know the threat. stop the virus.  

Malicious Agent reports are brief outlines describing specific viruses in the wild. The focus is on how these programs infect your network and what they'll do when they arrive.


Virus Report Archives

The Infection Vectors Virus List

Although it was once a list of the most interesting worms circulating in the virus world (based on infection rates, vector uniqueness, and potential impact), the list is now a monument to the discrete threats that used to plague network administrators. Today's threats are much less conspicuous, hiding and waiting for clients to brush past them. Reader interest has led to leaving the list here:

Skipi/Ramex (Skype worm 2007)

Novel in its use of the Skype IM client and contacts list, the worm is not truly a piece of VoIP malware in the strict sense. The use of well-worn tactics made this worm less interesting to analysts; the use of Skype's software made it more interesting to the media.

Sober/Sober.X

One of the more successful and widely distributed pure mass mailers. Its limited releases (compared to often-tweaked worms like Beagle) have so far stuck to a similar design, through its recent 9th iteration. Sober was first released in the fall of 2003, alongside the successful Internet worms Blaster and Welchia. The pure mass mailer carries English and German versions of its messages. Report updated in February and May of 2005 in response to the continued success and new variants of the worm.

Sober.X (CME-681) became the largest worm outbreak of 2005 in late November, using the same tricks that helped its cause in the past. Because of its widespread success, an entire report was dedicated to the variant.

Zotob

Within a week of the August security bulletins from Microsoft, Zotob already had at least 5 variants on the Internet. The release of this worm reinforced not only the issues surrounding exploit-to-malware timelines and patching schedules, but also the organization of professional malware.

MyDoom & Mytob

In January of 2004 two mass mailers grabbed the attention of the popular media: MyDoom and Beagle. The initial flood of MyDoom infections paved the way for these worms and Netsky to compromise more machines in 3 months than all the worms of 2003 had managed. Although the heritage is debated, the Fall 2004 breed of MyDoom variants introduced new propagation mechanisms, including a near zero-day attack.

The family tree grew an interesting new branch in February 2005: the SDBot-inspired variant known as Mytob. This worm used the MyDoom mass mailer to carry a bot net client that exploits the LSASS overflow and connects to an IRC server to await additional commands. The spring of 2005 saw over a dozen new Mytob variants and a single MyDoom; the author used tricks other worm writers have employed, such as changing versions quickly, but significantly enough to require new detection mechanisms.

PGPCoder

PGPCoder is a Trojan that attempts to take the victim machine's files hostage, forcing a user to pay for a "decoder" to be able to read documents that are encrypted. The file, which often appears as just encoder32.exe, can arrive via email, file share, or any other means; however, it currently has not been linked to any self-propagation mechanism.

Smitfraud

Initially targeted at just Smith Barney customers (hence the name), Smitfraud launches an attack that hopes to collect all the web requests made by a victim machine, as well as install a few extra goodies for the user.

Beagle

Of special interest to infectionvectors.com because of the tremendous development effort put into the mass mailer, Beagle remains one of the top threats on the Internet. New variants in the winter of 2005 prove the ongoing dedication of the authors to improving this worm.

The March 2005 variants carried no propagation mechanism, but a deadly Trojan capable of attacking local security software from multiple angles.

Blinder

Phishing has become more and more difficult for the average user to stay on top of, and Blinder adds to the confusion. This exploit is a few simple lines of JavaScript added to a fraudulent web page that hide the true URL displayed in the address bar behind a small pop-up containing a phony one.

Formglieder

One of the many "add-ons" retrieved by the Beagle worm once it has infected a system, Formglieder has a special purpose: stealing personal banking information and system data.

Dipnet

This bot net agent infected machines and launched a DDoS before being catalogued by AV companies, finally providing an answer to the mysterious TCP 11768 traffic noticed around the world. This application, much like Agobot, allows an external controller to initiate new attacks.

Kedebe

A mass mailer comprised of common parts and one increasingly common part: a threat against Beagle/MyDoom. One more worm throws its hat into the ring.

ARCHIVE

The alerts above represent viruses that are unique, especially prevalent, or catastrophically damaging. For a complete catalog of viruses in the wild, see one of the Reference Info sites.

Copyright © 2007 infectionvectors.com. All rights reserved.