Internet Security

Emerging threats: trojan horse / computer worm.

Recently, a new malicious program was detected that the Department of Homeland Security considered serious enough to ask a group of computer analysts to examine and monitor it, according to DHS spokesman Donald Tighe. An Internet security task force, created to link the resources of government, business and universities on computer security issues, is part of the Bush administration's national strategy to secure the country's technological infrastructure.

A newly discovered type of computer worm.


This particular worm is generally referred to as Phatbot or Polybot ("bot" is short for "robot," a term generally applied to automated software running on an Internet server). Phatbot, detected by security researchers, has been described as "low risk" because it had not spread as widely as recent worms like MyDoom, Netsky and Bagle. But another source cautions that "the potential for this one is huge," because it can spread in many ways and perform many surreptitious functions on infected machines. Technically known as computer worms, these programs generally share the same goals: to take control of remote computers and proliferate, so that they can build large networks of remotely controlled machines that take part in online attacks, send junk e-mail (spam) and possibly engage in other malicious activities such as identity theft.

A random test conducted by Eastern PC.

Connecting to a typical local ISP by dial-up modem, our Windows 2000 / XP lab computer became infected within less than 3 (three) minutes of logging on! The next time we restarted the computer and connected to the network, this program (or a similar program) was observed listening for other infected computers, and had attempted to surreptitiously transfer data between 10 or more remote machines (worldwide) in less than 1 (one) minute before we shut it down. Evidently using technology similar to that developed for "peer to peer" file sharing networks such as Napster, Gnutella and Kazaa, such worms install on a victim's computer and begin searching for other machines to infect immediately. Any computer that is infected with this new type of worm is probably also infected with other malicious software. Hackers may use such programs to search for passwords or other sensitive information stored on local hard drives. In such a case you've got a lot more to worry about than just a computer worm.

Q. What motivates hackers? Why my computer?

A. Previous bot programs have commandeered large networks of machines and used them to anonymously send spam, advertise pornographic Web sites and launch online "denial of service" attacks that attempt to block access to the victim's Web site (recently "MSBlast" and "MyDoom" attacked Microsoft's update site). Bots like these belong to a more recent wave that appears to use peer-to-peer technology similar to that developed for file sharing networks. Earlier programs used Internet Relay Chat (IRC), a technology similar to instant messaging, to receive their commands and accomplish the same ends. It is also possible for hackers to use these programs to harvest passwords or personal information for use in credit card fraud or identity theft.

Q. What are the symptoms? Can I repair it myself?

A. The most noticeable symptom is unusual hard drive activity. Look for excessive reading / writing to the hard drive, and HDD indicator lights remaining on while you are connected to the Internet. Also, the network activity indicators (the small computer icons next to the time on the right side of the task bar) will stay lit even when you are not opening any web pages. Other symptoms include a severe system slowdown while online. Can I repair it myself? Unfortunately, not likely. Like viruses, these programs tend to make numerous changes to core system files or system settings.
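The symptoms above can be checked more precisely than by watching an indicator light. On Windows XP and later, `netstat -ano` lists every open connection together with the process ID that owns it. The following is an added example (not code from the original article): a small script that reads that output and flags a process that is talking to many distinct remote hosts while the machine is idle, or that holds a connection to the conventional IRC port 6667 that older bots used for their commands. The sample netstat output embedded in it is constructed for the example, and the threshold of 10 remote hosts is an assumption chosen to match the observation in the test described earlier.

```python
"""Heuristic check for bot-like network activity in `netstat -ano` output.

Added example, not from the original article. It looks for the two
symptoms the article describes: a single process talking to many remote
hosts while the machine is otherwise idle, and a connection to the IRC
port that older bots used for command and control.
"""
from collections import defaultdict

# Port 6667 is the conventional IRC port. The threshold is an assumption
# chosen to match the article's "10 or more remote machines" observation.
IRC_PORTS = {6667}
PEER_THRESHOLD = 10


def parse_netstat(text):
    """Parse `netstat -ano` (Windows) output into (proto, local, remote, state, pid) tuples.

    Only TCP rows are returned: UDP rows carry no state column, and the
    header line does not start with "TCP", so both are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
            rows.append((proto, local, remote, state, int(pid)))
    return rows


def split_addr(addr):
    """Split 'host:port' into (host, port). IPv4 only, which is all the sample uses."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def find_suspicious(rows):
    """Return {pid: [reason, ...]} for processes matching either heuristic."""
    peers = defaultdict(set)  # pid -> distinct remote hosts
    irc = defaultdict(set)    # pid -> remote endpoints on an IRC port
    for proto, local, remote, state, pid in rows:
        # ESTABLISHED is live traffic; SYN_SENT is a connection attempt,
        # which is what a worm scanning for new victims produces in bulk.
        if state not in ("ESTABLISHED", "SYN_SENT"):
            continue
        host, port = split_addr(remote)
        peers[pid].add(host)
        if port in IRC_PORTS:
            irc[pid].add(remote)
    findings = {}
    for pid in set(peers) | set(irc):
        reasons = []
        if len(peers[pid]) >= PEER_THRESHOLD:
            reasons.append(f"{len(peers[pid])} distinct remote hosts")
        if irc[pid]:
            reasons.append("IRC port connection to " + ", ".join(sorted(irc[pid])))
        if reasons:
            findings[pid] = reasons
    return findings


# Constructed sample in the `netstat -ano` format. Addresses and PIDs are
# made up: PID 1520 plays the infected process, PID 2200 an ordinary browser.
SAMPLE = "\n".join(
    ["  Proto  Local Address          Foreign Address        State           PID",
     "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876",
     "  TCP    192.168.1.5:1034       203.0.113.7:6667       ESTABLISHED     1520"]
    + [f"  TCP    192.168.1.5:{1040 + i}       198.51.100.{i}:445        SYN_SENT        1520"
       for i in range(1, 13)]
    + ["  TCP    192.168.1.5:1080       192.0.2.10:80          ESTABLISHED     2200",
       "  UDP    0.0.0.0:445            *:*                                    4"]
)

if __name__ == "__main__":
    for pid, reasons in sorted(find_suspicious(parse_netstat(SAMPLE)).items()):
        print(f"PID {pid}: " + "; ".join(reasons))
```

Run it against real output by replacing `SAMPLE` with the text of `netstat -ano` captured while no browser or mail client is open; a process you do not recognise that shows up with a long list of peers is the one to investigate. The heuristic is deliberately simple: a bot can use any port, so the absence of a finding does not prove a clean machine, but a hit while the computer is idle is exactly the symptom the answer above describes.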

Note:

The current bots may be variants of an earlier program known as Agobot or Gaobot. Worms or "bots" take advantage of unpatched security flaws in popular operating systems, typically well-known vulnerabilities that earlier Internet viruses and worms have already exploited. Microsoft does promptly make patches for specific threats available at www.windowsupdate.com, but often computer users do not apply these updates. Computer owners who have kept their systems up to date are most likely not going to experience major problems.

Those who do not regularly update their software may already have a malicious program running on their computer that can make updating difficult, if not impossible. Such worms generally disable antivirus programs and/or interfere with their installation and automatic update utilities. Successive updates are normally needed, because these outbreaks often unfold in multiple waves of attacks over several weeks. Patches, however, may or may not reverse the changes such programs have made to the system, so an infected computer may remain symptomatic and vulnerable to some extent until it is professionally evaluated and repaired.