Latest Mytob worms phish for trouble

By themselves, the Mytob variants and Trojan horse programs appearing this past week don't look like much. Put them together and you may have the recipe for a major attack. The smarter and faster the malcode, the more security experts conclude that idea isn't so far-fetched.

Lynnfield, Mass.-based antivirus firm Sophos has found new evidence that Mytob is indeed getting smarter. New variants of the worm -- which have flooded the Internet since the start of the month -- now use phishing tactics to spread, the firm reported Tuesday. That and the emergence of new Trojan horse programs suggest attackers are working feverishly to grow their zombie armies, train them in the art of social engineering and deploy them in large-scale attacks.

"What we are seeing is a major attempt by hackers to harness innocent people's computers to create an army of zombie computers," Graham Cluley, Sophos' senior technology consultant, said in an e-mail interview. "These computers can then be used to run denial-of-service attacks, launch spam campaigns or steal information. Furthermore, because many of them attempt to shut down security programs and block access to antivirus Web sites, there is the danger that infected computers are also open to attack from older viruses and worms that users may have thought they were defended against."

Spoofing your IT department
Mytob's latest assault has raised concern in the security community that the underground is perfecting the ingredients for a super worm that could trample antivirus programs and spread indefinitely:

• Mytob variants accounted for 14 of the top 20 most reported viruses to Sophos in the last week.
• In that same period, Cupertino, Calif.-based Symantec logged about 12 variants in its database, labeling them all a level 2 threat.
• Tokyo-based Trend Micro has seen roughly 11 variants since the start of the month.
• Waltham, Mass.-based IMlogic has added seven variants to its database since June 2.

"It has never been more important to secure your computer system, as the virus writers and hackers become ever more organized and professional," Cluley said. "Everyone should be running their computer with the latest antivirus, security patches and firewalls and ensure they are keeping their defenses up to date." @11326

The worm's phishing tactics are particularly troubling because it can dupe users into thinking they are clicking on a link from their IT department, Sophos said.

"Whereas most of the Mytob worms arrive in e-mail with a viral attachment, some new versions adopt a trick most commonly used by phishers, [including] a faked Web link pointing to the malicious code," the firm said on its Web site. "E-mails sent by the new versions of Mytob masquerade as a seemingly legitimate e-mail from the recipient's IT department or ISP, and suggest that a security problem has been found with their e-mail account. Users are advised to click on the Web link to confirm their account. In a crafty twist, references are made to the recipient's domain name and e-mail address to give the message more legitimacy."

E-mails sent by Mytob-DA, for example, have the following characteristics:

Subject line: *IMPORTANT* Please Confirm Your Account.

Message text: Dear Valued Member, According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons: http://www. /confirm.php?email= Thank you for your attention to this question. We apologize for any inconvenience. Sincerely, Security Department Assistant.

If the user clicks on the link, they open a Web site that downloads a copy of the worm, Cluley said. The new versions of Mytob also contain hidden messages, he said. Some claim the author's name is "DiablO" and contain debug strings such as "[x] starting Hellbot::v3 beta 2."

Add Trojans for a toxic attack recipe
Adding to security experts' concern is the spike in recent Trojan horse activity. Mytob itself tries to open back doors on infected computers that could be used in future attacks. Some of the newest Trojans in the wild appear to be working together. The question now is whether the Mytob and Trojan activity will intersect at some point, and what will happen if it does.

One of the latest Trojans is LdPinch-BD, which tries to steal confidential passwords and other data from infected computers, Sophos said. The Trojan comes with an animated picture of a lion wishing a happy birthday as it steals information from infected machines

Cluley said there's no evidence at this point that the Trojan is connected to the Mytob spread. But he said the recent Trojan and Mytob activity does share a common goal of raising an army of zombie machines for future attacks. And three other Trojans to appear in the past week -- Glieder, Fantibag and Mitglieder -- show that one piece of malcode can be designed to work with others.

New York-based Computer Associates believes this Trojan trio is working together to hijack as many machines as they can in a short period, growing an army of zombie machines that can be sold on the black market and used to steal identities, lift bank account numbers and launch other attacks.