TrendLabs Malware Blog (Trend Micro)
    Archive for December 4th, 2006




A WORM_NUWAR variant is on CNN, or rather CNN is on a new WORM_NUWAR variant. Using the Cable News Network (CNN) as its “click-me” gimmick, WORM_NUWAR.JO uses the following message details in its latest spew of spam:


Subject (any of the following):

    • White house news!
    • Incredible news!
    • URGENT NEWS!

    Message body (any of the following):

    • Full news included in attached file
    • Open file to get complete news.
    • Read more in attached file…

    Attachment (any of the following):

    • CNN latest news.exe
    • CNN news reader.exe
    • WWW-CNN-COM.exe
    • cnn agent.exe
    • cnn site explorer.exe
    • cnn.exe
    • news agent.exe
    • news reader.exe
    • webnews agent.exe
    • read me.exe

It may use a different flavor of spam, but the meat of it is still the same: it drops a Trojan, in this case TROJ_SMALL.DUL, onto the infected computer. As with other NUWARs, this dropped Trojan downloads other malware components that reveal the true ingenuity of WORM_NUWAR’s attack. Read this article for an in-depth account of NUWAR’s routines.




A tremendously huge trojan horse has been reported circling Sydney, Australia, targeting various industries and establishments such as the Royal Randwick Racecourse, CNS or Channel 9, the History Department of the University of Sydney and even the Sydney Opera House.


The Turkish Consulate was also targeted, as well as the Land Command of the Army Headquarters, but due to the much tighter security enforced at their perimeters, the trojan horse failed to deliver its payload at these sites. At the Army, however, the trojan horse was able to penetrate the gateway, but further inspection revealed and blocked some five malicious embedded components dropped from the trojan package before they could cause damage.


This report illustrates the same weakest link in security: human gullibility. The trojan package was gigantic and used no stealth mechanism, and yet no suspicion attached to it; entry was granted without trouble. It was merely a simple question of “Can I enter?”, and then bingo: enter you can (no questions asked!). As is usually observed, some simple yet effective social engineering ploys played a big part in these targeted security breaches.






Adobe released a security advisory about vulnerabilities found in its Adobe Reader and Acrobat software. The vulnerable versions are Adobe Reader 7.0.0-7.0.8 and Adobe Acrobat Standard and Professional 7.0.0-7.0.8 on the Windows platform when used with Internet Explorer.


By tricking potential victims into browsing a specially crafted web page, an attacker who successfully exploits these vulnerabilities could execute code remotely on the affected user’s machine. No security patch is available at the moment, but Adobe provides a workaround: delete “AcroPDF.dll” from the Adobe installation directory, or alternatively set the kill bit for the CLSID [CA8A9780-280D-11CF-A24D-444553540000]. (Using another browser is also an option, as other browsers are not affected. However, the best way is still to delete the vulnerable DLL.)


    More information can be found in the following links:





One of our engineers discovered a new NUWAR sample while analyzing a current sample, and in the process stumbled on a neat little twist. Originally, NUWAR lures focused on nuclear war and political issues. This time around it appears to ride on the popularity of CNN.


The new sample connects to CNN.COM and determines the “MOST popular news” by parsing the main page. Aside from the usual hardcoded email messages and subjects, the malware uses the “news topics” from the CNN main page in its email details. However, one thing I would like to shed a little more light on is that, instead of the usual email recipients, it appears to target only email addresses containing the strings “Microsoft”, “.gov” and “.mil” (all three strings must be present).


    Below is an email sample obtained by satisfying the condition stated previously using a bait email address.



Now, from the findings stated earlier, it would appear that the targets are now the military or the government. A simple search for domains satisfying the above condition yields the following results:



    • http://www.mil.wa.gov/ (Washington Military department)
• http://www.mil.gov.ua/index.php?lang=en (Ukraine Ministry of Defense)
    • http://www.mil.doh.gov.tw/ (General Hospital – Taiwan Dept. Of Health)
    • http://naou.mil.gov.ua/index.htm
    • http://gur.mil.gov.ua

I guess one major concern here is that if the malware is indeed targeting the government or the military, this gives it a new edge in social engineering. Imagine receiving emails from one of the domains stated above with email details like:



    • Nuclear WAR in USA! Please read attached file!
    • Nuclear WAR in Russia! Please read news in file!
    • GLOBAL NUCLEAR WAR JUST STARTED! PLease see attached file.

This could potentially hype up the hit rate of these mass-mailers. Just our two cents, but it’s definitely worth digging deeper into.
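As an added example (not code from the original posts), here is a Python mail filter that flags messages matching the WORM_NUWAR.JO lure details listed in the first post on this page together with the nuclear-war subjects and the Microsoft/.gov/.mil recipient pattern described in this one. The sample message it builds is constructed for the demonstration; the addresses in it and the indicator labels are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
# Lure strings quoted in the two NUWAR posts above (lower-cased for matching).
NUWAR_SUBJECTS = {
    "white house news!", "incredible news!", "urgent news!",
    "nuclear war in usa! please read attached file!",
    "nuclear war in russia! please read news in file!",
    "global nuclear war just started! please see attached file.",
}
NUWAR_BODIES = ("full news included in attached file", "open file to get complete news.",
                "read more in attached file")
NUWAR_ATTACHMENTS = {
    "cnn latest news.exe", "cnn news reader.exe", "www-cnn-com.exe", "cnn agent.exe",
    "cnn site explorer.exe", "cnn.exe", "news agent.exe", "news reader.exe",
    "webnews agent.exe", "read me.exe",
}
TARGET_STRINGS = ("microsoft", ".gov", ".mil")  # the sample mails only addresses containing all three

def nuwar_indicators(raw: bytes) -> list[str]:
    """Return the NUWAR lure indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in NUWAR_SUBJECTS:
        hits.append(f"subject:{subject}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(lure in text for lure in NUWAR_BODIES):
        hits.append("body:lure-text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # exact list hit, or the general shape of the lure: an .exe named after CNN or "news"
        if name in NUWAR_ATTACHMENTS or (name.endswith(".exe") and ("cnn" in name or "news" in name)):
            hits.append(f"attachment:{name}")
    recipients = " ".join(str(msg.get(h, "")) for h in ("To", "Cc")).lower()
    if all(s in recipients for s in TARGET_STRINGS):
        hits.append("recipient:microsoft-gov-mil-pattern")
    return hits

def build_sample() -> bytes:
    """Constructed message mirroring the page's lure; not a real capture."""
    m = EmailMessage()
    m["From"] = "news@example.invalid"  # constructed sender
    m["To"] = "microsoft.liaison@example.mil.gov"  # constructed; contains all three target strings
    m["Subject"] = "URGENT NEWS!"
    m.set_content("Full news included in attached file")
    m.add_attachment(b"MZ" + b"\x00" * 18, maintype="application",
                     subtype="octet-stream", filename="CNN latest news.exe")
    return m.as_bytes()
```

A gateway filter would quarantine on any attachment hit; the recipient-pattern indicator alone is weak and is better used to prioritise review than to block.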




In Greek mythology, the Hydra was a serpent-like creature with many heads. Chopping off one of them was a poor way to kill the beast: whenever you decapitated a single head, two grew back in its place. Just imagine how frustrated the Greek hero Hercules was when he fought the beast. Still, if he were living in today’s world and had to contend with spammed and mass-mailed malware instead of mythical beasts, he’d be equally frustrated.


    TROJ_ZLOB is a modern-day Hydra. This malware has become infamous for being downloaded by unsuspecting users from websites that promise fast and reliable codecs for media players. Once again, two new bogus websites have turned up, each of them hosting a new variant of the malware: TROJ_ZLOB.CCG and TROJ_ZLOB.CDA. Just like their brethren, these new variants pose as codec installers that can be downloaded from these legitimate-looking websites: videosaccess(dot)net and goldcodec(dot)com.




It is advised that you do not visit these websites. They do not contain any codec installers at all. Rather, the files they offer for download are nothing more than TROJ_ZLOB variants.



© Copyright 2011 Trend Micro Inc. All rights reserved.