Bugwatch: Trojan diallers on the loose

by Alex Shipp, senior antivirus technologist at MessageLabs

11 Aug 2004

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Alex Shipp, senior antivirus technologist at MessageLabs, looks at the growing menace of malicious dialler programs, and suggests measures to avoid getting a nasty shock when the phone bill arrives.

One trend that has dominated 2004 is the huge increase in malware that opens up computers to remote control by malicious parties.

The motive behind this is simple: there is profit to be made from compromised PCs.

You'd be forgiven for assuming that the ideal target for this kind of malicious code is a computer with an always-on high-speed broadband connection.

Networks of these machines - affectionately termed 'botnets' - are traded within the cyber-criminal community and used for distributed denial-of-service attacks, password cracking and the sending of spam.

Yet this doesn't mean that PCs with low-speed dial-up connections are safe; quite the contrary.

A new scam is gathering pace which installs dialler programs onto PCs without the user's knowledge.

Once installed, such a program changes the number the computer uses to connect to the internet from the normal cheap rate to a premium line, which can cost upwards of £1.50 per minute.

The result is a nasty shock when the phone bill arrives, as charges often run into hundreds of pounds. BT recently stated that it currently has 19,000 disputed phone bills, totalling more than £2,000,000.

Unfortunately, the onus is on the alleged victim to prove that the dialler was installed without their knowledge.

There are numerous 'legitimate' dialler programs in circulation which display a message informing the user that they will change the connection number, and state the new call rate.

The user then has to confirm that they are happy for the installation to go ahead. If these steps have taken place, then nothing untoward has happened in the eyes of the law.

As with any aspect of IT security, prevention is always preferable to cure.

Network operators can bar access to premium-rate lines, and for a minimal monthly fee will also block access to foreign phone numbers. It is also worth considering setting a call level so that once a certain figure is reached no more outgoing calls can be made, thus starting the alarm bells ringing.

In addition, computer users should check the number their machine reports it is using to connect to the internet. If the number suddenly changes, this could be because a dialler has been covertly installed.
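One way to automate that check, as an added example that is not part of the original column: the Python sketch below compares the numbers in a dial-up phonebook against a recorded known-good baseline and flags UK premium-rate (09) and international (00) prefixes. The phonebook text is a constructed, simplified sample in the INI-like layout of a Windows `rasphone.pbk` file, and the entry names, numbers and baseline are all made up for illustration.

```python
import re

# Constructed sample in the INI-like layout of a Windows RAS phonebook
# (rasphone.pbk); entry names and numbers are made up for illustration.
SAMPLE_PBK = """\
[My ISP]
PhoneNumber=0845 000 0000

[Connection2]
PhoneNumber=0909 879 0123

[Free Games]
PhoneNumber=00 999 555 0100
"""

# Assumed known-good baseline recorded earlier: entry name -> dialled number.
BASELINE = {"My ISP": "08450000000", "Connection2": "08450000000"}

def normalise(number):
    """Keep digits only, so spacing and punctuation cannot hide a change."""
    return re.sub(r"\D", "", number)

def parse_phonebook(text):
    """Return {entry name: [normalised numbers]} from phonebook text."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = []
        elif current and line.lower().startswith("phonenumber="):
            num = normalise(line.split("=", 1)[1])
            if num:
                entries[current].append(num)
    return entries

def audit(entries, baseline):
    """Flag new entries, changed numbers and premium/international prefixes."""
    findings = []
    for name, numbers in entries.items():
        for num in numbers:
            if name not in baseline:
                findings.append((name, num, "new entry"))
            elif num != baseline[name]:
                findings.append((name, num, "number changed"))
            if num.startswith("09"):
                findings.append((name, num, "UK premium-rate prefix"))
            elif num.startswith("00"):
                findings.append((name, num, "international prefix"))
    return findings
```

Calling `audit(parse_phonebook(SAMPLE_PBK), BASELINE)` returns one tuple per finding; an empty list means every entry still dials its baseline number.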

Security products and services such as antivirus and specialist anti-Trojan programs can help to detect and remove unwanted diallers.

As an ongoing rule, antivirus systems should be kept as up to date as possible, and operating systems patched.

In the majority of cases so far the first indication that something is amiss has been an uncharacteristically large phone bill.

In this event, retrospective action needs to be taken. At the moment, the National Hi-Tech Crime Unit is referring such cases to Icstis, the Independent Committee for the Supervision of Standards of Telephone Information Services, which is co-ordinating investigations.

In the last few days a new variant, effectively dialler software for mobile phones, has come to light. Masquerading as a game, this Trojan is designed to send out premium-rate SMS text messages without the mobile owner's knowledge.

The illegal installation of dialler programs is on the increase, and is another example of cyber-criminals taking profitable advantage of other computer users' resources.

My advice is simple: take all reasonable precautions immediately, but make sure you have all the necessary information to hand just in case the worst does happen.
