New wave of Spamta worm hits the Internet

PandaLabs, Panda Software’s anti-malware laboratory, has detected a rapid increase in the number of incidents caused by a new variant of the Spamta worm. In one 12-hour period, incidents involving this malicious code multiplied rapidly.

These waves of malicious code are basically aimed at creating a critical situation that requires security companies to focus their efforts on countering these particular threats. In the meantime, the creators of this malware launch other, more surreptitious, threats that could actually be more dangerous.

This behaviour coincides with the new malware dynamic, which Panda Software has been monitoring for some time, and this case in particular is typical of one of the classic strategies: distraction. While users believe they are protected against the latest malicious code, such as Spamta, other more selective programs, like the Briz Trojan, can target selected computers. The payload of Briz is more dangerous than that of Spamta, as it is designed to steal passwords for the web pages of certain online banks, and because it is custom-made it could slip past antivirus detection systems unnoticed.

Panda Software, thanks to its TruPrevent Technologies, has been able to protect its clients from the moment this code first appeared, detecting it by analyzing its behaviour rather than by comparing it against a list of previously identified threats. When a certain application appears to act in a dangerous way, it is prevented from running and sent to PandaLabs for in-depth analysis.

Spamta.NB, the version detected in this latest wave, spreads across computers via email. It is based on an earlier worm, SpamtaLoad.BL, which also spread via email in a message with a variable subject field: Error, Good day, hello, etc. Versions with subjects such as “Mail Delivery System”, “Mail server report” or “Mail Transaction Failed” pose the greatest threat, as users are more likely to think that they are warnings of undelivered messages and therefore open the mail to see what has happened.

The message texts are also variable, and frequently refer to problems with mail management systems. The messages also include an attachment with a false extension. The real extension of this executable that contains the malicious code could be CMD, DAT, EXE, PIF or SCR.
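The lure described above (a bounce-style subject plus an executable attachment hiding behind a false extension) can be checked for at a mail gateway. The following is an added example, not code from PandaLabs or the original article; the function names, finding labels and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Real extensions and bounce-style subjects exactly as listed in the article.
# Note: ".dat" also matches benign files such as winmail.dat, so expect noise.
REAL_EXTS = {"cmd", "dat", "exe", "pif", "scr"}
BOUNCE_SUBJECTS = ("mail delivery system", "mail server report",
                   "mail transaction failed")

def attachment_findings(filename):
    """Reasons a filename looks like an executable behind a false extension."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = [p.strip().lower() for p in filename.strip().rstrip(". ").split(".")]
    if len(parts) < 2 or parts[-1] not in REAL_EXTS:
        return []
    reasons = ["executable-extension:" + parts[-1]]
    if len(parts) >= 3:  # e.g. "message.txt.scr": "txt" is only a decoy
        reasons.append("decoy-extension:" + parts[-2])
    return reasons

def score_message(raw):
    """Parse a raw RFC 5322 message and list everything that matches the lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").lower().split())
    findings = []
    if any(s in subject for s in BOUNCE_SUBJECTS):
        findings.append("bounce-style-subject")
    for part in msg.walk():  # walk() also covers single-part messages
        fname = part.get_filename()  # decodes RFC 2231 encoded names
        if fname:
            findings += [f"{fname}: {r}" for r in attachment_findings(fname)]
    return findings

def build_sample(subject, filename):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("The message could not be delivered. See attachment.")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, name in [("Mail Transaction Failed", "message.txt.scr"),
                       ("Quarterly notes", "notes.pdf")]:
        print(subj, "->", score_message(build_sample(subj, name)))
```

A gateway would typically quarantine on the attachment findings alone and treat the subject match as supporting evidence, since legitimate bounces use the same subjects.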

These waves of malicious code could increase, and according to Luis Corrons, Director of PandaLabs, “This type of activity often peaks over the Christmas period, and with users making more purchases online, the security of their systems could be compromised if they do not have adequate protection installed.”

In order to combat malicious code that can spread in just a few hours, “systems such as TruPrevent Technologies are needed as they can detect threats without having previously identified them,” concludes Corrons.