Feb 13, 5:31 am (UTC-7) | by Jhoevine Capicio (Threats Analyst)
This week we have been seeing a rise in password-protected malware being spammed across the Internet. The particular families are BAGLE (correct me if I'm wrong, but I believe this was the first malware to use password protection) and RANCHNEG.
Just to give you a glimpse of how many were spammed, here is our board from yesterday while the patterns were being created:
Undetected for the Past Hour
addc97a52a3a464379ffab192c492484  12% (6)
ff347f43f8f31f0620587d99e1bad616  12% (6)
47f11f2570f62397c6553c6ab7f571a3  12% (6)
be34841d628bd5136e589926da1ec6b0  10% (5)
ee2e659057466d6aa9de0620859d8119   6% (3)
a707ef938f71349a6016c7cbb12ea7aa   6% (3)
7d5eeea3b362411446870bc1ac6f0242   6% (3)
For those not familiar with this technique, here is some quick info. The malware spammed via email sits inside a zip (BAGLE) or rar (RANCHNEG) archive that is password-protected, and the password for the archive is included in the body of the email. As far as I can tell, this serves two purposes. First, social engineering: the email looks more believable because the attachment is password-protected and the password is supplied in the message, which reinforces the impression that the email is legitimate and makes the user relax a bit. Second, evading detection: because the attachment is password-protected, most AV products don't or can't scan the file inside the archive, so it goes straight through into the user's inbox.
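The gateway-side check that follows is an added example and is not code from the original post or from Trend Micro. It shows how a mail filter can still act on the pattern described above without knowing the archive password: the encryption flag in a ZIP entry's local file header is stored in the clear, so the filter can tell that an attachment is password-protected, and it can pair that with a password handed over in the message body. The archive bytes, the message body, the entry names and the policy actions ("scan", "hold", "quarantine") are all constructed for this example; RAR archives are recognised by signature only and treated as opaque, mirroring the post's note that rar detection was still pending.

```python
"""Constructed example: flag e-mail attachments that are password-protected archives.

Defender-side logic only. It reads the general-purpose flag in ZIP local file headers
(no password or decryption involved) and looks for a password quoted in the message
body, which is the social-engineering pattern described in the post.
"""
import re
import struct
import zlib

ZIP_LOCAL_HEADER_SIG = b"PK\x03\x04"
ZIP_LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # 30-byte fixed part of a ZIP local file header
ZIP_FLAG_ENCRYPTED = 0x0001               # general-purpose flag bit 0: entry is encrypted
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# Matches phrasings such as "password is: 12345", "password: abc", "password 7788".
PASSWORD_IN_BODY = re.compile(
    r"password\s*(?:is\s*)?:?\s*[\"']?([A-Za-z0-9!@#$%^&*]+)", re.IGNORECASE)


def zip_entries(data):
    """Walk ZIP local file headers; return [(name, encrypted_flag)] without decrypting anything."""
    entries, pos = [], 0
    hdr_len = struct.calcsize(ZIP_LOCAL_HEADER_FMT)
    while True:
        pos = data.find(ZIP_LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + hdr_len > len(data):
            return entries
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from(ZIP_LOCAL_HEADER_FMT, data, pos)
        name = data[pos + hdr_len:pos + hdr_len + name_len].decode("utf-8", "replace")
        entries.append((name, bool(flags & ZIP_FLAG_ENCRYPTED)))
        # Skip the entry's payload. If a data descriptor is used csize is 0 here,
        # and find() simply resynchronises on the next local header signature.
        pos += hdr_len + name_len + extra_len + csize


def classify_archive(data):
    """Return (kind, encrypted). RAR is signature-only here, so its encryption state is None."""
    if data.startswith(RAR5_SIG) or data.startswith(RAR4_SIG):
        return "rar", None
    entries = zip_entries(data)
    if entries:
        return "zip", any(enc for _, enc in entries)
    return "other", False


def triage(body, attachment):
    """Decide what the gateway does with one attachment, given the message body it arrived with."""
    kind, encrypted = classify_archive(attachment)
    match = PASSWORD_IN_BODY.search(body)
    password = match.group(1) if match else None
    if kind == "zip" and encrypted and password:
        action = "quarantine"   # encrypted archive plus the key in the body: the pattern in the post
    elif (kind == "zip" and encrypted) or kind == "rar":
        action = "hold"         # content cannot be scanned at the gateway; route to review
    else:
        action = "scan"         # plain attachment: normal AV scanning applies
    return {"archive": kind, "encrypted": encrypted, "password_in_body": password, "action": action}


def build_zip_entry(name, payload, encrypted):
    """Construct a minimal single-entry ZIP fragment (local header + data) for the sample below.

    Only the header flag is set; a real encrypted entry would also carry encrypted data,
    but the gateway check above keys on the flag alone.
    """
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(ZIP_LOCAL_HEADER_FMT, ZIP_LOCAL_HEADER_SIG, 20, flags, 0, 0, 0,
                         zlib.crc32(payload) & 0xFFFFFFFF, len(payload), len(payload), len(name), 0)
    return header + name + payload


# Constructed sample input: a lure body and two attachments.
SAMPLE_BODY = "Hi,\nplease see the attached photos. The archive password is: 12345\n"
SAMPLE_ENCRYPTED_ZIP = build_zip_entry(b"photos.exe", b"\x00" * 16, encrypted=True)
SAMPLE_PLAIN_ZIP = build_zip_entry(b"notes.txt", b"hello", encrypted=False)

if __name__ == "__main__":
    print(triage(SAMPLE_BODY, SAMPLE_ENCRYPTED_ZIP))   # action: quarantine
    print(triage("see attached", SAMPLE_PLAIN_ZIP))    # action: scan
```

The useful property is that the encryption flag sits outside the encrypted data, so the gateway needs neither the password nor a full unpacker to notice that an attachment cannot be content-scanned. A production filter would extend `classify_archive` with a real RAR header parser and add the usual attachment-type rules on top.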
Here are email samples of WORM_BAGLE and WORM_RANCHNEG:
[Email sample image: WORM_BAGLE.GX]
[Email sample image: WORM_RANCHNEG.A]
You might want to watch out for these emails.
One piece of good news, though: the malware that was spammed was old, WORM_BAGLE.GX and WORM_RANCHNEG.A, so even if it gets through to the user's inbox, it will still be detected once the user extracts it from the archive. But think how destructive this would have been if it were new malware, ones that don't have a signature yet.
Fortunately for Trend Micro customers, the ever-so-talented engineers at Trend Micro worked some magic with their patterns: we now detect the BAGLE malware that is password-protected inside a zip archive. We are still waiting for word on the ones inside a rar archive, though.