In recent weeks, WORM_SOHANAD slowly but surely grew into a major malware family, a force to be reckoned with. Indeed, who would have thought that a malware family with such humble beginnings could single-handedly resurrect IM worms?

From the very start, SOHANAD has appeared to be a focused attack. As it developed, it has taken characteristics that are reminiscent of prominent coordinated, targeted attacks of late, chief among them, LINKOPTIM.

To illustrate, I thus trace the development of SOHANAD and its relatives:

September 13- TROJ_AGENT.EVJ was discovered to arrive through an instant message that reads, “Let’s vote for Miss Vietnam – Mai Phuong Thuy – for the upcoming Miss World championship…”.

October 3- The very first SOHANAD worm was discovered in the wild. It propagated through Yahoo! Messenger. It looked like a continuation of the TROJ_AGENT.EVJ attack, because, among others, it used the message “the lastest picture of our upcoming Miss World 2006″, conforming to the fact that the beauty pageant had already taken place. In fact, WORM_SOHANAD.A was very similar to TROJ_AGENT.EVJ in terms of payload. It changed the Internet Explorer home page and modified the registry to prevent the user from reverting to the preferred home page. It also disabled Registry Editor and Task Manager, and changed Yahoo! Messenger settings, such that affected users may mistakenly access a malicious Web site when executing targeted Yahoo! programs.

October 3- An HTML script was discovered hosted on a certain Web site. When the said Web site is accessed, the script, detected as HTML_SOHANAD.A, downloads a copy of WORN_SOHANAD.A.

October 4- WORM_QUATIM.A was discovered propagating via Yahoo! Messenger using a rather long instant message in Vietnamese. Its payloads are also similar to both TROJ_AGENT.EVJ and WORM_SOHANAD.A.

October 4- The first variant of SOHANAD was discovered. Like its predecessor, WORM_SOHANAD.B also propagated via Yahoo! Messenger, but it also used other popular instant messaging applications, such as AOL Instant Messenger and Windows Live Messenger. It also uses more instant messages, including the message used by TROJ_AGENT.EVJ.

October 5- Another variant was discovered. WORM_SOHANAD.C used 23 different instant messages.

October 6-12- Four more variants were discovered. Notably, WORM_SOHANAD.H used instant messages that promised links to the Web site of a popular male Vietnamese singer.

October 20- The most complex variant to date was discovered. WORM_SOHANAD.I uses only a handful of instant messages, but carries more payloads. The first antivirus retaliation also appears with this variant (it terminates security-related processes). New samples would later on be discovered to reveal a coordinated attack.

October 23- Instant messages containing a link were mass-spammed via instant messaging. The link points to a Web site where a script was hosted. The script, detected as VBS_ADODB.AE downloads a copy of WORM_SOHANAD.I onto systems. Another script, JS_WONKA.N was also discovered hosted on another Web site. It, too, downloaded WORM_SOHANAD.I.

October 23- New samples of WORM_SOHANAD.I were discovered. These samples exploited the Data Access Components (MDAC) Function vulnerability to access a Web site where JS_WONKA.N was hosted. The JavaScript then downloads a copy of the worm onto the system, completing an infection cycle reminiscent of the WORM_BAGLE-TROJ_BAGLE and WORM_FEEBS-JS_FEEBS partnerships.

October 23- The latest variant was discovered. WORM_SOHANAD.J downloads files, including a copy of itself and a Trojan downloader.

This quick look at the short history of SOHANAD thus far shows the fast pace with which the family has developed. From the first SOHANAD worm that seemed to be a common IM-propagating worm, it has grown to a family that enlists the help of other components, each playing a role that contributes to the whole attack.

The earlier variants unmistakably targeted the Vietnamese computing population. More recent variants, notably the .I and the .J variants lost that Vietnamese character in terms of the instant messages they use. But it appears more and more coordinated in other aspects.

