[THIN] Alert: Security Experts Warn of malicious Kama Sutra Worm

  • From: "Jim Kenzig http://kenzig.com" <jimkenz@xxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx
  • Date: Wed, 25 Jan 2006 16:34:10 -0800 (PST)

      Ok I admit it.. I am a bit embarrassed having to send this one out but 
this one has the potential to be a very far reaching malicious virus because of 
its content nature.  Please be vigilant and careful not to get caught up and 
be tricked by this.  This one takes social engineering to the max.  Be careful, 
don't open and delete any such type of emails!
  Jim Kenzig

  Security Experts Warn of Kama Sutra Worm
  Walaika K. Haskins, newsfactor.com 36 minutes ago 
  

  
http://news.yahoo.com/s/nf/20060125/bs_nf/41201&printer=1;_ylt=As4t_IRUgTi7t3tY47ESG8bwPDQD;_ylu=X3oDMTA3MXN1bHE0BHNlYwN0bWE-
Security analysts are warning computer users about a new and potentially 
destructive Internet worm that can obliterate important documents. The worm, 
called Kama Sutra, is making the rounds now, but is scheduled to execute its 
first massive attack on February 3. 
  Detected last week, the malicious worm targets computers running Windows and 
spreads primarily by copying itself to shared network locations and then 
sending itself to e-mail addresses found on afflicted computers. With subject 
lines that read "the best videoclip ever," "give me a kiss," and "school girl 
fantasies gone bad," the worm entices computer users to open the attached file. 
  "This worm feeds on people's willingness to receive salacious content on 
their desktop computer, but they could be putting their entire company's data 
at risk," said Graham Cluley, senior technology consultant at Sophos. 
  According to Sophos, on the third of each month, the worm will attempt to 
disable existing antivirus and firewall software and also will delete specific 
files, such as Microsoft Office documents. 
  Waxing or Waning Threat 
  The worm -- also known as Blackworm, Nyxem-D, and W32.Blackmail.E, among 
others -- was said by Sophos to be the most frequently sighted e-mail worm last 
week. Sophos statistics indicate that, within the last 24 hours alone, the worm 
has accounted for some 23 percent of all virus reports. 
  There are disagreements in the security industry about the severity of the 
worm, with Symantec and F-Secure taking different positions on the issue. 
Controversy stems from interpreting one of the worm's most intriguing features: 
a Web counter. Once the worm infects a new computer, it accesses a Web page on 
which there is a counter. The counter number increases whenever the Web page is 
accessed. 
  Andrew Jaquith, a Yankee Group senior analyst, said that most reports 
indicate that the counter had risen already to 700,000, which could indicate 
that nearly a million computers are infected. 
  Much of the speculation in the industry about the potential for damage done 
by the Kama Sutra worm centers on the counter number -- which might represent 
unique machines or accesses to the counter page by the same machine more than 
once. One of the things that is "sorely lacking" with mass outbreak malware 
like the Kama Sutra worm, Jaquith said, is any real sense of how many machines 
are compromised. 
  "We still don't know, for example, how many machines were really affected by 
the WMF vulnerability," he explained. "The antivirus vendors don't seem to know 
either, or are unwilling to divulge much -- possibly because it would expose 
gaps in their signature coverage." 
  Back to Old-School 
  To address what is so far the most expansive malware attack in 2006, 
speculation among security vendors and researchers has focused on the 
destructive nature of the worm. Unlike most viruses currently in the wild, the 
Kama Sutra code is not intended to reap the code writer a windfall of 
ill-gotten gains. The hacker designed the worm to create mayhem by destroying 
documents. 
  "The reason why experts at Sophos believe the worm is likely to have been 
written by an old-school hacker rather than an organized criminal is its 
destructive payload," Cluley explained. "That kind of destructive behavior is 
not typical of financially motivated worms because the damage is too obvious to 
the end user." 
  Frost & Sullivan analyst Rob Ayoub said he is not convinced that the worm 
represents the work of an old-school hacker. This worm is something that the 
industry has not seen in about a year. "This is just something we haven't seen 
in a while. It's not a botnet or a zombie. It's a throwback to malware that 
only seeks to create havoc." 
  ActiveX Controls 
  Of greater concern, said Ayoub, is the worm's ability to deceive Windows into 
receiving a malicious ActiveX control by providing a phony digital signature. 
Discovered originally by Fortinet, the worm apparently adds some 18 entries to 
the Windows Registry, allowing it to insert an ActiveX control that can 
circumvent Windows' defense mechanisms. 
  The development is interesting, Ayoub said, because, heretofore, the 
assumption has been that if a piece of software has a digital signature, then 
it is safe. Ayoub said Microsoft will need to take a serious look at 
digital-signature technologies. 
  "In the past, it has always been if the company signs it, then it must be 
authentic," Ayoub said. "Microsoft needs to look at the digital signing process 
or else we will see more things like this and that is pretty dangerous because 
that gets around some of the safeguards that are supposed to keep these things 
out."
  Analysts are urging computer users, especially home users, to make sure 
that they have up-to-date antivirus software installed on their machines. 
"There should be no excuse for any data being lost on February 3 by this worm, 
but there is always the danger that some home users will not have heard that 
warning," Cluley said.




Jim Kenzig 
CEO The Kenzig Group
http://www.kenzig.com
Sponsorships Available!
Blog: http://www.techblink.com
Terminal Services Downloads: http://www.thinhelp.com
Windows Vista: http://www.VistaPop.com
Virtualization: http://www.virtualize-it.com
Games: http://www.stressedpuppy.com
