NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0397 New 'Mayday' Worm May Rival Storm Worm:
A new peer-to-peer (P2P) botnet, reportedly even more powerful and stealthy than the infamous Storm, has begun infiltrating mostly US-based large enterprises, educational institutions, and customers of major Internet service providers, according to an online IT journal. Dubbed 'Mayday' or 'Daymay', the worm reportedly spreads itself through PDF attachments in emails and has the ability to evade many antivirus products. Mayday uses a combination of techniques to communicate with its bots, including hijacking browser proxy settings, said Tripp Cox of security firm Damballa. "It can communicate through an enterprise's secure web proxy and conduct updates and attack activities," he said, calling it a unique method for a botnet. The web proxy approach also demonstrates that this is no random bot infection, Cox points out. "Designing bot malware to specifically use web proxies is a clear indicator that it is targeting [specific] enterprise systems." The botnet is said to use two forms of P2P communications to ensure it can talk to its bots, including encrypted Internet Control Message Protocol (ICMP) traffic. Cox stated, "This malware is for multiple protocols and is specifically designed to be successful, despite whatever security controls might be in place." Mayday is currently being used to spread credit-report spam.
Another botnet, called 'Mega-D', has also been reported to overshadow Storm in spam delivery. UK-based security vendor Marshal said Mega-D accounted for 32% of all spam caught in its filters, versus only 2% from Storm, which it says had previously accounted for 20% of the spam.
(www.vnunet.com 08FEB08) (www.darkreading.com 04FEB08)