RealTime IT News

A Particularly Nasty Week For Malware

This is turning into quite a week for computer security. Microsoft issued a rare out of band security alert concerning Excel; BusinessWeek's home page has been the victim of a hack and more than 400 banks are the targets of a new Trojan. If that wasn't enough, the one year anniversary of the Storm worm is approaching, with the associated Trojan  looking to rear its ugly head again. Plus, Apple today issued its own set of fixes for QuickTime.

First up was the Microsoft alert, something the company rarely does outside of Patch Tuesday unless the threat is severe. It issued an alert late on Tuesday that older versions of Excel, from Excel 2000 to Excel 2003 with Service Pack 2, are affected by a vulnerability.

People who open a malicious e-mail attachment or visit a Web site hosting malicious code may find that their systems are compromised and remote code is executed on their system. Microsoft said that so far the exploit is not being used widely, but for "specific targeted attacks" and it is investigating further.

The vulnerability does not affect Microsoft Excel 2003 Service Pack 3, Excel 2007 or Microsoft Excel 2008 for Mac. Computers with administrative privileges are more vulnerable to the exploit than those with more restrictions. The primary workaround for now is to not open Excel files from unknown sources.

That's not the only problem facing the Internet today. Symantec has noted a new banking Trojan, called Trojan.Silentbanker, which the company found worrying by even its seen-it-all standards.

More than 400 banks in the U.S. and worldwide have been targeted. The Trojan can intercept transactions that require two-factor authentication and can silently change the user-entered destination bank account details to the attacker's account details instead. All of this is done without presenting anything unusual to the victim. The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL, the attack is still valid.

It's not just confined to banks. The Trojan can steal FTP, POP, Web mail, protected storage, and cached passwords. "Then we start to see the capabilities of this Trojan," wrote researcher Liam OMurchu.

Staying with trusted sites won't even keep you safe any more, as Trend Micro noted with its report on a compromised page at BusinessWeek. A week earlier, the security products page for CA was compromised with an IFrame  exploit.

Paul Ferguson, a network architect for Trend Micro, first spotted the malicious code in the BusinessWeek page and alerted the company. He said that in a recent Google search of malicious JavaScript code used in SQL injections, Trend found more than 100,000 infected sites.

"The days of being able to put a page up and not constantly maintaining that site and not applying underlying patches, those days are long gone," he told InternetNews.com. "There's some basic security features not being adhered to. A SQL database should not be reachable from the Web interface. A lot of these issues are finally coming to a head because they are actively being exploited by the bad guys."

Trend, Symantec and the Internet Storm Center all noted that the durable Storm worm is rearing its ugly head again, this time in the form of Valentine's Day exploits. ISC noted that the ever-mutating Storm worm was only detected by four of 32 anti-virus programs in a recent test, but since that post was made the major players have updated their signatures.

Still, Ferguson said you need more than signatures. "You can't do just antivirus detection because they will get so far ahead, you will lose. So we use domain reputation and URL filtering and bad domain lists in our products," he said.