Imageryfx News

Gozi Trojan - New and Improved Version

Mon, 21 May 2007 04:05:45 GMT

A new, stealthier version of a previously known Russian Trojan horse program called Gozi has been circulating on the Net since April 17 and has already stolen personal data from more than 2000 home users worldwide.

The compromised information includes bank and credit card account numbers (including CVV codes), Social Security numbers, and online payment account numbers as well as usernames and passwords. As with its predecessor, the new version of Gozi is programmed to steal information from encrypted SSL streams and send the stolen information to a server based in Russia.

The variant was discovered by Don Jackson, a security researcher with Atlanta-based SecureWorks Inc., who also discovered the original Gozi Trojan back in January.

Two core "enhancements"

According to Jackson, the new version is very similar to the original Gozi code in its purpose, but features two core enhancements. One of them is its use of a new and hitherto unseen "packer" utility that encrypts, mangles, compresses and even deletes portions of the Trojan code to evade detection by standard signature-based anti-virus tools. The original Gozi Trojan, in contrast, used a fairly commonly known packing utility called Upack, which made it slightly easier to detect than the latest version.

This version of Gozi also has a new keystroke logging capability for stealing data, in addition to its ability to steal data from SSL streams. According to Jackson, the keystroke logger appears to be activated when the user of an infected computer visits a banking Web site or initiates an SSL session. It is still unclear how exactly the keystroke logger knows to turn itself on and capture information, Jackson said.

Apart from those two differences, the variant is identical to Gozi, Jackson said. The Trojan takes advantage of a previously fixed vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer to infect systems. Users typically appear to be infected when visiting certain hosted Web sites, community forums, social networking sites and those belonging to small businesses.

Trojan Piggybacks on Windows Updater

Wed, 16 May 2007 12:54:27 GMT

At least one Trojan virus writer is now using an integral part of the Windows operating system�BITS (Background Intelligent Transfer Service)�to download files to already infected systems.

Windows Update uses BITS as an asynchronous download service to fetch patches, updates and other files�and, in this instance, malware.

Security researcher Frank Boldewin, along with Symantec's Elia Florio, discovered the technique the week of May 7 after analyzing a recent Trojan distributed via spam e-mail in Germany toward the end of March. According to Florio's May 10 posting on Symantec's site, Boldewin determined that the Trojan�which he detected as "Downloader"�was using BITS to bypass the firewall and download files without firewall inspection. As part of the operating system, BITS is trusted and gets passed through without having to go through the firewall.

According to Florio, more common methods used by malware to bypass firewalls include running a continuous thread that sends "Yes, accept" messages to the firewall window, which warns users about strange network connections; shutting down the firewall or killing its processes; injecting malicious code into Internet Explorer or other processes in the firewall's trusted applications list; and patching network drivers to disable firewall filtering.

IE7 Download Disguised as Virus

Thu, 12 Apr 2007 11:36:28 GMT

If you receive an e-mail offering a download of Internet Explorer 7 Beta 2, delete it. A new virus is making the rounds that comes disguised as a test version of Microsoft's current Web browser.

Security experts reported no widespread damage Friday morning, but they said the virus is notable for a couple of reasons. The e-mail includes a convincing graphic that looks like it could really be from Microsoft, and the virus is delivered when recipients click on a link rather than in an attachment, which makes it harder to stop it from reaching in-boxes.

"The idea of sending a link seems to be a trend among attackers; it's still fairly new and it works much better than sending a file," said Mikko Hypponen, chief research officer at F-Secure.

The e-mails carry the subject line "Internet Explorer 7 Downloads" and appear to come from admin@microsoft.com. They include a blue, Microsoft-style graphic offering a download of IE 7 beta 2. Clicking the graphic will download an executable file called IE 7.exe.

NOD32 - Best Antivirus Product of 2006

Fri, 26 Jan 2007 09:49:36 GMT

ESET today announced that NOD32 has been named the overall best antivirus product of 2006 by the independent testing group AV-Comparatives.org. Of the 16 antivirus products tested across multiple categories, ESET NOD32 antivirus solution earned the top rank in proactive on-demand detection, and on-demand scanning speed.

ESET NOD32 was recognized for its advanced heuristics scanning capabilities at a high-rate of speed and accuracy. In contrast, many competing antivirus products consume significantly more system resources which slow computer and network performance and response times, resulting in poor end-user experience. AV-Comparative test results reveal that NOD32 has consistently distinguished itself with high proactive detection and performance.

Security threats continue to be one of the most critical challenges confronting both enterprises and consumers. With cyber crime emerging as multi-billion dollar industry, hackers continue to look for new ways to reap financial rewards and obtain valuable intellectual property. Consequently, security experts predict 2007 will reflect an increase in the frequency and complexity of malicious, covert malware attacks. This new online world significantly ups the ante for the baseline requirements in an anti-malware solution.

"This year's report shows that ESET NOD32 leads not just in one, but multiple categories of comparison," said Andreas Clementi, project manager at AV-comparatives.org. "NOD32 proactively identifies and eliminates the type of complicated malware threats that are emerging now and which will continue to evolve. When you combine the speed, accuracy and advanced heuristics capabilities of ESET's solution, it is clearly the best performing AV product on the market today."

According to the 2006 end-of-year report, ESET NOD32 was the winner in three different individual categories, including "Overall," "Proactive On-Demand Detection," and "Highest on-demand scanning speed." ESET NOD32 was recognized as the best overall solution because it received the highest award, Advanced+, in two on-demand and two proactive scanning tests in 2006.

"ThreatSense� technology distinguishes us from the rest of the market, and the proof is further validated with ESET NOD32 being declared the best solution in 2006," said Rick Moy, vice president of marketing, ESET LLC. "The developers have continued to stay true to the mission of delivering the smallest, fastest and most accurate protection. With security risks continuing to evolve and accelerate, it's important to have a proactive solution that doesn't incur unnecessary management overhead. NOD32 allows customers to focus on what is important to their business."

ESET NOD32 Antivirus version 2.7 utilizes ThreatSense� technology, a sophisticated detection system based on advanced heuristics, to proactively identify previously unknown viruses, Trojans, spyware, rootkits and phishing attacks in real-time. ThreatSense is built into NOD32's unified scanning engine to provide comprehensive protection so users do not need to rely on additional point solutions for spyware and adware protection.

Storm Worm Virus

Sat, 20 Jan 2007 06:18:45 GMT

Finnish data security company F-Secure told reporters today that a computer virus called "Storm Worm" was sent to hundreds of thousands of email addresses globally. Knowing how many e-mail users do not blind-copy (BCC) their friends when sending mass e-mails, the numbers could be much higher. According to F-Secure, "Storm Worm" is spreading very quickly.

Representatives from F-Secure said "the Small.DAM (Storm-Worm) we posted on earlier spread very fast during the night, Helsinki time. The heavy seeding through spam was quickly obvious on our tracking screens. The worm was spread throughout the world very rapidly." The actual virus is called Small.DAM and at this time the origin of the virus is unknown.

Happy New Year Worm

Mon, 01 Jan 2007 08:33:43 GMT

Worm-laden messages are titled "Happy New Year" and contain an attachment called either postcard.exe or postcard.zip, according to experts at VeriSign's iDefense Labs, which provides information on security flaws and exploits. If the attachment is opened, malicious software is downloaded from the Internet and can infect computers running Windows operating systems.

Once a computer is infected, it looks for open mail proxies and begins spamming mail to infect other computers. The worm is already moving quickly across the Internet, at a rate of five e-mails per second on at least one large network, according to the iDefense Labs Web site.

Chip Can Stop PC Viruses

Tue, 28 Nov 2006 07:52:40 GMT

Researchers in Japan have developed a microchip that blocks computer viruses before they enter PCs, an advance that could change how security software is used.

Chips in routers can stop viruses without slowing down programmes running on computers the way security software does, according to researcher Eiichi Takahashi at the government-funded National Institute of Advanced Industrial Science and Technology.

But the chips need to be rewritable so they can be updated with online information about new viruses, and that creates a problem, because rewritable chips now can recognise only a few hundred viruses each.

CCleaner - Optimization and Privacy Tool

Fri, 24 Nov 2006 23:08:16 GMT

CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. But the best part is that it's fast (normally taking less than a second to run) and contains NO Spyware or Adware!

Spam Back With A Vengeance

Sun, 19 Nov 2006 00:04:00 GMT

Postini, the industry's leading provider of on-demand Integrated Message Management services making electronic communications like email, instant messaging (IM) and the web more compliant, productive, secure and reliable, today announced that spammers are out in full force, severely threatening corporate networks while seeking financial gain. Postini processed nearly 70 billion email connections from September to November, and saw a 59 percent spike in spam over that period. Unwanted email is currently 91 percent of all email, and over the past 12 months the daily volume of spam rose by 120 percent. Postini also saw a dramatic increase in overall email traffic with 10 billion more connections in October than in September.

"This dramatic rise in spam attacks on corporate networks has the Internet under a state of siege," said Daniel Druker, executive vice president of marketing at Postini. "Spammers are increasingly aggressive and sophisticated in their techniques, and protection from spam has become a front-burner issue again. Spam has evolved from a tool for nuisance hackers and annoying marketers to one for criminal enterprises."

Spam Trojan Installs Own Antivirus Scanner

Sun, 22 Oct 2006 10:35:07 GMT

Veteran malware researcher Joe Stewart was fairly sure he'd seen it all until he started poking at the SpamThru Trojan-a piece of malware designed to send spam from an infected computer.

The Trojan, which uses peer-to-peer technology to send commands to hijacked computers, has been fitted with its own anti-virus scanner-a level of complexity and sophistication that rivals some commercial software.
"This the first time I've seen this done. [It] gets points for originality," says Stewart, senior security researcher at SecureWorks, in Atlanta, Ga.

"It is simply to keep all the system resources for themselves-if they have to compete with, say, a mass-mailer virus, it really puts a damper on how much spam they can send," he added.