Have You Been Infected By The Wovax Trojan?

Today, it seemed that my email flow was a little light. Traffic to some of our sites also seemed rather slow. I couldn’t explain it, but something just didn’t seem right. My first thought was “Is today a holiday?”

If only that were true!

As it turns out, there’s been a wicked Trojan attack making its way across the web, causing spotty access to a number of servers, including those of DreamHost and Time Warner Cable down in the Southern California area.

These “security attacks” typically target a server or a group of servers and issue a large number of requests to these servers that ultimately need to be queued up and serviced. The structure of this type of security attack is such that if it can keep the server busy servicing these false requests, then the server will have little or no time to service legitimate requests (AKA your requests).

How does it do it? Is there some super secret supercomputing system out there in Dr. Evil’s cave targeting real systems with these attacks?

Not quite.

Most of the time, it’s a large number of zombified personal systems that have been recruited to participate in these coordinated security attacks. These are systems like yours and mine.

Again, if your system is participating in these kinds of attacks, that means fewer resources and cycles available for your machine to actively do what you want it to do, like generating revenue.

So if you see your system suddenly slowing down and you don’t have any idea why, or if it is making unusual requests over the ‘net, it may have been recruited.

For a quick check to see if your machine may be participating in this latest Trojan attack, run a search on all files and folders in the C:\WINDOWS folder. Search for a file called wovax.exe.

If you don’t find it on your laptop or desktop, you are clear… for this particular attack.

If you do find it, you’ll have to remove it as well as the entry in the registry. If you know how to edit the registry, see the solution on Sophos.com for removing this puppy:

http://www.sophos.com/security/analyses/viruses-and-spyware/trojsecondtaa.html
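A read-only version of the check described above, as an added PowerShell example (not from the post or the Sophos write-up): it searches the Windows folder for wovax.exe and, because the post does not say where the registry entry lives, also scans the standard Run/RunOnce autostart keys for any value that references the file (that location is an assumption; confirm against the Sophos analysis before removing anything).

```powershell
# Added example, not part of the original post. Read-only check for the
# wovax.exe indicator: nothing is deleted, findings are only reported.
$Indicator  = 'wovax.exe'
$SearchRoot = $env:SystemRoot   # normally C:\WINDOWS

# 1. File system: look for the indicator anywhere under the Windows folder
#    (-Force includes hidden files; access errors are skipped).
$files = Get-ChildItem -Path $SearchRoot -Filter $Indicator -Recurse -Force `
                       -ErrorAction SilentlyContinue

if ($files) {
    foreach ($f in $files) {
        # Record path, size and timestamp so the hit can be cross-checked
        # against the Sophos write-up before the file is removed.
        "FOUND: {0} ({1} bytes, modified {2})" -f $f.FullName, $f.Length, $f.LastWriteTime
    }
} else {
    "No file named $Indicator found under $SearchRoot"
}

# 2. Registry: standard autostart locations. ASSUMPTION: the post does not
#    name the Trojan's registry entry; these are the usual places a program
#    registers itself to run at logon, so any value mentioning the indicator
#    is worth a look.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match [regex]::Escape($Indicator)) {
            "AUTOSTART REFERENCE: $key\$($p.Name) = $($p.Value)"
        }
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and the whole Windows folder are readable; a clean machine prints only the "No file named" line.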

However, if the first thing that popped into your mind when I said “registry” was “bridal”, leave me a message in the comment section below and I’ll help you through removing this little bug.

Oh, and here is the article on Ars Technica that brought this latest attack to light.

http://arstechnica.com/security/news/2009/02/time-warner-cable-blames-ddos-attack-for-spotty-service.ars
