November 10th, 2004, 08:12 PM
Swiss Army MyDoom variant?
November 09, 2004, 14:53 GMT
The latest MyDoom variant may be something entirely new - a hybrid worm that combines many different security attacks in one. It also appeared with remarkable speed
A new 'Swiss Army' worm initially thought to be MyDoom is exploiting a vulnerability discovered just five days ago.
The worm combines multiple attack techniques in an innovative way: spamming, social engineering, virus infection and Trojans. It has also appeared in record time.
According to antivirus company F-Secure, the virus sends out hundreds of emails from an infected machine. The reader on the target machine follows a link sent in the email, which leads to a Web site hosted on the original infected PC. The IE exploit on that Web site turns the computer into another infected machine, and the cycle starts again. All version of the worm also open a back door to the infected computers.
Versions A, B and C of the Bofra (buffer overflow frame exploit) worm were first thought to be the most recent additions to the MyDoom family, which targets a weakness in Microsoft Internet Explorer 6.0.
But further research has showed that the worms, which spam themselves using social engineering tactics, share too few similarities with MyDoom to be classed as one of the family.
"It's exploiting a hole for which there is not a fix," said Graham Cluley, senior technology consultant for Sophos. "This must be the fastest turnaround yet between finding a vulnerability and a full blown worm."
"It's not a MyDoom virus. There are some similarities, but there are some differences too," said Cluley.
Sophos said it had seen a high number of the messages at the Internet gateway, which implied that they had initially been spammed out. The messages use fake PayPal messages to trick users into clicking on a link. According to F-Secure, the message reads:
"Congratulations! PayPal has successfully charged 5 to your credit card. Your order tracking number is 866DEC0A, and your item will be shipped within three business days.
To see details please click this link"
Cluley added: "Although it mentions PayPal, we haven't seen any phishing. But you'd be so outraged about credit card forgery you would probably click on the link."
Microsoft has yet to release a patch for the IE vulnerability, which security company Secunia issued an advisory about last week. The new worm turned up with surprising speed.
"By Monday we've got a full-blown worm," added Cluley. "Microsoft is meant to be releasing its [monthly] pack of fixes soon, and they didn't mention this. There's a good chance they won't fix this today."
F-Secure also agreed that it was likely that the virus could be something other than MyDoom because the worms only shared half of the properties with MyDoom patterns.
"They are not that similar to existing MyDooms," said Patrik Runald, technical manager for F-Secure. "We haven't received that many reports. But it's interesting because it is only days since the vulnerability was announced."
The viruses, F-Secure added, exploit a vulnerability in Microsoft Internet Explorer 6.0 on Windows 2000 and Windows XP SP1. Windows XP SP2 users are said to be unaffected.
"This uses the same technology as Sasser or Blaster," said Runald. "Most worms use some download functionality on the Internet, and it's fairly easy to close those down. But this makes it much more difficult."
"Really the only way to protect yourself is to not click on the link, to delete unwanted emails, to run antivirus software and to upgrade to [Windows XP SP2]. Only IE is affected by this. If you run Mozilla, Netscape or Opera, you'll be fine," he said.
yet ANOTHER reason to switch to Firefox
November 10th, 2004, 08:38 PM
It will not be long until hybrid [swiss army] entities will exist on the cyberspace... if there would really innovative programmers, I suppose even a cross-platform virus/worm could exist, something along the lines of a Java application or what have you.
November 10th, 2004, 10:27 PM
What you are talking about is called a Blended Threat. It's not actually new. Klez was a mass mailing virus that dropped the Elkern worm which was network aware. That's a bummer if it gets into you corporate network.... It only takes one fool to trash a network for weeks.
The difference here is that the vector, (the email), doesn't carry it's own payload... it gets it by download from somewhere else. Technically this isn't a worm, it's a mass mailing virus. There isn't any indication of worm like behaviour whatsoever. The issue with it is that the AV scanners cannot determine the malicious intent or not of the remote url without reprogramming to download the remote page and scan that for malicious intent.
It's simply a new twist on an old concept.... A mass mailing virus..... This one just avoids the AV scanner by intelligent use of a flaw in IE.....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides