A French Internet worm called PrettyPark, which infected thousands of Windows users last week, can download company data used by telecommuters on home PCs to a thieving Internet Relay Chat (IRC) channel.
And that puts corporations at risk because telecommuters often fail to regularly update their antivirus software, said Sal Viveros, group marketing manager for total virus defense at Network Associates (NAI) in Santa Clara, California.
“As more and more people telecommute, that is the hardest group to keep updated and control [via] security policies [given that] remote users don’t necessarily log in every day,” Viveros said. NAI’s Enterprise SecureCast technology (www.nai.com) pushes updates of the company’s antivirus software such as VirusScan and CyberCop to users’ desktops when they log on to company networks.
“If you have a valuable asset on your laptop or home machine, you should be worried about this attack,” said Fred Rica, a partner at Deloitte & Touche’s attack and penetration service line.
Information technology managers should be concerned. Viveros said there’s a growing number of remote access Trojan programs sent via e-mail that can open the backdoor to a user’s PC and gather log-ins and passwords to company intranets. “It is much easier to get a remote access Trojan into a company than break down a firewall,” Viveros said.
PrettyPark, for example, enters a user’s system as a Trojan horse when Windows users open an attached e-mail file named PrettyPark. Unknown to users, the worm connects their PC to a custom IRC channel when they are logged on to a remote server while surfing the Web or reading e-mail.
Once connected to an IRC, the creator of the custom channel or his robot program can download the victim’s files, passwords, log-in data, operating system preferences and other personal information -- including stored credit-card numbers.
PrettyPark also sends duplicate files of itself to the e-mail addresses listed in the user’s Internet address book. Antivirus software firms say they’re trying to determine who’s collecting this information.
The worm has mostly attacked home users who are less likely to update antivirus software or use firewalls that block IRC traffic, according to Carey Nachenburg, chief researcher at Symantec Corp.’s antivirus research center in Cupertino, California.
Although computer viruses are intended to infect files or disks on a single PC, worms are specially crafted to spread among computers in a network. By last week, at least 2,000 users had been logged on to the rogue IRC channel, Nachenburg said.
“Even if they updated their antivirus software a week or two ago, [PrettyPark] may still be able to infiltrate their systems because the definitions were just posted [June 10],” said Nachenburg, whose company (http://www.symantec.com) distributes Norton AntiVirus software, which also blocks the worm.