Attack Launches 19 Forms of Malware

Security outfit PandaLabs said today a sophisticated “chain” attack, perpetrated through the SpamNet.A Trojan, is at work. The Trojan was discovered on a Web page hosted on a server in the United States but with a domain registered from Moscow.

PandaLabs Director Luis Corrons said the attacks are highly complex and can infect a system with up to 19 different forms of malware. The goal of the coordinated strikes is to send out junk mail. So far, it has compiled more than 3 million e-mail addresses worldwide.

“This attack is far more elaborate than usual,” Corrons said in a statement. “Users of TruPrevent Technologies have been protected from the outset, but this is one of the most complex organized attacks that we have ever witnessed at PandaLabs.”

PandaLabs said it has contacted the companies that host the files and Web pages that are the main part of this organized attack.

The infection chain begins when a user visits the Web page and uses the Iframe tag to try to open two new pages. This initiates two parallel processes, Corrons said.

When the first of the two pages opens, it in turn opens six other pages, which redirect the user to several pages with pornographic content. It also directs the user to a another page, which starts the principal attack process. This page exploits two possible vulnerabilities to carry out its actions: Ani/anr and Htmredir.

If the attack is successful, it then installs and executes one of two identical files — Web.exe or Win32.exe — on the computer. When run, these files create seven files on the computer, one of which is a copy of itself, according to PandLabs security team.

“The fact that more than three million addresses have been compiled to send
spam to is an indication of the success the creator of this attack is enjoying,” Corrons said. “The primary motivation of these attacks is financial gain over and above notoriety, and spam is one of the chief sources of income for malware creators.”

To prevent infection from SpamNet.A or any other malicious code, PandaLabs advises users to keep their security software up-to-date. Panda clients already have the updates at their disposal to detect and disinfect this new malicious code.

“In addition to having an antivirus solution, users need to ensure their systems are updated, as the success of SpamNet.A depends largely on vulnerability exploits,” Corrons said.

News Around the Web