Is your home computer distributing pornography - perhaps even child pornography? Your Windows-based PC may not hold any pornography at all, of course. But it could look as though it does, if it has been infected with a new Trojan called migmaf.
Pornography, PayPal scams, spam and lots of other things could be passing through your PC without your knowledge. The texts and images may never be written to your hard drive, but anyone who traces them back will find they come from the IP (Internet Protocol) address that identifies your computer. That could lead to your net access being blocked, your internet service provider (ISP) threatening to throw you off the net, or worse.
At the moment, the risk is very low. Kevin Hogan, from Symantec's security response team in Dublin, says: "We've only received one file from a customer with this problem. I wouldn't want to overconcern people." Further, if your PC has migmaf, it was probably installed manually, so Hogan's message is: "Don't double-click or install programs if you don't know what they are. And if you're sent something called wingate.exe - the name of the Trojan file - don't run it."
However, it's not hard to imagine migmaf, or something based on the same code, being distributed with a fast-infecting virus. When that happens, pornographic advertisements and spam (unsolicited advertising messages) are going to become harder to stop. Joe Stewart, of Lurhq Corporation, says in his paper on migmaf that it "means the spammer has a complete end-to-end anonymous system for spam, and it lends itself well to the kind of scams already being seen" with regard to PayPal.
Migmaf works as a reverse proxy, and its effect is to hide the real address of the web server that is the source of the pornography or spam. Your infected PC accepts the visitor's web request, fetches the page from the real server and passes the reply back. The visitor, and anyone investigating later, sees only your address: the real server never appears in the connection, and your PC simply relays the traffic in both directions.
If someone used your PC as a porn server, you would notice it slow down under the weight of traffic. But these scammers are more sophisticated than that. It seems they use each PC for only 10 minutes before the job is passed to another compromised system. Using a series of proxy servers makes the real server a moving target and much harder for an ISP's spam-blockers to find and close down.
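The relay described above, reduced to a runnable toy. This is an added example written for this article, not Migmaf's code and not tooling from Lurhq, Symantec or Sophos; it runs entirely on 127.0.0.1 with a constructed sample page, an "origin" server standing in for the hidden spam server and a "relay" standing in for the infected PC. The point it makes is that the visitor's socket only ever connects to the relay, while the origin's own logs show only the relay's outbound socket.

```python
"""Toy HTTP reverse proxy illustrating the relay Migmaf is described as running.
Added example (not Migmaf code, not from Lurhq/Symantec/Sophos). Everything runs
on 127.0.0.1 with constructed content: the 'origin' stands in for the hidden
spam/porn web server and the 'relay' for the infected PC."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample page: the content lives only on the hidden origin.
ORIGIN_BODY = b"<html><body>page that is stored only on the hidden origin</body></html>"
origin_peers = []      # (ip, port) of every socket that connected to the origin
relay_outbound = []    # (ip, port) of the relay's own sockets towards the origin


class OriginHandler(BaseHTTPRequestHandler):
    """The real server. It only ever sees the relay, never the visitor."""
    def do_GET(self):
        origin_peers.append(self.client_address)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(ORIGIN_BODY)))
        self.end_headers()
        self.wfile.write(ORIGIN_BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_relay_handler(origin_host, origin_port):
    """Build a handler that forwards each GET to the origin and returns its reply."""
    class RelayHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            upstream = http.client.HTTPConnection(origin_host, origin_port, timeout=5)
            try:
                # Forward the visitor's request path and Host header unchanged.
                upstream.request("GET", self.path,
                                 headers={"Host": self.headers.get("Host", "")})
                relay_outbound.append(upstream.sock.getsockname())
                reply = upstream.getresponse()
                body = reply.read()
                status, headers = reply.status, reply.getheaders()
            finally:
                upstream.close()
            self.send_response(status)
            for name, value in headers:
                # Server/Date are added by this server; drop hop-by-hop/length headers.
                if name.lower() not in ("server", "date", "connection",
                                        "transfer-encoding", "content-length"):
                    self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass
    return RelayHandler


def start_server(handler):
    """Bind to a free loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def visit(host, port, path="/"):
    """Act as the visitor (or an investigator): fetch through the relay and note
    which endpoint the socket actually talked to."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    peer = conn.sock.getpeername()
    reply = conn.getresponse()
    body = reply.read()
    conn.close()
    return reply.status, body, peer


def demo():
    origin = start_server(OriginHandler)
    relay = start_server(make_relay_handler("127.0.0.1", origin.server_port))
    try:
        status, body, visitor_peer = visit("127.0.0.1", relay.server_port, "/index.html")
    finally:
        relay.shutdown(); relay.server_close()
        origin.shutdown(); origin.server_close()
    return {
        "status": status,
        "body": body,
        "visitor_peer_port": visitor_peer[1],   # the only address the visitor sees
        "relay_port": relay.server_port,
        "origin_port": origin.server_port,
        "origin_peers": list(origin_peers),     # what the origin's logs would show
        "relay_outbound": list(relay_outbound),
    }


if __name__ == "__main__":
    r = demo()
    print(f"visitor talked to port {r['visitor_peer_port']} (the relay); "
          f"origin on port {r['origin_port']} saw only {r['origin_peers']}")
```

Rotating the relay every ten minutes, as the article says the operators do, changes nothing in this code: the origin stays put and only the address the visitor is pointed at moves, which is why blocking a single relay address buys an ISP so little.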
Nobody knows who is responsible for this backdoor program. However, Stewart has noted that it checks for a Russian keyboard, and does not load if you have one. He also associates the scam with emails that often advertise Russian porn sites. That's why he called it "migmaf", for "migrant Mafia", with reference to organised crime in Russia.
Detecting and removing migmaf should not be a problem: Hogan says Symantec's Norton AntiVirus software was updated last Friday when the Trojan became public knowledge, and it should now be detected by programs from all the leading vendors. According to Stewart, it can be removed by deleting the wingate.exe file and the Registry value that starts it at login, which sits under the key Software\Microsoft\Windows\CurrentVersion\Run and reads: Login Service = wingate.exe.
Graham Cluley, an antivirus expert from Sophos, says: "We recommend that you update your antivirus software and get yourself a personal firewall, especially if you've got a broadband internet connection."
Free firewalls include Zone Alarm and the Sygate Personal Firewall. The firewall should detect attempts to use TCP port 81, which migmaf uses to send spam via the infected PC.
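The two host indicators the article gives, the Run value named "Login Service" pointing at wingate.exe and a listener on TCP port 81, can be checked from exported data when an up-to-date scanner is not to hand. The script below is an added example, not Symantec, Sophos or Lurhq tooling: it parses the text format of a Windows Registry export (`reg export`) and the output of `netstat -ano`, both constructed here as samples. Checking both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER is the script's assumption; the article does not say which hive migmaf uses.

```python
"""Triage for the Migmaf indicators named in the article: a Run value that
launches wingate.exe and a TCP listener on port 81. Added example, not vendor
tooling. Inputs are constructed samples in the text formats produced by
'reg export' and 'netstat -ano' on Windows."""
import re

# Matches a Run key header in a .reg export, for any hive (assumption: the
# article does not say whether migmaf uses HKLM or HKCU, so both are checked).
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\]$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')

# Constructed sample: one benign Run value and the migmaf value.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Login Service"="wingate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\temp\\cleanup.exe"
'''

# Constructed sample in 'netstat -ano' layout: a port 81 listener plus normal entries.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       1492
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.10:1067      64.12.24.72:80         ESTABLISHED     1492
"""


def run_values(reg_export):
    """Yield (hive, value name, data) for each value under a ...\\Run key."""
    hive = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):            # a new key; only Run keys are tracked
            m = RUN_KEY_RE.match(line)
            hive = m.group(1).upper() if m else None
            continue
        if hive and (m := VALUE_RE.match(line)):
            data = m.group("data").strip()
            if data.startswith('"') and data.endswith('"'):   # REG_SZ: unquote, unescape
                data = data[1:-1].replace("\\\\", "\\")
            yield hive, m.group("name"), data


def port81_listeners(netstat_output):
    """Return the netstat lines showing a TCP socket in LISTENING state on port 81."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if (len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING"
                and parts[1].rsplit(":", 1)[-1] == "81"):
            hits.append(line.strip())
    return hits


def find_migmaf_indicators(reg_export, netstat_output):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for hive, name, data in run_values(reg_export):
        if "wingate.exe" in data.lower():
            findings.append(f"{hive} Run value '{name}' launches {data}")
    for line in port81_listeners(netstat_output):
        findings.append(f"TCP listener on port 81: {line}")
    return findings


if __name__ == "__main__":
    for finding in find_migmaf_indicators(REG_SAMPLE, NETSTAT_SAMPLE):
        print(finding)
```

Treat a hit as a lead, not a verdict: the legitimate WinGate proxy product also installs a file named wingate.exe, and port 81 is used by ordinary web servers, so confirm with an updated scanner before deleting anything. Note also that the PID on the port 81 line in the sample is the same as on the outbound port 80 connection, which is exactly the pattern a relay produces.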
But "what's going on here is clearly illegal. If we had clear evidence that a particular group was behind it, the authorities would be able to act against them," says Cluley.
Migmaf
Joe Stewart (Lurhq), analysis of migmaf: www.lurhq.com/migmaf.html
Symantec, Backdoor.Migmaf: www.symantec.com/avcenter/venc/data/backdoor.migmaf.html
Sophos, analysis of migmaf: www.sophos.com/virusinfo/analyses/trojmigmafa.html