Next generation of Scob pest can be stopped by existing patches.

Discussion in 'malware problems & news' started by the mul, Aug 21, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Jul 31, 2003
    New Worm Travels by IM

    Next generation of Scob pest can be stopped by existing patches.

    A new version of the worm that spread from infected Microsoft Web servers in June has been identified and is using instant messages and infected Web sites in Russia, Uruguay, and the United States to spread itself, according to one security company.

    Researchers at PivX Solutions of Newport Beach, California, have intercepted new malicious code closely resembling that from widespread attacks in June attributed to a worm named "Scob" or "Download.ject." The new attacks use mass-distributed instant messages to lure Internet users to Web sites that distribute malicious code similar to Download.ject, says Thor Larholm, senior security researcher at PivX.

    This wave of attacks works similarly, routing victims to Web sites with code that takes advantage of vulnerabilities in Microsoft Internet Explorer and Outlook. Though Microsoft has patched those vulnerabilities, the attackers are attempting to exploit unpatched systems. Two patches from 2003, MS03-025 and MS03-040M, address the flaws used by the new worm, Larholm says.

    How It Slithers
    First detected on June 24, the Scob attacks were attributed to a Russian hacking group known as the "HangUP team." The virus used a recently patched buffer overflow vulnerability in Microsoft's implementation of Secure Sockets Layer to compromise vulnerable Windows 2000 systems running Internet Information Server Version 5 Web servers. Companies that used IIS Version 5 and failed to apply a recent security software patch, MS04-011, were vulnerable.

    The June attacks also used two vulnerabilities in Windows and Internet Explorer to silently run the malicious code distributed from the IIS servers on machines that visited the compromised sites. The malware redirected victims to Web sites controlled by the hackers, and downloaded a Trojan horse program that captured keystrokes and personal data.

    The newer attacks begin with instant messages sent to people using America Online's AOL Instant Messenger or ICQ instant messaging program. The messages invite recipients to click on a link to a Web page, with pitches such as "Check out my new home page!" The messages could appear to be sent from strangers or from regular IM correspondents, or "buddies," Larholm says.

    Once victims click on the link, they are taken to one of a handful of attack Web pages hosted on servers in Uruguay, Russia, and the United States. There, a Trojan horse program is downloaded.

    Greedy Worms?
    In addition to opening a "back door" on the victim's computer through which additional malicious programs can enter, the new attacks change the victim's Web browser home page or Outlook e-mail search page to Web sites featuring adult content, Larholm says.

    PivX is still analyzing the attacks to see if malicious code is placed on victims' machines. However, many of the files used by the new worm and the way the attacks occur point to the same group that launched the Scob attacks in June, Larholm says.

    "The code is different enough to be something of its own, but unique enough to be related," he says. "And as with the Scob attacks, this is all about money--in this case, driving ad revenue for specific people."

    PivX has informed antivirus companies of the new malicious code.

  2. Devinco

    Devinco Registered Member

    Jul 2, 2004
    Thanks for the article, the mul.

    I don't understand these malware people's business model or logic concerning the forced porno stuff.
    I understand the id theft, cc and password theft.
    But do they really expect a user that has all this porno foisted upon them against their will to suddenly say "gee thanks! I think I'll go and buy some porno from them!" o_O

    It doesn't make sense.
  3. Frazzle

    Frazzle Guest

    My thoughts exactly.

    Same goes for any of the companies investing in about:blank to promote their products (or any other CWS-like marketing tool).

    Do the aggravated and distressed victims who have had their computers invaded suddenly think "Oh, but that turned out to be handy. At least I know who to go to for a mortgage. Saves me searching on Google."

    It's never going to happen, is it? Quite aside from the fact all those companies are bogus. That leaves the whole "pay per click" industry. CWS and its variants force sites onto people (via homepage hijacking, say) since these sites are incapable of generating legitimate traffic...

    I don't understand how that works. Who "pays for the clicks"? Just the advertisers who appear on said pages? In which case, it brings us back to the original question. Would anyone in their right mind buy any products offered by these beastly toads?

    Is it possible that people are being hijacked without even realising what's happened? They consider all the pop-ups, links to sites on their homepage and added favourites as a daily news rotation?

    As for the porn, maybe it's "useful" in countries where there's a government ban on ever seeing that type of stuff o_O?

    Beats me.