    Archive for March, 2010




    In the past week, TrendLabs noticed a significant growth in the number of file infectors in the wild, particularly in Latin America. A significant increase in PE_SALITY.BA cases was particularly spotted in the region. A rise in VIRUX variants, particularly PE_VIRUX.R, was also spotted at around the same time.

    File infectors are not a new threat nor do they have the notoriety of much-talked-about threats like ZBOT, KOOBFACE, and FAKEAV. However, this does not make them any less of a problem, particularly for enterprise users. In addition, these attacks are growing in sophistication as well.

    According to TrendLabs’ Escalation Team, previous versions of SALITY file infectors such as PE_SALITY.SA used simpler encryption techniques. In particular, they used only one layer of encryption, making analysis a simpler affair by looking at sections of the file that have only zeroes as shown in Figure 1.

    [Figure 1: zero-filled section in a PE_SALITY.SA-infected file]

    However, PE_SALITY.BA has increased the complexity of its encryption routine. Analysis thus became more complicated than before. The results can be seen in the code sample shown in Figure 2.

    [Figure 2: encrypted code sample from PE_SALITY.BA]

    It should also be noted that PE_SALITY.BA, like previous SALITY variants, goes beyond merely infecting files. Not only does it disable antivirus services, it also turns off the alerts that Windows normally displays when no security software is running on the system. It also spreads via removable drives, as worms do. Taken together, PE_SALITY.BA is just as destructive as many better-known malware threats, if not more so.

    As for PE_VIRUX.R, the most noteworthy change in its behavior is the fact that it now adds a null last section to the files it infects as shown in Figure 3.

    [Figure 3: null last section appended by PE_VIRUX.R]

    While this does not affect the file infector’s behavior, it does complicate the routines security companies use to clean infected files.
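    Both of the file-format tells described above, a section that contains nothing but zeroes after single-layer SALITY encryption and the null section that PE_VIRUX.R appends as the last section of an infected file, can be checked from the PE section table alone. The Python below is an added example written for this page; it is not Trend Micro's tooling or a detection signature. It assumes that a "null last section" means a final section whose raw size is zero or whose raw bytes are all zero (the post does not say exactly what VIRUX writes), and it builds its own constructed, non-executable sample images instead of reading real infected files.

```python
import struct

SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER is 40 bytes
FILE_ALIGN = 0x200         # file alignment used by the constructed samples


def parse_sections(data):
    """Walk the PE section table and return one dict per section.

    'all_zero' is True when the section has bytes on disk and every
    one of them is 0x00, the single-layer-encryption tell from the post.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # section table start
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_ptr": rawptr,
            "all_zero": rawsize > 0 and not any(raw),
        })
    return sections


def zero_filled_sections(sections):
    """Names of sections whose on-disk bytes are entirely zero."""
    return [s["name"] for s in sections if s["all_zero"]]


def has_null_last_section(sections):
    """Assumed reading of the VIRUX tell: the final section carries no data."""
    if not sections:
        return False
    last = sections[-1]
    return last["raw_size"] == 0 or last["all_zero"]


def triage(data):
    """Run both checks over one image and report the findings."""
    secs = parse_sections(data)
    return {"zero_sections": zero_filled_sections(secs),
            "null_last_section": has_null_last_section(secs)}


def build_sample_pe(section_specs, opt_size=224):
    """Assemble a minimal PE32 image from (name, raw_bytes) pairs.

    Constructed test fixture only: headers are mostly zero and the image
    is not loadable, but the section table is laid out like a real one.
    """
    num = len(section_specs)
    e_lfanew = 64
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    headers_len = e_lfanew + 4 + 20 + opt_size + num * SECTION_HEADER_SIZE
    raw_ptr = (headers_len + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    table, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, raw in section_specs:
        raw_size = (len(raw) + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
        ptr = raw_ptr + len(body) if raw_size else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                             max(len(raw), 1), vaddr, raw_size, ptr,
                             0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        vaddr += 0x1000
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image.ljust(raw_ptr, b"\0") + body)


# Constructed samples: an ordinary layout, one with a zero-only section in
# the middle (single-layer encryption tell), and one with an empty tail.
CODE = b"\x55\x8b\xec\xc3"
CLEAN = build_sample_pe([(b".text", CODE), (b".data", b"\x01\x02")])
ZERO_SECTION = build_sample_pe([(b".text", CODE), (b".zero", b"\0" * 64), (b".data", b"\x01\x02")])
NULL_TAIL = build_sample_pe([(b".text", CODE), (b".data", b"\x01\x02"), (b".tail", b"")])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("zero-section", ZERO_SECTION), ("null-tail", NULL_TAIL)):
        print(label, triage(img))
```

A real triage script would call parse_sections on files read from disk; both findings are only hints for an analyst, since packers and linkers can legitimately produce zero-filled or empty sections.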

    The routines seen in PE_SALITY.BA and PE_VIRUX.R highlight the fact that all malware threats are growing in sophistication, not just better-known threats like KOOBFACE and FAKEAV. Enterprise users should be particularly on guard, as file infectors tend to hit large companies disproportionately.

    Trend Micro™ Smart Protection Network™ protects users from file infectors by detecting and preventing the download and execution of malicious files (e.g., PE_SALITY.BA and PE_VIRUX.R) on systems.

     
    Posted in Security | 1 TrackBack »



    “2010 Pwn2Own” is an annual contest wherein contestants are invited to hack a variety of Web applications and platforms such as Web browsers and mobile phones for cash prizes and benefits. Successful hackers include Dutch hacker Peter Vreugdenhil for Internet Explorer (IE) 8, German hacker “Nils” for Firefox, and Charlie Miller for Safari.

    What About Security?

    As the only researcher to boast of three consecutive wins in “Pwn2Own,” Miller comments on security (or the lack thereof) in an article in ComputerWorld. He refuses to hand over the vulnerabilities; instead, he will demonstrate how he found them in the hope of encouraging software companies to improve their processes.

    According to Trend Micro researcher Rajiv Motwani, “Windows/IE has been the target of hackers for years. Microsoft has thus adopted a multipronged approach to deal with vulnerabilities. It encourages responsible disclosure, follows a security development life cycle, organizes Microsoft BlueHat events, has the so-called Microsoft Active Protections Program (MAPP), and fixes vulnerabilities in a predictable manner so that life is a little easier for people who patch.”

    This approach definitely helped raise the bar in terms of the complexity of vulnerabilities found. However, attackers still found ways to bypass new technologies like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

    But in the end, Microsoft is banking on its holistic approach to address vulnerabilities found on Microsoft products. “Microsoft hopes that because of its multipronged strategy, at least simpler vulnerabilities will be patched. Security is all about raising the bar, after all,” adds Motwani.

    On Using Alternative Browsers

    While other browsers have been somewhat “safe” because of the attention they get from customers, Motwani does not discount the fact that this notion is changing. “Their market shares are increasing and with that comes hacker attention,” he says.

    Motwani predicts the increased adoption of mobile phones for new applications and tasks, which makes them a likely target for hackers as well. In fact, a fully patched iPhone was also hacked in “2010 Pwn2Own.” He adds, “Updating one’s phone with the latest software updates is not hassle free. Data usage is increasing and connectivity is also no longer a big issue. There is going to be increased attention in this space.”

    Steps Toward Security

    Trend Micro encourages responsible disclosure—the decision to give vulnerability information to vendors. Motwani advises, “In the interest of end users, it is better if these bugs are responsibly disclosed and if patches are released as soon as possible so that no one else finds out about and exploits them. If these become public or are actively exploited then vendors will have to rush out patches, which is not necessarily a good thing, and customers (administrators) will have to plan for out-of-band patches.”

    Read more on keeping systems safe by patching alternative browsers in “Keep Systems Safe: Patch Alternative Browsers.”

    If there is anything we can learn from “Pwn2Own,” it is that the issue goes beyond questioning the security of any one platform. Rather, it should be acknowledged that all software and OSs are prone to vulnerabilities. In fact, recent news reports even describe a security researcher who managed to exploit .PDF files without a vulnerability. From a user’s standpoint, continue following security best practices and be aware of safety measures to protect systems.

    Update as of April 1, 2010, 10:00 p.m. (GMT +8:00):

    The Mozilla Foundation has announced that a patch for the Firefox flaw found at “Pwn2Own” has been released. According to the security advisory, the flaw has been fixed in the latest version (i.e., Version 3.6.3).

    Update as of April 14, 2010, 11:32 a.m. (GMT +8:00):

    Apple released a security update, which resolves the drive-by vulnerability used to hack a fully patched MacBook via Safari. More details can be found here.




    Apple Fixes Several Bugs

    Releasing one of its biggest Mac OS X security updates, Apple fixes 88 vulnerabilities with Security Update 2010-002/Mac OS X v10.6.3. The update addresses critical issues that can lead to arbitrary code execution, information disclosure, and denial-of-service (DoS) attacks.

    One of the critical fixes included is the solution for the AppKit issue, which can lead to an unexpected application termination or arbitrary code execution when spell-checking maliciously crafted documents. The update likewise includes fixes for several critical ImageIO and QuickTime bugs. Mac OS X users are thus advised to immediately download and install the security update.

    Microsoft Releases an Out-of-Band Patch

    Microsoft, for its part, recognizes the immediate need to provide a solution for CVE-2010-0806 and has announced the impending release of an out-of-band patch via Security Bulletin MS10-018. The said release will primarily solve issues surrounding the zero-day Internet Explorer (IE) vulnerability affecting IE 6 and 7.

    Since it first became public, cybercriminals have exploited the zero-day vulnerability. These exploits have led to malware detections, including several malicious JavaScript files (JS_SHELLCODE.CD, JS_SHELLCOD.JDT, JS_COSMU.A, and JS_SHELLCODE.YY). Their final payloads are TSPY_GAMETI.WOW and TROJ_GAMETHI.FNZ, both of which steal game-related information.

    The advance notification also stated that the out-of-band patch will be a cumulative update for IE. Apart from the critical zero-day patch, the update will likewise address nine other vulnerabilities, some of which also affect IE 8.

    The patch is slated for release on March 30, 2010 at approximately 10:00 a.m. PDT (UTC-8). The primary workaround for CVE-2010-0806 is to upgrade to IE 8, which remains unaffected by this particular zero-day vulnerability. However, the best practice is still applying the out-of-band patch as soon as it is released.

    Trend Micro Solutions for Windows and Mac Users

    Trend Micro Deep Security™ and OfficeScan™ continue to protect business users from this particular IE zero-day exploit via the Intrusion Defense Firewall (IDF) plug-in, provided their systems are updated with the IDF10-011 release (rule number IDF10011).

    Trend Micro™ Smart Protection Network™ likewise protects product users from this threat by preventing users from accessing sites hosting JS_SHELLCODE.CD, JS_SHELLCOD.JDT, JS_SHELLCODE.YY, and JS_COSMU.A. It also prevents the download and execution of malicious files such as TROJ_INJECT.JDT, TROJ_SASFIS.VR, TROJ_DLOADR.VR, TSPY_GAMETI.WOW, TROJ_DROPPR.FNZ, and TROJ_GAMETHI.FNZ via the file reputation service.

    Update as of March 31, 2010, 11:30 a.m. (GMT +8:00):

    Microsoft released a security update that resolves nine reported vulnerabilities and one unreported vulnerability in IE. The update also addresses the CVE-2010-0806 vulnerability. Affected users are advised to download the updates from this security bulletin.




    It seems that cybercriminals use every bit of news or information worthy of public interest to spread FAKEAV malware. This time around, FAKEAV binaries are being delivered via news about the recently concluded “2010 Kids’ Choice Awards.” The following keywords lead to poisoned Google search results (see Figure 1):

    • Kids Choice Awards 2010 Live
    • Kids Choice Awards 2010 Air Date
    • Kids Choice Awards 2010 Date
    • Kids Choice Awards 2010 Logo
    • Kids Choice Awards 2010 Performances
    • Kids Choice Awards 2010 Performers
    • Kids Choice Awards 2010 Vote
    • Kids Choice Awards 2010 Sweepstakes

    [Figure 1: poisoned Google search results for the keywords above]

    Clicking poisoned links leads users to a fake antivirus alert asking them if they want to protect their systems (see Figure 2).

    [Figure 2: fake antivirus alert page]

    Users who choose the “recommended” option are then prompted to download the actual FAKEAV executable file detected by Trend Micro as TROJ_FRAUDLO.IA (see Figure 3).

    [Figure 3: download prompt for the FAKEAV executable]

    TrendLabs advises users to be extremely careful, as this particular blackhat search engine optimization (SEO) attack targets younger audiences. Younger users are more likely to believe that fake antivirus warnings are real, which increases the risk of infection. This is not the only attack targeting sites that may be visited by younger users, however: the website of the talent show “If I Can Dream” was recently defaced, although no malicious payloads were seen in that attack.

    Trend Micro product users are protected by Smart Protection Network™, which prevents the download of the malicious files onto systems via the Web and file reputation services.




    News of a twin bombing attack in Russia shocked the world on Monday morning as two female suicide bombers blew themselves up in Moscow subway stations. According to news reports, the attacks killed at least 38 people and wounded more than 60. Jumping at the chance to profit from terrible events, cybercriminals quickly picked up the news and used it for their own malicious attacks.

    Shortly after the news broke, cybercriminals once again employed their blackhat search engine optimization (SEO) tactics to push their malicious links to the top of Google’s search results. Their links held the top 2 spots for about 2 hours for the keywords “Moscow subway explosion” and are now placing within the top 11 spots for the keywords “Moscow bombing.” This news topic has made Moscow a popular trending topic not only in Google but in social networks as well: on Twitter, searching for “Moscow” also returned Tweets with embedded malicious URLs.


    The links, of course, will not direct users to news sites but instead open a fake scanning page. It then reports that the computer is vulnerable to malware attacks and recommends that the users proceed with checking for infections.


    Agreeing to install the rogue antivirus downloads the FAKEAV file detected by Trend Micro as TROJ_FAKEAV.SMDY onto affected systems.


    If there is one thing every user should know by now, it is that cybercriminals will use whatever topic is most popular to make their attacks successful. As always, please be mindful not to click any link blindly, even if it is one of the top-ranking results in Google or it has been sent by your supposed friends on Twitter.

    Trend Micro product users are protected from this threat by the Smart Protection Network™, which blocks user access to related malicious sites and prevents malware from being downloaded onto users’ systems.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice