28 Feb 2006
The arrival of a new Trojan has sparked fierce controversy in the IT security community as established antivirus firms hit back at claims that they did not react quickly enough to block the malware.
The row started last weekend after an unnamed virus writer started spamming a Trojan, named PWSteal.Tarno.S or Clagger-H, which purported to be an alert about irregularities with a PayPal transaction.
Managed security services provider BlackSpider Technologies issued a statement on Monday detailing the threat, and accused Symantec, the world's largest security software house, of being caught cold by the malware.
BlackSpider claims that it first spotted the code at 4:55am on Saturday morning, but that Symantec only issued a signature file at 9:55am on Monday morning, leaving systems unprotected for 53 hours.
"The hacker behind this virus has done a real number on the antivirus community," said James Kay, chief technology officer at BlackSpider.
"It was hardly a discreet attack so I'm at a loss as to why it took an antivirus vendor so long to take action. I'm sure the hacker can't believe his/her luck when a virus that went out early Saturday was still unpatched two days later."
Kay added that UK businesses received 3.2 million copies of the Trojan over the weekend, making it the most successful 'zero day' attack this year, according to BlackSpider.
However, Symantec has hit back, stating that its customers were protected all along. "We recommend that all internet users have multiple layers of protection to defend against malicious code attacks such as the recent PWSteal.Tarno.S threat," said the company in a statement.
"Symantec's anti-spam solutions include a rule that would block this particular threat, maximising the protection for customers.
"Symantec's Global Intelligence Network enables us to respond as quickly as possible to new threats, and ensures that customers are protected against the latest internet dangers."
The firm has a network of internet monitoring stations in Asia, Europe and America, giving it global coverage that should be able to identify and mitigate new malware as it happens.
However, security firm Sophos told vnunet.com that it picked up on the threat the day before BlackSpider.
"Sophos has been protecting against this Trojan since 2pm on Friday 24 February, some 14 hours before BlackSpider say they first spotted it," said Graham Cluley, senior technology consultant at Sophos.
"So BlackSpider is incorrect in some of its facts and in its claim that the antivirus industry was caught napping.
"The Trojan does not exploit any software vulnerabilities, so it's also somewhat inaccurate to call it a 'zero day' attack. It uses simple social engineering in the form of a bogus message from PayPal to encourage people to click on the attached file."