Information Security News mailing list archives

Anti-Virus Board Gets Sick


From: InfoSec News <isn () c4i org>
Date: Thu, 21 Jun 2001 04:17:43 -0500 (CDT)

http://www.wired.com/news/infostructure/0,1377,44611,00.html

By Brian McWilliams 
2:00 a.m. June 20, 2001 PDT
For the past four weeks, a Windows-based Trojan program dubbed
NewsFlood has been swamping some Internet discussion groups with a
heavy stream of bogus child pornography advertisements.

The attack is the Usenet equivalent of a denial-of-service attack. It
doesn't destroy files on the victims' PCs and is not designed to
automatically infect other systems.

But NewsFlood can ruin the signal-to-noise ratio of an online
discussion group with its ads, which invite readers to visit three
pornography sites and carry subject lines such as "Girls of 13-16"
and "12-15 yo. girls on nudie webcam."

And in a bit of an ironic twist, one of the 11 newsgroups targeted is
alt.comp.virus (ACV) -- a popular resource of virus information for PC
users, virus writers and anti-virus software professionals.

Like fans of most unmoderated Usenet newsgroups, ACV participants have
learned to tolerate a good layer of spam marbled into their favorite
Internet discussions. But this has been a little much.

"(ACV) is quickly eroding into a non-source," said Mary Landesman,
product marketing manager for In Defense and editor of the anti-virus
software site at About.com. "It used to be the first place I checked
for info. Now it's a dreaded last resort."

Other newsgroups with their addresses hard-coded into the program's
source include two hacking discussion groups, alt.2600 and
alt.hackers.malicious. Also listed in the NewsFlood source are
alt.politics.bush and alt.religion.scientology.

Stephen Gielda, president of security information company PacketDerm
LLC, received a copy of the program last week by e-mail from an
anonymous sender. After studying the code, which arrived in the form
of a 28KB file named StartMenu.exe, Gielda posted an analysis of its
workings to some of the affected newsgroups on Saturday and also
provided copies of the code to anti-virus software vendors.

Gielda said the code included no clues as to the identity of the
program's authors or to their motivation in writing the program.

Jesus Sardinas, the operator of GlobalPix -- one of the pornography
sites touted by the program -- insisted that he had no connection to
NewsFlood's author, and that his service does not include child
pornography.

"I am very interested in knowing who is wasting their time advertising
my site. I do not have any partner programs or click-through programs,
so whoever is doing this is definitely not making any money from me,"
Sardinas said.

He reported that complaints from newsgroup users caused GlobalPix's
Internet service provider, EarthLink Network, to shut down the
GlobalPix site for 36 hours until Sardinas could convince the company
he was not responsible for the spam.

According to Nick FitzGerald, an anti-virus researcher and regular
contributor to alt.comp.virus who has studied the source code to
NewsFlood, the program appears to have infected an undetermined number
of users and is silently commandeering their computers and newsgroup
accounts to create the porn-spam flood.

FitzGerald said the Trojan randomly generates legitimate-looking
return e-mail addresses, organization names and message subject lines
from a list. It also carefully words the messages to avoid detection
by simple filtering systems.
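The randomised From:, Organization: and Subject: headers described above defeat filters keyed on the sender, but a flood of this kind still has to carry the same payload in every post: the advertised sites. The following is an added example (not code from the article, from NewsFlood, or from any of the researchers quoted) of a detector that clusters articles by the hostnames in their bodies and flags a cluster whose posts come from an implausible number of distinct senders. The sample articles, the hostnames and the thresholds (three posts, 80% distinct senders) are constructed for illustration.

```python
"""Cluster Usenet articles by advertised hosts, ignoring randomised headers.

Added example for the NewsFlood article; all data below is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def article(sender: str, org: str, subject: str, group: str, body: str) -> str:
    """Build a minimal RFC 1036-style article (headers, blank line, body)."""
    return (f"From: {sender}\nOrganization: {org}\nSubject: {subject}\n"
            f"Newsgroups: {group}\n\n{body}")


# Constructed sample feed: four flood posts with randomised From:,
# Organization: and Subject: but the same two advertised hosts, three
# legitimate posts from one regular whose signature links her own site,
# and one post with no URL at all.
SAMPLE_ARTICLES: List[str] = [
    article("kim.lee@ispone.example", "Lee Consulting", "new pics posted",
            "alt.comp.virus",
            "Fresh set up now at http://ad-site-one.example/ plus "
            "http://ad-site-two.example/ - enjoy"),
    article("r.patel@mailbox.example", "Patel & Sons", "you asked for it",
            "alt.2600",
            "Y o u asked: http://AD-SITE-ONE.example/ and "
            "http://ad-site-two.example/."),
    article("m.ortiz@webmail.example", "Ortiz Media", "n e w  s i t e",
            "alt.comp.virus",
            "See http://ad-site-two.example and http://ad-site-one.example."),
    article("t.nguyen@example-isp.example", "Nguyen Holdings",
            "check this out", "alt.2600",
            "Don't miss http://ad-site-one.example/ ... "
            "http://ad-site-two.example/ ..."),
    article("alice@example.org", "Example Org", "Re: is this a virus?",
            "alt.comp.virus",
            "Looks like a dropper. Notes at http://www.example.org/notes"),
    article("alice@example.org", "Example Org", "Re: is this a virus?",
            "alt.comp.virus",
            "Update: strings suggest Delphi. http://www.example.org/notes"),
    article("alice@example.org", "Example Org", "Re: heuristics",
            "alt.comp.virus", "Agreed, see http://www.example.org/notes"),
    article("bob@example.net", "-", "ACV FAQ?", "alt.comp.virus",
            "Where is the FAQ these days?"),
]


def parse_article(raw: str) -> Tuple[Dict[str, str], str]:
    """Split an article into a lower-cased header dict and its body."""
    head, _, body = raw.partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def fingerprint(body: str) -> str:
    """Key a post by the hosts it advertises; fall back to letters-only text.

    Case, spacing and punctuation tricks in the body do not change the key,
    and nothing from the headers is used, so randomised From:/Organization:
    /Subject: values have no effect on clustering.
    """
    hosts = sorted({h.lower().rstrip(".") for h in HOST_RE.findall(body)})
    if hosts:
        return "hosts:" + ",".join(hosts)
    return "text:" + re.sub(r"[^a-z]", "", body.lower())


def find_floods(articles: List[str], min_posts: int = 3,
                min_sender_ratio: float = 0.8) -> List[Dict[str, object]]:
    """Flag clusters of near-identical payload posted under many senders.

    A regular who links the same page from several posts yields one sender
    per cluster and is not flagged; a flood that invents a new sender for
    every post is.  Thresholds are illustrative assumptions.
    """
    clusters: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for raw in articles:
        headers, body = parse_article(raw)
        clusters[fingerprint(body)].append(headers)

    floods = []
    for key, posts in clusters.items():
        if len(posts) < min_posts:
            continue
        senders = {p.get("from", "") for p in posts}
        if len(senders) / len(posts) >= min_sender_ratio:
            floods.append({
                "fingerprint": key,
                "posts": len(posts),
                "distinct_senders": len(senders),
                "distinct_orgs": len({p.get("organization", "") for p in posts}),
                "newsgroups": sorted({p.get("newsgroups", "") for p in posts}),
            })
    return floods


if __name__ == "__main__":
    for flood in find_floods(SAMPLE_ARTICLES):
        print(flood)
```

On a real feed the cluster key would be built from a sliding time window of articles rather than a static list, and the hostnames in a flagged cluster can be fed straight into a scoring or cancel rule; the point is that the heuristic is keyed on what the spammer cannot randomise without losing the advertisement.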

Ian Hammeroff, a spokesperson for Computer Associates, said the
anti-virus software firm has not received any infection reports
directly from users and considers NewsFlood to be a low risk, because
it is not self-propagating and because it only affects Internet
newsgroups. The firm is nonetheless adding detection for NewsFlood to
all of its products.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.