iApplianceWeb.com

EE Times Network

Security Sentinel:

Malware attacks escalate, enable massive identity theft operation

Toni McConnel

iApplianceWeb


(08/07/05, 12:24 PM GMT)

On August 5, Akonix Systems, Inc. announced that it had identified a new instant messaging (IM) spyware worm, named Chode-D, which is propagating rapidly over a public IM network. Chode-D runs continuously in the background on the computers it infects, providing a backdoor server that lets a remote cracker gain access to and take control of the PC through Internet Relay Chat (IRC) channels. (See Security Sentinel of 7/31/05.) Through that backdoor the worm can send email, download updates to itself, take part in denial-of-service attacks, steal passwords, disable anti-virus products and modify the system HOSTS file.
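The HOSTS file change mentioned above is worth checking for on any machine you suspect: malware that edits HOSTS usually maps security vendors' update sites to 127.0.0.1 or 0.0.0.0 so the anti-virus product can no longer fetch signatures, or to an attacker-chosen address. The following scanner is an added example written for this column, not code from Akonix or Sunbelt. The vendor domain list and the sample HOSTS content are constructed for illustration; a real deployment would substitute its own list of domains that should never appear in HOSTS.

```python
"""Flag HOSTS-file entries that sinkhole or redirect security-vendor domains.

Added example for this column. The domain list and SAMPLE_HOSTS are
assumptions constructed for illustration, not taken from the article.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Illustrative update/vendor domains that a worm might sinkhole so the
# anti-virus product cannot update. Assumed for the example only.
SECURITY_VENDOR_DOMAINS = (
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "trendmicro.com",
    "sophos.com",
    "windowsupdate.com",
    "update.microsoft.com",
)


@dataclass(frozen=True)
class Finding:
    lineno: int
    address: str
    hostname: str
    reason: str


def _matches_vendor(hostname: str) -> bool:
    """True if hostname is one of the vendor domains or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def scan_hosts(text: str) -> List[Finding]:
    """Return suspicious entries found in HOSTS file contents.

    HOSTS format: one mapping per line, "<address> <hostname> [alias ...]",
    with '#' starting a comment. Lines that do not parse are skipped rather
    than reported, so a stray comment or typo cannot raise a false alert.
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; leave malformed lines alone
        for hostname in fields[1:]:
            if not _matches_vendor(hostname):
                continue
            # Loopback or 0.0.0.0 makes the name unreachable ("sinkholed");
            # any other address sends the vendor's traffic somewhere else.
            reason = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
            findings.append(Finding(lineno, str(addr), hostname, reason))
    return findings


# Constructed sample, not a capture from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com
0.0.0.0         update.microsoft.com   # update server nulled out
198.51.100.7    www.mcafee.com         # sent to an attacker-chosen address
10.0.0.5        intranet.corp.example  # ordinary local entry, left alone
"""

if __name__ == "__main__":
    for f in scan_hosts(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.hostname} -> {f.address} ({f.reason})")
```

Run it against the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) by reading the file into `scan_hosts`. A clean machine normally yields no findings; the localhost and intranet lines in the sample are deliberately ignored to show that only vendor domains are reported.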

In the first quarter of this year the Akonix Security Center discovered 25 new IM viruses, compared with 10 in the same period of 2004, a 150% increase. In July alone Akonix found 42 new threats targeting IM systems, a 24% increase over the previous month. Five of these were entirely new viruses (Rants, Prex, Kirvo, Hagbard and Lamar), and the Akonix Security Center also found new variants of previously seen malware, including Kelvir, Bropia, Opanki and Oscabot. (Do you ever wonder who names viruses and malware?)

That’s enough bad news for one week, but it gets worse. On August 4 Patrick Jordan, a senior researcher at Sunbelt Software (a security software vendor), was researching a CoolWebSearch (CWS) exploit. While deliberately infecting a test machine, he noticed that it had become a spam zombie and was calling back to a remote server. He traced the server and found a sophisticated criminal identity theft operation. Sunbelt is not yet sure which malware was responsible; it could have been CWS, Chode-D, or any of a number of other malware invaders.

What astonished Sunbelt was the size of the operation. According to Alex Eckelberry of Sunbelt, “The scale is unimaginable. There are thousands of machines pinging back in a day. There is a keylogger file that grows and grows, and then is zipped off and then the cycle starts again. The server is in the US, but the domain is registered to an offshore entity.”

Eckelberry also reports that the keylogger transcript files being uploaded to the remote servers contain chat sessions, user names, passwords and bank information. He writes on the Sunbelt Blog that one company had a bank account with $350,000 at risk and another small company had $11,000 at risk; eBay accounts turned up as well. Sunbelt notified the FBI, which is now working on the case.

While waiting to hear from the FBI, Sunbelt contacted individuals who were at risk of losing a considerable amount of money. “But there is only so much we can do,” says Eckelberry in his account of the experience on the blog, “without bringing in extensive external resources. The scale of this thing is massive. So we are taking down the files as rapidly as possible to save the information. Maybe some law enforcement group can use this information to warn people.”

Eckelberry advises that if you don’t have a firewall on your system, you should install one immediately. Bear in mind what a firewall does and does not do against the attack described here: it keeps an outside cracker from reaching a backdoor listening on your PC, but a keylogger already on the machine can still upload its transcripts unless the firewall also filters outbound connections (the Windows XP firewall, for example, filters inbound traffic only). Clearly more concerned with people’s safety than with profit, he passes up the opportunity to promote Sunbelt’s software and states that “any decent free one will do the job.” I’m not sure I agree with him. I’d suggest you get your firewall from Sunbelt, of course.

Experts state at every opportunity that enterprises as well as individuals are alarmingly lax about security, and warn repeatedly that the single greatest factor in vulnerability to crackers is user ignorance. I have puzzled over this quite a bit, since security alarms are sounded often by the media, even some that target the general public (Information Week, Washington Post, Wired, and New York Times, for just a few examples, all report regularly on security issues). Do people not read these reports? Let me know what you think by writing to me at SecuritySentinel[at]TechRite-Associates[dot]com.

You can get detailed information about the Chode-D worm, or sign up for IM security alerts, at the Akonix Security Center. To keep up with Sunbelt’s investigation of the identity theft operation, go to the Sunbelt Blog.

Toni McConnel is executive editor of iApplianceWeb.  She is also a nature photographer and an award-winning fiction writer. You can reach her by email at SecuritySentinel[at]TechRite-Associates[dot]com.




Copyright © 2004 Appliance-Lab