Threat Report: No rest for the wicked

West Coast Labs' Sydney honeypots continued to attract high levels of malware this week, even as globally the total number of threats eased during the Christmas and New Year period.

The Sydney honeypots attracted a strand of the polymorphic Virut family of viruses, which as explained in our first Threat Report, infects files with encrypted code and spreads itself further whenever the files are executed.

West Coast Labs noted that it was precisely the same variant of Virut that attacked its German honeypots in May and Taiwanese honeypots in September - the former attack being launched from Japan and the latter from Romania.

The attack came from Romania on this occasion.

This revealed that the attackers either persisted with the same malware after achieving good results, or innocent end-users continue to be affected by the virus months after its initial release, spreading the threat further afield.

West Coast Labs noted that most IT security vendors now have a fix, even if it took some two months to introduce.

Further information on this piece of malware can be gained from:

• Sophos
• Trend Micro
• Securelist

Asia on the attack

Whilst the Virut variant was sourced to an address in Romania, West Coast Labs also noted that an unusually high number of malware detected by the Sydney honeypots came from addresses in Asia.

Of the 119 attacks detected this week (65 unique, 56 new to Sydney), 28 came from Japan, 18 from Taiwan and 7 from Hong Kong.

One new variant to the Sydney honeypots, detected in Europe as far back as 2008, has been detected in seven Asian countries - primarily sourced to Japan and Taiwan.

It was believed to be a Poly Cript-packed bot, and depending on which vendor you ask is named Ircbot, Mybot, Rbot, Sdbot or Spybot. Equally, it's described as a virus, worm, backdoor or Trojan, but its main aim is to infect the user's machine and add it to a botnet.

More info on this malware is available at:

• McAfee
• Symantec
• Panda