The use of not one but two scripts to help spread WORM_SOHANAD.I makes it a carefully planned, coordinated strike, which is characteristic of targeted attacks. These attacks do not hope to hit it big, the way malware in the outbreak era did; they instead purposely stage the attack to achieve their end. In these kinds of attack, a multi-component approach is key.

WORM_SOHANAD.I takes it even farther by bringing an exploit to the equation, making the infection more complex than ever.

The latest variant, WORM_SOHANAD.J, carries another payload that is at the heart of all targeted attacks: Trojan downloaders. In the outbreak era, worms reigned supreme, because they have the capability to infect whole networks and spread across geographic regions. In this age of targeted attacks, however, worms have receded into the periphery; with the fast advancement and increased proactive action from antivirus products, worms have become too easy to catch. They have given way to the true big shots of the day.

Trojan downloaders quietly sneak into systems. Today, mass-spamming has become a very important tool for malicious attackers, because that is how they get Trojan downloaders into systems. Once the mass-spamming is done, there is no way for antivirus products to discern that something malicious has transpired. In fact, unless a very smart customer finds out about the file of dubious nature, there is no way for antivirus outfits to get a sample of the file for analysis. This is what the Incident Response Team at Trend Micro refers to as a spiked attack. It doesn’t spread. Instead, it proceeds with its download routine, and then its job is done. Its part in the concerted strike has been achieved.

The downloaded files can be other threats that have other parts to play, all helping in a coordinated attack. Before long, the attack has become so complex that the user is caught in a sticky situation.

This is exactly how the LINKOPTIM incident in Italy got so huge. By sharing similar characteristics, namely, the unmistakable focus on the Vietnamese computing population (LINKOPTIM targeted Italy), the coordinated strike (LINKOPTIM employed downloaders, downloaders, rootkits, spammers, etc), and the prominent use of downloaders, SOHANAD is not just a common IM worm anymore.

SOHANAD arguably has become the most prominent malware of the month. Still very young, with just nine variants and a handful of components to date, it is showing potential for becoming a full-blown concerted, focused attack. The only other thing that SOHANAD has to do to consummate its strike is achieve what all target attacks ultimately achieve: monetary gain. And with the great capacity for improvement that it has shown throughout its very short history, and with downloaders already in the equation, that’s not very hard to do.

Gear up, everyone. Looks like we ain’t seen nothing yet.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!

Secunia released an advisory discussing IE 7’s Popup Address Bar weakness to Spoofing.

The url in the address bar of the popup can be padded with special characters to show only a portion of the complete url thereby misleading the user to be spoofed.

Secunia came up with a test page to check if your IE 7 is vulnerable. You may check out their test page here.

It is always advisable not to follow links from untrusted sources to prevent from being victimized by phishers and scammers.

Well I’m not actually one to squirm or shiver when it comes to ghosts and ghouls and ‘the undead’ that they say rise from the underground and comes out during the night of the 31st of October. It’s quite another thing that I’m pretty anxious about… and it’s really much more ghastly and hellish (in my point of view that is).

What I’m talking about are malwares – and those malware authors who use special events, such as the coming Halloween, as a social engineering ploy to fool unsuspecting users to say, click on a website that’s part of a search query they just made via Google, allowing a bunch of exploits, malwares and spywares to infiltrate the users’ systems – just like a whole gamut of evil spirits that will reside and continually haunt your environment… And this is just what will happen exactly if we didn’t discover the website described below and promptly released solutions for this ghoulish scheme as early as possible.

The site in question is one of the top query results when you search for “Halloween Sites”in Google. Shown below is the top banner that users will see upon entering the site.

And when users click on this link, they’ll find themselves being redirected to URLs using IFRAMEs found at the bottom of the site. These URLs, using malicious scripts, will infect systems with a devilish trojan downloader that uses the filename of win32.exe. The malicious scripts exploit known vulnerabilities which include but are not limited to:

• COM Object Instantiation Memory Corruption Vulnerability – CAN-2005-2127
  
• Microsoft Windows MDAC Vulnerability – CVE-2006-0003
  
• Cursor and Icon Format Handling Vulnerability – CAN-2004-1049
  
• Graphics Rendering Engine Vulnerability – CVE-2005-4560 (aka the WMF vulnerability)

Shown below are snapshots of one of the sites in question where the scripts are escaped and then finally decoded to reveal some of the exploits being used.

The win32.exe file, which can be classified as a variant of TROJ_GALAPOPER, downloads more ghoul codes in the form of JPEG files, which are variants of TROJ_TIBS. These files are actually also downloader executables, embedded inside a .jpg file format. All of these files will install themselves in the system, leaving the computer being compromised by a remote hacker somewhere in Russia. And what’s more, AV detection rate is quite low for the trojans described above. It’s a good thing though, that Trend Micro detects these malwares and also blocks the malicious URLs in its product implementations.

Sneaky?… Yes it is… But the term I prefer to use is Ssscary… Booooooo…

After all, it’s a Halloween Site, right? And if you are afraid of (not of ghosts or ghouls) but of exploits, malwares and spywares that will hound your system, better be careful when browsing unknown sites, this Halloween and everytime for that matter!

NOTE: The site is alive and hosting malcode up to the time of this writing and has been reported to the proper authorities for take down.

A proof of concept code for a zero-day vulnerability for myspace.com has just emerged. This vulnerability makes use of XSS fragmentation, which is a seldom used but effective technique that can be employed against social networking sites such as myspace.com.

In XSS fragmentation, script code consists of multiple chunks, instead of a whole unit. By placing the code in fragments, they are less likely to be flagged as a security threat by automated filters or firewalls. XSS fragmentation allows an attacker to inject script code into various sections in a website. In the case of myspace, an attacker could place malicious script code in the user interests section for music and film. Of course, any devious attacker can employ social engineering to maximize the impact of this vulnerability.

Myspace.com is particularly vulnerable because it allows a large volume of user-defined content to be uploaded. Unless such volume of content can be filtered thoroughly, there is always the possibility of uploading content that contains malicious code that could be executed on the user’s system via the web browser.

Darkreading provides us with the in-depth facts of this vulnerability. A working example of this proof of concept can be seen here.

For years, the Metasploit project has churned up more than a handful of exploit codes. These exploit codes are based from vulnerability researches from the open-source community. Initially, the software vendors are the most affected by the outputs of these exploit codes – forcing Microsoft, Apple or Mozilla to issue urgent patches to address discovered vulnerabilities.

On the other side of the coin, malware authors are quick to abuse these vulnerabilities. They (malware authors), make use of exploit codes to gain access to an unpatched software. This is where security vendors come into play. Through pattern updates and heuristic detection, anti-virus companies race to detect known exploit codes to protect its consumer base.

However, with the release of the VoMM (eVade-o-Matic Module), the challenge is now shifting from the software vendor to the security company. VoMM is an automated module developed in part by Metasploit (with LMH from Info-pull.com and Aviv Raff), that aims to make exploit codes undetectable by anti-virus vendors. VoMM is initially designed for Javascript based exploits in general, but I think it will be only a matter of time for Metasploit to extend VoMM to other non-binary exploits.

In order to make exploits generated by VoMM undetectable, VoMM employs the following techniques:

1. White-space randomization
   
2. String obfuscation and encoding
   
3. Random comments; placement and manipulation of existing ones
   
4. Block randomization
   
5. Variables and function names randomization
   
6. Integer and miscellaneous variables obfuscation
   
7. Function pointer reassignment

In general, the techniques mentioned above are already being implemented by malware authors. What VoMM does is to make it easier for script-kiddies to employ these techniques. This scenario will definitely raise the bar for the anti-virus community for stronger scan engines, since the demand for filtering out white-strings and comments, and the ability to obfuscate and trace randomized variables will be commoditized.

I’ve always believed that adversity is needed for something to evolve. The cheetah became the fastest land animal chasing the gazelle, the second fastest. It is through challenges posed by the environment that we become better at what we do. VoMM is one such challenge.