TrendLabs Malware Blog
    Archive for November 13th, 2006




    After a long time, another Netsky makes it to TrendLabs’ noteworthy list, and its routines are nostalgic throwbacks to the days when the egos and juvenile war-mongering of malware authors were AV’s worst enemies. Faithful to its roots, WORM_NETSKY.CA continues the war with WORM_MYDOOM and WORM_BAGLE by deleting registry entries related to them.


    This mass-mailing worm appears to extend its efforts to ride the current trend of attacking specific segments. It speaks Portuguese, as seen in the subject and body of its spammed email messages, which spout such poetry as the following:


    Subject
    • Aprovado!
    • Bala
    • Cachaca!
    • Caderno
    • Cambau
    • Contas!
    • Delicia!

    Message Body
    • Conta Fechada
    • Conta regularizada veja aqui!!
    • Lamento sabe!
    • Leia rapido o arquivo!!!!
    • Nao sei o que eh isso me diga! Tabela d…
    • Nossas contas veja detalhe


    This variant is probably just Netsky’s little ‘Ola!’ to the world. The ego torch it carries for the bygone bot wars is just not profitable enough to fit the show-me-the-money anthem of today’s threats.

     
    Posted in Uncategorized | Comments Off



    Have you opened your Friendster profile lately and checked out who among your Who’s Viewed Me list can be added to your innumerable stalkers?


    The Who’s Viewed Me feature of Friendster allows a person to check out who’s been viewing his/her profile only if he/she also allows others to know that he/she is also checking out theirs.


    Well, I have recently checked out my list of Who’s Viewed Me and found out that there’s a certain Geraldine Artinez from Manila in it.


    Eager to find out who she is, I clicked on her profile to see if we are in the same network of friends. To my surprise, her profile showed what seems to be one of AdultFriendFinder’s Web pages.


    Check out the code in her profile:


    %3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%
    61%64%75%6C%74%66%72%69%65%6E%64%66%69%6E%64%65%72%2E%
    63%6F%6D%2F%73%65%61%72%63%68%2F%67%38%31%37%31%32%39%2D%
    70%70%63%3F%6D%61%78%5F%61%67%65%3D%26%72%61%63%65%3D%26%
    70%68%6F%74%6F%3D%26%6C%6F%6F%6B%69%6E%67%5F%66%6F%72%5F%


    Decoded, this is an HTML link: clicking the advertisement banners in her profile sends the user’s browser to various pages on adultfriendfinder.com.
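    The percent-encoded snippet above hides its destination from anyone skimming the profile source, and the same trick can hide a link to a hostile site just as easily. The following Python is an added example (not code from the original post or from Friendster) showing how a site operator or an analyst can decode such markup and check which hosts its links point to. It embeds the fragment quoted above, joined across its line breaks; the fragment is cut off after “looking_for_” in the post, so the closing quote and tag never appear. The allow-list and the `flag_offsite_links` policy are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# The percent-encoded fragment quoted in the post, line breaks removed.
# The post's excerpt is truncated after "looking_for_", leaving a dangling "%".
PROFILE_SNIPPET = (
    "%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%"
    "61%64%75%6C%74%66%72%69%65%6E%64%66%69%6E%64%65%72%2E%"
    "63%6F%6D%2F%73%65%61%72%63%68%2F%67%38%31%37%31%32%39%2D%"
    "70%70%63%3F%6D%61%78%5F%61%67%65%3D%26%72%61%63%65%3D%26%"
    "70%68%6F%74%6F%3D%26%6C%6F%6F%6B%69%6E%67%5F%66%6F%72%5F%"
)

# href values, with or without quotes, up to the next quote, whitespace or '>'
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def decode_layers(text, max_rounds=5):
    """Percent-decode repeatedly until the text stops changing.

    A single unquote() is not enough when the author encoded the payload twice;
    looping until stable unwraps every layer (bounded, so garbage cannot loop forever).
    """
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def extract_link_hosts(markup):
    """Return the set of hostnames that href attributes in the decoded markup point to."""
    decoded = decode_layers(markup)
    hosts = set()
    for target in HREF_RE.findall(decoded):
        parts = urlsplit(target)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname.lower())
    return hosts


def flag_offsite_links(markup, allowed_hosts):
    """Sorted list of linked hosts that are not on the site's allow-list.

    allowed_hosts is a constructed policy for this example; a real deployment would
    carry the site's own domains and any approved ad/CDN hosts.
    """
    return sorted(h for h in extract_link_hosts(markup) if h not in allowed_hosts)


if __name__ == "__main__":
    print(decode_layers(PROFILE_SNIPPET))
    print(flag_offsite_links(PROFILE_SNIPPET, {"friendster.com"}))
```

    Running the module prints the decoded anchor tag and reports adultfriendfinder.com as an off-site link. Decoding before matching is the point: a filter that looks for `http://` in the raw profile text never sees the link at all.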


    As of now, this may be an innocent attempt to promote the dating Web site. However, using Friendster pages to redirect users to a malicious Web site may not be that far behind…

     
    Posted in Uncategorized | Comments Off



    The latest release of MoKB deals with a stack-based buffer overflow in the Broadcom BCMWL5.SYS wireless device driver. This leads to arbitrary kernel-mode code execution.


    The Zeroday Emergency Response Team (ZERT) has released an FAQ discussing the vulnerability.


    [snip]

    Q: Why is this vulnerability dangerous? It’s local; it can not be used through the Internet.


    A: Although it can not be exploited over the Internet, it can be used against your computer from a distance. If you are near other users with laptops, you are at risk. If you are at an airport, coffee shop, or using your computer with the wireless card enabled in any public place, you are at risk. It is remote by the means of RF transmissions, the distance is dependent on the attacker’s antenna and signal strength.


    Windows is exploitable without the existence of an Access Point (AP) or any interaction from the user. The card’s background scan of available wireless networks triggers the flaw.


    [snip]

    Technical details about the vulnerability are located on the MoKB site, and the proof-of-concept code is included in the latest Metasploit module.

     
    Posted in Uncategorized | Comments Off



    In the past three months or so, we have seen the increased propagation of malware that uses codec download websites as its distribution vector. Commonly belonging to the family TROJ_ZLOB, these Trojans pose as legitimate codec installers, even going a step further to include an EULA to prove that they are legitimate applications. Users who are often victimized by this type of malware are those who want to watch a particular video but can’t do so with their current viewer because a codec is required. What happens next is obvious: they search for a codec using Google and end up installing malware on their system instead.


    Malware authors have taken advantage of the necessity of codecs to distribute and successfully install their creations on the users’ systems. Because of this, users who often watch video clips that require codecs would have to refrain from watching them for fear of installing something like TROJ_ZLOB. Security experts in the industry would often suggest that users be cautious in downloading and installing codecs.


    But that is only a half-baked solution. The real solution to the problem is the elimination of the need for a codec. In short, the user’s video player should be able to support whatever codec the downloaded video requires so that he would never have to download one in the first place and risk the security of his system. Average users who are fond of watching videos often use Windows Media Player, which doesn’t always support new codecs. Therefore, what we need is a media player that can play the latest videos without the hassle of downloading and installing codecs.


    The answer to our problem lies in VideoLAN VLC Media Player. This media player has been around for some time now, but not a lot of users are familiar with it. In comparison to Windows Media Player, I’ve had the experience of watching something on VideoLAN that wouldn’t even play on the latter, so I guess it’s more reliable than Windows Media Player. It’s also free to download.


    I’m not saying that it’s the best one available. VideoLAN might not be the only media player that can support a lot of codecs. There might be a whole lot more out there. My message is quite simple: if the video that you want to watch requires a codec, then find an alternative media player that allows you to play it without having to go through the hassle of installing an unknown codec that can put your system at risk.


     
    Posted in Uncategorized | Comments Off



    It’s not the usual maximizing of resources to achieve as many goals as possible. It’s rather the opposite; and it’s actually using all resources, and all possible means in order to achieve one big goal – and that is to amass a lot of money!


    This is probably what the creators of the malware families STRATION and MEDBOT are doing. On one hand, there’s this comeback of mass-mailers whose main purpose is just to make zombies out of hundreds of thousands of computers to serve Image Spam. This is described in the paper, The Real Motive Behind Stration.


    Meanwhile, there’s this fairly new strain of IRC bots that was released almost at the same time as the first variant of STRATION came out – and that was last August 2006. This is MEDBOT, an IRC bot that also attempts to infect computers with the goal of making them zombies to send out SPAM regarding the usual pharmaceutical line of ‘viagra’ and ‘cialis’. This is further described in the previous blog, WORM_MEDBOT.AI and SPAM.


    Here are some snapshots of the spam mails we generated and that are being sent out from MEDBOT-infected machines to millions of target recipients:


    What’s the connection you say?


    Running WHOIS on the domains of the advertised ‘viagra’ sites from the MEDBOT spam emails gives us:


    Domain Name:genrunkasderunkion.com
    Registrant: Dima li
    jungonglu1219hao
    200093
    Administrative Contact: Dima li


    Whoa! Now doesn’t that name or alias sound familiar? Dima Li! But of course: this is one of the aliases, along with Wang Pang, used by the same registrants or admins of the domains being used by the STRATION worms. Coincidence?… Add to that the fact that both malware families appeared at almost the same time, and the assumption that these malware families may indeed be connected gains more weight. Coincidence again?… And the ultimate goal – which is sending ‘viagra’ spam…
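    The pivot in this post is a registrant-overlap check: two domains share a contact alias, so they are tentatively attributed to the same operator. The Python below is an added example (not code from the original post or from TrendLabs) that automates that pivot over a small set of WHOIS records. The first record copies the fields quoted above for genrunkasderunkion.com; the other domains are constructed placeholders in the reserved `.invalid` TLD standing in for the STRATION domains, which the post does not name, and their contact values are made up to show the chaining.

```python
import re
from collections import defaultdict

# Constructed sample WHOIS output. Only the first record's fields come from the post;
# the ".invalid" domains and their contacts are placeholders for this example.
WHOIS_RECORDS = {
    "genrunkasderunkion.com": """Domain Name:genrunkasderunkion.com
Registrant: Dima li
jungonglu1219hao
200093
Administrative Contact: Dima li""",
    "stration-domain-1.invalid": """Domain Name: stration-domain-1.invalid
Registrant: Wang Pang
Administrative Contact: Dima Li""",
    "stration-domain-2.invalid": """Domain Name: stration-domain-2.invalid
Registrant: Wang Pang
Administrative Contact: Wang Pang""",
    "unrelated-example.invalid": """Domain Name: unrelated-example.invalid
Registrant: Example Privacy Service
Administrative Contact: Example Privacy Service""",
}

# The two contact fields the post pivots on; other lines (street, postcode) are ignored.
FIELD_RE = re.compile(r"^(Registrant|Administrative Contact):\s*(.+?)\s*$", re.MULTILINE)


def normalize(name):
    """Case and spacing are not identity: 'Dima li' and 'Dima Li' are one alias."""
    return " ".join(name.lower().split())


def contacts_of(record):
    """Set of normalized registrant/admin aliases found in one WHOIS record."""
    return {normalize(value) for _, value in FIELD_RE.findall(record)}


def pivot_by_contact(records):
    """Map each contact alias to the domains registered under it."""
    index = defaultdict(set)
    for domain, record in records.items():
        for alias in contacts_of(record):
            index[alias].add(domain)
    return index


def linked_domains(records, seed):
    """Domains reachable from `seed` through chains of shared contact aliases.

    Transitive on purpose: if A shares 'dima li' with B and B shares 'wang pang'
    with C, all three land in one cluster even though A and C share nothing directly.
    """
    index = pivot_by_contact(records)
    seen, frontier = set(), {seed}
    while frontier:
        domain = frontier.pop()
        seen.add(domain)
        for alias in contacts_of(records[domain]):
            frontier |= index[alias] - seen
    return seen


if __name__ == "__main__":
    for alias, domains in sorted(pivot_by_contact(WHOIS_RECORDS).items()):
        print(f"{alias}: {sorted(domains)}")
    print(sorted(linked_domains(WHOIS_RECORDS, "genrunkasderunkion.com")))
```

    Shared registrant data is a lead, not proof: privacy-proxy services put one contact name on thousands of unrelated domains, which is why the unrelated record in the sample stays outside the cluster, and why a real pipeline should exclude known proxy names before trusting an overlap.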


    Take a look at the advertised site from MEDBOT:


    And now take a look at the one advertised by STRATION:


    Coincidence?…


    And the plot thickens! Are they using more than one malware family to achieve their goal of SPAM? Are they using two, three or possibly more stones to hit the grand prize? More chances of winning, eh? More on this as we continue our investigations…

     
    Posted in Uncategorized | Comments Off


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice