
Archive for October 18th, 2006


Oct18

Here’s a little update on the latest 0-day threat related to the MS PowerPoint vulnerability.


This vulnerability can only be exploited by opening a specially crafted PowerPoint file; thus, we need to be cautious when receiving and opening PowerPoint files, especially if they come from untrusted sources.


As of this writing, there is no official security patch issued by the vendor yet, and there have been no reported incidents found in the wild. Fortunately, Trend Micro has already had a solution for this vulnerability since October 13, 2006.


The Proof-of-Concept exploit (PERL_AKINA.A) which appeared on milw0rm, and the specially crafted PowerPoint file (TROJ_AKINA.A) generated by the PoC exploit script, have already been added to the detection patterns of Trend Micro products to protect its customers from malware based on this exploit.

 

Oct18
by Ivan Macalintal (Advanced Threats Researcher)



Yes, especially if you got one of those Apple Video iPod units that were manufactured after September 12, according to a report from CNET.


Although the worm does not affect Macs or iPods, the worm found on the iPod units was a Windows-based worm that can propagate via mapped drives and has backdoor capabilities that can leave Windows systems compromised. Because of this propagation feature, it is possible that during production of the affected units the iPods were infected by a copy of the worm already present on an infected system, when the iPods were hooked up or plugged in for testing purposes or whatnot.


It’s a good thing though that Trend Micro has detected this as WORM_SIWEOL.A since May 2006, and customers can be assured that this free worm-in-an-iPod will not get in the way of their listening sprees.




 

Oct18
by Sheryll Tiauzon (Advanced Threats Researcher)

For the past few months our honeypots haven’t been getting a lot of malwares, unlike before when we’d get worms or trojans a dime a dozen. Now we have the occasional 1 or 2-day spikes where we get, say, one malware variant but spammed by the boatload!


For example, starting early last night, we’ve gotten well over 8500 samples (and still counting, of course..) of a backdoor Haxdoor variant (BKDR_HAXDOOR.KW). And just a little over an hour ago we started receiving a TROJ_YABE variant (TROJ_YABE.AG) at the same alarming rate (now over 1000 samples in just a couple of hours). You’d think these guys are either in cahoots or there’s some sort of virus war going on (Hehe..). The samples arrive most likely via email, the first containing the file “die_rechnung.exe” as an attachment and the other containing the file “Telekom.pdf.exe”.


Now I’m assuming that at some point over the past few months we’ve all heard the term “Targeted Attacks”, but up until now the exact definition (if there ever is one) remains unclear. Even I can’t come up with my own definition of what constitutes a targeted attack. For example, the two cases we received last night: can they be classified as targeted attacks?


Despite the fact that the concept of targeted attacks remains relative to the individual, one thing is quite obvious: there have been increased reports of such activities. The downside I see in these kinds of attacks is that they’re harder to spot, and as a result harder to defend against. The more widespread a particular malware is, the easier it is for AV vendors to pick it up and create patterns for it. However, if the virus just attacks, say, one particular corporation, it’ll be harder to get samples of it, especially if the targeted company doesn’t even realize that it’s already been compromised.

 

Oct18
by Ryan Flores (Advanced Threats Researcher)

McDonald’s Japan has recalled around 10,000 MP3 players that were given out as promotional prizes, according to a statement released by the company last Friday, October 13, 2006.


The recall is due to the fact that some of the MP3 players were found to be infected with WORM_QQPASS.ADH. This worm propagates through removable drives, which is the most probable route of infection.


This worm will automatically execute once the infected MP3 player is plugged into the user’s USB port. This is caused by the autorun.inf file dropped by the malware, which is designed to execute the worm.
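To make the autorun.inf mechanism concrete, here is an added example (not Trend Micro's code and not tied to the specific worm above) that parses the INI-style autorun.inf on a removable drive and flags the keys Windows AutoRun honours for launching a program (open, shellexecute and the shell verb command keys). The two sample files, the extension list and the function names are constructed for this example.

```python
"""Audit the autorun.inf on a removable drive for entries that would launch a program.

Added illustration, not Trend Micro's tooling. It parses the INI-style
autorun.inf format and reports the keys that AutoRun uses to run a command,
which is how a worm dropped on a USB device gets executed on plug-in.
"""
import configparser
from pathlib import Path, PureWindowsPath
from typing import Dict, List

# File extensions that denote a directly runnable target. Constructed for this
# example; extend it to match local policy.
LAUNCH_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section with keys lower-cased.

    Section and key names are case-insensitive on Windows, so both are folded.
    Interpolation is disabled because values such as %SystemRoot% are literal,
    and strict=False tolerates the duplicate keys often seen in dropped files.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower  # configparser's default, made explicit
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "autorun":
            return dict(parser.items(section))
    return {}


def is_launch_key(key: str) -> bool:
    """True for the keys AutoRun uses to run a command (open, shellexecute, shell\\<verb>\\command)."""
    if key in ("open", "shellexecute"):
        return True
    return key.startswith("shell\\") and key.endswith("\\command")


def target_of(command: str) -> str:
    """Extract the program path from a command line: the quoted part or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_entries(entries: Dict[str, str]) -> List[str]:
    """List launch keys whose target is a runnable file, as 'key=value' strings."""
    findings = []
    for key, value in entries.items():
        if not is_launch_key(key):
            continue
        suffix = PureWindowsPath(target_of(value)).suffix.lower()
        if suffix in LAUNCH_EXTENSIONS:
            findings.append(f"{key}={value}")
    return findings


def audit_drive(root: Path) -> List[str]:
    """Audit <root>/autorun.inf if it exists; an absent file yields no findings."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    return suspicious_entries(parse_autorun(inf.read_text(encoding="utf-8", errors="replace")))


# Constructed sample modelled on worm-dropped autorun.inf files (not a real artifact).
WORM_STYLE_AUTORUN = """[AutoRun]
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign sample: icon and label only, nothing is launched.
BENIGN_AUTORUN = """[autorun]
icon=player.ico
label=MP3 Player
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_STYLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, suspicious_entries(parse_autorun(sample)) or "no launch entries")
```

A flagged entry is a review trigger rather than a verdict: a legitimate installer CD may also carry `open=setup.exe`, so the useful policy is to disable AutoRun for removable media and treat any launch entry on a consumer device such as an MP3 player as unexpected.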


There are two other Trojan-type malwares that were reportedly found on some of the MP3 players: TROJ_AGENT.FAO and TROJ_BANLOAD.BGE. The presence of these two malwares may mean that the image used by the MP3 player supplier was already infected.


McDonald’s Japan promptly recalled the promotional MP3 players and opened its phone lines for inquiries.


Trend Micro released OPR 3.845.00 late Friday night to detect all three malwares and prevent any further infection.

 

Oct18
by Ryan Flores (Advanced Threats Researcher)

Some malwares have evolved from being strictly a file infector, worm, backdoor, or Trojan into something like a cross-breed of each. For example, we have PE_LOOKED, a file infector that propagates to shared folders (worm attribute) and downloads variants of TSPY_LINEAGE/TSPY_WOW(CRAFT)/TSPY_AGENT (Trojan attribute). From PE_LOOKED’s behaviour, we can formulate the theory that its ultimate goal is not to propagate itself, but to act as the propagation vector for TSPY_LINEAGE/TSPY_WOW(CRAFT)/TSPY_AGENT.


However, other malwares took a different evolutionary route. Instead of becoming do-it-all malware like PE_LOOKED, some malwares developed into specialized components. Take for example the TROJ_AGENT family of malwares. These are custom Trojan downloaders that act as specialized download components, usable as a seeding component to download other malwares onto the infected system.


Though the two evolutionary approaches differ, what they have in common is the use of multiple malware components. The infected system is infected not only by PE_LOOKED or TROJ_AGENT, but also by the other malware(s) they were able to download.


This type of infection makes manual cleaning tedious and automated cleaning complicated. To make matters worse, the downloaded files may vary. So, for as long as the root downloader is present, AV solutions are playing catch-up, cleaning up the other malwares constantly added by the root downloader.


Now, you may be asking: how frequently is the file to be downloaded changed? Often.


For two weeks running, TMIRT has been monitoring certain malware download URLs used by PE_LOOKED, TROJ_AGENT, PE_VBAC, TROJ_DLOADER, TROJ_LINKOPTIM, and WORM_SOHANAD. The variants of these malwares were carefully chosen based on infection reports from the regions they infect. Below are the data from the two-week observation we made …


WEEK 1:

TROJ_AGENT.API

  • http://[blocked].debelizombi.com/pl.php - WORM_SPYBOT.MO

PE_LOOKED.FT-O

  • http://60.190.222.233/[blocked]/maaa1.exe - TSPY_LINEAGE.BGT
  • http://60.190.222.233/[blocked]/maaa3.exe - TROJ_AGENT.FKA
  • http://60.190.222.233/[blocked]/maaa1.exe - TSPY_LINEAGE.CCP

WORM_SOHANAD.C

  • http: //66.98.138.31/[blocked]/giaitri/tm.exe

TROJ_LINKOPTIM

  • http:// 81.177.3.[blocked]/images/image.gif - TROJ_ABWIZ
  • http:// 81.177.3.[blocked]/images/image.gif - TROJ_AGENT.FKK
  • http:// 81.177.3.[blocked]/images/image.gif - TROJ_AGENT.FKM
  • http:// 81.177.3.[blocked]/images/image.gif - TROJ_AGENT.FKL
  • http:// 81.177.3.[blocked]/images/image.gif - TROJ_ABWIZ.BV
  • http:// 81.177.3.[blocked]/images/image.gif - TROJ_ABWIZ.BS
  • http:// 81.177.3.[blocked]/images/image.gif - TROJ_ABWIZ.BR

TROJ_DLOADER.DST

  • 81.95.146.[blocked]winudu.exe - TROJ_AGENT.FJY

TROJ_GALAPOPE.BR/BQ

  • http:// megacount.[blocked]/proxy.jpg - TROJ_TIBS.LF
  • http:// megacount.[blocked]/tool.jpg - TROJ_TIBS.LF
  • http:// megacount.[blocked]/tibs.jpg - TROJ_TIBS.LF
  • http:// megacount.[blocked]/winlogon.jpg - TROJ_TIBS.LF
  • http:// megacount.[blocked]/search.jpg - TROJ_TIBS.LF

For the first week of monitoring, the TROJ_LINKOPTIM and TROJ_GALAPOPE related download sites were updated frequently, at a rate of almost 1 update per day.


WEEK 2:

TROJ_AGENT.API

  • [blocked].debelizombi.com/pl.php - WORM_SPYBOT.MS, WORM_SPYBOT.PA, WORM_SPYBOT.FT, WORM_RBOT.LQ, WORM_SPYBOT.RJ, WORM_SPYBOT.MO, WORM_SPYBOT.PY, WORM_SPYBOT.PX, WORM_SPYBOT.PW, WORM_SPYBOT.PZ, WORM_SPYBOT.PS

PE_LOOKED.FT-O

  • 60.190.222.233/[blocked]/maaa1.exe - TSPY_LINEAGE.DAV, TSPY_AGENT.FNS
  • 60.190.222.233/[blocked]/maaa2.exe - TSPY_AGENT.FNT

The most notable difference between week 1 and week 2 is the number of updated sites. Most of the download URLs are now down or are not updating. This is in stark contrast with the data from the first week, especially for TROJ_LINKOPTIM, where the rate of update dropped from 1 update per day to none for the whole week.


Also, the TROJ_AGENT.API download URL went into overdrive on its file download updates. In the span of 1 week, we monitored at least 11 unique updates to the file being downloaded. It is also worth mentioning that the downloaded files are BOT variants; this means that every infection of TROJ_AGENT.API will produce a different accompanying BOT, depending on the date of the TROJ_AGENT.API infection!
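The week-1 versus week-2 comparison above is easy to reproduce mechanically. The following added example (not TMIRT's tooling) transcribes the two weekly lists into records and computes per-downloader update counts, per-day update rates and the set of URLs that went quiet. Two assumptions are mine: an "update" is a distinct (URL, payload detection) pair seen for a downloader in a given week, and since the post gives no day-level timestamps, rates are computed against a 7-day week. The URLs are copied from the post with the stray spaces removed.

```python
"""Summarise downloader-URL monitoring into per-week update counts and rates.

Added illustration, not TMIRT's tooling. Records are transcribed from the
post's WEEK 1 / WEEK 2 lists. An "update" is a distinct (URL, payload
detection) pair seen for a downloader in a given week; rates assume a 7-day
week because the post gives no day-level timestamps.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Observation:
    week: int               # monitoring week as labelled in the post
    downloader: str         # root downloader whose URL was watched
    url: str                # defanged URL as written in the post (stray spaces removed)
    payload: Optional[str]  # detection name of the served file; None where the post names none


OBSERVATIONS = [
    Observation(1, "TROJ_AGENT.API", "http://[blocked].debelizombi.com/pl.php", "WORM_SPYBOT.MO"),
    Observation(1, "PE_LOOKED.FT-O", "http://60.190.222.233/[blocked]/maaa1.exe", "TSPY_LINEAGE.BGT"),
    Observation(1, "PE_LOOKED.FT-O", "http://60.190.222.233/[blocked]/maaa3.exe", "TROJ_AGENT.FKA"),
    Observation(1, "PE_LOOKED.FT-O", "http://60.190.222.233/[blocked]/maaa1.exe", "TSPY_LINEAGE.CCP"),
    Observation(1, "WORM_SOHANAD.C", "http://66.98.138.31/[blocked]/giaitri/tm.exe", None),
    *[Observation(1, "TROJ_LINKOPTIM", "http://81.177.3.[blocked]/images/image.gif", p)
      for p in ("TROJ_ABWIZ", "TROJ_AGENT.FKK", "TROJ_AGENT.FKM", "TROJ_AGENT.FKL",
                "TROJ_ABWIZ.BV", "TROJ_ABWIZ.BS", "TROJ_ABWIZ.BR")],
    Observation(1, "TROJ_DLOADER.DST", "81.95.146.[blocked]winudu.exe", "TROJ_AGENT.FJY"),
    *[Observation(1, "TROJ_GALAPOPE.BR/BQ", f"http://megacount.[blocked]/{f}", "TROJ_TIBS.LF")
      for f in ("proxy.jpg", "tool.jpg", "tibs.jpg", "winlogon.jpg", "search.jpg")],
    *[Observation(2, "TROJ_AGENT.API", "[blocked].debelizombi.com/pl.php", p)
      for p in ("WORM_SPYBOT.MS", "WORM_SPYBOT.PA", "WORM_SPYBOT.FT", "WORM_RBOT.LQ",
                "WORM_SPYBOT.RJ", "WORM_SPYBOT.MO", "WORM_SPYBOT.PY", "WORM_SPYBOT.PX",
                "WORM_SPYBOT.PW", "WORM_SPYBOT.PZ", "WORM_SPYBOT.PS")],
    Observation(2, "PE_LOOKED.FT-O", "60.190.222.233/[blocked]/maaa1.exe", "TSPY_LINEAGE.DAV"),
    Observation(2, "PE_LOOKED.FT-O", "60.190.222.233/[blocked]/maaa1.exe", "TSPY_AGENT.FNS"),
    Observation(2, "PE_LOOKED.FT-O", "60.190.222.233/[blocked]/maaa2.exe", "TSPY_AGENT.FNT"),
]

Key = Tuple[str, int]  # (downloader, week)


def updates_by_downloader(obs=OBSERVATIONS) -> Dict[Key, Set[Tuple[str, Optional[str]]]]:
    """Group the distinct (url, payload) updates by (downloader, week)."""
    seen: Dict[Key, Set[Tuple[str, Optional[str]]]] = defaultdict(set)
    for o in obs:
        seen[(o.downloader, o.week)].add((o.url, o.payload))
    return seen


def update_rate(downloader: str, week: int, obs=OBSERVATIONS, days: int = 7) -> float:
    """Distinct updates per day for one downloader in one week (0.0 if none were seen)."""
    return len(updates_by_downloader(obs).get((downloader, week), set())) / days


def week_over_week(obs=OBSERVATIONS) -> Dict[str, Tuple[int, int]]:
    """Map each monitored downloader to its (week 1, week 2) update counts."""
    grouped = updates_by_downloader(obs)
    downloaders = sorted({d for d, _ in grouped})
    return {d: (len(grouped.get((d, 1), set())), len(grouped.get((d, 2), set())))
            for d in downloaders}


def went_quiet(obs=OBSERVATIONS) -> Set[str]:
    """Downloaders with updates in week 1 but none in week 2.

    The records cannot distinguish a site that is down from one that simply
    stopped updating; both show up here.
    """
    return {d for d, (w1, w2) in week_over_week(obs).items() if w1 and not w2}


if __name__ == "__main__":
    for d, (w1, w2) in week_over_week().items():
        print(f"{d:22} week1={w1:2} ({update_rate(d, 1):.2f}/day)  week2={w2:2} ({update_rate(d, 2):.2f}/day)")
    print("went quiet in week 2:", sorted(went_quiet()))
```

With the post's own data this reproduces its conclusions: TROJ_LINKOPTIM drops from 1.00 updates per day to 0.00, TROJ_AGENT.API rises from 1 to 11 updates, and four of the six week-1 sites show no activity in week 2. Counting distinct (URL, payload) pairs rather than payload names alone is what makes TROJ_GALAPOPE's five same-detection files register as five updates, matching the "almost 1 update per day" description.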


Digesting the data we gathered from only two weeks of monitoring helped us realize a lot of things about the current malware landscape and the advantages and limitations of current solutions. Blocking malware-related sites definitely prevents further infection, but stronger generic detection is also needed.


Having a clearer view of how malwares operate will definitely help Trend Micro formulate better solutions and come up with better products that protect our customers from malwares as complicated as the ones we’re seeing now.


As malwares evolve, so does Trend Micro!

 

