
    Archive for December 7th, 2006



    Dec 7, 10:54 am (UTC-7)

    The NY Times is calling it Spam 2.0 – the second wave of e-junk mail. In the last 6 months the spam deluge has gone from bad to worse: numbers are doubling and tripling, and there appears to be no end in sight.


    Spam is evolving. Whereas text-based spam is easily filtered out these days, a new breed of junk called image spam is tricking traditional filters. Until last year image spam was rare, since the technology to randomize images was still young and not widespread. By December 2005, however, image spam started spiking on the charts as filters faltered in the face of mature and readily available techniques. Spammers started using techniques like image tiling and CAPTCHA. Image tiling takes a big image and splits it into smaller “tiles” that fit back together when the recipient views the message. This confuses OCR (Optical Character Recognition), an often-used antispam technology. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), on the other hand, places a layer of text on top of a randomly generated background, creating a new image every time it runs. Spammers use it to avoid bulk detection and fingerprinting. Ironically, CAPTCHA was developed to prevent bots from signing up for free Internet services like Yahoo! Mail.
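    As an added example (not part of the original post), here is a small Python heuristic that triages a message for the image-tiling technique described above: it counts the inline image parts that the HTML body stitches together and how much readable text is left. The message it scores is constructed inline, and the threshold values are assumptions.

```python
import email
import re
from email import policy


def constructed_tiled_message(tiles: int) -> bytes:
    """Constructed sample (not a real spam): a multipart/related message whose
    HTML body is nothing but `tiles` inline GIF parts laid side by side."""
    imgs = "".join(f'<img src="cid:t{i}">' for i in range(tiles))
    parts = [f"Content-Type: text/html\r\n\r\n<html><body>{imgs}</body></html>"]
    for i in range(tiles):
        # placeholder 1x1 GIF, base64-encoded; any image bytes would do
        parts.append(f"Content-Type: image/gif\r\nContent-ID: <t{i}>\r\n"
                     "Content-Transfer-Encoding: base64\r\n\r\nR0lGODlhAQABAAAAACw=")
    body = "".join(f"--B1\r\n{p}\r\n" for p in parts) + "--B1--\r\n"
    head = ("From: promo@example.invalid\r\nSubject: hot stock\r\nMIME-Version: 1.0\r\n"
            'Content-Type: multipart/related; boundary="B1"\r\n\r\n')
    return (head + body).encode()


def image_spam_score(raw: bytes, min_tiles: int = 2, max_text: int = 40) -> dict:
    """Flag messages that show several inline images but almost no text.
    The thresholds are assumed defaults, not values from the post."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chars, html, image_ids = 0, "", set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_chars += len(part.get_content().strip())
        elif ctype == "text/html":
            html = part.get_content()
            # readable text is what remains once the tags are stripped
            text_chars += len(re.sub(r"<[^>]+>", "", html).strip())
        elif part.get_content_maintype() == "image":
            image_ids.add((part.get("Content-ID") or "").strip("<>"))
    # a tile is an image part that the HTML body actually embeds by Content-ID
    referenced = set(re.findall(r'src="cid:([^"]+)"', html))
    tiles = len(image_ids & referenced)
    return {"tiles": tiles, "text_chars": text_chars,
            "suspect": tiles >= min_tiles and text_chars < max_text}


if __name__ == "__main__":
    print(image_spam_score(constructed_tiled_message(4)))
```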


    Aside from image spam, experts also point to the success of several of this year’s worms (e.g. WORM_STRATION) in turning millions of computers into zombies. These bots can then be commanded to generate and send out spam. Such new sources of spam make it more difficult to rely on blacklists of known spammers.


    Moreover, advertising is not the only force pushing spam. Industry experts, and indeed a lot of users, are seeing “pump and dump” schemes that hype up penny stocks to raise their price. To make matters worse, these obvious scams appear to be working: a joint study by researchers at Purdue University and Oxford University found that enough recipients buy the stock for spammers to get a 5-6% return in two days.


    Spam is getting bigger and better, making it harder for antispam companies to keep up. Can stricter legislation be the key to turning the tide of the spam war? The CAN-SPAM Act of 2003 in the US seems to have had some success. However, enforcement in the malware and spam cesspools that are Russia, Eastern Europe, and Asia may prove harder to accomplish.

     



    …with Yahoo! 360, that is. Trend Micro has just detected WORM_SOHANAD.AK spreading in the wild. Like its predecessors, it mainly propagates through instant messaging applications such as Yahoo! Messenger, AOL Instant Messenger, and Windows Live! Messenger. Its routine is also basically the same: SOHANAD sends an instant message (in Vietnamese) containing a link from which a copy of the worm can be downloaded. What is interesting about this worm, though, is that this time one of its URL links points to a Yahoo! 360 blog. Yes, as in Yahoo!‘s very own social networking site.


    Now, whether the blog itself hosts the worm copy or merely redirects users to the real malicious site doesn’t really matter. What matters is that by adding another element, social networking sites, to its equation, SOHANAD is once again looking for new social engineering techniques that will effectively trick users into downloading and executing its copies.


    Add the fact that this is the second attempt by a malware to use or target these friend-of-a-friend sites in just two days — what with MySpace getting hit by JS_QSPACE.A — and it sure looks like malware authors are starting to focus on a new propagation vector…

     



    The holiday season is near and, just as we expected, a malware has come to exploit the occasion. Add to that the fact that pharmaceutical come-ons and ploys via spammed emails are increasing these days, and this incident becomes worthy of a write-up.


    Early this morning, we received a report that an email with an .htm attachment was being spammed on the net. A screenshot of the email is shown below.



    The email attachment, Holliday_Pharmacy-Blowout-Deals_HERE.htm (take note of the spelling of Holliday), entices people to view the HTML file.


    This is a fresh approach for mail-propagating malware, since it uses an HTML file as an attachment rather than the usual EXE or ZIP file. But since HTML files can still execute script code, they are still very dangerous to view, especially when they come from an email you are not expecting.


    Upon viewing the attachment, the JavaScript code inside it is executed, which loads the site:


    http://BrightBoo{blocked}0eF7ce8fc50T34b5400d5593Bf11ea


    A couple of minutes earlier, the site had been inaccessible; however, after several rounds of fetching the site, we were finally able to dig up some nasties.


    From here on we have another case of an FTBM, or Follow The Bouncing Malware scenario, which ultimately leads to the installation of a bot on your system. Below is a summary of the malware track (so far…)



    • Holliday_Pharmacy-Blowout-Deals_HERE.htm
      • The malicious attachment; contains obfuscated JavaScript code that loads the site “http://BrightBooksDire{blocked}fc50T34b5400d5593Bf11ea”, which is detected by Trend Micro as JS_REDIR.AI.
    • http://BrightBooksDi{blocked}8fc50T34b5400d5593Bf11ea (index.ht{blocked}34b5400d5593Bf11ea)
      • This contains another obfuscated JavaScript code that loads http://{blocked}/404.php, detected by Trend as JS_REDIR.AJ.
    • http://{blocked}/404.php
      • Contains another obfuscated JavaScript code that loads http://{blocked}/external.php, detected as JS_WONKA.AC, through an iframe.
    • http://{blocked}/external.php
      • Contains obfuscated VBScript code which downloads and executes the file http://{blocked}/win32_update.exe through the MS06-014 vulnerability. The downloaded file is already detected by Trend Micro as TROJ_SMALL.FAR.
    • http://{blocked}/win32_update.exe (TROJ_SMALL.FAR)
      • Downloads and executes http{blocked}.com/exp/01.exe and http://{blocked}.com/exp/02.exe, detected by Trend as TROJ_DELF.DGR and WORM_IRCBOT.RV respectively.
    • http://{blocked}/exp/01.exe
      • This drops other malicious files on the system.
    • http://{blocked}/exp/02.exe
      • This is a bot malware.
    • http://{blocked}/index.html
      • This HTML redirects to http://{blocked}/exp/exploit.php. They are detected by Trend as HTML_REDIR.AQ and JS_PSYME.FT respectively.
    • http://{blocked}/exp/exploit.php
      • This contains JavaScript code which downloads the file hxxp://olatesuite.com/exp/loader_exe.php and saves it to the local computer as “c:ie7_update.exe”. The downloaded file is detected as TROJ_DLOADER.IAT.

    None of the malicious code and behavior described above will be seen by the user; instead, a blank 404 or Not Found page is displayed. Sneaky!
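    As an added example (not from the original post), the following Python script shows how a mail gateway or an analyst could triage an .htm attachment like the one that starts this chain: it pulls HTML attachments out of a message, looks for script and obfuscation markers, and decodes one layer of %XX escaping so that a redirect target hidden inside unescape() becomes visible. The message, the attachment body and its target URL are constructed placeholders, and the indicator list is an assumption.

```python
import email
import re
from email import policy
from urllib.parse import unquote

# Markers that are rare in a genuine HTML flyer but common in redirector
# scripts (assumed list, not from the post); matched case-insensitively.
INDICATORS = ("<script", "<iframe", "unescape(", "document.write(", "eval(", "fromcharcode")


def constructed_htm_lure() -> bytes:
    """Constructed sample (not the real spam): an .htm attachment whose script
    hides its redirect target behind unescape(); the target is a placeholder."""
    hidden = ("%3Cscript%3Elocation.href%3D%22http%3A%2F%2Fexample.invalid"
              "%2Findex.htm%22%3C%2Fscript%3E")
    html = f'<html><body><script>document.write(unescape("{hidden}"));</script></body></html>'
    name = "Holliday_Pharmacy-Blowout-Deals_HERE.htm"
    return ("From: deals@example.invalid\r\nSubject: Holliday Pharmacy Blowout Deals\r\n"
            'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="B1"\r\n\r\n'
            "--B1\r\nContent-Type: text/plain\r\n\r\nOpen the attachment for the deals.\r\n"
            f'--B1\r\nContent-Type: text/html; name="{name}"\r\n'
            f'Content-Disposition: attachment; filename="{name}"\r\n\r\n{html}\r\n'
            "--B1--\r\n").encode()


def triage_html_attachments(raw: bytes) -> list:
    """Return one finding per .htm/.html attachment: indicators hit and URLs seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("latin-1")
        # inspect the raw text plus one %XX-decoded layer of it
        visible = body + "\n" + unquote(body)
        hits = [m for m in INDICATORS if m in visible.lower()]
        urls = sorted(set(re.findall(r"https?://[\w./%-]+", visible)))
        findings.append({"filename": name, "indicators": hits, "urls": urls,
                         "suspect": bool(hits)})
    return findings


if __name__ == "__main__":
    for finding in triage_html_attachments(constructed_htm_lure()):
        print(finding)
```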



    As we are still analyzing the files, we will update this blog once more information is gathered.


    In the meantime, here are things you can do to mitigate this holiday menace.



    • Since the jump-off point of the malware is an HTM document, try disabling JavaScript in your browser. You can also use Mozilla Firefox with the NoScript plugin. This will virtually destroy all chances of the malware kicking off.
    • Also, the malware author used the MS06-014 exploit to download and execute an EXE file. This wouldn’t be a problem if your systems are updated with the latest patch from Microsoft. If you’re not patched yet, well, I guess this is as good a time as any to start patching, don’t you think?
    • So we better watch out, and better not cry… We just have to be aware of these holiday computer threats so that our holidays will indeed be merry, bright and peaceful! Cheers!

     



    There are reports that an in-the-wild zero-day exploit is targeting an unknown vulnerability in Microsoft Word.


    This zero-day exploit is in the form of a Word document that, when opened, connects to www.ch(blocked)per.com, where the following malware is available for download:



    The download URL for this malware is already blocked by Trend Micro URL filtering.


    Microsoft has released a security advisory to forewarn MS Word users to exercise caution in opening Word documents.


    Affected Word versions are:



    • Microsoft Word 2000
    • Microsoft Word 2002
    • Microsoft Office Word 2003
    • Microsoft Word Viewer 2003
    • Microsoft Word 2004 for Mac
    • Microsoft Word 2004 v. X for Mac
    • Microsoft Works 2004, 2005, and 2006

     



    Good day blog readers!


    As part of our efforts to keep you updated with the latest happenings on the malware scene, we’ve decided to write a monthly round-up report like this one, using data gathered from our honeypot systems, actual infection reports, and news within the industry.


    Anyway, enough with the formalities and let’s get it on!


    King Stration


    For e-mail borne malware, TROJ_STRAT is the undisputed king for November. Aggressively spammed and targeted at known e-mail addresses, not a week passed without at least three waves of STRATION spamming. No e-mail borne malware came close to the volume of e-mail traffic TROJ_STRAT generated this November. With 31 new STRATION incarnations, each seeding choked our honeypots, with 90% of malicious e-mails belonging to STRATION alone.


    Why it can get worse:
    STRATION has slowly evolved from a single-file mass-mailing worm to a two-component Trojan-worm partnership. The malware authors have also changed the timing of STRATION’s release into the wild: from releasing it after MS Patch Tuesday, STRATION is now released every other day. These not-so-subtle changes in STRATION’s patterns and behavior may indicate that its authors are constantly monitoring how their malware performs. And I’m quite sure the tweaking of STRATION’s characteristics is aimed at infecting more and more users.


    Busy ZLOBs


    European malware writers had a busy November – registering new domains, creating new websites, and making TROJ_ZLOB variants available for download… as pseudo-video codecs!


    For November, we’ve seen at least 10 domains hosting TROJ_ZLOB, where you can download anywhere from 1 to 1000 unique binaries. The ZLOB sites are carefully laid out to look legitimate and professional, which speaks volumes about the malware authors’ efforts, and their monetary returns.


    Why it can get worse:
    With all the digital video formats out there, your favorite video player is bound NOT to have the codec you need in order to watch, say, a freshly downloaded porn clip. So you Google for codecs and your search leads you to a site that promises an all-in-one codec complete with amazingly sharp resolution and unbelievable picture quality. Convinced, you download and install. Then a message box appears saying the codec cannot be installed. Well, you’ve just been Punk’d… err, I mean… infected.

    See, this method of infection is different in that it waits for the victim to download the file. Unlike a targeted attack, where a hunter tracks his prey and then fires with accuracy, ZLOB’s method is: present a lure, then wait for the prey to take the bait.
    For as long as there is a need for codec updates, people will surely be lured by fake Trojan codecs.


    Malicious Messages


    Messenger worms are having a small revival after being almost invisible for the first two quarters of this year. This time WORM_SOHANAD is leading the charge.


    Why it can get worse:
    This is one area where malware social engineering can get better. Why give links pointing to unknown sites when you can hack a social networking site to make the link more believable? Ooops… did I say it out loud?


    WORM_BLASTER Wikipedia Entry Gets Real!!!


    Websites that allow users to insert HTML code or links on their pages present themselves as possible hosts for malicious code, exploits, or links.


    Why it can get worse:
    User customization is the “in” thing when it comes to forums and social networking sites, thus allowing HTML code modification and linking to other sites. Expect other malware writers to pull off this trick on other sites that still offer users a great amount of HTML freedom.


    Month of Kernel Bugs


    November was declared the Month of Kernel Bugs by Info-pull.


    Why it can get worse:
    Thankfully this did NOT get worse!!! 30 kernel bugs were discovered but not one was translated into actual malicious code (thank you, responsible disclosure). Otherwise, it would’ve been a very, very, very busy month for AV.


    WORM_NUWAR and WORM_MEDBOT


    These two malwares serve as downloaders for other malware to enter the infected machine, elaborately designed to turn infected machines into spam zombies sending out Viagra and pump-and-dump stock spam.


    Why it can get worse:
    Actually, it is getting worse. WORM_NUWAR and WORM_MEDBOT are constantly updating their downloaded components. WORM_NUWAR has updated its spammer component at least 99 times, its downloader component at least 200 times, and itself at least 475 times. WORM_MEDBOT, on the other hand, has updated its spammer component at least 131 times, and itself at least 103 times.

    The constant updating of files may mean that the two worms either 1. have a large install base, 2. are currently infecting more machines, 3. or both! The constant updating of component files shows that those components are still being downloaded to infect new machines or re-infect existing ones.


    PE_LOOKED is stealing on you


    PE_LOOKED is known for downloading Trojan spyware that targets the online games Lineage and World of Warcraft. Towards the end of the month, at least 26 new variants of PE_LOOKED were released in the wild. A few days later, the new variants’ download sites were making TSPY_LINEAGE, TSPY_WOWSTEAL, and even TSPY_QQPASS variants available for download.


    Why it can get worse:
    We recently discovered a PE_LOOKED-inspired virus named PE_PARDONA.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice