Trojan trio disables Windows, AV updates
A trio of malicious programs is working together to hijack as many machines as they can in a short period, antivirus experts warned Thursday. Their apparent mission -- grow an army of zombie machines that can be sold on the black market and used to steal identities, lift bank account numbers and launch other attacks.
"This is all about money," said Roger Thompson, director of malicious content research for New York-based Computer Associates [CA]. "It's about the simple theft of credit card and bank account numbers, and there's probably a nexus with adware."
In the last 24 hours, CA has discovered coordination between three Trojan horse programs -- Glieder, Fantibag and Mitglieder.
Trio of trouble
According to CA, here's how the Trojans operate:
Glieder goes out and "seeds" cyberspace. On June 1, CA watched eight variants spread in quick succession. The whole point is to get to as many victims as fast as possible with a lightweight piece of malware, CA said.
Fantibag then puts compromised systems into a "shields down" state, exploiting the infected machines' networking features to prevent them from communicating with antivirus companies or with Microsoft's update site. This means the security software can't call for updates.
Mitglieder then turns the compromised machine into a zombie that can be used to generate future attacks and act in concert with countless other zombie PCs. Machines infected with Mitglieder act as a proxy to force traffic to malicious sites, track user behavior, record keystrokes and set up spam relays.
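The article says Fantibag blocks the infected machine from reaching antivirus vendors and Microsoft's update site but does not name the mechanism. The check below is an added example, not code from CA or from the article, and it assumes one common way such blocking is done: pinning vendor and update hostnames to a loopback, unspecified or private address in the Windows hosts file (`C:\Windows\System32\drivers\etc\hosts`). The watched domain list and the sample hosts content are constructed for illustration.

```python
# Added example (not from the article): flag hosts-file entries that sinkhole
# antivirus or operating-system update domains. Assumption: the malware tampers
# with the hosts file; real deployments would use a vendor-maintained domain list.
import ipaddress

# Constructed watch list of update/AV hostnames (illustrative, not exhaustive).
WATCHED_DOMAINS = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "liveupdate.symantec.com",
    "ca.com",
}

# Constructed sample hosts file: two legitimate localhost lines, one intranet
# alias, and two entries that would silently cut off update traffic.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         liveupdate.symantec.com   # blackholed
192.168.1.20    intranet.example.local
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()

def is_sinkhole(ip):
    """True if the address cannot plausibly reach a public update server."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # an unparsable address breaks resolution just as well
    return addr.is_loopback or addr.is_unspecified or addr.is_private

def find_hijacked(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) for watched domains (or subdomains) pinned to a sinkhole."""
    hits = []
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            if is_sinkhole(ip):
                hits.append((name, ip))
    return hits

def scan_hosts_file(path):
    """Run the check against a real hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacked(fh.read())

if __name__ == "__main__":
    for name, ip in find_hijacked(SAMPLE_HOSTS):
        print(f"ALERT: {name} pinned to {ip}")
```

A legitimate hosts file rarely names an update or vendor domain at all, so any hit is worth investigating; the same logic applies to a DNS resolver that suddenly returns loopback for those names.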
Glendale, Calif.-based PandaLabs has also been tracking Mitglieder, saying it has been spammed to thousands of users around the world.
"Malware creators try to distribute their creations rapidly to prevent users from having time to update their antivirus solutions. They're trying to exploit the vulnerability window, i.e. the time that it takes between new malware appearing and users installing the updates on their computers," PandaLabs director Luis Corrons said in a statement. "New techniques are frequently being used in order to spread malware as rapidly as possible. So for example, as in this case, thousands of infected mails could be sent simultaneously as spam, or numerous variations can be launched at the same time."
The Bagle connection
Thompson said there's also a connection between the Trojans and this week's outbreak of new Bagle worm variants. "It's hard to tell the difference between Bagle and Mitglieder," he said. "Most of these share common code and they get mixed together."
Which points to a much larger problem, he said: "The bad guys have figured out that if they make a minor variation in their worms, viruses and Trojans and perhaps pack them a bit differently, these things can spread more rapidly and infect more computers before antivirus software has a chance to catch up."
With the first two Trojans spreading too quickly for AV to keep up, Fantibag arrives and cuts access to the security updates, Thompson said. "The attackers are being very cunning," he said. "They could launch one big program but instead they use smaller pieces that can easily be replaced. It's easier to change the smaller bits than fix the big part. It's a very sophisticated approach."
All about the botnets
For now, attackers don't seem to be aiming directly at enterprise networks, Thompson said. "I don't think this is about targeting a large corporation," he said. "I think it's about these guys trying to build botnets out of home systems."
But he said these botnets can eventually be used to hack into corporate databases to steal sensitive data or to launch other attacks.
In recent days security experts have also expressed alarm that hackers are successfully using zombie machines to launch brute force attacks against Secure Shell [SSH] servers that are accessible via the Internet.
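A zombie army changes what SSH brute-force detection has to look for: instead of one source hammering a server, many compromised hosts each try a few passwords. The script below is an added example, not code from the article or from any of the vendors quoted; it parses constructed `sshd` log lines in the standard `Failed password for ... from ... port ...` form and shows that a per-IP threshold misses the distributed pattern while a per-account, many-sources rule catches it.

```python
# Added example (not from the article): detect distributed SSH brute force
# in sshd auth logs. Log lines below are constructed for illustration.
import re
from collections import Counter, defaultdict

# Matches both "Failed password for root" and "Failed password for invalid user x".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = """\
Jun  2 10:01:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 4412 ssh2
Jun  2 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 4413 ssh2
Jun  2 10:01:07 host sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 5122 ssh2
Jun  2 10:01:09 host sshd[1207]: Failed password for root from 198.51.100.9 port 5123 ssh2
Jun  2 10:01:11 host sshd[1209]: Failed password for root from 198.51.100.12 port 5125 ssh2
Jun  2 10:01:12 host sshd[1211]: Accepted publickey for alice from 192.0.2.10 port 6001 ssh2
Jun  2 10:01:14 host sshd[1213]: Failed password for root from 203.0.113.44 port 4499 ssh2
"""

def parse_failures(log_text):
    """Return a list of (user, source_ip) for every failed-password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures

def noisy_sources(log_text, threshold=3):
    """Classic per-IP rule: sources with at least `threshold` failures."""
    counts = Counter(ip for _, ip in parse_failures(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def distributed_targets(log_text, min_failures=4, min_sources=3):
    """Botnet-style rule: accounts that collect many failures from many distinct
    sources, each source staying under the per-IP threshold."""
    sources = defaultdict(set)
    attempts = Counter()
    for user, ip in parse_failures(log_text):
        sources[user].add(ip)
        attempts[user] += 1
    return {
        user: sorted(ips)
        for user, ips in sources.items()
        if attempts[user] >= min_failures and len(ips) >= min_sources
    }

if __name__ == "__main__":
    print("per-IP rule flags:", noisy_sources(SAMPLE_LOG))
    print("per-account rule flags:", distributed_targets(SAMPLE_LOG))
```

On the sample, no single address reaches the per-IP threshold, yet `root` draws five failures from four different sources within a dozen seconds, which is exactly the shape a zombie-driven attack takes. In practice the per-account rule should be windowed by time and fed from all SSH hosts in the fleet, since the attackers spread attempts across targets as well as sources.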
Since there's no limit to what the bad guys can do with a zombie army, Thompson said there's growing demand on the black market for compromised machines. "The world is getting exceptionally scary," he said.
Source: searchsecurity.techtarget