Here are some interesting videos from Panda Software.
Death to Digital Vandals One.
Death to Digital Vandals Two.
Panda Software company presentation.
Looks like we are getting another round of the Storm Worm, and according to security company Postini it could be the biggest virus attack in over 2 years. They say this is the most sustained attack they have ever seen, and it has been going on for 9 to 10 days.
Swidler said in an interview with InformationWeek that the attack started a little more than a week ago, and Postini since then has recorded 200 million spam e-mails luring users to malicious Web sites. Before this attack, an average day sees about 1 million virus-laden e-mails, according to Postini. Last Thursday, however, the company tracked 42 million Storm-related messages in that day alone. As of Tuesday afternoon, Postini researchers were predicting they would see that day between 4 million and 6 million virus e-mails — 99% of them associated with the Storm worm.
While the number of spam e-mails has dropped significantly, it’s still far above normal levels, so Swidler isn’t ready to say the attack is over.
The viruses are not embedded in the e-mails or in attachments. The e-mails, many of them otherwise empty, contain a link to a compromised Web site where machines are infected with a generic downloader. This helps pull the computers into the malware authors’ growing botnet, while also leaving them open for further infection at a later date. Source: Storm Worm Erupts Into Worst Virus Attack In 2 Years
This is all about refilling their botnets with computers so they can get back to the bigger fish: making money off of users. They are also sending out e-card spam, and we are now at the level we were at back in December, one of the biggest months for that kind of spam because of the Christmas holiday. They assumed it would spike for Independence Day, but it has continued until now and shows no signs of letting up. Don’t click on any links in strange emails, and if you get e-cards from someone you know, I would email them first to see if they really sent it or not.
Here are a couple of cute videos from Panda Software promoting their virus and intrusion prevention products. But first, here are some coupons for their products: Panda Internet Security 2007, Panda Antivirus and Firewall 2007, and one for Panda Antivirus all by itself. Their software will remove viruses, trojans, malware, spyware and adware, and protect you while online; all you are buying is peace of mind.
Grab a FREE 30 day trial of Panda Anti Virus, Panda Anti Virus plus Firewall, or Panda Internet Security, which contains Panda Antivirus, Panda AntiSpyware, Panda Firewall, Panda TruPrevent, Panda IdentityProtect, Panda Antispam, and Panda Parental Control.
This is a cool video from F-Secure showing how fast the Storm Worm broke out.
Boy, there were some busy spammers and virus writers over the weekend, so you know our trusty anti-malware/virus fighters were busy as well, this time fighting the Storm Worm. The guys pushing this malware, the Small-DAM (AKA DwnLdr-FYD) Trojan, definitely had a flair for headlines, with subject lines ranging from violent storms, “Saddam Hussein is alive” and “Chinese missile shot down” all the way to Internet love.
The original attack tried to trick users into executing malicious files containing Trojan horse code, posing as information about the inclement weather. The malware was distributed in messages with subject lines such as “230 dead as storm batters Europe”, supplied with attachments containing the Small-DAM (AKA DwnLdr-FYD) Trojan. Attachments may contain one of the following filenames: Full Clip.exe; Full Story.exe; Read More.exe and Video.exe.
The malware also came in emails carrying other provocative subject lines including: “British Muslims Genocide”, “Naked teens attack home director”, “A killer at 11, he’s free at 21 and kill again!” and “U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel”.
If executed, the payload turns infected PCs into compromised, zombie clients under the control of hackers. Two in every three reports of malware tracked by anti-virus firm Sophos on Friday, 19 January involved reports of the Trojan. Source: Storm Trojan gang declare start of World War III
Checking the F-Secure Blog at different times throughout the week is always good, as they are usually on top of these things. Symantec says it is the worst malware outbreak since May 2005 when the Sober.O mass-mailing worm affected a similar number of computers.
Malicious software that was sent out in millions of spam messages over the weekend has now infected about 300,000 computers, making it the worst malware outbreak since 2005, Symantec said Monday.
The so called “Storm Worm” e-mail messages first started appearing last Wednesday, advertising attached news reports on topics like “230 Dead as storm batters Europe,” or “U.S. Secretary of Sate Condoleeza Rice has kicked German Chancellor.”
The attachments have names such as “Full Story.exe” or “Full Video.exe.” Once they are launched, these files install malicious software that then waits to receive further instructions over the Internet. Source: Symantec: Storm Trojan worst outbreak since 2005
The latest versions of the spam use romantic subject lines, such as A Bouguet of Love, A Day in Bed Coupon, Love Birds and A Kiss Coupon. As always, never open attachments that you aren’t expecting, especially from someone you don’t know, and make sure your anti-virus and anti-spyware/malware programs are updated. And hey, let’s be careful out there.
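Every Storm lure described above follows the same pattern: a provocative subject line plus an executable attachment such as Full Story.exe. As an added example that is not from the original post or from any vendor, here is a small mail-gateway triage check in Python that parses a message, flags executable attachments by extension and by the PE “MZ” header (which survives renaming the file) and matches the subject fragments quoted above; the lure regex, extension list and sample messages are my own constructed choices, not a vendor signature.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Subject fragments and attachment names quoted on this page for the Storm lures;
# the regex and extension list are my own choices, not a vendor signature.
LURE_SUBJECT = re.compile(
    r"storm batters europe|condoleez+a rice|killer at 11|bouguet of love|kiss coupon", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def triage_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    findings = []
    if LURE_SUBJECT.search(subject):
        findings.append("lure-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_EXT):
            findings.append(f"executable-attachment:{name}")
        # A renamed attachment still carries the PE 'MZ' header in its first bytes
        if data[:2] == b"MZ":
            findings.append(f"pe-header:{name}")
    if any(f.startswith(("executable-attachment", "pe-header")) for f in findings):
        verdict = "block"
    elif findings:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"subject": subject, "findings": findings, "verdict": verdict}


def build_sample(subject: str, filename: str, content: bytes, subtype: str) -> bytes:
    """Constructed test message (not a real captured sample)."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["Subject"] = subject
    msg.set_content("")  # the Storm mails were often otherwise empty
    msg.add_attachment(content, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: a Storm-style lure carrying a fake PE stub, and a benign report.
STORM_SAMPLE = build_sample("230 dead as storm batters Europe", "Full Story.exe",
                            b"MZ\x90\x00" + b"\x00" * 60, "octet-stream")
BENIGN_SAMPLE = build_sample("Q4 report", "report.pdf", b"%PDF-1.4\n", "pdf")
```

Running `triage_message` over both samples returns a "block" verdict for the lure (executable extension, PE header and lure subject all fire) and "deliver" for the PDF.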
Apparently there is some confusion concerning the Skype worm I posted about yesterday: Websense now says it is a Trojan horse that is not exploiting anything, it is just using the chat feature to send the file.
Yesterday Websense Security Labs reported on our blog that there was a potential Worm propagating via Skype (see: http://www.websense.com/securitylabs/blog/blog.php?BlogID=101). After investigation we have discovered that this is not a self propagating worm and is actually a Trojan Horse.
After discussions with the very helpful Skype security team, the behavior of this Trojan using the Skype API is as per the specifications of the API. The end-user who is running Skype does get notified that a program is attempting to access it and must acknowledge it. Source: Websense
Here is what F-Secure says about it.
- There is no massive outbreak going on
- There is something spreading on Skype, but only in limited numbers
- It is not exploiting a vulnerability in Skype but simply sending chat messages asking you to download and run the infected executable
- There are two different and separate malware samples being talked about relating to this case, confusing things further
- One of them is named “sp.exe”. We received a sample of this yesterday and added detection. This one is connecting to nsdf.no-ip.biz in its attempt to download additional components
- The other one is described in here. This one downloads additional components from marx2.altervista.org, and it’s actually not new at all: we’ve detected it since the beginning of October.
So, this puppy will probably start showing up on other chat programs as well, and is probably one of many variants to come. As we all know, these guys are getting lazy and just pumping crap out onto the internet hoping to snag a few users.
Microsoft today released the first draft of their Patchguard APIs, which will give independent security vendors a way to work with the new Patchguard kernel protection rather than patching the kernel. They also released an evaluation document that details the process Microsoft used in evaluating vendor requests for APIs to the Vista kernel, and they want feedback on the evaluation criteria as well as on the Patchguard API by the end of January 2007.
Today’s draft APIs are based on feedback from 26 security vendors and address four major areas, Fathi said. They include APIs for tamper protection, memory-based controls and image-loading operations. Together, the APIs address a majority of the issues raised by third-party security vendors in discussions over the past few months, Fathi said.
“Over the next few weeks, we will work with them to see if there are any changes that are needed,” he said. “Hopefully, everybody will agree this is the right set of APIs and this is what we will deliver in Vista SP1,” he said. Microsoft also plans to continue to work with vendors in gathering requirements from them and delivering new APIs as needed.
At the same time, however, Microsoft has not changed its position regarding third-party access to the Vista kernel, Fathi said. Some vendors have asked the company to consider allowing qualified security vendors to modify the kernel. They point to the fact that they have been allowed to do so with 32-bit versions of Windows and argue that it should be allowed on 64-bit Vista as well. Source: Computerworld
Security vendors still want to be able to manipulate the kernel, like they have been able to do until the release of Patchguard, but Microsoft says it is key to preventing malware such as rootkits: if the security vendors can get around it, then one day so will some of the malicious programmers. Some of the vendors, like Symantec, say Microsoft is hindering their ability to deliver some features of their software, and that they need to be able to manipulate the kernel to provide host-based intrusion prevention and tamper protection. I say, just do antivirus. I worked on a PC today that had the Symantec security suite installed, which has a firewall, spyware protection, intrusion detection and loads of other stuff running. Even with all of that, it was still eaten up with spyware and crap, and after uninstalling it, the system acted like I had reloaded the operating system, it was that much faster. So, Symantec, McAfee and whoever else might be listening, just make good antivirus like we are used to; your software slows down our machines more than the spyware and malware does.
A new worm is spreading its way around the internet using Skype, the first, I believe, to use Skype, although I could be wrong. This virus affects the following versions of Windows: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. So, pretty much all of them but the newest and the oldest.
Here is the info Websense has on it:
- users receive messages via Skype Chat to download and run a file
- the filename is called sp.exe
- assuming the file is run it appears to drop and run a password stealing Trojan Horse
- the file also appears to run another set of code that uses Skype to propagate the original file
- the file is packed and has anti-debugging routines (NTKrnl Secure Suite packer)
- the file connects to a remote server for additional code
- the original site has been black holed and is not serving the code anymore
- the number of victims is still TBD
- the original infections appear to be in APAC region (Korea in particular)
Symantec has more info on their site, and they are calling it W32.Chatosky.
When W32.Chatosky is executed, it performs the following actions:
- Searches the registry for the location of the Skype application.
- Displays the following message and then exits if it cannot find the registry:
  I could not find Skype !
- Executes the Skype application and displays the following message if it finds the registry:
  Allow this program in skype!
- Queries Skype for random users every 3 minutes.
- Starts the Skype application and sends the following message to the users:
  Check this!
This is where it displays a URL containing the worm body.
To remove it, disable System Restore (Windows Me/XP), update the virus definitions and run a full system scan.
A vulnerability that Symantec patched in May is being used to attack computers running the corporate version of their Norton Antivirus software. The update is not automatic by any means and needs to be applied by the corporations running it.
EEye Digital Security, based in Aliso Viejo, said the worm, dubbed ‘Big Yellow,’ began attacking some computer systems on Thursday, seven months after eEye first discovered the flaw.
Symantec released a patch to address the flaw in May but it’s up to its corporate customers to install it. Officials at the Cupertino-based security software company said Friday it had so far received three reports of systems affected by the worm. Source: Topix
Big Yellow infects machines through the security hole, and once a machine is infected it tries to spread the bot program to other computers, one of the common ways botnets proliferate. Symantec says it is not widespread and is definitely not an outbreak by any means, as they have had only three reports so far.
Here is a video of the Grey Goo worm that was attacking Second Life recently.