Trojan Steeplechase
May 24, 2008
Eccles has just installed his first virus checker (the impeccable Kapersky Labs) after getting snagged by a couple of trojans. They couldnt do what they wanted because I keep an eye on unusual activity on our LAN for him and can often crack them by booting in Safe Mode and using Stinger, for example. Most importantly he has Mike Linn’s “Startup Manager” installed which would come up with a message like “The application xfs3124mz wants run the program bed327.exe at startup – allow or disallow? “. Startup Manager is an essential tool for XP – not sure about Vista.
It seems people most at risk from computer viruses are big corporations with poor security, followed by downloaders of cracked software, pornography, DVD movies and music.
Last year Slashdot.org reported:
The problem of drive-by downloads from seemingly safe websites is worse than previously thought, according to Google, which counted hundreds of thousands of such malicious sites in a recent study.
In addition, the malware spread by such sites appears to be creating botnet-like structures, placing compromised user machines under the control of remote attackers, Google said.
“Computer users have become the target of an underground economy that infects hosts with malware or adware for financial gain,” said researcher Provos in the report. “Even a single visit to an infected website enables the attacker to detect vulnerabilities in the user’s applications and force the download a multitude of malware binaries.”
This situation is a direct result of Web 2.0, Google found. The typical web portals now uses many complex applications on top of the simple web browser, allowing user feedback for instance, but since those applications are often not kept up to date, it is a cinch for hackers to compromise them.
The most common compromise methods containing trojan programs included web server security, user-contributed content, advertising and third-party widgets. (like the “click here to win a prize” boxes). Some previous studies, including 2005 report from the University of Washington, have found that many thousand websites carry malicious downloads such as spyware or adware.
But Google’s study found a higher proportion of malicious sites: around 450,000 sites that were successfully launching , and another 700,000 URLs that seemed malicious but about which researchers had lower confidence.
The figures were based on an initial analysis of several billion sites already crawled by Google, followed by a more in-depth analysis of about 4.5 million URLs, Google said.
Trojans were the most frequently installed type of malware, with more than 300,000 URLs – This malicious code puts users’ systems under remote control, Google said.
“Frequently, this malware allows the adversary to gain full control of the compromised systems leading to the ex-filtration of sensitive information or installation of utilities that facilitate remote control of the host”, Provos wrote. “We believe that such behavior is similar to our traditional understanding of botnets.“
The main difference is that web-based malware infections are pull-based and as a result the command feedback loop is much looser, he said.
On the other hand, “the population of potential victims is much larger as web proxies and NAT-devices pose no barrier to infection“, Provos wrote. “Tracking and infiltrating botnets created by web-based malware is also made more difficult due to the size and complexity of the web.”
Hackers use scripting languages to determine which vulnerabilities are present on a visitor’s computer and use the information to request appropriate exploits from a central server, Google said.
Malware binaries also change frequently, possibly to thwart detection by anti-virus programs, the study found. Google said it marks potentially dangerous pages with a label which can allow users to avoid exposure to such sites.
Refer to Wikipedia for an example of a “botnet”
The Storm botnet or Storm worm botnet is a remotely-controlled network of ” zombie” computers (or “botnet“) that has been linked by the Storm Worm, …
Scary reading!
