Spyware is becoming more
common, and getting harder to fight.
On December 22, an Internet investigator got a tip that child pornography
was being housed on an adult Web site. When he visited the site to verify
the information, he didn't find any illegal images. But what he did find
was a Trojan horse that disabled the ActiveX security controls on his
browser and took control of it.
"I heard my hard drive churning
and clicked on my task manager and saw three executable programs were
installing themselves," says Chris Brandon of Brandon Internet
Services. "I knew I was in trouble when I couldn't get my task
manager to cancel the programs." By the time he checked his
registry, the Trojan had installed dozens of programs that replaced the
default Web page with its own, and loaded its own IP addresses in his
favorite places, short cuts and safe zones. When he tried to erase the
programs and reboot the machine, the virus reinstalled.
Spyware Spreads
This program is a perfect example of spyware gone amok. It installed
itself by taking advantage of a vulnerability in Internet Explorer 4.x and
5.x that lets an unsigned applet to create and use ActiveX controls. Then
it hijacked Brandon's browser, a term called "Web-jacking." But
it could have been worse. Some variants evoke dialers to call up 1-900
numbers if the victim is using telephone dialup for Internet access.
"We're seeing more of this type of
virus activity in recent months," says Ken Dunham, director of
malicious code for IDefense, a security intelligence firm in Reston,
Virginia. "Trojans promote going to certain pornography sites and
other sites they affiliate with because they get money for the clicks from
advertisers. They terminate regedit.exe [registry editor], and they can be
very difficult to remove."
Anti-spyware vendor PestPatrol
reports staggering growth over the past few months of the virus that
Symantec dubbed Trojan.Norio. And at least 24 variants of the virus now
exist in the wild, according to the anti-spyware site Spywareinfo.com.
Each variant is designed to do something
different. One variant changes your customized search settings to
allhyperlinks.com, for example. Another variant redirects all searches
through a bogus site called Coolwebsearch.com. Another redirects
Verisign's Site Finder to a fraudulent Site Finder site. Another evokes
the auto-dialer. And so on.
What Lies Ahead
Expect these types of Trojan viruses to be used for even more malicious
purposes, such as the culling of credit cards and passwords, Dunham says.
"In the case of the Norio Trojan, it
changes the registry and the host file," he says. "You type in a
name like Microsoft.com, it will redirect you to a site they want you to
go to. You could make it redirect you to a fake Citibank.com Web site and
get you to fill in sensitive information."
Brandon removed the malicious code by
using Spywareinfo's remediation kit called CWSweep. (PestPatrol
also provides a removal kit.) He's since been tracking down the IP
addresses and domain names that the virus loaded into his registry. Many
of the domain names are a variation of Coolwebsearch.com.
"I want to find the people
responsible for this, the affiliates in collusion with this, and turn them
into Microsoft for that bounty it promises on virus writers," he
says.
With the IP addresses and Web site names
so easy to find, you'd think tracking the virus writers would be easy for
someone with Internet tracking skills. But most of the IP addresses
Brandon's investigated led to bogus hosting providers and anonymized
administrative contacts. Meanwhile, the PestPatrol
report on the virus lists an address for Coolwebsearch.com, the originator
of the virus, to be in Natick, Massachusetts.
Article Originally by Deborah Radcliff,
Network World Monday, January 26, 2004
(Posted on Spycops.com 06/04/04):
Pc
World Mag |
