Archive for August, 2006


Aug31
by Jasper Pimentel (Advanced Threats Researcher)

Experts in the industry would agree that there is no silver bullet for securing your network. No single security tool or product can ensure the total security of your network and whatever resources are contained within it. It is a known reality that security products sometimes fail and may even leave systems unprotected, especially against zero-day attacks. What exactly are the reasons security products fail? Some experts have just identified significant reasons behind such failures. Among them are:

  • Too many false alarms
  • Products are riddled with holes
  • Products don’t work well together
  • Users don’t understand the product’s capabilities
  • Users fail to install/deploy the product correctly
  • Users fail to update the product

Read more about this here


Posted in Uncategorized |

Aug31
by Jasper Pimentel (Advanced Threats Researcher)

A new piece of malware is being spammed to email inboxes once again. This Trojan poses as a picture attachment with the filename KodacDC008.JPG……EXE. It uses a double extension and trailing characters to trick unsuspecting users into clicking the file. In some spammed emails the filename varies (e.g. KodacDC004.JPG.EXE, KodacDC007.JPG.EXE). When executed, it downloads a file that is saved as KERNEL32.EXE on the affected machine. That file is actually spyware, which Trend detects as TSPY_GOLDUN.FM.

Trend detects this threat as TROJ_GOBRENA.V. Its detection pattern has been available since CPR 3.702.01.
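The double-extension trick above is something a mail gateway can catch mechanically. The following is an added example, not code from the original post or from Trend Micro: it normalizes a filename (mapping the ellipsis characters shown on the page back to dots), splits it on runs of dots and whitespace, and reports whether a decoy data extension or padding is hiding an executable extension. The extension lists and the sample filenames other than those named in the post are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Extensions Windows runs on double-click (constructed, non-exhaustive list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Extensions a recipient expects to be harmless data (constructed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "doc", "pdf", "txt", "zip"}


def normalize(filename: str) -> str:
    """Map Unicode ellipsis and non-breaking spaces to ASCII so padding
    inserted between extensions is visible to the checks below."""
    return filename.replace("\u2026", "...").replace("\u00a0", " ").strip()


def classify_attachment(filename: str) -> Tuple[Optional[str], str]:
    """Classify an attachment filename.

    Returns (category, reason). category is None when the final extension is
    not executable; otherwise one of:
      'double_extension' - a decoy data extension precedes the executable one
      'padded_extension' - dots/spaces pad the gap before the executable one
      'executable'       - a plain executable attachment
    """
    name = normalize(filename).lower()
    # Split on any run of dots and whitespace; empty tokens are dropped, so
    # "photo.jpg......exe" yields ["photo", "jpg", "exe"].
    tokens = [t for t in re.split(r"[.\s]+", name) if t]
    if len(tokens) < 2:
        return None, "no extension"
    real_ext = tokens[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return None, f"final extension .{real_ext} is not executable"
    decoys = [t for t in tokens[1:-1] if t in DECOY_EXTS]
    if decoys:
        return "double_extension", f".{decoys[-1]} decoy hides .{real_ext}"
    # Two or more dots/spaces directly before the real extension is padding
    # meant to push the real extension out of view in a narrow column.
    if re.search(r"[.\s]{2,}" + re.escape(real_ext) + r"$", name):
        return "padded_extension", f"padding before .{real_ext}"
    return "executable", f"plain executable attachment .{real_ext}"


def flagged_attachments(filenames: List[str]) -> List[Tuple[str, str, str]]:
    """Return the filenames a gateway should quarantine, with category and
    reason; plain data files pass through."""
    out = []
    for f in filenames:
        category, reason = classify_attachment(f)
        if category is not None:
            out.append((f, category, reason))
    return out


if __name__ == "__main__":
    # Constructed sample: the names from the post plus benign controls.
    samples = ["KodacDC008.JPG……EXE", "KodacDC004.JPG.EXE",
               "vacation.jpg", "invoice.pdf", "setup.exe"]
    for name, category, reason in flagged_attachments(samples):
        print(f"{name!r}: {category} ({reason})")
```

Splitting on runs of separators rather than on single dots is the point of the example: the padding between `.JPG` and `.EXE` collapses away, so the decoy and the real extension are compared directly, whatever characters were used to push the real one out of view.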


Aug31
by Jhoevine Capicio (Advanced Threats Researcher)

Last year, after the destruction brought by Hurricane Katrina, many Katrina sites popped up asking for money.

Some of them were legitimate, but most were illegal sites robbing good Samaritans of their money; some sites also came with spyware and malware to exploit visiting systems.

See here for a previous blog posting about Katrina.

And now, as Hurricane Ernesto approaches, SANS has noted a spike in domain registrations containing the term “ernesto”.

These are some of the domains they have disclosed:

  • cnnernesto(.com)|(.net)
  • ernestodamage(.com)|(.net)
  • ernestohurrican(.com)|(.net)
  • ernestoinsurance(.com)|(.net)
  • ernestomoney(.com)|(.net)
  • ernestonews(.com)|(.net)
  • ernestopipeline(.com)|(.net)
  • ernestovideo(.com)|(.net)
  • ernestoweather(.com)|(.net)
  • thehurricaneernesto.com

It would be good if we could keep track of these kinds of sites and verify their legitimacy before we have another Katrina on our hands.


Aug31
by Jasper Pimentel (Advanced Threats Researcher)

Just a heads up: there’s new malware on the scene once again, this time with the capability to propagate across desktops and mobile devices. Dubbed “Mobler” in various security reports, this malware has a propagation vector that involves both the Windows and Symbian platforms. It does not actively spread, however. Instead of having a routine to propagate itself across both platforms, it simply drops an executable file on the mobile device’s memory card. When the files on the memory card are browsed from a PC, the dropped file is displayed as a system file, making it possible for an unsuspecting user to execute the malware and trigger the propagation.


As of now we have alerted the respective channels to provide us with samples of this malware for in-depth analysis, so stay tuned for updates.


Update (Jasper, Tue, 05 Sep 2006 01:42:16 PM)

Trend detects this threat as WORM_MOBLER.A. A detection pattern has already been deployed in CPR 3.708.01.


Aug31
by Joey Costoya (Advanced Threats Researcher)

Over the past several months, a new trend has surfaced in email-borne malware. We’re seeing fewer mass-mailers; instead, we’re seeing more trojans arriving through email.

These trojans are not capable of mass-mailing themselves to a bunch of email addresses. They’re usually small programs (typically no more than 5 kB in size) that execute a secondary payload, which can download and execute a file or just set up a backdoor. This begs the obvious question: if these trojans don’t have mass-mailing capability, then how do these critters arrive in our Inbox?

This, of course, means one thing: these malwares are deliberately spammed, in massive quantities. Massively spamming the same malware, however, is not sustainable. A spammer cannot just continuously spam the same malware over a long period of time; it would be just plain expensive. Moreover, once AV firms pick up the sample, systems with AV will be protected within the day.

As is often observed, spam runs of these downloaders last just a day, or at most two. This gives the spammer enough time to reach a multitude of inboxes, and just enough time before the majority of AV vendors can release signatures to detect the new critter. Of the spammed trojans captured over several months, let’s take a look at three.

TROJ_YABE.R was first intercepted late on July 4, 2006. The numbers kept piling up into the next day, after which TROJ_YABE.R was no longer seen being spammed.

Two weeks later, TROJ_DLOADER.DHX made its debut appearance. A LOT was intercepted within the day. But, as with TROJ_YABE.R, TROJ_DLOADER.DHX was never seen again.

Just this week, another malware was heavily spammed: BKDR_HAXDOOR.IL. The spam run started very late on August 28 and peaked the next day. The day after, no more email samples with BKDR_HAXDOOR.IL were seen.

Spammed malware currently dominates the threat landscape. As the number of mass-mailers goes down, expect to see more and more spammed trojans.
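The one-to-two-day burst pattern described above is itself a usable signal for a mail security team: a family whose sightings all fall inside a couple of calendar days is behaving like a spammed downloader, while a self-propagating mass-mailer keeps trickling in for weeks. The following is an added example, not code from the original post or from Trend Micro. It parses a constructed interception log (one line per matched attachment, `<ISO timestamp> <detection name>`), computes each family's activity window and peak day, and flags short bursts. The detection names TROJ_YABE.R, TROJ_DLOADER.DHX and BKDR_HAXDOOR.IL are the ones discussed in the post; the timestamps are made up to mirror the runs described, and WORM_EXAMPLE.A is a hypothetical mass-mailer used as a control.

```python
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample log: "<ISO timestamp> <detection name>" per intercepted
# attachment. Timestamps are invented; WORM_EXAMPLE.A is a hypothetical
# mass-mailer that arrives steadily rather than in a burst.
SAMPLE_LOG = """\
2006-07-04T22:15:03 TROJ_YABE.R
2006-07-04T23:40:11 TROJ_YABE.R
2006-07-05T01:02:45 TROJ_YABE.R
2006-07-05T09:31:00 TROJ_YABE.R
2006-07-05T14:12:58 TROJ_YABE.R
2006-07-19T08:03:21 TROJ_DLOADER.DHX
2006-07-19T08:05:02 TROJ_DLOADER.DHX
2006-07-19T16:44:37 TROJ_DLOADER.DHX
2006-08-28T23:50:09 BKDR_HAXDOOR.IL
2006-08-29T03:11:44 BKDR_HAXDOOR.IL
2006-08-29T11:27:30 BKDR_HAXDOOR.IL
2006-08-29T18:05:12 BKDR_HAXDOOR.IL
2006-07-01T10:00:00 WORM_EXAMPLE.A
2006-07-08T10:00:00 WORM_EXAMPLE.A
2006-07-15T10:00:00 WORM_EXAMPLE.A
2006-07-22T10:00:00 WORM_EXAMPLE.A
"""


class RunSummary(NamedTuple):
    family: str
    first_seen: datetime
    last_seen: datetime
    span_days: int    # calendar days from first to last sighting, inclusive
    peak_day: str     # ISO date with the most sightings
    total: int
    is_spam_run: bool


def parse_log(text: str) -> Dict[str, List[datetime]]:
    """Group sighting timestamps by detection name."""
    sightings: Dict[str, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, family = line.split(maxsplit=1)
        sightings[family].append(datetime.fromisoformat(stamp))
    return sightings


def summarize(sightings: Dict[str, List[datetime]],
              max_run_days: int = 2, min_samples: int = 3) -> List[RunSummary]:
    """Summarize each family's activity window and flag spam-run bursts.

    A family is treated as a spam run when it produced at least min_samples
    sightings and all of them fall within max_run_days calendar days, the
    one-to-two-day window the post describes. Spans are counted in calendar
    days, so a run starting at 23:50 and ending the next afternoon spans 2.
    """
    results = []
    for family, times in sightings.items():
        times = sorted(times)
        per_day = Counter(t.date().isoformat() for t in times)
        span = (times[-1].date() - times[0].date()).days + 1
        peak_day, _ = per_day.most_common(1)[0]
        burst = len(times) >= min_samples and span <= max_run_days
        results.append(RunSummary(family, times[0], times[-1], span,
                                  peak_day, len(times), burst))
    return results


if __name__ == "__main__":
    for r in summarize(parse_log(SAMPLE_LOG)):
        tag = "SPAM RUN" if r.is_spam_run else "sustained"
        print(f"{r.family:18} {r.first_seen.date()} .. {r.last_seen.date()} "
              f"span={r.span_days}d peak={r.peak_day} n={r.total} {tag}")
```

The `min_samples` floor keeps a single stray sighting from being reported as a run; in practice you would tune both thresholds against your own gateway volumes, and a family flagged as a burst is the one worth pushing to analysts quickly, since the window before the spammer moves on is short.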



© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice