Archive for October 24th, 2006


Oct24
by Ryan Flores (Advanced Threats Researcher)

For years, the Metasploit project has churned out a good number of exploit modules, built on vulnerability research from the open-source community. Initially, software vendors are the ones most affected by these exploits: they force Microsoft, Apple or Mozilla to issue urgent patches for the vulnerabilities they demonstrate.


On the other side of the coin, malware authors are quick to abuse these vulnerabilities. They make use of the exploit code to gain access to unpatched software. This is where security vendors come into play: through pattern updates and heuristic detection, anti-virus companies race to detect known exploit code to protect their customer base.


However, with the release of VoMM (eVade-o-Matic Module), the challenge is shifting from the software vendor to the security company. VoMM is an automated module developed in part by Metasploit (with LMH of Info-pull.com and Aviv Raff) that aims to make exploit code undetectable by anti-virus products. VoMM is initially designed for JavaScript-based exploits, but I think it will only be a matter of time before Metasploit extends VoMM to other non-binary exploits.


To make the exploits it generates undetectable, VoMM employs the following techniques:



  1. White-space randomization
  2. String obfuscation and encoding
  3. Random comments; placement and manipulation of existing ones
  4. Block randomization
  5. Variables and function names randomization
  6. Integer and miscellaneous variables obfuscation
  7. Function pointer reassignment

In general, the techniques listed above are already used by malware authors. What VoMM does is make it easy for script kiddies to employ them. This will definitely raise the bar for the anti-virus community and call for stronger scan engines, since filtering out random white space and comments, decoding obfuscated strings, and tracing randomized variable names will become routine requirements.
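To make the list concrete, here is an added example (not VoMM's or Metasploit's code) that applies toy versions of techniques 1, 2, 3 and 5 to a harmless, constructed script, and then shows the scanner side: the canonicalization a scan engine needs before a byte-pattern signature means anything again. The sample script, the seeded PRNG, the FNV-1a stand-in for a signature hash, and every helper name (`sprinkle`, `normalize`, `demo`, `SAMPLE`, and so on) are invented for this demonstration.

```javascript
// Added example, not VoMM's code: toy evasion transforms on a constructed
// harmless script, plus the normalization a scanner needs to undo them.
// All names here are invented for the demo.

// Deterministic PRNG (mulberry32) so that one seed reproduces one variant;
// the real tool is described as random, which is the whole point against signatures.
function makeRng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function randomName(rng) {
  let s = "_";
  for (let i = 6 + Math.floor(rng() * 6); i > 0; i--) {
    s += "abcdefghijklmnopqrstuvwxyz"[Math.floor(rng() * 26)];
  }
  return s;
}

// Technique 5: variable and function name randomization (whole-word replace).
function renameIdentifiers(src, names, rng) {
  return names.reduce(
    (out, n) => out.replace(new RegExp("\\b" + n + "\\b", "g"), randomName(rng)),
    src
  );
}

// Technique 2: string encoding, "abc" -> String.fromCharCode(97,98,99).
// The toy only handles double-quoted literals without escape sequences.
function encodeStrings(src) {
  return src.replace(/"([^"\\]*)"/g, (_, s) =>
    "String.fromCharCode(" + [...s].map((c) => c.charCodeAt(0)).join(",") + ")"
  );
}

// Techniques 1 and 3: random white space and throw-away comments between statements.
function sprinkle(src, rng) {
  return src.split(";").map((stmt) => {
    const pad = " ".repeat(Math.floor(rng() * 4)) + (rng() < 0.5 ? "\n" : "");
    const comment = rng() < 0.7 ? "/*" + randomName(rng) + "*/" : "";
    return pad + comment + stmt;
  }).join(";");
}

function obfuscate(src, names, seed) {
  const rng = makeRng(seed);
  return sprinkle(encodeStrings(renameIdentifiers(src, names, rng)), rng);
}

// ---- scanner side: mechanically undo what the transforms did ----------------
const RESERVED = new Set(["var", "function", "return", "String", "fromCharCode"]);

function normalize(src) {
  const stripped = src
    .replace(/\/\*[\s\S]*?\*\//g, "")      // drop block comments
    .replace(/\/\/[^\n]*/g, "")            // drop line comments
    .replace(/String\.fromCharCode\(([\d,\s]*)\)/g, (_, codes) =>   // fold literals back
      '"' + codes.split(",").filter((c) => c.trim()).map((c) => String.fromCharCode(+c)).join("") + '"')
    .replace(/\s+/g, " ")                  // collapse white space
    .trim();
  // Alpha-rename identifiers in order of first appearance; string literals pass through.
  const seen = new Map();
  return stripped.replace(/"[^"]*"|[A-Za-z_$][\w$]*/g, (tok) => {
    if (tok.startsWith('"') || RESERVED.has(tok)) return tok;
    if (!seen.has(tok)) seen.set(tok, "v" + seen.size);
    return seen.get(tok);
  });
}

// 32-bit FNV-1a over the canonical form stands in for a real signature hash.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}
const signature = (src) => fnv1a(normalize(src));

// Constructed harmless sample standing in for an exploit body.
const SAMPLE =
  'var greeting = "hello"; function greet(who) { return greeting + " " + who; } return greet("world");';
const SAMPLE_NAMES = ["greeting", "greet", "who"];

// Returns the variant plus the three checks a scanner author cares about.
function demo(seed) {
  const variant = obfuscate(SAMPLE, SAMPLE_NAMES, seed);
  return {
    variant,
    sameBehaviour: new Function(variant)() === new Function(SAMPLE)(),
    rawBytesMatch: variant === SAMPLE,                      // what a naive byte signature sees
    signatureMatch: signature(variant) === signature(SAMPLE), // after normalization
  };
}

console.log(demo(1));
```

Every variant produced by `demo` behaves identically to `SAMPLE` and differs from it and from every other seed byte-for-byte, so a raw pattern over the original bytes misses all of them, while the signature over the normalized form matches. Technique 4 (block randomization) and 7 (function pointer reassignment) are deliberately left out: undoing those needs a real parser, not regular expressions, which is exactly why the post expects scan engines to have to get stronger.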


I’ve always believed that adversity is needed for something to evolve. The cheetah became the fastest land animal chasing the gazelle, the second fastest. It is through challenges posed by the environment that we become better at what we do. VoMM is one such challenge.

 

Oct24
by Paul Oliveria (Technical Communications)

After the “success” of WORM_STRAT.DR yesterday, its inevitable twin was bound to show up sooner or later. With the detection of WORM_STRAT.DX today, it is clearly “sooner” rather than “later”.


Like the .DR variant, this new STRATION worm arrives on a system as a file downloaded by its manually spammed Trojan counterpart (TROJ_STRAT.DX). Given the sudden surge of infection reports (mainly from Japan, Taiwan, and China) and the email samples received, this appears to be another “spiked attack”. What differs between the two variants, however, is the domain from which they download additional components. Yesterday it was vedasetionderun.com for WORM_STRAT.DR. Since that domain is most probably already blocked by most security companies, WORM_STRAT.DX uses another one: hertionkadesinpoion.com.


From the looks of things, a new STRATION strategy seems to be in the works. Blame it on the recent cameo appearance of MYTOB, because here’s what I think: after all those comparisons between STRATION and MYTOB (i.e., STRATION is the new MYTOB), the sudden reappearance of the latter reminded us that MYTOB may be old, but it still packs a punch. Placed beside the “original”, STRATION looked like a pathetic copycat.


Uh-oh. Are we looking at another worm war? Let’s hope not.

 

Oct24
by Ryan Flores (Advanced Threats Researcher)

For a brief period today, TMIRT honeypots received multiple samples of TROJ_STRAT.DR. In what seems to be another “spiked” attack, TROJ_STRAT.DR was aggressively spammed, recompiled, then spammed again. This resulted in at least 10 variations of the malware, each with a different MD5 but the same behavior.


TROJ_STRAT.DR is a Trojan downloader that copies heavily from its worm sibling: the same timing (a few days after Microsoft’s Patch Tuesday), the same e-mail details (pretending to be a patch from Microsoft), and the same attachment file name format (UPDATE-KBxxxx-x86).


This Trojan downloads WORM_STRAT.DR from the VEDASETIONDERUN.COM domain. Interestingly, the domain was created only yesterday, October 18, 2006. It seems the domain was created for the sole purpose of hosting downloadable STRAT variants.


OPR 855 was quickly released to protect Trend Micro customers from this malware.

 

Oct24
by Ivan Macalintal (Advanced Threats Researcher)

No, there’s no typo in the title above… But I can understand your surprise! (Smirk!)


In our world of antivirus products cleaning Trojans and viruses off infected systems, what could be crazier (but also, I might say, more ingenious) than a Trojan that installs an antivirus on your system?!?


But yes! It is true… and Trend detects this Trojan as TROJ_AGENT.BGK.


This Trojan, whose main purpose is to send spam from the infected computer, installs an antivirus on the infected system by downloading a pirated copy of Kaspersky Antivirus. It then patches KAV’s license signature check and lets the antivirus scan the system, skipping the Trojan itself and its components WHILE flagging and deleting any other malware it finds. The Trojan obviously uses this technique against rival Trojans that may also infect the system and take a share of the pickings… Apparently, for this greedily ingenious Trojan, two or more cannot play at this game… ;)


What a dilemma for Kaspersky though… Talk about a free marketing stunt from the bad guys!


More from Joe Stewart of SecureWorks.

 

Oct24
by Roberto Tayag (Threats Analyst)

Microsoft has released its much-awaited (I’m not sure if this is true) Internet Explorer 7, and less than 24 hours later its first vulnerability has been posted. Secunia released information regarding this new IE7 vulnerability. According to them, it is caused by an error in the handling of redirections for URLs using the “mhtml” URI handler, which can be exploited to access documents served from another web site.


Exploiting the vulnerability, however, requires access to a server where you can control the HTTP headers: you need to force the browser to a URL that then redirects to another URL.

IE7 can be downloaded here.

Update (Roberto Tayag, Fri, 20 Oct 2006 07:55:16 AM)


Apparently, according to Microsoft, the vulnerability itself is in Outlook Express; IE7 is just a vector. Microsoft is currently investigating.

 


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice