Thursday, April 05, 2007

ANI -Thursday evening ... late

Hi folks,

Although the number of infected websites is continuing to grow, we feel we have the outbreak contained, at least as far as our users are concerned, and we're starting to look at the many and varied payloads.

The most interesting thing we've seen so far is one that is a genuine virus (in other words, it infects other files really well). That is unusual enough, but it also installs a network packet sniffer, _and_ it installs a copy of the Microsoft Platform SDK... 14,500 files over 1.1 GB. At this point, we have absolutely no idea why they would do that. It just doesn't make sense.

You could understand making something viral, and you could understand why the virus might also install a network sniffer, but then to download 1.1 GB of SDK is hardly subtle, and tends to give the game away a bit. Also interesting is that some of the infected files call _frequently_ to a URL containing MsnPortalHome, which _looks_ like adware. All very odd.

We'll post more as we find out!
