A botnet is a
collection of compromised (infected) computers under the collective
control of remote attackers. The malware on the infected computer is
known as a bot, a type of backdoor or remote access trojan (RAT). Here
is a collection of the most common botnets.
The Asprox botnet was
originally a botnet used primarily to deliver phishing scams. In 2008,
the Asprox botnet began employing the bots to discover and use SQL
injection on vulnerable Active Server pages on weakly configured
websites.
Gumblar, known in Japan
as Geno, is a unique botnet - it not only creates a botnet of
compromised PCs, it also backdoors compromised websites enabling
continued remote access and manipulation.
Koobface spreads
through social networking sites, most prevalently through Facebook.
Generally, Koobface relies on social engineering in order to spread. The
Koobface message is designed to trick recipients into clicking through
to a fraudulent website and either (a) entering their Facebook (or other
social networking) credentials or (b) accepting the installation of malware
disguised as a video codec o…
Zeus, often spelled ZeuS,
is a crimeware botnet typically engaged in data theft. Zeus is also
often referred to as Zbot. Zeus is not a single botnet nor a single
trojan, but rather refers to an entire family of trojans and their
respective botnets.
The Storm bot is a
backdoor component that allows remote surreptitious access to infected
systems. The Storm-infected computers (collectively, the Storm botnet)
are outfitted with a spam relay component (to send spam through infected
computers) and a peer networking component (to enable the remote
attackers to communicate with the bot infected computers).
Mariposa is Spanish
for butterfly. In computer lingo, Mariposa is a botnet created by the
Butterfly bot kit. Mariposa is typically spread via instant messaging,
peer-to-peer file sharing networks and as an autorun worm.
Waledec, also spelled Waledac,
is the name of a botnet used to relay malicious spam. The Waledec
distributed spam often consists of fraudulent greeting cards and
breaking news events.
Attackers
are sending email disguised as correspondence from the Centers for
Disease Control (CDC). The email claims an H1N1 vaccination registration
is required. Those who comply with the request won't be registering
with the CDC - instead they will be infecting their computer with a
version of the Banker trojan.
Fear
sells. Whether intentional or otherwise, this can sometimes work to the
advantage of the media and the disadvantage of consumers. Have you ever
been influenced by fear-based reporting, only to find out later that
the reports were wrong?
Barely
a week after the 60 Minutes April Fools' Conficker doomsday update
failed to materialize, the closely watched Conficker.C did finally
manage an update. And in an ironic twist, the worm itself debunks much
of the hype surrounding it.
Microsoft
has released Security Advisory 969136 warning of a newly discovered
zero day PowerPoint vulnerability. The flaw impacts PowerPoint versions
found in Windows versions of Office 2000, 2002, 2003, and Office 2004
for Mac.
Is
the Conficker worm set to detonate some evil payload on April 1st?
According to 60 Minutes, it seems so. Here's the non-FUD behind the
Conficker worm.
Downadup.AL
aka Conficker.B is a network worm that spreads via autorun, dictionary
attacks on weakly protected network shares, and by exploiting the
vulnerabilities described in MS08-067. The worm disables services
related to automatic updates, error reporting, the Windows Security
Center service, and the Windows Defender service. To prevent access to
protection and removal tools, the worm also b…
Autorun
worms spread from USB/thumb drives as well as fixed and mapped drives.
Autorun worms typically drop or download additional malware, usually
backdoors and password stealers. Here's how to remove an autorun worm.
Sality is a family of
file infecting viruses that spread by infecting exe and scr files. The
virus also includes an autorun worm component that allows it to spread
to any removable or discoverable drive. In addition, Sality includes a
downloader trojan component that installs additional malware via the
Web.
A
family of backdoor and autorun trojans are working together to plague
users. One symptom that may appear - the drive volume name and icon may
be changed. The more insidious aspects of the infection are far more
silent and may be overlooked when users attempt manual removal.
In recent
weeks, a rash of spam has been sent that bear much resemblance to the
all-too-familiar tactics of the Storm botnet.
All malware is
bad, but some types of malware do more damage than others. That damage
can range from loss of files or total loss of security. This list (in no
particular order) provides an overview of the most damaging types of
malware.
The
MonaRonaDona 'virus' is a self-advertised 'virus' that isn't even a
virus at all. It's a non-replicating program (i.e., a Trojan) that loads
when Windows is started, changing the Internet Explorer title bar to
read MonaRonaDona and displaying a message which blocks access to your
legitimate running programs.
Many
users have experienced repeated warnings of infection by Psyme each
time they open their browser. Depending on the antivirus in use, the
name given in the warning may be any of the following: Downloader.Psyme
(Symantec), Troj/Psyme (Sophos), Trojan.VBS.KillAV (Kaspersky),
TrojanDownloader.VBS.Psyme (CA), Trojan.Downloader.JS.Psyme (Kaspersky),
VBS/Petch.A (F-Prot), VBS/Psyme (McAfee)
The so-called
Storm worm is actually not a worm, but rather a family of Trojans that
typically include a backdoor, SMTP relay, P2P communications, email
harvester, downloader, and often a rootkit.
The
so-called "U.Z.A. O/S Eliminator" worm appears to have originated in
Maldives sometime in late July or early August 2007. The worm exploits
the autorun feature, enabling it to spread from removable USB/thumb
drives to other computers.
The Freedom
'virus' is a worm that infects local and USB drives, disables access to
Task Manager, Registry Editor and other system utilities, and may try to
delete MP3 files found on infected systems. Here's how to clean it.
Instead
of relying on bots to do the dirty work, Trojan.MeSpam makes you the
culprit. Once infected, every forum post you make, every webmail you
send, and every blog comment you leave will also deposit a link pointing
to a nefarious website.
Is
Rinbot the little worm that isn't? Or is it simply the worm that no one
wants to acknowledge exists? Here's a timeline of this "non-threat".
The Storm worm spreads via
email, using a variety of subject lines and message text that may
masquerade as news articles or other current events.
Thanks
to the Chatosky worm, I uncovered some things about the Skype service
that I might not otherwise have known.
MySpace
users are yet again a victim of another targeted attack. Dubbed
JS_QSPACE.A by antivirus vendor Trend Micro and JS.Qspace by Symantec,
the Javascript worm exploits a cross-site scripting (XSS) vulnerability
embedded in a malicious Quicktime .MOV file.
A
mass-mailing email worm that also spreads via USB and thumb drives, the
Rontokbro worm - also known as Brontok - takes a multifaceted approach to
defy detection and removal.
Stration is a
mass-mailing email worm that attempts to download a file from a remote
server. The worm may inject itself into certain running processes,
potentially causing it to bypass firewalls or other security software.
Stration is a
mass-mailing email worm that may attempt to download files from a remote
server.
There's a lot of
misinformation being disseminated around the recently discovered VML
vulnerability. Here's an attempt to address those misconceptions and
alleviate some of the fears.
A
zero-day vulnerability in the Windows implementation of Vector Markup
Language (VML) impacts all supported versions of Internet Explorer, all
supported versions of Microsoft Windows 2003, Windows XP, and Windows
2000, and recent versions of Outlook and Outlook Express.
With 12 million
infected systems under their control, botnet operators are controlling a
population roughly the size of Guatemala.
In fact, the number of infected systems would place it at about 70 out
of 230 sovereign states and territories worldwide.
The
more a story gets told, the more the original story gets changed by each
new storyteller. Sometimes, the story gets so far removed from the
original, that the entire intent of the story is lost and new intent
construed. Such is the case with the story of antivirus effectiveness,
which was recently put through the spin cycle, wrung out, and reformed
by Charlie White, editor of the Gizmodo gadget blog.
Vulnerability
researchers at eEye Digital uncovered serious flaws in McAfee security
products that could allow attackers to gain remote control of affected
systems.
An
early-morning report on a security mailing list led to the discovery of
Yamanner, a mass-mailing email worm that impacted Yahoo webmail users.
Every
successful gambler knows how to handle a certain amount of risk, and
how to minimize their losses. But a free tool that promised to help
gamblers get the most out of the game turned out to be a Trojan that
scammed them out of their winnings.
It seems a
disgruntled employee targeted their enterprise with a worm that causes
pictures of a rather odd looking owl to print on nearly 40 printers
specific to the targeted firm.
Nugache is a worm that
may spread via email, IM, or P2P networks.
Having
your computer infected with a virus or other malicious software is
upsetting enough. But over the past year, a new type of attack promises
to be even more disconcerting. Dubbed ransomware, this new attack
infects the system, encrypts the files, and then demands payment from
its victims.
There
is no such thing as a good virus, but some viruses are more despicable
than others. Case in point, the newly discovered W32/QuickBatch.G!tr
Trojan that specifically targets members of the blind community.
Bagle worm variant that spreads via email and
fileshares/P2P networks warns of 'Lawsuit Against You'
Discovered on
January 17, 2006, the Nyxem worm has a dangerous payload that executes
on the 3rd of each month, overwriting files with specific extensions.
Here's
the best and worst of 2005 from a malware perspective.
It seems
appropriate that the Chinese dubbed 2003 as the Year of the Black
Sheep. Among other things, the sheep is a symbol of untidiness - and
from a virus standpoint, the year was indeed a mess.
The
year 2002 ushered in a new era of malicious marketing code.
Detecting
email-borne viruses every 18 seconds, MessageLabs calls 2001 The Year of
the Virus.
A serious
vulnerability in Windows Fax and Picture Viewer can allow remote
attackers to use .WMF image files to gain control of your system.
Sober.X is a
mass-mailing email worm that sends itself in either English or German
depending on the recipient's domain. In addition to mass-mailing,
Sober.X terminates processes related to various antivirus and security
programs.
Sober.U arrives in an
email message that may be in either German or English language,
depending on the recipient's domain.
Sober.T arrives in an
email message that may be in either German or English language,
depending on the recipient's domain.
Sober.S arrives in an
email message that may be in either German or English language,
depending on the recipient's domain.
Sober.R arrives in an
email message that may be in either German or English language,
depending on the recipient's domain.
The Sony Stinx
Trojan exploits the Sony DRM cloaking technology (aka rootkit) installed
by music CDs published by Sony after March 2005. This allows the
malware to be hidden from view - effectively masking its presence even
from most antivirus scanners. The Sony Stinx Trojan installs an IRC
Backdoor Trojan that allows remote access to compromised PCs, downloads
other malware, and disables the Windows XP firewall.
The Linux Slapper worm has been given
a facelift and this time BBS admins and web bloggers are the target.
The new worm has been given a half dozen new names, including
Linux/Lupper worm Linux.Plupi, Backdoor.Linux.Smal, ELF_LUPPER.A and
Exploit.Linux.Lupii.
The
President of Sony BMG's Global Digital Business, Thomas Hesse, defends
Sony's installation of a rootkit by declaring, "Most people, I think,
don't even know what a Rootkit is, so why should they care about it?"
If
you've purchased a Sony-labeled music CD since March 2005 and used it on
your PC, chances are it installed a rootkit that can be easily
exploited by virus writers.
Dutch
police have announced the arrests of the alleged author of W32.Toxbot
and two alleged accomplices.
PSP.Brick
impacts the Sony PSP game console, flashing critical system files and
rendering the console unbootable. The newly discovered PSP.Brick isn't
technically a virus - it's a Trojan. But the news surrounding PSP.Brick
could be described as a polymorphic virus - it spreads fast and the
story changes with each reporter it infects.
Since
January 1, 2005, at least 358 descriptions have been published for
specific IM threats.
The
most prevalent IM worm is Kelvir family of worms that target MSN
Messenger users.
Just hours after BBC published a news report titled
"London attackers 'meant to kill'", the Agent.AD Trojan email stole the
headline and part of the copy, using it as a ruse to entice victims into
opening its infected attachment.
IM
worms continue to expand their repertoire of social engineering tricks.
W32/Olameg-net, a.k.a. Opanki.Y and AIM/Megalo, installs itself to the
Windows System directory as itunes.exe, presumably trying to disguise
itself as the popular Apple iTunes application.
Malware
authors eager to capitalize on the Michael Jackson trial have been
sending booby-trapped spam messages claiming the pop-singer has
attempted suicide.
Discovered May 31, 2005,
Mytob.BI is a mass-mailing email worm that compromises system security
by terminating processes related to various antivirus software,
disabling the XP SP2 firewall, and modifying the HOSTS file to prevent
access to antivirus updates and certain other websites.
Discovered May 30, 2005,
Mytob.AR is a mass-mailing email worm that compromises system security
by terminating processes related to various antivirus software,
disabling the XP SP2 firewall, and modifying the HOSTS file to prevent
access to antivirus updates and certain other websites.
The Mytob
variants are mass-mailing email worms that compromise system security by
terminating processes related to various antivirus software and
modifying the Registry to disable the XP SP2 firewall.
The Sober.P worm
has morphed into a spam Trojan, sending politically-charged messages
from infected systems.
The Sober.P
worm abruptly stopped its mass-mailing at midnight GMT on May 9th,
presumably entering its second stage of infection.
Firefox
flaws rated extremely critical
Discovered May
2, 2005, Sober.P (also known as Sober.O) is a mass-mailing email worm that
sends itself in either German or English language, depending on the
intended recipient's domain.
The Crog worm edits the
system registry to lower security settings, modifies the HOSTS file to
redirect access to various security sites and shuts down processes
associated with various security software.
Three new IM worms,
Kelvir.A, Kelvir.B, and Kelvir.C were discovered by antivirus vendors on
March 6th and 7th, 2005.
Discovered on March 1,
2005 in conjunction with several mass-spammed Bagle-like Trojans,
Bagle.BE arrives in an email with a blank subject line
Troj/BagleDl-L is a
Trojan, not a worm, and does not contain mass-mailing capabilities.
However, Troj/BagleDl-L was mass-spammed via email during the morning of
March 1st, 2005.
Like Bagle.AY, Bagle.AZ
is a mass mailing email and P2P filesharing worm with downloader
capabilities.
Bagle.AY is a mass
mailing email and P2P filesharing worm with backdoor and downloader
capabilities. As with previous variants and most modern email worms, the
worm uses its own SMTP engine to spread via email and the From address
is spoofed.
MyDoom.AM is a
mass-mailing email and P2P filesharing worm that modifies the HOSTS
file to prevent infected users from accessing certain antivirus vendor
sites.
A mass-mailing email
and filesharing worm, Lovgate.W also contains backdoor capabilities.
Ever wonder what Bill Gates
gets for Christmas? This year, the Chinese
security firm VenusTech delivered three new Windows exploits just in
time for the holidays.
A
new variant of the Zafi worm, dubbed Zafi.D, sends itself as a Christmas
greeting - in a variety of languages depending on the recipient's
domain.
Dubbed
TrojanDropper.FakeSpamFighter and Troj/Mdrop-IT, the Trojan masquerades
as the infamous Lycos MakeLOVEnotSPAM screensaver.
Sober.I is a mass-mailing
email worm that sends itself in both German and English, depending on
the infected users' operating system language. Sober.I uses its own SMTP
engine to send itself to email addresses found on infected systems,
spoofing the From address.
Bofra.A
worm exploits SHDOCVW.DLL flaw
The Klez virus uses a
variety of techniques to fool and aggravate users
Also known as Homepage,
this e-mail worm was discovered in the wild on May 8th, 2001
Alleged
movie of Timothy McVeigh execution really the Subseven remote access
Trojan.
The Sobig.E worm spreads
via email. The Sobig.E worm attachment is a ZIP file.
From your
Antivirus.About.com guide, an encyclopedia of virus and hoax
descriptions. Includes PC, Macintosh, Unix, Active Content, and Wireless
infectors.
Timely
and searchable information concerning viruses currently in-the-wild and
even those that are not.
So
comprehensive, it might be somewhat difficult to navigate. Well worth
the effort, AVP delivers the definitive virus encyclopedia.
Though not a
virus, hoaxes and myths can still cause downtime and loss of
productivity due to unwarranted panic. Rob Rosenberger maintains a
plethora of information concerning these non-threatening threats.
From
F-Secure, an alphabetized database of virus descriptions. Search by
exact name or keyword.
From the
makers of Panda Antivirus, an encyclopedia searchable by name, category
or family. The database is prefaced by an introduction to computer
viruses and a handy glossary of terms.
Compiled from
various reporting agencies and individuals. Listing all viruses actually
causing active infections worldwide, the wildlist is updated monthly.
One very long list
of just some of the viruses detected by Sophos.
The
McAfee AVERT Virus Information Library includes detailed information on
viruses as well as popular hoaxes and myths.
F-Secure
simplifies the WildList by linking descriptions to the names of the
viruses reported to be in the wild. Updated monthly.