ILL_Natured_gr’s team Weblog

ILL_Natured_gr’s team Weblog at WordPress

Posts Tagged ‘Trojans’

Five of the Dirtiest Malware Tricks

Posted by ILL Natured_gr on September 28, 2007

Five of the Dirtiest Malware Tricks
From disguising applets to look like part of Windows to co-opting security tools, Web crooks use a variety of methods to bypass your system’s safeguards.

Erik Larkin
PC World
Thursday, September 27, 2007; 12:19 AM

If the crooks behind viruses, Trojan horses, and other malicious software were as stupid as they are scummy, we’d have a lot less to worry about. But as protective measures get better at stopping the obvious attacks, online creeps respond with underhanded moves to invade your PC. Here are five of their dirtiest tricks, all based on Trojan horses.

Don’t mind me–I’m only here to break your PC: It’s like sending in a different scout each time to open the gate for the rest of the invaders. The “Glieder Trojan” and many others use a multistage infection process whose first step is a tiny program that the crooks can change constantly so your antivirus watchdog is less likely to recognize it. Once it gets in, the downloader tries to disable your security before pulling down the real payload, which could be a data stealer or anything else the attacker wants.

Locked and encrypted Web sites? No problem: Web sites can and should use secure socket layer (SSL) to encrypt and protect sensitive data such as bank account log-ins. (When a lock icon appears in the address bar, that indicates the site is using SSL.) But the “Gozi Trojan” and its ilk evade SSL protections by making Windows think they’re part of the process, so your data leaves IE and goes through Gozi before it’s encrypted and sent out on the network. Instead of spying on your keyboard, which many security programs watch for, these apps roll into the OS as fake layered-service providers (LSPs).

The SpamThru, SpyAgent, and Jowspry Threats

Malware that scans your PC for malware: An extra antivirus scan can only be a good thing, right? Not when it just gets rid of rivals to the “SpamThru Trojan.” This nasty introduced a pirated, pared-down version of Kaspersky AntiVirus (which Kaspersky has since shut down) to delete other malware so it could have the victim PC to itself to use as a spam sender. If the PC had a real antivirus app, SpamThru would attempt to block its updates, preventing it from identifying new threats.

Equal-opportunity encryption: Encrypting sensitive data and protecting it with a password helps shield it from prying eyes. But the “SpyAgent Trojan” enters the encryption game, too. When installed on a Windows PC with the Encrypting File System (which is included in Windows 2000, XP Pro, 2003 Server, and 2005 Media Center), SpyAgent establishes its own administrator-level user account and uses this account to encrypt its files. You–or your antivirus software–would have to guess the account’s random password to decrypt and scan the malicious files to confirm they weren’t supposed to be there.

Hi, firewall. I’m Windows Update. Honest: Firewalls protect computers and networks from bad guys’ efforts to go in or out. So the “Jowspry Trojan” masquerades as something known and approved–Windows Update. The crafty malware makes its connections look like the Background Intelligent Transfer Service used by Windows Update, and unsuspecting firewalls let it download more attack programs to your PC.

To pull off these sneaky ploys, malware first has to get on your PC. If you keep Windows and other programs up-to-date, avoid opening attachments or clicking links in unsolicited e-mail, and use a good antivirus program, you won’t give the crooks a chance to put their Trojan horses to work.

Descriptions based on research and analysis from Peter Gutmann at the University of Auckland, Craig Schmugar and Aditya Kapoor at McAfee’s Avert Labs, and Joe Stewart at SecureWorks.

For an inside look at the way Internet attackers buy and sell their insidious tools, read “An Inside Look at Internet Attackers’ Black Markets.” To ensure that you’ve closed critical software holes, read “Close the Holes Targeted by the MPack Attack Kit.”

Source : Washingtonpost.com

Posted in Internet, PC Security | Tagged: , , , | Leave a Comment »

C-level employees targeted in trojan attack

Posted by ILL Natured_gr on September 26, 2007

C-level employees targeted in trojan attack
Liam Tung, ZDNet Australia

25 September 2007 01:43 PM

C-level employees of publicly listed companies are being targeted by cybercriminals using malware-infected RTF (Rich Text File) documents disguised as recruitment letters.

Security vendor MesssageLabs reported that 1,100 e-mails containing malware-infected RTF attachments have been recorded over a 16-hour period this month. Four separate waves appeared between 13 and 14 September, the company said.

“All [the emails] were going after C-level management. The e-mails included the company name in subject field, purporting to be a recruitment company. What it had in the attachment is an executable RTF file,” a MessageLabs spokesperson said.

Similar e-mails were noticed in June this year, he said.

The e-mail, which contained no body text, included an .SCR screen saver dummy file within an executable RTF file, the spokesperson said. When recipients attempt to open the file, a message is displayed stating: “Microsoft has encountered an error and had to close.” The recipient is then advised: “To view this, double click on the message.”

Once activated, the RTF file starts a chain of downloads which establish a secure connection between the attacker’s server and the infected computer.

The C-level nature of the targets clearly indicates that the attackers are after information, MessageLabs spokesperson said, but the greater concern is the social engineering technique used to spread the trojan-harbouring e-mail.

“The way that this works has the potential to be so effective. You are getting that top down approach — if they forward that e-mail on internally, that e-mail is coming from a trusted source,” he said.

The spokesperson added that all the e-mails were addressed to a single person, which helps diminish their conspicuousness.

F-Secure security expert Patrik Runald recently postulated that the perfect attack would be a zero-day attack using a rootkit-cloaked trojan sent to an HR manager who, due to company policy, would be compelled to open the document.

He told ZDNet Australia: “These are scary cases because it’s really hard to protect yourself against. We have to run Office and we have to allow Word, RTF, PowerPoint and Excel files through. It shows that signature based antivirus is not enough; you need more technology than that.”

Runald said there is little organisations can do to protect against these threat types besides educating users of the risks because banning the receipt of common file types is impractical.

Heuristic or behavioural-based monitoring is proving to be more effective at blocking these attacks since the behaviour of the file remains the same despite different signatures being used, he said.

Source : zdnet.com.au

Posted in Internet, News, PC Security | Tagged: , , , | 2 Comments »