Home > Security News > Trojan trio disables Windows, AV updates
Security News:
EMAIL THIS LICENSING & REPRINTS

Trojan trio disables Windows, AV updates

By Bill Brenner, News Writer
02 Jun 2005 | SearchSecurity.com

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

A trio of malicious programs is working together to hijack as many machines as they can in a short period, antivirus experts warned Thursday. Their apparent mission -- grow an army of zombie machines that can be sold on the black market and used to steal identities, lift bank account numbers and launch other attacks.

"This is all about money," said Roger Thompson, director of malicious content research for New York-based Computer Associates [CA]. "It's about the simple theft of credit card and bank account numbers, and there's probably a nexus with adware."

In the last 24 hours, CA has discovered coordination between three Trojan horse programs -- Glieder, Fantibag and Mitglieder.

Trio of trouble
According to CA, here's how the Trojans operate:

  • Glieder goes out and "seeds" cyberspace. On June 1, CA watched eight variants spread in quick succession. The whole point is to get to as many victims as fast as possible with a lightweight piece of malware, CA said.
  • Fantibag then creates a "shields down" on compromised systems, exploiting the infected machines' networking features to prevent them from communicating with antivirus companies or with Microsoft's update site. This means the security software can't call for updates.
  • Mitglieder then turns the compromised machine into a zombie that can be used to generate future attacks and act in concert with countless other zombie PCs. Machines infected with Mitglieder act as a proxy to force traffic to malicious sites, track user behavior, record keystrokes and set up spam relays.

Glendale, Calif.-based PandaLabs has also been tracking Mitglieder, saying it has been spammed to thousands of users around the world.

"Malware creators try to distribute their creations rapidly to prevent users from having time to update their antivirus solutions. They're trying to exploit the vulnerability window, i.e. the time that it takes between new malware appearing and users installing the updates on their computers," PandaLabs director Luis Corrons said in a statement. "New techniques are frequently being used in order to spread malware as rapidly as possible. So for example, as in this case, thousands of infected mails could be sent simultaneously as spam, or numerous variations can be launched at the same time."

The Bagle connection
Thompson said there's also a connection between the Trojans and this week's outbreak of new Bagle worm variants. "It's hard to tell the difference between Bagle and Mitglieder," he said. "Most of these share common code and they get mixed together."
Related news items

Bagle, Mytob back for more trouble

Botnets more menacing than ever

Which points to a much larger problem, he said: "The bad guys have figured out that if they make a minor variation in their worms, viruses and Trojans and perhaps pack them a bit differently, these things can spread more rapidly and infect more computers before antivirus software has a chance to catch up."

With the first two Trojans spreading too quickly for AV to keep up, Fantibag arrives and cuts access to the security updates, Thompson said. "The attackers are being very cunning," he said. "They could launch one big program but instead they use smaller pieces that can easily be replaced. It's easier to change the smaller bits than fix the big part. It's a very sophisticated approach."

All about the botnets
For now, attackers don't seem to be aiming directly at enterprise networks, Thompson said. "I don't think this is about targeting a large corporation," he said. "I think it's about these guys trying to build botnets out of home systems."

But he said these botnets can eventually be used to hack into corporate databases to steal sensitive data or to launch other attacks.

In recent days security experts have also expressed alarm that hackers are successfully using zombie machines to launch brute force attacks against Secure Shell [SSH] servers that are accessible via the Internet.

Since there's no limit to what the bad guys can do with a zombie army, Thompson said there's growing demand on the black market for compromised machines. "The world is getting exceptionally scary," he said.

Tags: Viruses, Worms and Other MalwareVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   




More Tips to Secure Your Network
Focused on Channel Security?
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts