funsec mailing list archives

New computer virus attacks biz networks


From: "'Richard M. Smith'" <rms () computerbytesman com>
Date: Thu, 1 Mar 2007 11:49:24 -0500

http://money.cnn.com/2007/03/01/news/companies/virus/index.htm?cnn=yes

 

New computer virus attacks biz networks

Technology security firm warns the latest strains of the RINBOT or DELBOT
virus are starting to multiply rapidly.

By Parija B. Kavilanz, CNNMoney.com
staff writer

March 1 2007: 11:28 AM EST

 

NEW YORK (CNNMoney.com) -- A disgruntled hacker with a personal grudge
against Symantec, which provides anti-virus software to leading Fortune 500
companies, could be behind a new, crippling computer virus that's already
hit divisions of at least one big U.S. corporation on Thursday. 

If it spreads, technology experts warn the latest strains of the insidious
RINBOT computer virus could hijack network systems of businesses worldwide.

New strains

Graham Cluley, senior technology consultant with Boston-based IT security
firm Sophos, said his company has been aware of "a number" of new versions
of the RINBOT or DELBOT virus produced since Feb. 15.

"We believe this latest strain is the 7th version of RINBOT which first
emerged in March 2005," Cluley said.

According to Cluley, this version is designed to exploit security
vulnerabilities embedded in anti-virus software. 

"Traditionally hackers always went after Microsoft's anti-virus programs.
But now they're increasingly targeting other commonly used programs such as
Symantec programs and others," he said.

Cluley said this strain appears to be hitting MS SQL servers. It looks for
networks that run the Microsoft
Windows operating system, including Windows 2000, Windows 95, Windows 98,
Windows Me, Windows NT and Windows XP. It then spreads through the network
by manipulating "weak" spots such as simple passwords.

Getting hijacked

Once it's in, Cluley said the virus quickly spreads and takes over many
computers with the intention of turning the network into a botnet, or a
"zombie" network.

"Without you knowing it, hackers will use your computer for a variety of
purposes like sending out spam, or distributing denial of service attacks,
or even blackmailing other Web sites. There was a case where hackers
blackmailed a gambling site and said they would bring down the site for a
few days unless they were paid thousands of dollars," Cluley said.

Cluley warned that the virus is not geographically limited. "It's very
stealthy and insidious and works without you knowing it," he said.

One company affected by the virus is Turner Broadcasting, which is a
division of Time Warner, and the
parent company of CNN and CNNMoney.com.

Thomas Parsons, an IT specialist with
Symantec, confirmed
to CNNMoney.com that the most recent variants of RINBOT have targeted
Symantec's anti-virus programs that include its Norton security products.

"We're not sure what the motivation is, but we are aware of a hacker that
has been adding his own commands into the strain," Parsons said. Using those
codes, Parsons said the hacker has let it be known that he wasn't happy
that Symantec was calling the virus RINBOT.

Regarding the network issues facing Time Warner on Thursday, Parsons said he
believed it was an isolated incident, since Symantec had not received
complaints from any of its other corporate clients.

"We also believe that Time Warner was not impacted by RINBOT but by a
variant of the SPYBOT virus called W32.SPYBOT," he said. "This is a
particularly nasty virus which overlaps with what RINBOT does and it also
exploits a whole pile of vulnerabilities in Microsoft and Symantec."

 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
