Hybrid malware spreading via USB devices

Written by John P Mello Jr on February 3, 2010 – 5:01 pm

Zimuse leverages an IQ test to infect its victims.


An oddball hybrid malware program grabbed some electronic headlines this week. The bad app combines the activity of a worm with the infectious properties of a virus. There appear to be two variants of it: Win32.Worm.Zimuse.A and Win32.Worm.Zimuse.B.

What makes the pernicious program odd is its destructive properties. These days, Black Hats tend to concentrate their efforts on programming schemes that have a cash payoff. When that’s your line of business, stealth, not havoc, is your modus operandi. Zimuse’s creators, though, don’t seem to care about monetary gain. Proliferation and mayhem appear to be their game.

Given the putative origin of the malware, it’s easy to understand why it departs from the malware mainstream. According to security experts, the black app was originally written to infect fans of a motorcycle club in the Liptov region of Slovakia. As can be the case with computer pranks, however, the malware started spreading wildly and soon began infecting corporate networks. Now badware watchers say the majority of the machines infected by the Zimuse variants are in the United States, followed by Slovakia, Thailand and Spain.

The malware is a two-trick pony. First, it infects a machine and looks for ways to propagate itself. Then, after a defined number of days, it trashes its host’s Windows operating system and cripples it.

One way Zimuse distributes itself is by compromising legitimate Web sites. It’s planted as a self-unpacking zip file that contains an IQ test. When the IQ test installs itself on a machine, it also installs the malware. The IQ test is a legitimate application and serves to obfuscate what Zimuse is doing under the compromised computer’s hood.


Conficker copycats starting to appear

Written by Dan Blacharski on April 9, 2009 – 2:47 pm

The April Fools Day Conficker scare didn’t amount to much, although that doesn’t mean that Conficker poses no danger. It’s still out there, silently spreading and perhaps collecting information, and may well become one of the biggest botnets ever, so don’t make the mistake of being lulled into a false sense of security because nothing happened on April 1.

What’s perhaps even more alarming is that there are copycats out there. The Neeris worm, which has been around for a while, has been updated to target the same MS08-067 Microsoft flaw that Conficker took advantage of. Like Conficker, Neeris downloads a copy of the worm onto the victim’s machine via HTTP, and then patches the system’s TCP/IP layer. Also like Conficker, Neeris spreads via the autorun function, and it adds an “Open folder to view files” Autoplay option.
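The autorun trick described above (an autorun.inf whose “Open folder to view files” entry actually launches the worm) is easy to spot with a small triage script. The following is an added example written for this page, not code from either worm or from the post’s author; the autorun.inf samples are constructed, the `RECYCLER\update.exe` path is a placeholder, and the scoring rules are the author’s own choices.

```python
"""Triage autorun.inf files for the AutoPlay impersonation trick.

Added example for this page (not from the post or either worm). It parses the
[autorun] section by hand, because real-world samples are often padded with
junk lines that a strict INI parser would reject.
"""
import ntpath

# Extensions that make an open=/shellexecute= target worth flagging.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".pif"}

# The genuine AutoPlay entry Windows shows for a removable drive. A malicious
# autorun.inf copies this text (or pulls it from a string resource with the
# "@file,-id" form) so the user cannot tell the two entries apart.
FOLDER_PHRASE = "open folder to view files"


def parse_autorun(text: str) -> dict:
    """Return the key/value pairs of the [autorun] section, keys lower-cased.

    Lines without '=' (comments, padding, binary junk) are ignored; if a key
    repeats, the last value wins. Section names are matched case-insensitively.
    """
    keys = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys


def _first_token(value: str) -> str:
    """Extract the program path from an open=/shellexecute= value."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def _is_executable(value) -> bool:
    if not value:
        return False
    return ntpath.splitext(_first_token(value))[1].lower() in EXEC_EXTS


def assess_autorun(text: str):
    """Return (verdict, findings) for one autorun.inf body.

    Verdict rules (chosen for this example):
      malicious  - action= impersonates the folder-open entry AND a program runs
      suspicious - a program runs, but the action label is honest or absent
      clean      - nothing is launched (icon/label only)
    """
    keys = parse_autorun(text)
    findings = []
    payload = keys.get("shellexecute") or keys.get("open")
    action = keys.get("action", "")

    mimics = FOLDER_PHRASE in action.lower() or action.startswith("@")
    if FOLDER_PHRASE in action.lower():
        findings.append("action= copies the built-in 'Open folder to view files' text")
    elif action.startswith("@"):
        findings.append("action= loads its label from a string resource instead of naming a vendor")
    if _is_executable(payload):
        findings.append(f"open=/shellexecute= launches an executable: {payload}")

    if mimics and _is_executable(payload):
        return "malicious", findings
    if _is_executable(payload):
        return "suspicious", findings
    return "clean", findings


# Constructed samples (placeholders, not artifacts from Conficker or Neeris).
MALICIOUS_SAMPLE = """[autorun]
qZxvJ9kpLmW0
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RECYCLER\\update.exe
"""

INSTALLER_SAMPLE = """[autorun]
open=setup.exe
icon=setup.ico
label=Vendor Tool
"""

CLEAN_SAMPLE = """[autorun]
icon=disk.ico
label=Photos
"""

if __name__ == "__main__":
    for name, body in [("malicious", MALICIOUS_SAMPLE),
                       ("installer", INSTALLER_SAMPLE),
                       ("clean", CLEAN_SAMPLE)]:
        verdict, findings = assess_autorun(body)
        print(f"{name:10s} -> {verdict}")
        for f in findings:
            print("   -", f)
```

The “suspicious” tier exists because a vendor installer disc legitimately uses `open=setup.exe`; what separates the worm from the installer is the impersonated AutoPlay label sitting next to the executable, so the script only calls a file malicious when both are present.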


Is the Conficker April Fool’s Update Just Hype?

Written by Dan Blacharski on March 30, 2009 – 2:49 pm

A PCWorld blog entry calls out the FUD concerning the Conficker worm and the upcoming April 1 threat, saying that it is “likely hype.”

The article quotes a security researcher who says “there will be no April 1st outbreak,” explaining that the concern revolves around a new variant of Conficker that will become active on April 1st. The researcher is correct in saying that for those who are not yet infected, nothing will happen, and if you are, the worm will update itself. But here’s where it gets a little fuzzy. The researcher says that although it is possible that the update could contain some dramatically dangerous or destructive instructions, it’s “unlikely.”

Let’s not forget though, the main watchwords of security professionals:

1. Trust no one.
2. You are not paranoid. Everybody really is out to get you.
3. Always protect against the unlikely.

Yes, it is true that there is a lot of hype about Conficker’s April Fool’s update. I even saw a report on it on Fox News. But is it just FUD? Sure, the update may not be destructive, in the sense that it’s unlikely that it would do something like wipe out your hard drive. The disseminators of Conficker have something more financially rewarding in mind. We don’t know what that is yet, and that’s the point. We need more FUD and hype about this thing to make sure everybody is aware of it, so don’t get lulled into a false sense of security by anyone claiming it to be “likely hype.”


Royal Navy Email Outage due to Virus

Written by Mike Rede on February 2, 2009 – 3:37 pm

A computer virus has disrupted communications within a major network of military importance. This time the victim was the Royal Navy. It was confirmed just over a week ago that the communications network – email and web servers included – aboard some of the Royal Navy’s warships was disrupted because of a virus.

The Ministry of Defence said that “a small number” of MoD systems had been affected by the disruption caused by the computer virus. There were reports that the virus had affected up to seventy-five percent of the Royal Navy’s fleet.

The MoD said that no classified or personal data had been compromised and that the virus had been contained and insisted that weapons and navigational systems had not been affected.

It was reported that the Navy computers infected were the NavyStar system. These computers are designed, built and supplied by Fujitsu. Fujitsu designed and built the PCs using normal commercial components but packaged them as smaller and more ruggedized for rough weather conditions encountered by the Royal Navy.
