Mutating viruses are nothing new, they are used to infect machines in a way that can’t be stopped by traditional anti-virus software. The problem comes in with a new report from Softwin, the Romania based anti-virus software company that makes BitDefender, that says they have found multiple instances of computers being infected by worms that have previously been infected by a virus. They consider it a new “Frankenstein piece of malware” that has the potential to cause a lot of damage.

For those who perhaps don’t know a lot of viruses and worms, a worm is usually an executable file while a virus infects executables. The inevitable problem arises when a virus infects the executable that a worm resides in.

Fortunately, the researchers at BitDefender have no evidence at this point that the new super virus is any worse than a traditional virus. The concern is that worms are better at moving through systems, so a virus attached to a worm will have an easier time moving through a system.

The research team found 40,000 instances of the mutated malware out of a sample of 10 million files. One example was a virus designed to create back doors for hackers infected a worm that steals passwords. Their combination resulted in a mutation that could steal passwords while simultaneously creating a backdoor for the hacker to access the stolen information.

PhysOrg brings up an interesting point in that a virus’ main goal is to cause destruction. So in theory, a virus should destroy whatever it infects including the worm. The researchers never addressed this, but there’s a possibility that the virus could destroy the worm before it does any damage.

The researchers say that the combination of the two malware types was unintentional. The issue raised now is that hackers know it’s possible to combine the two. If it does occur, it could “pose a very serious threat to computers and networks the world over.”

For more examples of how this new super virus can destroy your computer, check out an expert analysis here.

The men involved in this enterprise have been the subject of much investigation by Facebook’s security team, as well as by independent researcher Jan Droemer. But, it’s not like they are taking pains to hide. They post photos of their vacation trips to Monte Carlo, Spain and casinos in Germany. They check in on FourSquare.

“We’ve had a picture of one of the guys in a scuba mask on our wall since 2008,” said Ryan McGeehan, manager of investigations and incident response at Facebook.

The five men in this “gang” are:

* Anton Korotchenko AKA “KrotReal”
* Stanislav Avdeyko AKA “leDed”
* Svyatoslav E. Polichuck AKA “PsViat” and “PsycoMan”
* Roman P. Koturbach AKA “PoMuc”
* Alexander Koltysehv AKA “Floppy.”

Yes, they are Russian. And they operate openly in central St. Petersburg. Which explains why the FBI have not nabbed them. In the absence of cooperation with the police in Russia, Facebook decided to out these guys publicly.

“People who engage in this type of stuff need to know that their name and real identity are going to come out eventually and they’re going to get arrested and they’re going to be targeted,” Joe Sullivan, chief security officer at Facebook said. “People are fighting back.”

How Koobface works, and how you can protect yourself from it, was the topic of an excellent write-up on Sophos.

Spammers experimented with attaching encoded messages in a variety of file formats including MP3, Zip, Excel, Word and PDF. MP3 spam proved to be short lived. Spammers attached MP3 files named after popular songs and artists. When a recipient opened the attachment an electronic voice delivered a message promoting a stock for a particular company.

2007 was also the year of the "Worm". The storm worm was created to infect PCs for the purpose of sending spam, or as a host computer that is able to infect other PCs. Experts have estimated the number of infected PCs could be as high as 10 million.

Phishing scams were also wide spread. Banking, IRS, eBay and PayPal phishing attacks increased significantly in 2007.

"2007 was a challenging year for the antispam industry and a phenomenal year for us," said Ted Green, President of SpamStopsHere. "With spam reaching such critical levels, our customer base has grown substantially due to the simple fact that many of our competitors have difficulty keeping their antispam solutions up to date with the latest spam campaigns."

"SpamStopsHere has a team of technicians that review spam 24 hours, seven days a week. This allows us to update our system every minute and block the latest spam campaigns."
 

McAfee researcher Vinoo Thomas said on the Avert Labs blog that the spammers now use a couple of ways to get the worm onto someone’s system. In the easiest scenario, a victim on a vulnerable system click the link and triggers an onslaught of browser and application exploits.

If those don’t take hold on a system, the person visiting the fake YouTube page is encouraged to download and launch the attack manually. A screenshot of the scam showed dialog typical for download sites, where the viewer is told to click another link if the download does not begin within a short period of time.

“We expect these spammers to continue to use these types of tactics,” said Dave Marcus, security research and communications manager at McAfee.

GET FREE ABERCROMBIE, HOLLISTER, AE CLOTHING! Currently I have around fifteen messages of that nature, and some of an explicit nature, in my MySpace message inbox. What’s worse is that they appear to be sent from someone I know personally.

Hundreds of user profiles were inundated with similar content from contacts on their friends’ lists, and many victims were left wondering why they had been removed as a friend.

A worm that directed users to a phishing site, which MySpace discovered on Friday, caused the solicitation of messages.

Users who were redirected by the worm to one of the phishing sites were asked for their username and password, which was in turn used to gain access to their personal profiles on the site.

Once access was gained, any number of spam mail could be sent to the contacts on the user’s profile.

The worm used Javascript to exploit Apple’s Quick Time player, which can be embedded into MySpace profiles.

Once a profile was vulnerable, legitimate links on MySpace were replaced with infected links which led to the phishing sites.

MySpace’s over 70 million registered users could even have their profile infected simply by viewing a profile that had the worm.

In order to rectify the situation, MySpace shut down all infected user profiles over the weekend, also shutting down five of the six phishing sites used to gain profile access. The “place for friends” assures users that all profiles containing the infection have been deactivated.

Add to Del.icio.us | Digg | Reddit | Furl

Autmn Davis is a staff writer for WebProNews covering ebusiness and technology.

This move is due to recent past security issues, including a flash based worm “that had spread far and wide through the site and sent users to an off site page claiming that the U.S. government was behind the 9/11 terrorist attacks”:

Just as javascript has been unusable in MySpace, most flash objects are also now unable to link out to third party sites when viewed with Flash player 9. MySpace users are now being encouraged to download a beta version of Flash 9 in order to view MySpace hosted video. When they do so, almost all other widgets (YouTube, etc) no longer link out to third party sites because of code inserted by MySpace after a security breach last weekend. Some flash widgets appear unaffected but there is no clear reason why. Being displayed in a music section profile is the only thing that I and several friends could see as different between the few widgets that still link out and those that don’t.

What’s happening with MySpace is not dissimilar from what we saw occur with Oodle, when craigslist pulled their data. This change holds some pretty huge implications, including that so many new web services have been betting on the MySpace strategy to spur adoption and grow their userbase. Herein lies the problem of what we perceive is the “new web”. It’s not always as open and social, as we make it out to be. People are still concerned about dollar $igns.

Indeed, MySpace is showing more and more that they are very concerned about maintaining and protecting their little world from others monopolizing on and monteizing their investment (think SingleStat.us, DatingAnyone, and other services they shutdown). In other words, if you want to take advantage of MySpace, then fork over the cash for advertising.

MySpace was clever with this move though – they didn’t stop those widgets from being on the site. That would have caused a huge backlash from the MySpace crowd. Instead, they put an additional step between the widget and the user. Now, they have to do a search for the widget, instead of just clicking it. With the pathetic attention span of most MySpacers, that’s actually pretty significant (and at the same time, quite sad).

» Del.icio.us | DiggThis | Yahoo! My Web | Furl

Ken Yarmosh is a consultant who helps organizations get the most out of their technology investments. He works with technology users and creators across various industries, focusing on technology education and strategy. With over 7 years IT experience, Ken has worked with small businesses, non-profits, federal agencies, and multi-million dollar companies.

His online efforts include acting as the Editor for the Corante Technology Hub and authoring the TECHNOSIGHT blog.

This gift is one you’ll wish you’d never opened. The IM.GiftCom.All worm arriving by those IM systems or over Windows Messenger appears to be a URL linked to a picture of Santa Claus. IMLogic, which discovered the worm, posted that clicking the URL launches an executable file.

Once that file gets started, it embeds itself into the PC as a rootkit, and scans the registry, file system, and Internet cache. IMLogic also said the process hides from antivirus and other system tools that might detect it. The worm also logs keystrokes and may also try to spread itself to other users over IM to usernames it grabs from those services on the infected PC.

While its method of distribution doesn’t make it a big threat, the amount of damage it can do to a system caused IMLogic to rate it as a Medium threat, a company executive told CNet News.

Users and administrators should ensure they are running the most current versions of their antivirus engines and that signature files have been updated to help repel the threat. Also, people will want to be careful about clicking on links in messages that arrive unexpectedly, even if they appear to be from a legitimate messaging buddy.

—
Email the author here.

Add to | Yahoo My Web

David Utter is a staff writer for WebProNews covering technology and business.

Another huge outbreak of the Sober worm has been scheduled to happen on January 6th, 2006. However, thanks to Mikko Hyppnen and Finnish security firm F-Secure, admins everywhere now have the information to take steps and block infected machines from hitting a URL where a new version of Sober can be obtained and installed.

F-Secure has had the information since May 2005. “(W)e informed the local police in Germany as well as the affected ISPs (in May). But we didn’t want to talk about it publicly then – we didn’t want to fill in the virus writer on this. But he must know this by now,” Hyppnen wrote.

An algorithm in Sober generates pseudorandom URLs based on the date. 99 percent of the URLs created don’t exist. The URLs, which point to free hosting servers in Germany and Austria, can be determined by Sober’s creator ahead of time.

Then he can create the URL at the free hosting site at the right date to get the latest version of the worm onto any infected machine that can connect to the URL.

That list changes every 14 days, and a change has already been scheduled in existing versions of Sober on January 6th. Admins who block connections at the firewall to freenet.de, pages.at, and arcor.de should thwart any undetected Sober-infected machines on their networks, according to the report.

Previous outbreaks of Sober have delivered millions of Nazi propaganda messages to inboxes worldwide. Putting that to an end would be a tremendous benefit to users everywhere.

David Utter is a staff writer for WebProNews covering technology and business.

The message on the CIA’s website reads:

Some members of the public have in the past few days received a bogus e-mail falsely attributed to CIA’s Office of Public Affairs. CIA did not send that message. In fact, it does not send unsolicited e-mail to the general public, period. If you have gotten such a message, we strongly encourage you not to open the attachment, which contains a destructive virus.

SecurityProNews did a story on the FBI email yesterday. It seems some individuals felt particularly testosterone laden and elected to choose not only the FBI, but also the CIA for their malicious endeavors.

Like the FBI emails, the CIA emails look official, coming from addresses tagged with cia.gov. They will tell users to fill out the form attached. When users open the attachment, it turns out to be the virus. The email says the user has been visiting illegal websites and the CIA/FBI knows about it (not entirely implausible) and that the user should answer the attached questions.

One might question the sanity of those spreading such maliciousness using the name of the FBI or the CIA. They might think they really won’t get caught. Chances are though, this is just an odd form of job application.

John Stith is a staff writer for WebProNews covering technology and business.

You’ve got rootkit, and spyware, and a host of problems if your antivirus software isn’t up to date. A worm circulating through the AIM network can be a serious problem for PCs, FaceTime said in a release.

A machine victimized by the worm will experience a whole bunch of problems:

AIM PC users should verify with their antivirus companies that their virus signatures and scanning engines have been updated, as always.

David Utter is a staff writer for WebProNews covering technology and business. Email him here.