A report yesterday suggested that a hacked server used by employees at Novell, Inc. was employed to scan large numbers of machines worldwide.
Of course, Novell is not the first company to fall victim to hackers, nor will it be the last: it's just the latest in a long line over recent years.
It seems that the hacked server ran a mail server for a gaming site called 'Neticus.com'. The main web page for the game was hosted on a separate server, also belonging to Novell. Novell insists that the machine conducting the scans and the game web site lay outside the corporate firewalls.
We live in a world where online games are increasingly being subverted to distribute malicious code, as previously reported on viruslist.com. So the compromise of servers belonging to a major software vendor is of great concern.
Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example.
Korean distributions of Mozilla and Thunderbird for Linux turned out to be infected: mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b.
This virus searches for executable ELF files in the current and /bin directories and infects them. When infecting files, it writes itself to the middle of the file, at the end of a section of code, which pushes the other sections lower down. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell.
The infected files have now been removed, but it took some time. And this isn't the first time that infected binary or source code files have been placed on public servers. Yet another example of why you should have an up to date antivirus solution, and scan EVERYTHING you download, without exception.
As the previous post says, there have been a lot of new Bagle modifications in the last 24 hours. And they're continuing, either being spammed, or by previous versions downloading updates to themselves from the Internet. All of this frantic activity is aimed at maintaining the network of infected computers, by finding new victim machines, infecting them, and conscripting them into the network.
We've intercepted at least 20 new versions, and are now up to Bagle.dh. They are showing no signs of stopping at the moment.
As usual, our antivirus databases have been updated with detection for all the latest variants.
During the last six hours or so we've seen another flurry of Bagle variants.
The first variant of the day was detected as Email-Worm.Win32.Bagle.cx while we are up to Bagle.dc right now.
And an urgent update for Bagle.de is already on its way. Talk about a busy day.
We have a moderate alert out on Bagle.cy and, contrary to the spam run of almost a week ago, all these samples do work on NT platforms.
Again the word "price" is popular with these Bagles, so keep a look out for it.
Around the end of August we started to see the next logical step in the evolution of IM malware.
People were complaining about a new IM-Worm. The message which the user receives is actually a link, which when clicked takes the user to a site where a specific piece of IM related software can be downloaded.
There is a single executable which is responsible for spreading these promotional links for this software site across the AOL, MSN and Yahoo instant messaging networks. You guessed it, the first AdWare which spreads via IM.
But it gives rise to a very interesting question: are we dealing with AdWare or with an IM-Worm?
The EULA for the IM related software does explicitly state that this software will send messages to all contacts in the user's IM client. Because of this, and the way in which the program spreads, it could be classified as AdWare. However, the executable file is designed purely to spread the site link, and it doesn't warn the user of its behaviour.
We therefore decided to classify this file as an IM-Worm. We may see similar files in the future and these files might be classified differently because of the way in which they behave.
The company has now changed its policy, and is offering the IM related software without this feature. Why, we don't know. But there is nothing to stop other vendors picking up on this approach and using it to promote their products.
Over the course of the last 10 hours or so we've seen a number of new Bagle variants.
We've just released an urgent update for the fourth spammed Bagle. And just like before these Bagles don't spread any further.
We have also detected a Bagle which does have email spreading functionality; it sends the spammed samples.
The spammed Bagles arrive in a zip archive as a .cpl file. Most likely with "price" in one of the filenames. The .cpl files are all 14340 bytes in size.
All four variants are equal to each other, the only difference is in the .cpl dropper.
The .cpl file functions as Trojan-Dropper to drop the actual Bagle executable.
The most interesting part of this Bagle case is that the Bagle executable does not work on Windows XP or 2000, it only seems to work on Windows 98.
Currently we can only speculate as to the author's motives to create malware which will only function on Windows 98.
We detect the .cpl droppers and mailer as Email-Worm.Win32.Bagle.cs, Bagle.ct and Bagle.cu.
The dropped files are detected as Bagle.cs.
MD5 checksums for the spammed Bagles:
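The delivery traits described in this post (a zip archive carrying a .cpl file, most likely with "price" in a filename, the .cpl being 14340 bytes) can be turned into a mail-gateway triage check. The Python below is an added example, not Kaspersky's detection logic; the function names and verdict labels are assumptions, and the sample archives are constructed in memory from filler bytes.

```python
import io
import zipfile

# Traits taken from the post: .cpl inside a zip, "price" in a filename, 14340 bytes.
CPL_SIZE = 14340
KEYWORD = "price"

def triage_zip(data: bytes) -> dict:
    """Check a zip attachment against the traits described in the post."""
    result = {"cpl_members": [], "size_match": False, "keyword": False, "verdict": "pass"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "unreadable"  # corrupt or not a zip: route to manual review
        return result
    with zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if KEYWORD in name:
                result["keyword"] = True  # supporting signal only, never decisive
            if name.endswith(".cpl"):
                result["cpl_members"].append(info.filename)
                # file_size is the uncompressed size recorded in the zip directory
                if info.file_size == CPL_SIZE:
                    result["size_match"] = True
    if result["cpl_members"]:
        # Control Panel applets are executable code; block on extension alone,
        # and tag the archive when it also matches the reported size.
        result["verdict"] = "block-bagle-profile" if result["size_match"] else "block"
    return result

def make_zip(members: dict) -> bytes:
    """Build a constructed sample archive in memory (filler bytes, no malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    samples = {
        "matches post": make_zip({"new_price.cpl": b"\x00" * CPL_SIZE}),
        "other .cpl": make_zip({"Price.CPL": b"x" * 100}),
        "benign": make_zip({"report.txt": b"hello"}),
        "not a zip": b"plain text attachment",
    }
    for label, blob in samples.items():
        print(label, "->", triage_zip(blob))
```

The size and keyword only describe this particular spam run; the extension rule is the part that stays useful when the dropper is rebuilt.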
Slapper, one of the best known worms for Linux, is three years old tomorrow. It caused an outbreak back in 2002. This anniversary started me thinking about Linux malware:
Before Slapper, Linux viruses had been around for a while. Bliss, a virus which appeared in 1997, was the first to demonstrate that Linux was vulnerable to viruses. And once Bliss opened the door, other types of malware followed.
Many Linux viruses infect ELF [Executable and Linkable Format] files, the most common Linux file type. However, this is not the only technique. Some viruses use Unix shell scripts which are supported by most Linux distributions. These are powerful and easy to write. The Ramen worm, for example, uses known system exploits to gain root access to vulnerable Linux servers and then employs ELF binaries and shell scripts to find other servers to infect.
The number of Linux threats has increased slowly. But they have grown more sophisticated. Multi.Etapux, for example, is a complex polymorphic virus which uses entry-point obfuscation to evade detection. It is also able to infect Windows 32 PE files as well as Linux ELF files. There are also Linux threats which exploit system vulnerabilities in order to attack. The Slapper worm, for example, utilizes a known vulnerability in the OpenSSL library to infect Apache web servers. And the Adore worm uses a random port scan to identify systems that have a root access vulnerability in the BIND DNS service on Linux servers.
Linux virus writers (and all other Unix flavours) face quite a few difficulties. For example, to modify ELF binaries, it's necessary to have root administration rights. And there may be specific dependencies related to specific Linux versions, making it hard for a virus writer to create a single virus for all implementations of Linux. But such obstacles can be overcome. The use of scripts, for example, makes a virus or worm less dependent on a specific Linux distribution. One of the early Linux viruses, Staog, uses a vulnerability to get root access to the system. Slapper uploads itself as a uuencoded source file. It then decodes and compiles the source into an ELF binary, re-compiling itself using a local copy of the 'C' compiler.
So why hasn't there been more malicious code for Linux? The dominance of Windows, particularly as a desktop operating system, is the key reason. Malware authors want the biggest possible bang for their buck so they target the operating system that is most widely used. Linux simply isn't widespread enough to be a serious target - at the moment.
That said, the use of Linux as an operating system is increasing, partly due to the popularity of Linux distributions such as RedHat and SuSE. Currently there are 712 pieces of malware that target Linux. This number will almost certainly increase as the popularity of Linux itself increases.
And one other thing to consider - more and more organizations are starting to use Linux alongside Windows, with a Linux file-server storing Windows applications. These files can be infected at desktop level, with infected files then being stored on the server. Organizations must therefore accept the necessity of scanning the Linux server to protect against malicious code attacks.
Next to the more or less daily scams mentioned in the previous post, we're seeing a resurgence in another scamming tactic.
Over the last couple of weeks more people are reporting charges of $9.95 to their credit cards - for no reason whatsoever.
About a year ago we saw a similar trend and now it has been picked up again.
The scammers hope that because the amount of money is so small, the charge will go unnoticed. They're also using names which closely resemble real company names to make the charges look (at first glance) more legitimate.
So be sure to check your accounts for odd charges on a regular basis.
There's been a lot written about how the Hurricane Katrina situation is being exploited: fake websites distributing malware, fake charity sites collecting donations, and people setting up sites or spamming email to score political points.
As you can see from the graph at ISC, hundreds of Katrina-related domains are being registered each day.
Unfortunately it's not always easy to distinguish between scam sites and legitimate sites, so they should all be treated with great caution.
Sadly, the 419 scammers have also decided to see if they can get a piece of the pie - here's an example of a Katrina-related 419 scam which has been mass-spammed during the last day or so.
It's got all the hallmarks of a classic 419 - grammar and spelling mistakes and a large sum of money. If you get a mail with any of these characteristics, make sure you check the source, and think at least twice before disclosing any personal information.
Subject: (Urgent) New Orleans>> Hurricane Katrina
Please help me out in this desperate situation. I am a Mexican national and
also an illegal immigrant living in the state of New Orleans of the disaster
hit area of the U.S.A. I presently work as a member of a rescue team, following
the event of the recent disaster in New Orleans which is caused by "Hurricane
In a relief effort to save the lives of the indigenes, I personally made
a recovery of some treasure boxes which belong to a private banking firm,
here in New Orleans. These boxes which are currently in my possession were
found to be containing uncountable number of defaced foreign currencies,
which ranges from United States Dollars down to Japanese Yens, thus running
into hundreds of millions of U.S. Dollars when converted.
I have so far decided to undisclose these funds to the "Federal Emergency
Management Agency", pending my personal use, soon after this disaster as
things come back to normal in New Orleans.
Dear colleague, I have already made prior arrangements with a private courier
services firm who will assist me to convey these boxes, out of the U.S.A.
I am desperately searching for a trustworthy individual who would provide
me with a valid home or business address, in outside U.S.A (particularly
in Europe or Asia), where these boxes can be conveyed, so as to start immediate
I am sorry, I may not be able to leave U.S.A at present due to lack of authentic
travel document, but I would like to entrust these funds in you, and I will
make my way out of U.S.A as soon as the boxes are moved out of U.S.A.
Thank you for taking out time to read about my problem. I look forward to
Please you can always reply me on email: marklyford2005@[removed].com
Your contact information will required for easy communication.
Mr markly ford.
Book yourself something to look forward to in 2005.
Cheap flights - http://www.[removed].co.uk/travel/flights/
Bargain holidays - http://www.[removed].co.uk/travel/holidays/
Since we last reported on Nsag infectors, we've seen quite a lot of new malware related to Nsag.
There's no real point in continuing to refer to this malware as Smitfraud, so we won't.
Overall, the malware is the same old thing, but in slightly different clothing. Nsag.b infectors have taken the place of Nsag.a infectors. Although these new infectors aren't really innovating, the Trojan-Downloaders that install these infectors are.
Most Trojan-Downloader.Win32.Zlob variants download numerous pieces of malware - most notably a Nsag.b infector and Trojan.Win32.Puper variants.
Zlob is interesting because of the technique it uses to download files.
It uses a new method to inject code into explorer.exe. This way it can download the malicious files without alerting the firewall.
It would seem that the creators are refining the way the Nsag infector gets introduced to the system rather than building new features into the infector itself.
This once again shows that the author(s) means business. This story is far from over.