Malware made in China


Johannesburg, 07 Dec 2007

Organisations are being reminded of the importance of properly securing their computer networks, following news reports this week that British firms have been warned by the UK security service MI5 of the threat posed by Chinese hackers, says Brett Myroff, CEO of Netxactics.

According to a report in The Times, MI5 sent a confidential letter to banks, accountants and law firms warning that they are under attack from "Chinese state organisations", he says.

"Sophos noted earlier this year that 30% of all malware is now written in China, most of it taking the form of Trojans used for gaining a backdoor into users' computers," Myroff adds.

"Surprisingly, Sophos also revealed that 17% of the malicious code written in China is not designed to steal confidential information from businesses, but to phish passwords from online gamers."

IRC backdoor

Also raising some concern this week is the W32/Sdbot-DJE worm, a network and IRC backdoor for the Windows platform, explains Myroff.

The W32/Sohana-AP worm is also affecting Windows users and is spreading via network shares and chat programs, he says.

According to Myroff, W32/Sohana-AP will attempt to spread via Yahoo Messenger by sending the following messages, each carrying a link to a malicious Web site, to contacts in the user's friends list:

"This is my new Picture. :P "
"Beauty Nude pics. ;) "
"Britney Spear is in nude. :D "
"I think, you are interested in this information. ;)"
"Nothing is free, me too. :)"
"Total is good for you. ;)"
"Careful! Virus warning, how to clean it. x-("
"New special Paris Hilton video. :D"
"Youtube bed room star, show her solo action. ;)"
"Bin Laden is still alive. x-("

"W32/Sohana-AP includes functionality to access the Internet and communicate with a remote server via HTTP and download, install and run new software," says Myroff.

Name your poison

The Troj/Poison-N Trojan has also been detected. It affects the Windows OS and allows others to access the computer. Its aliases include Backdoor:Win32/Poison.gen!A, Backdoor.Win32.PoisonIvy.g and SPR/RAdmin.Poison.B, says Myroff.

A backdoor Trojan, it copies itself to <System>ahmed.exe and creates the file <System>ahmed when first run. A registry entry is created to run ahmed.exe on start-up. Troj/Poison-N injects itself into a hidden instance of IEXPLORE.EXE.
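The three host-level indicators described above (the dropped files, the start-up registry entry and the hidden IEXPLORE.EXE host) can be checked with a short script. This is an added example, not code from the article or from Sophos; it assumes <System> is %SystemRoot%\System32 and that the start-up entry lives in one of the standard Run keys (the article names neither the key nor the value, so the script matches on "ahmed.exe" in the value data).

```powershell
# Added example: look for the Troj/Poison-N indicators the article lists.
# Assumptions: <System> = %SystemRoot%\System32; persistence is in a standard
# Run key; the registry value name is unknown, so match on the data instead.
$findings = @()

# 1. Dropped files: <System>ahmed.exe and <System>ahmed
$sys = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'ahmed.exe', 'ahmed') {
    $p = Join-Path $sys $name
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# 2. Start-up persistence: any Run value whose data references ahmed.exe
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
        if ("$($prop.Value)" -match 'ahmed\.exe') {
            $findings += "run entry: $key\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 3. Injection host: iexplore.exe running without a visible window
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object { $findings += "hidden iexplore.exe: PID $($_.Id)" }

if ($findings.Count -eq 0) { 'No Troj/Poison-N indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The window-handle test is only a heuristic: a legitimate Internet Explorer process can briefly report no main window, so treat that finding as a lead to confirm with the file and registry checks rather than as proof on its own.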

Furthermore, Troj/Ambler-A is a spyware Trojan that attempts to steal passwords. It affects Windows, and its additional side-effects include downloading code from the Internet, recording keystrokes, and installing itself in the registry, says Myroff.

"The Troj/Bancodo-AK Trojan is also making the rounds and has been detected under the aliases of Trojan-Spy.Win32.Banker.dfz and PWS-Banker Trojan."

It includes functionality to access the Internet and communicate with a remote server via HTTP and send notification messages to remote locations, explains Myroff.

"Regardless of where an attack may be originating, businesses need to ensure they are properly defended against the latest spate of Trojans attempting to gain backdoor entry into users' computers. Up-to-date anti-virus software, firewalls and security patches are a must, but proactive protection against zero-day attacks and network access control are becoming that much more invaluable," Myroff concludes.