A OneCare bug reported by users almost six weeks ago has finally been acknowledged by Microsoft. The bug in the Windows Live OneCare security suite is causing users’ email to vanish from Outlook and Outlook Express. Microsoft reports that when OneCare detects malicious code in an email attachment, it quarantines Outlook’s or Outlook Express’ data file, making it appear that all the messages have been erased. The bug affects Outlook 97 and Outlook 2000, as well as Outlook Express running on Windows XP. The fix is set to be included in the next scanning engine update, due to roll out March 13. So begins another new saga of Microsoft vulnerabilities…
Archive for March 9th, 2007
Today we received samples of bots that reference SANS.ORG. It seems SANS caught the attention of one of the herders; an angry herder has put a little message to our friendly neighborhood SANS. The message says,
“You better f##k off SANS.org especially that Johannes Ullrich (jullrich@XXX, XXX-XXX-XXXX) and Kevin Hong (khong@XXX.kr, +XX-X-XX-XXX). I really don’t have anything against you, just p##s off alright?”
Note: the message has been censored for posting. (He’s a little bit angry.. =) )
The samples are pretty ordinary except for the message part, which tells us that the efforts of our friends from SANS are very effective, seeing that they have already attracted the attention of one herder. Kudos to the SANS people for their relentless effort to combat the evils of the web. We have already submitted the samples for detection and appropriate solutions.
Update: The samples are detected as the following:
TROJ_DROPPER.CEN
TROJ_DROPPER.CEO
TSPY_AGENT.XAK
TROJ_DROPPER.CEN drops the following malware: WORM_IRCBOT.DAM and TSPY_SMALL.ECQ.
TROJ_DROPPER.CEO also drops TSPY_SMALL.ECQ.
TSPY_AGENT.XAK: this malware drops a DLL file, also detected as TSPY_AGENT.XAK, and has the capability to monitor the network traffic of the affected system.
Good day everyone! Apologies for not having a January Malware Roundup. I was at the RSA conference in San Francisco during the first week of February and wasn’t able to compile a roundup for you, dear readers. Anyway, this roundup will cover both January and February so you won’t miss a thing!
January Regional Attacks: For January, we received several Trojan seeding attempts in Germany. The Trojans, arriving via e-mail, use a variety of well-known companies and institutions for social engineering. Several TROJ_YABE variants were seen pretending to be valid e-mails from 1&1 (a web hosting company), GEZ (a German TV/radio company), and the local German eBay.
Malware that hit it big: The biggest news last January was the so-called “Storm Worm”. Technically speaking, this is not a worm per se, but a Trojan spammed aggressively by a worm component. The Trojan, detected as TROJ_SMALL.EDW, arrives as an attachment with the phrase “230 dead as storm batters Europe” as one of its e-mail subjects, hence the name “Storm Worm”.
Web-based Threats: Moving on from fake codec sites, the TROJ_ZLOB creators have set up a YouTube look-alike site that pretends to host adult videos. The site, named adultTuba, notifies the user that a codec is needed to play the adult videos. The resulting downloaded file is, of course, a variant of TROJ_ZLOB.
News and Events: Malware authors are too smart not to use Saddam Hussein’s execution as a means for social engineering. A spammed e-mail advertising videos of the late dictator’s execution was seen last January. When the user clicks on a link embedded in the spam mail, a variant of TSPY_BANKER is downloaded and executed. To avoid suspicion, the malware opens a YouTube search page with the query “Enforcado”, meaning “hanged person”, leading to a results page with Saddam’s execution videos.
Vulnerabilities and Exploits: An unknown vulnerability in Microsoft Word is being exploited by TROJ_MDROPPER.EQ, which was found to be used in a highly targeted attack. Also, a few days after 2007’s first MS Patch Tuesday, some malicious web sites were found to be hosting code exploiting the MS07-04 vulnerability, making it the first known vulnerability to be exploited in 2007.
February Regional Attacks: Just like in January, TrendLabs has seen several e-mail based attacks targeted at German users. One attack, where the e-mail message contains malicious scripts, pretends to be a news mail from Spiegel, an online news company from Germany. Another social engineering attempt pretends to be a bill from IKEA, a home furnishing store. Another attack, this time appealing to Australians, was found to use e-mail subjects claiming Australia’s Prime Minister had a near-fatal heart attack.
Events Related: We all know the Super Bowl is a very big event for Americans. Needless to say, when the Dolphins’ Stadium website (where this year’s Super Bowl was held) was hacked and a malicious link was inserted on one of the site’s pages, all of America’s security experts were concerned. The inserted link points to a malicious site that hosts an exploit for IE in order to download a variant of TROJ_ZLOB. TrendLabs counter-attacked by immediately blocking the malicious sites and updating the pattern file to detect all related malware files. In another event-related attack, a new variant of WORM_NUWAR was found spreading some love by propagating with e-mail subjects related to Valentine’s Day.
Vulnerabilities and Exploits: Following the release of the MS Word zero-day TROJ_MDROPPER.EQ, two new MS Office zero-days were discovered last February. The first is TROJ_MDROPPER.FC, which exploits an unknown vulnerability in MS Excel, while TROJ_MDROPPER.MY exploits an unknown vulnerability in MS PowerPoint.
Other Interesting News: Some new malware techniques were seen last February, the first of which is WORM_RANCHNEG.A employing a password-protected zip archive to avoid detection at the mail server level. Take note, however, that this is not the first time this technique has been used: WORM_BAGLE was the original malware to employ it. While e-mail client (Outlook) based worms may be passé, there is a huge target in web-based e-mail. WORM_ZHELATIN.CH is probably the first malware to use web-based e-mail to propagate. Being able to automatically propagate through large web-based e-mail services like AOL, Gmail, Hotmail and Yahoo, the propagation potential of this malware is huge if left unchecked.
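A mail-gateway check for the password-protected-archive evasion mentioned above, written as an added example (not code from the original post or from TrendLabs): it walks the local file headers of a ZIP attachment and flags any entry whose general purpose bit 0 (encryption) is set, since such entries cannot be inspected by a content scanner and deserve policy handling of their own. The sample archive bytes and the entry names are constructed inline as placeholders.

```python
import struct
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # 30-byte fixed part of a ZIP local file header
FLAG_ENCRYPTED = 0x0001              # general purpose bit 0: entry data is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008        # bit 3: sizes live in a trailing descriptor, not the header


def build_zip(entries):
    """Constructed sample data: stored (uncompressed) entries, optionally marked encrypted.

    Only local headers are emitted; the central directory is not needed for this check.
    A real encrypted entry would also carry a 12-byte encryption header in its data.
    """
    out = bytearray()
    for name, data, encrypted in entries:
        flag = FLAG_ENCRYPTED if encrypted else 0
        out += struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flag, 0, 0, 0,
                           zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data),
                           len(name), 0)
        out += name + data
    return bytes(out)


def list_entries(blob):
    """Walk local file headers and return [(name, is_encrypted), ...]."""
    entries = []
    pos = 0
    while blob[pos:pos + 4] == LOCAL_HEADER_SIG:
        fields = struct.unpack_from(LOCAL_HEADER_FMT, blob, pos)
        flag, csize, name_len, extra_len = fields[2], fields[7], fields[9], fields[10]
        name = blob[pos + 30:pos + 30 + name_len].decode("cp437", "replace")
        entries.append((name, bool(flag & FLAG_ENCRYPTED)))
        if flag & FLAG_DATA_DESCRIPTOR and csize == 0:
            break   # compressed size is only known after the data; do not guess
        pos += 30 + name_len + extra_len + csize
    return entries


def has_encrypted_entries(blob):
    """True when the gateway scanner would be unable to inspect at least one entry."""
    return any(enc for _, enc in list_entries(blob))


# Constructed sample: a harmless readme plus a password-protected executable (placeholder bytes).
SAMPLE_ATTACHMENT = build_zip([
    (b"readme.txt", b"open the attached file", False),
    (b"invoice.exe", b"<placeholder bytes>", True),
])

if __name__ == "__main__":
    for name, enc in list_entries(SAMPLE_ATTACHMENT):
        print(f"{name}: {'ENCRYPTED - cannot be scanned' if enc else 'plain'}")
```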
According to Microsoft’s site, no new Microsoft Security Bulletins will be released on the 13th of March 2007. For us it’s kind of a good thing, fewer things to worry about, but is it really good news? Can Microsoft really relax for a month, or can we relax for a month? Are we really secure this March? Aren’t there any new exploits to patch this month? This is actually kind of a new thing for me; I can’t recall a month in my career here in TMIRT that didn’t involve an MS release. Well, let’s just wait and see what they have in store for us this April.