Posts Tagged ‘worm’
Hybrid malware spreading via USB devices
Written by John P Mello Jr on February 3, 2010 – 5:01 pm
Zimuse leverages an IQ test to infect its victims.
An oddball hybrid malware program grabbed some electronic headlines this week. The bad app combines the activity of a worm with the infectious properties of a virus. There appear to be two variants of it: Win32.Worm.Zimuse.A and Win32.Worm.Zimuse.B.
What makes the pernicious program queer is its destructive properties. These days, Black Hats tend to concentrate their efforts on programming schemes that have a cash payoff. When that’s your line of business, stealth, not havoc, is your modus operandi. Zimuse’s creators, though, don’t seem to care about monetary gain. Proliferation and mayhem appear to be their game.
Given the putative origin of the malware, it’s easy to understand why it departs from the malware mainstream. According to security experts, the black app was originally written to infect fans of a motorcycle club in the Liptov region of Slovakia. As can be the case with computer pranks, however, the malware started spreading wildly and soon began infecting corporate networks. Now badware watchers say the majority of the machines infected by the Zimuse variants are in the United States, followed by Slovakia, Thailand and Spain.
The malware is a two-trick pony. First, it infects a machine and looks for ways to propagate itself. Then, after a defined number of days, it trashes its host’s Windows operating system and cripples it.
One way Zimuse distributes itself is by compromising legitimate Web sites. It’s planted as a self-unpacking zip file that contains an IQ test. When the IQ test installs itself on a machine, it also installs the malware. The IQ test is a legitimate application and serves to obfuscate what Zimuse is doing under the compromised computer’s hood.
New attack breaks CAPTCHA, creates bogus Gmail accounts
Written by Dan Blacharski on April 27, 2009 – 4:21 pm
This week, a Vietnamese security company reported discovery of a new worm, named W32.Gaptcha.Worm, which breaks Google’s CAPTCHA, and then automatically creates multiple random Gmail accounts which are then used for distributing spam.
The attack sends the new Gmail accounts out to hackers, who use them until Gmail blocks the IP address of the infected machine. According to the report, if your computer becomes infected, you will see Internet Explorer launch itself, and then the Gmail account registration process takes place, with the worm automatically filling in random names and numbers to manufacture a bogus user. The worm is able to circumvent Google’s CAPTCHA system by sending the CAPTCHA image to a remote server, where it is broken. Gmail will later block your computer, preventing you from signing up for any new legitimate Gmail accounts.
The blog entry that highlights the discovery doesn’t specify, however, just how the CAPTCHA is broken once it has been sent to the remote server. It is believed that some spammers actually use low-tech means, sometimes even employing low-cost laborers in third world countries to decode CAPTCHAs by the thousand, by hand.
The company discovered the worm in a honeypot trap.
Conficker copycats starting to appear
Written by Dan Blacharski on April 9, 2009 – 2:47 pm
The April Fools Day Conficker scare didn’t amount to much, although that doesn’t mean that Conficker poses no danger. It’s still out there, silently spreading and perhaps collecting information, and may well become one of the biggest botnets ever–so don’t make the mistake of being lulled into a false sense of security because nothing happened on April 1.
What’s perhaps even more alarming is that there are copycats out there. The Neeris worm, which has been around for a while, has been updated to target the same MS08-067 Microsoft flaw that Conficker took advantage of. Like Conficker, Neeris downloads a copy of the worm onto the victim’s machine via HTTP, and then patches the system’s TCP/IP layer. Also like Conficker, Neeris spreads via the autorun function, and it adds an “Open folder to view files” Autoplay option.
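As an added illustration of the autorun vector described above (not code from the original post or from any vendor), here is a defensive check that parses an `autorun.inf` found on removable media and flags entries that launch a program, including one whose Autoplay label imitates “Open folder to view files”. The sample file contents and `example.exe` are constructed for the example, and skipping junk lines is an assumption about how such files may be padded.

```python
import re

# Keys in an [autorun] section that make Windows run, or offer to run, a program.
EXEC_KEYS = ("open", "shellexecute")
# Label of the genuine Explorer Autoplay entry that the spoofed option imitates.
SPOOFED_LABEL = "open folder to view files"

def parse_autorun(raw: bytes) -> dict:
    """Return lower-cased key -> value pairs of the [autorun] section.

    Lines that are not 'key=value' are skipped, so junk padding between
    real entries does not hide them from the check.
    """
    entries, in_section = {}, False
    text = raw.decode("latin-1")  # never raises, so junk bytes are harmless
    for line in re.split(r"[\r\n\x00]+", text):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def findings(raw: bytes) -> list:
    """List reasons an autorun.inf from removable media deserves review."""
    entries = parse_autorun(raw)
    out = []
    for key, value in entries.items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            out.append(f"runs a program: {key}={value}")
    action = entries.get("action", "")
    # A folder-style label is only suspicious when something is actually launched.
    if out and SPOOFED_LABEL in action.lower():
        out.append(f"Autoplay label imitates the folder entry: {action!r}")
    return out

# Constructed samples, not taken from a real infection.
SAMPLE = (b"\x8f\x11junk\r\n[AutoRun]\r\n;pad\r\nqz9!!\r\n"
          b"Action=Open folder to view files\r\n"
          b"Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
          b"ShellExecute=example.exe\r\n"
          b"UseAutoPlay=1\r\n")
BENIGN = b"[autorun]\r\nicon=setup.ico\r\nlabel=Backup Drive\r\n"

if __name__ == "__main__":
    for reason in findings(SAMPLE):
        print(reason)
```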


