New malware trojan tries to change your router settings.

If you’ve never gotten around to changing the default password on your home Internet router, and there’s a lot of you who haven’t, then you should go change it right now.  There’s a new trojan making the rounds that’s really bad news:

A new Trojan horse masquerading as a video “codec” required to view content on certain Web sites tries to change key settings on the victim’s Internet router so that all of the victim’s Web traffic is routed through servers controlled by the attackers.

According to researchers contacted by Security Fix, recent versions of the ubiquitous “Zlob” Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim’s domain name system (DNS) records so that all future traffic passes through the attacker’s network first. DNS can be thought of as the Internet’s phone book, translating human-friendly names like into numeric addresses that are easier for networking equipment to handle.

[…] The type of functionality incorporated into this version of the Zlob Trojan is extremely concerning for a number of reasons. First, Zlob is among the most common types of Trojan downloaded onto Windows machines. According to Microsoft, the company’s malicious software removal tool zapped some 14.3 million instances of Zlob-related malware from customer machines in the second half of 2007.

The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think to look to the router settings, provided the customer’s Internet connection is functioning fine.

Checking router settings is certainly not one of the things I think to do when cleaning up an infected machine, as this is a first as far as anyone knows. You can bet it’ll be something I consider looking at from now on, especially if I know the user in question doesn’t know anything about DNS. You should always change the default password on your router along with, if possible, the username of the administrator account itself. Attackers no longer need physical access to your machine to attack your router.
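A quick way to do that post-cleanup router check is to compare the DNS resolvers a machine is actually using against the ones the router should be handing out. The script below is an added example, not code from the original post or from any of the researchers quoted; it parses a resolv.conf-style file (the `nameserver` lines you get on Linux/macOS, or any text you paste in that shape) and flags any resolver outside an allowlist. The allowlist and the sample config are assumptions constructed for the example: 192.168.1.1 stands in for the router, 198.51.100.0/24 for the ISP’s resolver range, and 203.0.113.5 for a resolver an attacker pushed via a changed router setting.

```python
"""Flag DNS resolvers that don't match what the home router should be handing out.

Added example, not from the original post. The input is resolv.conf-style
text; EXPECTED_RESOLVERS is an assumption you replace with your own router
address and your ISP's published resolvers.
"""
import ipaddress
import re
import sys

# Constructed sample: a resolver config after a DNSChanger-style router
# compromise. The router (192.168.1.1) is still listed, but a second resolver
# points off the LAN and outside the ISP's range. Addresses are TEST-NET
# placeholders, not real infrastructure.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from eth0
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.5
"""

# Assumed allowlist for this example: the router itself plus an ISP range.
EXPECTED_RESOLVERS = ["192.168.1.1", "198.51.100.0/24"]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(text):
    """Return the nameserver addresses found in resolv.conf-style text, in order.

    Lines whose argument is not a valid IP literal are skipped rather than
    raising, so a stray comment or hostname doesn't abort the check.
    """
    servers = []
    for match in NAMESERVER_RE.finditer(text):
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
    return servers


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return, as strings, every configured resolver not covered by `expected`.

    `expected` may mix single addresses and CIDR networks; a single address
    is treated as a /32 (or /128). IPv4/IPv6 mismatches simply don't match.
    """
    allowed = [ipaddress.ip_network(entry, strict=False) for entry in expected]
    return [
        str(server)
        for server in parse_nameservers(text)
        if not any(server in net for net in allowed)
    ]


def main(path=None):
    """Check a file (default: /etc/resolv.conf) or the built-in sample."""
    if path is None and not sys.platform.startswith("win"):
        path = "/etc/resolv.conf"
    try:
        with open(path) as fh:
            text = fh.read()
    except (TypeError, OSError):
        print("Using constructed sample config")
        text = SAMPLE_RESOLV_CONF
    bad = unexpected_resolvers(text)
    if bad:
        print("Resolvers outside the expected set (check the router's DNS/DHCP page):")
        for addr in bad:
            print("  ", addr)
    else:
        print("All configured resolvers are in the expected set")
    return bad


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

The host’s resolver list is only a symptom; the setting to actually verify is the one on the router’s own admin page (WAN DNS and DHCP options), since a compromised router will keep handing out the attacker’s resolvers to every freshly cleaned machine. On Windows the same comparison works against the “DNS Servers” lines of `ipconfig /all`, which this script does not parse.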

Chinese malware threat uses digital picture frames to hide.

Once it became clear that there was big money to be made in malware it was only a matter of time before it started getting really sophisticated and some of the worst of the worst are being developed in China:

Virus from China the gift that keeps on giving

An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games – and its designers might have larger targets in mind.

“It is a nasty worm that has a great deal of intelligence,” said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse.

The virus, which Computer Associates calls Mocmex, recognizes and blocks antivirus protection from more than 100 security vendors, as well as the security and firewall built into Microsoft Windows. It downloads files from remote locations and hides files, which it names randomly, on any PC it infects, making itself very difficult to remove. It spreads by hiding itself on photo frames and any other portable storage device that happens to be plugged into an infected PC.

The authors of the new Trojan Horse are well-funded professionals whose malware has “specific designs to capture something and not leave traces,” Grayek said. “This would be a nuclear bomb” of malware.

In fact quite a few people found themselves infected with this and several other trojans after plugging in digital picture frames they got for Christmas:

The initial reports of infected frames came from people who had bought them over the holidays from Sam’s Club and Best Buy. New reports involve frames sold at Target and Costco, according to SANS, a group of security researchers in Bethesda, Md., who began asking for accounts of infected devices on Christmas Day. So far the group has collected more than a dozen complaints from people across the country.

The new Trojan isn’t the only piece of malware involved. Deborah Hale of SANS said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets – networks of infected PCs that are remotely controlled by hackers.

There’s at least one part of this article that I’m sure will delight owners of Macs and Linux based PCs:

Deborah Hale at SANS suggested that PC users find friends with Macintosh or Linux machines and have them check for malware before plugging any device into a PC.

Let the gloating begin.

Things are likely to get worse before they get better as the malware authors are pumping out new code at a pace fast enough that the anti-virus companies are having trouble keeping up. According to Prevx there are already 67,500 variants of the trojan talked about in the article. Right now it appears this trojan only steals passwords to some MMORPGs, but it’s thought that it’s a test run in preparation for something more insidious.

IBM Internet Security System’s X-Force annual report is out.

The folks over at have a summary of IBM’s latest annual report on the state of security and malware threats which you should read:

Annual IBM security report paints worrisome picture for 2008

IBM Internet Security System’s X-Force has released its annual report (PDF) on malware trends and statistics from last year. 2007 saw some significant changes in malware distribution, and there’s reason to think that some of these shifts mark the beginning of new attack patterns rather than small abnormalities. The following are some of the highlights from the report:

  • Reported vulnerabilities in 2007 were down five percent compared to 2006, but the number of those vulnerabilities that were classified as severe rose by 28 percent.
  • Microsoft, Apple, Oracle, IBM, and Cisco reported the most vulnerabilities, but collectively account for only 13.6 percent of all reported vulnerabilities.
  • 90 percent of the 2007 vulnerabilities were exploitable from a remote location, up 1 percent from 2006
  • Most in-the-wild exploits are being generated by web toolkits. Prevalence of these toolkits has risen dramatically since they appeared in 2006.

There are a couple of things in the report that stood out to me. The first is that, contrary to what most people seem to believe, Microsoft products aren’t miles away worse in terms of security than those of Apple, Oracle, IBM, and Cisco. Of those top 5 vendors a good 80% of the known vulnerabilities have been patched, and while that still leaves 20% unpatched, it’s still a boatload better than the 50/50 ratio everyone else tends to have.

The second thing that stood out is that the percentage of vulnerabilities that are exploitable remotely jumped from 43.6 percent in 2000 to 89.4 percent in 2007. That’s huge and shows just how valuable taking over your PC has become to these people:

Trojans were the overall darlings of the year, accounting for 26 percent of all malware distributed. Worms, adware, viruses, and downloaders also grabbed significant chunks of the pie, while keyloggers, rootkits, and spyware all were all confined to small pieces of the market. Trojans were also responsible for the largest number of malcode additions in 2007—a total of 109,246 new Trojans were detected in 2007, compared to 64,173 worms, 55,873 adware programs, and 48,889 viruses.

Those numbers are staggering, though it helps to keep in mind that a lot of these programs are variations on a theme, as each hacker modifies the code to try to avoid detection and/or adapt it to their specific goals. It all should act as a reminder of the need to keep your anti-virus software up to date, make use of a decent firewall, and be very careful about knowing exactly what you’re installing on your PC. Some of the more recent, but less successful, exploits have tried to spread themselves through PDF and MP3 files, while some of the most successful are the fake media codecs from sites that tempt you with some outrageous or titillating video that requires you to install a media codec you’ve never heard of before you can watch the clip. When you do, you’re suddenly infected with a malicious downloader or spyware.