Beware Evaman

The Sydney Morning Herald is warning of a new Doomsday with “a new internet virus is expected to clog mail servers, cause severe slowdown and wreak financial damage as it spreads rapidly around the world when businesses return to work today”.

It is a mass-mailer worm called Evaman, and Symantec is likening it to MyDoom, using a false email address to generate messages with an attachment that carries the virus. By opening the attachment, recipients “unleash the virus onto their computer, where it automatically starts sending out dozens of new messages”.

As with an increasing number of these viruses, the worry is that the infection rate will be worsened because of the weekend factor: Tim Hartman, senior technical director at the security firm Symantec, “estimated the virus would spread at an uncontrollable rate as people returned to work”. He’s quoted as saying: “There’s so many unprotected machines out there that the likelihood that this will spread significantly is quite high. We have to wait until everyone gets back to work from their weekend around the world.”

What’s not quite clear to me is how exactly this works, and for what purpose. Symantec says the worm “generates random queries to (an email search engine), and collects email addresses from the search results”. It then “sends copies of itself to the addresses that it finds with a spoofed From address”. But why?

I can only assume it is trying to verify email addresses in bulk. If so, it’s proof, if it were needed, that spamming and virus writing is all pretty much the same business these days.

More On Korgo

More on the phishing worm I mentioned in a previous post.

Mikko H. Hypponen of F-Secure has passed on a little more information. He says it’s “pretty big, but still far away from outbreaks like Sasser or Mydoom”. So far “at least 50,000 machines are infected worldwide, possibly more”. He says Korgo does “specifically target at least three online banking systems, but I don’t want to go into details”. But since it also “collects anything typed at the computer keyboard, it basically targets any bank where users can access their account without a one-time password”. That would mean a lot of data to shovel back to scam HQ; I’m assuming it limits keylogging to when the user is browsing, but Mikko doesn’t say more on that.

He points out that while this is the first automatic — in other words, it doesn’t use email or other methods to get around — worm to do this bank website keylogging, it’s not the first virus. In fact, the same Russian hacker group he believes is responsible for this worm, the HangUP Team, were also believed to be behind Webber and Banker, two other bank-related viruses.

Mikko also reminds us of the history of bank-related viruses, including the Bugbear.B worm, which contained a long list of target banks, and collected cached passwords. Which I suppose raises the old question: Does a phisher have to involve some sort of social engineering to be a phisher? Given that the guys doing this kind of thing all seem to be members of the same gang, does it matter what name we give it?

Virus Writers As Spotty Juveniles Or Hardened Criminals? Take Your Pick

Was the recent virus war just between kids, or something more sinister?

Mi2g, the British Internet security consultants, reckon not. “Upon analysing the juvenile dialogue between the malware writers of NetSky, Bagle and MyDoom it has been prematurely concluded by a range of commentators that this is a turf war between teenagers or college students seeking global notoriety. Whilst script kiddies are active in large numbers around the globe benefiting from freely available online hacking and malware authoring tools, a coincidental release of malware variants that have contributed to a tsunami is highly unlikely to be merely the work of teenagers.”

Some folk have pointed to discussion on some online bulletin boards as evidence of the gangstyle war behind these recent viruses. Mi2g see it differently: “It could well be that the teenager-type messages were deliberately left behind by more mature malevolents to benefit from the publicity of their intended disguise that delivers obscurity to the real motives behind this rapid release of malware variants and the colonisation of millions of zombie computers in homes, places of learning, government departments and corporations.”

“The fact that Bagle and its many variants involved advanced social engineering — tricks to persuade you to open, and therefore activate, the virus-laden attachment — suggests a high level of specificity in what the malware writers seek,” mi2g reckon. The email containing the virus mimics the email address domain to which it is being sent, thereby confusing the user (and confusing me too). Other elements convince mi2g these guys are not just mucking about:
  • The backdoors that are left open by MyDoom, for example, cannot be exploited easily by a novice;
  • Hundreds of thousands of tailor-made emails received over the last week carry a Bagle variant, for example, within an encrypted attachment that bypasses the defences of many corporations and ISPs;
  • The rapacious way in which the address books are then plundered across the corporate network also suggests a more legitimate email address harvesting motive than simply an intellectual challenge frenzy between rivals.

Mi2g also points to the NetSky variants which also “sniff for evidence of MyDoom and Bagle infections as well as their previous incarnations before attempting to deactivate them”. Mi2g concludes that “groups of malware authors are battling for market share of infected computers and there is a protracted turf war underway, where large sums of money or valuable assets are involved.”

I tend to agree, and have said so, in my usual quiet way. But I think there’s a slight difference in my analysis and theirs. While mi2g say “It would be a folly to assume that all these groups of malware writers, who masquerade as juvenile teenagers, are not linked to trans-national criminal syndicate activity. All this suggests a grander financial plan than mere bragging rights”, I don’t believe they are grown-ups masquerading as kids. I think they are probably kids who are sharing some of the loot with the gangs.

In fact, I think it may be wrong to think of the people behind these scams as big established gangs. They may be relatively large in number for a culture not known to cooperate but, at a pop, I’d say there were no more than 10 or so per group — and, importantly, they are fluid and ad-hoc. For a scam to work you need someone with the brains to figure out how to extract money (the scammer), someone to do the coding (the coder), and someone to distribute it (the spammer). All of them could, in effect, be kids. To see what life among these kind of folk is like, look no further than Robin Miller’s interview on NewsForge with Andrew D Kirch, a security administrator who recently infiltrated some script kiddie groups. While script kiddies — generally derided for the belief they copy most of the code they use, they don’t write it themselves — may not be up to creating the viruses we’re talking about here, one gets a pretty good general idea of the culture.

A New Trick To Lure The Unwary?

I don’t know whether this is new or not, but I ain’t seen it before. Could virus senders be making use of a new social engineering tweak?

The problem, it seems to me, is that a lot of anti-virus manufacturers and system administrators insist on including automated alerts which supposedly inform users when their email addresses are being used to send viruses. Of course, in 9 cases out of 10 the user is not infected; their email address is being spoofed. But to the casual user, it’s annoying and somewhat scary. So are virus writers now using this ridiculous waste of time to lure more victims?

It goes like this: This morning I got four emails, all from support(at) The headers were all warnings:

  • Important notify about your e-mail account
  • Warning about your e-mail account
  • E-mail account disabling warning

The contents were varied, but credible:

Dear user of gateway e-mail server, Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software. Pay attention on attached file. For security reasons attached file is password protected. The password is “22578”. Sincerely, The team

Another one said:

Dear user of, Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions. For details see the attach. For security purposes the attached file is password protected. Password is “28284”. Best wishes, The team

The company’s virus software had removed the virus (not clear what, probably MyDoom). But it had me fooled long enough to fire off an angry reply to our support staff (sorry, guys). I’ve not seen similar wording to this on the virus sites, so this could well be a new trick. If so, it’s a good one.
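As an added example (mine, not anything from the original post or from any vendor), here is the kind of mail-filter rule that would catch this particular lure. It scores a message on the four things the two messages above have in common: a sender posing as the recipient’s own support or admin team, an archive password handed out in the body, account-threat wording, and an archive or executable attachment. The two lure samples are reconstructed from the messages quoted above, with example.com standing in for the real domain and invented attachment names; the admin local-part list and the threshold are assumptions.

```python
import re

# Local-parts that make a forged sender look like the recipient's own mail
# administrators (assumed list for this example; extend it to match your site).
ADMIN_LOCALPARTS = {"support", "admin", "administrator", "postmaster", "staff", "noreply"}
# Catches 'The password is “22578”' and 'Password is 28284': the archive
# password announced in the body, which a legitimate sender would not do.
PASSWORD_IN_BODY = re.compile(r"password\s+is\W{0,3}(\d{4,8})", re.I)
# Wording that pressures the reader about their account or an infection.
ACCOUNT_THREAT = re.compile(r"e-?mail account|virus|infected|trojan|spam", re.I)
RISKY_SUFFIXES = (".zip", ".rar", ".exe", ".scr", ".pif", ".com", ".bat")
FLAG_THRESHOLD = 3  # assumption: three of the four signals together is a lure


def split_address(addr: str):
    """'support@example.com' -> ('support', 'example.com'); bare addresses only."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def score_bounce_lure(sender, recipient, subject, body, attachments):
    """Return (score, reasons) for one message; attachments is a list of file names."""
    reasons = []
    s_local, s_domain = split_address(sender)
    _, r_domain = split_address(recipient)
    if s_domain == r_domain and s_local in ADMIN_LOCALPARTS:
        reasons.append("sender poses as the recipient's own support/admin")
    m = PASSWORD_IN_BODY.search(body)
    if m and attachments:
        reasons.append(f"password {m.group(1)} for the attachment is given in the body")
    if ACCOUNT_THREAT.search(subject + " " + body):
        reasons.append("account-threat wording")
    if any(n.lower().endswith(RISKY_SUFFIXES) for n in attachments):
        reasons.append("archive or executable attachment")
    return len(reasons), reasons


def is_bounce_lure(sender, recipient, subject, body, attachments):
    """(flagged, score, reasons) for one message."""
    score, reasons = score_bounce_lure(sender, recipient, subject, body, attachments)
    return score >= FLAG_THRESHOLD, score, reasons


# Constructed samples: the two lures are the messages quoted above, with
# example.com standing in for the real domain and invented attachment names.
SAMPLES = {
    "virus-warning-lure": dict(
        sender="support@example.com", recipient="user@example.com",
        subject="Important notify about your e-mail account",
        body="Dear user of gateway e-mail server, Our antivirus software has detected a large "
             "ammount of viruses outgoing from your email account, you may use our free anti-virus "
             "tool to clean up your computer software. Pay attention on attached file. For security "
             "reasons attached file is password protected. The password is “22578”. Sincerely, The team",
        attachments=["antivirus_tool.zip"]),
    "spam-complaint-lure": dict(
        sender="support@example.com", recipient="user@example.com",
        subject="E-mail account disabling warning",
        body="Dear user of example.com, Some of our clients complained about the spam (negative "
             "e-mail content) outgoing from your e-mail account. Probably, you have been infected by "
             "a proxy-relay trojan server. In order to keep your computer safe, follow the instructions. "
             "For details see the attach. For security purposes the attached file is password "
             "protected. Password is “28284”. Best wishes, The team",
        attachments=["instructions.zip"]),
    # A genuine admin notice shares two signals but not the attachment or the password.
    "real-admin-notice": dict(
        sender="admin@example.com", recipient="user@example.com",
        subject="Mailbox quota",
        body="Your e-mail account is close to its storage quota; please archive old messages.",
        attachments=[]),
    "colleague-report": dict(
        sender="alice@partner.example", recipient="user@example.com",
        subject="Q1 figures", body="Hi, here are the figures we discussed. Cheers, Alice",
        attachments=["q1-figures.xlsx"]),
}


def run_samples():
    """Map each sample name to (flagged, score)."""
    return {name: is_bounce_lure(**fields)[:2] for name, fields in SAMPLES.items()}
```

The threshold matters: a real admin notice about a mailbox quota scores two (own-domain admin sender plus account wording) and passes, while both lures score four. Any single signal on its own is too common in ordinary mail to act on.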

The Virus Turf War

More on who’s behind the latest wave of virus attacks.

Mary Landesman of looks at text strings contained in the viruses of Bagle (sometimes Bagel) and MyDoom to show how “a battle is waging between three groups of virus writers, each attempting to prove superiority over the other.” It’s a very good piece.

But it’s not quite that simple, I suspect. While she quotes a virus analyst at Norman Data Defense Systems, the excellently named Snorre Fagerland, as saying, “We suspect that several virus authors – or factions of virus authors – are competing in creating the most successfully spreading worm. So far we see three different groups or persons, each responsible for their own worm family; NetSky, Bagle, and MyDoom. Text messages inside these worms points in this direction. It seems like they are accusing each other of stealing ideas and code, in an attempt to achieve the highest number of copies spread on the Internet as fast as possible.”

I believe it’s more complex than that. A message in Bagle.J goes: “Hey,NetSky, [expletive] off you [expletive], don’t ruine our bussiness, wanna start a war?” This, Landesman points out, is apparently in response to a string contained in Netsky.C that reads, “]MyDoom.F is a thief of our idea! – -”

My belief is this: A lot of viruses nowadays are business ventures, cobbled together by an informal cabal of computer nerds and folk who want to make money (spammers, scammers). Of course some viruses are just kids in dorms and bedsits messing about for fun. But when the guy(s) behind Bagle.J say ‘don’t ruin our business’ they’re not speaking metaphorically. The Internet is like any other turf, and there’s only so much to go round. What we’re seeing here, I believe, is a turf war among criminals, or possibly between criminals and script kiddies (amateur, and amateurish, virus writers who do it for fun.)

Do Anti-Virus Companies Love Viruses?

Are anti-virus companies behind the viruses?

Avecho, Britain’s ‘complete worry-free mail service’, reckons “the world needs to wake up to the fact that the anti-virus industry is not an anti-virus industry, it is a definition-selling industry and they just love these viruses. The more afraid you are, the more money you spend with them.”

This problem is solvable, quickly, according to avecho. It points to avecho’s own ThreatCENSOR, which “applies a wonderful, simple piece of logic which has stopped MiMail, SoBig, MyDoom and all variations of Bagel and NetSky. It is not rocket science, it is simple and fool-proof. It is based upon the reality of how we work.” ThreatCENSOR works on the simple premise that:

  • viruses are executable code — in other words, globs of computer programs that attach themselves to emails and try to get you, the recipient, to open them.
  • 99% or more of all normal communications do not contain any executable code. “These are documents, graphics, sounds or text. If you want a piece of executable code, you invariably know that you want it, and from whom.”
  • by applying a simple rule ‘I will only accept executable code from people I know – and that I am expecting’, ThreatCENSOR stops over 98% of all viruses, with no traditional anti-virus at all.

It’s not a bad idea, a bit like one mentioned in this blog a week or so back. Of course, avecho have an axe to grind, and they’ve been doing it entertainingly for months, if their press releases are anything to go by (all links are to PDF files):

  • industry passes the blame for infection and propagation of email viruses onto the users;
  • Are viruses here to stay? Only 18 months left for the £2bn traditional anti-virus industry;
  • stopped sobig A technology has existed for over a year which could have completely stopped Sobig. Why are the AV vendors still beating the same old drum?
  • On Wednesday 6th August 03 avecho GlassWall stopped a variation of the MiMail virus that had already successfully passed through a leading industry virus scanner, with up to date virus definitions.

But they do have a point. Somehow we’ve got to find a better way to stop viruses than using updating libraries. What I want to know is: Is there something like this that can work on end-users’ machines, or does everything have to be server based?

Who Is Behind Bagel, NetSky and MyDoom?

Who is behind this latest crop of viruses, and variants on viruses?

Mi2g, a London-based technology security company, reckon that MyDoom and Bagle “is not the activity of hobbyists but organised criminals” and that Doomjuice.a, which carried the source code of MyDoom.a, was “clearly written by the same perpetrators” with the motive of covering their tracks.

That said, mi2g reckon the original NetSky author may merely have been “involved in a turf war with MyDoom and then another turf war with Bagel”. (Yes, it does sound like a bad police series). “That,” mi2g says, “suggests the possibility of bragging rights or intellectual challenge as a motive instead of financial gain.” Evidence? “NetSky.d was released at the beginning of March, and whilst it has its own agenda, it also modifies registry keys to delete the “au.exe” file used by two variants of the Bagle malware.”

This large number of variants in such a short timeframe, mi2g say, “is historically unprecedented”. It’s not clear who is behind these, mi2g say, but whoever it is, “the net beneficiary is organised crime as the number of compromised computers or zombies continues to increase”. These slave computers can be used for anything, from spam to phishing scams to DDoS extortions to working as fileservers for illicit or pirated material.

My guess? Success breeds copycat attacks, and there are an awful lot of folk out there who have the knowledge and the inclination for this kind of thing. It’s no surprise that these attacks are getting worse, and that there is a clear link between virus writing and scams. Hold onto your hat.

Is Zip The Way To Thwart Viruses?

I like this idea from a Slashdot poster: Eliminate most viruses by zipping everything.

It works (I think) like this: Most viruses arrive as an attachment to an email. These are called executables in that if you click on them, something happens. (As opposed to a file attachment such as a Word document, or a web page, which just opens — although it may contain some malicious script.) Some email programs, like Microsoft Outlook, block these executables by default, but many other programs don’t, or else users change the default setting because they find they cannot access one or two attachments which are kosher. Result: virus mayhem like MyDoom.

The poster suggests that all attachments be zipped. Zip files by definition have to be unzipped before they can be launched, opened or whatever. Most unzipping programs will open those files to a specific folder, during which time they’ll be checked for viruses. More importantly, this process gives the user a chance to view the contents of the file before clicking on it, and may perhaps give them pause for thought.

Of course a lot of people do this already, but they tend to be people who aren’t going to be send viruses around, and they’re also not the kind of people to open dodgy attachments. In short, the people who zip aren’t the people we’re worried about. Somehow, we’ve got to convince ordinary folk to zip up, preferably by making it an automatic part of the email program. Attach a file to an email? The thing is automatically zipped.

The poster then suggests that email systems are set to delete or quarantine any executable that’s not zipped. That should remove most virus threats (of course some viruses arrive as zipped files, and rely on some social engineering to persuade the unwitting user to open and execute them, but there’s not much you can do if someone is suicidal enough to do all that.) The last point he makes: Encourage zip program vendors to work closer with anti-virus companies “to provide better protection from viruses in zip archives”.

I can’t see much wrong with this. I think zip programs could be easier to use (ironically, Microsoft’s inbuilt zip viewer in Windows XP seems to work best), but if they can be persuaded to integrate seamlessly with email clients, we may go some way to stemming the virus flood.

An Apology, And Some More Ways Out Of Spam and Viruses

Just got an angry email from the folk at 0Spam.Net, who I mentioned in an earlier post as one of the companies somewhat, er, quick to congratulate itself in the wave for avoiding the worst of MyDoom.

Bill Franklin, 0Spam.Net president, writes that “Whether our product works or not and its value to your readers seems to not be of importance in your column, we’re just someone out of whom to get some mileage, at the cost of tarnishing our reputation.”

My apologies. Perhaps I wasn’t fair. I wasn’t questioning the quality of the service; it just appeared unseemly that, while business and home users were still grappling with MyDoom infections, companies should be firing out dozens of press releases trumpeting their successes in keeping the virus out. But that aside, there are some excellent email services that do keep out spam and viruses (I’m using, and have recommended, one of them: AlienCamel) and 0Spam.Net sounds like another one. These services transfer the onus of filtering out rubbish, both destructive and annoying, so that the end user doesn’t need to set up a spam filter, or an anti-virus program on their computer. All you have to do is cough up a bit of extra money ($15 for six months for AlienCamel, $5 a month for ), and change your email settings a tad.

Of 0Spam.Net, Bill writes: “The truth is, our service works nearly flawlessly – try to find another anti-spam, anti-virus product that comes anywhere close to our accuracy level: 100% detection of viruses and a 1 in 2,250,000 error rate of false positives for spam detection with a spam detection rate of 99.996%.” That’s a pretty good ratio.

Another service that promises to do the same thing is ZoEmail, just launched yesterday. For $1 a month ZoEmail claims to “completely stop spam and finally give e-mail users real control over what lands in their inbox”. I’ve written an entry on ZoEmail here.

Homeland Virus Alerts – What Happened?

The big anti-virus vendors often stand accused (rightly) of exaggerating the danger and impact of viruses; not surprising, as they make money out of protecting people from viruses. But why would the U.S. government do it?

Here’s a great piece by Mary Landesman of complaining about US CERT, a newly formed partnership between the U.S. Department of Homeland Security’s National Cyber Security Division and the CERT Coordination Center (CERT/CC) run by Carnegie Mellon University. After quoting their blurb — “We have taken great care to be accurate, fair, and honest about the security risks you face, and we feel a tremendous professional obligation to bring you the best, most trustworthy advice we can to help you protect your systems” — she then quotes their first alert (TA04-028A), which was sent out twice: “MyDoom.B Rapidly Spreading”.

Er, no. MyDoom.A — the original version — was big, . MyDoom.B, in her words, is “barely a blip on the radar”. Here’s the data so far:

  • Sophos: er, one copy.
  • Messagelabs: er, 7 copies.
  • Trend Micro: er, 1 copy.

You get the idea. MyDoom.A was big. MyDoom.B is not. So what went wrong? Well, it’s early days, so perhaps we can put it down to teething troubles. But it’s not that simple. What I find a bit disturbing is that US-CERT, it appears, have not so much corrected their error as pretended it never happened. The original, incorrect alerts can now be found only on other sites (via a Google search); US-CERT itself carries only an ‘updated’ version (without the ‘rapidly spreading’ bit). Good that they’ve realised their error, but they don’t seem to be acknowledging it: the revision history for this report refers only to a version on Feb 2 that “Updated hosts file and information, changed heading formats”. Nothing about “removing misleading and horribly incorrect information about spread of virus”. From where I’m sitting (and I may be wrong here), this looks like someone has tried to forget the original reports ever existed.

There are, quite obviously, a few problems with this. What happens to all those folk who have acted on the original reports? I can see it posted at more than 300 sites, where presumably people are cowering under their desks, switching off computers, and wearing gas-masks. How are these people going to know the original report was wrong if you pretend it never existed?

It’s all about credibility. Commercial anti-virus firms do a good job of analysing viruses and a slightly less good job of quickly updating your software so you don’t get infected. They also try to give an accurate idea of how far and how fast the virus is spreading. But do we believe them when they put out press releases saying how much damage viruses cost? Not usually, because we know these folk make money based on how big the problem is. The whole point of something like US-CERT is to bring some impartiality to the scene. But that’s not going to work if a) the original reports are horribly wrong and b) the error is compounded by not ‘fessing up to it and letting people know what you’ve corrected.

I’ve sought clarification from US-CERT.