A New Type of Virus


The old image of a virus was one that deleted files or forced the machine to shut down, but these days they have evolved into things like:
・Uploading screenshots of the infected desktop to message boards
・Sharing files from My Documents over file-sharing software such as Winny

Among these, one that’s been catching my eye lately is a virus that blocks antivirus software updates.

Earlier specimens blocked updates by hijacking hostname resolution (rewriting the hosts file so the vendor's domain resolved to a bogus address), but the latest method apparently uses packet filtering to do it instead.

To clean this up, a scanner has to tell the virus's filter rules apart from those of legitimate packet filtering software, probably by pattern matching on the rules the virus installs. With variants emerging, that could get complicated quickly, and there are a great many packet filtering tools out there whose rules would have to be left alone.

The only virus I’ve ever been infected with myself was the Blaster worm that spread about two years ago. I remember being genuinely shocked. At the time I was running a server on Windows, so it spread freely through my internal network — 2 out of 3 PCs got infected.

<Reference>
Evolving viruses — this time blocking countermeasures with packet filtering

On July 1st, F-Secure issued a warning about the emergence of a virus called “Fantibag.B” that modifies packet filtering settings to block access to antivirus vendors’ and OS vendors’ websites.

Fantibag.B is a Trojan-type virus. Once infected, it copies itself as “firewall_anti.exe”, modifies the registry, and changes packet filtering API settings to block access to antivirus and OS vendors’ websites — preventing updates to patches and virus definition files. Blocked domain names include “windowsupdate.microsoft.com” as well as “www.f-secure.com”, “www.mcafee.com”, “www.symantec.com”, “www.trendmicro.com”, and other major antivirus vendor names.

Many previously seen viruses, including Mytob, have also tried to block definition file updates, but most used the technique of modifying the hosts file (pharming). Blocking access by changing packet filtering policies is relatively unusual.

In response, the SANS Internet Storm Center has pointed out that viruses using packet filtering are more difficult to detect and troubleshoot than the hosts-file modification approach, and that some kind of alert when definition file updates fail may become necessary.
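The check that SANS calls for in the notice above, and the difference between hosts-file hijacking and packet-filter blocking described earlier in the post, as an added example that is not code from the original post, from F-Secure or from SANS. It audits two constructed inputs, the text of a hosts file and a list of firewall rules as they might come out of a rule export (name, action, direction, remote addresses), against the vendor domains named in the notice. The IP addresses are documentation ranges chosen for the example, the rule name is made up, and the DNS answers are a constructed map of what each domain "currently resolves to", standing in for a lookup the real audit would perform.

```python
"""Audit whether an antivirus/OS update path is being blocked, either by
hosts-file entries or by outbound packet-filter rules.

Example code added for illustration; the sample hosts file, firewall rules,
rule name and DNS answers below are constructed, not captured from a real system.
"""
import ipaddress

# Domains the updaters need to reach, as listed in the F-Secure notice.
VENDOR_DOMAINS = (
    "windowsupdate.microsoft.com",
    "www.f-secure.com",
    "www.mcafee.com",
    "www.symantec.com",
    "www.trendmicro.com",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs for every mapping in a hosts file, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def hosts_file_blocks(text):
    """Vendor domains pinned in the hosts file.

    Any static entry for a vendor domain is suspicious: the real address must
    come from DNS, so the file itself names the domain being hijacked."""
    findings = {}
    for ip, name in parse_hosts(text):
        if name in VENDOR_DOMAINS:
            findings.setdefault(name, []).append(f"hosts file maps {name} -> {ip}")
    return findings


def firewall_blocks(rules, resolved):
    """Vendor domains whose current addresses fall inside an outbound block rule.

    `rules`: dicts with keys name, action ("allow"/"block"), direction ("in"/"out")
    and remote (list of IPs or CIDRs). `resolved`: domain -> set of IPs it resolves
    to right now. A filter rule only carries addresses, so the audit has to resolve
    each domain to map the rule back to a name; that indirection is what makes this
    variant harder to troubleshoot than a hosts-file edit."""
    findings = {}
    for rule in rules:
        if rule["action"].lower() != "block" or rule["direction"].lower() != "out":
            continue
        networks = [ipaddress.ip_network(r, strict=False) for r in rule["remote"]]
        for domain in VENDOR_DOMAINS:
            for ip in resolved.get(domain, ()):
                if any(ipaddress.ip_address(ip) in net for net in networks):
                    findings.setdefault(domain, []).append(
                        f"outbound block rule {rule['name']!r} covers {ip}")
                    break
    return findings


def audit_update_path(hosts_text, rules, resolved):
    """Merge both checks into one domain -> [reasons] report."""
    report = {}
    for partial in (hosts_file_blocks(hosts_text), firewall_blocks(rules, resolved)):
        for domain, reasons in partial.items():
            report.setdefault(domain, []).extend(reasons)
    return report


# --- constructed sample inputs -------------------------------------------------
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1\tlocalhost
127.0.0.1   www.f-secure.com            # pinned to loopback: hosts-file style block
127.0.0.1   windowsupdate.microsoft.com
"""

SAMPLE_RULES = [  # constructed rule export; the name is made up
    {"name": "Core Networking", "action": "allow", "direction": "out", "remote": ["203.0.113.0/24"]},
    {"name": "Network Optimizer", "action": "block", "direction": "out",
     "remote": ["203.0.113.0/24", "198.51.100.7"]},
    {"name": "Block inbound RPC", "action": "block", "direction": "in", "remote": ["0.0.0.0/0"]},
]

SAMPLE_DNS = {  # constructed answers using documentation address ranges
    "www.symantec.com": {"203.0.113.10"},
    "www.mcafee.com": {"198.51.100.7"},
    "www.trendmicro.com": {"192.0.2.30"},
    "www.f-secure.com": {"192.0.2.44"},
    "windowsupdate.microsoft.com": {"192.0.2.80"},
}

if __name__ == "__main__":
    for domain, reasons in sorted(audit_update_path(SAMPLE_HOSTS, SAMPLE_RULES, SAMPLE_DNS).items()):
        print(domain)
        for reason in reasons:
            print("   ", reason)
```

On the sample data the hosts-file check flags www.f-secure.com and windowsupdate.microsoft.com directly from the file text, while the firewall check only finds www.symantec.com and www.mcafee.com after resolving them and matching their addresses against the block rule; www.trendmicro.com resolves outside every blocked range and is reported clean. Run against a real machine, the hosts text would come from the system's hosts file, the rules from a firewall or IP-filter policy export, and the DNS map from live lookups, and a non-empty report is the "update failed" alert SANS suggests.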
