<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title> &#187; Virus News</title>
	<atom:link href="http://www.bytware.com/news/category/virus-news/feed" rel="self" type="application/rss+xml" />
	<link>http://www.bytware.com/news</link>
	<description></description>
	<lastBuildDate>Mon, 22 Jun 2009 07:20:55 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Computer viruses make it to orbit</title>
		<link>http://www.bytware.com/news/2008/08/computer-viruses-make-it-to-orbit</link>
		<comments>http://www.bytware.com/news/2008/08/computer-viruses-make-it-to-orbit#comments</comments>
		<pubDate>Mon, 01 Sep 2008 03:16:13 +0000</pubDate>
		<dc:creator>Christopher Jones</dc:creator>
				<category><![CDATA[Virus News]]></category>
		<category><![CDATA[international space station]]></category>
		<category><![CDATA[NASA]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.bytware.com/news/?p=134</guid>
		<description><![CDATA[A computer virus is alive and well on the International Space Station (ISS). Nasa has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to steal login names for popular online games. Nasa said [...]]]></description>
			<content:encoded><![CDATA[<p class="first"><strong>A computer virus is alive and well on the International Space Station (ISS). <span style="font-weight: normal;">Nasa has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to steal login names for popular online games. Nasa said it was not the first time computer viruses had travelled into space and it was investigating how the machines were infected.</span></strong></p>
<p class="first"><a href="http://news.bbc.co.uk/2/hi/technology/7583805.stm" target="_blank">Read the full story &gt;</a></p>
<p class="first">(Source: BBC)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bytware.com/news/2008/08/computer-viruses-make-it-to-orbit/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers Score Big by Thinking Small (from ComputerWorld)</title>
		<link>http://www.bytware.com/news/2005/06/hackers-score-big-by-thinking-small-from-computerworld</link>
		<comments>http://www.bytware.com/news/2005/06/hackers-score-big-by-thinking-small-from-computerworld#comments</comments>
		<pubDate>Tue, 21 Jun 2005 03:42:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security News]]></category>
		<category><![CDATA[Virus News]]></category>
		<category><![CDATA[credit cards]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[mastercard]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://www.bytware.com/v3/news/2005/06/hackers-score-big-by-thinking-small-from-computerworld</guid>
		<description><![CDATA[The days of hackers sending out viruses for kicks and the creation of general mayhem are giving way to a world of sophisticated, targeted attacks that can reap big rewards for criminals and degrade consumer trust in companies. Organizations that one might think would be the most secure have recently been compromised. Is your company [...]]]></description>
			<content:encoded><![CDATA[<p>The days of hackers sending out viruses for kicks and the creation of general mayhem are giving way to a world of sophisticated, targeted attacks that can reap big rewards for criminals and degrade consumer trust in companies. Organizations that one might think would be the most secure have recently been compromised. Is your company ready to guard against the prying eyes of hackers?</p>
<p>&#8220;A recent computer security breach that left 40 million credit cards vulnerable to fraud shows how online criminals are scoring big by thinking small. Cybercriminals are increasingly crafting more focused attacks with a potential for profit as they target one or two companies at a time, rather than blasting out Internet virus attacks across the globe, according to security experts.</p>
<p>The payoffs can be enormous. MasterCard International Inc. said on Friday that an outsider gained access to as many as 40 million credit and debit cards from CardSystems Solutions Inc., a payment processor (see &#8220;Security breach may have exposed 40M credit cards&#8221;). A MasterCard spokeswoman said yesterday that the attacker had placed a malicious computer script on CardSystems computers&#8230;&#8221;</p>
<p>(Information excerpted from Andy Sullivan&#8217;s ComputerWorld story.)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bytware.com/news/2005/06/hackers-score-big-by-thinking-small-from-computerworld/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Massive Internet Attack Threatens Millions with Trojan</title>
		<link>http://www.bytware.com/news/2004/06/massive-internet-attack-threatens-millions-with-trojan</link>
		<comments>http://www.bytware.com/news/2004/06/massive-internet-attack-threatens-millions-with-trojan#comments</comments>
		<pubDate>Fri, 25 Jun 2004 18:47:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Virus News]]></category>
		<category><![CDATA[internet attack]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.bytware.com/v3/news/2004/06/massive-internet-attack-threatens-millions-with-trojan</guid>
		<description><![CDATA[A massive attack on the World Wide Web has been underway affecting thousands of popular websites. Simply visiting an affected page can cause users to become infected with a Trojan horse that can allow hackers to obtain passwords and other critical information from remote systems. SearchSecurity.com has reported on the issue: &#8220;A widespread Internet attack has [...]]]></description>
			<content:encoded><![CDATA[<p>A massive attack on the World Wide Web has been underway affecting thousands of popular websites. Simply visiting an affected page can cause users to become infected with a Trojan horse that can allow hackers to obtain passwords and other critical information from remote systems. SearchSecurity.com has reported on the issue: &#8220;A widespread Internet attack has hit thousands of Web sites in the past week, planting malware on vulnerable machines that may be designed to steal credit card and other information then marketed to organized identity theft markets, according to government officials and information security experts.&#8221; <a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci990409,00.html" target="_blank">Read the full SearchSecurity.com story</a>.</p>
<p>Builder.com has also identified the source of the attack in an e-mail security brief: &#8220;An attack launched this week by crackers was nipped in the bud on Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code for the attack. However, compromised Web sites are still attempting to infect Web surfers&#8217; PCs by referring them to the server in Russia, but that computer can no longer be reached.&#8221; <a href="http://www.builder.com/" target="_blank">Visit Builder.com for the most recent information</a>.</p>
<p>Bytware urges all system administrators and managers to ensure that scanning engines and DAT files are up-to-date.</p>
<p>For more information about iSeries virus protection, <a href="http://www.bytware.com/products/av/" target="_blank">visit the main StandGuard Anti-Virus page</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bytware.com/news/2004/06/massive-internet-attack-threatens-millions-with-trojan/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mydoom.F Strikes iSeries Shops</title>
		<link>http://www.bytware.com/news/2004/02/mydoomf-strikes-iseries-shops</link>
		<comments>http://www.bytware.com/news/2004/02/mydoomf-strikes-iseries-shops#comments</comments>
		<pubDate>Wed, 25 Feb 2004 19:43:52 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Industry News]]></category>
		<category><![CDATA[Virus News]]></category>
		<category><![CDATA[AS/400]]></category>
		<category><![CDATA[iSeries]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[mydoom]]></category>
		<category><![CDATA[system i]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.bytware.com/v3/news/2004/02/mydoomf-strikes-iseries-shops</guid>
		<description><![CDATA[A new variant of the Mydoom worm began making its way around the Internet last Friday, and this particularly nasty worm has already caused a great deal of damage to users—including iSeries shops—thanks to its ability to delete files. W32/Mydoom.f@MM, or simply Mydoom.F, is a mass-mailing and share-hopping worm based upon the original Mydoom code. [...]]]></description>
			<content:encoded><![CDATA[<p>A new variant of the Mydoom worm began making its way around the Internet last Friday, and this particularly nasty worm has already caused a great deal of damage to users—including iSeries shops—thanks to its ability to delete files. W32/Mydoom.f@MM, or simply Mydoom.F, is a mass-mailing and share-hopping worm based upon the original Mydoom code. The second variation, Mydoom.B, dropped the worm’s code making it readily available to virus writers. Experts believe that Mydoom.F originates from a different author than the original.</p>
<p>Like earlier variants of Mydoom, this new worm launches distributed denial of service (DDoS) attacks, this time against Microsoft and the Recording Industry Association of America (RIAA). In addition, Mydoom.F searches for and deletes files on local and mapped drives. The worm primarily targets image files and Microsoft Word and Excel documents, searching for the extensions .bmp, .avi, .jpg, .sav, .xls, .doc, and .mdb. The worm runs in a loop and deletes additional files on each pass.</p>
<p>Mapped drives need not be physically located on the infected system in order to be affected by Mydoom.F. Drives located on other platforms that can house Windows files can be equally affected.</p>
<p>Bytware, Inc., the Reno, Nevada-based developer of StandGuard Anti-Virus for the IBM eServer iSeries, has been contacted by several iSeries shops that have suffered data loss caused by Mydoom.F infection of networked PCs. The iSeries is generally viewed as invulnerable to viruses. A common practice of scanning the iSeries with a Windows PC through a mapped drive can open a door for worms and viruses to the iSeries.</p>
<p>In addition to file deletion and DDoS attacks, the Mydoom.F worm opens TCP port 1080, and additional ports in the range of 3000 to 5000, in an attempt to allow the author access to infected machines.</p>
<p>Mydoom.F arrives as an e-mail attachment in a variety of file types, including .zip. Upon identifying shared or mapped drives, the worm makes copies of itself as .zip archives or .exe files in different directories using random file names. It also propagates by harvesting e-mail addresses from infected systems and mass mailing itself using its own SMTP engine.</p>
<p>Most AV vendors have added definitions for Mydoom.F and experts urge users to update their anti-virus software and to protect all systems, including non-Windows platforms that may act as file servers and are attached to Windows PCs via mapped drives.</p>
<p>For more information about Mydoom.F, visit the Network Associates Virus Information Library at <a href="http://vil.nai.com/vil/content/v_101038.htm" target="_blank">http://vil.nai.com/vil/content/v_101038.htm</a></p>
<p>For more information about iSeries anti-virus protection, <a href="http://www.bytware.com/products/av/" target="_blank">visit the main StandGuard Anti-Virus page</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bytware.com/news/2004/02/mydoomf-strikes-iseries-shops/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mydoom hits the iSeries</title>
		<link>http://www.bytware.com/news/2004/01/mydoom-hits-the-iseries</link>
		<comments>http://www.bytware.com/news/2004/01/mydoom-hits-the-iseries#comments</comments>
		<pubDate>Thu, 29 Jan 2004 17:42:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Industry News]]></category>
		<category><![CDATA[Virus News]]></category>
		<category><![CDATA[AS/400]]></category>
		<category><![CDATA[iSeries]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[mydoom]]></category>
		<category><![CDATA[system i]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.bytware.com/v3/news/2004/01/mydoom-hits-the-iseries</guid>
		<description><![CDATA[As the original Mydoom worm (W32/Mydoom@MM) continues to spread at blazing speeds around the world, a second variant has been unleashed and is adding to the already overwhelming bandwidth consumption worldwide. In another twist that may have been unexpected by many IT administrators, Mydoom has also hit the iSeries. While the payload of these worms [...]]]></description>
			<content:encoded><![CDATA[<p>As the original Mydoom worm (W32/Mydoom@MM) continues to spread at blazing speeds around the world, a second variant has been unleashed and is adding to the already overwhelming bandwidth consumption worldwide. In another twist that may have been unexpected by many IT administrators, Mydoom has also hit the iSeries. While the payload of these worms does not directly affect OS/400, a lack of anti-virus protection on the iSeries allows the worm to enter through OS/400 mail and reside in files stored on the iSeries.</p>
<p>StandGuard Anti-Virus, the award-winning anti-virus solution that runs natively on OS/400, has been detecting and removing copies of Mydoom found on the iSeries, according to Bytware customers. StandGuard Anti-Virus is powered by the McAfee scanning engine from Network Associates, rated the top scanning engine by <a href="http://www.nai.com/us/about/press/mcafee_enterprise/2003/20030610_154011.htm" target="_blank">the University of Hamburg Virus Test Center</a> for three consecutive years.</p>
<p>Mydoom can enter the iSeries either through mail that passes through OS/400 or by copying itself to the iSeries from a client PC without the user’s knowledge. Only active scanning of the iSeries can detect the worm once it finds its way onto the system. Leaving the worm undetected can spread the infection to client PCs on your network as well as to other companies and networks with which you exchange information.</p>
<p>Experts say that the best way to fight Mydoom is through the use of standard anti-virus solutions. “Companies that are following recommended practices relating to secure e-mail use should be largely protected against the Mydoom virus and its variants,” explain experts in <a href="http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89500,00.html" target="_blank">a new article on Computerworld’s Security website</a>. These practices include vigilantly maintaining up-to-date virus definitions. iSeries security experts, including Carol Woodbury and Patrick Botz, recommend that administrators apply the same virus prevention procedures to their iSeries systems that they apply to their other platforms as a general security best practice.</p>
<p class="listitemheading">More about Mydoom</p>
<p>The Mydoom worm has been labeled the most prolific worm ever by some security experts according to <a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci946881,00.html" target="_blank">an article at SearchSecurity.com</a>. It has shattered the records set in 2003 by the Sobig.F virus, and <a href="http://www.cnn.com/2004/TECH/internet/01/29/mydoom.future.reut/index.html" target="_blank">a new CNN article</a> cites infection rates as high as one in three e-mails. Sobig.F peaked at an infection rate of 1 in 17 e-mails. British security firm MessageLabs reports that they have caught 1.8 million copies of Mydoom in more than 168 countries as of Wednesday, January 28. StandGuard Anti-Virus users are also reporting infections appearing on the iSeries.</p>
<p>The worm is particularly difficult to manage as it utilizes new techniques called “social engineering.” Using these techniques, virus writers attach their work to mail that appears to be a machine-generated error message. The idea is that users trust messages that they believe were generated by a computer as they are accustomed to receiving such messages from administrators and mail servers, especially in corporate settings.</p>
<p>Mydoom arrives as an attachment that can carry one of a number of different file extensions, some of which are routinely allowed by companies including the ZIP format. Many report an attachment that appears to be a text document, but has 60 spaces between the .txt and .exe extensions, preventing users from seeing the true file type. Many users view text documents as innocuous. Security experts say that these techniques are convincing many users who are normally very cautious to open and execute the worm. Mydoom also attempts to spread through file sharing services such as Kazaa if the software is found on an infected system.</p>
<p>The purpose of Mydoom appears to be multifaceted. Both variants target SCO, the Utah-based software company embroiled in a legal battle with IBM over Linux, for a denial of service attack (DOS) on Sunday, February 1, and install a key logger that captures any text entered into the computer, including credit card numbers and passwords. The worms also open ports on the infected system, including ports 80, 1080, 3127, 3128, 8080, and 10080, and can allow the attacker to gain complete control of the computer. The Mydoom.B variant also targets Microsoft for a DOS attack on Tuesday, February 3, and modifies systems to prevent them from utilizing anti-virus software or accessing security websites.</p>
<p>Mydoom is also known as Novarg, Shimgapi, and Mimail.R.</p>
<p><a href="http://www.midrangeserver.com/fhs/fhs030204-story02.html" target="_blank">Learn more in the Midrange Server, Four Hundred Stuff article by Alex Woodie.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bytware.com/news/2004/01/mydoom-hits-the-iseries/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lovsan, Nachi, and SoBig.F Make for Active August</title>
		<link>http://www.bytware.com/news/2003/08/lovsan-nachi-and-sobigf-make-for-active-august</link>
		<comments>http://www.bytware.com/news/2003/08/lovsan-nachi-and-sobigf-make-for-active-august#comments</comments>
		<pubDate>Fri, 22 Aug 2003 04:01:51 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Virus News]]></category>
		<category><![CDATA[lovsan]]></category>
		<category><![CDATA[nachi]]></category>
		<category><![CDATA[slammer worm]]></category>
		<category><![CDATA[sobig.f]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.bytware.com/v3/news/2003/08/lovsan-nachi-and-sobigf-make-for-active-august</guid>
		<description><![CDATA[What a month August has been. First Lovsan, also known as the Microsoft Blaster, took over machines in an attempt to coordinate an attack against Microsoft. Then Nachi—or White Hat—took over machines in an attempt to force them to install a patch to close the door on Lovsan. Now SoBig.F has shattered the record set [...]]]></description>
			<content:encoded><![CDATA[<p>What a month August has been. First Lovsan, also known as the Microsoft Blaster, took over machines in an attempt to coordinate an attack against Microsoft. Then Nachi—or White Hat—took over machines in an attempt to force them to install a patch to close the door on Lovsan. Now SoBig.F has shattered the record set by Klez as the most prolific worm to date. These worms are more than a nuisance; they are affecting real business. SoBig.F’s replication during its first 24 hours not only exceeds the record set by Klez, it completely blows it away. Whereas Klez mailed out 250,000 copies of itself during the first day, SoBig.F passed the 1 million mark. All of these infected e-mails have been clogging networks and creating productivity problems for many companies and organizations worldwide.</p>
<p>We are seeing a move from the days of viruses being mere annoyances to a new world in which viruses can wreak real havoc on our economy and infrastructure. Attention to security is more important today than ever before. The following list of links to news stories demonstrates a sampling of the real effects of recent viruses.</p>
<ul>
<li class="body"><a href="http://www.cnn.com/2003/TECH/internet/08/20/aircanada.virus.reut/index.html" target="_blank">Virus Infect Air Canada Check-in</a> (CNN)</li>
<li class="body"><a href="http://www.theregister.co.uk/content/56/32425.html" target="_blank">Slammer Worm Crashed Ohio Nuke Plant</a> (The Register)</li>
<li class="body"><a href="http://www.news8.net/news/stories/0803/98408.html" target="_blank">Computer Virus Shuts Maryland Motor Vehicle Administration</a> (AP)</li>
<li class="body"><a href="http://www.thedenverchannel.com/technology/2415723/detail.html%20" target="_blank">New Worm Affects Computers at Lockheed Martin</a> (AP)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.bytware.com/news/2003/08/lovsan-nachi-and-sobigf-make-for-active-august/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

