09 Jun 2000
Hackers are poised to attack websites after successfully compromising thousands of computers via a malicious program disguised as a movie clip, security experts have warned the US government.
The hackers have been distributing a Trojan Horse - a piece of malicious code embedded inside a legitimate file - which when activated allows hackers full control of a computer while it is connected to the internet.
The problem was detected by Network Security Technologies (Netsec) when the malicious code placed on its network unsuccessfully tried to contact hackers across the internet.
The company isolated and analysed the Trojan, and later contacted government officials at the FBI. Netsec security engineers then followed the Trojan's communications and monitored internet conversations among hackers.
According to US reports, the FBI plans to meet with Netsec officials today amid fears that the launch of a denial-of-service attack is imminent.
"Due to the widescale nature of the infection, the hackers could easily use the compromised machines to launch a distributed denial-of-service attack," said Jerry Harold, Netsec's president and co-founder.
Netsec has identified more than 2000 computer systems within the last few days that have been compromised by this Trojan, including a major corporation in the US and Europe.
Greg Jones, senior security engineer at Information Risk Management, said the warning represents the first reported case of a malicious program being spread using a movie file. He said it would be difficult to defend against without having to reject all multimedia files at firewall level and that "users who have followed best practice might still become infected".
The development is particularly worrying because "the integrity of streaming media is never checked by virus scanners", said Jones.
The malicious code hackers have installed is an implementation of a known Trojan called Backdoor.SubSeven21, embedded in a multimedia file. The code has been compressed to avoid detection when the video or host file is executed.
Upon a reboot, the malicious code loads itself into the system, renames itself by assigning a randomly generated name, modifies the system.ini, win.ini and the Windows Registry, and installs a service that makes an outbound connection to one of two modified Internet Relay Chat servers.