Korgo Spreads Its Wings

Seems like the big anti-virus boys are waking up to Korgo, the ‘phishing worm’ that F-Secure was warning about a few days ago.

Symantec have just issued an advisory upgrading W32.Korgo.F, a new variant of the worm, from a Level 2 to a Level 3 threat. As Symantec says, W32.Korgo.F is a worm that attempts to propagate by exploiting a Microsoft Windows vulnerability publicly announced on April 13, 2004, the LSASS Buffer Overrun Vulnerability. This vulnerability allows a hacker, in the words of Symantec, “to execute malicious code on a vulnerable system, resulting in full system compromise.”

But what I don’t understand is that Symantec don’t indicate the real threat behind this worm: That it steals passwords. And no mention of the keylogging properties of Korgo (sometimes called Padobot or Lsabot) on Sophos or McAfee (which has found a seventh variant, but measures all the threats as low). Even a more detailed explanation on Virusdesk doesn’t refer to the keylogging capability. Why is that?

F-Secure point out that “this latest worm makes it possible to gain access to secure passwords and other valuable information, such as credit card numbers. Banking information is especially vulnerable as this is essentially a keylogging virus.” I can’t see Symantec mentioning this key bit of information, which as UK-based Netcraft points out “represents an alarming advance in phishing, as it forgoes the need to trick the end user into divulging details.”

End users: Symantec recommends that users update their antivirus definitions and configure their firewalls to block ports 113 and 3067.

Update: PC-cillin Goes All 2004

Trend Micro today released PC-cillin Internet Security 2004, the latest version of an antivirus program that I have written fondly of in the past. There don’t seem to be any new bells and whistles this time around, but then again it doesn’t really need them: Internet Security includes a personal firewall and “advanced privacy and spyware protection to protect passwords, bank account numbers, and other personal information”. It also blocks spam and inappropriate (adult) Web sites. It sells for $50, which will get you a year of updates.

News: Norton Chips In

I should have known, given the whole virus thing is big business, that if one company announces a new product, its rival down the street isn’t likely to stay silent. Hot on the heels (or maybe before, who knows) of McAfee’s upgrade to its VirusScan, Symantec Corp. announced Norton AntiVirus 2004, although tellingly it’s not ‘widely available’ until early September. (Not trying to muddy McAfee’s launch, are we lads?)

Norton AntiVirus 2004 takes a slightly different approach to the growing threat of worms, rather than viruses (worms jump aboard without the user doing anything like loading a file, while viruses depend on the user actually doing something). Norton AntiVirus 2004 will include scans for programs on the user’s computer that can be used with malicious intent to compromise the security of a system, spy on the user’s private data, or track users’ online behavior. AntiVirus will identify and block these threats at the point of entry to the system, detecting the threats during scans of email and instant message attachments, or during scheduled or on-demand system scans. This seems a little different to McAfee, although on the surface this all doesn’t sound that new. I’ll take a closer look and get back to you.

Norton AntiVirus 2004 and Norton AntiVirus 2004 Professional will be available for an estimated retail price of US$49.95 and US$69.95.

Update: Beware Worms Carrying Gifts

You’ve probably heard of the computer worm that is seemingly benign: W32.Welchia.Worm targets customers infected with the W32.Blaster.Worm, deletes it, attempts to download the patch from Microsoft’s Windows Update Web site to correct the hole that allowed the worm in the first place, installs the patch, and then reboots the computer. All very nice, on the surface. But then the worm checks for active machines to infect by sending an ICMP echo, or PING, which generates a lot of traffic. That’s where the problem starts.

Symantec says it’s been receiving reports of severe disruptions on the internal networks of large enterprises caused by ICMP flooding related to the propagation of the W32.Welchia.worm. (Read: large amounts of unnecessary traffic that slows networks to a crawl.) In some cases enterprise users have been unable to access critical network resources. “Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm,” said Vincent Weafer, senior director, Symantec Security Response.

In large corporations it will take weeks, maybe months to install the original patch. With all this traffic on their networks, Symantec says, those patches can’t be installed. What to do if you’re infected with the W32.Welchia.Worm? Symantec has posted a removal tool. Use it. There’s no such thing as a nice worm.
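The ICMP echo sweep described above is what makes Welchia visible on a network: one host pinging a large number of distinct addresses in a short time. As an added example (not code from the original post or from Symantec), here is a small detector that reads firewall log lines in an assumed "timestamp proto src dst" format and flags any source whose echo requests reach an unusual number of distinct destinations. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log in an assumed "timestamp proto src dst" format.
# 10.0.1.5 sweeps 30 addresses the way a scanning worm would; 10.0.2.7 is a
# normal host pinging one gateway a few times; one TCP line is noise.
SAMPLE_LOG = "\n".join(
    [f"2004-08-19T10:00:{i:02d} icmp-echo 10.0.1.5 10.0.1.{i}" for i in range(1, 31)]
    + [f"2004-08-19T10:01:{i:02d} icmp-echo 10.0.2.7 10.0.2.1" for i in range(3)]
    + ["2004-08-19T10:02:00 tcp 10.0.2.7 10.0.2.9"]
)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_lines(text):
    """Yield (timestamp, proto, src, dst) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groups()


def find_icmp_sweepers(text, threshold=8):
    """Return {src: distinct_destination_count} for every source whose ICMP
    echo requests hit at least `threshold` distinct destinations. Counting
    distinct targets rather than raw packets keeps a host that repeatedly
    pings one gateway from being mistaken for a worm scanning the subnet."""
    targets = defaultdict(set)
    for _ts, proto, src, dst in parse_lines(text):
        if proto == "icmp-echo":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, count in find_icmp_sweepers(SAMPLE_LOG).items():
        print(f"possible ICMP sweep from {src}: {count} distinct destinations")
```

The threshold of 8 distinct destinations is an arbitrary starting point; tune it against what normal hosts on your own network do.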