It’s difficult to have a week go by when there isn’t another virus alert for some new destructive malware variant and this week has been no different.
Despite an increased focus on security, Trojans, worms, and viruses continue to mutate into new variants and new attacks against internet users and infrastructure.
US-CERT, the U.S. Computer Emergency Readiness Team, part of the U.S. Department of Homeland Security, currently lists no fewer than 12 high-impact security ‘incidents’, four of which are new.
Topping the list is the W32/Netsky.C virus, which in less than 2 days of proliferation has already pushed the Netsky family of viruses to become the 8th most destructive piece of malware ever, according to London-based security firm mi2g. Infections have been reported by mi2g in over 190 countries. This particular variant, like its predecessors, spreads via e-mail or network file shares and contains its own SMTP engine.
According to Ken Dunham, director of malicious code at Reston, Virginia-based iDefense, Inc., a security and anti-virus company, “Using their own SMTP is now a trend; it allows the virus authors to get around restrictions placed by local networks. Basically it allows them to use their own email program to send out viruses without restriction.”
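As an added defensive illustration (not from the article or from iDefense), the following Python script flags internal hosts that speak SMTP directly to outside mail servers instead of handing mail to the local relay, which is the traffic pattern a worm with its own SMTP engine produces; the network range, relay address and log lines are constructed assumptions.

```python
"""Spot hosts that bypass the local mail relay by speaking SMTP directly.
A mass-mailing worm with its own SMTP engine opens outbound TCP/25 to many
external mail servers; the log format and addresses here are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")        # assumption: the LAN range
MAIL_RELAY = ip_address("10.0.0.25")            # assumption: the sanctioned relay
THRESHOLD = 3                                   # distinct external SMTP peers

# Constructed firewall log lines: "<time> <src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
10:01:02 10.0.0.25 -> 203.0.113.10:25 tcp
10:01:03 10.0.0.25 -> 198.51.100.7:25 tcp
10:01:04 10.0.1.77 -> 203.0.113.10:25 tcp
10:01:04 10.0.1.77 -> 198.51.100.7:25 tcp
10:01:05 10.0.1.77 -> 192.0.2.99:25 tcp
10:01:05 10.0.1.77 -> 192.0.2.100:25 tcp
10:01:06 10.0.2.13 -> 192.0.2.80:80 tcp
10:01:07 10.0.2.13 -> 203.0.113.10:25 tcp
"""

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for one log line."""
    _time, src, _arrow, dst, _proto = line.split()
    host, port = dst.rsplit(":", 1)
    return ip_address(src), ip_address(host), int(port)

def direct_smtp_senders(log_text, threshold=THRESHOLD):
    """Map each non-relay internal host to the external SMTP peers it
    contacted directly, keeping only hosts at or above the threshold."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = parse_line(line)
        if port != 25 or src == MAIL_RELAY:
            continue                      # legitimate relay traffic is expected
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            peers[src].add(dst)
    return {str(h): [str(a) for a in sorted(d)] for h, d in peers.items()
            if len(d) >= threshold}

if __name__ == "__main__":
    for host, targets in direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{host}: direct SMTP to {len(targets)} external hosts -> {targets}")
```

In practice the same rule is usually enforced at the egress firewall (deny TCP/25 outbound except from the relay), with this kind of log review as the detection layer behind it.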
Weighing in at number two on the US-CERT list is the W32/Bizex instant messaging virus. This virus is borne by the ICQ instant messaging client and exploits a number of previously identified vulnerabilities. Bizex arrives as an IM message that includes a link; when clicked, the link downloads a Trojan that activates a keylogger when certain financial Web sites are loaded in Internet Explorer. As of Wednesday, ICQ steward AOL said it has taken action to stop the continued spread of the virus.
At number three is the latest variant of the ever-popular MyDoom, this time called W32/Mydoom.F. This version now also targets the Recording Industry Association of America Web site if the system date is between the 17th and the 22nd of the month.
RIAA spokesperson Amanda Collins told internetnews.com the recording industry does not comment on its Web site status or security. Netcraft statistics, however, would seem to indicate that the RIAA is indeed being targeted by a DoS attack.
On a positive note, though, Ken Dunham of iDefense has told internetnews.com that the previously disclosed Microsoft ASN.1 heap overflow vulnerability is too difficult at this point in time for hackers to exploit. He noted, however, that DoS attacks based on the ASN.1 flaw have now been reported and are expected to continue against unpatched machines.
Like analysts at many other security firms, Dunham said the increase in so-called ‘zero-day’ exploits (attacks against a newly discovered vulnerability for which no patch exists) is expected to continue in 2004.
“It’s a massive trend we’ve seen moving forward,” says Dunham. “We’re seeing more zero-day attacks than ever before and we’re seeing more rapid exploitation of vulnerabilities than we’ve ever seen before.”