Security experts last week were divided on the threat posed by a new Trojan virus after its identification two weeks ago.
Bernardo Quintero, a virus expert with Spanish computer security organisation Hispasec.com, contends that the malicious program which supposedly hides itself in computer movie files is no such thing, but an "elementary Trojan virus serving the marketing purposes of a few security firms and government departments".
Last week, FBI sources confirmed that a sophisticated Trojan virus had been released, with the ability to conceal itself in AVI (computer movie) files. The virus was reported as being capable of releasing massive distributed denial of service (DDoS) attacks from thousands of computers permanently connected to the Internet.
The news of the virus was released by Network Security Technologies (Netsec), which had reportedly alerted the FBI. According to a Netsec report, the Trojan virus was probably hosted on more than 2000 computers and was primed to launch an attack. The virus was named "Serbian Badman Trojan" after the Internet nicknames of its creators.
However, according to Hispasec's Quintero, the virus threat has been greatly exaggerated. "It is a simple Trojan distributed as an .EXE executable, [and is] completely unsophisticated," Quintero said.
The virus disguises itself as a movie file simply by changing its icon and adding a false intermediate .MPG extension, according to Quintero. The virus has no filename of its own, and its filename is changed every time it is sent. The virus therefore appears on a victim's computer as any-filename.mpg.exe.
Hispasec's security expert says that the very elementary Trojan virus is not capable of self-replication or self-mailing, so it cannot spread the infection by itself. The virus was distributed by sending the file, under different filenames, to several pornographic newsgroups in the hope that users would be induced to download the supposedly adult-content video.
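The disguise described above relies on a deceptive double extension: a media extension sits just before a final executable extension, so the file looks like any-filename.mpg but runs as a program. The following check is an added example, not code from the article or from Hispasec, and the extension lists in it are my own assumptions; it flags filenames (such as mail attachments or downloads) that use this pattern so they can be quarantined or reviewed.

```python
# Added example: flag filenames that hide an executable extension behind a
# media extension (the "any-filename.mpg.exe" disguise described in the article).

# Assumed lists, not from the article: extensions a user expects to open as media ...
MEDIA_EXTENSIONS = {"mpg", "mpeg", "avi", "mov", "wmv", "jpg", "jpeg", "gif"}
# ... and extensions Windows will execute as a program.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd"}


def is_deceptive_double_extension(filename: str) -> bool:
    """Return True when the filename ends in an executable extension and the
    extension immediately before it is a media extension, e.g. 'clip.mpg.exe'.

    Plain executables ('setup.exe') and genuine media files ('clip.mpg') are
    not flagged; only the double-extension disguise is.
    """
    # Split off at most the last two extensions; comparison is case-insensitive
    # because Windows treats 'CLIP.MPG.EXE' and 'clip.mpg.exe' the same way.
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner_ext, outer_ext = parts
    return outer_ext in EXECUTABLE_EXTENSIONS and inner_ext in MEDIA_EXTENSIONS


def scan_filenames(filenames):
    """Return the subset of filenames that use the deceptive double extension."""
    return [name for name in filenames if is_deceptive_double_extension(name)]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real incident.
    sample = ["hot_clip.MPG.exe", "holiday.mpg", "setup.exe", "trailer.avi.scr"]
    for name in scan_filenames(sample):
        print(f"suspicious double extension: {name}")
```

The check deliberately looks only at the two trailing extensions, so a name like `some.long.name.mpg.exe` is still caught, while `report.doc.mpg` (no executable on the end) is left alone.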
Quintero said that the malicious program was written using an elementary Trojan creation kit, and its only purpose, once installed, is to contact a Web address. Once it has made contact, the virus tries to download and install "SubSeven21", a well-known backdoor program that most antivirus programs can detect. This back door allows hackers to remotely control the compromised computer.
The backdoor program is no longer available at its previous address, so infection is impossible through the Trojan virus, according to Quintero.
Antivirus software vendor Symantec has also issued the same finding on its Web site. "The intended program file is no longer available on the Internet, thus it currently poses no threat to users," Symantec said in its Web posting.
However, US computer security company iDefense last week supported Netsec's findings, but only in relation to the SubSeven Trojan virus. SubSeven is the malicious code that the Serbian Badman Trojan tries to download and install.
Version 2.1 of SubSeven, and probably other releases, can use the Internet relay chat (IRC) channels to launch "ping flood" DoS attacks using IRC commands from infected servers, iDefense said.
This capability allows a malicious attacker to launch a DDoS attack using all the compromised machines logged onto the appropriate IRC channel at any given time, iDefense said.
This IRC command capacity is significant because corporate firewalls that are not configured to block IRC outbound traffic will not stop the commands, and they will also flow freely from small businesses and homes furnished with permanent digital subscriber line (DSL) and cable modem connections, iDefense said.
iDefense urges users to take appropriate measures against this Trojan virus. Firewalls should be set up to block all unsolicited inbound services. Users are also encouraged to apply this precaution to outgoing traffic and to block and log traffic on known Trojan ports (e.g. 2221, 2222, 6669 and 7000).
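iDefense's advice above is to block and, just as importantly, log traffic on the known Trojan ports in both directions. The script below is an added example, not code from the article, iDefense or Hispasec: it reads firewall connection-log lines in a simple constructed format (my assumption, not any vendor's real log layout), flags connections whose destination port is one of the ports named in the article, and tallies which internal hosts are involved so an administrator knows where to look first.

```python
# Added example: review firewall connection logs for traffic to the Trojan
# ports listed in the article. The log format and sample lines are constructed.
import re
from collections import Counter

# Ports named by iDefense in the article.
TROJAN_PORTS = {2221, 2222, 6669, 7000}

# Assumed log line layout (constructed for this example):
#   <date> <time> <IN|OUT> <src-ip>:<src-port> -> <dst-ip>:<dst-port> <proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<direction>IN|OUT) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # The internal host is the source of outbound traffic and the target of inbound.
    rec["internal_host"] = rec["src"] if rec["direction"] == "OUT" else rec["dst"]
    return rec


def find_trojan_port_traffic(lines, ports=TROJAN_PORTS):
    """Return parsed records whose destination port is a known Trojan port.

    Outbound hits suggest an internal host reaching a controller or a backdoor
    download site; inbound hits suggest someone connecting to a listening
    backdoor on an internal host. Unparseable lines are skipped, not fatal.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["dport"] in ports:
            hits.append(rec)
    return hits


def hits_per_internal_host(hits):
    """Count flagged connections per internal host, for triage ordering."""
    return Counter(rec["internal_host"] for rec in hits)


# Constructed sample log; addresses are documentation/private ranges, not real hosts.
SAMPLE_LOG = [
    "2000-07-10 12:00:01 OUT 192.168.1.10:1034 -> 203.0.113.5:80 TCP",
    "2000-07-10 12:00:05 OUT 192.168.1.10:1035 -> 203.0.113.5:2222 TCP",
    "2000-07-10 12:00:09 IN 198.51.100.7:40211 -> 192.168.1.22:7000 TCP",
    "2000-07-10 12:00:12 OUT 192.168.1.22:1040 -> 203.0.113.9:6669 TCP",
    "this line is not a connection record",
    "2000-07-10 12:00:20 OUT 192.168.1.31:1050 -> 203.0.113.9:443 TCP",
]

if __name__ == "__main__":
    flagged = find_trojan_port_traffic(SAMPLE_LOG)
    for rec in flagged:
        print(f"{rec['ts']} {rec['direction']:3} {rec['internal_host']} "
              f"-> port {rec['dport']} ({rec['proto']})")
    for host, count in hits_per_internal_host(flagged).most_common():
        print(f"{host}: {count} flagged connection(s)")
```

Port-based flagging is a triage signal rather than proof of infection: 6669 and 7000 are also used by ordinary IRC servers, which is exactly why the article recommends logging alongside blocking, so that hits can be checked against the host with an updated antivirus scan before anything is concluded.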
Both iDefense and Hispasec agreed that updated antivirus programs can detect all uncompressed versions of the SubSeven Trojan. They both recommend keeping the antivirus programs updated.