Andrew Gordon, enterprise senior pre-sales engineer, northern region, at Trend Micro Australia, said Australia was experiencing the flow-on effects of a global increase in malware attacks increasingly targeting back-door, network and Web-based vulnerabilities.
“There's definitely a lot more hacker-type activity as opposed to specific virus-writing activity,” Gordon said. “We're probably seeing a move away from the more dastardly-type viruses, but when you think about what these [recent] threats are doing--such as opening up one machine to anything--if you've got a laptop with sensitive information on it there's a lot of concern.”
Malware now being released increasingly threatened businesses and corporate networks rather than home users, Gordon said. Several trojans and other hacker tools that could enable criminals to steal confidential information or take control of a network appeared in the list of new, mainly low-risk, threats.
According to Trend Micro, one hacker-type tool that appeared this month was Worm_Mumu.A, which exploits weak administrator passwords to attack open shared directories. However, the most common way worms and viruses propagate remains infected email attachments, alongside other channels such as peer-to-peer file sharing, instant messaging and shared network drives.
But this isn't the only way worms and viruses spread. One new threat, Troj_Systrim.A, monitors network traffic via port 6000. Another network sniffer, Elf_Typot.A or 'Stumbler', is a Linux-based Trojan that randomly scans IP addresses and ports for vulnerabilities. One example, Worm_Gant.C, which arrives in an email carrying a .pif attachment, appeared on 24 June.
Gordon said the old social-engineering tricks--such as putting 'Here is that file you asked for' in the subject line--to tempt users to open emails from unknown addresses still worked on many people. “It's like little children--the more you tell them not to, the more they do it,” he said.
Furthermore, Gordon pointed out that with the trend towards mobile computing, more executives were now connecting to business networks from home, where children, for example, could compromise network security simply by playing with their parents' laptops.
Gordon said that the move towards hacker-type tools could be an indication that more serious threats would appear over time. This year saw the world's first successful attack on a specific industry sector, when the Bugbear.B worm targeted around 1,200 banks worldwide.
“That was the first one to bring down the system--an example of genuine industrial espionage,” he said.
However, Trend Micro also found that the three most common threats had been around for a while. “Slow-burners are the ones causing the most problems just in trying to keep up with the clean-up [of the threat]--such as FunLove, which we see as rampant both here and in the rest of the world. That's been around for three years now.”
FunLove and two versions of Lovgate were the three most common viruses in June. If only one copy of FunLove survives, that copy can re-infect the entire network. Gordon said system administrators were taking time to clean their networks only to realise some time later that threats could be hidden in unexpected places. “They sometimes forget about the one in the corner with the cobwebs on it, and then they get degradation in bandwidth and end up forever cleaning the same machines,” he said.
Gordon also said there had been an overall decline in the level of virus-writing ability, suggesting a prevalence of 'script kiddies', who merely copy and paste code from earlier exploits. Top-notch hackers seemed to have gone underground in the wake of several prominent and highly-publicised convictions handed down to crackers in recent months, he said.
Trend Micro's top 10 malware for June, based on the global number of infected computers detected by HouseCall, an online virus scanner for PCs, and Trend Micro Control Manager, a central management application for network administrators, were:
1. Worm_Lovgate.F with 960,585 infections
2. Pe_FunLove.4099 with 461,389
3. Worm_Lovgate.G with 250,478
4. Worm_Klez.H with 111,413
5. Worm_Yaha.G with 96,420
6. Bat_Spybot.A with 87,349
7. Pe_Bugbear.Dam with 79,506
8. Pe_Bugbear.B with 63,135
9. Pe_Elkern.D with 55,466
10. Js_Nimda.A with 42,331