
Security firms disagree over movie virus threat

IDG.net

June 16, 2000
Web posted at: 8:57 a.m. EDT (1257 GMT)

BUENOS AIRES, ARGENTINA (IDG) -- Security experts this week were divided on the threat posed by a new Trojan virus after its identification late last week.

Bernardo Quintero, a virus expert with Spanish computer security organization Hispasec, contends that the malicious program, which supposedly hides itself in computer movie files, is no such thing, but rather an "elementary Trojan virus serving the marketing purposes of a few security firms and government departments."

Last Friday, FBI sources confirmed that a sophisticated Trojan virus had been released, with the ability to conceal itself in AVI (computer movie) files. The virus was reported as being capable of releasing massive DDoS (distributed denial of service) attacks from thousands of computers permanently connected to the Internet.


The news of the virus was released by Network Security Technologies (Netsec), which had reportedly alerted the FBI. According to a Netsec report, the Trojan virus was probably hosted on more than 2,000 computers and was primed to launch an attack.

The virus was named "Serbian Badman Trojan" after the Internet nicknames of its creators.

However, according to Hispasec's Quintero, the virus threat has been greatly exaggerated. "It is a simple Trojan distributed as an .EXE executable, (and is) completely unsophisticated," Quintero said in a written statement.

The virus disguises itself as a movie file, just by changing its icon, and adding a false intermediate .MPG extension, Quintero said. The virus has no filename of its own, and its filename is changed every time it is sent. The virus therefore appears on a victim's computer as any-filename.mpg.exe.
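
The any-filename.mpg.exe disguise described above can be caught by looking at the last extension rather than the one the user sees. The following check is an added example, not part of the original article or any vendor's tooling; the extension lists and function names are assumptions chosen for illustration.

```python
import ntpath

# Assumed lists: decoy (harmless-looking) types and Windows-executable types.
MEDIA_EXTS = {"mpg", "mpeg", "avi", "mov", "jpg", "gif", "txt", "doc"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "vbs"}


def classify_attachment(name):
    """Return 'double-extension', 'executable' or 'ok' for a file name."""
    # ntpath splits on both '\\' and '/', so full Windows paths are accepted.
    base = ntpath.basename(name.strip())
    # Windows ignores trailing dots and spaces when resolving the extension.
    base = base.rstrip(". ")
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return "ok"
    # Any decoy extension before the real one marks the disguise; strip()
    # also catches padding such as "clip.mpg      .exe".
    inner = [p.strip() for p in parts[1:-1]]
    if any(p in MEDIA_EXTS for p in inner):
        return "double-extension"
    return "executable"


def flag_disguised(names):
    """Return only the names whose real type is hidden behind a decoy extension."""
    return [n for n in names if classify_attachment(n) == "double-extension"]


# Constructed sample names, not taken from any real incident.
SAMPLE_NAMES = [
    "any-filename.mpg.exe",
    "holiday.mpg",
    "setup.exe",
    r"C:\downloads\Clip.MPG.EXE",
    "clip.mpg      .exe",
    "report.v2.exe",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{classify_attachment(n):17} {n}")
```

Running the same check at a mail or news gateway only works if it sees the full file name, since Windows hides known extensions by default.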

Hispasec's security expert says that the very elementary Trojan virus is not capable of self-replication or self-mailing, so it cannot spread the infection by itself. The virus was distributed by sending the file, under different filenames, to several pornographic newsgroups in the hope that users would be induced to download the supposedly adult content video.

Quintero said that the malicious program was written using an elementary Trojan creation kit, and its only purpose, once installed, is to contact a Web address. Once it has made contact, the virus tries to download and install "SubSeven21", a well-known backdoor program that most antivirus programs can detect. This backdoor allows hackers to remotely control the compromised computer.

The backdoor program is no longer available at its previous address, so infection is impossible through the Trojan virus, according to Quintero.

Antivirus software vendor Symantec also issued the same finding Wednesday on its Web site. "The intended program file is no longer available on the Internet, thus it currently poses no threat to users," Symantec said in its Web posting.

The SubSeven twist

However, U.S. computer security company iDefense Wednesday supported Netsec's findings, but only in relation to the SubSeven Trojan virus.

SubSeven is the malicious code that the Serbian Badman Trojan tries to download and install. Version 2.1 of SubSeven, and probably other releases, can use IRC (Internet relay chat) channels to launch "ping flood" DoS attacks using IRC commands from infected servers, iDefense said in a statement.

This capability allows a malicious attacker to launch a DDoS attack using all the compromised machines logged onto the appropriate IRC channel at any given time, iDefense said.

This IRC command capacity is significant because corporate firewalls that are not configured to block IRC outbound traffic will not stop the commands, and they will also flow freely from small businesses and homes furnished with permanent DSL (digital subscriber line) and cable modem connections, the iDefense statement said.

Using this feature, attackers can command every compromised computer to send out thousands of large ping packets to a particular IP (Internet Protocol) address at the same time. The iDefense statement made it clear that "this is not the same master and zombie/slave relationship that has come to be identified with DDoS tools such as Trinoo and Stacheldraht, but SubSeven is capable of launching a denial of service attack distributed across potentially thousands of machines," without their owners noticing it.

IDefense urges users to take appropriate measures against this Trojan virus. Firewalls should be set up to block all unsolicited inbound services. Users are also encouraged to apply this precaution to outgoing traffic and to block and log traffic on known Trojan ports (e.g., 2221, 2222, 6669 and 7000).
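
The "block and log" advice above is only useful if the logs are reviewed. The following log review is an added example, not part of the original article or iDefense's statement; the log line format, sample entries and function names are assumptions, and the port set is the one listed in the article.

```python
import re
from collections import defaultdict

TROJAN_PORTS = {2221, 2222, 6669, 7000}  # the examples listed in the article

# Hypothetical firewall log format: timestamp, direction, protocol, flow, action.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>IN|OUT) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<action>ALLOW|DENY)$"
)

# Constructed sample entries using documentation address ranges.
SAMPLE_LOG = """\
2000-06-16T09:01:12 OUT tcp 192.168.1.23:1045 -> 203.0.113.9:6669 ALLOW
2000-06-16T09:01:15 OUT tcp 192.168.1.23:1046 -> 203.0.113.9:80 ALLOW
2000-06-16T09:02:40 IN tcp 198.51.100.7:3310 -> 192.168.1.40:2222 DENY
2000-06-16T09:03:02 OUT tcp 192.168.1.23:1047 -> 203.0.113.9:7000 ALLOW
garbled line that the parser must skip
2000-06-16T09:04:18 IN tcp 198.51.100.7:3312 -> 192.168.1.40:2221 ALLOW
"""


def trojan_port_hits(log_text):
    """Return one record per log line whose destination port is on the list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in TROJAN_PORTS:
            continue
        # The internal host is the source of outbound and the target of inbound.
        host = m["src"] if m["dir"] == "OUT" else m["dst"]
        hits.append({"ts": m["ts"], "dir": m["dir"], "host": host,
                     "port": int(m["dport"]), "action": m["action"]})
    return hits


def hosts_needing_review(hits):
    """Map each internal host to the listed ports the firewall let through."""
    by_host = defaultdict(set)
    for h in hits:
        if h["action"] == "ALLOW":
            by_host[h["host"]].add(h["port"])
    return {host: sorted(ports) for host, ports in by_host.items()}
```

Hosts in the result had traffic on a listed port that was allowed rather than blocked, which points to a missing rule as well as a machine to inspect.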

Both iDefense and Hispasec agreed that updated antivirus programs can detect all uncompressed versions of the SubSeven Trojan. They both recommend keeping the antivirus programs updated.




© 2001 Cable News Network. All Rights Reserved.