
Archive for September 5th, 2007


Sep 5
by Carolyn Guevarra (Technical Communications)

Beware of spammed email messages that claim to be from Trend Micro but come from a bogus email address, carry a subject line totally unrelated to Trend Micro's business, and include, within a grammatically flawed message body, a link to a domain name that is not an official Trend Micro URL. Phishing attacks like these are not unusual, and rogue anti-spyware is common.

[Screenshot of the spammed message: TMspam.gif]

TrendLabs received reports today of this spammed email message, which entices users to download a supposedly free trial version of Trend Micro Anti-Spyware software by clicking on a link. The link opens a fake Trend Micro Web site, as seen below:

[Screenshots of the fake Trend Micro Web site: TMphish1.jpg, TMphish2.jpg]

Clicking on the links found on these pages eventually leads to the downloading of a Trojan detected as TROJ_DROPPER.CNH. This Trojan, in turn, downloads a spyware detected as TSPY_AGENT.YZR.

Trend Micro already blocks the malicious Web page with its In-the-cloud URL Filtering Service, and detects the malware files with the latest pattern file 4.695.00. Trend Micro users who may have been affected by this phishing attempt can also automatically remove the malware files and restore their systems using GeneriClean.


TrendLabs advises users and customers to be wary of all spammed messages like this, because they could carry Web threats. If you wish to download any Trend Micro software, we highly recommend that you type the correct URL, http://www.trendmicro.com, directly into the address bar of your browser instead of clicking links in unsolicited email messages.
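As an added example, not code from the TrendLabs post, the two checks this advice boils down to, written for a message filter: does the sender's domain belong to the brand the mail claims to come from, and does every link host belong to that brand rather than merely contain its name? The sample message, sender and link hosts are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Matches http(s) URLs in a plain-text message body.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def belongs_to(host: str, brand_domain: str) -> bool:
    """True if host is brand_domain itself or a subdomain of it.
    A lookalike such as brand.example.net fails this test."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def check_email(from_addr: str, body: str, brand_domain: str) -> dict:
    """Flag a sender address or links whose host lies outside brand_domain."""
    # Sender domain: text after the last '@', with any trailing '>' removed.
    sender_host = from_addr.rsplit("@", 1)[-1].strip("> ").lower()
    findings = {"bad_sender": None, "bad_links": []}
    if not belongs_to(sender_host, brand_domain):
        findings["bad_sender"] = sender_host
    for url in URL_RE.findall(body):
        # Strip sentence punctuation that the regex may have swallowed.
        host = urlparse(url.rstrip(".,;:)")).hostname or ""
        if not belongs_to(host, brand_domain):
            findings["bad_links"].append(host)
    return findings


# Constructed sample message; the sender and link hosts are placeholders,
# not the addresses from the real campaign. Note the brand name used as a
# subdomain of an unrelated host, a common phishing trick.
SAMPLE_FROM = "Trend Micro Support <promo@mail-offers.example.net>"
SAMPLE_BODY = """Download you free trial of Trend Micro Anti-Spyware here:
http://trendmicro.antispyware-free.example.com/download.php
Learn more: https://www.trendmicro.com/.
"""

if __name__ == "__main__":
    print(check_email(SAMPLE_FROM, SAMPLE_BODY, "trendmicro.com"))
```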


UPDATE: The said phishing Web site has since been taken down.


Sep 5
by Jasper Pimentel (Advanced Threats Researcher)

August was a spam-filled month, riddled with unsolicited email messages that employed techniques to bypass traditional filtering methods. A lot of malware actually relies on spammed email to get around, notably WORM_NUWAR, infamous this month for using e-card greetings. Let's recap what happened last month.



Notable Malware:

WORM_NUWAR.MV. Like its predecessors, this latest WORM_NUWAR variant employs wave after wave of spammed email to lure users into downloading a copy of the worm onto their systems. It comes with a couple of twists, though. For one thing, the spammed message is filled with extra characters and symbols, combined with some strikethroughs. Our antispam experts tell us that this is a way of evading the filtering techniques used by security applications. The spammed message contains a link that leads to a webpage where the malware is downloaded automatically, thanks to a malicious JavaScript component (JS_DLOADER.PCT).

TROJ_GPCODE.AB and TROJ_GPCODE.AC. Following in the footsteps of TSPY_KOLLAH.F, these two Trojans are the latest ransomware, encrypting valuable data on the user's system using the RSA-4096 algorithm. Unlike the TSPY_KOLLAH.F attacks, however, the perpetrators behind these two Trojans demanded less payment ($150, compared to the $300 demanded by TSPY_KOLLAH.F).

TSPY_MAMAW.A. This information-stealing Trojan apparently logs in to monster.com (a popular job search website) using a compromised account that is meant for employers who want to review resumes. Once it has gained access, the Trojan harvests the information contained within monster.com’s resume database, siphoning off names, home and mobile phone numbers, home addresses and email addresses into a remote server. It is possible that the Trojan was created to harvest email addresses for the use of spammers. There’s that spam connection again…

WORM_ZHELATI.MAB. Another malware utilizing spammed email, this latest variant of WORM_ZHELATI takes advantage of the popularity of YouTube. An unsuspecting user receives spammed email containing a link that supposedly leads to a YouTube video. Of course the link does not lead to any video, but instead redirects the user to a mimic of the YouTube site, where the user is eventually tricked into downloading the worm.


Web Threats:

UN Website Defaced. The United Nations website was defaced by a hacktivist group calling themselves the "Turkish Defacers". Originally, the website contained statements posted by the UN Secretary General; the hacktivists replaced them with pacifist messages. An exploit for an SQL injection vulnerability was used to gain access to the server hosting the site. As of now, the website has been patched and restored.

Compromise of a Taiwanese Private High School Website. DaHua High School, a private educational institution in Taiwan, also had its website compromised. An IFRAME tag found in the website's initial page loads a malicious webpage that is completely unaffiliated with the high school. This leads to yet another malware download; in this case, TSPY_DELF.GMN.

Fake Google Page. Towards the end of August, a fake Google page was discovered. Whoever created the page did a fairly good job of imitating the real thing, because ordinary users wouldn’t spot any difference between the fake and the original, unless they happened to notice the obfuscated pieces of JavaScript code residing in the page’s HTML source. Clicking on any of the links present on the page downloads a variant of WORM_SOHANAD on the user’s system.
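Both of these compromises leave traces in the page's own HTML: an IFRAME whose source sits on a host unaffiliated with the site, and inline script built from escape sequences fed to unescape or document.write. As an added example that is not from the TrendLabs post, a scanner for those two indicators, run over a constructed page (all hosts are placeholders):

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Dense runs of %XX, \xXX or \uXXXX escapes feeding these sinks are a common sign of obfuscation.
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
SINKS = ("eval(", "unescape(", "document.write(", "fromCharCode(")

class PageScanner(HTMLParser):
    """Collect IFRAMEs to foreign or hidden targets and obfuscated inline scripts."""
    def __init__(self, site_domain: str):
        super().__init__()
        self.site_domain = site_domain.lower()
        self.in_script = False
        self.findings: list[str] = []
    def _foreign(self, url: str) -> bool:
        host = (urlparse(url).hostname or "").lower()   # relative URL -> same site
        return bool(host) and host != self.site_domain and not host.endswith("." + self.site_domain)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            if self._foreign(src):
                self.findings.append(f"iframe to foreign host: {urlparse(src).hostname}")
            style = (a.get("style") or "").replace(" ", "").lower()
            if "0" in (a.get("width"), a.get("height")) or "display:none" in style:
                self.findings.append("hidden iframe")
        elif tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script and data.strip():
            escapes = len(ESCAPE_RE.findall(data))
            # Flag when escaped bytes make up more than a quarter of the script text.
            if any(s in data for s in SINKS) and 3 * escapes > len(data) / 4:
                self.findings.append(f"obfuscated script ({escapes} escape sequences)")

def scan_page(html: str, site_domain: str) -> list[str]:
    scanner = PageScanner(site_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed page (placeholder hosts): an injected hidden IFRAME plus an encoded script.
SAMPLE_HTML = """<html><body><h1>School news</h1>
<iframe src="http://malicious.example.net/load.php" width="0" height="0"></iframe>
<script>document.write(unescape("%3C%73%63%72%69%70%74%20%73%72%63%3D%22"));</script>
<iframe src="/news/frame.html"></iframe></body></html>"""
```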

Vulnerabilities:

Yahoo widgets. Barely a month after the disclosure of Yahoo's webcam vulnerability, another vulnerability has been uncovered, this time in Yahoo's widget applications. A flaw in the implementation of the ActiveX control used by the widgets allows remote malicious users to execute code on affected machines. Yahoo has already issued a security advisory addressing this issue, advising users to download an update for the widgets.

New Ichitaro Exploit. TROJ_TARODROP.Q was responsible for exploiting the vulnerabilities found in Ichitaro last August. For those not yet familiar with it, Ichitaro is a popular word-processing application used in Japan. In-depth analysis reveals that the exploit is based on a stack-based overflow in a certain wrapper function contained in one of the DLLs used by the application. The wrapper function performed no validation of its input, so a buffer overflow overwrites the return address on the stack, thus giving the attacker control of execution.

ServerProtect. Yes, even our own security products get their share of vulnerabilities. Thanks to the SANS Internet Storm Center (ISC), we were made aware of vulnerabilities in ServerProtect. The ISC noticed an increase in scans of port 5168, which happens to be a communication port used by ServerProtect. The increase may indicate that some perpetrators are looking for ways to exploit the vulnerability. Fortunately, we have just issued a security patch for ServerProtect to address it.


So that's it for the month of August. September has come along, which means that Halloween, Thanksgiving and Christmas are just around the corner. We're pretty sure that at least one malware family will capitalize on these events. Let's just wait and see what happens until next month's malware roundup.


Sep 5
by Japan Regional TrendLabs

Anyone who shares his or her name with a famous celebrity would probably feel happy. Similarly, those who have the same name as that of some criminal in the news would feel upset. But how would they feel if they have malware namesakes spreading in the wild?

Yamada-san of Japan TrendLabs must have had a hard time when the Yamada malware (which Trend Micro detects as TROJ_MELLPON.A) was discovered in the spring of 2005. Yamada-san was not the only one, though, as a number of similar malware and spyware have sprung up since then, such as the following:

Recently, a Trojan known as Taniguchi was discovered spreading in Japan. Reports indicate that this Trojan usually arrives with illegal or pirated copies of certain applications that are shared via Winny, a popular peer-to-peer (P2P) file sharing application in the said country. Trend Micro detects this malware as TROJ_TANIGU.A.

Note that TROJ_TANIGU.A is not the first malware that comes with pirated software. Thus, it is always recommended that users install legitimate software copies on their systems to avoid possible infection.


Sep 5
by Japan Regional TrendLabs

TrendLabs has received a sample of a malicious MS Data Access (.MDB) file that spreads via spammed email messages and exploits a vulnerability in Microsoft Access. Trend Micro detects the said MDB file as TROJ_ACDROPPER.K. It takes advantage of the Microsoft vulnerability to drop and execute another Trojan, detected by Trend Micro as TROJ_AGENT.PXT.

This attack appears to be regionally targeted, as the spammed messages that carry TROJ_ACDROPPER.K have been reported to be disguised as email from a Japanese government agency. Note that this Trojan has also been reported to arrive as a PDF file.

As of this writing, this Trojan's MDB exploit affects fully patched English and Japanese operating systems that use Office 2000, XP, and 2003. It does not affect Office 2007. Trend Micro has already informed Microsoft regarding this particular vulnerability and has since received a hotfix from the company intended for Windows XP Service Pack 2. The exploit no longer worked when the fix was tested with Office 2003.

Sources for this entry:



© Copyright 2008 Trend Micro Inc. All rights reserved.