Trend Micro Malware Blog

Archive for March 31st, 2010

In the past week, TrendLabs noticed a significant growth in the number of file infectors in the wild, particularly in Latin America. Most of that increase came from PE_SALITY.BA cases in the region. A rise in VIRUX variants, particularly PE_VIRUX.R, was spotted at around the same time.

File infectors are not a new threat, nor do they have the notoriety of much-discussed threats like ZBOT, KOOBFACE, and FAKEAV. That does not make them any less of a problem, particularly for enterprise users, and the attacks themselves are growing in sophistication.

According to TrendLabs’ Escalation Team, earlier SALITY file infectors such as PE_SALITY.SA used simpler encryption. They applied only a single layer of encryption, which left sections of the file filled with nothing but zeroes plainly visible; spotting those sections was enough to make analysis straightforward, as shown in Figure 1.


PE_SALITY.BA, however, has made its encryption routine considerably more complex, and analysis is correspondingly harder than before. The result can be seen in the code sample shown in Figure 2.


It should also be noted that PE_SALITY.BA, like earlier SALITY variants, does more than infect files. It disables antivirus services, and it silences the alerts Windows normally raises when no security software is running on the system. It also spreads via removable drives, like a worm. Taken together, PE_SALITY.BA is just as destructive as, if not more so than, many better-known malware threats.

As for PE_VIRUX.R, the most noteworthy change in its behavior is that it now adds a null last section to the files it infects, as shown in Figure 3.


This does not change the infector’s behavior, but it does complicate the routines security vendors use to clean infected files.
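Both structural tells described above, the zero-filled sections that a single encryption layer leaves visible in the older SALITY samples and the null trailing section that PE_VIRUX.R appends, can be spotted with a short walk of the PE section table. The following is an added example and is not code from TrendLabs or from the original post: it parses the COFF section table, reports what share of each section’s raw data is 0x00, and flags a final section whose header is entirely zero (this example takes “null last section” to mean an all-zero IMAGE_SECTION_HEADER, which is an assumption). The sample image is constructed inline for the demo (it is a header layout, not malware), and the 90% zero threshold is an assumed triage cut-off, not a value from the post.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
COFF_HEADER_FMT = "<HHIIIHH"            # IMAGE_FILE_HEADER, 20 bytes


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int
    zero_fraction: float   # share of 0x00 bytes in the section's raw data


def parse_sections(image: bytes) -> list[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(COFF_HEADER_FMT, image, coff)
    table = coff + struct.calcsize(COFF_HEADER_FMT) + opt_size
    sections: list[Section] = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        hdr = image[off:off + SECTION_HEADER_SIZE]
        if len(hdr) < SECTION_HEADER_SIZE:
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rsize, rptr, _rel, _ln, _nrel, _nln, chars = struct.unpack(SECTION_HEADER_FMT, hdr)
        data = image[rptr:rptr + rsize] if rsize else b""
        zero_fraction = data.count(0) / len(data) if data else 1.0
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, rsize, rptr, chars, zero_fraction))
    return sections


def has_null_last_section(sections: list[Section]) -> bool:
    """True if the final section header has every field zeroed (the trailing null section)."""
    if not sections:
        return False
    s = sections[-1]
    return (s.name == "" and s.virtual_size == 0 and s.virtual_address == 0
            and s.raw_size == 0 and s.raw_pointer == 0 and s.characteristics == 0)


def zero_heavy_sections(sections: list[Section], threshold: float = 0.9) -> list[str]:
    """Names of sections whose raw data is mostly 0x00 (threshold is an assumed triage cut-off)."""
    return [s.name for s in sections if s.raw_size and s.zero_fraction >= threshold]


def build_sample() -> bytes:
    """Constructed PE-like image (not malware): .text, a mostly-zero .data, then an all-zero third header."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # Machine=i386, 3 sections, no symbols, SizeOfOptionalHeader=0 (optional header omitted), EXECUTABLE|32BIT
    struct.pack_into(COFF_HEADER_FMT, img, 0x44, 0x14C, 3, 0, 0, 0, 0, 0x0102)
    table = 0x44 + struct.calcsize(COFF_HEADER_FMT)
    struct.pack_into(SECTION_HEADER_FMT, img, table,
                     b".text", 512, 0x1000, 512, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HEADER_FMT, img, table + SECTION_HEADER_SIZE,
                     b".data", 512, 0x2000, 512, 0x400, 0, 0, 0, 0, 0xC0000040)
    # third header (table + 80 .. table + 120) deliberately left all-zero: the "null last section"
    img[0x200:0x400] = bytes(range(256)) * 2                # 512 bytes, only two of them 0x00
    img[0x400:0x600] = b"\x00" * 500 + b"A" * 12            # 512 bytes, 500 of them 0x00
    return bytes(img)


def report(image: bytes) -> dict:
    """Triage summary: per-section zero share, null trailing header, zero-heavy sections."""
    secs = parse_sections(image)
    return {
        "sections": [(s.name, s.raw_size, round(s.zero_fraction, 3)) for s in secs],
        "null_last_section": has_null_last_section(secs),
        "zero_heavy": zero_heavy_sections(secs),
    }


if __name__ == "__main__":
    print(report(build_sample()))
```

Run against the constructed image, the report lists `.text` at roughly 0.4% zeroes, `.data` at about 97.7% zeroes, and an unnamed third entry with no raw data, so `null_last_section` is true and `.data` is the only zero-heavy section. The example only flags these conditions; it does not attempt disinfection, and on real samples the zero threshold should be tuned against clean binaries, since large `.bss`-style or resource sections are legitimately zero-heavy.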

The routines seen in PE_SALITY.BA and PE_VIRUX.R show that malware is growing in sophistication across the board, not only in better-known families like KOOBFACE and FAKEAV. Enterprise users should be particularly on guard, as file infectors tend to hit large companies disproportionately.

    Trend Micro™ Smart Protection Network™ protects users from file infectors by detecting and preventing the download and execution of malicious files (e.g., PE_SALITY.BA and PE_VIRUX.R) on systems.




“2010 Pwn2Own” is an annual contest in which contestants are invited to hack a variety of software and platforms, such as Web browsers and mobile phones, for cash prizes and benefits. This year’s successful contestants include Dutch hacker Peter Vreugdenhil for Internet Explorer (IE) 8, German hacker “Nils” for Firefox, and Charlie Miller for Safari.

    What About Security?

As the only researcher with three consecutive “Pwn2Own” wins, Miller commented on security (or the lack thereof) in an article in ComputerWorld. He refuses to hand over the vulnerabilities he found; instead, he will demonstrate how he found them, in the hope of encouraging software companies to improve their processes.

    According to Trend Micro researcher Rajiv Motwani, “Windows/IE has been the target of hackers for years. Microsoft has thus adopted a multipronged approach to deal with vulnerabilities. It encourages responsible disclosure, follows a security development life cycle, organizes Microsoft BlueHat events, has the so-called Microsoft Active Protections Program (MAPP), and fixes vulnerabilities in a predictable manner so that life is a little easier for people who patch.”

This approach has definitely raised the bar in terms of the complexity of the vulnerabilities found. However, attackers still found ways to bypass exploit mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

In the end, Microsoft is banking on its holistic approach to address vulnerabilities found in Microsoft products. “Microsoft hopes that because of its multipronged strategy, at least simpler vulnerabilities will be patched. Security is all about raising the bar, after all,” adds Motwani.

    On Using Alternative Browsers

While other browsers have been somewhat “safe” because of their smaller user bases, Motwani does not discount the fact that this is changing. “Their market shares are increasing and with that comes hacker attention,” he says.

Motwani also expects mobile phones to be adopted for more applications and tasks, which makes them a likely target for hackers as well. In fact, a fully patched iPhone was also hacked at “2010 Pwn2Own.” He adds, “Updating one’s phone with the latest software updates is not hassle free. Data usage is increasing and connectivity is also no longer a big issue. There is going to be increased attention in this space.”

    Steps Toward Security

Trend Micro encourages responsible disclosure, that is, giving vulnerability information to the vendor rather than publishing it. Motwani advises, “In the interest of end users, it is better if these bugs are responsibly disclosed and if patches are released as soon as possible so that no one else finds out about and exploits them. If these become public or are actively exploited then vendors will have to rush out patches, which is not necessarily a good thing, and customers (administrators) will have to plan for out-of-band patches.”

    Read more on keeping systems safe by patching alternative browsers in “Keep Systems Safe: Patch Alternative Browsers.”

If there is anything to learn from “Pwn2Own,” it is that the matter goes beyond questioning any one platform’s security: all software and OSs are prone to vulnerabilities. In fact, recent news even reports a security researcher who managed to get .PDF files to run code without exploiting any vulnerability. From a user’s standpoint, continue to follow security best practices and stay aware of the measures that protect systems.

    Update as of April 1, 2010, 10:00 p.m. (GMT +8:00):

    The Mozilla Foundation has announced that a patch for the Firefox flaw found at “Pwn2Own” has been released. According to the security advisory, the flaw has been fixed in the latest version (i.e., Version 3.6.3).

    Update as of April 14, 2010, 11:32 a.m. (GMT +8:00):

Apple released a security update that resolves the drive-by vulnerability used to hack a fully patched MacBook via Safari.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice