Cracker: Real or virtual?
The fine line separating a real cracker and completely automated
attack tools is blurring rapidly. Today's worms can spread and break open networks
in a manner similar to a human intruder. And this is evident from the attack
mechanisms of the Gaobot (W32.Gaobot.AZT) worm. This worm is a variant of the
earlier W32.Gaobot.WO (Symantec).
W32.Gaobot.AZT uses the same attack strategy as an attacker on the network armed
with a weak password cracking tool. This worm exploits weak passwords on shared
folders in the network. Multiple vulnerabilities like the DCOM RPC vulnerability
are used by the worm to spread. The worm allows black hat hackers to utilize
a predetermined IRC channel for accessing the infected PC. The worm affects
only Windows 2000/NT/XP operating systems. Other Windows versions are unaffected.
Although W32.Gaobot.AZT has not been accorded a top threat
rating by any anti-virus vendor or security advisory, it is still a pointer
towards future threats that might arise. Worms are increasing in complexity
and the amount of damage they can inflict. With capabilities like password crackers
in-built, these worms can do damage of magnitudes much larger than other automated
cracking tools like auto-rooters. Another threat is the free availability of
worm code and tool writing kits that allows even non programmers to increase
damage levels by making easy alterations. This makes possible threats of a scale
that would have been unimaginable earlier.
McAfee's list of top 10 malicious threats
McAfee has announced the top 10 malicious threats identified by McAfee AVERT,
the company's anti-virus and vulnerability emergency response team. This covers
threats affecting both enterprise and home users worldwide in the first half
According to the report, mass mailers are still the predominant
method by which virus writers impact enterprises, whereas Potentially Unwanted
Programs (PUPs) like spyware/adware related malware account for 60 percent of
the malicious threats tracked, significantly impacting consumer and home users.
Based on reports, McAfee AVERT also anticipates phishing schemes will continue
to increase throughout the remainder of 2004 due to general lack of consumer
Overall, McAfee says that computer virus attacks reaching
a medium risk assessment or higher have dramatically increased in the first
half of 2004, compared to all of last year. By the end of the first quarter
of 2004 alone, there were more viruses reaching a medium assessment or higher
than in all of 2003 with over 21 medium or higher viruses in the first quarter
of 2004 compared to 20 medium or higher viruses in all of 2003. In the first
half of 2004, 50 new computer viruses were unleashed everyday.
The top 10 threats in the first half of 2004 all fall into
one of the following three key areas: email-borne virus threats, malware threats
delivered by spam, and spyware/adware threats. Listed in order of significance,
the top threats are:
The recent war between the Bagle and Netsky authors caused a tremendous increase
in the number of virus attacks seen this year. In the first six months of this
year, the Bagle and Netsky viruses have been reported in 215 countries. Today,
there are still three Bagle variants and three Netsky variants that are rated
as a medium threat by McAfee AVERT. Let's take a closer look at the major threats.
Mass Mailers still lead: Mass mailers consist of standalone programs that send
themselves out in the form of an e-mail attachment to e-mail addresses that
are harvested from infected computers. This results in a large number of machines
getting infected within a short period. In addition, worms that carry viruses
and backdoors inside them, or which have additional features such as local network
spreading, or password or data stealing, have become more popular. Overall,
enterprises tend to be more affected than consumers by e-mail-borne viruses,
because corporate employees are less likely to use free software applications
that happen to also deliver spyware or adware.
Spyware/ adware threats continue to climb: Today's adware is more often categorized
as surveillance-driven spyware, programs that are dropped onto a user's system
and installed without their knowledge. In addition, spam that is encoded with
exploit capabilities to also install spyware has become an increasing issue
among consumers. McAfee AVERT's top two listed threats, MhtRedir and Psyme,
are of this class. Overall, consumers are more affected by spyware/adware threats
and less by e-mail-borne threats because most consumers use Internet Service
Providers that proactively scan and clean e-mail viruses before being delivered
to the consumer.
Phishing and identity theft become an increasing concern: Phishing attacks use
spoofed e-mails and fraudulent websites designed to fool recipients into divulging
personal financial data such as credit card numbers and social security numbers.
According to Gartner, 92 percent of phishing attacks occurred just within the
last year. McAfee says that phishing schemes and identity theft will continue
to be a problem among the consumer community until further education and widespread
acceptance of proactive protection occurs.
The first Trojan for PDAs has been reported by Sophos. Christened
Brador (Troj/Brador-A), the virus installs backdoors on PDAs running the PocketPC
This comes in the wake of Cabir, a worm affecting Symbian OS and Duts, a PocketPC
virus, both of the proof of concept variety. Brador's differing factor is that
it contains a deadly payload. This virus affects only PocketPC based PDAs that
use the ARM processor. The virus spreads through Web downloads. When the Trojan
is run, it copies itself in the folder \windows\startup on the infected computer
(to which the PDA is connected) as svchost.exe. It then continually tries to
send an e-mail to the virus author with the infected PDA's IP address. After
this Brador opens TCP port 2989, making the infected PDA open for access to
Brador virus is also known as Backdoor.WinCE.Brador.a, Backdoor.Brador.A, Brador,
WINCE_BRADOR.A, and WinCE/BackDoor-CHK. The good news is that major anti-virus
vendors have reported only low spread of the virus.
The latest Beagle flavor W32.Beagle.AO@mm, the latest variant
of the Beagle worm combines the mass mailing functions with backdoor capabilities.
This just serves to illustrate how deadly viruses can be when their code is
freely available for others to modify them into deadlier versions.
According to Symantec, the W32.Beagle.AO@mm is a mass mailing worm that uses
its own SMTP engine to spread. The email attachment is a Mitglieder-like downloader
that brings the worm from external sources. The worm also has a backdoor functionality,
opening UDP and TCP port 80. This worm affects Windows 2000, Windows 95, Windows
98, Windows Me, Windows NT, and Windows XP. Other systems are not affected by
the virus. Symantec has accorded a threat rating of three to the worm, five
being the most severe.
The worm is also known as W32/Bagle.aq@MM (McAfee), WORM_BAGLE.AC (Trend) and
Win32.Bagle.AG (Computer Associates). Most of the major anti-virus vendors have
issued updates for the latest Beagle mutant.
CA raises Mydoom.O worm to high threat Computer Associates
has raised the threat level for the Mydoom.O worm to high, based on extremely
intensive activity levels and exponential growth.
Mydoom.O uniquely uses search engines and websites as it seeks to find new targets,
and the sheer volume of such traffic effectively causes denial of service attacks.
CA reports more than 1,000 samples from enterprise customers on Mydoom.O, which
is abusing the following sites with intense search activity:
search.lycos.com; altavista.com; search.yahoo.com; google.com