Myfip Stealth Worm Steals Documents
30 Aug 05:38

A growing wave of stealth worms and malware using rootkit functionality specifically created to steal intellectual property has put corporations on the alert. One worm in particular, Myfip.H, uses stealth kernel rootkit techniques to hide from the system administrator and conventional AV software.

Myfip is designed to infect computers and steal data. Stealth variants of common malware such as Mytob and Rbot are also a cause of growing concern for corporations.

An actively running stealth worm that uses rootkit technologies can remain undetected by ordinary AV software. This can happen if the system is already infected by a rootkit worm before the AV software is installed, or if a new worm has hidden its files and processes before the AV software update capable of detecting the worm has been installed. F-Secure has developed a new weapon to fight attacks that use rootkit technologies: the F-Secure BlackLight rootkit scanner. Test versions of the tool are available for free (URL below).

BlackLight will be included as an integrated scanning engine in the forthcoming F-Secure Internet Security 2006 security suite, due for release this autumn. The engine updates automatically with anti-virus updates, and the hidden rootkit files found by BlackLight are then scanned with the anti-virus engines. BlackLight was first introduced as a beta version at the CeBIT fair in Hannover, Germany in March. Currently no other commercial AV solutions include rootkit scanning technology.

The F-Secure rootkit scanner will find stealth worms such as Myfip. Myfip first raised the alert among corporations last year for its ability to steal key intellectual property. The original worm, which specifically targeted PDF files from infected computers, emerged as the variant Myfip.H in February 2005, using stealth kernel rootkit techniques to infect computers and hide from the system administrator and conventional AV software.

During 2005 the number of worms and bot-malware with rootkit functionality has risen rapidly. Stealth variants of common malware such as Mytob and Rbot have made rootkits a common class of malware.

Unlike other worms, such as the destructive Zotob worm, which hit CNN two weeks ago, Myfip.H is designed to attract as little attention as possible in order to carry out its mission, and it is not self-propagating. Transmission is via spam e-mail attachments. When the user clicks on the attachment, Myfip navigates through the local hard disk and the corporate network looking for predefined file types. It then sends the files it finds back to the attacker.

Related links:
www.f-secure.com/blacklight
www.f-secure.com/weblog/
