MoMusings

Friday 8th July, 2005


London Bombing Trojan

Filed under: All, Malware

Oh dear, the scumware authors are once more showing how low they are prepared to go to infect the computers of the unsuspecting and curious, or the downright ghoulish.

This just in: a new trojan has been found which is being e-mailed out. According to MessageLabs, the e-mail containing the trojan is not yet widespread; however, as it is the start of the weekend, don’t expect it to stay that way for long. This trojan was being e-mailed out just hours after the attacks in London.

The details I have so far are:

Sample e-mail:

From: breakingnews@cnnonline.com
Subject: TERROR HITS LONDON
Filename:LondonTerrorMovie.zip

This [zip file] contains a file called ‘London Terror Moovie.avi <124 spaces> Checked By Norton Antivirus.exe’

As you can see, the From address line is forged. The <124 spaces> is 124 space characters, so that you won’t notice the .EXE extension and will believe that the file in the zip attachment is an AVI [movie] file. The “Checked By Norton Antivirus.exe” is there to try and convince you that the file has been scanned and is safe, when in reality it is just a way to hide the fact that the file is an executable. The executable in the zip is packed using UPX, a common sign of a ‘suspect’ or ‘malicious’ file.
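The following is an added example (not from the original post or from any vendor) of how a mail gateway or attachment scanner could flag the naming trick described above. It builds a constructed in-memory zip whose member name mimics the pattern (a decoy .avi name, a long run of spaces, a reassurance phrase, then the real .exe extension), and checks each member name for four independent signals: an executable true extension, a long whitespace run, a decoy extension before the real one, and a “checked/scanned by” phrase. The extension lists and the 8-character whitespace threshold are assumptions chosen for illustration.

```python
from __future__ import annotations

import io
import re
import zipfile

# Constructed sample name following the pattern the post describes. The 124 spaces
# are generated here rather than typed out; the payload written under this name is
# plain text, not a program, so the zip is safe to build anywhere.
SAMPLE_MEMBER_NAME = (
    "London Terror Moovie.avi" + " " * 124 + "Checked By Norton Antivirus.exe"
)

# Assumed lists for illustration; a real gateway would use a much longer set.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTENSIONS = {".avi", ".mpg", ".mpeg", ".jpg", ".jpeg", ".gif", ".doc", ".pdf", ".txt"}
WHITESPACE_RUN_THRESHOLD = 8  # assumed: ordinary filenames never contain runs this long


def build_sample_zip() -> bytes:
    """Build an in-memory zip containing one harmless text member under the deceptive name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SAMPLE_MEMBER_NAME, "placeholder content, not a real program")
    return buf.getvalue()


def display_name(name: str) -> str:
    """Collapse runs of spaces into a visible marker, e.g. ' <124 spaces> ', for log output."""
    return re.sub(r" {2,}", lambda m: f" <{len(m.group())} spaces> ", name)


def analyse_member_name(name: str) -> list[str]:
    """Return the reasons (possibly none) why a zip member name looks like extension spoofing."""
    reasons: list[str] = []
    base = name.rsplit("/", 1)[-1]  # ignore any directory part inside the archive
    lowered = base.lower()

    # The true extension is the last one: it decides which program Windows will launch.
    m = re.search(r"\.([a-z0-9]{1,4})$", lowered.rstrip())
    true_ext = "." + m.group(1) if m else ""
    if true_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"true extension {true_ext} is executable")

    # A long run of whitespace pushes the true extension out of the visible column.
    longest = max((len(run) for run in re.findall(r"[ \t]+", base)), default=0)
    if longest >= WHITESPACE_RUN_THRESHOLD:
        reasons.append(f"whitespace run of {longest} characters inside the name")

    # Any earlier extension that looks like media or a document is a decoy.
    exts = ["." + e for e in re.findall(r"\.([a-z0-9]{1,4})(?=\s|$)", lowered)]
    decoys = [e for e in exts[:-1] if e in DECOY_EXTENSIONS]
    if decoys and true_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"decoy extension {decoys[0]} before executable extension")

    # A reassurance phrase inside a filename is itself a lure, not a scan result.
    if re.search(r"\b(checked|scanned|verified)\s+by\b", lowered):
        reasons.append("reassurance phrase in filename")

    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name in a zip attachment to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = analyse_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(display_name(member))
        for r in reasons:
            print("  -", r)
```

Each signal on its own would produce false positives (plenty of legitimate archives contain an .exe), so a gateway would normally quarantine only when the executable extension is combined with at least one of the concealment signals.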

More details:
The e-mail arrives pretending to be a CNN newsletter, see the screenshot below:

If you open the attached zip file and run the file it contains, your system will become infected. The trojan creates a file in the %windir% directory [e.g. C:\WINDOWS or C:\WINNT] and adds itself to the registry to ensure that it gets loaded when the system starts.

Once running, the trojan searches for the list of SMTP [mail] servers that your system is configured to use and uses these to send large quantities of SPAM.

At this time none of the 14 virus scanners I have at hand can detect this.

The use of disasters, celebrities and other topical news items as methods to spread malware is nothing new. We have seen a number of similar trojans so far this year, and I’ll be very surprised if we don’t see more ‘London Bombing’ trojans over the next few weeks.

If you needed any more proof that you should avoid the temptation to open unsolicited email attachments, then add this to the existing pile of reasons not to become a ‘click-a-holic’.

Links:
http://www.theregister.co.uk/2005/07/08/london_bombing_spambot/


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.


Sasser Author Tip-off Nets $250,000

Filed under: All, Malware

Following on from my earlier report on the result of the Sasser worm author trial….

This just in from Cnet:

The Sasser case is the only success so far for Microsoft’s Anti-Virus Reward Program, which was launched in November 2003. The program has offered a total of $1 million to informants who help close official investigations into four major viruses and worms, including Sasser, and has another $4 million earmarked for future rewards.

Microsoft has not disclosed the identity of the informants in the Sasser case, but the software giant said Friday it will pay the reward money to two individuals who helped identify the worm’s author. They will share the $250,000.

According to various sources Jaschan was ‘fingered’ by a couple of his mates who were after the ‘Microsoft Anti-Virus Reward’ of $250,000 US Dollars.

If you are interested, according to Microsoft’s Web site, rewards of $250,000 can still be collected for information that leads to the arrest and conviction of those responsible for launching the MyDoom.B worm, the Sobig virus and the MSBlast.A [aka Blaster] worm.

Any budding Wyatt Earp wannabes out there ;-)




Sasser Worm Author Convicted….

Filed under: All, Malware

But only gets a suspended sentence of 21 months and ordered to do 30 hours of community service - meaning he will walk free!

Here’s a quote from one of the reports:

Sven Jaschan, 19, was found guilty of computer sabotage and illegally altering data, said Katharina Kruetzfeld, a spokeswoman for the court in the northwestern town of Verden.

Jaschan admitted creating the worm at the start of the trial on Tuesday the 5th July.

He was arrested back in May 2004 “sitting at his computer” at his home in the small northern German town of Waffensen after Microsoft received a tip-off from an informant seeking the reward of $250,000 that they were offering for information on those responsible for Sasser.

Sasser exploited a flaw [vulnerability] in the Windows 2000 and Windows XP operating systems. It started to infect systems and spread to other systems which had not been patched on its release date of the 1st of May 2004.

Microsoft had released a patch for this loophole on the 13th of April 2004 and an updated patch on the 28th of April 2004, however many companies at that time took on average 2-4 months to test new patches before deploying them to fix vulnerable systems.

Screenshot: Windows error messages displayed when a system became infected by Sasser.

According to the news item: “Authorities who questioned Jaschan said they got the impression his motive was to gain fame as a programmer.” He got infamy instead, and was offered a job at a security software company.

SecurePoint employed Jaschan, the [now convicted] creator of a number of Netsky variants [many of which were quite destructive] and Sasser, as a trainee software developer working on the company’s firewall products. Would you buy a firewall from this company, knowing a self-confessed virus author may have had a hand in it?

As I mentioned before in my rant on this very blog back in November last year:

What sort of message is being given out by the current trend of a small minority of security firms who seem to be going out of their way to actively seek out and employ virus writers and ex-virus writers?

I think that some elements in society see malware authors as some form of glorified digital freedom fighters, talented programmers or uber geeks….when in reality they are nothing more than criminals and should be treated as such!

This quote from Graham Cluley of Sophos clearly shows that Jaschan’s creations are a real threat: “Even a year after his arrest, it is more likely that you will be infected by a worm written by Sven Jaschan than any other virus author”.

The sentence he has received is well short of the maximum sentence of five years in jail that a conviction of computer sabotage carries under German law.

What do you think, both on his level of sentencing and his working for a company that makes security software?

Links:
http://news.bbc.co.uk/1/hi/technology/4659329.stm
http://www.sophos.com/virusinfo/articles/sasserfree.html


