The latest Netsky attack does not seem to be hitting most of the sites it targets very hard. At the time of writing both www.nibis.de and www.educa.ch are up and running. Only www.medinfo.ufl.edu seems to have problems - it is not responding at all.
Two new worms are spreading fast this evening - Netsky.AB and Bagle.Z, so we just upgraded them to Radar level 2. The Netsky.AB attachment always has a ".pif" extension. Bagle.Z is similar to the Bagle.Y variant, but does not send images in its e-mails.
For several years, this day used to mean worldwide damage caused by the CIH virus. This virus was very widespread during 1998-2000. It was programmed to activate destructively every year on this date, overwriting most of the data on the hard drive and attempting to overwrite the Flash BIOS chip of the computer, making it unbootable.
The CIH virus family is no longer widespread. The last time we saw a significant amount of damage (mostly in Asia) was in April 2001. We expect to see no damage now in April 2004.
It looks like Netsky's author mistyped the domain suffix for Turkey - he put '.tc' instead of '.tr'. We came to that conclusion after verifying that the text sent to addresses in the .tc domain is in Turkish (a word-by-word translation from an online dictionary such as this).
First we had the new Netsky.X variant (nicely matching the Bagle.X found yesterday), which talks nine different languages in the emails it sends. Then a new Mimail variant (Mimail.V) was found, and we just got a report of a new Mydoom variant. This will be Mydoom.J.
Interestingly, this new Mydoom has code parts resembling the Bugbear variants...which might mean one of two things: Mydoom authors are recycling code from Bugbear - or both these viruses are done by the same author. The great Mydoom-Bugbear conspiracy!
Netsky.X sends messages in many different languages: English, Swedish, Finnish, Polish, Norwegian, Portuguese, Italian, French, German and possibly the language of some small island called Turks and Caicos, located in the Atlantic Ocean. In many cases the messages are composed incorrectly, suggesting that the worm's author did not ask native speakers for translation or used an on-line translation service like Babel Fish.
A new variant of Bagle has been found: Bagle.X. This variant does not have its own replication system - it only drops a version of the Mitglieder trojan onto the computer. Apparently Bagle.X is being spread actively by spamming it.
A new Netsky variant was found - Netsky.V. It does not send itself as an attachment but uses HTML emails which exploit the vulnerability known as the Microsoft Internet Explorer XML Page Object Type Validation Vulnerability and tries to download and execute itself from an infected host.
After years of silence, things are happening on the Macintosh platform. A new trojan known as MP3Concept was found recently. This is not a virus, and it has not been seen in the wild, i.e. IT'S NOT SPREADING AND INFECTING MACINTOSHES. We're talking about a proof-of-concept example...but an interesting one; partly because it's on a Mac, partly because it's an MP3 file.
Macintosh used to have lots of viruses. In fact, during the late 1980s viruses were considered to be largely a Macintosh problem, not a PC problem. Nowadays, of course, the situation is exactly the opposite, with less than 100 known Macintosh-only viruses and around 90,000 PC viruses (and a couple of hundred macro viruses which work under Microsoft Office on both Mac and Windows).
In fact, with the release of the new Mac OS X, several expert, techie-type users have migrated to the new Macintosh laptops. Partly because the machines are really nice and look cool, partly because they come with 16:9 wide screens, partly because they are faster than their PC counterparts and partly because the operating system nowadays actually runs on top of Unix.
Viruses and MP3 audio files have had a long relationship. There are tons of PC viruses which use filenames like SONG.MP3.PIF and try to fool the user into clicking on them, expecting to get a song. We've also had several vulnerabilities in common MP3 players such as WinAMP and Windows Media Player. But we haven't seen a "real" MP3 virus.
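As an added example (not code from the original post), here is a small defender-side check using Python's standard library email module: it walks a message's attachments and flags names that use the SONG.MP3.PIF double-extension trick or carry a bare executable extension such as the ".pif" Netsky.AB uses. The sample message below is constructed for the example; the extension lists are my own assumption of what is worth flagging.

```python
import email
from email import policy

# Extensions Windows runs on double-click; ".pif" is the one Netsky.AB and the
# SONG.MP3.PIF lure rely on. (Assumed list, not from the original post.)
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs"}
# Extensions a lure pretends to be: media or documents the user expects.
LURE_EXTS = {"mp3", "wav", "jpg", "gif", "doc", "txt", "pdf", "htm", "html"}

def classify_filename(name):
    """Return a reason string if an attachment name looks deceptive, else None."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    # Hidden double extension: Explorer shows SONG.MP3.PIF as "SONG.MP3" when
    # "hide extensions for known file types" is on.
    if len(parts) >= 3 and parts[-2] in LURE_EXTS:
        return "double extension .%s.%s" % (parts[-2], parts[-1])
    return "executable attachment .%s" % parts[-1]

def suspicious_attachments(raw_message):
    """Parse an RFC 822 message; return [(filename, reason)] for risky parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # None for multipart containers and bodies
        if name:
            reason = classify_filename(name)
            if reason:
                findings.append((name, reason))
    return findings

# Constructed sample message (not a real worm sample); attachment bodies are dummy.
SAMPLE = """\
Subject: your song
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="SONG.MP3.PIF"

MZ-dummy
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.pif"

MZ-dummy
--b1--
"""
```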
And this new Mac thing is not a virus either.
In fact, this whole thing has been blown way out of proportion. What happened was that two weeks ago there was a discussion in the newsgroup comp.sys.mac.programmer.misc about how resource forks work under Mac, and a Swedish programmer called Bo Lindbergh posted example code to illustrate the issue. The original thread is accessible right here.
After a week or so, it became news. In fact, there's a headline called "The first Trojan horse virus to target Apple's latest operating system was discovered this week" on CNN.COM! Obviously this is not right.
What the MP3Concept trojan does is this: when the MP3 file is opened under Mac OS 9 or Mac OS X, it is executed as an application because of fake resources inserted into it. The actual code is stored in the ID3 tag of the file, and it will display a message like this:
The audio data in the example MP3 file that was distributed actually contains a man's laughter. Yeah, that's interesting, although it has no importance whatsoever. So we've extracted the laughter to a WAV file which you can listen to by clicking here.
Do note that F-Secure does not have a Macintosh antivirus. We used to, though. F-Secure was actively distributing and developing a Macintosh antivirus product between 1991 and 1998, but nowadays we only do Windows and Linux.
ZDNet is now covering the Netsky.Q DDoS attack which has been able to take down several of the sites it targets.
Sites such as www.kazaa.com and www.cracks.st seem to work fine, but www.cracks.am is seriously bogged down...and the owners of www.edonkey2000.com and www.emule-project.net have set the hosts to point to localhost.
The sites that Netsky.Q is currently attacking seem to be working fairly well. Of the sites under attack only www.emule-project.net seems to be totally unreachable, and www.cracks.am is operating abnormally slowly.
The Netsky.T variant has been found. It is very close to yesterday's Netsky.S variant, but lacks one text string array (the one with fake anti-virus scan reports). Detection for this variant has been available since yesterday.
We have found a new Netsky variant (Netsky.S). This new variant has a backdoor that allows downloading and running executable files on an infected computer. Netsky doesn't uninstall Bagle any more, so is the war over?
For reference, here are the sizes of the known Netsky variants:
A new variant of the Lovgate family was found during Sunday-Monday night. There's been a burst of activity in this family recently.
The first Lovgate variants were already found more than a year ago, in February 2003. We saw a series of variants between February and June (variants A-M), then a lone N variant in September 2003 and now a new series (variants O-W) which started on March 13th 2004.
A new variant of the Sober family was found. Again on a Sunday. The author of this worm apparently always distributes his latest variants on Sundays. Sober.E was found a week ago on Sunday afternoon and Sober.D was found three weeks before that on Sunday-Monday night.
This new one (known as Sober.F or also as I-Worm.Vb.C) sends highly variable German and English emails which always have a PIF or ZIP attachment. The virus is 42496 bytes long.
We expect most of the infections caused by this worm to be located in Central Europe.
Just finished adding a bunch of variants of the Java/Needy Trojan family. This week we have added Needy.D through Needy.I. Basically all of them are quite similar in functionality: the trojan is downloaded from a malicious web site and executed using a vulnerability in the Internet Explorer Java runtime; it then changes the IE homepage and search settings and optionally downloads more trojans to the system.
The best protection against these trojans is to make sure that Internet Explorer has the latest security patches.