ESET's ThreatSense.Net® statistical system, which analyses the global trends of virus infections, reported that while on a global scale Conficker was the most prevalent recent infection, with it being detected on nearly one in ten computers  (especially rampant in Russia and Ukraine where it was detected in almost one in three computers), in Ireland it is a Trojan, officially labelled WMA/TrojanDownloader.GetCodec that is doing most of the infecting. Latest figures show that in Ireland it featured in approximately 6.5% of all virus detections (while globally it ranked fifth on ESET's threat list with 1.45% of detections).

]]> Virus News Wed, 15 Apr 2009 17:15:56 +0000 http://www.ctswestcork.com/virus-news/77-worms-infect-twitter This weekend has seen the popular social media site Twitter infected by several worms. Fortunately the technical team at Twitter were on the ball, were able to stop these attacks from progressing too far and have now plugged the vulnerabilities that these attacks exploited.

Both attacks used a technique known as “cross site scripting” (XSS). The perpetrators of the worms discovered that you could put Javascript code into the “Bio” section of a Twitter account. Anyone then visiting the home page of that account would activate the Javascript which would, in turn, infect the visitors account. Thus the worm was able to spread from one account to another.

]]> Virus News Mon, 13 Apr 2009 09:36:28 +0000 http://www.ctswestcork.com/virus-news/76-conficker-still-active The Conficker.C worm became active on April 7th – a week after the expected date for activity. Trend Micro report that at that time it downloaded an update that has changed its behaviour somewhat.

The new variant, Conficker.E (sometimes known as WORM_DOWNAD.E), now has a stop date or May 3rd encoded into it. However the likelihood is that even if the worm itself stops functioning on May 3rd any backdoor that exists as a result of the worm will be left open.

The worm has also been contacting known Waledac worm domains and downloading files from these. Downloads from these servers frequently result in spamming attacks or rogue spyware and virus alerts. The latter may be the real intention of Conficker as it gives cyber-criminals an avenue to monetize the worm’s deployment.

The first was titled "Important Security Alert" and contained the following text:

Your access to Online Services has been suspended. Due to a miss-match access code between your Security information. To enable you continue accessing your online account it will only take you few minutes to verify your Identity. Follow the reference below and you will be guided to where you can gain an instant verification process.

which was followed by the link (DON'T click the link). The interesting thing about this link is that it's on a legitimate (supposedly) radio station website http://www.lemammouthbleu.com Well the site was up when I tried a couple of days ago; but it now "down for maintenance". Were they hacked?

Phish 2 this week was another "You have 1 New Security Notification!" type with just an instruction to log in and the link. I've had two of these this week with the link pointing to different dummy domains.

Just to reiterate the message: don't act on any emails that purport to come from your (or anybody's) bank.

]]> Virus News Mon, 06 Apr 2009 17:39:49 +0000 http://www.ctswestcork.com/virus-news/43-virus-status Here's the current virus activity status supplied to us by ESET. If you think your computer has a virus then don't delay give us a call now on 023 88 39496.

The worm has in its body an embedded command to trigger its activity on April 1st. This command has thus been activated, prompting the worm to start communication with a randomly-generated number of domains out of the estimated daily total of 50,000 where the worm checks for instructions.

]]> Virus News Wed, 01 Apr 2009 18:28:15 +0000 http://www.ctswestcork.com/virus-news/62-new-dhcp-server-malware The SANS Internet Storm Centre has reported a new version of the Flush.M DHCP server malware that first surfaced last December (2008). Whilst this won’t affect home users (unless you’re running a separate DHCP server) businesses may be at risk.  The ISC state:

Like back then, after infecting its target, the malware installs a rogue DHCP server. The main goal of the DHCP server is to spread a bad DNS server IP address.

]]> Virus News Wed, 18 Mar 2009 23:23:15 +0000 http://www.ctswestcork.com/virus-news/59-more-phishing More phishing attempts in the news today. Firstly the Revenue Commissioners have issues the following warning about a phishing email that's asking for personal information:

The Revenue Commissioners have today (16/03/09) warned of the existence of a fraudulent email purporting to come from Revenue seeking personal information from taxpayers in connection with a tax refund. The email asks the recipient to submit personal details including date of birth and debit/credit card details. This email did not issue from Revenue.

]]> Virus News Mon, 16 Mar 2009 19:04:45 +0000 http://www.ctswestcork.com/virus-news/58-conficker-c-1st-april A new variant of the Conficker worm, named Conficker.C, is set to become active on the 1st April according to CA. This evolution of the worm has been stripped of a lot of it's replication tools; but these have been replaced by stronger capabilities for disabling anti-virus products and restricting access to websites related to virus removal as well as disabling Windows Security Centre and Windows Defender.

]]> Virus News Mon, 16 Mar 2009 08:38:25 +0000