[ISN] Anti-Virus Board Gets Sick

From: InfoSec News (isnat_private)
Date: Thu Jun 21 2001 - 02:17:43 PDT


    By Brian McWilliams 
    2:00 a.m. June 20, 2001 PDT  
    For the past four weeks, a Windows-based Trojan program dubbed
    NewsFlood has been swamping some Internet discussion groups with a
    heavy stream of bogus child pornography advertisements.
    The attack is the Usenet equivalent of a denial-of-service attack. It
    doesn't destroy files on the victims' PCs and is not designed to
    automatically infect other systems.
    But NewsFlood can ruin the signal-to-noise ratio of an online
    discussion group with its ads, which invite readers to visit three
    pornography sites and carry subject lines such as "Girls of 13-16"
    and "12-15 yo. girls on nudie webcam."
    And in a bit of an ironic twist, one of the 11 newsgroups targeted is
    alt.comp.virus (ACV) -- a popular resource of virus information for PC
    users, virus writers and anti-virus software professionals.
    Like fans of most unmoderated Usenet newsgroups, ACV participants have
    learned to tolerate a good layer of spam marbled into their favorite
    Internet discussions. But this has been a little much.
    "(ACV) is quickly eroding into a non-source," said Mary Landesman,
    product marketing manager for In Defense and editor of the anti-virus
    software site at About.com. "It used to be the first place I checked
    for info. Now it's a dreaded last resort."
    Other newsgroups with their addresses hard-coded into the program's
    source include two hacking discussion groups, alt.2600 and
    alt.hackers.malicious. Also listed in the NewsFlood source are
    alt.politics.bush and alt.religion.scientology.
    Stephen Gielda, president of security information company PacketDerm
    LLC, received a copy of the program last week by e-mail from an
    anonymous sender. After studying the code, which arrived in the form
    of a 28KB file named StartMenu.exe, Gielda posted an analysis of its
    workings to some of the affected newsgroups on Saturday and also
    provided copies of the code to anti-virus software vendors.
    Gielda said the code included no clues as to the identity of the
    program's authors or to their motivation in writing the program.
    Jesus Sardinas, the operator of GlobalPix -- one of the pornography
    sites touted by the program -- insisted that he had no connection to
    NewsFlood's author, and that his service does not include child
    "I am very interested in knowing who is wasting their time advertising
    my site. I do not have any partner programs or click-through programs,
    so whoever is doing this is definitely not making any money from me,"
    Sardinas said.
    He reported that complaints from newsgroup users caused GlobalPix's
    Internet service provider, EarthLink Network, to shut down the
    GlobalPix site for 36 hours until Sardinas could convince the company
    he was not responsible for the spam.
    According to Nick FitzGerald, an anti-virus researcher and regular
    contributor to alt.comp.virus who has studied the source code to
    NewsFlood, the program appears to have infected an undetermined number
    of users and is silently commandeering their computers and newsgroup
    accounts to create the porn-spam flood.
    FitzGerald said the Trojan randomly generates legitimate-looking
    return e-mail addresses, organization names and message subject lines
    from a list. It also carefully words the messages to avoid detection
    by simple filtering systems.
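    The evasion FitzGerald describes (a fresh From:, Organization: and
    Subject: for every post, drawn from lists) defeats per-sender
    filters, but it leaves the one thing the flood exists to deliver
    unchanged: the advertised URLs in the body. The script below, an
    added example and not code from the article, from Gielda's analysis
    or from the Trojan itself, turns that into a detector: it clusters
    NNTP-style articles by a fingerprint of the URLs in the body and
    flags clusters posted under implausibly many distinct identities.
    The sample articles, sender names and example.com/.org/.net URLs are
    constructed for the demonstration; only the newsgroup names come
    from the article.

```python
"""Flag a NewsFlood-style Usenet flood from article headers and bodies.

Added example, not the Trojan's code or the article's. The Trojan
randomises From:, Organization: and Subject: per message; the URLs it
advertises stay constant, so cluster on those and count identities.
"""
import hashlib
import re
from collections import defaultdict
from email import message_from_string

# Newsgroups the article reports as hard-coded in the Trojan's source.
TARGET_GROUPS = {"alt.comp.virus", "alt.2600", "alt.hackers.malicious",
                 "alt.politics.bush", "alt.religion.scientology"}

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)


def body_fingerprint(body: str) -> str:
    """Hash the body reduced to its sorted, normalised URLs, so random
    filler words or punctuation around the links do not change it."""
    urls = sorted(u.lower().rstrip(".,)!") for u in URL_RE.findall(body))
    return hashlib.sha256("\n".join(urls).encode()).hexdigest()[:16]


def parse_articles(raw: str) -> list:
    """Split a batch of articles separated by a line holding only '.'
    (as an NNTP client would see them) into (headers, body) pairs."""
    articles = []
    for chunk in raw.split("\n.\n"):
        chunk = chunk.strip("\n")
        if chunk:
            msg = message_from_string(chunk)
            articles.append((msg, msg.get_payload()))
    return articles


def flood_clusters(articles, min_posts=3, min_senders=3) -> dict:
    """Group articles by URL fingerprint; flag groups with enough posts
    from enough distinct senders to look like a flood, not a thread."""
    clusters = defaultdict(lambda: {"posts": 0, "froms": set(),
                                    "orgs": set(), "groups": set()})
    for msg, body in articles:
        if not URL_RE.search(body):
            continue  # nothing advertised, so not the pattern we want
        c = clusters[body_fingerprint(body)]
        c["posts"] += 1
        c["froms"].add(msg.get("From", "").lower())
        c["orgs"].add(msg.get("Organization", "").lower())
        c["groups"].update(g.strip() for g in
                           msg.get("Newsgroups", "").split(","))
    flagged = {}
    for fp, c in clusters.items():
        if c["posts"] >= min_posts and len(c["froms"]) >= min_senders:
            flagged[fp] = {
                "posts": c["posts"],
                "distinct_senders": len(c["froms"]),
                "distinct_orgs": len(c["orgs"]),
                "hits_target_groups": sorted(c["groups"] & TARGET_GROUPS),
            }
    return flagged


# Constructed sample: three flood posts with rotated identities and
# subjects but the same two advertised URLs, plus a genuine two-post
# thread from one researcher that also happens to contain a link.
SAMPLE_ARTICLES = """\
From: rwalker@example.net
Organization: Walker Consulting
Newsgroups: alt.comp.virus,alt.2600
Subject: new site launched

check it out http://ads.example.com/a and http://ads.example.com/b
.
From: jpeters@example.org
Organization: Peters and Sons
Newsgroups: alt.comp.virus
Subject: you will like this one

great content http://ads.example.com/b !!! http://ads.example.com/a
.
From: mchen@example.com
Organization: Chen Holdings
Newsgroups: alt.religion.scientology,alt.politics.bush
Subject: take a look

http://ads.example.com/a - http://ads.example.com/b - new today
.
From: nick@example.org
Organization: AV research
Newsgroups: alt.comp.virus
Subject: NewsFlood analysis

My writeup is at http://research.example.org/newsflood
.
From: nick@example.org
Organization: AV research
Newsgroups: alt.comp.virus
Subject: Re: NewsFlood analysis

Updated: http://research.example.org/newsflood
.
"""


def analyze_sample() -> dict:
    """Run the detector over the constructed batch."""
    return flood_clusters(parse_articles(SAMPLE_ARTICLES))


if __name__ == "__main__":
    for fp, info in analyze_sample().items():
        print(fp, info)
```

    The thresholds are deliberately loose for the five-article sample;
    on a real feed they would be set per day and per newsgroup, and the
    fingerprint could also include the body with whitespace and digits
    stripped, which catches floods that rotate URLs but keep the copy.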
    Ian Hammeroff, a spokesperson for Computer Associates, said the
    anti-virus software firm has not received any infection reports
    directly from users and considers NewsFlood to be a low risk, because
    it is not self-propagating and because it only affects Internet
    newsgroups. The firm is nonetheless adding detection for NewsFlood to
    all of its products.
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private
