According to news reports from the US, the ChangeUp worm is a fast-spreading threat designed to propagate via network shared drives. Once a system is infected with ChangeUp, the worm contacts a remote server to download additional malware, which can range from banking Trojans to keystroke loggers that capture keystrokes in order to steal account credentials. ChangeUp is also programmed to dynamically generate the URLs from which it downloads its malware payload. The malware author behind the attacks constantly modifies the code in an effort to evade detection by antivirus products and network security appliances. Symantec and several other security firms warned in November that a new variant had been detected spreading in the wild.
Dana Tamir, Enterprise Security Director at Trusteer, said: “ChangeUp uses multiple evasion techniques to avoid detection by Anti-Virus and network appliances. These security controls have limited impact on advanced threats as the attackers simply work around the blacklisting rules used for malware detection. To effectively protect against advanced malware you need solutions that are not based on malware detection, but rather on validating that sensitive operations are only executed by legitimate applications. You need to restrict unknown processes from executing sensitive operations like logging keystrokes or opening communication channels. There are very few processes that should be allowed to execute such operations.”
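The control described in the quote, an allow-list of the few processes permitted to perform sensitive operations, can be illustrated with a small policy check over endpoint telemetry. The following is an added example and is not code from the article, from Trusteer, or from any product; the event fields, the allow-list entries, the operation names and the sample events are all constructed for illustration. It also flags executables launched from a network share path, since that is the propagation channel the report attributes to the worm.

```python
"""Allow-list check for sensitive process operations (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Operations that, per the quoted guidance, only a handful of known
# processes should ever be allowed to perform. Names are assumptions.
SENSITIVE_OPS = {"keystroke_capture", "outbound_connect", "process_inject"}

# Hypothetical allow-list: (lower-cased image path, code-signing subject)
# -> the set of sensitive operations that process may perform.
# An entry is only matched when BOTH the path and the signer agree, so a
# renamed or unsigned binary dropped in the same location does not inherit it.
ALLOW_LIST = {
    (r"c:\program files\corp\vpnclient.exe", "Corp Software Ltd"): {"outbound_connect"},
    (r"c:\windows\system32\svchost.exe", "Microsoft Windows"): {"outbound_connect"},
    (r"c:\program files\corp\accessibility.exe", "Corp Software Ltd"): {"keystroke_capture"},
}

# A UNC path (\\server\share\...) means the image was launched straight
# from a network share, the worm's spreading channel per the report.
NETWORK_SHARE_PREFIXES = ("\\\\",)


@dataclass(frozen=True)
class ProcessEvent:
    image: str               # full path of the executable
    signer: Optional[str]    # signing subject, None if unsigned or invalid
    operation: str           # the sensitive operation being attempted


def evaluate(event: ProcessEvent) -> List[str]:
    """Return the findings for one event; an empty list means it is permitted."""
    findings = []
    image = event.image.lower()
    if image.startswith(NETWORK_SHARE_PREFIXES):
        findings.append("executable launched from a network share")
    if event.operation in SENSITIVE_OPS:
        permitted = ALLOW_LIST.get((image, event.signer), set())
        if event.operation not in permitted:
            findings.append(f"{event.operation} not permitted for this process")
    return findings


def audit(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Return only the events that violate policy, paired with their findings."""
    results = []
    for event in events:
        findings = evaluate(event)
        if findings:
            results.append((event, findings))
    return results


# Constructed sample telemetry: one legitimate event and three that a
# default-deny policy should surface.
EVENTS = [
    ProcessEvent(r"C:\Program Files\Corp\vpnclient.exe", "Corp Software Ltd", "outbound_connect"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe", None, "keystroke_capture"),
    ProcessEvent(r"\\fileserver\shared\photo.exe", None, "outbound_connect"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "Microsoft Windows", "keystroke_capture"),
]

if __name__ == "__main__":
    for event, findings in audit(EVENTS):
        print(event.image, "->", "; ".join(findings))
```

The point of the design is the default: any process not explicitly listed for an operation is refused, so a freshly repacked sample with a new hash is treated no differently from a known one. In a real deployment this logic lives in an application-control or EDR layer (Windows AppLocker and WDAC are the built-in equivalents), and the allow-list entries would be backed by signer or hash checks rather than a path string alone.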