As July winds down, infection counts for PE_EXPIRO have been trending downwards recently. This file infector can infect Windows files on both 32-bit (detected as PE_EXPIRO.JX) and 64-bit (detected as PE64_EXPIRO.JX) systems. At its peak, we saw thousands of infection counts but then dropped eventually (as seen in our Smart Protection Network feedback).
Because of the threat’s interesting blend of routines (file infector with info theft routines and exploit kit connection), we think that this is a good opportunity to discuss the various solutions that are available to help users. For more information about the threat, users can read our previous entry here.
Utilizing Trend Micro Solutions To Stamp Out EXPIRO
First of all, URLs associated with this attack are already blocked to avoid further damage, re-infection, or information leakage. Here’s an example wherein Trend Micro’s OfficeScan Web Reputation Service (WRS) blocked a URL associated to the EXPIRO malware:
WRS blocks the C&C URLs associated with the EXPIRO malware.
The above screenshot was taken from OfficeScan 10.6 Service Pack 2 with the Custom Defense Pack. This enhanced version of Officescan allows administrators to visualize high profile attacks; it uses the Trend Micro Smart Protection Network Global Intelligence list to inform administrators of the activities of any C&C servers and point out which hosts may need immediate remediation.
More detailed information is available if Deep Discovery Inspector is in use. It allows the administrator to watch the network for such events – even if there is no security software installed on the endpoint. For very large networks, it makes it even easier for administrators to determine which endpoint violated a certain policy as they are able to view information – including the MAC address – of the offending endpoint.
The following screenshots show the Deep Discovery Inspector can provide about connections to malicious C&C servers, ranging from DNS queries:
To information about the connection:
Files copied to the affected machine:
And information about the EXPIRO malware itself:
Preventing similar infections in the future
This unusual attack used several noteworthy methods, with both Java and PDF exploits to deliver the file infectors to potentially vulnerable systems. That being said, there are two things that will help minimize similar attacks in the future:
- Have effective patch management, even for third party software such as Java and Adobe Acrobat
- Block unknown or unverified web sites. Web sites that are unknown or unverified may contain malicious files. A web filtering solution – either at the gateway or the endpoint itself – may be useful.
If third party software patch management is not in use, “virtual patching” may be useful. Deep Security or OfficeScan’s Intrusion Detection Firewall plug-ins can prevent vulnerabilities from being executed, preventing these threats from reaching user systems. For more information on the related Deep Security solution, you may read our previous blog entry here.
One weakness in the network is all that is needed for this threat to re-occur. EXPIRO is indeed a traditional file infector (with an added twist of data stealing) and cleaning systems that have been infected with this malware is pretty straight forward. The various Trend Micro solutions at the disposal of system administrators allows them to effectively fix, and prevent, these threats in the enterprise environment.
With additional inputs from Jay Yaneza and Rhena Inocencio.