Now that different Netsky variants rule the earth (there are 7 different Netsky variants in the top 10 right now), it's easy to forget how big a problem the Mydoom worm was just three months ago.
To put things into perspective, here are our stats for 2004 so far, sorted by the percentage of all infections:
The big peak caused by Mydoom at the end of January is also nicely visible in this graph:
PS. F-Secure's website is ten years old this April. We'll be posting an anniversary site next week...along the lines of the party we threw when our site was two years old...in 1996!
The latest Netsky attack does not seem to cause a big hit for most of the sites it attempts to attack. At the time of writing both www.nibis.de and www.educa.ch are up and running. Only www.medinfo.ufl.edu seems to have problems - it is not responding at all.
Two new worms are spreading fast this evening - Netsky.AB and Bagle.Z, so we just upgraded them to Radar level 2. The Netsky.AB attachment's extension is always ".pif". Bagle.Z is similar to the Bagle.Y variant, but does not send images in its e-mails.
We have received many reports about a new variant of the Bagle worm - Bagle.Z. This new variant is similar to the previous one, but it does not send pictures in e-mails.
A new Netsky variant was found early this morning. In our book, this is Netsky.AA - the first Netsky to roll into "double digits". The next one will be Netsky.AB, then Netsky.AC, etc.
For reference, many large virus families have done this before, including many macro viruses - which typically had tons of minor variants.
The largest malware family ever seems to be Agobot (aka Gaobot or Phatbot), with over 450 variants. Right now the latest variant is Agobot.RO.
So the latest Bagle variant tries to fool users into clicking the attachment by sending messages with contents such as:
I am a honest, kind,loving,with good sense of humor...etc.,looking for true love... or maybe for pen friend.I like cats
And these messages include a JPEG picture of a girl - and another attachment which is actually the virus. The infectious attachment might have a cherry icon.
The virus contains three different pictures of girls, most likely taken from some dating site. The pictures are shown here blurred, as these girls obviously have nothing to do with the virus.
We received several reports about a new Bagle variant: Bagle.Y. This variant has some new features: it uses encryption for its entire file and adds random garbage to the end of its file as a decoy.
For several years, this day used to mean worldwide damage caused by the CIH virus. This virus was very widespread during 1998-2000. It was programmed to activate destructively every year on this date, overwriting most of the data on the hard drive and attempting to overwrite the Flash BIOS chip of the computer, making it unbootable.
The CIH virus family is no longer widespread. The last time we saw a significant amount of damage (mostly in Asia) was in April 2001. We expect to see no damage now in April 2004.
It looks like Netsky's author mistyped the domain suffix for Turkey - he put '.tc' instead of '.tr'. We came to that conclusion after verifying that the text that is sent to addresses in the .tc domain is in Turkish (a word-by-word translation from an online dictionary such as this).
So now we are running out of letters. Netsky.Z was found two hours ago.
The first Netsky was found on the 16th of February this year. So that's 26 variants in 65 days. Two new variants for every five days...
Like some previous Netsky variants, this one starts a DDoS attack against three websites:
www.educa.ch - The Swiss Education Server
www.medinfo.ufl.edu - Office of Medical Informatics at University of Florida
www.nibis.de - Niedersächsischer Bildungsserver in Germany
We have no clue why these sites are being targeted.
So we spent last night with Mimail, Mydoom and Netskies. Today so far we've been fighting with a minor .S variant of Blaster (aka Lovsan) as well as a new Dumador variant (Dumador.Q).
There seems to be a lot of code-sharing going on. Open source viruses, perhaps? In fact, the source code of Phatbot is now circulating in the underground, and it starts with this:
The new Netsky that we got earlier is not just repacked, but also slightly modified, so we are calling it Netsky.Y.
This variant sends itself using an attachment name that is built from a random domain name, a random user name and a random number. The random number is used as the ID in the subject of the infected email.
First we had the new Netsky.X variant (matching nicely the Bagle.X found yesterday) - which talks nine different languages in the emails it sends. Then a new Mimail variant (Mimail.V) was found, and we just got a report of a new Mydoom variant. This will be Mydoom.J.
Interestingly, this new Mydoom has code parts resembling the Bugbear variants...which might mean one of two things: Mydoom authors are recycling code from Bugbear - or both these viruses are done by the same author. The great Mydoom-Bugbear conspiracy!
Netsky.X sends messages in many different languages: English, Swedish, Finnish, Polish, Norwegian, Portuguese, Italian, French, German and possibly the language of some small island called Turks and Caicos, located in the Atlantic ocean. In many cases the messages are composed incorrectly, suggesting that the worm's author did not ask native speakers for translation or used an on-line translation service like Babel Fish.
A new variant of Bagle has been found: Bagle.X. This variant does not have its own replication system - it only drops a version of the Mitglieder trojan onto a computer. Apparently Bagle.X is being spread actively by spamming it.
Today we found another new Netsky variant: Netsky.W. It is similar to the previous Netsky.P or Netsky.Q variants and it removes the Bagle worm if it finds it on an infected computer.
A new Netsky variant was found - Netsky.V. It does not send itself as an attachment but uses HTML emails which exploit a vulnerability known as the Microsoft Internet Explorer XML Page Object Type Validation Vulnerability and try to download and execute the worm from an infected host.
After years of silence, things are happening on the Macintosh platform. A new trojan known as MP3Concept was found recently. This is not a virus, and it has not been seen in the wild, ie. IT'S NOT SPREADING AND INFECTING MACINTOSHES. We're talking about a proof-of-concept example...but an interesting one; partly because it's on a Mac, partly because it's an MP3 file.
Macintosh used to have lots of viruses. In fact, during the late 1980s viruses were considered to be largely a Macintosh problem, not a PC problem. Nowadays of course the situation is exactly the opposite, with less than 100 known Macintosh-only viruses and around 90,000 PC viruses (and a couple of hundred macro viruses which work under Microsoft Office on both Mac and Windows).
In fact, with the release of the new Mac OS X, several expert techie-type users have migrated to the new Macintosh laptops. Partly because the machines are really nice and look cool, partly because they come with 16:9 wide screens, partly because they are faster than their PC counterparts and partly because the operating system nowadays actually runs on top of Unix.
Viruses and MP3 audio files have had a long relationship. There are tons of PC viruses which use filenames like SONG.MP3.PIF and try to fool the user into clicking on them, expecting to get a song. We've also had several vulnerabilities in common MP3 players such as WinAMP and Windows Media Player. But we haven't seen a "real" MP3 virus.
And this new Mac thing is not a virus either.
In fact, this whole thing has been blown way out of proportion. What happened was that two weeks ago there was a discussion in the newsgroup comp.sys.mac.programmer.misc about how resource forks operate under Mac, and a Swedish programmer called Bo Lindbergh posted example code to illustrate the issue. The original thread is accessible right here.
After a week or so, it became news. In fact, there's a headline called "The first Trojan horse virus to target Apple's latest operating system was discovered this week" on CNN.COM! Obviously this is not right.
What the MP3Concept trojan does is that when the MP3 file is opened under Mac OS 9 or Mac OS X, it is executed as an application because of fake resources inserted in it. The actual code is stored in the ID3 tag of the file, and it will display a message like this:
The audio data in the example MP3 file that was distributed actually contains a man's laughter. Yeah, that's interesting, although it has no importance whatsoever. So we've extracted the laughter to a WAV file which you can listen to by clicking here.
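As an added illustration (not part of the original post, and not modelled on MP3Concept's actual layout), here is a Python walker that parses the ID3v2 tag at the head of an MP3 file and flags frames whose contents are not text, which is the kind of check a scanner needs when code is hidden inside a tag rather than in the audio. The sample files are constructed inline.

```python
import struct

def _syncsafe(b):
    """Decode a 4-byte ID3 'syncsafe' integer (7 data bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def parse_id3v2(data):
    """Walk the ID3v2.3/2.4 tag at the start of data; return a list of (frame_id, payload)."""
    if data[:3] != b"ID3":
        return []
    major = data[3]
    end = 10 + _syncsafe(data[6:10])
    frames, pos = [], 10
    while pos + 10 <= min(end, len(data)):
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":
            break                      # padding reached
        size_bytes = data[pos + 4:pos + 8]
        size = _syncsafe(size_bytes) if major == 4 else struct.unpack(">I", size_bytes)[0]
        frames.append((frame_id.decode("latin-1"), data[pos + 10:pos + 10 + size]))
        pos += 10 + size
    return frames

def _looks_like_text(payload):
    """Text frames ('T...') are one encoding byte plus text; check Latin-1 bodies for control bytes."""
    if not payload or payload[0] != 0:
        return True                    # other encodings (UTF-16 etc.) are not checked here
    return all(32 <= c < 127 or c in (9, 10, 13) for c in payload[1:].rstrip(b"\x00"))

def suspicious_frames(data, max_frame_size=4096):
    """Return ids of text frames carrying binary data, or of any frame that is unusually large."""
    hits = []
    for frame_id, payload in parse_id3v2(data):
        if frame_id.startswith("T") and not _looks_like_text(payload):
            hits.append(frame_id)
        elif len(payload) > max_frame_size:
            hits.append(frame_id)
    return hits

# --- constructed sample files (not real MP3Concept samples) ---
def _frame(fid, payload):
    return fid + struct.pack(">I", len(payload)) + b"\x00\x00" + payload

def _tag(frames):
    n = len(frames)
    ss = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3\x03\x00\x00" + ss + frames

AUDIO = b"\xff\xfb" + b"\x00" * 30      # stand-in for an MPEG audio frame
CLEAN_MP3 = _tag(_frame(b"TIT2", b"\x00Laughter")) + AUDIO
PLANTED_MP3 = _tag(_frame(b"TIT2", b"\x00Laughter")
                   + _frame(b"TXXX", b"\x00code\x00" + bytes(range(256)))) + AUDIO
```

The resource-fork side of the trick (which makes the Finder launch the file) is not visible in the data fork, so a check like this catches only the payload carrier, not the launch mechanism.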
Do note that F-Secure does not have a Macintosh antivirus. We used to, though. F-Secure was actively distributing and developing a Macintosh antivirus product between 1991 and 1998, but nowadays we only do Windows and Linux.
ZDNet is now covering the Netsky.Q DDoS attack which has been able to take down several of the sites it targets.
Sites such as www.kazaa.com and www.cracks.st seem to work fine, but www.cracks.am is seriously bogged down...and the owners of www.edonkey2000.com and www.emule-project.net have set the hosts to point to localhost.
The sites that Netsky.Q is attacking right now seem to be working fairly well. Of the sites under attack only www.emule-project.net seems to be totally unreachable, and www.cracks.am is operating abnormally slowly.
A new variant of the Mitglieder trojan was spammed in e-mail messages today: Mitglieder.AI. Similar trojan variants were dropped by Bagle worms in the past.
We have received a sample of a new variant of the Bugbear (also known as Tanatos) worm. The Bugbear.E worm sends itself in e-mails and steals personal information.
Starting from yesterday, we have already seen several samples of Lovgate.W packed multiple times with ASPack and/or JDPack. Their functionality remains the same; the changes only affect its size.
The Netsky.T variant has been found. It is very close to yesterday's Netsky.S variant, but lacks one text string array (the one with fake anti-virus scan reports). Detection for this variant has been available since yesterday.
We have found a new Netsky variant (Netsky.S). This new variant has a backdoor that allows downloading and running executable files on an infected computer. Netsky doesn't uninstall Bagle any more, so is the war over?
For reference, here's the sizes of the known Netsky variants:
A new variant of the Lovgate family was found during Sunday-Monday night. There's been a burst of activity in this family recently.
The first Lovgate variants were already found more than a year ago, in February 2003. We saw a series of variants between February and June (variants A-M), then a lone N variant in September 2003 and now a new series (variants O-W) which started on March 13th 2004.
A new variant of the Sober family was found. Again on Sunday. The author of this worm apparently always distributes his latest variants on Sundays. Sober.E was found a week ago on Sunday afternoon and Sober.D was found three weeks before that on Sunday-Monday night.
This new one (known as Sober.F or also as I-Worm.Vb.C) sends highly variable German and English emails which always have a PIF or ZIP attachment. The virus is 42496 bytes long.
We expect most of the infections caused by this worm to be located in Central Europe.
Just finished adding a bunch of variants of the Java/Needy Trojan family. This week we have added Needy.D through Needy.I. Basically all of them are quite similar in functionality. The Trojan is downloaded from a malicious web site and executed using a vulnerability in the Internet Explorer Java runtime; it changes the IE homepage and search settings and optionally downloads more trojans to the system.
The best protection against these trojans is to make sure that Internet Explorer has the latest security patches.