security bulletins (really, check for yourself). Of course, the required jokes will be written about how flawed the OS truly is, the tortuous months with a dozen advisories, etc. But it is a real feat to get through an entire month without a single bulletin. Is there any platform with the scope of Windows that can boast such a claim? (Granted, no other OS has the installation base of MS Windows, but how about an equivalent patch-free period relative to the size of the product? Send your feedback to vectorblog.) There is also a new report in the MS Bulletins section this month, on patch management. Enjoy.

 

March 8, 2005

wattage exceeded

Catalogued this weekend by Symantec is a Trojan named Blinder. This malcode hides the address bar contents in IE behind a phony URL, making the currently loaded web page appear to come from somewhere it does not. Sound like a tool that might come in handy to phishers? It has been seen as part of a few scams, including numerous fraudulent eBay messages, which seem to be the heaviest hitters based on the samples received. Check out the report here.

 

March 7, 2005

net benefits

Some questions exist on exactly why we saw so many variants of Beagle and its companion Trojan Mitglieder/Tooso last week all at once (four of each on a single day) without a "war" of the worms like last year's. The benefit of such a strategy is alluded to in the "Year of the Beagle" feature: stay ahead of the antivirus companies. Again, in the Beagle.BG-BJ Propagation report, the analysts at Kaspersky make the observation that the author released a new variant as soon as signatures for the previous one became available. This ensures that the worm/Trojan makes the biggest impact possible. The system works like this:

When new signatures would prevent the spread of the existing version, a new one is injected into the system, allowing the currently infected machines to spread the new version, which (the author hopes) avoids detection.

 

March 4, 2005

in the air

F-Secure has kept an extremely interesting watch on the Cabir worm's travels around the globe. In their weblog today is the report of country 17 on the list, France. Although Cabir was built more as a demonstration than an attack (it spreads over Bluetooth between Symbian phones and requires multiple user acceptances before installation), the speed with which it spreads is an important benchmark for this new path for mobile code.

 

March 3, 2005

another revolution

The industry that is the Beagle worm continues to roll on. After another four variants of the code have hit the streets, it is now clear how well planned each attack really is. The addresses lifted last time around (and, for the first time, posted to an external server) appear to be those used to seed the mass mail this time. The latest versions of Mitglieder (known by the name Tooso at most sites, as mentioned below) are sent to a user; if executed, the Trojan retrieves the worm proper, which sends the Trojan... The scheme is laid out in detail in the latest report, found in the Hotzone here and available as a PDF here.

 

March 1, 2005

important notify

As readers of the features have deduced, this site has a special interest in the Beagle worm in all its forms. Today, we received the following familiar message in our mailbox:

 

From: staff@infectionvectors.com

Subject: Important notify about your e-mail account

Message: Dear  user of Infectionvectors.com gateway e-mail server...

A copy of the Beagle.J worm, which hadn't shown up in our Inbox for some time. It was almost immediately followed by a copy of what appeared, at first glance, to be Beagle.AO. The email has "new_price.zip" as the attachment and reads just like the version of the worm from last summer. This is a new version of the code, however, known as BG and BH. Beagle.BG/BH drops a copy of a Trojan called Tooso, a new piece of code from the Beagle authors that deletes Registry keys on the local machine associated with security applications, kills security-related processes, and goes the extra mile by deleting security application files. Of course, the program also reaches out to a long list of domains in search of a file (zo2.jpg), which does not appear to be posted yet (standard practice at this point). So far there have been at least four confirmed variants of this Trojan, all with virtually identical functionality.

 

This variant is correctly known as a Trojan (like earlier copies that did not propagate), as it has no mass-mail, file-share, or parasitic routines built into it. Check out today's coverage in the Malagent report update and the supplement in the Hotzone.
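The lure traits named in this post (a sender forged as staff@ the recipient's own domain, the "Important notify" subject, the "gateway e-mail server" body text, and the new_price.zip attachment) are enough to build a gateway-side filter. The Python below is an added example, not code from infectionvectors.com or from any of the reports it cites; the trait weights, the match threshold, the list of risky attachment suffixes and the three sample messages are constructed assumptions for illustration.

```python
"""Score inbound mail against the Beagle lure traits described in the post.

Added example, not code from infectionvectors.com. The lure traits come
from the post; weights, threshold and sample messages are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

LURE_SUBJECT = "important notify about your e-mail account"
LURE_BODY_PHRASE = "gateway e-mail server"
LURE_ATTACHMENTS = {"new_price.zip"}
RISKY_SUFFIXES = (".zip", ".exe", ".scr", ".pif")  # assumption: common worm carriers
MATCH_THRESHOLD = 2  # assumption: one strong trait or two weak ones is a hit


def _text_body(msg: Message) -> str:
    """Concatenate every text/plain part, lower-cased, for phrase matching."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks).lower()


def _attachment_names(msg: Message) -> list:
    """Lower-cased filenames of every MIME part that carries one."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.append(filename.lower())
    return names


def score_beagle_lure(raw: str, local_domain: str) -> tuple:
    """Return (score, reasons) for one raw RFC 822 message.

    local_domain is the domain this gateway receives mail for. Beagle forges
    its sender as staff@<that domain>, so inbound mail claiming to come from
    our own domain is itself a (weak) indicator.
    """
    msg = message_from_string(raw)
    score, reasons = 0, []

    _, sender = parseaddr(msg.get("From") or "")
    if sender.lower().endswith("@" + local_domain.lower()):
        score += 1
        reasons.append("sender forged as local domain: " + sender)

    if LURE_SUBJECT in (msg.get("Subject") or "").lower():
        score += 2
        reasons.append("known Beagle subject line")

    if LURE_BODY_PHRASE in _text_body(msg):
        score += 1
        reasons.append("known Beagle body text")

    for name in _attachment_names(msg):
        if name in LURE_ATTACHMENTS:
            score += 2
            reasons.append("known Beagle attachment: " + name)
        elif name.endswith(RISKY_SUFFIXES):
            score += 1
            reasons.append("risky attachment type: " + name)

    return score, reasons


def is_beagle_lure(raw: str, local_domain: str) -> bool:
    return score_beagle_lure(raw, local_domain)[0] >= MATCH_THRESHOLD


# Constructed samples: the first mirrors the Beagle.J message quoted in the
# post, the second the BG/BH mailing with new_price.zip (its sender, subject
# and body are made up), the third is ordinary mail.
SAMPLE_BEAGLE_J = """\
From: staff@infectionvectors.com
Subject: Important notify about your e-mail account
Content-Type: text/plain

Dear  user of Infectionvectors.com gateway e-mail server...
"""

SAMPLE_BEAGLE_BGBH = """\
From: sales@example.net
Subject: new price list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/zip; name="new_price.zip"
Content-Disposition: attachment; filename="new_price.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

SAMPLE_BENIGN = """\
From: colleague@example.org
Subject: Lunch on Thursday?
Content-Type: text/plain

Want to grab lunch?
"""
```

Run it against a mailbox by feeding each raw message to `score_beagle_lure(raw, "yourdomain")`. The forged-local-sender check is deliberately a weak signal on its own, since legitimate internal mail also carries the local domain; it only tips a message over the threshold together with another trait.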

 


Copyright © 2005 infectionvectors.com. All rights reserved.