CNN.com
COMPUTING

From Computerworld

New 'Trojan Horse' strain may go mainstream

July 1, 1999
Web posted at: 12:27 p.m. EDT (1627 GMT)

by Nancy Dillon and Ann Harrison

(IDG) -- A new variety of "Trojan Horse" that broadcasts victims' files on the Internet is making its way into the mainstream, antivirus vendors warn.

While the strain resembles the Melissa and Explore.Zip worms in using e-mail systems for self-perpetuation, it differs in its ability to broadcast information from a victim's hard drive to Internet Relay Chat (IRC) channels around the world.

An IRC channel might be described as the Internet equivalent of citizens band radio, according to experts. Hundreds of IRC channels on numerous subjects are hosted across the Internet.

"This type of virus is best for targeted attacks," said Dan Schrader, vice president of new technologies at Cupertino, Calif.-based Trend Micro Inc. "If it happens to get on the machine of someone with lots of confidential information, there are huge privacy implications."

For example, confidential company information about acquisitions, initial public offerings or income sources could end up available to anyone on the Internet, he said.

Viruses that employ IRC as a means to retrieve victims' information have been around for about two years, Schrader said. But the first to hit the mainstream -- what virus experts call moving from a laboratory to being released "into the wild" -- was the PrettyPark virus, which debuted in France earlier this month.

PrettyPark spreads itself via an e-mail attachment bearing the icon of a character from South Park, a popular cartoon series. Once opened, the virus takes sensitive system information, such as user passwords, and posts it on multiple IRC channels.

Fortunately, PrettyPark seems contained inside France because its mechanism for e-mail-based self-perpetuation isn't very good, Schrader said.

"But this is sure a sign of things to come," he warned. "And it's starting to really hit home for security professionals." According to Schrader, information technology shops have long relied on encryption and firewalls to protect highly sensitive information. But if someone gets your passwords and seems to be coming from a trusted source, encryption and firewalls can be thwarted, he said.

Schrader said the best defense against Trojan Horse e-mail viruses is end-user education -- and, of course, updated virus-scanning software. Companies should also consider developing broad policies related to e-mail attachments. For instance, companies might consider banning attachments containing macros.

"Everyone needs to think before opening attachments," advised Richard Jacobs, president of Sophos Inc., a data security company in Woburn, Mass. "Viruses can't exist in the text of an e-mail, so they don't get the chance to operate unless they're launched."

This attack can put corporations at risk because telecommuters often fail to regularly update their antivirus software, said Sal Viveros, group marketing manager for total virus defense at Network Associates Inc. (NAI) in Santa Clara, Calif.

"As more and more people telecommute, that is the hardest group to keep updated and control [via] security policies [given that] remote users don't necessarily log in every day," Viveros said. NAI's Enterprise SecureCast technology pushes updates of the company's antivirus software such as VirusScan and CyberCop to users' desktops when they log on to company networks.

"If you have a valuable asset on your laptop or home machine, you should be worried about this attack," said Fred Rica, a partner at Deloitte & Touche's attack and penetration service line.

Information technology managers should be concerned. Viveros said there's a growing number of remote access Trojan programs sent via e-mail that can open the backdoor to a user's PC and gather log-ins and passwords to company intranets. "It is much easier to get a remote access Trojan into a company than break down a firewall," Viveros said.

PrettyPark enters a user's system as a Trojan horse when Windows users open an attached e-mail file named PrettyPark. Unknown to users, the worm connects their PC to a custom IRC channel when they are logged on to a remote server while surfing the Web or reading e-mail.

Once the PC is connected to the IRC channel, the creator of the custom channel or his robot program can download the victim's files, passwords, log-in data, operating system preferences and other personal information -- including stored credit-card numbers.

PrettyPark also sends duplicate files of itself to the e-mail addresses listed in the user's Internet address book. Antivirus software firms say they're trying to determine who's collecting this information.

The worm has mostly attacked home users, who are less likely to update antivirus software or use firewalls that block IRC traffic, according to Carey Nachenberg, chief researcher at Symantec Corp.'s antivirus research center in Cupertino, Calif.


© 2001 Cable News Network. All Rights Reserved.