Tricky new malware unnerves security vendors
What does it want to be when it grows up?
IDG News Service - A tricky malicious program has become more prevalent in spam, but experts don't know what its creators plan to do with it.
Many vendors are rating the malware -- called "Warezov," "Stration" and "Stratio" -- as a low risk. But they also say that it is tricky to deal with.
The malware is a mass-mailing worm that affects machines running Microsoft Corp.'s Windows operating system. When the malware infects a computer -- usually after the user has opened an attachment containing the worm in a spam e-mail -- it sends itself out again to other e-mail addresses found on the computer. The code is then capable of downloading new versions of itself as frequently as every 30 minutes from a batch of Web sites, said Mikko Hypponen, chief research officer at F-Secure Corp., a security company in Helsinki.
Those new versions are created by a program on a server controlled by the hacker, Hypponen said.
In the past, malware has been known to create variations of itself, but the code to create those variations was contained inside the malware. So when a sample was obtained, security analysts could study it and identify potential new versions, he said.
Now, the hacker's program is compiling the code and rapidly churning out new versions, but analysts don't know how the new code is generated.
That characteristic is a headache for security software firms that issue special updates to their software to detect the malware. F-Secure alone has issued at least 150 signatures for the malware.
"It gets very complex to detect an attack like that because the code keeps changing," Hypponen said.
Security firm Sophos PLC has detected some 300 versions of the malware. For October, the malware was one of the most common pieces of malicious code found in spam messages, said Carole Theriault, senior security consultant with Sophos.
Since infected computers look to other domains to receive updated code, F-Secure has worked with ISPs (Internet service providers) to shut down domains hosting the new variants. So far, nine of 10 domains have been shut down, Hypponen said.
Oddly, the malware doesn't appear to do anything yet on the victim's computers. It's estimated up to a few hundred thousand computers are infected, a sizable number but not quite on the scale of large malware problems from a few years ago, Hypponen said.
A hacker could be waiting to harness enough infected computers to start a denial-of-service attack or send spam or rent out the network to a spammer, Hypponen said.
"We hope to one day find out why they are doing this," Hypponen said. "We hope it's nothing too bad."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts